Opened 4 years ago

Closed 4 years ago

#17093 closed task (implemented)

New VM for Jabber server

Reported by: dgoulet
Priority: Medium
Component: Internal Services/Tor Sysadmin Team
Cc: ioerror

Description

After some discussion on tor-internal@ (and IRC), we would like to run a Jabber server on tpo infrastructure. I'm willing to help with setting it up and managing it.

We need a VM (or whatever Tor can offer). My goal would be to run a prosody jabber server plugged into Tor's LDAP server and possibly create a group for that.

We also need a DNS record, for which I have no preference: jabber.tpo, chat.tpo, xmpp.tpo. I'll let the sysadmin team decide it (with SRV record if possible).

We also need TLS of course to connect to it. I'm not familiar with the procedure of copying cert or mounting some encrypted partition or if we use a tls terminator in front. I might need guidance on that.

We need port 5222 (c2s) and 5269 (s2s) open inbound and outbound.

I may have forgotten some items needed for a deployment such as this on tpo infra, so please feel free to fill the gaps! Please let me know the best way for me to provide an SSH key for login (I assume a signed message by email or in this ticket?).

Thanks!

Change History (7)

comment:1 Changed 4 years ago by ioerror

I'd like to support this effort as well - most importantly, I'd like to make sure that this jabber server supports forward secrecy for all TLS connections, has a Tor Hidden Service and that it also works for making voice/video calls with clients like Jitsi.

comment:2 in reply to: 1; Changed 4 years ago by nickm

Replying to ioerror:

> I'd like to support this effort as well - most importantly, I'd like to make sure that this jabber server supports forward secrecy for all TLS connections, has a Tor Hidden Service and that it also works for making voice/video calls with clients like Jitsi.

+1. (Actually, could it be made to _only_ support TLS? Plaintext-over-TCP is so very 1980s.)

Anyway, I'm in favor here. What resources would the VM require?

And would this be on the same VM as the contemplated mumble server, or is that something we would want to be doing on a separate VM?

comment:3 in reply to: 2; Changed 4 years ago by ioerror

Replying to nickm:

> Replying to ioerror:
>
> > I'd like to support this effort as well - most importantly, I'd like to make sure that this jabber server supports forward secrecy for all TLS connections, has a Tor Hidden Service and that it also works for making voice/video calls with clients like Jitsi.
>
> +1. (Actually, could it be made to _only_ support TLS? Plaintext-over-TCP is so very 1980s.)

Yes, I think so - this is actually a jabber best practice as of this year.

> Anyway, I'm in favor here. What resources would the VM require?

I think it depends on scale - I bet we can start with 1-2GB of RAM and minimal disk for a minimal debian TPO install.

> And would this be on the same VM as the contemplated mumble server, or is that something we would want to be doing on a separate VM?

I'd like to keep them separate. I suspect that the xmpp server software is safer and I also think we should compartmentalize our communications risks. Ideally the xmpp server doesn't ever relay unencrypted data while the mumble server is only relaying (internally, still TLS encrypted to clients) unencrypted audio.
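
A Prosody configuration sketch, added here as an example (it is not part of the ticket and not Tor's actual deployment), that applies the points raised in the thread: TLS required on both client and server connections so that a plaintext session is refused, forward-secret key exchange only, a loopback listener for the Tor hidden service, and LDAP authentication. The hostname, addresses, certificate paths, LDAP settings and admin JID are placeholders, and mod_auth_ldap is a community module from prosody-modules rather than core Prosody.

```lua
-- prosody.cfg.lua (added example, not the ticket's or Tor's real config).
-- Hostnames, addresses, paths, the LDAP base and the admin JID are placeholders.

admins = { "dgoulet@chat.example.org" }   -- placeholder JID

modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "private"; "vcard"; "ping"; "time"; "version";
    "admin_adhoc"; "pep";
    -- "auth_ldap" (used by the VirtualHost below) comes from the
    -- prosody-modules community repository and must be installed separately.
}

-- The weak settings, shown for contrast:
--   c2s_require_encryption = false   -- clients may authenticate in the clear
--   s2s_require_encryption = false   -- other servers may federate in the clear
--   s2s_secure_auth = false          -- peer server certificates are not verified
-- The thread asks for a TLS-only server, so all three are enabled: a client
-- or peer that will not STARTTLS is refused before any credentials flow.
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true

-- Ports from the ticket: 5222 client-to-server, 5269 server-to-server.
c2s_ports = { 5222 }
s2s_ports = { 5269 }
-- Listen on the public address for clients and federation, and on loopback so
-- the Tor hidden service (torrc: HiddenServicePort 5222 127.0.0.1:5222) can
-- reach the daemon without the traffic leaving the host.
interfaces = { "203.0.113.10", "127.0.0.1" }   -- placeholder addresses
-- No BOSH/HTTP listeners unless they are actually wanted.
http_ports = {}
https_ports = {}

ssl = {
    key         = "/etc/prosody/certs/chat.example.org.key";   -- placeholder path
    certificate = "/etc/prosody/certs/chat.example.org.crt";   -- placeholder path
    -- Only ECDHE and DHE key exchange is offered, so every session has forward
    -- secrecy; RSA key transport is never negotiated.
    ciphers  = "HIGH+kEECDH:HIGH+kEDH:!PSK:!SRP:!3DES:!aNULL";
    curve    = "secp384r1";
    dhparam  = "/etc/prosody/certs/dh-2048.pem";   -- placeholder; generate with openssl dhparam
    options  = { "no_sslv2", "no_sslv3", "no_compression", "no_ticket",
                 "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
}

allow_registration = false   -- accounts come from the directory, not self-registration

-- The ticket leaves the name (jabber/chat/xmpp.tpo) to the sysadmin team.
VirtualHost "chat.example.org"          -- placeholder name
    authentication = "ldap"             -- community mod_auth_ldap
    ldap_server = "ldap.example.org"    -- placeholder
    ldap_tls    = true                  -- talk to the directory over TLS as well
    ldap_base   = "ou=users,dc=example,dc=org"   -- placeholder
    ldap_filter = "(uid=$user)"         -- $user is the local part of the JID
```

With this in place the SRV records the ticket asks for would be _xmpp-client._tcp.chat.example.org pointing at port 5222 and _xmpp-server._tcp.chat.example.org pointing at port 5269 (placeholder names again). Running prosodyctl check after deployment reports configuration, DNS and certificate problems, which is the quickest way to confirm that the require_encryption settings actually took effect.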

comment:4 Changed 4 years ago by ioerror

This is a nice xmpp survey site by the way: https://xmpp.net/reports.php

comment:5 Changed 4 years ago by nickm

I can start a new VM, I believe, with a new role account. I'm guessing I should go for minimal RAM and CPU requirements? Please let me know two or more folks who volunteer to configure and maintain this service.

FWIW, Support already has their own jabber server, but it might not be suitable for broader use, since it lacks S2S support and it automagically accepts roster requests.

comment:6 in reply to: 5; Changed 4 years ago by dgoulet

Replying to nickm:

> I can start a new VM, I believe, with a new role account. I'm guessing I should go for minimal RAM and CPU requirements? Please let me know two or more folks who volunteer to configure and maintain this service.

On otr.im the prosody server takes ~139M in virtual memory and 87M physical for >340 users, so it is not so expensive. To be safe, 1G RAM should be enough. CPU can go to the minimum; it's not really expensive.

You can add me as admin. I do not know who the possible others are. Let me know if you would like me to send you an SSH key, GPG-signed.

> FWIW, Support already has their own jabber server, but it might not be suitable for broader use, since it lacks S2S support and it automagically accepts roster requests.

comment:7 Changed 4 years ago by nickm

Resolution: implemented
Status: new → closed

okay, dgoulet and ioerror added as admins here, on a new vm.
