Update Prosody to version 0.12

This brings a number of changes and improvements, and moves from MariaDB
to SQLite for storage, which requires manual migration for pre-existing
deployments using `prosody-migrator`.

host/virtual/spec.bu

@@ -84,6 +84,14 @@ systemd:
             [Service]
             Environment=UPSTREAM_HOST=nginx-serve-volume-git-serve UPSTREAM_PORT=8080
 
+    - name: nginx-proxy-http@chat.localhost.service
+      enabled: true
+      dropins:
+        - name: prosody-upstream.conf
+          contents: |
+            [Service]
+            Environment=UPSTREAM_HOST=prosody UPSTREAM_PORT=5280
+
     - name: nginx-proxy-http@dav.localhost.service
       enabled: true
       dropins:

host/virtual/virtual.env

@@ -11,15 +11,8 @@ MARIADB_ROOT_PASSWORD=password
 # Configuration for Prosody.
 PROSODY_HOST=prosody.localhost
 PROSODY_HOST_EXTERNAL=prosody-external.localhost
-
-PROSODY_DATABASE_NAME=prosody
-PROSODY_DATABASE_USERNAME=prosody
-PROSODY_DATABASE_PASSWORD=password
-
 PROSODY_BIBOUMI_PASSWORD=password
 PROSODY_SPECTRUM_PASSWORD=password
-PROSODY_TURN_HOST=localhost
-PROSODY_TURN_SECRET=password
 
 # Configuration for Coturn.
 COTURN_AUTH_SECRET=password

service/prosody/Containerfile

@@ -1,18 +1,19 @@
 FROM docker.io/debian:bullseye-slim
-ARG VERSION=0.11.13
-ARG MODULES_VERSION=a1181413a0eb
+ARG VERSION=0.12.0
+ARG MODULES_VERSION=f07c9a6f19b3
 
 RUN apt-get update -y && apt-get install -y --no-install-recommends \
-    curl mercurial gnupg ca-certificates apt-transport-https netcat-traditional
+    curl mercurial gnupg ca-certificates apt-transport-https
 
 RUN addgroup --system --gid 10000 prosody
 RUN adduser --system --uid 10000 --ingroup prosody --home /var/lib/prosody prosody
+RUN install --owner prosody --group prosody --directory /run/prosody
 
 RUN echo "deb https://packages.prosody.im/debian bullseye main" > /etc/apt/sources.list.d/prosody.list && \
     echo "deb-src https://packages.prosody.im/debian bullseye main" >> /etc/apt/sources.list.d/prosody.list && \
     curl -o - https://prosody.im/files/prosody-debian-packages.key | apt-key add - && \
     apt-get update -y && apt-get install -y --no-install-recommends \
-    lua-dbi-mysql lua-event lua-zlib lua-sec lua-luaossl lua-bitop prosody=${VERSION}*
+    lua5.2 lua-dbi-sqlite3 lua-zlib lua-sec lua-luaossl lua-bitop lua-unbound prosody=${VERSION}*
 
 RUN mkdir -p /usr/lib/prosody/community-modules && \
     hg clone --rev ${MODULES_VERSION} https://hg.prosody.im/prosody-modules /usr/lib/prosody/community-modules
@@ -21,9 +22,6 @@ COPY container/config /etc/prosody
 RUN prosodyctl check config
 
 VOLUME /var/lib/prosody
-ENV __FLUSH_LOG yes
-
 USER prosody
-EXPOSE 5222 5269 5280 5347
 
 ENTRYPOINT ["prosody"]

service/prosody/container/config/prosody.cfg.lua

@@ -21,14 +21,10 @@
 -- Example: admins = { "user1@example.com", "user2@example.net" }
 admins = {}
 
--- Enable use of libevent for better performance under high load
--- For more information see: https://prosody.im/doc/libevent
-use_libevent = true
-
 -- Prosody will always look in its source directory for modules, but
 -- this option allows you to specify additional locations where Prosody
 -- will look for modules first. For community modules, see https://modules.prosody.im/
-plugin_paths = {"/usr/lib/prosody/community-modules"}
+plugin_paths = {"/usr/lib/prosody/modules", "/usr/lib/prosody/community-modules"}
 
 -- This is the list of modules Prosody will load on startup.
 -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
@@ -40,6 +36,7 @@ modules_enabled = {
     "tls"; -- Add support for secure TLS on c2s/s2s connections
     "dialback"; -- s2s dialback support
     "disco"; -- Service discovery
+    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
 
     -- Not essential, but recommended
     "carbons"; -- Keep multiple clients in sync
@@ -53,13 +50,9 @@ modules_enabled = {
     "uptime"; -- Report how long server has been running
     "time"; -- Let others know the time here on this server
     "ping"; -- Replies to XMPP pings with pongs
-    "register"; -- Allow users to register on this server using a client and change passwords
     "mam"; -- Store messages in an archive and allow users to access it
     "smacks"; -- Stream management for resuming dropped connections.
-    "csi"; -- Chat state information.
     "csi_simple"; -- Enables simple traffic optimisation for clients that have reported themselves as inactive.
-    "filter_chatstates"; -- Don't send chat state notifications when client is inactive.
-    "throttle_presence"; -- Don't send presence information when client is inactive.
 
     -- Push notifications
     "cloud_notify"; -- Support for push notifications.
@@ -70,27 +63,20 @@ modules_enabled = {
     "watch_spam_reports"; -- Alert admins of spam/abuse reports by users
 
     -- Admin interfaces
-    "admin_telnet"; -- Opens telnet console interface on localhost port 5582
+    "admin_shell"; -- Allows for Prosody administration over a local shell
 
     -- HTTP modules
     "websocket"; -- XMPP over WebSockets
 
     -- Other specific functionality
-    "proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
     "conversejs"; -- Web-based frontend for XMPP
-    "bookmarks2"; -- Next-generation group-chat bookmarks
-    "turncredentials"; -- Connect to TURN/STUN server
+    "bookmarks"; -- Next-generation group-chat bookmarks
+    "turn_external"; -- Connect to TURN/STUN server
 }
 
 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
-modules_disabled = {
-    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
-}
-
--- Disable account creation by default, for security
--- For more information see https://prosody.im/doc/creating_accounts
-allow_registration = false
+modules_disabled = {}
 
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
@@ -136,11 +122,8 @@ authentication = "internal_hashed"
 
 storage = "sql" -- Default is "internal"
 sql = {
-    driver   = "MySQL",
-    host     = os.getenv("PROSODY_DATABASE_HOST") or "localhost",
-    database = os.getenv("PROSODY_DATABASE_NAME") or "prosody",
-    username = os.getenv("PROSODY_DATABASE_USERNAME") or "prosody",
-    password = os.getenv("PROSODY_DATABASE_PASSWORD") or ""
+    driver   = "SQLite3",
+    database = "/var/lib/prosody/prosody.sqlite",
 }
 
 -- For the "sql" backend, you can uncomment *one* of the below to configure:
@@ -163,6 +146,10 @@ archive_expires_after = "1w" -- Remove archived messages after 1 week
 -- For advanced logging see https://prosody.im/doc/logging
 log = {{to = "console", levels = {min = "info"}, timestamps = true}}
 
+-- Set PID file and socket in ephemeral path.
+pidfile = "/run/prosody/prosody.pid"
+admin_socket = "/run/prosody/prosody.sock"
+
 -- Don't show banner when performing console commands.
 console_banner = ""
 
@@ -180,8 +167,8 @@ auth_imap_ssl = {
 }
 
 -- Configuration for TURN/STUN.
-turncredentials_host   = os.getenv("PROSODY_TURN_HOST") or "localhost"
-turncredentials_secret = os.getenv("PROSODY_TURN_SECRET") or ""
+turn_external_host   = os.getenv("PROSODY_TURN_HOST") or "localhost"
+turn_external_secret = os.getenv("PROSODY_TURN_SECRET") or ""
 
 -- Uncomment to enable statistics
 -- For more info see https://prosody.im/doc/statistics
@@ -195,7 +182,7 @@ turncredentials_secret = os.getenv("PROSODY_TURN_SECRET") or ""
 -- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
 
 -- Location of directory to find certificates in (relative to main config file):
-certificates = "certificates"
+certificates = "/etc/ssl/private/certificates"
 
 -- Listen on all interfaces for component connections.
 component_interface = "0.0.0.0"

service/prosody/container/config/virtualhost.cfg.lua

@@ -6,22 +6,33 @@
 local host_base = os.getenv("PROSODY_HOST") or "localhost"
 local host_external = os.getenv("PROSODY_HOST_EXTERNAL") or "external.localhost"
 
+-- The primary virtual host, typically anchored to the root domain (e.g. "example.com"). User JIDs
+-- will need to match this domain name.
 VirtualHost(host_base)
-  http_host = host_external
+  http_host         = host_external
   http_external_url = "https://" .. host_external .. "/"
-  certificate = "/etc/ssl/private/certificates/" .. host_base .. ".crt"
-  authentication = "imap"
-  auth_append_host = true
+  authentication    = "imap"
+  auth_append_host  = true
+  http_paths = {
+    conversejs = "/web"
+  }
 
+-- The component responsible for multi-user chats.
 Component(host_external) "muc"
-  modules_enabled = {"muc_mam", "vcard_muc"}
-  name = "The " .. host_base .. " chat-room server"
-  certificate = "/etc/ssl/private/certificates/" .. host_external .. ".crt"
+  name                   = "The " .. host_base .. " chat-room server"
   restrict_room_creation = "local"
-  max_history_messages = 100
+  max_history_messages   = 100
+  modules_enabled = {
+    "muc_mam",
+    "vcard_muc"
+  }
 
-Component(host_external) "http_upload"
-  http_external_url = "https://" .. host_external .. "/"
-  http_upload_expire_after = 60 * 60 * 24 * 7
-  http_upload_file_size_limit = 1024 * 1024 * 32
-  http_upload_quota = 1024 * 1024 * 1024
+-- The component responsible for HTTP file uploads.
+Component(host_external) "http_file_share"
+  http_file_share_expire_after = 60 * 60 * 24 * 31
+  http_file_share_size_limit   = 1024 * 1024 * 32
+  http_file_share_daily_quota  = 1024 * 1024 * 128
+  http_file_share_global_quota = 1024 * 1024 * 1024 * 5
+  http_paths = {
+    file_share = "/upload"
+  }

service/prosody/prosody.env.template

@@ -2,12 +2,6 @@
 PROSODY_HOST=${PROSODY_HOST}
 PROSODY_HOST_EXTERNAL=${PROSODY_HOST_EXTERNAL}
 
-# Database connection options.
-PROSODY_DATABASE_HOST=mariadb
-PROSODY_DATABASE_NAME=${PROSODY_DATABASE_NAME}
-PROSODY_DATABASE_USERNAME=${PROSODY_DATABASE_USERNAME}
-PROSODY_DATABASE_PASSWORD=${PROSODY_DATABASE_PASSWORD}
-
 # Authentication options.
 PROSODY_IMAP_AUTH_HOST=dovecot
 PROSODY_IMAP_AUTH_PORT=993

service/prosody/service/mariadb-migrate.sql

@@ -1,8 +0,0 @@
--- Create default database.
-CREATE DATABASE IF NOT EXISTS `${PROSODY_DATABASE_NAME}`;
-
--- Create default user with pre-defined password.
-CREATE USER IF NOT EXISTS '${PROSODY_DATABASE_USERNAME}'@'%' IDENTIFIED BY '${PROSODY_DATABASE_PASSWORD}';
-GRANT ALL PRIVILEGES ON `${PROSODY_DATABASE_NAME}`.* TO '${PROSODY_DATABASE_USERNAME}'@'%';
-
-FLUSH PRIVILEGES;

service/prosody/spec.bu

@@ -8,7 +8,5 @@ storage:
       local: service/prosody/systemd/
 systemd:
   units:
-    - name: prosody-firstboot.target
-      enabled: true
     - name: prosody.service
       enabled: true

service/prosody/systemd/prosody-component-register@.service

@@ -12,12 +12,12 @@ EnvironmentFile=-%E/coreos-home-server/%i/%i.env
 ExecStartPre=/bin/install --mode 0700 --directory /tmp/%N
 ExecStartPre=/bin/sh -c "envsubst < %E/coreos-home-server/prosody/service/component.cfg.lua.template > /tmp/%N/component.cfg.lua"
 ExecStartPre=/bin/podman cp --archive=false /tmp/%N/component.cfg.lua prosody:/etc/prosody/conf.d/%i.cfg.lua
-ExecStartPre=/bin/podman exec prosody sh -c "echo 'config:reload()' | nc -q 1 -w 10 127.0.0.1 5582"
-ExecStart=/bin/podman exec prosody sh -c "echo 'host:activate(\"${PROSODY_COMPONENT_NAME}\")' | nc -q 1 -w 10 127.0.0.1 5582"
+ExecStartPre=/bin/podman exec prosody prosodyctl shell config reload
+ExecStart=/bin/podman exec prosody prosodyctl shell host activate "$PROSODY_COMPONENT_NAME"
 ExecStartPost=/bin/rm -Rf /tmp/%N
-ExecStop=/bin/podman exec prosody sh -c "echo 'host:deactivate(\"${PROSODY_COMPONENT_NAME}\")' | nc -q 1 -w 10 127.0.0.1 5582"
+ExecStop=/bin/podman exec prosody prosodyctl shell host deactivate "$PROSODY_COMPONENT_NAME"
 ExecStopPost=/bin/podman exec --user=root prosody rm -f /etc/prosody/conf.d/%i.cfg.lua
-ExecStopPost=/bin/podman exec prosody sh -c "echo 'config:reload()' | nc -q 1 -w 10 127.0.0.1 5582"
+ExecStartPre=/bin/podman exec prosody prosodyctl shell config reload
 
 [Install]
 WantedBy=multi-user.target

service/prosody/systemd/prosody-firstboot.target

@@ -1,9 +0,0 @@
-[Unit]
-Description=Initialize Prosody XMPP Server
-Wants=mariadb-migrate@prosody.service prosody.service
-After=mariadb-migrate@prosody.service
-Before=prosody.service
-ConditionKernelCommandLine=ignition.firstboot
-
-[Install]
-WantedBy=multi-user.target

service/prosody/systemd/prosody.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Prosody XMPP server
-Wants=container-build@%N.service container-volume@%N.service mariadb.service dovecot.service
-After=container-build@%N.service container-volume@%N.service mariadb.service dovecot.service
+Wants=container-build@%N.service container-volume@%N.service dovecot.service
+After=container-build@%N.service container-volume@%N.service dovecot.service
 
 [Service]
 Type=notify
@@ -18,7 +18,7 @@ ExecStart=/bin/podman run --replace --name %N --net internal --sdnotify=conmon \
                           localhost/%N:latest
 ExecStop=/bin/podman stop --ignore --time 10 %N
 ExecStopPost=/bin/podman rm --ignore --force %N
-ExecReload=/bin/podman exec %N sh -c 'echo "config:reload()" | nc -q 1 -w 10 127.0.0.1 5582'
+ExecReload=/bin/podman exec %N prosodyctl shell config reload
 
 [Install]
 WantedBy=multi-user.target