XMPP clients
This chat module is based on the XMPP protocol, also known as Jabber. It is therefore possible to connect to the chats using XMPP client software. This can for example be useful to facilitate moderation operations.
For the user documentation associated with these features, please refer to the user documentation page.
Enabling these features requires configuration changes on the server, and on the DNS records. It is not possible to configure this only from the Peertube interface, and it requires some basic system some basic system admin skills.
Login to your Peertube account
This feature is not yet available, and will come in a future version of the plugin.
Connection using an external XMPP account
To enable this feature, you will need to set up your server and DNS records, so that XMPP clients can find and access the Prosody server that this plugin uses internally.
إعدادات الملحق
Start by going to the livechat plugin settings of your instance, then enable the setting “Enable connection to room using external XMPP accounts”. By checking this setting, new settings appear below.
First of all, the “Prosody server to server port” field. This one defaults to 5269, which is the standard port for this service. You can however change to another port, if this is already in use on your server.
Next, the field “Server to server network interfaces” field allows you to specify which network interfaces the server should listen on. The default value “*, ::” indicates to listen on all IP addresses. You can change these values, if you wish to listen on only certain IP addresses. The syntax is explained next to the setting.
For the “Certificate folder” setting, you can leave it empty. In this case, the plugin will automatically generate self-signed certificates. Some XMPP servers may refuse to connect, depending on their configuration. In this case, you can indicate here a path on the server, in which you must place certificates to be used by the module. It is up to you to generate and renew them. See bellow for more information.
Firewall
You must open the configured port (5269 by default) on your firewall.
If you are using Docker for your Peertube, you need to modify the
docker-compose.yml
file to open port 5269 of the peertube
container, so
that the outer world can connect to it.
نظام أسماء النطاقات
You need to add DNS records allowing remote servers to find “room.your_instance.tld” and “external.your_instance.tld” components.
The easiest way to do this is to add SRV records for the “room” and “external” subdomain:
record name: _xmpp-server._tcp.room.your_instance.tld. (replace «your_instance.tld» by your instance uri)
TTL: 3600
class: IN
SRV: 0
priority: 0
weight: 5
port: 5269 (adapt if your changed the default port)
target: your_instance.tld. (replace by your instance uri)
record name: _xmpp-server._tcp.external.your_instance.tld. (replace «your_instance.tld» by your instance uri)
TTL: 3600
class: IN
SRV: 0
priority: 0
weight: 5
port: 5269 (adapt if your changed the default port)
target: your_instance.tld. (replace by your instance uri)
Be careful to keep the dot after “your_instance.tld”.
Using the dig
command to check your records, you should get a result
similar to this:
$ dig +short _xmpp-server._tcp.room.videos.john-livingston.fr. SRV
0 5 5269 videos.john-livingston.fr.
$ dig +short _xmpp-server._tcp.external.videos.john-livingston.fr. SRV
0 5 5269 videos.john-livingston.fr.
If you are not using the standard 5269
port, you must also add a SRV
record for _xmpp-server._tcp.your_instance.tld.
(same as above, just
without the room.
prefix). Of course, you can also add this record if you
use the standard port. It will also work.
استخدام شهادات موثوق فيها
The self-signed certificates that this plugin uses by default can be rejected by some XMPP servers, for security reasons.
It is possible to use certificates validated by a certification authority. However, this requires advanced system administration knowledge. Indeed, due to the multitude of possible use cases, it is impossible to document all situations here. This documentation will therefore only explain the goal to be reached, and give an example which will only be suitable for a “basic” situation (manual installation of Peertube, using letsencrypt). If you are in another situation (Docker installation, certificates signed by another authority, etc…), you will have to adapt this approach by yourself.
Basic principle
It is up to you to generate valid certificates for domains
your_instance.tld
and room.your_instance.tld
. You can use any method
supported by Prosody.
You must then place these certificates in a folder that will be accessible
to the peertube
user, and specify this folder in the plugin setting
“Certificate folder”.
If you want to use the ProsodyCtl utility to import certificates, this
utility is available (once Peertube is started) using the following command
(adapting the path to your Peertube data folder, and replacing “xxx” with
the arguments you wish to pass to prosodyctl): sudo -u peertube /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosodyAppImage/squashfs-root/AppRun prosodyctl --config /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua xxx
The plugin will check once a day to see if any files have been modified in this folder, and reload Prosody if necessary.
Method for the simple case
We assume here that your Peertube installation is “classic” (no use of Docker), and that the certificates are generated by letsencrypt, using the certbot tool.
First of all, we’ll have to create a certificate for the subdomain
room.your_instance.tld
: this is the uri of the MUC (XMPP chat rooms)
component. Even if the connections are made on your_instance.tld
, we will
need a valid certificate for this subdomain.
So start by setting up a DNS entry for room.your_instance.tld
, which
points to your server. You can use a CNAME entry (or an A entry and a AAAA
entry).
Next, we’ll use nginx (already installed for your Peertube) to generate the
certbot certificate. We will create a new site. In the file
/etc/nginx/site-available/room.peertube
, add:
server {
listen 80;
listen [::]:80;
server_name room.your_instance.tld;
location /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
}
location / { return 301 https://your_instance.tld; }
}
Then enable the site:
ln -s /etc/nginx/sites-available/room.peertube /etc/nginx/sites-enabled/
systemc reload nginx
Then we prepare the folder in which we will later import the certificates.
We assume here that you already have the plugin active. We will create the
following folder (if it doesn’t already exist), with the user peertube
to
make sure there are no permissions issues:
sudo -u peertube mkdir /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/certs
Now you have to configure this folder in the plugin settings, for the parameter “Certificate folders”. It’s important to do this now, otherwise the certificate import script will put the certificates in the wrong folder.
We will configure certbot to import the generated certificates into the Prosody folder. We can use the ProsodyCtl utility packaged in the plugin.
Note: for it to be available, the plugin must have been started at least once.
We will create a file /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
containing:
#!/bin/sh
/var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosodyAppImage/squashfs-root/AppRun prosodyctl \
--root \
--config /var/www/peertube/storage/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua \
cert import \
room.your_instance.tld your_instance.tld /etc/letsencrypt/live
Then we ask to generate the certificate:
certbot -d room.videos.john-livingston.fr
If certbot offers you several methods to generate the certificate, choose “nginx”.
Normally you should now find the certificates in the configured folder.
Note: the first time you do this, you will have to reload Prosody. The easiest way to do this is to restart Peertube.
Method for the Docker case
This method works with the officially supported Docker guide from PeerTube.
First, ensure you create a DNS entry for room.your_instance.tld
, which
points to your server. You can use a CNAME entry (or an A entry and a AAAA
entry). This is necessary for Let’s Encrypt to validate the domain for
certificate generation.
Enter the directory where your docker-compose.yml
file exists.
Open a shell in the certbot container:
docker exec -it certbot /bin/sh
Run certbot:
certbot
You will be presented with a series of prompts. Enter 2
for the
authentication type:
How would you like to authenticate with the ACME CA?
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enter the domain name room.your_instance.tld
:
Please enter the domain name(s) you would like on your certificate (comma and/or space separated) (Enter 'c' to cancel): room.your_instance.tld
Enter the directory where the PeerTube webserver serves requests for Let’s
Encrypt, /var/www/certbot
:
Input the webroot for <room.your_instance.tld>: (Enter 'c' to cancel): /var/www/certbot
You should see output like the following:
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/room.your_instance.tld/fullchain.pem
Key is saved at: /etc/letsencrypt/live/room.your_instance.tld/privkey.pem
Run the below command inside the certbot container to give read access to the new certs and private keys to the peertube group. Note: This will also make the files readable to the group with id 999 on the host system. Check the groups on your system to assess this as a risk before running this command.
chown -R root:999 /etc/letsencrypt/live; \
chmod 750 /etc/letsencrypt/live; \
chown -R root:999 /etc/letsencrypt/archive; \
chmod 750 /etc/letsencrypt/archive; \
find /etc/letsencrypt/ -name 'privkey*' -exec chmod 0640 {} \;
Exit the certbot container:
exit
Modify your docker-compose.yml
file, changing the entrypoint
line under
the certbot
service to the following. This is the same as the above, but
to be automatically executed after every certificate renewal.
entrypoint: /bin/sh -c "trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot; chown -R root:999 /etc/letsencrypt/live; chmod 750 /etc/letsencrypt/live; chown -R root:999 /etc/letsencrypt/archive; chmod 750 /etc/letsencrypt/archive; find /etc/letsencrypt/ -name 'privkey*' -exec chmod 0640 {} +; sleep 12h & wait $${!}; done;"
Continuing to modify docker-compose.yml
, add the certbot certificate
volume into the peertube container. It should look something like this:
volumes:
- ./docker-volume/certbot/conf:/etc/letsencrypt
Restart your services:
docker-compose down; docker-comopse up -d
In the livechat plugin settings from your PeerTube administration settings, set the certificate directory to the following:
/etc/letsencrypt/live
Save the plugin settings and verify Prosody can see the certificates:
docker-compose exec -u peertube \
peertube \
/data/plugins/data/peertube-plugin-livechat/prosodyAppImage/squashfs-root/AppRun \
prosodyctl \
--config /data/plugins/data/peertube-plugin-livechat/prosody/prosody.cfg.lua \
check certs
في حال مشكلة
If you can’t make it work, you can use the diagnostic tool (there is a button on top of the plugin settings page), and take a close look on the «Prosody check» section.