Initial commit

README.md

@@ -0,0 +1,42 @@
+# Prosody
+
+#### Setup Client
+We use the [Profanity](https://profanity-im.github.io/) XMPP client for comunnication.
+
+###### Commands
+```
+/register acidvegas@xmpp.supernets.org
+```
+
+```
+/account add acidvegas
+/account default set acidvegas
+/account set acidvegas clientid ""
+/account set acidvegas jid acidvegas@xmpp.supernets.org
+/account set acidvegas muc muc.supernets.org
+/account set acidvegas nick acidvegas
+/account set acidvegas port 5222
+/account set acidvegas resource ""
+/account set acidvegas server xmpp.supernets.org
+/account set acidvegas session_alarm 2
+/account set acidvegas status online
+/account set acidvegas tls force
+/autoconnect set acidvegas
+```
+```
+/color on
+/color own on
+/connect acidvegas
+/occupants color on
+/omemo char 🔑
+/omemo gen
+/omemo log off
+/omemo policy always
+/omemo trustmode blind
+/omemo trustmode manual
+/outtypee off
+/privacy logging off
+/privacy os off
+/receipts send off
+/states off
+```

deploy

@@ -0,0 +1,51 @@
+#!/bin/bash
+# Prosody Container Script - developed by acidvegas (https://git.acid.vegas/prosody)
+
+set -xev
+
+create_container() {
+	NAME=$1
+
+	incus storage create $NAME-pool dir
+	incus launch images:debian/12 $NAME-container -s $NAME-pool	
+	incus config set $NAME-container boot.autostart true
+	sleep 10 # Delay to allow the container to start and get an IP address from the DHCP server
+	incus exec $NAME-container -- apt update  -y
+	incus exec $NAME-container -- apt upgrade -y
+	incus exec $NAME-container -- apt install -y git nano unattended-upgrades wget
+	incus exec $NAME-container -- useradd -m -s /bin/bash agent
+	incus exec $NAME-container -- journalctl --vacuum-time=1d
+	incus exec $NAME-container -- sh -c 'printf "[Journal]\nStorage=volatile\nSplitMode=none\nRuntimeMaxUse=500K\n" > /etc/systemd/journald.conf'
+	incus exec $NAME-container -- systemctl restart systemd-journald
+}
+
+setup_prosody() {
+    PORT_C2S=5222 # Default 5222
+    PORT_S2S=5269 # Default 5269
+    CONTAINER_IP=$(incus list | grep gotify-container | awk '{print $6}')
+
+    create_container prosody
+    
+    incus config set prosody-container boot.autostart true
+    incus config device add prosody-container prosody-c2s-port proxy listen=tcp:0.0.0.0:$PORT_C2S connect=tcp:$CONTAINER_IP:5222
+    incus config device add prosody-container prosody-s2s-port proxy listen=tcp:0.0.0.0:$PORT_S2S connect=tcp:$CONTAINER_IP:5269
+
+    incus exec prosody-container -- apt-get install certbot libevent-dev prosody -y
+
+    incus exec prosody-container -- certbot certonly --standalone -d xmpp.supernets.org -d muc.supernets.org -m nobody@no.name --agree-tos --non-interactive --no-eff-email
+
+    incus exec prosody-container -- sh -c 'printf "[Unit]\nDescription=cerbot renewal\n\n[Service]\nType=oneshot\nExecStart=/usr/bin/certbot renew -n --quiet --agree-tos --deploy-hook \"prosodyctl --root cert import /etc/letsencrypt/live\"\n" > /etc/systemd/system/certbot.service'
+	incus exec prosody-container -- sh -c 'printf "[Unit]\nDescription=cerbot renewal timer\n\n[Timer]\nOnCalendar=0/12:00:00\nRandomizedDelaySec=1h\nPersistent=true\n\n[Install]\nWantedBy=timers.target\n" > /etc/systemd/system/certbot.timer'
+
+	incus exec prosody-container -- systemctl enable certbot.timer
+	incus exec prosody-container -- systemctl start certbot.timer
+
+    incus file push prosody.cfg.lua prosody-container:/etc/prosody/prosody.cfg.lua
+
+    # Need to set the certifcate permissions to allow prosody to read it
+    #sudo ln -s /etc/letsencrypt/live/xmpp.supernets.org/privkey.pem /etc/prosody/certs/xmpp.supernets.org.key
+    #sudo ln -s /etc/letsencrypt/live/xmpp.supernets.org/privkey.pem /etc/prosody/certs/xmpp.supernets.org.key
+
+    incus exec prosody-container -- systemctl enable prosody
+    incus exec prosody-container -- systemctl start prosody
+}

fiya

@@ -0,0 +1,101 @@
+#!/bin/bash
+# Prosody XMPP Firewall - developed by acidvegas (https://git.acid.vegas/prosody)
+
+set -xev
+
+# Configuration
+IP_SSH="changeme"
+PORT_SSH=22        # Default 22
+PORT_XMPP_C2S=5222 # Default 5222
+PORT_XMPP_S2S=5269 # Default 5269
+
+CONTAINER_IP=$(incus list | grep prosody-container | awk '{print $6}')
+SUBNET=$(echo $CONTAINER_IP | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+/\1.0\/24/')
+
+# -------------------------------------------------- #
+
+# Kernel hardening settings
+mkdir -p /etc/sysctl.d
+{
+  echo "net.ipv4.conf.all.accept_source_route = 0"
+  echo "net.ipv6.conf.all.accept_source_route = 0"
+  echo "net.ipv4.conf.all.rp_filter = 1"
+  echo "net.ipv4.conf.default.rp_filter = 1"
+  echo "net.ipv4.conf.all.accept_redirects = 0"
+  echo "net.ipv6.conf.all.accept_redirects = 0"
+  echo "net.ipv4.conf.default.accept_redirects = 0"
+  echo "net.ipv6.conf.default.accept_redirects = 0"
+  echo "net.ipv4.conf.all.log_martians = 1"
+  echo "kernel.randomize_va_space = 2"
+  echo "fs.suid_dumpable = 0"
+  echo "net.ipv4.ip_forward=1"
+} > /etc/sysctl.d/99-custom-hardening.conf
+
+# Apply hardening settings
+sysctl -p /etc/sysctl.d/99-custom-hardening.conf
+
+# -------------------------------------------------- #
+
+# Flush existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+# Default chain policies
+iptables -P INPUT ACCEPT
+iptables -P FORWARD DROP
+iptables -P OUTPUT ACCEPT
+
+# Common Firewall rules
+iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
+iptables -A INPUT -p icmp --icmp-type port-unreachable -j DROP
+iptables -A INPUT -i lo -j ACCEPT
+
+# -------------------------------------------------- #
+
+# Allow container NAT
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+iptables -A FORWARD -i incusbr0 -o eth0 -j ACCEPT
+iptables -A FORWARD -i eth0 -o incusbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# Allow container DHCP
+iptables -I INPUT -i incusbr0 -p udp --dport 67:68 -j ACCEPT
+iptables -I FORWARD -i incusbr0 -p udp --dport 67:68 -j ACCEPT
+
+# Allow container DNS
+iptables -A INPUT -i incusbr0 -p udp --dport 53 -j ACCEPT
+iptables -A INPUT -i incusbr0 -p tcp --dport 53 -j ACCEPT
+iptables -A FORWARD -i incusbr0 -o eth0 -p udp --dport 53 -j ACCEPT
+iptables -A FORWARD -i incusbr0 -o eth0 -p tcp --dport 53 -j ACCEPT
+
+# -------------------------------------------------- #
+
+# Allow SSH
+iptables -A INPUT -p tcp -s $IP_SSH --dport $PORT_SSH -j ACCEPT
+
+# Allow Certbot
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination $CONTAINER_IP:80
+iptables -t nat -A POSTROUTING -s $SUBNET -o eth0 -j MASQUERADE
+iptables -A FORWARD -d ${CONTAINER_IP}/32 -o incusbr0 -p tcp --dport 80 -j ACCEPT
+iptables -A FORWARD -s ${CONTAINER_IP}/32 -i incusbr0 -j ACCEPT
+
+# Allow Prosody
+iptables -A INPUT -p tcp --dport $PORT_XMPP_C2S -j ACCEPT
+iptables -A INPUT -p tcp --dport $PORT_XMPP_S2S -j ACCEPT
+
+# -------------------------------------------------- #
+
+# Save rules (iptables-persistent package)
+iptables-save > /etc/iptables/iptables.rules
+
+# Create and configure the iptables service
+printf '#!/bin/sh\nexec 2>&1\niptables-restore < /etc/iptables/iptables.rules\nexec chpst -b iptables pause\n' > /etc/sv/iptables/run
+chmod +x /etc/sv/iptables/run
+ln -sf /etc/sv/iptables /var/service/ && sv restart iptables
+
+# Show rules
+iptables -L -v -n

prosody.cfg.lua

@@ -0,0 +1,31 @@
+admins = { }
+
+plugin_paths = { "/usr/local/lib/prosody/modules" }
+
+pidfile = "/run/prosody/prosody.pid";
+
+limits = {
+    c2s   = { rate = "3kb/s";  burst = "2s"; };
+    s2sin = { rate = "10kb/s"; burst = "5s"; };
+}
+
+log = "*syslog"
+
+VirtualHost "xmpp.supernets.org"
+    modules_enabled = { "carbons"; "dialback"; "disco"; "limits"; "pep"; "ping"; "posix"; "register"; "register_limits", "roster"; "saslauth"; "tls"; }
+
+    allow_registration = true -- register
+    authentication = "internal_hashed" -- register
+    blacklist_on_registration_throttle_overload = true -- register_limits
+    c2s_require_encryption = true
+    min_seconds_between_registrations = 86400 -- register_limits
+    registration_throttle_cache_size = 100 -- register_limits
+    s2s_require_encryption = true
+
+    ssl = {
+        certificate = "/etc/prosody/certs/xmpp.supernets.org/fullchain.pem";
+        key = "/etc/prosody/certs/xmpp.supernets.org/privkey.pem";
+    }
+
+    Component "muc.supernets.org" "muc"
+        name = "SuperNETs XMPP Chatrooms"