Skip to content

raspberry pi en

Marcel Waldvogel edited this page Sep 29, 2018 · 45 revisions

Your personal autonomous federated file, calendar, and chat server

:de: Diesen Artikel auf Deutsch lesen

aka Setup of Nextcloud+JSXC+ejabberd on a Raspberry Pi

…or any other computer running Debian Stretch or Ubuntu 18.04 LTS aka bionic. For any other setup, follow the generic instructions in the wiki.

:warning: If you use an older distribution, please install the latest ejabberd manually instead of using the distribution-provided version.

Basic setup

:warning: The individual steps which need to be executed to configure the device have been marked with a wrench icon (:wrench:).

:wrench: On your Router:

  • Assign the Raspberry Pi an (internal) fixed IP address
  • Forward ports 80, 443, 5222, 5223, 5269, and 7777 on the router to the Raspberry Pi
  • Activate DynDNS with a Provider (assuming you have a dynamic IP address only)
  • If possible, add the following DNS entries. Even without them, 1:1 text and video chat works, but you will experience the following restrictions:
    • Group chats: Are only possible between local users; members in the federation cannot join your group chats
    • Social network functions on top of XMPP will not work, e.g. those provided by Movim

:wrench: On the Raspberry Pi:

  • Install Raspbian Stretch
  • Optional: Attach an external disk and mount it at /var/www/nextcloud/data (after creating the path)

:loudspeaker: In the following code snippets, a capital SERVERNAME should be replaced with the name you got from your DynDNS provider.

Install the software

:wrench: If your Raspberry Pi has not yet enabled ssh access, follow these steps to enable ssh

:wrench: Log in to the Raspberry Pi using ssh from a Terminal window (on Windows, use putty)

  • User name: "pi"
  • Passwort: "raspberry"

:wrench: If not already done, change the password using the passwd command, before anyone else takes control of your device

:wrench: All the following commands will be executed as the superuser: sudo -s

:wrench: Install the software (Apache+PHP, Let's Encrypt/CertBot, ejabberd, and git)

apt update && apt upgrade
apt install dirmngr apt-transport-https
echo deb http://http.debian.net/debian stretch-backports main > /etc/apt/sources.list.d/backports.list
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553
echo deb https://dl.jsxc.org stable main > /etc/apt/sources.list.d/jsxc.list
wget -qO - https://dl.jsxc.org/archive.key | apt-key add -
apt update
apt install -t stretch-backports ejabberd
apt install apache2 libapache2-mod-php php-gd php-json php-sqlite3 php-curl php-mbstring php-intl php-imagick php-xml php-zip
apt install python-certbot-apache xcauth python3-bsddb3 python3-systemd

:warning: If you have trouble with the PHP modules, check the Nextcloud installation instructions

:wrench: Install automatic security updates: apt install unattended-upgrades

:wrench: Download the latest version of Nextcloud:

cd /var/www
wget https://download.nextcloud.com/server/releases/latest.tar.bz2
tar xfj latest.tar.bz2
chown -R www-data:www-data nextcloud
rm latest.tar.bz2

See also the offical Nextcloud install instructions.

Configuration of Apache including HTTPS

:wrench: the contents of /etc/apache2/sites-available/000-default.conf with (adapted from the Nextcloud admin documentation:

<VirtualHost *:80>
  ServerName SERVERNAME

  DocumentRoot /var/www/nextcloud
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  ProxyPass /http-bind/ http://localhost:5280/http-bind/
  ProxyPassReverse /http-bind/ http://localhost:5280/http-bind/
  ProxyPreserveHost On
</VirtualHost>

<Directory /var/www/nextcloud/>
  Options +FollowSymlinks
  AllowOverride All

 <IfModule mod_dav.c>
  Dav off
 </IfModule>

 SetEnv HOME /var/www/nextcloud
 SetEnv HTTP_HOME /var/www/nextcloud
</Directory>

:wrench: Create a new file /etc/apache2/sites-available/userdata.conf with these contents:

<VirtualHost *:80>
  ServerName userdata.SERVERNAME
  # Mostly to satisfy certbot
  ServerAlias conference.SERVERNAME pubsub.SERVERNAME
  # This DocumentRoot is irrelevant, but match ejabberd.conf anyway
  DocumentRoot /var/www/userdata
  ErrorLog ${APACHE_LOG_DIR}/userdata_error.log
  CustomLog ${APACHE_LOG_DIR}/userdata_access.log combined
  ProxyPass / http://localhost:5288/
  ProxyPassReverse / http://localhost:5288/
  ProxyPreserveHost On
</VirtualHost>

:wrench: Finalize the configuration:

mkdir --mode=660 /var/www/userdata
chown ejabberd:ejabberd /var/www/userdata
a2enmod headers env dir mime proxy proxy_http
a2ensite userdata

:wrench: Activate HTTPS encryption (and automatic certificate renewal):

(if you did not obtain the extra DNS entries, then instead of the certbot line below, use certbot run --authenticator standalone --installer apache --redirect --uir --hsts --staple-ocsp -d $S)

S=SERVERNAME
apache2ctl stop
certbot run --authenticator standalone --installer apache --redirect --uir --hsts --staple-ocsp -d $S -d userdata.$S -d conference.$S -d pubsub.$S
chgrp -R ssl-cert /etc/letsencrypt/{archive,live}
chmod -R g+rX,o-rwx /etc/letsencrypt/{archive,live}
apache2ctl start

Configure Nextcloud

:wrench: Point your Webbrowser to the host name and configure Nextcloud (keep sqlite as the database for now; if you want, you can change it later, if the need arises). Install the JSXC App (JavaScript XMPP Client in social).

:wrench: Create (at least) two users for the following experiments.

:warning: These usernames should only consist of lower case ASCII letters (az), digits (09), and the dash (-). Especially no spaces or @ signs.

:wrench: Put these users into one group for additional comfort later. If you have no idea how to name your group, call it 'Pioneers'.

:eyes: Milestone 1: Try the internal chat

:wrench: in as two of the users and send messages. For this, we recommend two separate machines. Two machines are required for video chat (which we will see later), but if you use a different browser (e.g., Firefox and Chrome) or different containers within the same browser for each of the users, sending text messages does not require a second machine.

:cry: Disadvantage: This is a closed system and only works inside Nextcloud, not between different servers and only from the browser.

Activate federated chat

:wrench: NextcloudSettingsJavaScript XMPP Client: Switch to Managed Chat, click Register. (This takes about 30 seconds; most of it is waiting for the required Let's Encrypt certificates.)

:eyes: Milestone 2a: Try federated chat

  • In the workshop, talk among users from different Raspberries.
  • At home, talk to someone who already has an XMPP account somewhere else.
  • If your friends are not yet into XMPP, create a free account on a public XMPP server such as Movim or Chinwag

Chat between these Nextcloud/JSXC instances (text or video). Z.B. zwischen user1@SERVERNAME.jsxc.ch und user2@SOME-OTHER-SERVERNAME.jsxc.ch (:warning: For users on the managed server, the domain ends in jsxc.ch!)

:eyes: Milestone 2b: Federated file sharing

:pushpin: The commands in this section can be skipped, if you do not know a user which has another Nextcloud+JSXC+XMPP server. Then, just read it to know the motivation for the following steps.

Of course, Nextcloud also allows you to share files between the instances as part of their file sharing function.

Share files or directories between the users user1@SERVERNAME und user2@SOME-OTHER-SERVERNAME

:cry: Disadvantage: The domain name differs between applications, as the servers providing the services (files or chat) are under different management. This is, because the managed server is operated somewhere else (and provides domains ending in jsxc.ch).

Set up your own XMPP server on the Raspberry Pi under your own Domain

This setup will result in an XMPP server which achieves 100% compatibility in the Conversations Compliance Chart.

:wrench: Replace the contents of /etc/ejabberd/ejabberd.yml with the contents of the example file /etc/ejabberd/ejabberd.yml-xcauth-example, replacing SERVERNAME as usual.

(:wrench: At a later time, you might want to adapt loglevel (less output with 3) and acladminusers (list of users that can send administrative commands) above.)

:wrench: Modify /etc/xcauth.conf so that url (API URL) and secret (Secure API token) from your Nextcloud. You obtain these values as follows:

In your Browser, as an administrator of your Nextcloud, navigate to Nextcloud→Settings→Administration→JavaScript XMPP Client and change the Server type to External. Further down on the page, you will see API URL and Secure API token. Make sure the Secure API token does not fall into the wrong hands, as it can be used to impersonate any user to the XMPP server

:wrench: Uncomment (=activate) the line ejabberdctl=/usr/sbin/xcejabberdctl in /etc/xcauth.conf to enable automatic maintenance of shared roster groups. As a result, a user will see the fellow Nextcloud group members in their roster, and be allowed to view their presence.

:wrench: Execute the following commands:

chown -R xcauth:xcauth /etc/xcauth.conf /var/{lib,log}/xcauth
chmod 640 /etc/xcauth.conf
xcrestart
adduser ejabberd ssl-cert
openssl dhparam -out /etc/ejabberd/dhparams.pem 2048

openssl dhparam can take more than half an hour on a Raspberry Pi. If this is too long for you, run the command on a faster machine and copy /etc/ejabberd/dhparams.pem. If all else fails, use the file in /etc/ejabberd/dhparams.pem-xcauth-example.

:wrench: And then continue here:

service ejabberd restart

:wrench: Now change the Nextcloud JSXC settings as follows.

:warning: Ignore "BOSH server unreachable" errors until you have changed both XMPP Domain or BOSH URL.

  • Server type: Set to "External" (if it isn't already)
  • XMPP Domain: Change to your DynDNS name
  • BOSH URL: Change to https://SERVERNAME/http-bind/
  • External Services: Delete all, then add userdata.SERVERNAME Everything else is already set correctly by the managed server settings.
  • :bangbang:Save settings:bangbang: (at the very bottom of the page)

:cry: For video chat, you need a STUN or better a TURN server, to facilitate setting up a connection between clients behind NAT. This is not easily possible from a machine itself behind NAT or using a dynamic IP address. Therefore, we retain turn.jsxc.ch.

:eyes: Milestone 3: Try the chat with your own domain

Now the users are called user1@SERVERNAME, both for XMPP as well as for Nextcloud. Now, only mail addresses are missing for that domain…

Applications

If you do not want to solely use this from the web browser, there are several apps to chose from:

:sunglasses: Enjoy the liberty and privacy of your own server!

References

This how-to was compiled using information from:

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.