nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

Vultr Deployment Guide - Secure XMPP Server

Complete guide to deploying a hardened XMPP server on Vultr.


Step 1: Create Vultr Instance

  1. Log in to Vultr
  2. Click "Deploy New Server"
  3. Choose:
    • Server Type: Cloud Compute
    • Location: Closest to you/friends (e.g., New York, Los Angeles)
    • Image: NixOS 24.05 (if available) OR Ubuntu 22.04 (we'll install NixOS)
    • Plan: $6/month (1 CPU, 1GB RAM) - sufficient for <50 users
    • Additional Features: Enable IPv6 (optional)
  4. SSH Keys: Upload your SSH public key (see Step 2)
  5. Server Hostname: xmpp.yourdomain.com
  6. Click "Deploy Now"

Wait ~5 minutes for deployment.


Step 2: Generate SSH Key (Local Machine)

If you don't have an SSH key:

# Generate ED25519 key (most secure)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Press Enter for default location (~/.ssh/id_ed25519)
# Set a strong passphrase (optional but recommended)

# Display public key (copy this)
cat ~/.ssh/id_ed25519.pub

Copy the output (starts with ssh-ed25519 AAAA...) - you'll need it.


Step 3: Initial SSH Connection

# Get IP from Vultr dashboard
ssh root@YOUR_SERVER_IP

# If using custom key location:
ssh -i ~/.ssh/id_ed25519 root@YOUR_SERVER_IP

Step 4: Install NixOS (If Not Pre-installed)

If Vultr provided NixOS, skip to Step 5.

If you started with Ubuntu:

# On the Vultr server (as root):
curl -L https://nixos.org/nix/install | sh
source ~/.nix-profile/etc/profile.d/nix.sh

# Install NixOS
nix-env -iA nixos.nixos-install-tools

# Follow NixOS installation guide:
# https://nixos.org/manual/nixos/stable/#sec-installing-from-other-distro

Or easier: Use Vultr's Custom ISO feature to upload NixOS ISO and reinstall from scratch.


Step 5: Clone Your Config

On your local machine:

cd ~/nixos-dotfiles

# Add Vultr-specific config
cp xmpp.nix vultr-xmpp.nix
cp vultr-security.nix .

# Edit configurations (see Step 6)

Step 6: Configure Files

A. Edit vultr-security.nix

vim vultr-security.nix

Change line 66:

users.users.tony = {  # CHANGE THIS to your username

To your desired username (e.g., users.users.alice).

Change lines 77-83 to add your SSH public key:

openssh.authorizedKeys.keys = [
  "ssh-ed25519 AAAAC3Nza... your@email.com"  # Paste your key here
];

B. Edit xmpp.nix

vim xmpp.nix

Change line 12:

domain = "yourdomain.com";  # CHANGE THIS

To your actual domain (e.g., chat.example.com).

Change line 126:

defaults.email = "admin@yourdomain.com";  # CHANGE THIS

Step 7: Create configuration.nix for Vultr

Create /home/tony/nixos-dotfiles/vultr-configuration.nix:

{ config, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix  # Will be generated on server
    ./xmpp.nix
    ./vultr-security.nix
  ];

  # Boot loader
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";  # Vultr uses virtio

  # Hostname
  networking.hostName = "xmpp";

  # Time zone
  time.timeZone = "America/New_York";  # Change to your timezone

  # Networking (Vultr provides DHCP)
  networking.useDHCP = true;

  # System packages
  environment.systemPackages = with pkgs; [
    vim
    git
    htop
    tmux
  ];

  # NixOS version
  system.stateVersion = "24.05";  # Match your NixOS version
}

Step 8: Deploy to Vultr

Option A: Copy Files Manually

On your local machine:

# Copy the .nix files straight into /etc/nixos (not into a subdirectory,
# otherwise the relative imports in vultr-configuration.nix won't resolve)
scp ~/nixos-dotfiles/*.nix root@YOUR_SERVER_IP:/etc/nixos/

# SSH into server
ssh root@YOUR_SERVER_IP

# On server: Generate hardware config
nixos-generate-config --show-hardware-config > /etc/nixos/hardware-configuration.nix

# nixos-rebuild reads /etc/nixos/configuration.nix, so point it at the Vultr config
ln -sf vultr-configuration.nix /etc/nixos/configuration.nix

# Rebuild
nixos-rebuild switch

Option B: Git Deploy (Recommended)

On your local machine:

cd ~/nixos-dotfiles
git init
git add xmpp.nix vultr-security.nix vultr-configuration.nix
git commit -m "Initial Vultr config"

# Push to private repo (GitHub, GitLab, etc.)
git branch -M main   # git init may have created "master"; the push below expects "main"
git remote add origin git@github.com:yourusername/nixos-server-config.git
git push -u origin main

On Vultr server:

# Clone your config (git refuses to clone into a non-empty directory, so move
# any configuration.nix that the Vultr image left in /etc/nixos aside first)
cd /etc/nixos
git clone git@github.com:yourusername/nixos-server-config.git .

# Generate hardware config
nixos-generate-config --show-hardware-config > hardware-configuration.nix

# nixos-rebuild reads configuration.nix, so point it at the Vultr config
ln -sf vultr-configuration.nix configuration.nix

# Build and switch
nixos-rebuild switch

Step 9: DNS Configuration

In your domain registrar (e.g., Namecheap, Cloudflare):

Required DNS Records:

Type  Name                                Value                           TTL
----  ----                                -----                           ---
A     chat.yourdomain.com                 YOUR_SERVER_IP                  300
A     conference.yourdomain.com           YOUR_SERVER_IP                  300
A     upload.yourdomain.com               YOUR_SERVER_IP                  300

SRV   _xmpp-client._tcp.yourdomain.com    0 5 5222 chat.yourdomain.com.   300
SRV   _xmpp-server._tcp.yourdomain.com    0 5 5269 chat.yourdomain.com.   300

The SRV value is in zone-file order: priority, weight, port, target (with trailing dot).

SRV Record Format (if your DNS provider asks):

  • Service: _xmpp-client
  • Protocol: _tcp
  • Priority: 0
  • Weight: 5
  • Port: 5222
  • Target: chat.yourdomain.com. (note the trailing dot)

Wait 5-10 minutes for DNS propagation.

Test DNS:

dig chat.yourdomain.com
dig SRV _xmpp-client._tcp.yourdomain.com
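The SRV rows above are easy to get wrong (field order, missing trailing dot, a "." target), and a bad record makes every client fall back to guessing the host. This added helper is not part of the nixos-dotfiles repo; the function names are my own. It validates the RDATA lines that dig +short SRV returns for the two records the guide creates:

```shell
#!/usr/bin/env bash
# check-xmpp-srv.sh: added helper, not part of the nixos-dotfiles repo.
# Validates an XMPP SRV record's RDATA ("priority weight port target.")
# against the port the guide expects: 5222 for _xmpp-client, 5269 for
# _xmpp-server.

# check_srv_rdata <expected-port> <rdata-line>
# Returns 0 when the line is well formed, 1 (with a reason on stderr) otherwise.
check_srv_rdata() {
  local want_port=$1 rdata=$2
  local prio weight port target n
  set -- $rdata   # intentional word splitting into the four SRV fields
  if [ $# -ne 4 ]; then
    echo "expected 4 fields (priority weight port target) in: $rdata" >&2
    return 1
  fi
  prio=$1; weight=$2; port=$3; target=$4
  for n in "$prio" "$weight" "$port"; do
    case "$n" in
      *[!0-9]*) echo "non-numeric field '$n' in: $rdata" >&2; return 1 ;;
    esac
  done
  if [ "$port" != "$want_port" ]; then
    echo "port is $port, expected $want_port (fields in wrong order?)" >&2
    return 1
  fi
  case "$target" in
    .)  echo "target '.' advertises the service as unavailable" >&2; return 1 ;;
    *.) ;;   # fully qualified with trailing dot, as the guide requires
    *)  echo "target '$target' lacks the trailing dot" >&2; return 1 ;;
  esac
  return 0
}

# check_srv_live <domain> <service> <expected-port>
# Queries the live record, e.g.: check_srv_live yourdomain.com xmpp-client 5222
check_srv_live() {
  local domain=$1 service=$2 port=$3 name records
  name="_${service}._tcp.${domain}"
  records=$(dig +short SRV "$name")
  [ -n "$records" ] || { echo "no SRV record for $name" >&2; return 1; }
  printf '%s\n' "$records" | while IFS= read -r line; do
    check_srv_rdata "$port" "$line" || exit 1   # exit leaves only the pipeline subshell
  done
}
```

Run check_srv_live for both xmpp-client (5222) and xmpp-server (5269) after the records have propagated.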

Step 10: First Deploy and Test

On the Vultr server (as root):

# Switch to new config
nixos-rebuild switch

# This will:
# - Install Prosody
# - Configure firewall
# - Get Let's Encrypt SSL certificates
# - Set up fail2ban
# - Harden SSH

# IMPORTANT: Before logging out, test SSH with your new user!

Step 11: Test New User SSH (CRITICAL!)

Open a NEW terminal window (don't close root session yet):

# Test SSH with your new user
ssh youruser@YOUR_SERVER_IP

# If this works, great! If not, fix it before logging out as root.

If SSH works, continue. If not:

  • Check your SSH key is correct in vultr-security.nix
  • Verify user is in wheel group
  • Check systemctl status sshd

Step 12: Create XMPP Admin Account

On the Vultr server (as your user, using sudo):

# Create admin account
sudo prosodyctl adduser admin@yourdomain.com

# Enter a strong password when prompted

Step 13: Create User Accounts

# Create accounts for friends
sudo prosodyctl adduser alice@yourdomain.com
sudo prosodyctl adduser bob@yourdomain.com
sudo prosodyctl adduser charlie@yourdomain.com

# List all users
sudo prosodyctl list:users

Step 14: Test XMPP Connection

From your local machine:

  1. Install an XMPP client:

    • Linux: nix-shell -p dino or sudo apt install dino-im
    • Mac: Download Monal from App Store
    • Windows: Download Gajim
  2. Add account:

    • Jabber ID: admin@yourdomain.com
    • Password: (the one you set)
  3. Connect. If it works, you're done!

Test from command line:

# Test SSL certificate. The XMPP domain is yourdomain.com (not the chat. host),
# so name it explicitly for both the XMPP stream and TLS SNI.
openssl s_client -connect chat.yourdomain.com:5222 -starttls xmpp \
  -xmpphost yourdomain.com -servername yourdomain.com

# Should show certificate details and "Verify return code: 0 (ok)"

Step 15: Create Group Rooms

In your XMPP client (logged in as admin):

  1. Join/Create Room:

    • Address: #general@conference.yourdomain.com
    • It will auto-create
  2. Make Room Persistent:

    • Open room settings/config
    • Enable "Persistent" and "Public"
  3. Repeat for other rooms:

    • #random@conference.yourdomain.com
    • #tech@conference.yourdomain.com
    • #gaming@conference.yourdomain.com

Step 16: Lock Down Root (Final Hardening)

Only do this after confirming your user account SSH works!

On the Vultr server:

# Lock root account (already done in config, but verify)
sudo passwd -l root

# Verify the effective SSH config (sshd -T prints lower-case keywords)
sudo sshd -T | grep -i permitrootlogin
# Should show: permitrootlogin no

# Restart SSH
sudo systemctl restart sshd

Test that root SSH is blocked:

# From your local machine (should fail):
ssh root@YOUR_SERVER_IP
# Expected: Permission denied

Step 17: Give Friends Access

Send each friend:

  1. Their credentials:

    • Username: theirname@yourdomain.com
    • Password: (the one you created)
  2. The setup guide:

    • Share xmpp-setup.md with them
  3. Room invitations:

    • Tell them to join #general@conference.yourdomain.com

Maintenance Commands

Checking Status

# Prosody status
sudo systemctl status prosody

# View logs
sudo journalctl -u prosody -f

# Check connected users
sudo prosodyctl about

Managing Users

# Add user
sudo prosodyctl adduser newuser@yourdomain.com

# Change password
sudo prosodyctl passwd username@yourdomain.com

# Delete user
sudo prosodyctl deluser baduser@yourdomain.com

# List users
sudo prosodyctl list:users

Fail2ban Status

# Check banned IPs
sudo fail2ban-client status sshd

# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4

Updating System

# Update NixOS
sudo nixos-rebuild switch --upgrade

# Or manually pull latest config from git
cd /etc/nixos
git pull
sudo nixos-rebuild switch

Troubleshooting

Can't connect to XMPP server?

# Check Prosody is running
sudo systemctl status prosody

# Check firewall
sudo iptables -L -n -v | grep 5222

# Check SSL certificates for all configured hosts
sudo prosodyctl check certs

Let's Encrypt certificate failed?

# Check ACME status
sudo systemctl status acme-yourdomain.com

# View logs
sudo journalctl -u acme-yourdomain.com

# Common issues:
# - DNS not pointing to server yet (wait 10 minutes)
# - Port 80/443 blocked (check firewall)
# - Rate limit hit (Let's Encrypt limits 5 certs/week)

SSH locked out?

Use Vultr's web console:

  1. Go to Vultr dashboard
  2. Click your server
  3. Click "View Console"
  4. Log in as root (if you haven't locked it yet)

Security Checklist

  • [ ] Root login disabled
  • [ ] SSH key-only authentication
  • [ ] Fail2ban enabled
  • [ ] Firewall rules active
  • [ ] SSL certificates valid
  • [ ] Sudo requires password
  • [ ] Non-standard SSH port (optional)
  • [ ] Automatic updates enabled
  • [ ] Logs being written

Verify:

sudo systemctl status sshd
sudo systemctl status fail2ban
sudo systemctl status prosody
sudo iptables -L -v
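The SSH items on the checklist can be verified mechanically rather than by eyeballing systemctl output. This added script is not part of the nixos-dotfiles repo and its function names are my own; it parses the effective configuration that sshd -T prints and reports every setting that contradicts the checklist:

```shell
#!/usr/bin/env bash
# audit-sshd.sh: added helper, not part of the nixos-dotfiles repo.
# Reads the *effective* sshd configuration (the "keyword value" lines that
# `sshd -T` prints) on stdin and checks it against the checklist above:
# root login disabled, key-only authentication, no empty passwords.

# audit_sshd_config < effective-config
# Prints one "FAIL" line per problem; returns 0 only when every check passes.
audit_sshd_config() {
  local config failures pair key want got
  config=$(cat)        # capture stdin so each keyword can be looked up
  failures=0
  # sshd -T prints keywords in lower case. kbdinteractiveauthentication is the
  # OpenSSH 8.7+ name; older releases print challengeresponseauthentication.
  for pair in permitrootlogin=no passwordauthentication=no \
              kbdinteractiveauthentication=no pubkeyauthentication=yes \
              permitemptypasswords=no; do
    key=${pair%%=*}
    want=${pair#*=}
    got=$(printf '%s\n' "$config" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      echo "FAIL $key missing from effective config"
      failures=1
    elif [ "$got" != "$want" ]; then
      echo "FAIL $key is '$got', expected '$want'"
      failures=1
    else
      echo "ok   $key $got"
    fi
  done
  return "$failures"
}

# Run on the server; sshd -T needs root to read the host keys.
audit_sshd_live() {
  sudo sshd -T | audit_sshd_config
}
```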

Cost Estimate

  • Vultr VPS: $6/month (1GB RAM)
  • Domain name: ~$12/year
  • Total: ~$84/year ($7/month)

Compare to Discord Nitro: $10/month with worse privacy.


Next Steps

  1. Invite friends (share xmpp-setup.md)
  2. Create more rooms as needed
  3. Set up backups (see below)
  4. Optional: Add voice/video (Jitsi Meet)

Backup Strategy (Recommended)

What to backup:

  • User accounts: /var/lib/prosody/
  • SSL certs: /var/lib/acme/
  • Config: /etc/nixos/

Simple backup script:

#!/usr/bin/env bash
# backup-xmpp.sh
set -euo pipefail

BACKUP_DIR="/root/backups"
DATE=$(date +%Y%m%d)

mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"   # archives contain account data and private keys

# Backup Prosody data (accounts, rosters, room state)
tar czf "$BACKUP_DIR/prosody-$DATE.tar.gz" /var/lib/prosody/

# Backup SSL certificates and ACME account state
tar czf "$BACKUP_DIR/acme-$DATE.tar.gz" /var/lib/acme/

# Backup configs
tar czf "$BACKUP_DIR/nixos-$DATE.tar.gz" /etc/nixos/

# Keep last 7 days
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete

Automate:

# Add to configuration.nix (first make the script executable: chmod +x /root/backup-xmpp.sh)
systemd.timers.xmpp-backup = {
  wantedBy = [ "timers.target" ];
  timerConfig = {
    OnCalendar = "daily";
    Persistent = true;
  };
};

systemd.services.xmpp-backup = {
  serviceConfig.ExecStart = "/root/backup-xmpp.sh";
};

You're Done!

Your XMPP server is now running, hardened, and ready for your friends.

Share this guide with friends: xmpp-setup.md

Welcome to decentralized, private communication. 🎉