# Vultr Deployment Guide - Secure XMPP Server

Complete guide to deploying a hardened XMPP server on Vultr.

---

## Step 1: Create Vultr Instance

1. Log in to [Vultr](https://vultr.com)
2. Click **"Deploy New Server"**
3. Choose:
   - **Server Type:** Cloud Compute
   - **Location:** Closest to you/friends (e.g., New York, Los Angeles)
   - **Image:** NixOS 24.05 (if available) OR Ubuntu 22.04 (we'll install NixOS)
   - **Plan:** $6/month (1 CPU, 1GB RAM) - sufficient for <50 users
   - **Additional Features:** Enable IPv6 (optional)
4. **SSH Keys:** Upload your SSH public key (see Step 2)
5. **Server Hostname:** `xmpp.yourdomain.com`
6. Click **"Deploy Now"**

Wait ~5 minutes for deployment.

---

## Step 2: Generate SSH Key (Local Machine)

If you don't have an SSH key:

```bash
# Generate an ED25519 key (recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Press Enter for the default location (~/.ssh/id_ed25519)
# Set a strong passphrase (optional but recommended)

# Display the public key (copy this)
cat ~/.ssh/id_ed25519.pub
```

**Copy the output** (starts with `ssh-ed25519 AAAA...`) - you'll need it.

---

## Step 3: Initial SSH Connection

```bash
# Get the IP from the Vultr dashboard
ssh root@YOUR_SERVER_IP

# If using a custom key location:
ssh -i ~/.ssh/id_ed25519 root@YOUR_SERVER_IP
```

---

## Step 4: Install NixOS (If Not Pre-installed)

**If Vultr provided NixOS, skip to Step 5.**

**If you started with Ubuntu:**

```bash
# On the Vultr server (as root):
curl -L https://nixos.org/nix/install | sh
source ~/.nix-profile/etc/profile.d/nix.sh

# Install NixOS
nix-env -iA nixos.nixos-install-tools

# Follow the NixOS installation guide:
# https://nixos.org/manual/nixos/stable/#sec-installing-from-other-distro
```

Or easier: use Vultr's Custom ISO feature to upload a NixOS ISO and reinstall from scratch.

---

## Step 5: Clone Your Config

On your **local machine**:

```bash
cd ~/nixos-dotfiles

# Add Vultr-specific config
cp xmpp.nix vultr-xmpp.nix
cp vultr-security.nix .

# Edit configurations (see Step 6)
```

---

## Step 6: Configure Files

### **A. Edit `vultr-security.nix`**

```bash
vim vultr-security.nix
```

**Change line 66:**

```nix
users.users.tony = {  # CHANGE THIS to your username
```

To your desired username (e.g., `users.users.alice`).

**Change lines 77-83:** Add your SSH public key:

```nix
openssh.authorizedKeys.keys = [
  "ssh-ed25519 AAAAC3Nza... your@email.com"  # Paste your key here
];
```

### **B. Edit `xmpp.nix`**

```bash
vim xmpp.nix
```

**Change line 12:**

```nix
domain = "yourdomain.com";  # CHANGE THIS
```

To your actual domain (e.g., `chat.example.com`).

**Change line 126:**

```nix
defaults.email = "admin@yourdomain.com";  # CHANGE THIS
```

---

## Step 7: Create `configuration.nix` for Vultr

Create `/home/tony/nixos-dotfiles/vultr-configuration.nix`:

```nix
{ config, pkgs, ... }:

{
  imports = [
    ./hardware-configuration.nix  # Will be generated on the server
    ./xmpp.nix
    ./vultr-security.nix
  ];

  # Boot loader
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";  # Vultr uses virtio

  # Hostname
  networking.hostName = "xmpp";

  # Time zone
  time.timeZone = "America/New_York";  # Change to your timezone

  # Networking (Vultr provides DHCP)
  networking.useDHCP = true;

  # System packages
  environment.systemPackages = with pkgs; [
    vim
    git
    htop
    tmux
  ];

  # NixOS version
  system.stateVersion = "24.05";  # Match your NixOS version
}
```

Note that `nixos-rebuild` reads `/etc/nixos/configuration.nix` by default, so whichever deploy option you choose in Step 8, this file must end up at that path on the server (rename it, or symlink `configuration.nix` to it).

---

## Step 8: Deploy to Vultr

### **Option A: Copy Files Manually**

On your **local machine**:

```bash
# Copy config files to the server
scp -r ~/nixos-dotfiles root@YOUR_SERVER_IP:/etc/nixos/

# SSH into the server
ssh root@YOUR_SERVER_IP

# On the server: generate the hardware config
nixos-generate-config --show-hardware-config > /etc/nixos/hardware-configuration.nix

# Rebuild
nixos-rebuild switch
```

### **Option B: Git Deploy (Recommended)**

On your **local machine**:

```bash
cd ~/nixos-dotfiles
git init
git add xmpp.nix vultr-security.nix vultr-configuration.nix
git commit -m "Initial Vultr config"

# Push to a private repo (GitHub, GitLab, etc.)
git remote add origin git@github.com:yourusername/nixos-server-config.git
git push -u origin main
```

On the **Vultr server**:

```bash
# Clone your config
cd /etc/nixos
git clone git@github.com:yourusername/nixos-server-config.git .

# Generate the hardware config
nixos-generate-config --show-hardware-config > hardware-configuration.nix

# Build and switch
nixos-rebuild switch
```

---

## Step 9: DNS Configuration

In your domain registrar (e.g., Namecheap, Cloudflare):

### **Required DNS Records:**

```
Type  Name                        Value                             TTL
----  ----                        -----                             ---
A     chat.yourdomain.com         YOUR_SERVER_IP                    300
A     conference.yourdomain.com   YOUR_SERVER_IP                    300
A     upload.yourdomain.com       YOUR_SERVER_IP                    300
SRV   _xmpp-client._tcp           0 5 5222 chat.yourdomain.com.     300
SRV   _xmpp-server._tcp           0 5 5269 chat.yourdomain.com.     300
```

(SRV value order: priority, weight, port, target. The SRV names are relative to `yourdomain.com`, the XMPP domain, and the target must be a hostname with an A record, not a CNAME.)

**SRV Record Format (if your DNS provider asks):**

- **Service:** `_xmpp-client`
- **Protocol:** `_tcp`
- **Priority:** `0`
- **Weight:** `5`
- **Port:** `5222`
- **Target:** `chat.yourdomain.com.` (note the trailing dot)

Wait 5-10 minutes for DNS propagation.

**Test DNS:**

```bash
dig chat.yourdomain.com
dig SRV _xmpp-client._tcp.yourdomain.com
```

---

## Step 10: First Deploy and Test

On the **Vultr server** (as root):

```bash
# Switch to the new config
nixos-rebuild switch

# This will:
# - Install Prosody
# - Configure the firewall
# - Get Let's Encrypt SSL certificates
# - Set up fail2ban
# - Harden SSH

# IMPORTANT: Before logging out, test SSH with your new user!
```

---

## Step 11: Test New User SSH (CRITICAL!)

**Open a NEW terminal window** (don't close the root session yet):

```bash
# Test SSH with your new user
ssh youruser@YOUR_SERVER_IP

# If this works, great! If not, fix it before logging out as root.
```

**If SSH works, continue. If not:**

- Check that your SSH key is correct in `vultr-security.nix`
- Verify the user is in the `wheel` group
- Check `systemctl status sshd`

---

## Step 12: Create XMPP Admin Account

On the **Vultr server** (as your user, using sudo):

```bash
# Create the admin account
sudo prosodyctl adduser admin@yourdomain.com

# Enter a strong password when prompted
```

---

## Step 13: Create User Accounts

```bash
# Create accounts for friends
sudo prosodyctl adduser alice@yourdomain.com
sudo prosodyctl adduser bob@yourdomain.com
sudo prosodyctl adduser charlie@yourdomain.com

# List all users
sudo prosodyctl list:users
```

---

## Step 14: Test XMPP Connection

### **From your local machine:**

1. Install an XMPP client:
   - **Linux:** `nix-shell -p dino` or `sudo apt install dino-im`
   - **Mac:** Download Monal from the App Store
   - **Windows:** Download Gajim
2. Add account:
   - **Jabber ID:** `admin@yourdomain.com`
   - **Password:** (the one you set)
3. Connect. If it works, you're done!

### **Test from the command line:**

```bash
# Test the TLS certificate. -xmpphost names the XMPP domain, which differs
# from the host you connect to; without it the server may present the wrong certificate.
openssl s_client -connect chat.yourdomain.com:5222 -starttls xmpp -xmpphost yourdomain.com

# Should show certificate details and "Verify return code: 0 (ok)"
```

---

## Step 15: Create Group Rooms

In your XMPP client (logged in as admin):

1. **Join/Create Room:**
   - Address: `#general@conference.yourdomain.com`
   - It will auto-create
2. **Make Room Persistent:**
   - Open room settings/config
   - Enable "Persistent" and "Public"
3. **Repeat for other rooms:**
   - `#random@conference.yourdomain.com`
   - `#tech@conference.yourdomain.com`
   - `#gaming@conference.yourdomain.com`

---

## Step 16: Lock Down Root (Final Hardening)

**Only do this after confirming your user account SSH works!**

On the **Vultr server**:

```bash
# Lock the root account (already done in config, but verify)
sudo passwd -l root

# Verify the SSH config: the file, then the effective setting sshd is running with
sudo grep PermitRootLogin /etc/ssh/sshd_config
sudo sshd -T | grep -i permitrootlogin
# Should show: PermitRootLogin no (sshd -T prints it in lowercase)

# Restart SSH
sudo systemctl restart sshd
```

**Test that root SSH is blocked:**

```bash
# From your local machine (should fail):
ssh root@YOUR_SERVER_IP

# Expected: Permission denied
```

---

## Step 17: Give Friends Access

Send each friend:

1. **Their credentials:**
   - Username: `theirname@yourdomain.com`
   - Password: (the one you created)
2. **The setup guide:**
   - Share `xmpp-setup.md` with them
3. **Room invitations:**
   - Tell them to join `#general@conference.yourdomain.com`

---

## Maintenance Commands

### **Checking Status**

```bash
# Prosody status
sudo systemctl status prosody

# View logs
sudo journalctl -u prosody -f

# Show Prosody version and build info
sudo prosodyctl about
```

### **Managing Users**

```bash
# Add user
sudo prosodyctl adduser newuser@yourdomain.com

# Change password
sudo prosodyctl passwd username@yourdomain.com

# Delete user
sudo prosodyctl deluser baduser@yourdomain.com

# List users
sudo prosodyctl list:users
```

### **Fail2ban Status**

```bash
# Check banned IPs
sudo fail2ban-client status sshd

# Unban an IP
sudo fail2ban-client set sshd unbanip 1.2.3.4
```

### **Updating System**

```bash
# Update NixOS
sudo nixos-rebuild switch --upgrade

# Or manually pull the latest config from git
cd /etc/nixos
git pull
sudo nixos-rebuild switch
```

---

## Troubleshooting

### **Can't connect to XMPP server?**

```bash
# Check Prosody is running
sudo systemctl status prosody

# Check the firewall
sudo iptables -L -n -v | grep 5222

# Check the SSL certificate
sudo prosodyctl check certs
```

### **Let's Encrypt certificate failed?**

```bash
# Check ACME status
sudo systemctl status acme-yourdomain.com

# View logs
sudo journalctl -u acme-yourdomain.com

# Common issues:
# - DNS not pointing to the server yet (wait 10 minutes)
# - Port 80/443 blocked (check the firewall)
# - Rate limit hit (Let's Encrypt limits 5 certs/week)
```

### **SSH locked out?**

Use Vultr's web console:

1. Go to the Vultr dashboard
2. Click your server
3. Click "View Console"
4. Log in as root (if you haven't locked it yet)

---

## Security Checklist

- [ ] Root login disabled
- [ ] SSH key-only authentication
- [ ] Fail2ban enabled
- [ ] Firewall rules active
- [ ] SSL certificates valid
- [ ] Sudo requires password
- [ ] Non-standard SSH port (optional)
- [ ] Automatic updates enabled
- [ ] Logs being written

**Verify:**

```bash
sudo systemctl status sshd
sudo systemctl status fail2ban
sudo systemctl status prosody
sudo iptables -L -v
```

---

## Cost Estimate

- **Vultr VPS:** $6/month (1GB RAM)
- **Domain name:** ~$12/year
- **Total:** ~$84/year ($7/month)

Compare to Discord Nitro: $10/month with worse privacy.

---

## Next Steps

1. Invite friends (share `xmpp-setup.md`)
2. Create more rooms as needed
3. Set up backups (see below)
4. Optional: Add voice/video (Jitsi Meet)

---

## Backup Strategy (Recommended)

**What to backup:**

- User accounts: `/var/lib/prosody/`
- SSL certs: `/var/lib/acme/`
- Config: `/etc/nixos/`

**Simple backup script:**

```bash
#!/usr/bin/env bash
# backup-xmpp.sh
set -euo pipefail

BACKUP_DIR="/root/backups"
DATE=$(date +%Y%m%d)
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"  # archives contain password hashes and private keys

# Backup Prosody data (accounts, rosters, room config)
tar czf "$BACKUP_DIR/prosody-$DATE.tar.gz" /var/lib/prosody/

# Backup Let's Encrypt certificates and keys
tar czf "$BACKUP_DIR/acme-$DATE.tar.gz" /var/lib/acme/

# Backup configs
tar czf "$BACKUP_DIR/nixos-$DATE.tar.gz" /etc/nixos/

# Keep the last 7 days
find "$BACKUP_DIR" -name "*.tar.gz" -mtime +7 -delete
```

**Automate:**

```nix
# Add to configuration.nix (the script must be executable: chmod +x /root/backup-xmpp.sh)
systemd.timers.xmpp-backup = {
  wantedBy = [ "timers.target" ];
  timerConfig = {
    OnCalendar = "daily";
    Persistent = true;
  };
};

systemd.services.xmpp-backup = {
  serviceConfig = {
    Type = "oneshot";
    ExecStart = "/root/backup-xmpp.sh";
  };
};
```

---

## You're Done!

Your XMPP server is now running, hardened, and ready for your friends.

**Share this guide with friends:** `xmpp-setup.md`

Welcome to decentralized, private communication. 🎉
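The `dig` lines in Step 9 only show you the raw records; the script below, an added example that is not part of this guide, cross-checks them the way a client will use them: each `_xmpp-client`/`_xmpp-server` SRV answer must advertise the expected port, and each SRV target must resolve to an A record. The parsing is pure POSIX sh so it can be exercised on constructed `dig +short` output; the live path assumes `dig` is installed and is only used when a domain is passed on the command line. `chat.yourdomain.com` and the `203.0.113.10` address in the comments are placeholders from the guide's examples and the documentation address range.

```shell
#!/bin/sh
# check-xmpp-dns.sh: verify that the Step 9 SRV and A records agree.
set -eu

# Parse one SRV answer in `dig +short` order ("priority weight port target.").
# Prints the target with its trailing dot removed when the port matches $2;
# returns 1 when the line is malformed or advertises a different port.
srv_target_for_port() {
    _expected=$2
    set -- $1                     # word-split into: prio weight port target
    [ "$#" -eq 4 ] || return 1
    [ "$3" = "$_expected" ] || return 1
    printf '%s\n' "${4%.}"
}

# Check a block of SRV answers (one per line) for a service.
#   $1 = answers, $2 = expected port,
#   $3 = name of a function that prints the A record(s) for a hostname
#        (injected so the check can run offline against constructed data)
# Prints one finding per line; returns the number of problems found.
check_srv_answers() {
    _port=$2; _lookup=$3; _problems=0
    if [ -z "$1" ]; then
        printf 'FAIL: no SRV answer at all\n'
        return 1
    fi
    while IFS= read -r _line; do
        [ -n "$_line" ] || continue
        if _target=$(srv_target_for_port "$_line" "$_port"); then
            _addr=$("$_lookup" "$_target" || true)
            if [ -n "$_addr" ]; then
                printf 'ok:   %s -> %s\n' "$_line" "$_addr"
            else
                printf 'FAIL: SRV target %s has no A record\n' "$_target"
                _problems=$((_problems + 1))
            fi
        else
            printf 'FAIL: unexpected SRV answer "%s" (want port %s)\n' "$_line" "$_port"
            _problems=$((_problems + 1))
        fi
    done <<EOF
$1
EOF
    return "$_problems"
}

# Live lookups via dig (assumed installed; bind/dnsutils package).
resolve_a() { dig +short A "$1"; }

# Run both XMPP services for a domain; returns the total number of problems.
check_xmpp_dns() {
    _domain=$1; _total=0
    for _svc in _xmpp-client._tcp:5222 _xmpp-server._tcp:5269; do
        _name=${_svc%%:*}; _p=${_svc##*:}
        printf '== %s.%s\n' "$_name" "$_domain"
        check_srv_answers "$(dig +short SRV "$_name.$_domain")" "$_p" resolve_a \
            || _total=$((_total + $?))
    done
    return "$_total"
}

# Usage: sh check-xmpp-dns.sh yourdomain.com   (exit status 0 = all records consistent)
[ "$#" -eq 0 ] || check_xmpp_dns "$1"
```

Injecting the A-record lookup as a function name is what makes the logic testable without network access; in production the injected function is `resolve_a`, which wraps `dig`.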
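Step 14's `openssl s_client` test and the "SSL certificates valid" checklist item both come down to reading the `Verify return code` line and the certificate's expiry. The script below is an added example, not part of this guide: it parses captured `s_client` output (so the interpretation can be checked on constructed text), and its live check connects with STARTTLS while naming the XMPP domain separately from the host, then fails if the chain does not verify or the certificate expires within 14 days. It assumes `openssl` is installed; the hostnames are the guide's placeholders and the sample output used in the usage note is constructed.

```shell
#!/bin/sh
# check-xmpp-tls.sh: interpret the Step 14 TLS test instead of eyeballing it.
set -eu

# Read `openssl s_client` output on stdin and print the numeric verify code
# (0 means the chain verified). Prints nothing when no handshake summary is present.
tls_verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Read `openssl s_client` output on stdin (it contains the server's PEM
# certificate) and return 0 when the certificate stays valid for at least
# $1 more seconds, 1 when it expires sooner.
tls_cert_valid_for() {
    openssl x509 -noout -checkend "$1" >/dev/null
}

# Live check.  $1 = XMPP domain (the part after @ in JIDs),
#              $2 = host to connect to (the SRV target; defaults to $1).
# -xmpphost puts the XMPP domain in the stream header and -servername in SNI,
# so the server presents the certificate for the domain, not the hostname.
check_xmpp_tls() {
    _domain=$1; _host=${2:-$1}
    _out=$(openssl s_client -connect "$_host:5222" -starttls xmpp \
              -xmpphost "$_domain" -servername "$_domain" </dev/null 2>/dev/null || true)
    _code=$(printf '%s\n' "$_out" | tls_verify_code)
    case "$_code" in
        0)  printf 'ok:   chain for %s verified via %s\n' "$_domain" "$_host" ;;
        '') printf 'FAIL: no TLS handshake with %s:5222 (port closed or STARTTLS refused?)\n' "$_host"
            return 1 ;;
        *)  printf 'FAIL: verify code %s for %s:\n' "$_code" "$_domain"
            printf '%s\n' "$_out" | sed -n '/^Verify return code/p'
            return 1 ;;
    esac
    # 14 days = 1209600 seconds; ACME renews well before this in normal operation.
    if ! printf '%s\n' "$_out" | tls_cert_valid_for 1209600; then
        printf 'FAIL: certificate for %s expires within 14 days\n' "$_domain"
        return 1
    fi
}

# Usage: sh check-xmpp-tls.sh yourdomain.com chat.yourdomain.com
[ "$#" -eq 0 ] || check_xmpp_tls "$@"
```

A non-zero verify code is worth reading in full: 10 means the certificate has expired (an ACME failure, see Troubleshooting), while 18 or 21 usually means a self-signed or incomplete chain is being served instead of the Let's Encrypt one.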
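The Security Checklist asks you to confirm "Root login disabled" and "SSH key-only authentication", and Step 16 greps for a single option. The script below, an added example rather than the guide's own tooling, checks the four options that together make SSH key-only (`PermitRootLogin`, `PasswordAuthentication`, `KbdInteractiveAuthentication`, `PubkeyAuthentication`) against an `sshd_config` file, applying sshd's own rule that the first uncommented occurrence wins and falling back to the upstream OpenSSH defaults when an option is absent. It uses only POSIX sh, awk and mktemp; the config in `demo_audit` is constructed, not taken from any server.

```shell
#!/bin/sh
# audit-sshd.sh: check the SSH items of the Security Checklist in sshd_config.
set -eu

# Print the effective value of an sshd option in a config file: the first
# uncommented occurrence wins (sshd's rule), else the supplied default.
# Usage: sshd_option <config file> <Option> <default when absent>
sshd_option() {
    _v=$(awk -v k="$2" '$0 !~ /^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf '%s\n' "$3"; fi
}

# Compare one option (case-insensitively) to its required value.
# Prints a finding line; returns 1 on mismatch.
# Usage: sshd_require <config file> <Option> <required value> <default when absent>
sshd_require() {
    _got=$(sshd_option "$1" "$2" "$4" | tr '[:upper:]' '[:lower:]')
    if [ "$_got" = "$3" ]; then
        printf 'ok    %-30s %s\n' "$2" "$_got"
    else
        printf 'FAIL  %-30s is "%s", want "%s"\n' "$2" "$_got" "$3"
        return 1
    fi
}

# Run the checklist against a config file; returns the number of failed
# checks (0 = all pass). Defaults are upstream OpenSSH defaults.
audit_sshd_config() {
    _fails=0
    sshd_require "$1" PermitRootLogin            no  prohibit-password || _fails=$((_fails + 1))
    sshd_require "$1" PasswordAuthentication     no  yes               || _fails=$((_fails + 1))
    sshd_require "$1" KbdInteractiveAuthentication no yes              || _fails=$((_fails + 1))
    sshd_require "$1" PubkeyAuthentication       yes yes               || _fails=$((_fails + 1))
    return "$_fails"
}

# Demo on a constructed config: root login is off, but passwords are still
# accepted and keyboard-interactive is left at its default. Returns the
# number of failed checks (2 for this sample).
demo_audit() {
    _tmp=$(mktemp)
    cat >"$_tmp" <<'EOF'
# constructed sample sshd_config, not from a real host
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    _n=0
    audit_sshd_config "$_tmp" || _n=$?
    rm -f "$_tmp"
    return "$_n"
}

# Usage: sudo sh audit-sshd.sh /etc/ssh/sshd_config
# On a live host `sudo sshd -T` is the authoritative view once Match blocks
# are involved; this file-level audit is for config review before deploy.
[ "$#" -eq 0 ] || audit_sshd_config "$1"
```

Running it on the NixOS-generated `/etc/ssh/sshd_config` after Step 16 should report four `ok` lines; any `FAIL` line names the option and the value sshd will actually use, including defaults you never wrote down.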