Added prosody

stacks/productivity/README.md

@@ -1,9 +1,7 @@
 # Productivity Stack
-
-GitLab, Vaultwarden, Memos, Mortis, and FreshRSS.
+GitLab, Vaultwarden, Memos, Mortis, FreshRSS, and Prosody.
 
 ## Services
-
 | Service | Port | Description |
 |---------|------|-------------|
 | gitlab | 8929:80, 2222:22 | Git repository |
@@ -11,53 +9,90 @@ GitLab, Vaultwarden, Memos, Mortis, and FreshRSS.
 | memos | 5230:5230 | Note-taking |
 | mortis | 5231:5231 | Memos iOS companion |
 | freshrss | 8054:80 | RSS reader |
+| prosody | 5222, 5269, 5280, 5281 | XMPP server |
 
 ## GitLab
-
 ### Initial Setup
-
 GitLab runs migrations on first start - takes 15-20 minutes. Be patient.
-
 ### Get Root Password
-
 ```bash
 docker exec -it gitlab grep 'Password:' /etc/gitlab/initial_root_password
 ```
-
 ### NGINX Proxy Manager
-
 Create HTTPS proxy for `git.rishighan.com` pointing to `192.168.1.75:8929`
-
 GitLab recommends SSL, so use HTTPS.
 
 ## Vaultwarden
-
 ### NGINX Proxy Manager
-
 Create HTTPS proxy for `vault.rishighan.com` pointing to `192.168.1.75:4743`
-
 ### Admin Panel
-
 Access at `https://vault.rishighan.com/admin` with the `ADMIN_TOKEN` from stack.env
 
 ## Memos + Mortis
-
 Mortis is the iOS companion for Memos. It connects via gRPC to memos:5230.
-
 ### NGINX Proxy Manager
-
 Create HTTPS proxy for `memos.rishighan.com` pointing to `192.168.1.75:5230`
 
 ## FreshRSS
-
 ### NGINX Proxy Manager
-
 Create HTTPS proxy for `rss.rishighan.com` pointing to `192.168.1.75:8054`
-
 ### Import Feeds
-
 1. Copy `feeds.opml` to `/mnt/user/appdata/freshrss/`
 2. In FreshRSS: Settings → Import/Export → Import OPML
 3. Enable `af_readability` extension to bypass paywalls
 
 The OPML contains curated feeds for Gaming, Tech, Politics, Weather, and World News - free from paywalled bullshit.
+
+## Prosody
+Self-hosted XMPP server for `rishighan.com`. Image: `prosodyim/prosody:13.0`.
+
+### Ports
+| Port | Purpose |
+|------|---------|
+| 5222 | Client-to-server (c2s) |
+| 5269 | Server-to-server / federation (s2s) |
+| 5280 | HTTP/BOSH |
+| 5281 | HTTPS/BOSH |
+
+Both 5222 and 5269 must be forwarded on the UDM Pro to Flook (192.168.x.75).
+
+### TLS Cert
+Issued manually via certbot DNS challenge covering `rishighan.com` and `xmpp.rishighan.com`.
+Certs stored at `./certs/privkey.pem` and `./certs/fullchain.pem` (copied from appdata archive, not symlinked).
+
+**Cert expires: 2026-05-24. Renew before then:**
+```bash
+certbot certonly --manual --preferred-challenges dns \
+  --config-dir /mnt/user/appdata/prosody/certs \
+  --work-dir /mnt/user/appdata/prosody/certs/work \
+  --logs-dir /mnt/user/appdata/prosody/certs/logs \
+  -d rishighan.com -d xmpp.rishighan.com
+
+# Copy new certs (increment N to match new archive version):
+cp /mnt/user/appdata/prosody/certs/archive/xmpp.rishighan.com/privkeyN.pem \
+   /mnt/user/flook-stacks/stacks/productivity/certs/privkey.pem
+cp /mnt/user/appdata/prosody/certs/archive/xmpp.rishighan.com/fullchainN.pem \
+   /mnt/user/flook-stacks/stacks/productivity/certs/fullchain.pem
+chmod 644 /mnt/user/flook-stacks/stacks/productivity/certs/*.pem
+docker restart prosody
+```
+
+### DNS Records (GoDaddy)
+| Type | Service | Protocol | Name | Value | Port |
+|------|---------|----------|------|-------|------|
+| SRV | `_xmpp-client` | `_tcp` | `@` | `xmpp.rishighan.com` | 5222 |
+| SRV | `_xmpp-server` | `_tcp` | `@` | `xmpp.rishighan.com` | 5269 |
+| A | — | — | `xmpp` | Flook's public IP | — |
+
+### User Management
+```bash
+docker exec -it prosody prosodyctl adduser user@rishighan.com
+docker exec -it prosody prosodyctl passwd user@rishighan.com
+docker exec -it prosody prosodyctl deluser user@rishighan.com
+```
+
+### Data Directory Permissions
+The `./data` directory must be owned by UID 999:
+```bash
+chown -R 999:999 /mnt/user/flook-stacks/stacks/productivity/data
+```