
Problems with setting up prosody with IPv6 and certbot


From: nee
Subject: Problems with setting up prosody with IPv6 and certbot
Date: Sun, 26 Nov 2017 16:26:08 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0

Hello, I've been trying to set up the prosody xmpp service a few weeks
ago, but some things are not working out of the box.


1. Server-to-server connection failed: connection-timeout

After adding a few people on other servers I keep getting messages like
this when I login with a client:

Error from <retracted username>@jabber.network: Server-to-server
connection
           failed: connection-timeout

This happens for multiple foreign servers, but not all.
For example server-to-server connections to iro-iro.xyz work fine.
I tried to upgrade prosody to 0.10, but it didn't change anything.

Workaround: unknown
Proper fix: unknown

2. Some users can't log into my server with the profanity client.
The user couldn't log into my server from the 'profanity' client, but
could do so with 'pidgin'; profanity worked fine for other servers like
jabber.network. I myself have no problems logging in with profanity, we
both used the same profanity version from guix. I suspect that a buggy
IPv6 setup could be the culprit here (see below), but I have to recheck
that.

Workaround: unknown
Proper fix: unknown

3. Using letsencrypt certificates
Problem:
Prosody can not read the certificates generated by the certbot service.
The reason is that Prosody starts up directly as a non-root user, unlike
other services like for example murmur that start up as root, read the
certificates and then call setuid afterwards. So it has no rights to
read from /etc/letsencrypt/...
I know that there is a prosody script to fetch certs, but I wanted to
use one I already generated for a website.

Workaround:
chgrp prosody -R /etc/letsencrypt/
chmod 2750 -R /etc/letsencrypt/

Proper fix:
I don't know, but it should be easier than this. The documentation
should explain how to use certificates generated by certbot.

4. IPv6 is not enabled by default on GuixSD
Problem:
With the default configuration `ifconfig`
and `ip addr` did not show an IPv6 address for my server.
This resulted in `prosodyctl check` printing:

________________________________________________________________________
Checking DNS for host tomato.hidamari.blue...
    tomato.hidamari.blue AAAA record points to unknown address
2a03:4000:1d:1cb::
    Host tomato.hidamari.blue does not seem to resolve to this server (IPv6)
    Only some targets for tomato.hidamari.blue appear to resolve to this
server.
________________________________________________________________________

Workaround:
ip -6 addr add <my ipv6 address here> dev eth0

Proper fix:
I don't know. Something has to be changed about system/base.scm? I don't
know what exactly it is.

5. Running `prosodyctl check`
Problem:
Now, after I applied the IPv6 workaround, `prosodyctl check` still has
some problems. The complete output is:

________________________________________________________________________
**************************
Prosody was unable to find lua-bitops
This package can be obtained in the following ways:

        Source:           http://bitop.luajit.org/
        Debian/Ubuntu:    sudo apt-get install lua-bitop
        luarocks:         luarocks install luabitop

WebSocket support will not be available
More help can be found on our website, at http://prosody.im/doc/depends
**************************

Checking config...
Done.

Checking DNS for host tomato.hidamari.blue...
    Host tomato.hidamari.blue has AAAA records, but your version of
LuaSocket does not support IPv6.
      Please see http://prosody.im/doc/ipv6 for more information.

Checking certificates...
Checking certificate for tomato.hidamari.blue
  Certificate: /etc/letsencrypt/live/tomato.hidamari.blue/fullchain.pem
    Certificate expires within one month.

All checks passed, congratulations!
________________________________________________________________________

Proper fix:
Build prosody with luasocket 3.0rc1, which introduced IPv6 support and is
recommended on http://prosody.im/doc/ipv6
Currently we only have luasocket 2.0.2 packaged.

lua-bitops is probably also something that should be packaged, but I
just saw a patch for it on guix-patches.

I also think that `prosodyctl check` should be run in the activation
phase of prosody like the nginx configuration check during nginx activation.

I packaged luasocket 3.0-ac3201d in my package path. 3.0-ac3201d is the
version which is used by Debian and Arch, it fixed some build system
bugs that are in the 3.0rc1 version that hasn't been updated since 2013.
I haven't packaged the tests, since it needs a LUA_DEBUG env variable
during compilation now. It probably must be solved like in the crawl
package.
https://hidamari.blue/git/packages/html/xmpp.scm.html

This brought the output of `prosodyctl check` down to this, but did not
solve the server-to-server connection errors:
________________________________________________________________________
**************************
Prosody was unable to find lua-bitops
This package can be obtained in the following ways:

    Source:           http://bitop.luajit.org/
    Debian/Ubuntu:    sudo apt-get install lua-bitop
    luarocks:         luarocks install luabitop

WebSocket support will not be available
More help can be found on our website, at http://prosody.im/doc/depends
**************************

Checking config...
Done.

Checking DNS for host tomato.hidamari.blue...

Checking certificates...
Checking certificate for tomato.hidamari.blue
  Certificate: /etc/letsencrypt/live/tomato.hidamari.blue/fullchain.pem
    Certificate expires within one month.

All checks passed, congratulations!
________________________________________________________________________

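The recursive chgrp/chmod workaround in item 3 gives the prosody group read access to every private key under /etc/letsencrypt, including the website's, not just the XMPP host's. As an added example that is not part of the original post or of Prosody or certbot, the following certbot deploy hook copies only fullchain.pem and privkey.pem of the renewed lineage into a directory Prosody can read, with group-readable, world-unreadable modes. It assumes certbot's RENEWED_LINEAGE variable, and the destination directory PROSODY_CERT_DIR (defaulting to /etc/prosody/certs) and group PROSODY_GROUP are assumed names to be adjusted for the local setup.

```shell
#!/bin/sh
# Added example: certbot deploy hook that hands Prosody its own copy of
# the certificate instead of opening all of /etc/letsencrypt.
set -eu

# mode_ok FILE: true only if FILE is exactly owner rw, group r, others none
mode_ok() {
    case $(ls -l "$1") in
        -rw-r-----*) return 0 ;;
        *)           return 1 ;;
    esac
}

# install_cert SRC_LINEAGE DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem from a certbot "live" lineage dir
# into DEST_DIR/<hostname>/, owned by GROUP, mode 0640 (dir 0750).
# cp dereferences the live/ symlinks, so the copy is a real file that
# survives certbot rotating the archive/ directory.
install_cert() {
    src="$1"; dest="$2"; grp="$3"
    [ -d "$src" ] || { echo "no lineage at $src" >&2; return 1; }
    host=$(basename "$src")
    mkdir -p "$dest/$host"
    for f in fullchain.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$dest/$host/$f"
        chgrp "$grp" "$dest/$host/$f"
        chmod 0640 "$dest/$host/$f"   # private key: never world-readable
        mode_ok "$dest/$host/$f" || return 1
    done
    chgrp "$grp" "$dest/$host"
    chmod 0750 "$dest/$host"
}

# When certbot runs this as a deploy hook, RENEWED_LINEAGE is set to the
# lineage just renewed, e.g. /etc/letsencrypt/live/tomato.hidamari.blue.
# PROSODY_CERT_DIR and PROSODY_GROUP are assumed names for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_cert "$RENEWED_LINEAGE" \
                 "${PROSODY_CERT_DIR:-/etc/prosody/certs}" \
                 "${PROSODY_GROUP:-prosody}"
fi
```

Point Prosody's ssl configuration at the copied files and reload it from the same hook; the rest of /etc/letsencrypt stays root-only.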