Revert "Remove obsolete xmpp.guschin.info cert references."

This reverts commit 29bfdd417c.

.claude/commands/release-new.md

@@ -0,0 +1,41 @@
+---
+allowed-tools: Bash(git tag:*), Bash(git add:*), Bash(git commit:*), Bash(git push:*), Bash(git log:*), Bash(git describe:*), Bash(git-cliff:*), Bash(git cliff:*)
+description: Create a new semver release. Usage: /release-new [major|minor|patch]
+---
+
+## Context
+
+- Current latest tag: !`git describe --tags --abbrev=0 2>/dev/null || echo "none"`
+- Current branch: !`git branch --show-current`
+- Unreleased commits: !`git log --oneline -20`
+
+## Your task
+
+Arguments: $ARGUMENTS (should be "major", "minor", or "patch")
+
+1. **Determine next version**:
+   - Get current latest tag (from context above). If none, start at v0.1.0.
+   - Parse the version as vMAJOR.MINOR.PATCH.
+   - Bump the appropriate component based on arguments (default: patch if none given).
+   - New version = vX.Y.Z (with "v" prefix).
+
+2. **Update CHANGELOG.md** using git-cliff:
+   ```
+   git-cliff --config cliff.toml --tag NEW_VERSION -o CHANGELOG.md
+   ```
+
+3. **Commit the changelog**:
+   - Stage: `git add CHANGELOG.md`
+   - Commit: `git commit -m "chore: release NEW_VERSION"`
+
+4. **Create annotated tag**:
+   ```
+   git tag -a NEW_VERSION -m "Release NEW_VERSION"
+   ```
+
+5. **Push commit and tag**:
+   ```
+   git push && git push --tags
+   ```
+
+Do not ask for confirmation. Execute all steps in sequence. Report what version was released when done.

.gitignore

@@ -1,2 +1,4 @@
 .env
 data/prosody/certs
+web-sites
+logs

CHANGELOG.md

@@ -0,0 +1,95 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [0.1.1] - 2026-03-23
+
+### Bug Fixes
+
+- Fix: fix shell substitution in release-new command context
+
+## [0.1.0] - 2026-03-23
+
+### Bug Fixes
+
+- Fix certs path.
+- Fix self signed certs.
+- Fix su prosody.
+- Fix su prosody (2).
+- Fix su prosody (3).
+- Fix su prosody (4).
+- Fix symlinks.
+- Fixed tls config..
+- Fix TLS cert domain mismatch: VirtualHost now matches cert domain
+
+VirtualHost changed from "guschin.info" to "xmpp.guschin.info" to match
+the Let's Encrypt certificate. Moved certificates directive before
+VirtualHost block. Removed misplaced default_realm and global ssl block.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+
+### Changes
+
+- Initial commit
+- Init.
+- MySQL running on host.
+- Network.
+- Extra hosts.
+- Change ip.
+- Nginx.
+- Certs in docker compose.
+- Certs volume.
+- Certs path.
+- Nginx ssl.
+- Lua-unbound.
+- Certs volume.
+- Delete self signed certs.
+- Delete user prosody from entrypoing..
+- Using existing certs..
+- Remove obsolete version attribute from docker-compose.yml
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+- Mount only xmpp cert dirs to fix letsencrypt permission errors
+
+Mount specific live/ and archive/ subdirectories instead of all of
+/etc/letsencrypt to avoid Prosody scanning root-only directories
+(accounts/, archive/ for other domains). Also remove allow_registration.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+
+### Features
+
+- Enable s2s_require_encryption to match s2s_secure_auth
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+- Add ca-certificates to fix s2s TLS verification
+
+Without CA certs, Prosody cannot verify remote servers' certificates,
+causing all server-to-server connections to fail with "not trusted".
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+- Enable mod_mam for persistent direct message archiving
+
+Messages are stored indefinitely in MySQL.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+- Add guschin.info VirtualHost alongside xmpp.guschin.info
+
+Users can now register as name@guschin.info or name@xmpp.guschin.info.
+Added Let's Encrypt cert mounting and install for guschin.info domain.
+Refactored entrypoint cert install into reusable function.
+
+Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
+- Add changelog service and release-new skill
+
+- cliff.toml: git-cliff config with semantic-style grouping (no conventional commits required)
+- CHANGELOG.md: initial changelog generated from full git history
+- .claude/commands/release-new.md: /release-new [major|minor|patch] skill that bumps version, updates changelog, commits, tags, and pushes
+
+Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
+
+### Miscellaneous Tasks
+
+- Chore: release v0.1.0
+
+

Dockerfile

@@ -4,6 +4,7 @@ FROM debian:bookworm-slim
 RUN apt-get update --fix-missing && \
     apt-get install -y --no-install-recommends \
     prosody \
+    prosody-modules \
     lua-dbi-mysql \
     lua-sec \
     lua-unbound \

cliff.toml

@@ -0,0 +1,45 @@
+[changelog]
+header = """
+# Changelog\n
+All notable changes to this project will be documented in this file.\n
+"""
+body = """
+{% if version %}\
+## [{{ version | trim_start_matches(pat="v") }}] - {{ timestamp | date(format="%Y-%m-%d") }}
+{% else %}\
+## [Unreleased]
+{% endif %}\
+{% for group, commits in commits | group_by(attribute="group") %}
+### {{ group | striptags | trim | upper_first }}
+{% for commit in commits %}
+- {{ commit.message | upper_first }}\
+{% endfor %}
+{% endfor %}\n
+"""
+trim = true
+footer = ""
+
+[git]
+conventional_commits = false
+filter_unconventional = false
+split_commits = false
+commit_parsers = [
+  { message = "^[Ff]eat", group = "Features" },
+  { message = "^[Ff]ix", group = "Bug Fixes" },
+  { message = "^[Dd]oc", group = "Documentation" },
+  { message = "^[Pp]erf", group = "Performance" },
+  { message = "^[Rr]efactor", group = "Refactor" },
+  { message = "^[Ss]tyle", group = "Styling" },
+  { message = "^[Tt]est", group = "Testing" },
+  { message = "^[Cc]hore", group = "Miscellaneous Tasks" },
+  { message = "^[Aa]dd", group = "Features" },
+  { message = "^[Ee]nable", group = "Features" },
+  { message = "^[Rr]emove", group = "Changes" },
+  { message = ".*", group = "Changes" },
+]
+filter_commits = false
+tag_pattern = "v[0-9]*"
+skip_tags = ""
+ignore_tags = ""
+topo_order = false
+sort_commits = "oldest"

data/prosody/configuration/prosody.cfg.lua

@@ -3,6 +3,8 @@
 
 admins = { "admin@guschin.info", "admin@xmpp.guschin.info" }
 
+plugin_paths = { "/usr/lib/prosody/modules" }
+
 modules_enabled = {
 	-- Generally required
 	"roster";
@@ -25,6 +27,10 @@ modules_enabled = {
 
 	-- Admin interface
 	"admin_adhoc";
+
+	-- Gateway support
+	"privilege";
+	"http_file_share";
 };
 
 modules_disabled = {
@@ -53,6 +59,7 @@ sql = {
 c2s_ports = { 5222 }
 s2s_ports = { 5269 }
 component_ports = { 5347 }
+component_interface = "0.0.0.0"
 http_ports = { 5280 }
 https_ports = { 5281 }
 
@@ -75,15 +82,46 @@ VirtualHost "guschin.info"
         key = "/etc/prosody/certs/guschin.info.key";
         certificate = "/etc/prosody/certs/guschin.info.crt";
     }
+    privileged_entities = {
+        ["telegram.guschin.info"] = {
+            roster  = "both";      -- auto add/remove Telegram contacts from roster
+            message = "outgoing";  -- reflect messages sent via official Telegram apps
+            iq = {
+                ["http://jabber.org/protocol/pubsub"]        = "both"; -- PEP bookmarks
+                ["http://jabber.org/protocol/pubsub#owner"]  = "set";  -- message display sync
+                ["urn:xmpp:http:upload:0"]                   = "get";  -- upload on behalf of users
+            };
+        };
+    }
 
 -- Secondary virtual host (user@xmpp.guschin.info)
 VirtualHost "xmpp.guschin.info"
     ssl = {
-        key = "/etc/prosody/certs/xmpp.guschin.info.key";
+        key = "/etc/prosody/certs/guschin.info.key";
-        certificate = "/etc/prosody/certs/xmpp.guschin.info.crt";
+        certificate = "/etc/prosody/certs/guschin.info.crt";
     }
 
 -- Component for MUC (Multi-User Chat)
 Component "muc.guschin.info" "muc"
     modules_enabled = { "muc_mam" }
     storage = "sql"
+    ssl = {
+        key = "/etc/prosody/certs/guschin.info.key";
+        certificate = "/etc/prosody/certs/guschin.info.crt";
+    }
+
+-- HTTP file upload (XEP-0363) — used by slidgram for Telegram→XMPP attachments
+Component "upload.guschin.info" "http_file_share"
+    http_file_share_access = { "telegram.guschin.info", "guschin.info", "xmpp.guschin.info" }
+    ssl = {
+        key = "/etc/prosody/certs/guschin.info.key";
+        certificate = "/etc/prosody/certs/guschin.info.crt";
+    }
+
+-- Telegram gateway (slidgram)
+Component "telegram.guschin.info"
+    component_secret = os.getenv("SLIDGRAM_COMPONENT_SECRET")
+    ssl = {
+        key = "/etc/prosody/certs/guschin.info.key";
+        certificate = "/etc/prosody/certs/guschin.info.crt";
+    }

docker-compose.yml

@@ -12,13 +12,14 @@ services:
       MYSQL_USER: ${MYSQL_USER}
       MYSQL_PASSWORD: ${MYSQL_PASSWORD}
       MYSQL_DATABASE: ${MYSQL_DATABASE}
+      SLIDGRAM_COMPONENT_SECRET: ${SLIDGRAM_COMPONENT_SECRET}
     extra_hosts:
       - "host.docker.internal:172.17.0.1"
     ports:
       - "5222:5222"
       - "5269:5269"
-      - "5347:5347"
       - "5280:5280"
+      - "5281:5281"
     volumes:
       - ./data/prosody:/var/lib/prosody
       - ./logs/prosody:/var/log/prosody
@@ -38,6 +39,25 @@ services:
     networks:
       - prosody
 
+  slidgram:
+    image: codeberg.org/slidge/slidgram:latest
+    container_name: slidgram
+    user: "100:102"
+    environment:
+      SLIDGE_JID: telegram.guschin.info
+      SLIDGE_SECRET: ${SLIDGRAM_COMPONENT_SECRET}
+      SLIDGE_SERVER: prosody-xmpp
+      SLIDGE_PORT: 5347
+      SLIDGE_UPLOAD_SERVICE: upload.guschin.info
+    volumes:
+      - ./data/slidgram:/var/lib/slidge
+    restart: unless-stopped
+    depends_on:
+      prosody:
+        condition: service_healthy
+    networks:
+      - prosody
+
 networks:
   prosody:
     driver: bridge