ChanServ changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things Sandstorm and Cap'n Proto. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Channel logs available at https://libera.irclog.whitequark.org/sandstorm
<jonesv[m]> hello :)
<ocdtrekkie> Hey how's it going?
<jonesv[m]> Good, how are you?
<jonesv[m]> Still hoping to get time to try Sandstorm more thoroughly soon :). At the moment I'm still exploring Cap'n Proto, slowly learning 🙂. I'd like to get to understand better how it is done in Sandstorm eventually.
<jonesv[m]> But that's a lot to learn 😊
<ocdtrekkie> Yeah it is. I've been following Sandstorm development since 2014 and I still ask a lot of probably dumb questions. :P
<jonesv[m]> :)
<jonesv[m]> So you've been self-hosting Sandstorm and using some apps for quite a few years already, haven't you?
<jonesv[m]> I see a lot of traction with NextCloud out there, but... yeah I think I just like the technology behind Sandstorm a lot, so that's what I want to learn (I don't know anything about NextCloud except that it is PHP, and I'm not even sure).
<ocdtrekkie> Yeah I was using Oasis until it shut down but have run my own for a few years now.
<ocdtrekkie> Yeah, Nextcloud is PHP, I think it has a hefty JS frontend now too, maybe Vue based?
<ocdtrekkie> I definitely find a lot of the selfhosting community doesn't have a strong security mindset, I see a lot of discussion of running several different applications on one bare metal server with no containerization of any kind.
<jonesv[m]> Yeah, security is hard 😇
<jonesv[m]> I often find myself frustrated when I read opinions that seem to think that self-hosting is "more secure" because you "own" the server, that federations are "more secure" than centralized systems, etc. Where often it feels completely disconnected from the actual security problems.
<jonesv[m]> But that's the thing about security, right? You have to "trust" something at some point based on your level of knowledge. And if you can't make the difference technically between two projects, then I guess you end up rationalizing on what you understand.
<jonesv[m]> This said, I'm still not self-hosting at home (I have a VPS), because I'm super scared of screwing up the security 😅. I have been thinking about having my homeserver in a separate LAN (I have two routers: the first one would have 2 VLANs, 1 for the homeserver, and the other for my second router, behind which would be my home LAN). And then in the homeserver I was thinking about running the different services with Xen (a bit similar to what
<jonesv[m]> Qubes OS is doing, I guess, but as a server).
<jonesv[m]> And then I discovered Sandstorm, so I'm thinking that maybe I would not need Xen after all :)
<ocdtrekkie> People often don't understand that they have to consider different threat models. Like I see a lot of people worried about government surveillance, and for some people that is a huge deal. For me it isn't a big deal, but advertising behavior is a huge problem for me.
<ocdtrekkie> Often different threat models have completely opposing solutions. Google is often claimed to be working on keeping people safe from hostile governments, but they will not protect you at all from ads. A lot of selfhosting will protect you from Google ads but may not stop a state level attacker.
<ocdtrekkie> As far as selfhosting and network security, Sandstorm has some decent features for preventing using it to pivot into your network. I run it in my main VLAN.
<ocdtrekkie> But I do really like having multiple VLANs at home.
<jonesv[m]> Out of curiosity: do you mean personal ads (like you don't want to be influenced by targeted ads), or corporate surveillance (the fact that Google can profile people in mass, for instance)?
<ocdtrekkie> I have my internal wired only VLAN, a guest/wifi VLAN, and a security camera VLAN which can be reached from my secure network but has no outbound Internet of its own, since I don't trust trashy camera firmwares at all.
<ocdtrekkie> Both. But I don't feel targeted ads are actually that effective, so more of the mass profiling.
<jonesv[m]> Got it. Yes I agree with that, though I believe self-hosting is not really at a level where it can have a significant impact? E.g. without being a fanboy, I like what Signal Messenger is doing. That's centralized around their servers, but they do interesting work about metadata. Or Tor/VPNs, or more recently even the Apple Relay thingy seems pretty cool. I think I'm attracted to self-hosting mostly because I can have control, to be honest. And
<jonesv[m]> it's interesting in terms of technology 😊
<abliss[m]> i, for one, am still angry about Google Reader.
<ocdtrekkie> There are things you could do on selfhosted servers that just aren't common right now. More sophisticated encryption setups aren't super common on selfhosted servers, but it's something that could be done.
<ocdtrekkie> I never used Google Reader but TTRSS is my most used Sandstorm grain.
<ocdtrekkie> Hi abliss!
<ocdtrekkie> How is it going?
<jonesv[m]> abliss: what are you using now? TTRSS? 😇
<jonesv[m]> <ocdtrekkie> "I never used Google Reader but..." <- Yes, that's what I expect will be mine. Actually I'm slowly re-discovering RSS, for years I only used it for podcasts, for some reason. But it's great for many things!
<abliss[m]> yes, ttrss is my #1 grain as well, but the sharing/republishing never got anywhere as good as GR
<jonesv[m]> Right.
<jonesv[m]> What are other grains you use, btw? I was hoping for a Matrix grain, but it seems like it's not a trivial thing to do 😆. Other than that there is this drive grain that is supposedly compatible with NextCloud clients (my /e/ OS Android can synchronize with NextCloud). I forgot its name though
<ocdtrekkie> abliss, your republishing feed disappeared years afo
<ocdtrekkie> ago*
<ocdtrekkie> It's still in my feed reader but is dead
<jonesv[m]> Davros I think, that's the one that should be compatible with NextCloud clients, supposedly
<ocdtrekkie> We occasionally talk about Matrix support but yeah it's a very hard one.
<abliss[m]> yeah i spent quite a while working on matrix but was ultimately unsuccessful
<ocdtrekkie> Davros is great, I use a lot of Etherpad and HedgeDoc grains.
<abliss[m]> i mean i got it o
<abliss[m]> s/o/working locally but not federating./
<ocdtrekkie> Prioritize is amazing, it's kinda a todo app but different than one you'll find anywhere else.
<ocdtrekkie> I have all my GitHub projects mirroring themselves to GitWeb grains via a GitHub Action.
<jonesv[m]> > Prioritize is amazing
<jonesv[m]> I'd like to find some "getting things done" app, a bit like todoist. Haven't seen one though
<jonesv[m]> abliss: what's the hard part about the matrix federating? Is it just a big thing to do, or are there fundamental problems?
<ocdtrekkie> Prioritize is for things you do regularly, but with sliding deadlines instead of calendar reminders.
<abliss[m]> jonesv[m]: seemed like a pretty fundamental mismatch, sadly
<ocdtrekkie> (I use Yet Another Todo as well, but only for grocery lists)
<abliss[m]> sandstorm wants to expose one randomly-generated public api url with a specific set of capabilities; matrix wants one public url that different people send passwords to and get granted capabilities by the backend
<abliss[m]> you basically need some kind of very fancy proxy in front of sandstorm, and at that point you might as well just run a matrix server without sandstorm
<ocdtrekkie> I think it would need to be something we support a bit more directly at the system level of Sandstorm instead of being just an app.
<ocdtrekkie> We talked a bit about "system grains" as a concept.
<jonesv[m]> How would a "system grain" be different than an app, and how different would that be from running Synapse directly on the server?
<jonesv[m]> (for my understanding :))
<ocdtrekkie> We do not let normal grains set well known subdomains, and full IP access is also not available to non-admins.
<ocdtrekkie> Whereas presumably an admin could install an app for the server's users to use which has more network access and can use something like matrix.example.com
<jonesv[m]> Right
<jonesv[m]> So you would still get most of Sandstorm's sandboxing, except for the capability-based networking stuff?
<ocdtrekkie> I mean it's still technically a capability, just a much wider one.
<jonesv[m]> Yeah it would be really cool if a Matrix homeserver could just be installed as a Sandstorm app
<ocdtrekkie> Yeah I don't selfhost anything that doesn't go on my Sandstorm server so I am pretty big on getting everything running on it.
<jonesv[m]> Sounds good :)
<jonesv[m]> Alright, time to sleep here 💤
<jonesv[m]> Good night!
<jonesv[m]> And thanks for the insights =)
<TimMc> Incidentally, Dendrite (one of the major Matrix server implementations) is just now reaching what I would consider to be basic usability. They've recently cleared up some problems with room-read status and other annoyances.
<TimMc> They're trying to replace Synapse with Dendrite, but are also evolving the protocol at the same time, which obviously slows down progress towards having *anything* "fully production ready".