XMPP Service Operators - 2021-04-19


  1. christian

    > jonas’, can I use XMPP?
    > I dislike email
    Depends. XMPP is for expressing ideas and/or brainstorming. But if you really have something to say, you must write a mail.

  2. Licaon_Kter

    christian: you've missed context

  3. mimi89999

    Who is running badxmpp.eu ?

  4. Sam

    Zash, I think

  5. mimi89999

    A Prosody dev I guess

  6. mimi89999

    Could we get C2S support even with the server rejecting all login attempts?

  7. Martin

    19.04.21 18:19:23 - magicbot@magicbroccoli.de: contact addresses for badxmpp.eu are
    - abuse-addresses:
    - admin-addresses:
    - feedback-addresses: mailto:zash+badxmpp@zash.se , xmpp:zash@zash.se
    - sales-addresses:
    - security-addresses:
    - support-addresses:

  8. andrey.utkin

    Does anybody here use "infrastructure as code" (e.g. Terraform) and configuration management tool (e.g. Ansible) for your XMPP server?

  9. Sam

    I use Terraform quite heavily (or used to, I don't think I have anything deployed right this moment that's using it). Haven't used a configuration management tool in a long time though.

  10. andrey.utkin

    I am interested in learning and trying to apply these tools on my XMPP server; I find it not justifiable on its own merit for a single tiny server, but it could be more interesting if there was a group of similarly minded people collaborating on a common codebase which they use to deploy & update their servers.

  11. menel

    I think someone at xmpp:chat@joinjabber.org?join did do it for Prosody? You could ask there

  12. Sam

    Terraform tends to be pretty service specific, I don't know how useful that would be unless lots of people are all deploying on DigitalOcean or Amazon or whatever

  13. Sam

    I'll have to dig it up out of backups because I avoid self-hosting at all costs these days but I might have some old terraform scripts for deploying Prosody to Vultr or Linode or something somewhere if you want them

  14. andrey.utkin

    true, that's one of my concerns, the code would not be so reusable

  15. Sam

    It's reusable as long as you're using the same service (mostly). You could rewrite it for various different services with similar options maybe and keep it all in a repo so that people can import the one they want.

  16. andrey.utkin

    thanks for offering your configs Sam, I may be fine without, but I would appreciate it if you find and share them.

  17. Sam

    I'll dig around tonight and see if I still have them. They'll need updating to hcl2 probably.

  18. rob

    I'm adding Prosody to homelabos which is all Ansible, it's working, just needs tweaks and docs

  19. andrey.utkin

    ooh https://github.com/snikket-im/snikket-terraform-aws

  20. rob

    https://homelabos.com/ if you're interested

  21. andrey.utkin

    thanks rob

  22. rob

    You're welcome

  23. rob

    I'll update my branch and open a merge request soon so you can see the changes

  24. octagon

    > Does anybody here use "infrastructure as code" (e.g. Terraform) and configuration management tool (e.g. Ansible) for your XMPP server?
    Seems like overkill

  25. Sam

    I find that Terraform is extremely useful even for small personal servers. Inevitably a drive will die, or your datacenter will burn down, or something bad will happen and you'll want to spin up the same machine again in the exact same way.

  26. Sam

    Or you just won't want to waste hours provisioning new stuff and instead you can just run a single command and have a machine start and all the stuff you need installed.

  27. andrey.utkin

    true, that's why I am looking for collaboration. Seems the Snikket team has code for Terraform and Ansible, which is exciting. Their Prosody config differs substantially from my config (and preferences), but it might be worthwhile for me to tag along

  28. octagon

    If you have a lot of servers/services that is understandable

  29. octagon

    But for one or two things the learning curve isn't worth it. Unless you are doing it TO learn it

  30. octagon

    Just my 2¢. There is prob a better MUC to talk pros/cons

  31. andrey.utkin

    it is a good job security plan for me to learn it anyway 🙂 this toolkit is about high legibility, low cost of change and low risk of change. After ~5 years, I find it quite dreadful to make risky changes, and it doesn't help that I run my server on Gentoo.

  32. andrey.utkin

    I would think server maintenance tooling is on topic for the "XMPP Service Operators" chatroom 🙂

  33. mathieui

    yeah that seems on-point

  34. mathieui

    I do have most of my setup on ansible, but I find secrets/data management quite lacking

  35. mathieui

    so I need to cross-interact with borg extract to have something decent

  36. mathieui

    (as I do FDE nowadays and do not run my infrastructure on a VM, terraform is not much use to me, but otherwise I would probably use it)

  37. mathieui

    (plus it is made by hashicorp, which generally makes good quality open-source tools)

  38. andrey.utkin

    FDE & no VM = dedicated hardware server which you have to feed a password to open its encrypted storage?

  39. mathieui

    Yes

  40. octagon

    Tang/clevis?

  41. mathieui

    technically not *full* disk encryption, as I have an initrd with an ssh server for unlocking

  42. octagon

    Oh the dropbear in init?

  43. mathieui

    yes

  44. octagon

    How often do you reboot for updates?

  45. mathieui

    we have had two reboots in a year

  46. octagon

    That doesn't seem secure

  47. mathieui

    it’s not perfect, but it’s better than not doing it

  48. mathieui

    (covers theft/seizures/decommissions of drives, but not awesome against an attacker that has access to it during downtime)

  49. octagon

    I meant the patching part

  50. octagon

    The dropbear method for fde is good

  51. mathieui

    services are restarted more often than the server is rebooted

  52. mathieui

    and the kernel is not the one with the most vulns these days

  53. octagon

    Services sandboxed?

  54. octagon

    Example for topicness https://github.com/divestedcg/Brace/blob/master/brace/usr/lib/systemd/system/ejabberd.service.d/99-brace.conf

  55. mathieui

    octagon, somewhat sandboxed with systemd yes, though I find the options a bit hard to navigate

  56. mathieui

    but realistically, the most exposed service is prosody, and if an attacker gains access to prosody, they already have everything sensitive there is to get ^^"

  57. mathieui

    I do wish most systemd units were secure by default

  58. rob

    I'm running everything on a dedicated on-prem system at home, no disk encryption because I was lazy, but am using btrfs so maybe I will change as I replace drives in the pool? Idk if it works like that. It's all Docker with non-public services behind authentication (Authy)

  60. rob

    And everything deploys with one command if I point it at an ip

  61. rob

    I do have maybe two dozen services though, so wouldn't want to spin all that up manually

  62. octagon

    rob: you can indeed luks a drive, add it to btrfs, balance it, and rm the old drive, until they are all encrypted

  63. octagon

    Works quite well

  64. octagon

    All online, btrfs very impressive

  65. rob

    Sweet, I was hoping so. And since I'll usually be around to reboot, it's fine to punch in the passphrase by hand every month or two

  66. rob

    I've already added and rebalanced but haven't done any encryption

  67. tom

    What's going on with yax.im?

  68. tom

    I'm getting lots of errors federating

  69. tom

    Error 500s joining MUCs

  70. tom

    MUCs disappearing and coming back

  71. tom

    Error 404

  72. tom

    Connection timeouts

  73. Sam

    /cc Ge0rG

  74. moparisthebest

    He was having load issues due to covid app thing

  75. octagon

    I read that, what app?

  76. moparisthebest

    octagon: https://yaxim.org/blog/2021/04/09/vaxbot-performance-challenge/

  77. octagon

    That is neat!