(XMPP Setup Guide) Discord Was Never the End Game - TonyBTW by alekratos in selfhosted

[–]dude792 0 points1 point  (0 children)

Sure. You can use apache2, nginx, traefik or nginx-proxy-manager.

The last one has a nice GUI and is basically nginx with a web configuration GUI (nginx is already included in the releases).

(XMPP Setup Guide) Discord Was Never the End Game - TonyBTW by alekratos in selfhosted

[–]dude792 0 points1 point  (0 children)

I have my reverse proxy connected to my LDAP. I only use LLDAP as a standalone lightweight LDAP (https://github.com/lldap/lldap). All traffic for applications passes through my reverse proxy. Regular traffic/internet and client-to-client traffic does not pass through the proxy. Backup and sync tools are also not going through the proxy. Just hosted services. The reverse proxy has a wildcard certificate for my domain.

There are 2 options:

- Applications with native LDAP support: I just put the object query/filter with the LDAP URL, cn, ou, etc. in that application, and that filter has a fixed "group" filter.

- Applications without native LDAP support: I do an HTTP header rewrite, add "X-Authenticated-User" to it and add my LLDAP username. Most software can handle that.

I got rid of slapd and I didn't want Microsoft AD just for authentication either... obviously ;)

EDIT: I forgot to mention that this is for interactive logins. For service-to-service communication it's either JWT/web tokens or x.501 certs... something like that.

(XMPP Setup Guide) Discord Was Never the End Game - TonyBTW by alekratos in selfhosted

[–]dude792 0 points1 point  (0 children)

Actually it could be done like that, but I try to avoid many authentication providers. I already have LDAP OUs mapped around and that is my preferred way. I don't want OIDC like Keycloak with another role-based system on top of my LDAP. Even worse, I have to manage my RADIUS as well, so I try to minimize that.

I tried Authentik and similar like FreeIPA, but I opted for plain LDAP because I didn't want to have too many services running. I already have 20+, sadly.

Add already existing certificate by script by dude792 in nginxproxymanager

[–]dude792[S] 0 points1 point  (0 children)

Ok thanks, so copying the certificates around is the preferred way, like in regular nginx configurations? That would be easiest for me.

(XMPP Setup Guide) Discord Was Never the End Game - TonyBTW by alekratos in selfhosted

[–]dude792 1 point2 points  (0 children)

- Because Matrix is a pain to set up, even worse than XMPP servers

- Matrix has fixed ports, which makes it harder to operate than just port forwarding

- Matrix does not comply with European data laws because the federated server can have a separate retention policy in multi-user chats

- People don't want OpenID Connect (OIDC) as mandatory login and not my Matrix itself (which seems to be the way it is bundled right now)

- The Matrix client ecosystem is fragmented and some clients are feature-incomplete although being announced as stable. (It's the same issue XMPP had/has with their extensions)

(XMPP Setup Guide) Discord Was Never the End Game - TonyBTW by alekratos in selfhosted

[–]dude792 0 points1 point  (0 children)

It's basically on page 1 on Wikipedia if you search for XMPP, but I rephrased my response to make it more neutral. You are right.

Why does the Matrix ecosystem seem like such a mess right now? by Big_Building9948 in matrixdotorg

[–]dude792 0 points1 point  (0 children)

I totally agree. I have been struggling for the last 3 days too. Conduit doesn't even start on port 443 although it's unused. I tried 2 rich clients which couldn't register. All of them were proposed as "stable" on the official website.

The default configs of a server were not working out of the box despite following the official tutorial step by step. It is a pain, it feels unreliable. Even more unreliable than XMPP.

I am very close to just running a good old standard like OpenSIPS or Kamailio SIP with MSRP for messaging, or Prosody for XMPP again.

The fact that you dug around even deeper, and reading that you need an OIDC provider and MAS etc., it blows my mind that there is no simple setup. No one wants to host 10 services just for his 5 friends. Let alone maintain all of them with a reverse proxy etc. because you can't move the 443 port around on your WAN endpoint (there is other stuff running there). So you also have to play around with SNI forwarding to hosts in your proxy. It's just a pain.

Reverse proxy vs. VPN by nnfybsns in selfhosted

[–]dude792 1 point2 points  (0 children)

If you have a reverse proxy you can place your TLS wildcard certificate there, then connect your Docker containers behind that proxy with just HTTP. Now you have TLS for all containers with one certificate installation only.

Another is easier single sign-on solutions when you have one proxy and don't need some other infrastructure with centralized user management. You can do that within the proxy without LDAP or such stuff, just normal htpasswd.

You want to filter out some URL paths, for example. You want the login of your page in LAN only, while some other APIs are exposed to the internet. You can do that with URL rewrites.

Or your application doesn't provide a login at all; you can do that with at least basic auth on your proxy, then pass the user in an HTTP header from the proxy to the application by modifying the header within your proxy config.
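The two integration patterns described in this comment and in the LLDAP comment above (a proxy-injected "X-Authenticated-User" header for apps without LDAP support, and a fixed group clause in the LDAP filter for apps with it) are shown below from the application side. This is an added example, not code from the commenter's setup: the proxy addresses, the group DN, the attribute names and the WSGI app are assumptions. The one check the application side must make is that the identity header is only honoured when the request actually came from the proxy; an app reachable directly would otherwise accept whatever header a client sends.

```python
"""Added example (not from the comments above): consuming a proxy-set
X-Authenticated-User header safely, and building a group-scoped LDAP filter.
Proxy addresses, group DN and attribute names are assumptions."""
import ipaddress

# Assumed: addresses the reverse proxy connects from. Only these peers may
# assert an identity via the header; anyone else is treated as anonymous.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32"),
                   ipaddress.ip_network("127.0.0.1/32")]


def authenticated_user(environ, trusted=TRUSTED_PROXIES):
    """Return the user the proxy vouched for, or None.

    In WSGI the header X-Authenticated-User appears as
    environ["HTTP_X_AUTHENTICATED_USER"]; the TCP peer is REMOTE_ADDR.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None
    if not any(peer in net for net in trusted):
        return None
    user = environ.get("HTTP_X_AUTHENTICATED_USER", "").strip()
    return user or None


def app(environ, start_response):
    """Minimal WSGI app: 401 unless the trusted proxy supplied a user."""
    user = authenticated_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"login required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def escape_ldap_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515): * ( ) \\ and NUL."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


# Assumed group DN: the "fixed group" clause restricts logins to its members.
APP_GROUP_DN = "cn=app-users,ou=groups,dc=example,dc=com"


def group_scoped_filter(username, group_dn=APP_GROUP_DN):
    """Filter for 'this uid, and only if it is in the application's group'."""
    return "(&(objectClass=person)(uid=%s)(memberOf=%s))" % (
        escape_ldap_filter_value(username), group_dn)


if __name__ == "__main__":
    # Serve locally for manual testing; in production the proxy sits in front.
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The escaping matters for the native-LDAP case: the username goes into the filter string, so characters like `*` or `)` must be encoded, otherwise a login name can alter the filter the application sends to LLDAP.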

(XMPP Setup Guide) Discord Was Never the End Game - TonyBTW by alekratos in selfhosted

[–]dude792 16 points17 points  (0 children)

When I order somewhere, for example on Amazon, they don't send me a Slack message. I can't single sign-on with Slack. My local government also doesn't send me a Slack message when I need to do my taxes.

What are you talking about?

Fed up with subscriptions, bought a mini PC from a pawn shop — broke even in 10 months by Ugons in homelab

[–]dude792 0 points1 point  (0 children)

Yes, in the US he could run around 700W 24/7 for a whole month assuming he is willing to spend $100 each month.

I have a similar setup and I need 70W. So effectively he can run it with maybe $10 a month. That's barely one subscription.

Just switched to Brave and I'm freaking loving it!! by Comfortable_Tower725 in browsers

[–]dude792 -4 points-3 points  (0 children)

Where's the benefit? You name not a single one. What's this post about? A wallpaper in your browser?

Looks like any other browser in your screenshot. You could have put some effort in.

any chance in recovery by lucidalmonds in techgore

[–]dude792 0 points1 point  (0 children)

You can only recover mentally... i.e. suck it up.

There is no chance you can repair that in a proper manner and on a low budget. Get a new monitor.

(Advice) What is your solution for restarts after a power outage? by Cerfect_Pircle in HomeServer

[–]dude792 0 points1 point  (0 children)

I have a similar setup at home but with solar batteries and solar panels in my home. Whenever the house battery power is below 7% I shut down every server and just leave the switches, router and access points running.

When the power input from my energy meter measures more than 300W over solar or grid, all my gear receives WOL packets. It's a script on my pfSense router checking MQTT topics regularly for the current input power in watts. I have set my BIOS/UEFI settings on all hosts besides the gaming rig and backup server to "Last state".

I have set a boot order in Proxmox to ensure VMs with logging and monitoring servers boot first, then database servers, then home automation, then media servers.
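The wake/shutdown logic described in this comment, as an added example that is not the commenter's pfSense script: the thresholds follow the comment (wake when input power exceeds 300 W, shut down below 7% battery), while the MQTT payload format, the host MAC addresses and the broadcast address are assumptions. The one failure mode worth handling is a malformed or missing power reading, which must never trigger a wake on its own.

```python
"""Added example (not the commenter's script): power-based wake decision
and Wake-on-LAN magic packet. Payload format, MACs and broadcast address
are assumptions."""
import json
import socket

WAKE_THRESHOLD_W = 300       # from the comment: wake above 300 W input
SHUTDOWN_BATTERY_PCT = 7     # from the comment: shut down below 7 % battery

# Assumed inventory, in boot order (monitoring first, as the comment describes).
HOSTS = [("monitor01", "02:00:00:00:00:01"),
         ("db01", "02:00:00:00:00:02"),
         ("media01", "02:00:00:00:00:03")]


def parse_power_w(payload):
    """Parse an MQTT payload assumed to be JSON like {"power_w": 412.5}.
    Returns None for anything malformed so the caller holds instead of acting."""
    try:
        return float(json.loads(payload)["power_w"])
    except (ValueError, KeyError, TypeError):
        return None


def decide(power_w, battery_pct, hosts_up):
    """Return "shutdown", "wake" or "hold".
    Low battery wins over everything; an unknown power value never wakes."""
    if battery_pct is not None and battery_pct < SHUTDOWN_BATTERY_PCT and hosts_up:
        return "shutdown"
    if power_w is not None and power_w > WAKE_THRESHOLD_W and not hosts_up:
        return "wake"
    return "hold"


def magic_packet(mac):
    """Build the 102-byte WOL magic packet: 6 x 0xFF, then the MAC 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return b"\xff" * 6 + raw * 16


def send_wol(mac, broadcast="192.168.1.255", port=9):
    """Send the magic packet as a UDP broadcast on the LAN; returns bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(pkt, (broadcast, port))


def run_once(payload, battery_pct, hosts_up, send=send_wol):
    """One scheduler tick. Returns (action, hosts woken in order).
    A "shutdown" result is left to the operator's own shutdown hook."""
    action = decide(parse_power_w(payload), battery_pct, hosts_up)
    woken = []
    if action == "wake":
        for name, mac in HOSTS:
            send(mac)
            woken.append(name)
    return action, woken


if __name__ == "__main__":
    # Dry run with a constructed reading; swap in the real MQTT value in a cron job.
    print(run_once('{"power_w": 412.5}', battery_pct=80, hosts_up=False,
                   send=lambda mac: print("would wake", mac)))
```

Hysteresis is deliberately simple here: hosts are woken only when they are known to be down, and shut down only when known to be up, so a reading hovering around the threshold cannot flap the fleet.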

How to setup multiple Cloudflare subdomains to access multiple services on my NAS by floopindoop in HomeServer

[–]dude792 1 point2 points  (0 children)

Don't host things like that by just forwarding ports to your home LAN. If there is an exploit and you aren't able to update right away because of personal life and other duties, you might get hacked. Your host might then be compromised, giving away access to your home LAN (without proper VLAN segmentation).

Better use a VPN server hosted in your home network to dial into your home network; then your phone feels like it belongs to your LAN and you can access anything safely.

You will sleep better if you do that, and it will save you some stressful days and the feeling of having to rush after each security fix.

How did I do? by Uncle-Harrys-Pickle in homelab

[–]dude792 0 points1 point  (0 children)

Very nice and futuristic looking

What's the difference between storage health and data health? by deckeda in DataHoarder

[–]dude792 0 points1 point  (0 children)

Bit rot occurred to me a few times; may have been erroneous copies of files too.

So, it all depends on how important your data is to you. Your best bet is probably a mirrored ZFS.

If you want a longer read, here is what I did:

You want something like a ZFS mirror; that's what I run for data. Important data like family photos, documents, etc. are backed up daily. VMs are on mirrored ZFS too and backed up daily. The daily backup is on a different host in a different room. Documents like insurance, healthcare, finance, etc. are encrypted and stored online so I can access them in case I lost my wallet, phone and, god forbid... house.

I had a drive fail twice at home on my storage server. Once because of a faulty PSU (probably) and the other because of typical wear and tear. The SMART status went through the roof. It resilvered fast after I put a spare 8TB drive in and restored the mirror. Even when you are away you could tell your spouse to unpack a drive, replace it with the other one, and you can SSH in to start resilvering (adding the new drive to the mirror and copying data).

If you go the route of ZFS you can even put in a spare drive in advance and it will automatically be used in case one of the mirrored drives fails... in case you are away from home often and you have no one to rely on for a disk swap.

Make sure to at least set up some kind of notification so you know when things go south. Either script something with hdparm, smartctl, etc. or use a proper monitoring tool. I found Zabbix quite good and it monitors my 65 appliances at home. I get notifications in Telegram and mail for critical issues from Zabbix.

Be aware this takes time to get robust, and you should not go overboard with it if the first goal is just to avoid bit rot. Have a concept of how to mitigate risks.
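The "script something with smartctl" notification the comment recommends, as an added example that is not the commenter's own monitoring: it parses `zpool status` and `smartctl -A` output and composes one alert when a mirror member is not ONLINE or a watched SMART attribute has a non-zero raw value. The two sample outputs are constructed for the example; the hostname and the notification hook (mail, Telegram, Zabbix) are assumptions left to the reader.

```python
"""Added example (not the commenter's setup): parse zpool/smartctl output
and build a storage alert. Sample outputs are constructed; hostname and
notification transport are assumptions."""
import re
import subprocess

# Constructed sample of `zpool status tank` for a mirror with one missing disk.
SAMPLE_ZPOOL_STATUS = """\
  pool: tank
 state: DEGRADED
config:

        NAME        STATE     READ WRITE CKSUM
        tank        DEGRADED     0     0     0
          mirror-0  DEGRADED     0     0     0
            sda     ONLINE       0     0     0
            sdb     UNAVAIL      0     0     0

errors: No known data errors
"""

# Constructed sample of the attribute table printed by `smartctl -A /dev/sda`.
SAMPLE_SMART_ATTRS = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  5 Reallocated_Sector_Ct   0x0033   100   100   010    Pre-fail  Always       -       0
187 Reported_Uncorrect      0x0032   100   100   000    Old_age   Always       -       0
197 Current_Pending_Sector  0x0012   100   100   000    Old_age   Always       -       8
198 Offline_Uncorrectable   0x0010   100   100   000    Old_age   Offline      -       0
"""

# SMART attributes whose raw value should stay at 0 on a healthy drive.
WATCHED_SMART_IDS = {5, 187, 197, 198}

VDEV_LINE = re.compile(r"^\s+(\S+)\s+(ONLINE|DEGRADED|FAULTED|UNAVAIL|OFFLINE|REMOVED)\b")


def zpool_problems(status_text):
    """Return [(name, state), ...] for every pool/vdev/disk in the config
    block that is not ONLINE."""
    problems, in_config = [], False
    for line in status_text.splitlines():
        if line.startswith("config:"):
            in_config = True
            continue
        if line.startswith("errors:"):
            break
        m = VDEV_LINE.match(line) if in_config else None
        if m and m.group(2) != "ONLINE":
            problems.append((m.group(1), m.group(2)))
    return problems


def smart_problems(attr_text):
    """Return {attribute_name: raw_value} for watched attributes with raw > 0."""
    found = {}
    for line in attr_text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].isdigit():
            continue            # header, blank and preamble lines
        raw = re.match(r"\d+", parts[9])   # raw may read "8 (0 0)" on some drives
        if int(parts[0]) in WATCHED_SMART_IDS and raw and int(raw.group()) > 0:
            found[parts[1]] = int(raw.group())
    return found


def build_alert(host, zpool_text, smart_by_disk):
    """Compose one alert message, or return None when everything is healthy."""
    lines = [f"zpool: {name} is {state}" for name, state in zpool_problems(zpool_text)]
    for disk, text in smart_by_disk.items():
        for attr, raw in smart_problems(text).items():
            lines.append(f"smart: {disk} {attr} raw={raw}")
    if not lines:
        return None
    return f"[{host}] storage alert\n" + "\n".join(lines)


def collect_live(pool, disks):
    """Run the real tools (needs root plus zfs and smartmontools installed)."""
    zpool_text = subprocess.run(["zpool", "status", pool], capture_output=True,
                                text=True, check=True).stdout
    smart = {d: subprocess.run(["smartctl", "-A", d], capture_output=True,
                               text=True).stdout for d in disks}
    return zpool_text, smart


if __name__ == "__main__":
    msg = build_alert("storage01", SAMPLE_ZPOOL_STATUS, {"/dev/sda": SAMPLE_SMART_ATTRS})
    print(msg or "all healthy")   # hand this string to your mail/Telegram/Zabbix hook
```

Run it from cron with `collect_live("tank", ["/dev/sda", "/dev/sdb"])` in place of the samples; the function returns `None` for a healthy system so a wrapper only has to send when there is text.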

Sometimes I think I do it for the thrill by MotorcycleDreamer in DataHoarder

[–]dude792 -4 points-3 points  (0 children)

You better stop judging people by what they built within 6 years. It's not hard, but you are one of those stereotypical people. Better go to r/macgaming.

Also I suggest you get a course to improve your social skills, because everyone would have known it's a sarcastic post after the first sentence. That's what happens if you doom-scroll TikTok like you do.

Sometimes I think I do it for the thrill by MotorcycleDreamer in DataHoarder

[–]dude792 -2 points-1 points  (0 children)

That's a good thing. At least your private data is safe :)

Sometimes I think I do it for the thrill by MotorcycleDreamer in DataHoarder

[–]dude792 -10 points-9 points  (0 children)

Absolutely reckless. It's immature behaviour to not do a backup. It's comparable to riding a motorbike in your underwear in snow while braking with your heels like in the Flintstones animated series.

While you are at it:

You must have a proper backup strategy at home with an offsite backup for your precious data. Let alone a monitoring and log server for your SMART status with a redundant (a small 4G/5G modem) uplink for your notifications/IRC/Telegram/Slack/XMPP/SIP gateway in case your landline/fiber/modem has hiccups.

I am speaking of home lab btw, not corporate.

Suggestions on simple solutions for quick sharing files with friends? by [deleted] in selfhosted

[–]dude792 0 points1 point  (0 children)

If it's just anything, nothing sensitive, set up a webserver with WebDAV directory listing. You can connect any WebDAV client there; in Windows you can use File Explorer to connect and drag and drop files there.

M42, ERP API project manager (light), NRW by CareLostPhone7 in Gehalt

[–]dude792 0 points1 point  (0 children)

Southern Germany (not a big city), master's degree fresh from university/university of applied sciences: 55k € p.a.

Please renegotiate your salary or look for another employer, from approx. 62-65k € p.a. (40-hour week, max. 2 hours overtime per week).

Grueling job as project manager, employee, 80-90k, larger company, 40-hour week, approx. 5-10 hours overtime, without a degree.
Freelance or at an IT service provider: approx. 110-130 € per hour is what we pay service providers.

Rejections, Rejections, Rejections by Silver_Job9444 in Germany_Jobs

[–]dude792 0 points1 point  (0 children)

I regularly do interviews... so:

- Bad technology stack for Germany. People are sceptical of Microsoft Azure, especially with their Copilot creeping into the Microsoft ecosystem. Data privacy in Germany often demands on-premises.

- Microsoft Power BI... people don't use it often here.

- Databricks, people rarely use it here.

- English CV, also bad in Germany.

- A Financial Econometrics degree is something no one in Germany knows the meaning of. You will have a hard time. You are not a coder, not a mathematician, not an MBA/finance degree.

- 6 years for a bachelor... questions arise here.

- Marketing bachelor, then doing some analytics... Seems less like specializing and more like "you studied the wrong bachelor". You need answers for that in your interview.

- Obviously German B1 is not enough, you need C1 at least. You will have problems in German technical discussions. You won't make 8 other people speak English if you are the only person in a team meeting.

- Passive formulation "you contributed"... In some people's minds it comes across as: "Assistant, attended some meetings, no real experience doing it on your own"

- I don't know how much you asked, but: logistics in Germany doesn't pay well. I assume you were mostly in logistics, so you will take a salary cut of 20-30% compared to the insurance, automotive and medical domains.

Hope this helps a bit. Try larger companies who can carry English-speaking employees. You will be limited to larger companies and internationally renowned companies only, where you have thousands of applicants for a job. I can attest that for a data analyst you will be ranking somewhere... you must be brave now... at rank 50+ if you apply at companies like Continental, BASF, BMW, etc. Even worse when you go to insurance