I have tried to deploy #Snikket. Gave up after I didn't manage to convince it to not manage TLS certificates itself.

I have tried to deploy #Prosody, Snikket's underlying project. Gave up after I didn't manage to configure it enough for it to be happy.

I have tried to deploy #ejabberd. Gave up after I realized how underdocumented and confusing the configuration is, convinced I wouldn't be able to secure it enough.

Is there really no good #XMPP server that would just work? I am annoyed.

@latenightowl
Out of curiosity, why were you trying to prevent Snikket from obtaining TLS certificates? It's typically a 5-minute setup, but it sounds like you have special requirements?

If you could share the obstacles you had with Prosody I'm very interested. It sounds like it would be the better fit for you, so I'm curious what went wrong. (cont...)

@mattj
We continuously strive to make Prosody easier and easier with every release, and it's generally pretty easy these days (based on feedback we receive). If there are still cases where it's not easy, I'm extremely interested to hear more about them. I'm sorry you didn't have a great experience.
@latenightowl

@mattj For me, it is mostly about control and stack transparency. I already have Caddy doing the certificate management, I'd prefer if I didn't have to keep in mind some certificates exist elsewhere.

From a purely technical standpoint... It makes it really hard to deploy in airgapped environments. Plus I don't want to get rate limited by Let's Encrypt if I misconfigure the setup.

And there's the whole digital sovereignty thing, with Let's Encrypt being a US company. It is fine for now, but what about in a year or two?

@mattj I... have just unblocked myself. Basically, the cause was here:

https://hg.prosody.im/docker/file/tip/entrypoint.sh#l6

I use many Podman hardening features, so in the volume mount, I have configured without thinking

> Volume=/home/prosody/data/:/var/lib/prosody/:rw,U,Z

without realizing the 'U' changes the ownership of the directory. So I'd run 'chown' by hand and rootful Podman would overwrite it every time I restarted the container to try the fix out.

Sorry for shitting on your software, I know how hard vertical integration is. I feel bad every time I complain and the maintainers come to help me :|
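Added example (not from the thread, nor from the Prosody or Podman projects): the 'U' option on a Podman/Quadlet Volume= line tells podman to chown the host directory to the container's user on every start, which is why a manual chown kept getting undone above; 'Z' only relabels the directory for SELinux. The snippet below parses the option field of a constructed Quadlet Volume= line and flags 'U', showing the original line next to a version with the option dropped. The unit text and function names are made up for the illustration.

```shell
#!/bin/sh
# Constructed sample lines: the one from the thread, and the same mount without 'U'.
WEAK_LINE='Volume=/home/prosody/data/:/var/lib/prosody/:rw,U,Z'
FIXED_LINE='Volume=/home/prosody/data/:/var/lib/prosody/:rw,Z'

# Print the comma-separated option field (third colon-separated field) of a
# Quadlet Volume= line; prints nothing if the line has no options.
volume_opts() {
  printf '%s\n' "$1" | sed -n 's/^Volume=[^:]*:[^:]*:\(.*\)$/\1/p'
}

# Exit 0 if option $2 (e.g. U, Z, ro) is present in Volume= line $1, else 1.
volume_has_opt() {
  opts=$(volume_opts "$1")
  case ",$opts," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Say what podman will do to the host directory's ownership for this mount.
describe_mount() {
  if volume_has_opt "$1" U; then
    echo "WARNING: 'U' present; podman re-chowns the host directory on every container start"
  else
    echo "ok: host directory ownership is left alone (chown it once by hand)"
  fi
}

describe_mount "$WEAK_LINE"
describe_mount "$FIXED_LINE"
```

Without 'U', the host directory has to be owned (once) by the UID the container process runs as; the chown the entrypoint performs inside the container is then the only ownership change that happens.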
