stratself
@stratself@lemdro.id
- Comment on 1 day ago:
Search “selfhosting” on matrixrooms.info and sort by most members, you should find a few
- Comment on Matrix hosting 2 days ago:
The easy solution is to choose someone other than matrix.org, get everyone over there, and hope it works out in the long run
The technical answer is that if you own your domain name you can migrate from a managed solution to a selfhosted one with some caveats. If you can’t migrate the database, then some data will be lost (namely, unfederated rooms and local-only data) and your friends will likely need to do a few things (reset their passwords, and export/reimport their encryption keys). Unfortunately there are no database migrators between different server software right now
- Comment on Matrix hosting 3 days ago:
We are (like everyone) on matrix.org now but realize we need to move eventually.
Consider moving to another open registration server too. Find one that supports Element Call
do I need to pay for a domain still?
If you’re gonna selfhost, you should purchase a domain for proper federation with the wider network. IP-only servers are possible, but they are generally banned in most rooms due to antispam. Same with dynamic DNS domains
Unless it really is easy enough to do it on a synology nas for text/voice/screen share…
You’ll need to integrate a Matrix homeserver (I recommend Continuwuity.org, much lighter than Synapse) and Livekit (the server that handles calls). It’s not particularly easy so maybe consider managed hosting beforehand, too
- Comment on How to self-host a Prosody XMPP server on Bazzite with Podman for Movim 4 days ago:
You can try Snikket.org, which is basically Prosody but easier. But you can’t selfhost “on each person’s own computers” as you said because you’d still need publicly exposable IP addresses and high uptime. Maybe you could try registering on an XMPP or Matrix instance you like and migrate your community over there first
Question for others: are Prosody’s (and XMPP’s) group calls really good? I’m under the impression that Matrix (with Element Call) is currently better due to the SFU architecture, but I’d be happy to be proven otherwise. I’m interested to hear required specs, how large the calls can be, and how much strain it puts on the TURN server and clients especially when it comes to multiparty streaming
AFAIK the Movim people are working on SFU calls too, but not soon
- Comment on Is it feasible to run a TURN server behind NAT? 1 week ago:
If you want a non-federating LAN-only Matrix server, then STUN/TURN can be behind the NAT. Since you have Tailscale, STUN/TURN can also expose itself on the Tailscale VPN too. Just configure proper DNS records per-interface and you should be fine.
Since calls are p2p, the purpose of STUN is to determine a client’s (usually public) IP address, and TURN is to relay the connection if they can’t connect directly (i.e. behind NAT). If your clients are on the same LAN/VPN with unrestrictive firewalls then you might not even need any STUN/TURN altogether.
- Comment on System requirements for a Matrix server? 1 week ago:
None of the answers given were concrete. So here’s my take.
I am able to run singleuser Continuwuity on an 8GB RAM Pi machine with 4 cores, and join many large rooms (around >=1000 users, although the number of homeservers in the room is a more suitable metric). It would use around 2GB RAM, but you can tune it for less (basically reduce cache values, but ask in the room for more advice).
After a few months the database hovers at around 2GB, because the database uses zstd compression by default. Anyhow, it’s not a major problem like with Synapse, just don’t use HDD for storage and you should be fine.
For best experience, I also selfhost a dedicated caching resolver (unbound) for continuwuity. That takes like a few hundred more MBs of memory.
Given the fact you’d like to play around with it, a mid-tier VM/VPS (2CPU, 2GB RAM, 20GB SSD) is a reasonable starting choice
- Comment on System requirements for a Matrix server? 1 week ago:
jade-liveit-guide.continuwuity.pages.dev/calls
the call docs are being rewritten to reflect latest developments. Join the Matrix room for further help too, it’s quite active these days
- Comment on Weird Internet Behavior Starting Selfhost Server & PC's 2 weeks ago:
Question: what sort of misconfiguration was it? Might have an effect on the round robin assignments of Cloudflare
- Comment on Nextcloud/OneDrive Files-only Replacement 2 weeks ago:
Why are files unusable outside of Nextcloud? Consider using the External Storage plugin.
Imo there are two types of file servers: smart clouds with offline and smart selective on-demand sync on brand-specific clients, groupware support, conflict resolution, and enterprisey plugins (Nextcloud, Opencloud, Seafile, etc); and dumb clouds with protocol-based file transfers and filesystem-tree/userperms instant compliance (copyparty, sftpgo, etc)
Of the first one, only Opencloud has a native-looking filesystem (PosixFS) and does it without dependency on a db. It supports smart sync for Windows (via the same API OneDrive uses). Linux smart sync is sadly nonexistent due to lack of protocols, and whatever other software does (e.g. using an .owncloudplaceholder file) is highly experimental.
Of the second type, you’d get all the standardizations and speed but no bidirectional sync nor offlineness - again this is honestly an advanced undertaking requiring academic understanding of distributed systems and whatnot. On Linux you may try emulating some aspects of it via a half-smart client like rclone with VFS, but the UX to store files offline is still not there.
Knowing these constraints I’d tier my storage into 2 parts: the daily files like notes and recent photos stored in one of the smart sync solutions, ready for download and later offline use; and anything unnecessary (Jellyfin media, archives) to be in a dumb SMB share/SFTP mount.
- Comment on Geo-distributed Jellyfin 2 weeks ago:
I’m in a similar rut with intercontinental internet issues, and would like to share my thoughts
While not a full-fledged CDN, you may consider setting up an Asian VPS to serve as a second reverse proxy/ingress route, terminate TLS there, and route plaintext HTTP back to your homelab (this virtual tunnel shall be behind a WireGuard VPN interface). As I’ve figured out in my blogpost here (see scenario 2), this allows the initial TCP and TLS handshakes to happen nearer to the user instead of going all the way to Europe and back home.
Before renting compute, I suggest trying these smaller actions first - if they work you mightn’t need a VPS anymore:
- Look into Linux sysctl tuning of network parameters. My personal tweaks for the /etc/sysctl.conf stuff are:
- Implement some sort of Smart Queue Management on your router (e.g. CAKE algorithm)
- Enable HTTP/3+QUIC on your reverse proxy for reduced handshakes. Though it’s unlikely native Jellyfin clients also benefit from such features
Curious to see if any of this helps :)
- Comment on Self-Host Weekly (30 January 2026) 3 weeks ago:
The Cloudflare Matrix blog in the newswire section is an AI slopfest, featuring vibe-coded repos lacking fundamental protocol features, trivially false claims about Matrix projects, and misinformed or dishonest claims to market their software offerings. It is not anything of proper substance.
To the selfh.st maintainers, please kindly include the community’s responses towards this action, for completeness of the situation
- Jade’s blogpost - tech.lgbt/@JadedBlueEyes/115967791152135761
- news.ycombinator.com/item?id=46781516 - Hacker News thread of above
- Comment on Messaging apps - XMPP vs Matrix vs ??? 4 weeks ago:
I’m running continuwuity, and ejabberd as text-only IM servers to talk to some communities. The latter (and XMPP in general) has more moving parts (more ports, SRV records, etc) to set up, but messages deliver much faster and take much less resources. They’d probably both run fine on a VPS with the proper tweaks anyhow - the Rust-based server makes Matrix actually not suck after all
For bridges, I’ve used maunium-discord as a Matrix bridge in the past, and trying out slidcord right now. I think Matrix bridges still got better UI/UX due to more supported features (spaces/threads) and coherent clients, though let it be known Slidge is a hobbyist project. If your chat server is mainly for bridges, stick to Matrix and consider disabling federation. Also Matrix if you’d like your friends to switch over from Discord - it has more Discordesque features like custom emojis/stickers and SFU-backed group calls
Though this doesn’t mean I’m unrecommending XMPP. I do appreciate its clients’ snappiness, in-band notifications, and unrivaled efficiency. I kinda wanna write a blogpost comparing both software and protocols, but right now I don’t have an opinion about one over the other. They’re both cool albeit they both leak different metadata differently
- Comment on A new look for Snikket on Android 4 weeks ago:
It’s basically XMPP with a clear packaging, from server to client
- Comment on New to Tailscale. Can I use it along with my own DNS and NPM to access my services externally using my existing internal custom domain? 4 weeks ago:
Yes.
If you want to access your NPM stuff on both Tailscale and LAN, either:
- Advertise a subnet route for your LAN range, configure Tailscale devices to use it, and use your LAN IP on the AGH rewrite, or
- Split Horizon: Have your DNS respond with a Tailnet IP when it’s queried from the Tailnet range, and respond with a LAN IP when queried from LAN. AGH cannot do this, but other software like Technitium can
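The split-horizon idea from this answer (and the per-interface DNS records mentioned in the TURN-behind-NAT answer above) as an added example; it is not the commenter’s code and not Technitium or AGH. It is a minimal UDP responder that picks a Tailnet or LAN address for the same name depending on the querying client’s source range; the zone name and addresses are constructed placeholders.

```python
# Added example (not the commenter's code): a minimal split-horizon DNS responder.
# Answers A queries with a Tailnet address for clients inside the Tailscale CGNAT
# range and a LAN address for LAN clients; names and addresses are constructed.
import ipaddress
import socket
import struct

ZONES = {"npm.home.example.": {"tailnet": "100.101.102.103", "lan": "192.168.1.20"}}
VIEWS = [("tailnet", ipaddress.ip_network("100.64.0.0/10")),   # Tailscale address block
         ("lan", ipaddress.ip_network("192.168.1.0/24"))]

def select_view(source_ip):
    addr = ipaddress.ip_address(source_ip)
    for name, net in VIEWS:
        if addr in net:
            return name
    return None          # unknown source: refuse rather than hand out an address

def parse_question(pkt):
    """Return (qname, qtype, offset past the question) from a DNS query."""
    labels, off = [], 12                        # fixed 12-byte header
    while pkt[off] != 0:
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    qtype = struct.unpack("!H", pkt[off + 1:off + 3])[0]
    return ".".join(labels).lower() + ".", qtype, off + 5

def resolve(pkt, source_ip):
    """IPv4 string for this query as seen from source_ip, or None."""
    qname, qtype, _ = parse_question(pkt)
    view = select_view(source_ip)
    if view is None or qtype != 1:              # only A records in this example
        return None
    return ZONES.get(qname, {}).get(view)

def build_response(pkt, source_ip):
    _, _, qend = parse_question(pkt)
    rd = (pkt[2] & 0x01) << 8                   # echo the client's RD flag
    ip = resolve(pkt, source_ip)
    if ip is None:                              # QR=1, RCODE=5 REFUSED, no answer
        return pkt[:2] + struct.pack("!HHHHH", 0x8000 | rd | 5, 1, 0, 0, 0) + pkt[12:qend]
    header = pkt[:2] + struct.pack("!HHHHH", 0x8480 | rd, 1, 1, 0, 0)   # QR, AA, RA
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + pkt[12:qend] + answer

def build_query(name, txid=0x1234):
    """Constructed A query packet, used only to exercise the responder."""
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + wire + b"\x00\x00\x01\x00\x01"

def serve(bind="0.0.0.0", port=5353):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            pkt, peer = s.recvfrom(512)
            s.sendto(build_response(pkt, peer[0]), peer)
```

Queries from anywhere outside the two ranges get REFUSED, so the LAN address is never revealed to a client that cannot reach it anyway.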
- Comment on New to Tailscale. Can I use it along with my own DNS and NPM to access my services externally using my existing internal custom domain? 4 weeks ago:
Do a DNS rewrite at AGH, but instead of the LAN IP make it the Tailscale IP of your NPM machine. Then configure AGH as one of the global nameservers on your Tailscale admin panel
Delete all A/AAAA records on Cloudflare, only use it for registrar purposes and the occasional certs authentication.
- Comment on [deleted] 5 weeks ago:
In your Tailscale DNS panel, disable “Use with exit node” option for your nameservers.
When turned on, that option actually allows you to talk directly to nameservers without tunneling DNS queries through the exit node. Since Quad9 in fact has a worldwide CDN, this would leak your (general) DNS query location.
I believe Tailscale sends the queries in parallel and fetches the faster response, which is Quad9 in this case. Ideally for your use case, all your queries should be able to reach and show up in Pi-hole’s logs. Use tailscale dns commands for further debugging
- Comment on DNS kicking my ass (Technitium and opnsense) 5 weeks ago:
Glad to know you got it working.
When you use a VPN as a matter of privacy, I believe you should use their DNS service too to blend in with the crowd. Because of DNS leaks, websites would likely know which DNS server you’re querying from, so using a selfhosted one instead of a VPN’s can be a major uniqueness vector. On the contrary however, I’ve seen many do exactly that, so I guess it’s not as big of an issue. So it’s your choice ultimately.
Now, if you opt for commercial VPN’s DNS servers, be aware that they don’t usually block any ads (if they do it’s likely a paid option), and you’d want to configure your own local zones too. To intercept DNS queries and forward only the approved ones to the VPN, I think you have 2 options:
- Host Technitium on the VPN’d machine (your computer) and set up blocklists there. Create Conditional Forwarding zones: 1 towards the main TDNS server for your local domains, and the rest towards the 10.2.0.1 server for your public queries. Technitium may be overkill, AdGuard Home can also do this.
- Configure your main TDNS server to forward queries via the VPN tunnel. This requires the VPN tunnel having an available SOCKS5/HTTP proxy, to be used with TDNS’ Proxy and Forwarders options. Even better, you may use the Advanced Forwarding app to only use this routing for the VPN’d device, and use another routing for other devices
- Comment on DNS kicking my ass (Technitium and opnsense) 1 month ago:
Have you solved your problem? It seems like there are some issues with your setup:
TDNS is set to “allow recursion only for private networks” this means that if something external tried to resolve using my TDNS they’ll be refused, correct?
Correct. It only accepts recursive queries from private networks and can do outbound requests to the internet as normal
10.2.0.1 turned out to be my vpn’s dns server
On the computer, you’re also using your VPN’s DNS service accessible within the VPN tunnel (hence the weird IP address). If you wanna use Technitium you should disable such service
I set NAT rules to force TDNS port 53 routing. TDNS is set to forward to quad9 and cloud flare externally. DNS blocking lists are set in TDNS.
Unable to reach external net when NAT rules active.
If you’re forcing every device to talk to TDNS, then your TDNS server is also talking to itself and cannot make queries to Cloudflare/Quad9 on port 53. You can either:
- Create an exception rule to allow your TDNS address to talk to Cloudflare/Quad9
- Use DNS-over-HTTPS/DNS-over-TLS as your TDNS forwarder protocols as they aren’t affected by rules on port 53 (recommended)
It seems the DHCP is handing out the firewall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333.
Yes it’s expected, if you’re telling your clients to forward their queries to dnsmasq, and then let dnsmasq forward those queries to Technitium. If you want clients to talk directly to TDNS instead, set the DHCP option to advertise its address and don’t use your firewall’s address as a forwarder. I prefer the second option as it’ll give you correct client IPs in query logs and save some round trips.
I don’t really know what I’m doing with zones but I have a primary zone set with example.com. I set some static hosts records in this zone and enabled reverse lookup, expecting servicehost.example.com
If you can query the zone and its reverse PTR record in Technitium’s DNS client, then you’ve properly set it up. Remember you’ll have to tick the PTR options when setting up said record. Also you can open an issue on Technitium’s Github or their subreddit for assistance.
- Comment on How are people discovering random subdomains on my server? 1 month ago:
My guess would be NSEC zone walking if your DNS provider supports DNSSEC. But that shouldn’t work with unregistered or wildcard domains
The next guess would be during setup, someone somewhere got ahold of your SNI (and/or outgoing DNS requests). Maybe your ISP/VPN service actually logs them and announces it to the world
I suggest next time, try setting up without any over-the-internet traffic at all. E.g. always use curl with the --resolve flag on the same VM as Apache to check if it’s working
- Comment on Cloudflare Tunnel: proxy-dns Command Removal 2026 | What are some nice alternatives to encrypted DNS? 1 month ago:
they have an official build too: hub.docker.com/r/adguard/dnsproxy
- Comment on Cloudflare Tunnel: proxy-dns Command Removal 2026 | What are some nice alternatives to encrypted DNS? 1 month ago:
Technitium is very powerful and could perfectly handle being a DNS forwarder + DHCP provider for your LAN, replacing both Pihole + cloudflared. Though it does many other things too, which can make the UI overwhelming for starters. But in my opinion if you’d like to fine-tune a lot of things like cache and custom DNS logic (via installable applets), this would be the software for you
For the upstream provider I guess Quad9 is popular enough to give you fairly good geolocated IPs, but also has some sense of privacy. The main thing is to always validate your answers with DNSSEC so as to detect and refuse any DNS tampering attempts
- Comment on How do you get a certificate for an internal domain? 1 month ago:
Yes it involves nginx’s stream directive
- Comment on How do you get a certificate for an internal domain? 1 month ago:
As continued from my answer for your previous post, I suggest you route pure TCP traffic all the way to your backend and terminate TLS (with a Let’s Encrypt cert) there. In fact, I prefer not to mount any certs on the VPS. This does not involve separate certs nor internal domains.
- Comment on PSA: If you are running a Matrix homeserver written in Rust, you'll need to upgrade NOW 1 month ago:
- Comment on My Unifi Dream Machine Pro's ad-blocking was doing more than I expected 1 month ago:
Is there a way for you to talk to upstream DNS bypassing Ubiquiti’s firewall? Maybe do it on a different port? (idk if the RFC permits this)
- Comment on reverse proxy over vpn without docker? 1 month ago:
There are many ways to do this and you got the right gist, but my recommendation:
- Set up a WireGuard tunnel connecting your VPS and homeserver
- Set up a layer-4 TCP reverse proxy (Nginx’s stream module/Traefik TCP routers/Caddy-L4/HAProxy are all doable) on the VPS
- Use that reverse proxy to route all TCP traffic back to the homeserver’s HTTPS service(s), via the wg tunnel
Here’s a guide that helped me with such a setup: theorangeone.net/…/wireguard-haproxy-gateway/
Wireguard only needs one peer to open a silent UDP port, so use the VPS’ IP and no need to port-forward your homeserver. There are other more convenient solutions like Tailscale or Pangolin, but being Wireguard-based they all follow the same principle. Lastly this keeps your certs locally for TLS all the way through
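The VPS side of this setup, and of the “route pure TCP to the backend and terminate TLS there” answer on the internal-domain post above, as an added example that is neither the commenter’s code nor nginx/HAProxy: a layer-4 proxy that only peeks at the ClientHello’s SNI to pick a backend and then forwards the raw bytes, so no certificate ever lives on the VPS. The backend addresses (assumed to be the homeserver’s WireGuard-side IP) are constructed placeholders.

```python
# Added example: SNI-routing layer-4 TCP proxy for the VPS side of the "WireGuard
# tunnel + TCP passthrough, TLS terminated at home" setup. Not the commenter's code.
import asyncio
import struct

# Routing table (constructed): SNI -> (host, port) reachable through the wg tunnel.
BACKENDS = {"matrix.example.org": ("10.10.0.2", 443),
            "files.example.org": ("10.10.0.2", 8443)}

def extract_sni(data):
    """Read server_name from a TLS ClientHello without decrypting anything."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:   # TLS handshake record, ClientHello
            return None
        off = 43 + 1 + data[43]                  # skip version/random, then session id
        off += 2 + struct.unpack("!H", data[off:off + 2])[0]   # cipher suites
        off += 1 + data[off]                     # compression methods
        ext_end = off + 2 + struct.unpack("!H", data[off:off + 2])[0]
        off += 2
        while off + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[off:off + 4])
            off += 4
            if etype == 0:                       # server_name: listlen(2) type(1) len(2) name
                nlen = struct.unpack("!H", data[off + 3:off + 5])[0]
                return data[off + 5:off + 5 + nlen].decode("ascii").lower()
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def route_for(first_bytes):
    """Backend for this connection, or None (unknown SNI is dropped, never guessed)."""
    sni = extract_sni(first_bytes)
    return BACKENDS.get(sni) if sni else None

async def pipe(reader, writer):
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    first = await client_r.read(4096)            # ClientHello normally fits one read
    target = route_for(first)
    if target is None:
        client_w.close()
        return
    backend_r, backend_w = await asyncio.open_connection(*target)
    backend_w.write(first)                       # replay the peeked bytes unchanged
    await asyncio.gather(pipe(client_r, backend_w), pipe(backend_r, client_w))

def build_client_hello(hostname):
    """Constructed minimal ClientHello with one SNI, only to exercise extract_sni."""
    name = hostname.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + struct.pack("!H", 2) + b"\x13\x01"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Run it on the VPS with asyncio.start_server(handle, "0.0.0.0", 443); the homeserver then sees the unmodified TLS handshake and presents its own Let’s Encrypt cert.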
- Comment on How do I migrate my VPS out of Cloudflare? 1 month ago:
For the DNS provider I recommend desec.io. It’s a nonprofit running worldwide DNS servers, supports DNSSEC, and has a plugin for Lego. If your registrar supports DNSSEC as well, I’d recommend enabling it to protect from DNS forgery.
For the DDoS protection I don’t have a recommendation as they’re all “just another SaaS”, but maybe you could limit many more selfhosted things behind auth so as not to expose more surface to potential scrapers.
- Comment on Question about accessing my services from corporate Network 1 month ago:
Beat me to it. This is likely the best way as 443 is ubiquitously unblocked on most networks
- Submitted 2 months ago to selfhosting@slrpnk.net | 1 comment
- Comment on Self-hosting with an old laptop 2 months ago:
That doesn’t seem to be too old of a laptop at all. One thing I’d say is to use an SSD as the main partition you run your apps on, as HDDs might be quite slow.
If you wanna keep the VPS, you can use it as a public inbound gateway + outbound VPN for your homeserver, so traffic looks like it comes in and out of your VPS. I wrote some notes on setting up Tailscale in such a manner, but there’s plenty of other options.
If you don’t wanna keep the VPS, you can front your inbound traffic with Cloudflare Tunnels, and use a VPN for outbounds. If you don’t have any apps that make frequent network requests (e.g. a Matrix server), then a VPN may not be necessary
You should leave SSH on, especially if you wanna run it without a monitor, but use key auth and limit it to your LAN only