Splitting the Horizon: Secure Public Federation vs. Blind Internal LAN Routing in Matrix
When architecting a sovereign communication appliance, the engineering requirements for security and usability are frequently at war. This tension reaches its peak when configuring federation for a private Matrix homeserver. By default, self-hosted Matrix setups inherit a classic, binary problem: When engineering the Remote Rails Sovereign Appliance, we rejected this compromise. We implemented a Split-Horizon…

Bypassing Google and Apple: Implementing True De-Googled Push Notifications with UnifiedPush and ntfy
When engineering a sovereign communication stack, the most difficult architectural hurdle is rarely the chat protocol itself. The true weakest link for metadata leakage is the push notification pipeline. Historically, mobile operating systems have forced developers into a centralized paradigm. If a message arrives on your private server, that server has to ping Google’s Firebase…

The Death of the Local Account: Building a Sovereign Identity Layer with Defguard OIDC
One of the most persistent architectural failures in the self-hosted ecosystem is “identity sprawl.” When engineers first begin building out a private infrastructure stack, they inevitably stand up a dozen disparate services: a chat server, a file sync instance, an email relay, and a password manager. By default, every single one of these services maintains…

Architecting Element Call: Escaping Docker Bottlenecks, Double Encryption, and WebRTC Port Ranges
Deploying a native, high-performance video conferencing stack for a sovereign Matrix homeserver requires far more than just spinning up a few containers. At the core of Element Call’s architecture are two critical components: LiveKit (operating as the Selective Forwarding Unit, or SFU) and Coturn (acting as the STUN/TURN relay). When engineering the communications stack for…

Rethinking External Collaboration—Why We Say “No” to Guest Accounts
For years, enterprise IT departments have operated under a dangerous architectural myth: to collaborate with external clients, vendors, and contractors, you have to provision “Guest Accounts” inside your internal communication system. Whether it is Microsoft Teams adding a user to your identity directory or an IT admin manually setting up an external account in an…