💾 Archived View for dio9sys.fun › writeups › snikket › index.gmi captured on 2024-07-08 at 23:07:16. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2023-05-24)

-=-=-=-=-=-=-

Home

Snikket - A guide to setting up your own chat server

Greetings, weary traveller! Today we're going to set up a chat server on Snikket.

I set up a server the other day using the official install guide, but ran into

a couple snags that aren't appropriately addressed.

For context: here is the install guide (web URL, sorry)

Snikket server quick start

Intro, specs, etc

Like most of my small projects, I used the cheapest linode I could find. I really

like how no-mess linode is, but you can use whatever you like to use.

I went with a 1 GB RAM server, referred to as a "nanode" on linode. Please note

that you will *not* need to pay for SSL, as the Snikket server automatically

generates keys with Let's Encrypt. More on that later

Now, I set up a linode running Debian 11 on an amd64 machine. This made things

fairly easy, as docker and docker-compose both have very clear instructions for

Debian servers.

Issues - SSL

One thing I didn't anticipate was issues with SSL. Let's Encrypt just...would

not work for me.

I checked all my ports and whatnot, then looked in the logs when trying to

redeploy Let's Encrypt.

The Snikket guide mentions needing groups.* and share.* subdomain records.

Somehow I missed that in the beginning ^_^;

Okay, we fixed it.

Now we have it all deployed! I set up a user for myself and started

generating invite links.

Pro tip: Once you generate a user for yourself, you can go straight to

the link on your phone, browser etc and access an admin panel. This

panel includes, among other things, the ability to generate both

individual invite links AND generic group invite links, and the ability

to assign the group, permissions and time before the link expires in

a really easy GUI interface!

Issue - OMEMO fingerprints

For the first couple days, everything was great! Then I ran into a minor

snag - A friend of mine joined, and suddenly I couldn't message the group!

I got the following erorr:

There are no usable keys available for this contact.
Could not fetch new keys from the server.  Maybe there is something wrong
with your contact's server?

So, I went to the support chat, asked what I can fix on my server and got

told in no uncertain terms that this isn't actually a problem with my server.

Weird, since I, you know, got an error message saying it may have been an

issue with my server.

Whatever, let's figure it out. I asked what client my friend was using.

This friend was using Profanity, an XMPP client for the terminal. Very

neat!

I dug through the documentation of Profanity and found the problem:

The default Snikket app automagically accepts the OMEMO fingerprints

of all other connected devices.

Profanity on the other hand? Nah, by default you have to manually

verify fingerprints.

This makes a TON of sense from a security standpoint, especially for one on

one conversations, but it meant that there was an issue.

We were all trying to chat. My friend was trying to chat. On the protocol

level, though, since my friend's client was not accepting the other people's

fingerprints Snikket just straight up blocked everyone from sending OMEMO

encrypted messages, rather than the more graceful failure of the default

xmpp "your device is not compatible with OMEMO" message.

A little weird, but by running some commands in Profanity you can set it to

trust other devices by default.

UPDATE: turning on carbons simply didn't work. I kicked my friend from the server,

had them join again using a client that trusts OMEMO fingerprints by default and...

it didn't work. At first.

I had them manually trust my device and for a while I was still getting OMEMO error

messages. At some point I guess the fingerprints synced and, like magic, it started

to work.

OMEMO is confusing and frustrating.

OMEMO issues - Snikket app

If you choose to send your OMEMO fingerprint to someone to manually trust it, the

snikket app does NOT like that.

It is not documented anywhere, but it turns off a flag to automatically trust

OMEMO fingerprints.

This is also not documented anywhere, but you can reverse this by going to:

settings
   |->expert settings
            |->Blind trust Before Verification

Check the box again. If the box is checked it will start doing the OMEMO fingerprints

automatically again.

Final thoughts

This guide is very barebones, mostly going over what wasn't covered in the

documentation that I found.

Overall, I really like Snikket. Encrypted chat that works across a billion

chat clients? Heck yes.

There are of course concerns about hosting yoru own encrypted chat on your own

server, but OMEMO and PGP are included as options by default and, if somebody

pops my server, I can always just wipe it since it's a very small server that

JUST does this one thing. I'm a big fan of single-use VPSs for exactly this

purpose.

Maybe at some point I'll flesh out this guide more but, for now, I'm calling

this good.