Self-hosted Communication Platform [2024-ongoing]

A Secure, Low-Cost System for Volunteer Community Moderation

1. Project Overview

“Splat Safety” is a volunteer group that enforces rules for privately-run events within the Splatoon gaming community. When players report serious misconduct—including bullying, harassment, or sexual violence—Splat Safety investigates and decides on appropriate actions (e.g., warnings, bans).

To handle these sensitive cases safely, volunteers require a secure platform for communication and data storage.

Project Goals:

  • Affordability: Operate the entire system for less than $25/month.
  • Security: Protect against attackers with basic-to-intermediate technical skills.
  • Independence: Replace Discord and similar tools with a self-hosted solution.

Technologies: Matrix/Synapse, Kubernetes (k3s), Authentik, Cilium, ArgoCD, Grafana/Loki/Prometheus, PostgreSQL/Redis, Velero, MicroOS

Source: (currently closed source)

2. System Design

How Does It Work?

The platform functions as a digital workspace where volunteers chat, share files, and manage cases. It runs on a single rented server (Hetzner) costing $20/month, with backups at OVH ($2/month).

Key Features:

  1. Secure Chat: A self-hosted messaging system (Matrix/Synapse) similar to Slack, fully controlled by Splat Safety.
  2. Automatic Updates: Critical security patches are applied automatically.
  3. Backups: Daily encrypted backups to prevent data loss.
  4. Access Control: Mandatory two-factor authentication (2FA) for all users.

Technology Choices

  • Why Self-Hosted? Primarily to minimize costs while retaining control over sensitive data.
  • Matrix/Synapse: An open-source messaging system developed by element.io, chosen for its transparency and community-driven development.
  • Kubernetes (k3s): A lightweight orchestration system that automates software deployment and resource management, allowing multiple services to run efficiently on a single server.

3. Security Measures

Protecting Against Attacks

The system mitigates risks through:

  • Encryption: Data is encrypted at rest (disk) and in transit (network).
  • CiliumNetworkPolicies: Firewall-like rules that restrict communication between services (e.g., isolating the chat system from databases).
  • Automatic Updates: Kubernetes and applications update without manual intervention.
  • Strict Authentication requirements: Only approved users gain access, 2FA required, geofencing planned.
  • Principle of Least Priviledge: Permissions can be centrally managed within the OpenID Connect-based SSO system.
  • Replacing inadequate measures: Because of the low cost, the system is able to convince groups to switch away from using private-grade tools that do not provide adequate security.

Technical Implementation

Core Applications

  1. Matrix/Synapse:
    • Role: Secure chat with end-to-end encryption.
    • Why Chosen: Open-source, customizable, and community-vetted.
  2. Authentik:
    • Role: Centralized user authentication with 2FA.
    • Why Chosen: Easier to set up and manage than alternatives like Keycloak.
  3. Kubernetes (k3s):
    • Role: Manages and scales services on the server.
    • Why Chosen: Lightweight and resource-efficient compared to standard Kubernetes.
  4. ArgoCD:
    • Role: Automatically deploys code changes (GitOps).
    • Example: Security patches in GitHub trigger immediate updates.

Infrastructure

  1. Cilium:
    • Role: Implements network policies (firewalls) to isolate services.
  2. Velero:
    • Role: Backs up Kubernetes configurations and data.
  3. Grafana/Loki/Prometheus:
    • Role: Monitors performance, analyzes logs, and alerts for anomalies.
  4. MicroOS:
    • Role: Immutable operating system optimized for running containerized services securely.

Design Principles

  • Single-Server Architecture: A temporary setup to minimize costs; future plans include ARM64-based clusters for scalability.
  • Infrastructure-as-Code (IaC): All configurations are version-controlled, ensuring consistency and rapid recovery.

4. Impact and Future Plans

Current Success

  • Adoption: 10-15 volunteers actively use the platform.
  • Feedback: Volunteers describe the system as reliable. They were able to adopt the system with little complications.

Next Steps

  1. Security Hardening (By Mid-February 2025):
    • Implement outstanding security measures listed above.
    • Train volunteers on phishing prevention and secure practices.
  2. Monetization:
    • Offer managed hosting at ~$50/month (server costs included; support sold separately).
  3. Expanding Features:
    • Investigate an integration of ZenDiS OpenDesk into my system, otherwise integrate document sharing (ownCloud) and task management (plane.so).
    • Add a Intrusion Detection/Prevention System like Falco.
    • Add VPN, at least for privileged accounts.
    • Improve interplay between individual components through custom extensions.
  4. Further cost-cutting potential:
    • Investigate the feasibility of multi-tenancy for RAM-intensive microservices.

5. Why This Matters

This project demonstrates that small groups can achieve enterprise-grade security on a budget. By combining open-source tools and careful design, Splat Safety built a system that:

  • Protects sensitive data.
  • Costs less than $25/month.
  • Can be replicated by other communities.