Infrastructure, not dependency. Built to last without corporate oversight.
What's running, where, and why it's set up that way.
Badlands runs on dedicated bare-metal VMs — not AWS, not GCP, not Azure. No dependency on Big Tech infrastructure means no terms-of-service risk, no account suspension exposure, and no third-party data access by default.
All public Matrix traffic enters through Traefik running inside K3s. It handles automatic TLS via ACME (Let's Encrypt), IngressRoute rules for routing, and HTTP→HTTPS redirection. No direct pod exposure to the internet.
All public endpoints enforce TLS 1.2 minimum, with TLS 1.3 preferred. Certificates auto-renew via Let's Encrypt. HSTS headers enforce HTTPS for all subdomains. There is no unencrypted HTTP path to any Matrix service.
Account registration and login are handled by MAS — no external OAuth dependency, no email required, no identity broker. Passwords are stored as salted hashes. We have no plaintext credential access.
We retain only what's necessary for stability and abuse prevention. Encrypted message content is never logged — it's unreadable at the server layer. IP addresses are retained temporarily and not linked to account identities long-term.
Media uploads (images, files, attachments) are stored in S3-compatible object storage external to the VM. Encrypted media is stored as ciphertext — the storage provider cannot read it. Synapse mediates all access.
What we collect, what we don't, and why.
| Data | Status |
| --- | --- |
| Email address | Not collected |
| Phone number | Not collected |
| Real name / identity | Not collected |
| Encrypted message content | Not readable by us |
| Advertising / tracking | None. Ever. |
| Passwords | Salted hash only — never plaintext |
| Server access logs | Minimal — operational stability only |
| IP addresses | Temporary — abuse prevention, not profiled |
| Room membership | Visible to server — required by protocol |
| Message timing / frequency | Metadata visible — content is not |
Honest assessment of what this infrastructure protects against — and what it doesn't.
All traffic is TLS-encrypted in transit. A network observer can see that you're connecting to matrix.badlands.pw but cannot read any message content, room names, or account activity.
Encrypted message content is stored as ciphertext. A full database dump reveals room membership and metadata but no message content. Passwords are stored as salted hashes — not reversible without significant compute per-hash.
We cannot produce message content because we cannot read it — E2EE is technical, not policy. We could produce metadata (who is in which rooms, account creation times, IP logs within retention window). We have no email or identity to produce. No email means no account recovery path for law enforcement either.
A malicious operator could read metadata, manipulate room state in public rooms, or inject unverified devices to intercept future messages in unverified sessions. They cannot read past E2EE messages without your keys. This is why device verification matters — it detects injected sessions.
If your device is compromised, an attacker can read messages as they decrypt in the client, export your key backup, and impersonate you. E2EE protects the network path — not the endpoint. Device security is your responsibility. Keep OS and client updated.
When you join rooms with users on other homeservers, those servers receive room events. In E2EE rooms, they receive ciphertext only. In public unencrypted rooms, federated servers see full message content. This is a property of the Matrix protocol — not specific to Badlands.
Specific steps taken to reduce attack surface.
Only ports 80, 443, and the LiveKit WebRTC UDP range are externally reachable. PostgreSQL, internal cluster ports, and SSH are firewalled from public access. K3s pod networking is internal-only except through Traefik.
All nginx-served properties set Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, and a Content Security Policy restricting script, style, and connection sources.
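The header policy above can be checked from the outside. The following Python audit is an added example, not Badlands' own tooling; the sample responses, their max-age values and CSP source lists are constructed, and the `includeSubDomains` requirement reflects the page's statement that HSTS covers all subdomains.

```python
# Added example (not Badlands code): audit response headers against the policy listed above.
REQUIRED = {"x-frame-options": "deny", "x-content-type-options": "nosniff",
            "referrer-policy": "no-referrer"}
CSP_DIRECTIVES = ("script-src", "style-src", "connect-src")

def parse_headers(raw):
    """Raw response head -> {lowercased name: [values]} (header names are case-insensitive)."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means the response matches the policy."""
    h, findings = parse_headers(raw), []
    for name, want in REQUIRED.items():
        got = [v.lower() for v in h.get(name, [])]
        if not got:
            findings.append(f"missing {name}")
        elif any(v != want for v in got):
            findings.append(f"{name} is {got}, expected {want}")
    hsts = [p.strip().lower() for v in h.get("strict-transport-security", [])
            for p in v.split(";")]
    max_age = next((p[8:].strip('"') for p in hsts if p.startswith("max-age=")), "")
    if not max_age.isdigit() or int(max_age) == 0:
        findings.append("HSTS missing or max-age is 0")
    elif "includesubdomains" not in hsts:  # page says HSTS covers all subdomains
        findings.append("HSTS lacks includeSubDomains")
    directives = {}  # first occurrence of a directive wins, as within a single policy
    for d in ";".join(h.get("content-security-policy", [])).split(";"):
        parts = d.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    for d in CSP_DIRECTIVES:  # a missing CSP header reports all three as unrestricted
        sources = directives.get(d, directives.get("default-src"))  # default-src is the fallback
        if sources is None:
            findings.append(f"CSP does not restrict {d}")
        elif "*" in sources:
            findings.append(f"CSP {d} allows any origin")
    return findings

# Constructed sample responses (not captured from any Badlands host).
GOOD = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
        "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: no-referrer\r\n"
        "Content-Security-Policy: default-src 'self'; connect-src 'self' https://matrix.badlands.pw\r\n")
WEAK = ("HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536000\r\nX-Frame-Options: SAMEORIGIN\r\n"
        "X-Content-Type-Options: nosniff\r\nContent-Security-Policy: script-src 'self'; style-src *\r\n")
```

`audit(GOOD)` returns an empty list, while `audit(WEAK)` reports each deviation from the stated policy, which makes the function usable as a regression check after configuration changes.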
TLS certificates auto-renew via ACME (Let's Encrypt) through Traefik and nginx. No manual certificate management. Certificates are monitored by Uptime Kuma for expiry.
All Matrix services run as isolated pods inside K3s. Synapse, MAS, PostgreSQL, and LiveKit cannot directly reach each other except through defined internal service routes. A compromised Synapse pod cannot directly access the database without going through the cluster's service mesh.
nginx enforces rate limiting on all public-facing endpoints to mitigate brute-force login attempts and DoS. Synapse has its own built-in rate limiting on registration and login endpoints as a second layer.
Uptime Kuma monitors all public endpoints continuously. Downtime or TLS errors trigger immediate alerts. The live status widget on the Badlands homepage reflects real-time health — not a manually updated status page.
How all the pieces connect.
Read the encryption guide or reach out directly.