Finalised and use tangle for some source code
This commit is contained in:
parent
55fc8ebef5
commit
6adfe0ba7d
|
@ -2,7 +2,7 @@
|
||||||
#+SUBTITLE: In 2019, IRC is still the best.
|
#+SUBTITLE: In 2019, IRC is still the best.
|
||||||
#+AUTHOR: Yann Esposito
|
#+AUTHOR: Yann Esposito
|
||||||
#+EMAIL: yann@esposito.host
|
#+EMAIL: yann@esposito.host
|
||||||
#+DATE: [2019-08-17 Sat]
|
#+DATE: [2019-10-19 Sat]
|
||||||
#+KEYWORDS: self-hosting, chat, irc
|
#+KEYWORDS: self-hosting, chat, irc
|
||||||
#+DESCRIPTION: How to modernize IRC
|
#+DESCRIPTION: How to modernize IRC
|
||||||
#+OPTIONS: auto-id:t
|
#+OPTIONS: auto-id:t
|
||||||
|
@ -174,6 +174,100 @@ that.
|
||||||
I couldn't find a nice resource to link to with all those details.
|
I couldn't find a nice resource to link to with all those details.
|
||||||
This is certainly a call to write such article myself.
|
This is certainly a call to write such article myself.
|
||||||
|
|
||||||
|
*** Create a reverse proxy with nginx
|
||||||
|
:PROPERTIES:
|
||||||
|
:CUSTOM_ID: create-a-reverse-proxy-with-nginx
|
||||||
|
:END:
|
||||||
|
|
||||||
|
This is how I create new reverse proxy with nginx using a template:
|
||||||
|
[[./0006-modern-irc/reverse-proxy-template.m4][reverse-proxy-template.m4]].
|
||||||
|
|
||||||
|
#+begin_src m4 :exports none :mkdirp yes :tangle ./0006-modern-irc/reverse-proxy-template.m4
|
||||||
|
# Nginx configuration
|
||||||
|
|
||||||
|
server {
|
||||||
|
server_name SUB.DOMAIN;
|
||||||
|
access_log /var/log/nginx/SUB()_ssl_access.log;
|
||||||
|
error_log /var/log/nginx/SUB()_ssl_error.log;
|
||||||
|
|
||||||
|
# # access restricted
|
||||||
|
# auth_basic "Admin restricted";
|
||||||
|
# auth_basic_user_file /etc/nginx/htpasswd;
|
||||||
|
|
||||||
|
listen *:443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
server_tokens off;
|
||||||
|
|
||||||
|
## SSL
|
||||||
|
ssl on;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
ssl_session_cache shared:SSL:10m;
|
||||||
|
ssl_session_timeout 5m;
|
||||||
|
|
||||||
|
## [Optional] Enable HTTP Strict Transport Security
|
||||||
|
## HSTS is a feature improving protection against MITM attacks
|
||||||
|
## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
||||||
|
|
||||||
|
location / {
|
||||||
|
proxy_pass http://127.0.0.1:PORT;
|
||||||
|
gzip off;
|
||||||
|
proxy_redirect off;
|
||||||
|
|
||||||
|
## Some requests take more than 30 seconds.
|
||||||
|
proxy_read_timeout 30s;
|
||||||
|
proxy_connect_timeout 30s;
|
||||||
|
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
|
||||||
|
proxy_set_header Host $http_host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Ssl on;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header X-Client-Verify SUCCESS;
|
||||||
|
proxy_set_header X-Client-DN $ssl_client_s_dn;
|
||||||
|
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
|
||||||
|
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
## Redirects all HTTP traffic to the HTTPS host
|
||||||
|
server {
|
||||||
|
## In case of conflict, either remove "default_server" from the listen line below,
|
||||||
|
## or delete the /etc/nginx/sites-enabled/default file.
|
||||||
|
listen 0.0.0.0:80;
|
||||||
|
listen [::]:80;
|
||||||
|
server_name SUB.DOMAIN;
|
||||||
|
server_tokens off; ## Don't show the nginx version number, a security best practice
|
||||||
|
return 301 https://$http_host$request_uri;
|
||||||
|
access_log /var/log/nginx/SUB.DOMAIN()_access.log;
|
||||||
|
error_log /var/log/nginx/SUB.DOMAIN()_error.log;
|
||||||
|
}
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
That I use with the following script: [[./0006-modern-irc/new-reverse-proxy.sh][new-reverse-proxy.sh]]
|
||||||
|
|
||||||
|
#+begin_src bash :mkdirp yes :tangle ./0006-modern-irc/new-reverse-proxy.sh
|
||||||
|
#!/usr/bin/env zsh
|
||||||
|
|
||||||
|
(($#<3)) && {
|
||||||
|
print "usage: $0:t SUB DOMAIN PORT"
|
||||||
|
exit 1
|
||||||
|
} >&2
|
||||||
|
|
||||||
|
SUB="$1"
|
||||||
|
DOMAIN="$2"
|
||||||
|
PORT="$3"
|
||||||
|
|
||||||
|
m4 -D SUB=$SUB -D DOMAIN=$DOMAIN -D PORT=$PORT reverse-proxy-template.m4 > $SUB.$DOMAIN
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
The script will generate a reverse proxy nginx conf that I put in
|
||||||
|
=/etc/nginx/sites-available/= and I link it in =/etc/nginx/sites-enabled=.
|
||||||
|
|
||||||
** Install/configure ngircd
|
** Install/configure ngircd
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: install-configure-ngircd
|
:CUSTOM_ID: install-configure-ngircd
|
||||||
|
@ -270,6 +364,9 @@ To use znc web interface behind an nginx reverse proxy:
|
||||||
</Listener>
|
</Listener>
|
||||||
#+end_src
|
#+end_src
|
||||||
|
|
||||||
|
|
||||||
|
Now you can put your znc behind a reverse proxy.
|
||||||
|
|
||||||
*** Playback module
|
*** Playback module
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: playback-module
|
:CUSTOM_ID: playback-module
|
||||||
|
@ -302,18 +399,43 @@ The major modernizer of IRC are here in ZNC.
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: install-configure-clients
|
:CUSTOM_ID: install-configure-clients
|
||||||
:END:
|
:END:
|
||||||
*** thelounge
|
|
||||||
:PROPERTIES:
|
|
||||||
:CUSTOM_ID: thelounge
|
|
||||||
:END:
|
|
||||||
*** weechat
|
*** weechat
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: weechat
|
:CUSTOM_ID: weechat
|
||||||
:END:
|
:END:
|
||||||
|
1. add the [[https://weechat.org/scripts/source/zncplayback.py.html/][weechat znc playback script]]
|
||||||
|
2. add the default server capabilities
|
||||||
|
#+begin_src irc
|
||||||
|
/set irc.server_default.capabilities "account-notify,away-notify,cap-notify,multi-prefix,server-time,znc.in/server-time-iso,znc.in/self-message,znc.in/playback
|
||||||
|
#+end_src
|
||||||
|
3. add the server for your networks:
|
||||||
|
#+begin_src irc
|
||||||
|
/server add zncnetwork znc.my.domain/6697 -ssl -username=username/zncnetwork -password=password -autoconnect
|
||||||
|
/connect zncnetwork
|
||||||
|
#+end_src
|
||||||
|
|
||||||
|
More details here: https://wiki.znc.in/Weechat
|
||||||
|
*** thelounge
|
||||||
|
:PROPERTIES:
|
||||||
|
:CUSTOM_ID: thelounge
|
||||||
|
:END:
|
||||||
|
|
||||||
|
Here are the infos for installing it.
|
||||||
|
|
||||||
|
https://thelounge.chat/docs/install-and-upgrade
|
||||||
|
|
||||||
|
|
||||||
|
You can use my reverse proxy scripts to put the lounge behind a reverse
|
||||||
|
proxy from your host. So you'll be able to reach =thelounge.my.domain=.
|
||||||
*** Palaver
|
*** Palaver
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: palaver
|
:CUSTOM_ID: palaver
|
||||||
:END:
|
:END:
|
||||||
|
Using palaver should be straightfoward.
|
||||||
|
Here is its website: https://palaverapp.com
|
||||||
|
|
||||||
|
I previously used the app mutter, but it appears to be deprecated and has a lot of
|
||||||
|
bugs since the iOS 13 update.
|
||||||
* Bonus
|
* Bonus
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: bonus
|
:CUSTOM_ID: bonus
|
||||||
|
@ -322,3 +444,14 @@ The major modernizer of IRC are here in ZNC.
|
||||||
:PROPERTIES:
|
:PROPERTIES:
|
||||||
:CUSTOM_ID: no-brainer-upload-file
|
:CUSTOM_ID: no-brainer-upload-file
|
||||||
:END:
|
:END:
|
||||||
|
I made an image uploader inspired by the image uploader example of the
|
||||||
|
Yesod web framework.
|
||||||
|
It is only one single self-executable file + one css and jquery.
|
||||||
|
The only dependency is [[https://docs.haskellstack.org/en/stable/README/][stack]].
|
||||||
|
|
||||||
|
So to install it:
|
||||||
|
|
||||||
|
1. install [[https://docs.haskellstack.org/en/stable/README/][stack]]
|
||||||
|
2. create an nginx reverse proxy protected with basic-auth
|
||||||
|
3. share the creds to your team mates
|
||||||
|
4. start the script, and enjoy
|
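--- a/src/posts/0006-modern-irc/new-reverse-proxy.sh
+++ b/src/posts/0006-modern-irc/new-reverse-proxy.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env zsh
+
+(($#<3)) && {
+print "usage: $0:t SUB DOMAIN PORT"
+exit 1
+} >&2
+
+SUB="$1"
+DOMAIN="$2"
+PORT="$3"
+
+m4 -D SUB=$SUB -D DOMAIN=$DOMAIN -D PORT=$PORT reverse-proxy-template.m4 > $SUB.$DOMAIN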
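Review bot: The three positional arguments are substituted verbatim into an nginx server block (server_name, proxy_pass, log paths) by the final m4 line without any check that SUB and DOMAIN consist of hostname characters or that PORT is numeric, so a stray space, slash or m4 metacharacter lands in the generated config and only surfaces when nginx reloads. Since this script is the only gate before the file is linked into sites-enabled, validate before calling m4, e.g. `[[ "$PORT" == <1-65535> ]] || { print "PORT must be 1-65535"; exit 1 } >&2` and `[[ "$SUB.$DOMAIN" != *[^a-zA-Z0-9.-]* ]] || { print "SUB/DOMAIN: hostname characters only"; exit 1 } >&2`. The template path is also relative to the current directory rather than to the script, so the command only works when run from inside 0006-modern-irc; `${0:h}/reverse-proxy-template.m4` would make it location-independent. The redirection target `> $SUB.$DOMAIN` would likewise benefit from quotes, even though zsh does not word-split unquoted expansions by default.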
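--- a/src/posts/0006-modern-irc/reverse-proxy-template.m4
+++ b/src/posts/0006-modern-irc/reverse-proxy-template.m4
@@ -0,0 +1,63 @@
+# Nginx configuration
+
+server {
+server_name SUB.DOMAIN;
+access_log /var/log/nginx/SUB()_ssl_access.log;
+error_log /var/log/nginx/SUB()_ssl_error.log;
+
+# # access restricted
+# auth_basic "Admin restricted";
+# auth_basic_user_file /etc/nginx/htpasswd;
+
+listen *:443 ssl;
+listen [::]:443 ssl;
+server_tokens off;
+
+## SSL
+ssl on;
+ssl_certificate /etc/letsencrypt/live/DOMAIN/fullchain.pem; # managed by Certbot
+ssl_certificate_key /etc/letsencrypt/live/DOMAIN/privkey.pem; # managed by Certbot
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 5m;
+
+## [Optional] Enable HTTP Strict Transport Security
+## HSTS is a feature improving protection against MITM attacks
+## For more information see: https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+location / {
+proxy_pass http://127.0.0.1:PORT;
+gzip off;
+proxy_redirect off;
+
+## Some requests take more than 30 seconds.
+proxy_read_timeout 30s;
+proxy_connect_timeout 30s;
+
+proxy_http_version 1.1;
+
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Client-Verify SUCCESS;
+proxy_set_header X-Client-DN $ssl_client_s_dn;
+proxy_set_header X-SSL-Subject $ssl_client_s_dn;
+proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
+}
+}
+
+## Redirects all HTTP traffic to the HTTPS host
+server {
+## In case of conflict, either remove "default_server" from the listen line below,
+## or delete the /etc/nginx/sites-enabled/default file.
+listen 0.0.0.0:80;
+listen [::]:80;
+server_name SUB.DOMAIN;
+server_tokens off; ## Don't show the nginx version number, a security best practice
+return 301 https://$http_host$request_uri;
+access_log /var/log/nginx/SUB.DOMAIN()_access.log;
+error_log /var/log/nginx/SUB.DOMAIN()_error.log;
+}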
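Review bot: `proxy_set_header X-Client-Verify SUCCESS;` forwards a hard-coded success marker to the backend although the template never enables `ssl_verify_client`, so every client, with or without a certificate, reaches the proxied service carrying `X-Client-Verify: SUCCESS` together with empty `X-Client-DN`/`X-SSL-Subject`/`X-SSL-Issuer` values, and a backend that honours these headers for certificate-based access control would admit anyone. Forward the real verification result instead, `proxy_set_header X-Client-Verify $ssl_client_verify;`, or drop the four client-certificate headers until client verification is actually configured. The TLS block also keeps `ssl on;` (redundant with the `listen ... ssl` lines and deprecated since nginx 1.15.0) and sets `ssl_prefer_server_ciphers on;` without any `ssl_protocols`/`ssl_ciphers` list, so the negotiated protocol is whatever the distribution default allows; pinning `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate directives would make the HSTS commitment meaningful. Finally, the comment `## Some requests take more than 30 seconds.` contradicts the 30s `proxy_read_timeout` it introduces, and the `default_server` remark in the HTTP server refers to a token the listen lines do not carry; both comments should be corrected or removed.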