weechat IRC chat client (also acts like a bouncer) runs inside a tmux session(called weechat). This tmux session can also be accessed through any web browser via gotty. We can also connect to weechat from different clients using its "relay" feature. gotty and the weechat relay are secured with TLS behind an nginx reverse proxy(using letsencrypt).
Reference: http://www.mythmon.com/posts/2015-02-15-systemd-weechat.html
# sudo apt install weechat
# sudo apt install tmux
[Unit]
Description=weechat IRC Client (in tmux)
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/tmux -2 new-session -d -s weechat /usr/bin/weechat
ExecStop=/usr/bin/tmux kill-session -t weechat
[Install]
WantedBy=default.target
Install https://github.com/yudai/gotty at /home/bitc/gotty
[Unit]
Description=gotty web terminal (serving tmux weechat)
[Service]
Type=simple
Restart=always
Environment="TERM=xterm-256color"
ExecStart=/home/dexter/gotty -a 127.0.0.1 -p 18080 --title-format weechat -w tmux -2 attach -t weechat
[Install]
WantedBy=default.target
# loginctl enable-linger bitc
$ # I needed this, but it may be optional:
$ export XDG_RUNTIME_DIR=/run/user/`id -u`
$ # Enable the services to start at boot time.
$ systemctl --user enable weechat.service
$ systemctl --user enable gotty.service
$ # Start the services.
$ systemctl --user start weechat.service
$ systemctl --user start gotty.service
$ # Test out the tmux session (exit with C-b d)
$ tmux attach -t weechat
To allow the user to view his own journalctl logs:
...
[Journal]
Storage=persistent
...
After modifying the file, a reboot may be required. Now user can do:
$ journalctl --user --user-unit=gotty -f
# apt install nginx
# apt install letsencrypt
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
location ~ /.well-known {
allow all;
}
}Restart nginx:
# systemctl restart nginx
We need to get a letsencrypt TLS certificate. We use nip.io service to get a certificate for our public IP address. We need two certificates: one for gotty, and one for the weechat relay.
(Replace 1.2.3.4 with the server's public IP address)
# letsencrypt certonly --register-unsafely-without-email --agree-tos -a webroot --webroot-path=/var/www/html -d gotty.1.2.3.4.nip.io -d relay.1.2.3.4.nip.io
Configure auto-renewal of the Lets Encrypt certificate:
# crontab -e
Add to cron the following two lines:
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx
We will use HTTP basic access authentication to password-protect the gotty website.
Our file containg the list of users will be located at: /etc/nginx/passwd
# touch /etc/nginx/passwd
# chown www-data:www-data /etc/nginx/passwd
# chmod 600 /etc/nginx/passwd
Use the below instructions to add users the passwd file. Note that if you change the password file (add or remove users) you do NOT need to reload nginx, it automatically picks up the changes.
You probably only need/want a single user.
Use the following command. Replace sammy with the desired username. You will be prompted for a password.
# sh -c "echo -n 'sammy:' >> /etc/nginx/passwd"
# sh -c "openssl passwd -apr1 >> /etc/nginx/passwd"
To remove a user, delete the appropriate line from /etc/nginx/passwd
Reference: http://nginx.org/en/docs/http/websocket.html
(Replace all occurences of 1.2.3.4 with the server's public IP address)
ssl_certificate /etc/letsencrypt/live/gotty.1.2.3.4.nip.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/gotty.1.2.3.4.nip.io/privkey.pem;
upstream gotty {
server 127.0.0.1:18080 fail_timeout=0;
}
upstream relay {
server 127.0.0.1:18081 fail_timeout=0;
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name gotty.1.2.3.4.nip.io;
# This must always be available for Lets Encrypt auto-renewal:
root /var/www/html;
location ~ /.well-known {
allow all;
}
location / {
auth_basic "Enter Password or go away";
auth_basic_user_file /etc/nginx/passwd;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 3600s;
proxy_pass http://gotty;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name relay.1.2.3.4.nip.io;
# This must always be available for Lets Encrypt auto-renewal:
root /var/www/html;
location ~ /.well-known {
allow all;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_read_timeout 3600s;
proxy_pass http://relay;
}
}Restart nginx:
# systemctl restart nginx
Open web browser and navigate to https://gotty.1.2.3.4.nip.io
Notice that in the nginx config we are expecting the weechat relay to run on port 18081
We set the relay to listen only on localhost, since it is not a secure connection (it is secured only through nginx)
Run these commands from within weechat:
/set relay.network.bind_address 127.0.0.1
/set relay.network.password ********************
/relay add ipv4.weechat 18081
Open web browser and navigate to https://www.glowing-bear.org
hostname: relay.1.2.3.4.nip.io
port: 443
password: The relay password you set in weechat
encryption: enabled
- Disable weechat tmux status bar
- weechat config
- bitlbee
- Customize weechat
- weechat logs
- Install Glowing Bear on server