From 31992aa48738981bf81c87e9405e1a1478ff5944 Mon Sep 17 00:00:00 2001
From: DarkFeather <ircs://aninix.net:6697/DarkFeather>
Date: Tue, 21 Oct 2025 15:31:32 -0500
Subject: [PATCH] Moving KiwiIRC websocket behind Nginx instead of dedicated
 external port

---
 roles/IRC/tasks/daemon.yml                    |  9 ++++
 roles/IRC/tasks/web.yml                       | 49 +++++++++----------
 roles/IRC/templates/inspircd/inspircd.conf.j2 | 34 +++----------
 roles/IRC/templates/kiwiirc/client.json.j2    |  9 ++--
 .../WebServer/files/conf.d/Yggdrasil/irc.conf | 19 ++++++-
 5 files changed, 62 insertions(+), 58 deletions(-)

diff --git a/roles/IRC/tasks/daemon.yml b/roles/IRC/tasks/daemon.yml
index d906032..4825f82 100644
--- a/roles/IRC/tasks/daemon.yml
+++ b/roles/IRC/tasks/daemon.yml
@@ -13,6 +13,15 @@
      - "/etc/inspircd"
      - "/etc/inspircd/data/"
 
+ - name: Socket directory permissions
+   become: yes
+   file:
+     state: directory
+     path: /run/inspircd
+     owner: inspircd
+     group: ircd
+     mode: 0755
+
  - name: Generate dhparam
    become: yes
    command:
diff --git a/roles/IRC/tasks/web.yml b/roles/IRC/tasks/web.yml
index 80d80b2..308e556 100644
--- a/roles/IRC/tasks/web.yml
+++ b/roles/IRC/tasks/web.yml
@@ -1,33 +1,30 @@
 ---
 
 - name: KiwiIRC Packages
-become: yes
-package:
-name:
-- kiwiirc-server-bin
-state: present
-
-# Need to capture AniNIX skinning of client as well as client build process.
+  become: yes
+  package:
+    name:
+      - kiwiirc-server-bin
+    state: present
 
 - name: Update permissions
-become: yes
-file:
-path: "{{ item }}"
-recurse: yes
-owner: ircd
-group: http
-loop:
-- /etc/kiwiirc
-- /usr/share/kiwiirc
+  become: yes
+  file:
+    path: "{{ item }}"
+    recurse: yes
+    owner: ircd
+    group: http
+  loop:
+    - /etc/kiwiirc
+    - /usr/share/kiwiirc
 
 - name: Populate config
-become: yes
-#register: config
-template:
-src: "kiwiirc/{{ item }}.j2"
-dest: "/etc/kiwiirc/{{ item }}"
-owner: ircd
-group: http
-mode: 0640
-loop:
-- "client.json"
+  become: yes
+  template:
+    src: "kiwiirc/{{ item }}.j2"
+    dest: "/etc/kiwiirc/{{ item }}"
+    owner: ircd
+    group: http
+    mode: 0640
+  loop:
+    - "client.json"
diff --git a/roles/IRC/templates/inspircd/inspircd.conf.j2 b/roles/IRC/templates/inspircd/inspircd.conf.j2
index 06d568f..d9059c1 100644
--- a/roles/IRC/templates/inspircd/inspircd.conf.j2
+++ b/roles/IRC/templates/inspircd/inspircd.conf.j2
@@ -83,34 +83,14 @@
 
 # Websockets
 <connect
-   name="websockets"
-   parent="main"
-   allow="*"
-   port="7778">
-<bind address=""
-   port="7778"
-   hook="websocket"
-   proxyranges="{{ main_subnet }}/{{ netmask }}"
-   nativeping="yes"
-   defaultmode="text"
-   sslprofile="websockets">
-<sslprofile
     name="websockets"
-    provider="openssl"
-    cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/chain.pem"
-    certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
-    keyfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/privkey.pem"
-    ciphers="{{ ssl['ciphersuite'] }}"
-    hash="sha256"
-    renegotiation="no"
-    requestclientcert="no"
-    sslv3="no"
-    tlsv1="no"
-    tlsv11="no"
-    tlsv12="yes"
-    tlsv13="yes">
-
-
+    allow="/run/inspircd/websocket.sock">
+<bind
+    path="/run/inspircd/websocket.sock"
+    type="clients"
+    hook="websocket"
+    permissions="0777"
+    replace="yes">
 
 # Performance
 <performance
diff --git a/roles/IRC/templates/kiwiirc/client.json.j2 b/roles/IRC/templates/kiwiirc/client.json.j2
index f589f5c..76877aa 100644
--- a/roles/IRC/templates/kiwiirc/client.json.j2
+++ b/roles/IRC/templates/kiwiirc/client.json.j2
@@ -1,5 +1,5 @@
 {
-    "windowTitle": "{{ external_domain }}/IRC | Web IRC client",
+    "windowTitle": "{{ organization['displayname'] }}/IRC | Web IRC client",
     "startupScreen": "welcome",
     "kiwiServer": "https://irc.{{ external_domain }}/webirc/websocket/",
     "restricted": true,
@@ -18,11 +18,12 @@
         { "name": "Elite", "url": "static/themes/elite" }
     ],
     "startupOptions" : {
-        "infoContent": "<h3>{{ external_domain }}/IRC</h3>Log in with your AniNIX account.",
+        "infoContent": "<img src='https://{{ external_domain }}/assets/img/AniNIX.png' style='width:100%;height:auto;' /><h3>{{ organization['displayname'] }}/IRC</h3>Log in with your AniNIX account.",
         "channel": "#lobby",
-        "nick": "kiwi-n?",
+        "nick": "Guest?",
         "server": "irc.{{ external_domain }}",
-        "port": 7778,
+        "direct_path": "/websocket/",
+        "port": 443,
         "direct": true,
         "tls": true
     },
diff --git a/roles/WebServer/files/conf.d/Yggdrasil/irc.conf b/roles/WebServer/files/conf.d/Yggdrasil/irc.conf
index 9c52a0d..ef7a955 100644
--- a/roles/WebServer/files/conf.d/Yggdrasil/irc.conf
+++ b/roles/WebServer/files/conf.d/Yggdrasil/irc.conf
@@ -3,7 +3,6 @@ server {
     server_name irc.aninix.net;
 
     include conf/sec.conf;
-    include conf/local.conf;
     include conf/default.csp.conf;
     include conf/letsencrypt.conf;
 
@@ -13,4 +12,22 @@ server {
         autoindex on;
         autoindex_format html;
     }
+
+    location /websocket/ {
+        proxy_pass http://unix:/run/inspircd/websocket.sock;
+
+        proxy_http_version 1.1;
+
+        proxy_set_header Host        $host;
+        proxy_set_header Upgrade     $http_upgrade;
+        proxy_set_header Connection  "upgrade";
+
+        proxy_set_header X-Original-Host      $host;
+        proxy_set_header X-Original-Protocol  $scheme;
+        proxy_set_header X-Real-IP            $remote_addr;
+
+        proxy_set_header X-Forwarded-Host   $host;
+        proxy_set_header X-Forwarded-Proto  $scheme;
+        proxy_set_header X-Forwarded-For    $remote_addr;
+    }
 }