Moving KiwiIRC websocket behind Nginx instead of dedicated external port

roles/IRC/tasks/daemon.yml

@@ -13,6 +13,15 @@
      - "/etc/inspircd"
      - "/etc/inspircd/data/"
 
+ - name: Socket directory permissions
+   become: yes
+   file:
+     state: directory
+     path: /run/inspircd
+     owner: inspircd
+     group: ircd
+     mode: 0755
+
  - name: Generate dhparam
    become: yes
    command:

roles/IRC/tasks/web.yml

@@ -7,8 +7,6 @@ name:
       - kiwiirc-server-bin
     state: present
 
-# Need to capture AniNIX skinning of client as well as client build process.
-
 - name: Update permissions
   become: yes
   file:
@@ -22,7 +20,6 @@ loop:
 
 - name: Populate config
   become: yes
-#register: config
   template:
     src: "kiwiirc/{{ item }}.j2"
     dest: "/etc/kiwiirc/{{ item }}"

roles/IRC/templates/inspircd/inspircd.conf.j2

@@ -84,33 +84,13 @@
 # Websockets
 <connect
     name="websockets"
-   parent="main"
-   allow="*"
-   port="7778">
-<bind address=""
-   port="7778"
+    allow="/run/inspircd/websocket.sock">
+<bind
+    path="/run/inspircd/websocket.sock"
+    type="clients"
     hook="websocket"
-   proxyranges="{{ main_subnet }}/{{ netmask }}"
-   nativeping="yes"
-   defaultmode="text"
-   sslprofile="websockets">
-<sslprofile
-    name="websockets"
-    provider="openssl"
-    cafile="/etc/letsencrypt/live/{{ ssl['identity'] }}/chain.pem"
-    certfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/fullchain.pem"
-    keyfile="/etc/letsencrypt/live/{{ ssl['identity'] }}/privkey.pem"
-    ciphers="{{ ssl['ciphersuite'] }}"
-    hash="sha256"
-    renegotiation="no"
-    requestclientcert="no"
-    sslv3="no"
-    tlsv1="no"
-    tlsv11="no"
-    tlsv12="yes"
-    tlsv13="yes">
-
-
+    permissions="0777"
+    replace="yes">
 
 # Performance
 <performance

roles/IRC/templates/kiwiirc/client.json.j2

@@ -1,5 +1,5 @@
 {
-    "windowTitle": "{{ external_domain }}/IRC | Web IRC client",
+    "windowTitle": "{{ organization['displayname'] }}/IRC | Web IRC client",
     "startupScreen": "welcome",
     "kiwiServer": "https://irc.{{ external_domain }}/webirc/websocket/",
     "restricted": true,
@@ -18,11 +18,12 @@
         { "name": "Elite", "url": "static/themes/elite" }
     ],
     "startupOptions" : {
-        "infoContent": "<h3>{{ external_domain }}/IRC</h3>Log in with your AniNIX account.",
+        "infoContent": "<img src='https://{{ external_domain }}/assets/img/AniNIX.png' style='width:100%;height:auto;' /><h3>{{ organization['displayname'] }}/IRC</h3>Log in with your AniNIX account.",
         "channel": "#lobby",
-        "nick": "kiwi-n?",
+        "nick": "Guest?",
         "server": "irc.{{ external_domain }}",
-        "port": 7778,
+        "direct_path": "/websocket/",
+        "port": 443,
         "direct": true,
         "tls": true
     },

roles/WebServer/files/conf.d/Yggdrasil/irc.conf

@@ -3,7 +3,6 @@ server {
     server_name irc.aninix.net;
 
     include conf/sec.conf;
-    include conf/local.conf;
     include conf/default.csp.conf;
     include conf/letsencrypt.conf;
 
@@ -13,4 +12,22 @@ server {
         autoindex on;
         autoindex_format html;
     }
+
+    location /websocket/ {
+        proxy_pass http://unix:/run/inspircd/websocket.sock;
+
+        proxy_http_version 1.1;
+
+        proxy_set_header Host        $host;
+        proxy_set_header Upgrade     $http_upgrade;
+        proxy_set_header Connection  "upgrade";
+
+        proxy_set_header X-Original-Host      $host;
+        proxy_set_header X-Original-Protocol  $scheme;
+        proxy_set_header X-Real-IP            $remote_addr;
+
+        proxy_set_header X-Forwarded-Host   $host;
+        proxy_set_header X-Forwarded-Proto  $scheme;
+        proxy_set_header X-Forwarded-For    $remote_addr;
+    }
 }