fix dingen op chat.bitlair.nl

authorized_keys/blackdragon.keys

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICLZGbt/we3JQ482/NYcdOKGoKDOj1MgmYFP2GDmjLw/ kyan@flandre

chat.yaml

@@ -0,0 +1,7 @@
+- hosts: chat
+  roles:
+    - { role: "common", tags: [ "common" ] }
+    - { role: "nft", tags: [ "nft" ] }
+    - { role: "nginx", tags: [ "nginx" ] }
+    - { role: "acme", tags: [ "acme" ] }
+    - { role: "chat", tags: [ "chat" ] }

group_vars/chat.yaml

@@ -0,0 +1,68 @@
+---
+root_access:
+  - blackdragon
+  - ak
+  - foobar
+  - polyfloyd
+nodejs_version: 22.x
+thelounge_version: "4.4.3"
+thelounge_ldap_url: ldaps://ldap.bitlair.nl
+thelounge_ldap_filter: (objectClass=inetOrgPerson)
+thelounge_ldap_base: ou=Members,dc=bitlair,dc=nl
+chat_hostname: chat.bitlair.nl
+
+acme_domains:
+ - "{{ chat_hostname }}"
+
+nginx_sites:
+  - server_name: "{{ chat_hostname }}"
+    config:
+      - |-
+        location / {
+          proxy_pass http://127.0.0.1:9000/;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+
+          # by default nginx times out connections in one minute
+          proxy_read_timeout 1d;
+        }
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"
+  - "tcp dport 113 accept # Allow identd from world"
+---
+root_access:
+  - blackdragon
+  - ak
+  - foobar
+  - polyfloyd
+nodejs_version: 22.x
+thelounge_version: "4.4.3"
+thelounge_ldap_url: ldaps://ldap.bitlair.nl
+thelounge_ldap_filter: (objectClass=inetOrgPerson)
+thelounge_ldap_base: ou=Members,dc=bitlair,dc=nl
+chat_hostname: chat.bitlair.nl
+acme_domains:
+ - "{{ chat_hostname }}"
+
+nginx_sites:
+  - server_name: "{{ chat_hostname }}"
+    config:
+      - |-
+        location / {
+          proxy_pass http://127.0.0.1:9000/;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header X-Forwarded-For $remote_addr;
+          proxy_set_header X-Forwarded-Proto $scheme;
+
+          # by default nginx times out connections in one minute
+          proxy_read_timeout 1d;
+        }
+
+group_nft_input:
+  - "tcp dport { http, https } accept # Allow web-traffic from world"

inventory

@@ -46,6 +46,9 @@ shell.bitlair.nl
 [homeassistant]
 homeassistant.bitlair.nl
 
+[chat]
+chat.bitlair.nl
+
 [debian:children]
 bank
 fotos
@@ -60,3 +63,4 @@ services
 wiki
 shell
 homeassistant
+chat

roles/chat/tasks/main.yaml

@@ -0,0 +1,143 @@
+- name: Install dependencies
+  ansible.builtin.apt:
+    state: present
+    pkg: 
+      - gpg
+      - apt-transport-https
+      - build-essential
+
+- name: Import nodesource signing key
+  ansible.builtin.shell:
+    cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor
+      -o /usr/share/keyrings/nodesource.gpg
+  args:
+    creates: /usr/share/keyrings/nodesource.gpg
+  notify: Apt update
+
+- name: Install nodesource source list
+  ansible.builtin.template:
+    src: nodesource.list
+    dest: /etc/apt/sources.list.d/nodesource.list
+    owner: root
+    group: root
+    mode: 0644
+  notify: Apt update
+
+- name: Install nodejs apt preference
+  ansible.builtin.template:
+    src: nodejs-apt-pref
+    dest: /etc/apt/preferences.d/nodejs
+    owner: root
+    group: root
+    mode: 0644
+  notify: Apt update
+
+- ansible.builtin.meta: flush_handlers
+
+- name: Install nodejs
+  ansible.builtin.apt:
+    name: nodejs
+
+- name: Install yarn
+  ansible.builtin.shell:
+    cmd: npm install --global yarn
+
+- stat: path=/opt/thelounge
+  register: src_path
+
+- name: Retreive thelounge source
+  block:
+    - name: Checkout source
+      ansible.builtin.git:
+        repo: 'https://github.com/revspace/thelounge.git'
+        dest: /opt/thelounge
+        version: 9d6dc83
+        force: true
+
+    - name: Copy patch
+      ansible.builtin.template:
+        src: thelounge-bitlair.patch    
+        dest: /tmp/thelounge-bitlair.patch
+
+    - name: Apply patch
+      ansible.builtin.shell:
+        chdir: /opt/thelounge
+        cmd: git apply /tmp/thelounge-bitlair.patch
+  when: not src_path.stat.exists
+
+- name: Build and install thelounge
+  ansible.builtin.shell:
+    chdir: /opt/thelounge
+    cmd: yarn add sharp --ignore-engines && yarn install --include-optional sharp && NODE_ENV=production yarn build && ln -sf $(pwd)/index.js /usr/local/bin/thelounge
+
+- name: Ensure user thelounge is present
+  user:
+    name: thelounge
+    createhome: no
+    comment: The Lounge (IRC client)
+    system: yes
+    state: present
+  become: yes
+      
+- name: Ensure JS and JSON syntax checking packages are installed
+  yarn:
+    name: "{{ item }}"
+    global: yes
+    state: latest # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
+  with_items:
+    - esprima
+    - jsonlint
+  become: yes
+  changed_when: no # FIXME: Remove when https://github.com/ansible/ansible/pull/39557 makes it in
+
+- name: Ensure thelounge configuration directory is present
+  file:
+    path: /etc/thelounge
+    owner: thelounge
+    group: thelounge
+    state: directory
+  become: yes
+
+- name: Ensure The Lounge is configured
+  template:
+    src: config.js.j2
+    dest: /etc/thelounge/config.js
+    owner: thelounge
+    group: thelounge
+    validate: 'esvalidate %s'
+  become: yes
+
+- name: Ensure user configuration directory is present
+  file:
+    path: /var/local/thelounge/users
+    owner: thelounge
+    group: thelounge
+    state: directory
+  become: yes
+
+- name: Ensure preview storage directory is present
+  file:
+    path: /var/local/thelounge/storage
+    owner: thelounge
+    group: thelounge
+    mode: "0770"
+    state: directory
+  become: yes
+
+- name: Copy service file to systemd directory
+  ansible.builtin.template:
+    src: thelounge.service    # Path to your service file in your Ansible project
+    dest: /etc/systemd/system/thelounge.service
+    owner: root
+    group: root
+    mode: '0644'
+  
+- name: Reload systemd daemon to read new service file
+  ansible.builtin.systemd:
+    daemon_reload: yes
+
+- name: Enable and start the service
+  ansible.builtin.systemd:
+    name: thelounge
+    state: started
+    enabled: yes

roles/chat/templates/config.js.j2

@@ -0,0 +1,58 @@
+"use strict";
+
+module.exports = {
+    public: false,
+    port: 9000,
+    bind: "0.0.0.0",
+    reverseProxy: true,
+    lockNetwork: true,
+    maxHistory: 10000,
+    leaveMessage: "Doei!",
+    defaults: {
+        name: "Smurfnet",
+        password: "",
+        rejectUnauthorized: true,
+        nick: "",
+        username: "",
+        realname: "",
+        join: "#bitlair",
+    },
+    messageStorage: ["sqlite", "text"],
+    fileUpload: {
+        enable: true,
+    },
+    networks: {
+        Smurfnet: {
+            host: "irc.smurfnet.ch",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: false,
+        },
+        "Libera.Chat": {
+            host: "irc.libera.chat",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: true,
+        },
+        OFTC: {
+            host: "irc.oftc.net",
+            port: 6697,
+            tls: true,
+            rejectUnauthorized: true,
+        },
+    },
+    identd: {
+        enable: false,
+    },
+    ldap: {
+        enable: true,
+        url: "{{ thelounge_ldap_url }}",
+        primaryKey: "uid",
+        searchDN: {
+            rootDN: "{{ thelounge_ldap_rootDN }}",
+            rootPassword: "{{ thelounge_ldap_rootPassword }}",
+            filter: "{{ thelounge_ldap_filter }}",
+            base: "{{ thelounge_ldap_base }}",
+        },
+    },
+};

roles/chat/templates/nodejs-apt-pref

@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+Package: nodejs
+Pin: origin deb.nodesource.com
+Pin-Priority: 1000

roles/chat/templates/nodesource.list

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+deb [arch=amd64 signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_{{ nodejs_version }} nodistro main

roles/chat/templates/thelounge-bitlair.patch

@@ -0,0 +1,28 @@
+diff --git a/package.json b/package.json
+index 2991a6ec..dac43f16 100644
+--- a/package.json
++++ b/package.json
+@@ -84,9 +84,7 @@
+     "ua-parser-js": "1.0.33",
+     "uuid": "8.3.2",
+     "web-push": "3.4.5",
+-    "yarn": "1.22.17"
+-  },
+-  "optionalDependencies": {
++    "yarn": "1.22.17",
+     "sqlite3": "5.1.7"
+   },
+   "devDependencies": {
+diff --git a/server/plugins/auth/ldap.ts b/server/plugins/auth/ldap.ts
+index e6093b0f..d30b9a1c 100644
+--- a/server/plugins/auth/ldap.ts
++++ b/server/plugins/auth/ldap.ts
+@@ -134,7 +134,7 @@ const ldapAuth: AuthHandler = (manager, client, user, password, callback) => {
+ 	// auth plugin API
+ 	function callbackWrapper(valid: boolean) {
+ 		if (valid && !client) {
+-			manager.addUser(user, null, false);
++			manager.addUser(user, null, true);
+ 		}
+ 
+ 		callback(valid);

roles/chat/templates/thelounge.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=The Lounge (IRC client)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=thelounge
+Group=thelounge
+Type=simple
+Environment=THELOUNGE_HOME=/var/local/thelounge
+ExecStart=/usr/local/bin/thelounge start
+ProtectSystem=yes
+ProtectHome=yes
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target

roles/common/tasks/main.yaml

@@ -79,6 +79,7 @@
       - unattended-upgrades
       - apt-listchanges
       - sudo-ldap
+      - cron
 
 - name: Configure FZF for Bash
   ansible.builtin.lineinfile: