In theory, this should work without that option (by getting the correct domain
from the nginx reverse proxy via IP header), but apparently it doesn't.
Also, I moved wink to wink2.hacc.space
For the record: this is the last state before nftables broke yesterday.
As far as I know, all that is missing from this to make the authentication
for wink actually work is internet access for the container (as was also
the case for hasenloch); the snippets for coredns and NAT copied from that
container led to the aforementioned firewall problem — or at least they are
the only thing I changed between deployments.
Apart from that:
this moves the proxy into the container, mostly to make keeping track of its
state (esp. the secrets file) easier should we ever decide to move this
somewhere else / delete the container, since that will just delete any
additional state of the proxy with it.
Since there was a desire for some kind of authentication in front of wink,
here is a barebones config using oauth2-proxy. It is as yet untested, since
I didn't want to deploy things right now / fiddle with the keycloak settings.
See the comments in the documentation for what must still be done to make
this work.
I acknowledge that I said I wouldn't do this, but no one else seems to care.
This adds an instance of wink for the hacc-voc to hainich. Unfortunately,
neither the actual package nor the container itself look very nixy, and
e.g. cannot be configured declaratively. On the other hand, it does not
appear the wink *has* any kind of config, so I guess there's that.
Wink itself runs in a nixos container, but I've exposed its database
to /var/lib/wink-db on the host, just to make it easier to access.
After deployment, we still need to migrate our current database to this
instance by hand (i.e. take the current database, rename it
"development.sqlite3", and move it into the wink-db directory).
Any improvements to this mess are welcome.
Intended for KontraIAA; requirements were that it should be a simple and
non-confusing as possible.
I tried both KiwiIRC and thelounge, and found both horrible to
package (a fact not helped by the somewhat opaque structure of
nixpkgs.nodePackages, which does contain a version of thelounge but
will apparently ignore overrides of the src attribute).
Instead, this now contains a very hacky version of thelounge, which
merely takes the already-built version from nixpkgs and glues some extra
css to it which hides potentially confusing fields.
Things hidden on the "connect" screen:
- the "name" field (since thelounge offers "nick" "name" and "realname"
by default, which seems too much for something embedded on a website)
- the "I have a password" checkbox
Things hidden on the general view:
- the button to open the side panel (the panel itself is not hidden,
and will appear by itself on wider layouts), so that users will only
see that one channel
- the "channel options" menu (which includes a "leave channel" option
which would effectively break the webchat)
Things not addressed:
- thelounge has autocompletion for /join /leave, etc. Do we want to
disable that as well?
- It would probably useful to suppress all the "x joined the channel"
messages. Thelounge supports this, but apparently doesn't support
setting it as default?
Misc:
- for now, users will be connected to #thelounge on libera.chat, which
appears to be okay with being used as an experimental channel
- I allowed prefetching link previews, but only on the server's side
(i.e. users' browsers won't fetch content from arbitrary sites)
- not yet tested on hainich, but should work (tested in a NixOS
container)
- currently assumes a "webchat.voc.hacc.space" domain (I think we had a
voc domain? but I forgot where it is …)
Among other things, this contains the "collapsable reply threads" feature
which makes it behave similar to slack.
Also, after spending thirty minutes or so attempting to teach niv that
it should really only fetch the tag "5.37.0" from the mattermost-server
repository and not any other commit, branch, or similar (there is a
"release-5.37" branch, but that seems to be for active development), I
have temporarily given up on it and typed in the urls manually.
Unfortunately, this means that any kind of `niv update` will now break
things. If anyone knows how to use niv correctly for this please patch
this; otherwise I guess we can extract mattermost out from niv again.
because gitlab broke websites AGAIN, they are now running on hainich
directly
While this is only a temporary solution, I think it will be as permanent
as they come
nixos and its concepts/service management/update mechanism don't play nice with minecraft
In general some things I wanted to do (e.g. a map) are to spikiely resource intensive to run on a server meant to provide other services consistently
A replacement will be provided soon™