Deploying a Glowing Bear Backend Server on CentOS 7

Updated on December 20, 2016

Glowing Bear is a web frontend for the WeeChat IRC client and strives to be a modern interface. With its features like click-to-mention, substituting emojis, built-in image uploading to Imgur, great portability (available on every JavaScript-enabled browser) as well as the ability to utilize powerful extensions offered by weechat, it's bound to be your ideal IRC (and many other protocols, like XMPP) client.

This article will guide you through the process of setting up an encrypted weechat relay (the backend of Glowing Bear) at example.com:9001. After this, simply point your browser at Glowing Bear, fill in the necessary information, and you're good to go.

Prerequisites

We'll be deploying on CentOS 7 x64. You'll need the following:

  • A newly-created CentOS 7 server.
  • A domain name.
  • Some patience.

We assume that the domain is properly configured (that is to say, you have properly filled in A and AAAA records at your nameserver). After these prerequisites have been met, proceed to the next section.

Software installation

In order to have weechat running in the background while being able to attach to it in case any intervention is needed, we're going to utilize tmux. Install the required packages by:

yum update
yum install weechat tmux certbot

Security notes

  • Never run weechat as root.
  • It's important to keep the relay safe; remember to choose a strong password for it.
  • If possible, rate limit connections to the relay in your system's firewall.

Configuration

Encryption will be enabled. Get a certificate for example.com first:

systemctl stop firewalld
certbot certonly

Remember to temporarily disable firewalld for ACME's authentication to go through. Pick standalone authentication to get a certificate.

Put the certificate in weechat's working directory.

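mkdir -p ~/.weechat/ssl
cd ~/.weechat/ssl
# relay.pem contains the private key: keep it off the terminal and readable by its owner only
cat /etc/letsencrypt/live/example.com/{fullchain,privkey}.pem > relay.pem
chmod 600 relay.pem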

We can configure weechat now. Start it by:

tmux new-session weechat

Enter the following configuration commands. Remember to replace things like <this> with your own value.

First set a master password for the credentials:

/secure passphrase <your master password>

Then:

/server add freenode chat.freenode.net
/set irc.server.freenode.nicks "<nick1>,<nick2>,<...>"
/set irc.server.freenode.username "<your user name>"
/set irc.server.freenode.realname "<your real name>"
/set irc.server.freenode.autoconnect on
/set irc.server.freenode.addresses "chat.freenode.net/7000"
/set irc.server.freenode.ssl on
/set irc.server.freenode.sasl_username "<your sasl username>"
/secure set freenode_password <your sasl password>
/set irc.server.freenode.sasl_password "${sec.data.freenode_password}"
/set irc.server.freenode.autojoin "<your channels>"
/secure set relay_password <your desired relay password>
/set relay.network.password "${sec.data.relay_password}"
/relay add ssl.weechat 9001
/relay sslcertkey

Please note that it is important to choose a strong relay password, as access to the relay allows executing arbitrary commands (via weechat's /exec).

Settings are automatically saved. Exit and re-enter:

/exit
tmux new-session weechat 

You should now be able to connect to the relay from Glowing Bear. Enable encryption when connecting.

Optionally (strongly recommended) re-enable firewalld and allow inbound connections on tcp/9001.

Your new Glowing Bear backend is ready! Detach from tmux with <C-b>d. Enjoy!

Maintenance

When it comes time to renew the certificate, re-run the copying steps above to put the renewed certificate in place. When an updated certificate is in place, run /relay sslcertkey. I suggest adding this as a cron job.
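
The maintenance step above, written as a script a cron job can call. This is an added example, not part of the original article. It assumes the job's user can read /etc/letsencrypt/live/example.com and that weechat runs in a tmux session named weechat (the tmux command in this article does not name the session); the function names are hypothetical.

```bash
#!/bin/bash
# Added example: rebuild weechat's relay.pem after a certificate renewal.
# install_relay_pem and reload_relay are hypothetical helper names.

# install_relay_pem LIVE_DIR DEST
# Returns 0 if DEST was replaced, 1 if it was already current, 2 on error.
install_relay_pem() {
    local live="$1" dest="$2" tmp
    # Refuse to build a bundle from missing or empty inputs.
    [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ] || return 2
    # Temp file sits next to DEST so mv is an atomic rename; umask 077
    # keeps the private key unreadable to group and others at all times.
    tmp="$(umask 077 && mktemp "$dest.XXXXXX")" || return 2
    if ! cat "$live/fullchain.pem" "$live/privkey.pem" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"; return 1      # unchanged, no reload needed
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 2; }
}

# reload_relay TMUX_TARGET
# Types the reload command into the weechat running in that tmux session.
# Assumes the weechat input line is empty when the job fires.
reload_relay() {
    tmux send-keys -t "$1" '/relay sslcertkey' Enter
}

# Cron entry point: runs only when the script is called with "cron".
if [ "${1:-}" = "cron" ]; then
    install_relay_pem /etc/letsencrypt/live/example.com "$HOME/.weechat/ssl/relay.pem"
    case $? in
        0) reload_relay weechat ;;
        1) : ;;                     # certificate unchanged
        *) echo "relay.pem update failed" >&2; exit 1 ;;
    esac
fi
```

The reload is sent only when relay.pem actually changed, so the job can run daily without touching weechat between renewals.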