Tue 3 May 2022 12:49PM

Online infrastructure for UK workers coops

Following on from the discussions and decisions on 1st May 2022 at Selgars Mill, how does this sound in terms of a plan for today:

  1. Webarchitects contact domains.coop to see if worker.coop and workers.coop could be made available to us for less than the £264.08 for the first year then £482.28 per year after that, that workers.coop is listed as being available for at Gandi.net (with the C rate discount we get).
  2. As 1. might take a while to sort out, Webarchitects registers workercoop.uk and workercoops.uk today with a view to ownership being transferred to a new legal entity, once it exists.
  3. Webarchitects sets up a Discourse forum at forum.workercoop.uk and we use that to decide what to do next, setting up email, Nextcloud and a chat system, Rocket or Mattermost or something like them etc.

Liam MacLeod (MediaBlaze Hosts) Tue 3 May 2022 1:03PM

We'd like to host some of the services that'll be needed if everyone is happy with that


John Atherton Tue 3 May 2022 1:12PM

Wasn't in the sessions so not sure what has already been agreed, but I'd say look into 1 see what discount we can get as currently we have zero cash. Hold off registering other urls as once we use one it will probably stick forever.

As for a discourse forum, if that's what has been agreed. If we can redirect to something like xxx.worker.coop in the future then if you want to crack on with it and host pro-bono just do it under your own url and we can switch it to something better once we get our own url.


> Hold off registering

The reason for having a domain name to start with, rather than simply using sub-domains of webarchitects.coop or whatever, is that:
1. With .uk domains it is not expensive and the price is stable due to the nature of Nominet.
2. It makes sharing access to things a lot easier, we can create a git repo and give Liam and Luke access for managing domain names today, whereas we can't do that with webarchitects.coop because so much other stuff is run on that domain.


Liam MacLeod (MediaBlaze Hosts) Tue 3 May 2022 1:32PM

I agree with the sub domain being forum.workers.coop, obviously until we get the actual domain a temporary one can be used and charged at a later date. Are Webarchitects happy to host pro bono? We're happy to if not.


Yes, I was assuming that, I might give you a call for a quick chat in a while about this.


Liam MacLeod (MediaBlaze Hosts) Tue 3 May 2022 2:12PM

Sure, give me a call when you're free ☺️


Autonomic Co-operative Tue 3 May 2022 1:56PM

Thanks @Chris Croome (Webarchitects Co-operative) @Liam MacLeod (MediaBlaze Hosts) for stepping up to get this discussion running about our own co-op run digital infrastructure. Autonomic can likely commit time/energy to helping where needed on this topic. Let us know. Luke on behalf of Autonomic


Cheers Luke, SSO is the thing that Liam and I were wondering if Autonomic might be able to help with.


Autonomic Co-operative Tue 3 May 2022 3:13PM

Yeh nice, would be well up for that. I'll let other Autonomic folks know this could be a thing we'd be asked to support on. Will be keeping an eye here anyway to see progress and ways to dip in.


John Atherton Tue 3 May 2022 2:02PM

In which case work out how much the domain is going to cost and we just need to find the money for that. It's better to use the one we want to use over the long term, then if it means we need to find a few £100 I'm sure we can get that from somewhere.


Liam MacLeod (MediaBlaze Hosts) Tue 3 May 2022 2:11PM

Hopefully domains.coop will do it cheaper than advertised


I've sent an email to suppor[email protected] and [email protected] with the Subject line, "Registration of .COOP Premium Domain Names for a new UK Workers Co-op Federation":

On 1st May 2022 UK worker co-ops agreed to establish a new workers co-op federation (the exact name is yet to be decided) and we would like to register worker.coop and workers.coop and were wondering if it would be possible to do this at the usual rate rather than the premium domain name rates.

Initially we will register the domains to existing UK co-ops with the intention to transfer legal ownership once a new legal entity has been established.

When discussing all this in the barn on Monday people were very keen for things to be set up ASAP, I promised to get things up and running in a matter of days, it is really not a big deal to change a domain name after a month and redirect the old one to the new one and I think it would be better to crack on with setting stuff up than wait until we hear back from domains.coop, is that OK with everybody?


Liam MacLeod (MediaBlaze Hosts) Tue 3 May 2022 3:12PM

Waiting till we hear back from them is (in my opinion) the best move forward to prevent the inevitable change in the future, hopefully they get back to Chris soon


Liam MacLeod (MediaBlaze Hosts) Tue 3 May 2022 3:30PM

Apologies, I just read that post wrong. If you're happy to go ahead without the domain then that's fine, I don't imagine it'll take a month for us to obtain the actual domain we want, but might end up setting something up only to get to change in a few days or a week. Either way I'm easy, it's up to the consensus of others on what to do.


Simon Ball (Blake House) Tue 3 May 2022 11:04PM

RE the money, could we not write a solid fund proposal for the domain costs?


Richard Crook: (Essential Trading Co-op) Wed 4 May 2022 12:43PM

Can anyone update or elaborate on what the “decisions at Selgars Mill” are? Wasn’t at the WCW so this is all a bit of a mystery.


John Atherton Wed 4 May 2022 1:38PM

Hi, to get a sense it might be useful to look at the first set of sessions at the worker co-op weekend programme.

In summary there were a series of sessions looking at the potential to create a new worker co-op organisation, what it could look like and do. There were working groups set-up, one was a mobilisation one so hopefully there is a plan for how to engage those not in attendance. If in doubt talk to Tim or Ian who were both there from Essential.


Tim Blanc Fri 6 May 2022 2:03PM

I feel that this project may risk being rushed through. Although it was introduced to a handful of worker co-ops attending the Worker Co-op Weekend (29th April to 1st May), the "discussion paper" that was presented at the event was simply printed for reading as the workshop began. I do not remember seeing this document as part of the WCW agenda papers. Please can this be circulated for all to read & comment.

I feel that it is very important that the Worker Co-op Council, as an elected body inside Co-operatives UK, do NOT take the informal feedback from the WCW as a "go-ahead" to create a new worker co-op organisation (workers.coop ???). There needs to be some wider consultation of the worker co-op members of Coops UK & beyond (non-members & Radical Routes).

More information needs to be formally presented & benefits/costs explained, so that the worker co-op movement can be engaged. This project will fail if it is a few, closed-circle enthusiasts pushing through radical changes without such wider engagement. There needs to be a dialogue as to how a new body will work alongside (in co-operation with) already established UK organisations such as Coops UK & Solidfund. There was a comment at the WCW that this move must NOT be seen as "England" led either. There should be ground-up engagement, across the UK nations.

I understand the opportunities that workers.coop might provide, but having been an elected director of ICOM, I also fear that past mistakes can easily be made.

If this discussion is simply about spending cash to buy .coop or .uk domain names then a proposal to Solidfund would easily meet such costs.


Sion Whellens (Principle Six/Calverts) Thu 30 Jun 2022 7:45AM

Hi Tim (again!) - earlier in the year, when things were at a sensitive stage with Co-ops UK, members of the WCC and working group engaged in a long round of 1-2-1 calls with worker co-op members to gauge initial reactions to the idea of an independent network/federation. Although this was by no means scientific or properly democratic, the very positive response gave the WCC confidence to pursue it. Your warning is well taken. I think perhaps we need to try and schedule in person meetings with every worker co-op we know (in and out of CUK membership) over the next months, to inform the plan.


Tim Blanc Thu 30 Jun 2022 9:23AM

Hi Sion. Thanks for your flurry of comments today & yesterday. As it happens, I had a long & informative phonecall with John Atherton yesterday, in my role as Chair of the Essential Trading Management Committee (MC). I now understand the following issues...

  • Internal issues within CUK concerning the "dilution" of the worker co-op agenda within the CUK Board & wider UK co-op movement.... maybe the worker co-op movement has become a bit passé.... even though we all love it ? Is that a CUK issue or an internal cultural problem within the UK WC movement ?

  • December 2022 target deadline, linked to CUK annual subscription renewals.

  • Dual subscription model CUK & new WCF.... may need more clarification around CUK services under the simple "partner" membership

  • Possible division of "services" between CUK & a new WCF

  • The reasons for confidentiality & sensitivity with the internal discussions between the WCC & CUK board. It is a shame that Essential Trading was not contacted by WCC in your initial "scientific or properly democratic" dialogues.

  • I have read the two key documents "Draft Vision" & "Draft agreement between CUK and WCC"

Having such a 1-2-1 discussion is helpful & I suggest that WCC needs to do this with other significant UK worker co-ops (of differing size, age, geographic location & business sector) within CUK membership, Radical Routes & outside these (if possible).

I have concerns (some already expressed here) about the pace of this project, if such a rushed process creates a flawed foundation for a new WCF organisation. These are some of my concerns...

  1. Clear definition of what is meant by "worker-led". I would feel very uncomfortable with a WCF including "worker-led" organisations that do not subscribe to the ICA 7 Coop Principles, in particular ONE & TWO.

  2. Transparency & accountability of assignment of "jobs".... I fully trust John Atherton as a freelance "route finder" to get a new WCF off the ground, but the process by which this job assignment discussion was made & how his post is being funded needs to be made clear.

  3. The transfer of governance of the WCC from CUK to a new WCF board.... yes the WCC are elected representatives & well suited to "birth" a new WCF, but their initial term needs to be defined, together with a "job description".

  4. There needs to be a clear definition of how SolidFund resources might be used. It makes absolute sense for a new WCF to act like the old CUK Enterprise Hub, to offer business support "bursaries" to new start or existing worker co-ops from SF. Such an approach would deliver a more strategic rather than ad hoc approach to use of the SF. BUT... I am very wary of the hard "earned" SolidFund being used to set up an untested new WCF. This new body needs to stand on its own legs. As I wrote before, a blank cheque approach is very worrying.

Going forwards, I suggest that the WCC reach out to around 30 to 50 people within the worker co-op community (at least 75% being actual worker members, rather than individuals or consultants) & use such a group as a sounding board for your plans going forward.

I welcome & I am grateful for the dedicated voluntary work of the WCC in putting the possibility of a new WCF on the agenda, but having been part of previous "great principle six" co-op networks, I am wary of stuff being rushed & not being clearly defined & not being financially viable.

There is an alternative strategy, that would be to push hard within CUK so that an established body takes worker co-ops seriously again.... or maybe the WCC has hit too many brick walls on this ?

Towards further co-operation

luta continua


Graham Thu 30 Jun 2022 9:47AM

Just a quick response on the final point you make Tim, suggesting that CUK doesn't take worker cooperatives seriously. I don't believe that this is the case at all. In fact I'm sure that the org does take worker cooperatives seriously. However, I feel that there is a hard reality at work here: in recent years at least, the funding that CUK increasingly relies on is not focussed on supporting or growing the worker-owned sector. A large percentage of worker cooperatives are not in membership of CUK, and even if they were it probably wouldn't make a huge difference to the budget.

As someone who was there at the time of the merger between ICOM and the Co-operative Union back at the turn of the century, the big win from that merger as I saw it (bringing together the innovation and energy of the worker cooperatives with the scale and assets of the consumer movement for mutual benefit) was never realised.

The move to create a new federal makes huge sense, and I agree absolutely with you that if it is to succeed it demands very careful thought, planning and execution.


Dan Holden Wed 4 May 2022 1:28PM

@ratcrook an impromptu working group was formed at the WCW to develop some digital infrastructure for a new worker co-op organisation. Attached is a scan of a relevant flipchart page, I don't have any more specifics than that. I'm sure a full report from the Worker Co-op Council will be forthcoming soon.


I'm sorry that we haven't got anything up and running yet, I have a Discourse server half set-up I need to do some more work on it so that emails work, without that people can't activate accounts, I have to drive to London now, I should be able to get everything working on Friday, once again sorry for the delay.


Dan Holden Wed 4 May 2022 3:02PM

@Chris Croome (Webarchitects Co-operative) I wouldn't worry, you're miles ahead of where I thought we'd be at this stage!


Jack Lord (Open Data Services Co-op) Thu 5 May 2022 11:10AM

I don't understand why high-level decisions about technical infrastructure (host everything ourselves) are apparently being baked into the design of a potential worker co-op federation with so little consultation or explanation of the underlying thinking.

The tech should serve the organisation and not the other way round. My impression is that we risk designing in a massive barrier to participation via an unspoken and frankly irrelevant commitment to using open software.* Every new system and sign-up imposes a cost on users, and many of them will simply opt-out when faced with unfamiliar chat, docs and meeting apps, especially if the sign-up process is convoluted, complex or poorly documented.

At the very least, we should be looking at previous experiences here:

  • What are the user needs of the worker co-op federation around tech, both for the inner core and the members who will need to interact with the organisation? From SolidFund and this group, for example, we know that getting people to sign-up to and use Loomio is a barrier to participation.

  • What has been the impact of self-hosting open software on engagement elsewhere, e.g. in CoTech? (For a survey of one: I have never managed to summon the energy to make it through this list of CoTech sign-ups - one of which requires my co-op to buy a share in another co-op, while others appear to require me to send an email to someone unspecified.)

(*At ODSC we have an open source policy, build open licences into our contracts, produce a huge amount of original open source software and open data standards, and much of our work is ultimately directed at producing open data. We use open software and tools where we can. But we also use Google Workspace and various other SaaS products to get our work done, and collaborate with others. That's a compromise we make so that we can concentrate on the areas where we can make the greatest impact.)


Autonomic Co-operative Thu 5 May 2022 3:33PM

Hi @jacklord

The proposal that Chris made above is very modest. It's just to buy a domain and then setup a Discourse forum so that we can co-ordinate next steps.

> Webarchitects sets up a Discourse forum at forum.workercoop.uk and we use that to decide what to do next

This strategy is clearly very effective for CoTech as the Discourse forum has 100s of users and we have organised many events using it and connected with co-ops around the world. The ICA also has a Discourse forum that is active. I can't think of a proprietary service that does what Discourse does as well.


Simon Ball (Blake House) Thu 5 May 2022 3:42PM

What's the benefit of starting a new forum as opposed to keeping on this one? I think there's 309 members here, which will be difficult to migrate consensually to a different forum.


Jack Lord (Open Data Services Co-op) Thu 5 May 2022 3:51PM

No objections to a forum. But in the flip chart posted above there is clearly a lot more going on (NextCloud, Rocketchat), and all of it is built on the self-hosting open software idea. It's the totality of how all that works that I am concerned about, not whether one component works well.


Dan Holden Thu 5 May 2022 6:45PM

Apologies, perhaps posting a rather 'brainstorming' flipchart page out-of-context wasn't that helpful. I don't really think any decisions were made last Sunday, there wasn't really time for one thing, not to mention the requirements/input of everyone who wasn't in a barn in Devon at just the right moment needs to be taken into account.

There will need to be a lot more thinking about the user needs before committing to any particular software beyond a basic discussion/organising platform. I agree the technology must serve the federation. At my own co-op we (mostly) use Google Workspace, attempts at using unfamiliar software that requires additional user accounts haven't (yet) been that successful for our mostly non-technical 68 members. A robust, flexible and well documented SSO would likely help!

Learning from the experience of CoTech and other federations like the USFWC will be really important too.

My 2p would be there shouldn't be a forum, a slack/irc/mattermost/whatever and a loomio group. Where possible a single flexible space for conversation works better. And resources are likely to be stretched at least to begin with, so keeping it simple to start with makes sense.


Billy Smith Fri 6 May 2022 9:45AM

"The tech should serve the organisation and not the other way round."

This is why the FLOSS systems should be used. Proprietary systems are always biased towards the company that made them, and not towards the benefits & rights of the people using the systems.

Whether it's self-hosted, or run on an external data centre is another question.

This was discussed at a CoTech meetup last year.

When reading the thread here, I just had an "esprit d'escalier" moment, and realised what I should have said then. :D

"Looking at different aspects of the market-place from an ecological-energy metaphor, you can see how each of the organisations inhabit a different ecological niche when you look at how it generates energy within their respective local micro-climate ( market-niche ).

If you see a privately-held company operating within a specific market-niche, then you know that it's relatively profitable to be operating within that niche, otherwise they wouldn't be there.

Market analysis of the niche, and, company analysis of their operations, will then get you a better idea of how profitable that niche is, and, whether it is worth replicating their operations as a co-operative." :D

Co-operatives are about an ownership model, not about whether a specific market-niche will be profitable.

Those are two separate topics of discussion. :D


Jack Lord (Open Data Services Co-op) Fri 6 May 2022 2:33PM

@Dan Holden (Unicorn Grocery) Thanks - that all sounds sensible and good to hear that those things will be thought about. And no need to apologise - I thought it was useful to see some details of what was discussed, even without context.


Jack Lord (Open Data Services Co-op) Fri 6 May 2022 2:52PM

@Billy Smith I think this is exactly the conversation any proposed organisation should have. Your views are ones that I share but I also think there are costs and benefits when deciding how to deal with that, and different groups will place different values on what those costs and benefits are!


Autonomic Co-operative Thu 5 May 2022 3:35PM

Could we maybe consider setting up Single Sign On (SSO) using oauth from the start @Chris Croome (Webarchitects Co-operative)? Then we can add more services as time goes on and they will all use the same login. We can also have a clear view of which users belong to which worker co-ops.

We use Keycloak for that for our clients. I think that was one of the main problems with the CoTech infra. Autonomic can help with that part of the infra.


Liam MacLeod (MediaBlaze Hosts) Fri 6 May 2022 10:08AM

We use a centralised LDAP server so something like that I guess


Yes, ideally we would set up SSO at the beginning, we have a Nextcloud server up and running at office.workerscoop.uk (however there is an issue with the ONLYOFFICE connection) and we have a Discourse server up and running at forum.workerscoop.uk (however there is an issue with outgoing email that I'm working on fixing) and email accounts and aliases can be created on the workerscoop.uk domain. How would you suggest we proceed regarding Keycloak -- I haven't used it before.


Autonomic Co-operative Fri 6 May 2022 3:27PM

Could you:

  1. Install the Discourse OIDC plugin, and one of the two Nextcloud OIDC apps (#1, no GUI, more reliable or #2, nice GUI, slightly jank)

  2. Set up a DNS record for e.g. login.workercoop.uk - A record to, or CNAME to swarm.autonomic.zone would be fab


I've created the DNS record and installed the plugins:

```
dig +short login.workerscoop.uk
```

```
php occ app:install oidc_login
oidc_login 2.3.1 installed
oidc_login enabled
```

If you create an account on forum.workerscoop.uk I can manually activate or I could simply create it and I can also create one on the office.workerscoop.uk Nextcloud server, what username / email should I use for the accounts?

Note that Luke and Liam have access to the repo at git.coop that contains the Bind 9 zonefiles and also a repo with all the Ansible for the server configuration. Luke and Liam can also add users to the workers group on git.coop and perhaps we should continue this via an issue on the servers repo to save everybody here from the details of the SSO configuration?


Autonomic Co-operative Sat 7 May 2022 5:45PM

@Chris Croome (Webarchitects Co-operative) I set up a Keycloak instance on login.workerscoop.uk; I'd like to share the admin password with you as a backup. Are we using (or can we use) Nextcloud Passwords on office.workerscoop.uk, should I fire up a Vaultwarden, or do you have another system in mind?

I signed up as 3wc on the forum but no activation email received yet. Same email / username for Nextcloud, please - [email protected], 3wc.

I'll set up SSO on Discourse and Nextcloud as soon as I have access.


Chris Croome (Webarchitects Co-operative) Sun 8 May 2022 12:30PM

Thanks, happy to use Nextcloud Passwords, I have added and enabled it:

```
php occ app:install passwords
passwords 2022.5.10 installed
passwords enabled
```

I have added a Nextcloud account for you and made you an admin, you should be able to request a password reset at this URL.

Do you have a git.coop account -- I'd like to add you to the workers group and also do you have a public SSH key available and if so could you share the URL with me so I can create accounts on the servers, add your SSH public keys and give you sudo access? What username would you like to be used? Once you have SSH access to the servers you could drop the Keycloak admin password into /root on one of the servers and I could copy, encrypt and save and then delete it.

I have asked Kate, the other sysadmin at Webarchitects to help with the issue we have with the Discourse server outgoing emails not being accepted by the virtual server the site is running on (she wrote the Ruby code we use for this) but I haven't heard back from her yet -- until outgoing email is working I can't make your account a Discourse admin account.


Autonomic Co-operative Mon 9 May 2022 10:19PM

Got into Passwords, thanks. I shared the admin password for login.workerscoop.uk with you there, did that come through?

Discourse email seems to have started working, and the SSO is configured; if you click "OpenID" on the login screen, you'll see a Keycloak login where you can log in with configured SSO providers - currently, a local database of users, and Autonomic's Keycloak instance.

I created an account for you - username: chriscroome, you should have received an email to reset the password. Any problems, you can log in on login.workerscoop.uk and fiddle with your own account settings here: https://login.workerscoop.uk/auth/admin/master/console/#/realms/Workerscoopuk/users/ac1e1798-cdf4-4a49-8391-b7da2e8941ab/user-credentials

If you let me know once you've got into Discourse successfully, I'll disable local registration and login there - you can get a sneak preview of the user experience on e.g. forum.wiki.cafe where I set it up the same.

To configure Nextcloud, I'll need to make changes to `config.php` - is there a way of giving me direct access to that, or should I give you the changes to make?


Chris Croome (Webarchitects Co-operative) Tue 10 May 2022 11:29AM

Thanks @autonomiccooperative I have the Keycloak admin login.

Yes the outgoing email on Discourse has been fixed, however I haven't yet had a chance to test incoming email, if you could post a reply to this thread then I'll receive an email and can then reply to that to test that it is working.

You can have SSH access to the Nextcloud server if you can provide me with a username and SSH public key (ideally a URL to a public key) and if possible an email address for the account.


Chris Croome (Webarchitects Co-operative) Tue 10 May 2022 1:13PM

> I created an account for you - username: chriscroome, you should have received an email to reset the password.

I can't find this email, could you let me know what the From: header would have been or the IP address of the sending server so I can check the logs to try to work out what happened to it?


Autonomic Co-operative Wed 11 May 2022 2:18PM

I'll try re-sending. `From: [email protected]`, sending server should have been `mail.gandi.net`.


Chris Croome (Webarchitects Co-operative) Wed 11 May 2022 2:22PM

I've grepped our mail server logs for the string [email protected] and there were zero matches, there were also no matches when grepping for mail.gandi.net and autonomic.


Autonomic Co-operative Wed 11 May 2022 2:52PM

Seems like Gandi's blocking the email for some reason. Trying a different server...


Autonomic Co-operative Wed 11 May 2022 2:53PM

OK the second email seems to have worked. Adding a user for Liam on there as well now.


Autonomic Co-operative Wed 11 May 2022 2:55PM

Username for SSH `calix`, key here https://github.com/3-w-c.keys

And I posted the reply, might take a few minutes to come through depending on email delay settings.


Autonomic Co-operative Wed 11 May 2022 2:57PM

Sorry, and I just saw this part:

> Do you have a git.coop account -- I'd like to add you to the workers group and also do you have a public SSH key available and if so could you share the URL with me so I can create accounts on the servers, add your SSH public keys and give you sudo access? What username would you like to be used? Once you have SSH access to the servers you could drop the Keycloak admin password into /root on one of the servers and I could copy, encrypt and save and then delete it.

I don't have a git.coop account for Autonomic, only via the IWW. I think Autonomic are possibly a member through a client project, if that's the case could you authorise @autonomic.zone email addresses on git.coop, and I'll make an alias there.


Chris Croome (Webarchitects Co-operative) Wed 11 May 2022 4:38PM

I'm afraid there is no record of Autonomic being members of Webarchitects in our membership register, if you would like to join please see the details on our website.


Chris Croome (Webarchitects Co-operative) Wed 11 May 2022 4:58PM

Thanks, you should now be able to ssh [email protected] and then:

```
sudo -i
su - cloud
cd sites/nexcloud
php occ status
vi config/config.php
```

BTW please don't upgrade to version 24.0.0 as we have had to roll back two clients sites already because of issues with the latest version of Nextcloud.


Chris Croome (Webarchitects Co-operative) Mon 16 May 2022 1:29PM

Hi @autonomiccooperative have you had a chance to sort out Nextcloud SSO -- I think once that has been done we should perhaps arrange a session with the Workers Co-op Council to show them how to create accounts for people and how to use the initial tools we have set up for them and also ask what is needed next!


Autonomic Co-operative Tue 17 May 2022 11:29AM

@Chris Croome (Webarchitects Co-operative) thanks for the ping!

Nextcloud SSO is now set up. You should be able to log in with your Keycloak account; if you need to access via your existing local account, you can visit https://office.workerscoop.uk/login?noredir=1

I also set up auto-redirect-to-SSO for Discourse; I'm not aware if there's an override login there, but you should also still be logged in via your existing session(s) if you need to do anything.

I also enabled Keycloak self-registration; there's a button at the bottom of the login page.

Definitely down to have a how-to session.


Chris Croome (Webarchitects Co-operative) Tue 17 May 2022 11:57AM

Thanks! But I really don't think we want open account creation for all to access all systems do we?

It would be fine for Discourse, as it has plenty of anti-abuse features built-in but Nextcloud is more designed on the assumption that only trusted users have accounts, I'd suggest that it would be wide open to be abused if anyone can create accounts and gain access.

Does Keycloak have the ability to limit what systems accounts have access to?

Could we have an allow list of email domains that can create accounts without approval (on the CoTech Discourse forum we automatically promote users to groups that allow access to private categories based on the domain of their email address)? Or is there another way we could solve this?


Chris Croome (Webarchitects Co-operative) Thu 19 May 2022 12:42PM

@Autonomic Co-operative any thoughts on my comment above?


Autonomic Co-operative Thu 19 May 2022 12:48PM

> Thanks! But I really don't think we want open account creation for all to access all systems do we?
>
> It would be fine for Discourse, as it has plenty of anti-abuse features built-in but Nextcloud is more designed on the assumption that only trusted users have accounts...

I don't know as much about Nextcloud admin, but I think I'd agree with you.

> Does Keycloak have the ability to limit what systems accounts have access to?

Yes; I think the easiest way to do this is with a Keycloak role. What should we call it? i.e. what's the name for users who should have access to Nextcloud as well?

> Could we have an allow list of email domains that can create accounts without approval

Possibly, not investigated yet, but Keycloak is intricately configurable. In the meantime I think the manual admin burden of adding accounts to the group that also gives access to Nextcloud seems bearable, given we'll only need to do it once per user, even if we get more apps.


Chris Croome (Webarchitects Co-operative) Thu 19 May 2022 1:17PM

> what's the name for users who should have access to Nextcloud as well?

I guess that would be "members"?

Does this extension look viable for managing a list of email domains which are allowed to automatically create accounts?
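The access rule discussed in the posts above (open sign-up for the forum, with the "members" role granted automatically only to addresses on an email-domain allow list), sketched as an added example that is not part of the original thread and is not Keycloak's or any extension's code. The domains, the `forum` group name and the function names are assumptions made for illustration; only the `members` name comes from the thread.

```python
from dataclasses import dataclass

# Constructed allow list: the thread does not name the domains it would contain.
ALLOWED_DOMAINS = frozenset({"example.coop", "members.example.org"})


@dataclass(frozen=True)
class Signup:
    email: str
    email_verified: bool  # True only after the user clicked a mailed link


def email_domain(address):
    """Return the normalised domain of an address, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1 or any(c.isspace() for c in address):
        return None
    local, domain = address.split("@")
    domain = domain.rstrip(".").lower()
    if not local or not domain:
        return None
    try:
        # IDNA-encode so a lookalike Unicode domain becomes an xn-- name
        # and cannot compare equal to an ASCII allow-list entry.
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def groups_for(signup, allowed=ALLOWED_DOMAINS):
    """Groups a new account gets without an admin approving it.

    Everyone with a well-formed address gets the hypothetical 'forum'
    group. 'members' (the role gating Nextcloud) needs BOTH a verified
    address and an exact domain match: a suffix or substring test would
    also accept domains that merely contain or end with an allowed name.
    """
    domain = email_domain(signup.email)
    if domain is None:
        return set()
    groups = {"forum"}
    if signup.email_verified and domain in allowed:
        groups.add("members")
    return groups


if __name__ == "__main__":
    # Constructed sample sign-ups.
    for s in (
        Signup("Alice@Example.COOP", True),
        Signup("bob@example.coop", False),
        Signup("carol@example.coop.other.test", True),
    ):
        print(s.email, sorted(groups_for(s)))
```

Anyone whose address falls outside the allow list keeps forum access and waits for an admin to add the `members` role by hand, which matches the manual step described in the thread.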


Chris Croome (Webarchitects Co-operative) Fri 20 May 2022 3:16PM

@autonomiccooperative any thoughts on this extension -- it looks well supported, could it be installed and enabled on your instance of KeyCloak?

Also the good news is that @sionwhellens has secured some .coop domains for the project, the bad news is that we now have to reconfigure all the services to use them ;-)


Chris Croome (Webarchitects Co-operative) Mon 23 May 2022 11:09AM

@autonomiccooperative I have started reconfiguring everything so that:

Could you please look at updating the KeyCloak instance so it works at the new URL and also consider installing this extension so we can have an allow list of domains that are able to create accounts without intervention?

I think we also need to have a website at www.workers.coop, I could quickly spin up a WordPress site at this URL if anyone else is able to take on changing the theme or at least the theme colours and logo and adding some content to it... any volunteers? If not I could create a very basic static HTML page with links to the other sites?


Dan Holden Mon 23 May 2022 1:03PM

Might as well just be a static site with links for now, the site isn't going to be public facing yet really - plus the marketing/outreach circle might have views on what actually goes on the landing page

+1 for the domain whitelist functionality, btw


Chris Croome (Webarchitects Co-operative) Mon 23 May 2022 6:38PM

> the marketing/outreach circle might have views on what actually goes on the landing page

That's actually a good reason to use WordPress -- they could be given logins and then probably get on with adding and editing content and changing the look of the site without help since it's the most popular and used open source website content management system...



Liam MacLeod (MediaBlaze Hosts) Wed 11 May 2022 2:08PM

Would it be possible for myself to have admin access please?


Chris Croome (Webarchitects Co-operative) Wed 11 May 2022 2:16PM

Sure, to Nextcloud, Discourse and Keycloak?


Autonomic Co-operative Wed 11 May 2022 2:17PM

I'll create an account for Liam on Keycloak so he can log into Discourse. Once we have Nextcloud SSO set up, I'll share the Keycloak admin password there with him too.


Chris Croome (Webarchitects Co-operative) Wed 11 May 2022 2:26PM

Liam already has an account on Discourse that I have granted admin to and he now also has a Nextcloud account on office.workerscoop.uk and can request a password reset at this URL using the username liam.


Liam MacLeod (MediaBlaze Hosts) Wed 11 May 2022 3:59PM

Yes please


Liam MacLeod (MediaBlaze Hosts) Wed 11 May 2022 4:00PM

Thanks Chris


Autonomic Co-operative Thu 19 May 2022 12:49PM

@Liam MacLeod (MediaBlaze Hosts) I shared the admin password with you on Nextcloud earlier today, did you get it?


Liam MacLeod (MediaBlaze Hosts) Thu 19 May 2022 3:02PM

Hey, nothing shared with me. Was it on the worker coop nextcloud?


Autonomic Co-operative Wed 11 May 2022 4:41PM

I don't know if this is possible but can we move this thread to this separate section: https://www.loomio.org/worker-co-operatives-mobilising-for-the-federation/


Chris Croome (Webarchitects Co-operative) Wed 11 May 2022 5:01PM

If that is possible it would probably have to be done by someone who is an admin here and I'm not one. Another alternative could be to create a (infrastructure?) category on the Discourse forum and take this there?


Liam MacLeod (MediaBlaze Hosts) Thu 12 May 2022 7:04PM

I vote discord and advertising people to join it


John Atherton Thu 26 May 2022 7:16PM

Just in the process of writing a paper for Co-operatives UK Board on progress and specifically going to highlight the good work of this team. You will be setting up an official discussion forum for the new federal quicker than we ever set one up for Co-ops UK! So thanks for being excellent and when you need a normal test person to go through the process send me an email to my gmail account if you know it as I'd love to have a nosy about, but don't be giving me complicated admin rights or anything!


Chris Croome (Webarchitects Co-operative) Fri 27 May 2022 8:29AM

Thanks @johnatherton but I'm afraid that nothing is working at the moment as we need help from @autonomiccooperative to update the domain name and install a plugin for SSO and if they don't have the capacity for this I guess @liammacleod and I had better look at hosting our own SSO server.


Autonomic Co-operative Fri 27 May 2022 1:12PM

We didn't plan around needing to do the set-up twice, or the system stopping working in the meantime.

It'd be helpful if you could switch back to the old domain names for the time being, and redirect from the new ones to the old ones.

If that's not possible, you have the necessary access yourself to update Keycloak to make these changes.

Otherwise, if none of the above, we'll get to it when we can.


Chris Croome (Webarchitects Co-operative) Fri 27 May 2022 1:31PM

Sorry @autonomiccooperative that it wasn't clear to you that the workerscoop.uk domain name was a provisional one that was registered as an interim measure while workers.coop was being sorted out, I did mention this above but Loomio threads are hard to follow so I can understand why you missed / misunderstood this.

I've looked at the KeyCloak admin interface and I can't see a way in which it grants access to the filesystem, access to the plugin directory is required to install the email domain based access controls that I think are necessary so I think your assistance is required for this.

Would it help if we had a video call to try to clear up any misunderstandings and agree on the next steps?

Note that to login to Discourse as an admin, by-passing SSO, you can use this URL to generate an email containing a URL to automatically log you in, however for now I have deactivated openid connect on the forum.

I have also deactivated SSO on the Nextcloud server for all logins to allow for the reconfiguring.

So for now we have:

  • forum.workers.coop -- a Discourse forum with open registration.
  • office.workers.coop -- a Nextcloud instance with account creation limited to admins, please post requests for accounts in this thread.

Autonomic Co-operative Mon 30 May 2022 9:39AM

@Chris Croome (Webarchitects Co-operative) 2 options I can see:

  1. If you can revert the DNS changes, and commit to coördinating with us on future infra changes, we'd be happy to keep going on the SSO set-up with the current infra. You made the plan on when to change the DNS, so it seems like it was your responsibility to tell us about it ahead of time, get our consent to doing the config twice, and make a plan with us for when we actually had capacity to do it – saying "it wasn't clear to you" makes it seem like these are things we could have or should have intuited (disagree with both), and cutting straight to holding us responsible when we hadn't accommodated your change quickly enough, rather than asking us, or offering to help, is not the start of a collaboration we want to have.

  2. Alternatively, we'd be happy to run the Discourse and Nextcloud instances ourselves, with anyone else welcome to help. In this case, we'd communicate about infrastructure changes with collaborators using some agreed communications channel, and get consent from everyone involved on new technical plans before implementing them.

Let us know how you'd like to proceed. —3wc


Liam MacLeod (MediaBlaze Hosts) Mon 30 May 2022 12:43PM

Could I propose that for the meantime we implement an LDAP server for the purpose of "SSO" (Users would still only have 1 set of login credentials for both Nextcloud and Discourse), until we can make the necessary changes re domain. LDAP is an easy solution which I have experience with and we can create groups (members/non-members) to restrict access to the worker coop Nextcloud, because at this time, whilst open membership is great, it is unnecessary for everyone to have access to it. This would form a simple SSO which we can then look to make the switch over to a full SSO platform such as Keycloak. We can easily sync across the LDAP users to Keycloak. I'd be happy to get straight into it and get it all setup, unless someone has objections, to which I'd be happy to discuss. 🙂


Autonomic Co-operative Mon 30 May 2022 12:55PM

Sorry @Liam MacLeod (MediaBlaze Hosts) could you please hold off on implementing an additional authentication method while we're still trying to work out how to co-operate with each other. Thanks, Luke.


Liam MacLeod (MediaBlaze Hosts) Mon 30 May 2022 1:10PM

Hey Luke, hope you're well.

My reasoning for implementing such a service, was due to availability and capacity. Whilst I understand you are using your own servers, it's difficult for either myself or Chris to make changes to provide full functionality. It would be a pretty simple setup and wouldn't take me long and could be a bridge until things can get worked out your end.

Plus, who doesn't like redundancy haha 🙂


Chris Croome (Webarchitects Co-operative) Mon 30 May 2022 1:26PM

11 days ago I asked @Autonomic Co-operative :

> Does this extension look viable for managing a list of email domains which are allowed to automatically create accounts?

And I'm still not clear if this is a possibility or not, the question has not been answered.

What was "working" previously -- open account creation that allowed anyone in the world to get a Nextcloud account wasn't a viable solution, this was acknowledged above by @Autonomic Co-operative.

It doesn't make sense to switch the Discourse forum and Nextcloud instance, which are currently running on the workers.coop domain, over to run on the workerscoop.uk domain since that is not the desired domain for the project.

Regarding the two options above from @Autonomic Co-operative , if those are the only two options that @Autonomic Co-operative can offer then I think the offer from @Liam MacLeod (MediaBlaze Hosts) is a better option.


Autonomic Co-operative Mon 30 May 2022 2:03PM

@Chris Croome (Webarchitects Co-operative) the issue we're raising is about communications; even if we go along with your LDAP suggestion, we don't seem to agree about whether you need to get consensus before implementing changes that will cause more work for others, and how to communicate with the rest of WCF about situations where that's happened.

If you'd like to approach this collectively, we're down to help, if you'd prefer to keep making unilateral decisions about the tech then best of luck with things. —3wc


Chris Croome (Webarchitects Co-operative) Mon 30 May 2022 2:28PM

It was clear at the Workers Co-op Weekend that workers.coop was the desired domain name for this project. I thought we all understood that workerscoop.uk was an interim domain name that we would only use prior to switching to the desired domain.

The only communication channel I'm aware of that we are using for co-ordinating this work is this Loomio thread and I posted in this thread on 19th May that:

> the good news is that @sionwhellens has secured some .coop domains for the project, the bad news is that we now have to reconfigure all the services to use them ;-)

I heard nothing from you, I assumed that there would be no objection and that there was consent to switch to the desired domain name, I had no reason to think that there was a problem, but I waited to see if there was a response before doing anything.

Three days later, on the 23rd May, I started making the changes to the Discourse server and Nextcloud server so that they would run on the workers.coop domain, not anticipating that this would be an issue because this was the domain that we had agreed on, there had been no objections or issues raised in the three days since I had informed people that we now had the desired domain name and because the Keycloak configuration that had been implemented so far wasn't one that we could continue using because it:

  • Didn't provide the ability for email domains to be added to an allow list for Nextcloud access.

  • Did allow anyone in the world to create accounts that granted Nextcloud access and we had agreement that this was not acceptable.

It wasn't until the 27th May, 8 days after I had posted a notification that we had secured the desired domain names and that services would need to be reconfigured and four days after I had updated the Discourse and Nextcloud servers that you raised an objection to the Nextcloud and Discourse services running on the desired domain name.

At the face-to-face discussion where we made these plans, we were specifically asked to get things up and running as quickly as possible, as far as I recall @Autonomic Co-operative were not present at this discussion in the barn.

I'm sorry that by getting on with the work, that I thought was needed and for which I understood there was agreement to do, at what I thought was a reasonable speed, I have upset you, this was not my intention.


Liam MacLeod (MediaBlaze Hosts) Mon 30 May 2022 7:48PM

Just going to echo the request that was made by several people at the worker coop weekend, which was "get things up and running quick" I'll admit that my much time was given to have discussions around infrastructure, however within the coop communities, both Chris and myself have set up nextcloud, discourse and mailcow servers for various coops.

You mention the issue regarding communications, which is absolutely valid and I agree, could be better, but at this moment in time, this thread has been the go to for all things infrastructure related. It's also down to individuals to take part in the conversations we have here, if they don't, I'd like to think they know what we're doing.

If anyone feels that loomio isn't the place to have these discussions, where do we think they would be best placed in order to reach all concerned parties?

I'll admit, I missed out the conversation about SSO in the first place, the recommendation which was implemented (Keycloak) was one that personally I didn't originally have a say on, as I'm sure we can all agree, we're only doing what's in the best interest of the federation and its users, hence its implementation.

My recommendation of using LDAP, is just that, a recommendation and opinion, at no point did I set up an LDAP server and plug it into nextcloud or discourse. I have the capacity to do something to contribute to this project and that was my 2 cents.

At the barn meeting, only Maria, Chris, Dan and myself took part in brainstorming solutions, my apologies if I missed anyone out.

The point is we all want to work on this, so going forward we need to find a way that is practical, has parties that are tech minded in order to build infrastructure and those that wish to actually use the services we implement for the purpose of user testing and input, but at the same time we need to acknowledge that having drawn out discussions over what we do and don't implement will be detrimental to the infrastructure as a whole. We need to be proactive and find solutions that benefit the project and its users.

Some of the issues raised with the current keycloak server make it difficult to move forward if we don't know the setup used, i.e is this on a shared platform, a VM or docker container, access to the server itself in order to implement the plugins that would facilitate a better user experience and from what I can see within the admin backend, a link to id.autonomic.zone as an identifier, can we not just spin up our own worker fed instance?

Something we can easily do whilst also keeping everyone who wants to be, involved in.

I apologise if this has upset or angered others in this group, it is not my intention, but let's focus on what matters, we all have a varied range of skills, let's put them to good use and work together to build something awesome.


Liam MacLeod (MediaBlaze Hosts) Tue 31 May 2022 4:49PM

Hey @Autonomic Co-operative where are we at with moving forward?


John Atherton Wed 1 Jun 2022 9:52AM

It would be good if we could create a shared google doc just listing the infrastructure: already built, in progress, planned to be built with a section on basic requirement gatherings, so we can get a bit of a future plan as it's quite fast moving. Let me know if you want me to set this up?

Just to focus it in, things like a discord forum etc will be great, but for me personally the main thing it would be useful to have up soon, in time for Congress on the 17th June is just a basic landing page so if people go to workers.coop there is a basic message (I can provide or give direct access and I'll write something) even better if we can have a simple email sign-up form to be kept informed?

But don't push too quickly if it means making longer term decisions we can't roll-back on.

I'll let you guys decide the best way, but a simple Wordpress site or something.



Thanks @johnatherton, that all sounds good but we don't need to use a Google document since we have a Nextcloud server!

I've created a document on there, shared with and editable by all members of the workerscoopuk group, that is available at this URL that starts to document the infrastructure we have and who has access to what.

I've also provisioned a WordPress site at www.workers.coop via this git commit and installed an email signup form as requested, you should have an email with a link to reset your admin account. I've also added admin accounts for @cathcornerstone, @danholden, @liammacleod and @sionwhellens, would anyone else like to help to configure / edit / theme the site?


Simon Ball (Blake House) Tue 7 Jun 2022 12:36PM

I'm currently doing some intensive work for Co-ops Fortnight, but once that's concluded I'd like to contribute to building the website. Going by this thread, I imagine that it would work out more efficiently if I built a site, and then interested parties could contribute suggestions/changes if they wanted to.

My credentials being that I've been building websites since I was 11 and usually package up wordpress sites as a gratis extra to display some of our video projects. I could probably have something good, with original graphics/branding etc up in a couple of days worth of time.


Chris Croome (Webarchitects Co-operative) Tue 7 Jun 2022 12:50PM

We already have a WordPress site but it does need some content and theming!

I'm not sure what the best way to co-ordinate this is, perhaps we should start a new thread on the forum for this?


Simon Ball (Blake House) Tue 7 Jun 2022 12:55PM

I've started a thread on loomio to notify as many people as possible, but I will also set one up on the new forum to facilitate more detailed discussions if I'm able to get an account (it's not obvious where the registration button is).


Thanks @simonball, I had manually disabled the SSO plugin but it had been re-enabled via Ansible, I have now disabled it via Ansible and once the Docker container has been rebuilt there should be a sign up link at the top right of the forum.


I also needed to enable local logins and allow new registrations -- the Sign Up link is now active again at forum.workers.coop so feel free to create accounts and threads there. Also if anyone would like a Nextcloud account creating please post a request in this thread.


John Atherton Tue 7 Jun 2022 5:47PM

I’ve been working on a shared doc on Nextcloud to start getting things organised. Or at least keeping stuff in one place.


Happy to help with the website Simon, not sure whether it makes sense to create a new circle for it or just make it part of the digital or probably the marketing circle? Sion is working on some branding and key messaging stuff so def involve him so it's all co-ordinated.


Would it make sense to create a Circles category on the forum with a sub-category for each one? For example, like this:

└── Circles
    ├── Accountability
    ├── Business Planning
    ├── Digital Infrastructure
    ├── Fundraising
    ├── Marketing
    ├── Mobilising
    └── Policy

Discourse categories can contain multiple threads and people can set their account notifications so they are only informed about posts in specific ones, the options for each category are:

  • Watched: You will automatically watch all topics in these categories. You will be notified of all new posts and topics, and a count of new posts will also appear next to the topic.
  • Tracked: You will automatically track all topics in these categories. A count of new posts will appear next to the topic.
  • Watching First Post: You will be notified of the first post in each new topic in these categories.
  • Muted: You will not be notified of anything about new topics in these categories, and they will not appear on the categories or latest pages.

John Atherton Wed 8 Jun 2022 8:49AM

Yep, sounds like a great idea to me, and we can add new circles if we need them in the future