From 1e6446d889dda93b45ca7db7c370562b152214e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= <hugo@lysator.liu.se>
Date: Sun, 4 Jul 2021 20:13:53 +0200
Subject: [PATCH] Turns out my systemd version didn't yet support
 LoadCredential.

---
 manifests/setup.pp        | 16 +++++++++-------
 templates/znc.service.epp |  8 ++++----
 2 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/manifests/setup.pp b/manifests/setup.pp
index 6b77948..847cf79 100644
--- a/manifests/setup.pp
+++ b/manifests/setup.pp
@@ -57,20 +57,22 @@ class irc_bouncer::setup {
     owner   => 'znc',
   }
 
+  $certname = $facts['fqdn']
+
   file_line { 'Set ZNC SSL Cert File':
     path  => '/var/lib/znc/configs/znc.conf',
     match => '^SSLCertFile',
-    line  => 'SSLCertFile = /run/credentials/fullchain.pem',
+    line  => "SSLCertFile = /etc/letsencrypt/live/${certname}/fullchain.pem",
   }
   file_line { 'Set ZNC SSL DH Param File':
     path  => '/var/lib/znc/configs/znc.conf',
     match => '^SSLDHParamFile',
-    line  => 'SSLDHParamFile = /run/credentials/fullchain.pem',
+    line  => "SSLDHParamFile = /etc/letsencrypt/live/${certname}/fullchain.pem",
   }
   file_line { 'Set ZNC SSL Key File':
     path  => '/var/lib/znc/configs/znc.conf',
     match => '^SSLKeyFile',
-    line  => 'SSLKeyFile = /run/credentials/privkey.pem',
+    line  => "SSLKeyFile = /etc/letsencrypt/live/${certname}/privkey.pem",
   }
 
   # lysconf module comes bundled with lysator-version of znc
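Review bot: `SSLDHParamFile` still points at `fullchain.pem` on the new line, and a Let's Encrypt chain file normally holds only certificates, so ZNC probably finds no DH parameters there. If DHE cipher suites are wanted, generate a dedicated parameters file and reference it, e.g. `line => 'SSLDHParamFile = /var/lib/znc/dhparam.pem',` (path constructed for illustration); otherwise drop this `file_line`. These resources sit inside `class irc_bouncer::setup`, which begins and ends outside the hunk.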
@@ -108,7 +110,7 @@ class irc_bouncer::setup {
     propagation_seconds => 10,
     manage_package      => true,
   }
-  -> letsencrypt::certonly { $facts['fqdn']:
+  -> letsencrypt::certonly { $certname:
     ensure               => 'present',
     domains              => [ $facts['fqdn'], ],
     plugin               => 'dns-rfc2136',
@@ -116,11 +118,11 @@ class irc_bouncer::setup {
     suppress_cron_output => true,
   }
 
-  # transient config to undo earlier change
   file { ['/etc/letsencrypt/live',
           '/etc/letsencrypt/archive', ]:
     ensure => directory,
-    mode   => '0700',
+    mode   => '0750',
+    group  => 'znc',
   }
 
   file { '/var/lib/znc/moddata/cyrusauth/.registry':
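Review bot: Setting `mode => '0750'` with `group => 'znc'` on both `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` lets the znc group traverse and list every certificate lineage on the host, not only the one for `$certname`. Whether the key is then readable depends on the mode certbot gave the key files, which the hunk does not show: if `privkey*.pem` is 0600 and root-owned, ZNC still cannot read it, and if it is world-readable, every key under `archive` is exposed to the group. I would record the reason in a comment such as `# znc reads cert and key directly until systemd supports LoadCredential; revert to 0700 then`, and set `owner => 'root'` explicitly. A narrower alternative is a renewal hook that copies only this certificate and key into a znc-owned directory.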
@@ -140,6 +142,6 @@ class irc_bouncer::setup {
 
   systemd::unit_file { 'znc.service':
     content       => epp('irc_bouncer/znc.service.epp',
-      { 'keyname' => $facts['fqdn'], })
+      { 'keyname' => $certname, })
   }
 }
diff --git a/templates/znc.service.epp b/templates/znc.service.epp
index 9d93c6d..866a8c9 100644
--- a/templates/znc.service.epp
+++ b/templates/znc.service.epp
@@ -3,14 +3,14 @@
 [Unit]
 Description=ZNC, an advanced IRC bouncer
 After=network-online.target
-     
+
 [Service]
 ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 User=znc
 
-LoadCredential=fullchain.pem:/etc/letsencrypt/live/<%= $keyname %>/fullchain.pem
-LoadCredential=privkey.pem:/etc/letsencrypt/live/<%= $keyname %>/privkey.pem
-     
+# LoadCredential=fullchain.pem:/etc/letsencrypt/live/<%= $keyname %>/fullchain.pem
+# LoadCredential=privkey.pem:/etc/letsencrypt/live/<%= $keyname %>/privkey.pem
+
 [Install]
 WantedBy=multi-user.target
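Review bot: The two commented-out `LoadCredential=` lines carry no explanation, so a later reader cannot tell whether they are dead or waiting for an upgrade. A comment above them such as `# Disabled: LoadCredential= needs a newer systemd than this host runs (v247 or later, TODO confirm); until then znc reads /etc/letsencrypt directly` would record the intent. With them disabled, the service running as `User=znc` depends on file permissions under /etc/letsencrypt to reach the private key. The `<%= $keyname %>` tags are still rendered inside the comments, so the parameter must keep being passed.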
-- 
GitLab