Turns out my systemd version didn't yet support LoadCredential.

manifests/setup.pp

@@ -57,20 +57,22 @@ class irc_bouncer::setup {
     owner   => 'znc',
   }
 
+  $certname = $facts['fqdn']
+
   file_line { 'Set ZNC SSL Cert File':
     path  => '/var/lib/znc/configs/znc.conf',
     match => '^SSLCertFile',
-    line  => 'SSLCertFile = /run/credentials/fullchain.pem',
+    line  => "SSLCertFile = /etc/letsencrypt/live/${certname}/fullchain.pem",
   }
   file_line { 'Set ZNC SSL DH Param File':
     path  => '/var/lib/znc/configs/znc.conf',
     match => '^SSLDHParamFile',
-    line  => 'SSLDHParamFile = /run/credentials/fullchain.pem',
+    line  => "SSLDHParamFile = /etc/letsencrypt/live/${certname}/fullchain.pem",
   }
   file_line { 'Set ZNC SSL Key File':
     path  => '/var/lib/znc/configs/znc.conf',
     match => '^SSLKeyFile',
-    line  => 'SSLKeyFile = /run/credentials/privkey.pem',
+    line  => "SSLKeyFile = /etc/letsencrypt/live/${certname}/privkey.pem",
   }
 
   # lysconf module comes bundled with lysator-version of znc
@@ -108,7 +110,7 @@ class irc_bouncer::setup {
     propagation_seconds => 10,
     manage_package      => true,
   }
-  -> letsencrypt::certonly { $facts['fqdn']:
+  -> letsencrypt::certonly { $certname:
     ensure               => 'present',
     domains              => [ $facts['fqdn'], ],
     plugin               => 'dns-rfc2136',
@@ -116,11 +118,11 @@ class irc_bouncer::setup {
     suppress_cron_output => true,
   }
 
-  # transient config to undo earlier change
   file { ['/etc/letsencrypt/live',
           '/etc/letsencrypt/archive', ]:
     ensure => directory,
-    mode   => '0700',
+    mode   => '0750',
+    group  => 'znc',
   }
 
   file { '/var/lib/znc/moddata/cyrusauth/.registry':
@@ -140,6 +142,6 @@ class irc_bouncer::setup {
 
   systemd::unit_file { 'znc.service':
     content       => epp('irc_bouncer/znc.service.epp',
-      { 'keyname' => $facts['fqdn'], })
+      { 'keyname' => $certname, })
   }
 }

templates/znc.service.epp

@@ -3,14 +3,14 @@
 [Unit]
 Description=ZNC, an advanced IRC bouncer
 After=network-online.target
-     
+
 [Service]
 ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 User=znc
 
-LoadCredential=fullchain.pem:/etc/letsencrypt/live/<%= $keyname %>/fullchain.pem
-LoadCredential=privkey.pem:/etc/letsencrypt/live/<%= $keyname %>/privkey.pem
-     
+# LoadCredential=fullchain.pem:/etc/letsencrypt/live/<%= $keyname %>/fullchain.pem
+# LoadCredential=privkey.pem:/etc/letsencrypt/live/<%= $keyname %>/privkey.pem
+
 [Install]
 WantedBy=multi-user.target