diff --git a/manifests/setup.pp b/manifests/setup.pp
index d8f925d3ad3ebe50b545502230a17320334813b3..6b77948727c39e6cfd73946bd3057fe8b3afead9 100644
--- a/manifests/setup.pp
+++ b/manifests/setup.pp
@@ -57,6 +57,22 @@ class irc_bouncer::setup {
 owner => 'znc',
 }
+ file_line { 'Set ZNC SSL Cert File':
+ path => '/var/lib/znc/configs/znc.conf',
+ match => '^SSLCertFile',
+ line => 'SSLCertFile = /run/credentials/fullchain.pem',
+ }
+ file_line { 'Set ZNC SSL DH Param File':
+ path => '/var/lib/znc/configs/znc.conf',
+ match => '^SSLDHParamFile',
+ line => 'SSLDHParamFile = /run/credentials/fullchain.pem',
+ }
+ file_line { 'Set ZNC SSL Key File':
+ path => '/var/lib/znc/configs/znc.conf',
+ match => '^SSLKeyFile',
+ line => 'SSLKeyFile = /run/credentials/privkey.pem',
+ }
+
 # lysconf module comes bundled with lysator-version of znc
 irc_bouncer::module { [
 'webadmin',
@@ -100,13 +116,11 @@ class irc_bouncer::setup {
 suppress_cron_output => true,
 }
- # Allow world to read our certificates so znc can access them.
- # In theory slightly unsafe, but noone else should have filesystem
- # access.
+ # transient config to undo earlier change
 file { ['/etc/letsencrypt/live', '/etc/letsencrypt/archive', ]:
 ensure => directory,
- mode => '0755',
+ mode => '0700',
 }
 file { '/var/lib/znc/moddata/cyrusauth/.registry':
@@ -125,6 +139,7 @@ class irc_bouncer::setup {
 systemd::unit_file { 'znc.service':
- source => 'puppet:///modules/irc_bouncer/znc.service',
+ content => epp('irc_bouncer/znc.service.epp',
+ { 'keyname' => $facts['fqdn'], })
 }
 }
diff --git a/files/znc.service b/templates/znc.service.epp
similarity index 55%
rename from files/znc.service
rename to templates/znc.service.epp
index ee008c0340524181c63cbdca5aed3a238fe045b6..9d93c6d01bdfd6b7b8df59a5d4aeebf8f052fda5 100644
--- a/files/znc.service
+++ b/templates/znc.service.epp
@@ -1,3 +1,5 @@
+<%- | String $keyname
+| -%>
 [Unit]
 Description=ZNC, an advanced IRC bouncer
 After=network-online.target
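Review bot: The three `line` values point at `/run/credentials/fullchain.pem` and `/run/credentials/privkey.pem`, but systemd exposes credentials loaded with `LoadCredential=` under `$CREDENTIALS_DIRECTORY`, which is `/run/credentials/<unit name>/`, so for this unit ZNC needs `SSLCertFile = /run/credentials/znc.service/fullchain.pem` and `SSLKeyFile = /run/credentials/znc.service/privkey.pem`. The `LoadCredential=` lines in the `templates/znc.service.epp` hunk are what define those credential names, so the two files have to agree or znc starts without a usable certificate. `SSLDHParamFile = /run/credentials/fullchain.pem` aims the DH-parameter setting at the certificate chain, which certbot does not ship DH parameters in; I believe ZNC falls back to its defaults when the file carries no DH section, but that deserves a one-line comment on the resource (or dropping the resource) so it does not read as a typo. Also, `file_line` appends the line at end of file when `match` finds nothing, so this relies on `znc.conf` already containing these keys or tolerating them at the end — worth stating in a comment.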
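Review bot: The comment `# transient config to undo earlier change` leaves the next reader without what they need to retire it: which change, and when it is safe to remove. Suggest `# Temporary: reverts the 0755 mode previously set here so znc could read the certs directly. The unit now receives them via LoadCredential=, so drop this resource once every host has applied it.` Note also that the resource manages only the two directory modes without `recurse`, so if the earlier change had relaxed anything underneath `live`/`archive` as well, that is not reversed here (cannot tell from this hunk whether it did).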
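Review bot: `$facts['fqdn']` is a legacy fact; recent Puppet (8) no longer collects legacy facts by default, in which case this resolves to undef and the template's `String $keyname` parameter fails at compile time. Use the structured fact instead: `{ 'keyname' => $facts['networking']['fqdn'] }`. The value becomes a path component inside the unit file, so a comment on the resource naming that contract (`# keyname selects /etc/letsencrypt/live/<keyname>/`) would help whoever later changes the lookup.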
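Review bot: The parameter tag is split over two lines (`<%- | String $keyname` / `| -%>`), which reads like a stray `|`; put it on one line, `<%- | String $keyname | -%>`. Because `$keyname` is spliced into a filesystem path in the `LoadCredential=` lines further down, a type that rejects slashes, whitespace and the empty string is preferable to `String` — `Stdlib::Fqdn` is available, since the manifest already depends on stdlib for `file_line`. A short leading comment in the template stating that the value selects the `/etc/letsencrypt/live/<name>/` directory would document the contract at the point it is consumed.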
@@ -6,6 +8,9 @@ After=network-online.target
 ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 User=znc
+
+LoadCredential=fullchain.pem:/etc/letsencrypt/live/<%= $keyname %>/fullchain.pem
+LoadCredential=privkey.pem:/etc/letsencrypt/live/<%= $keyname %>/privkey.pem
 [Install]
 WantedBy=multi-user.target
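Review bot: `LoadCredential=` copies the two files into the credentials directory when the unit starts, so a certificate renewed by certbot is not seen by the running znc until the service restarts, and nothing in this hunk (or the manifest hunks) arranges that; a comment such as `# Credentials are snapshotted at unit start: restart znc after certbot renews.` plus a renewal/deploy hook that restarts the service would close the gap. The paths also assume `/etc/letsencrypt/live/<%= $keyname %>/` exists on every host the template is rendered for; where certbot has not issued for that name yet, the unit now fails to start instead of running with the previous configuration, which is worth calling out in the module's documentation. `LoadCredential=` requires systemd 247 or newer, and the unit does not record that requirement.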