From da606a293db8edba1c3c41263f9e103a7f7587cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= <hugo@lysator.liu.se>
Date: Sun, 4 Jul 2021 00:18:28 +0200
Subject: [PATCH] Update systemd service to use LoadCredential:s

---
 manifests/setup.pp                            | 25 +++++++++++++++----
 .../znc.service => templates/znc.service.epp  |  5 ++++
 2 files changed, 25 insertions(+), 5 deletions(-)
 rename files/znc.service => templates/znc.service.epp (55%)

diff --git a/manifests/setup.pp b/manifests/setup.pp
index d8f925d..6b77948 100644
--- a/manifests/setup.pp
+++ b/manifests/setup.pp
@@ -57,6 +57,22 @@ class irc_bouncer::setup {
     owner   => 'znc',
   }
 
+  file_line { 'Set ZNC SSL Cert File':
+    path  => '/var/lib/znc/configs/znc.conf',
+    match => '^SSLCertFile',
+    line  => 'SSLCertFile = /run/credentials/fullchain.pem',
+  }
+  file_line { 'Set ZNC SSL DH Param File':
+    path  => '/var/lib/znc/configs/znc.conf',
+    match => '^SSLDHParamFile',
+    line  => 'SSLDHParamFile = /run/credentials/fullchain.pem',
+  }
+  file_line { 'Set ZNC SSL Key File':
+    path  => '/var/lib/znc/configs/znc.conf',
+    match => '^SSLKeyFile',
+    line  => 'SSLKeyFile = /run/credentials/privkey.pem',
+  }
+
   # lysconf module comes bundled with lysator-version of znc
 
   irc_bouncer::module { [ 'webadmin',
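Review bot: The three new `line` values point at `/run/credentials/<name>`, but systemd exposes credentials loaded with `LoadCredential=` under `$CREDENTIALS_DIRECTORY`, which is `/run/credentials/<unit>/`, so for this unit the files land at `/run/credentials/znc.service/fullchain.pem` and `/run/credentials/znc.service/privkey.pem`; as written znc will fail to open its certificate and key on the next restart. Change the lines to `line  => 'SSLCertFile = /run/credentials/znc.service/fullchain.pem',`, `line  => 'SSLKeyFile = /run/credentials/znc.service/privkey.pem',` and the matching `SSLDHParamFile` line. Separately, `SSLDHParamFile` is set to `fullchain.pem`, which looks like a copy-paste from the cert resource: a Let's Encrypt fullchain contains no DH parameters, so this either silently falls back to znc's built-in behaviour or errors, depending on the znc version; either point it at a real DH parameter file or drop the resource and let znc default it to the cert file. The credential names these paths must agree with are declared in the `LoadCredential=` hunk of templates/znc.service.epp. The enclosing class `irc_bouncer::setup` starts before and ends after this hunk.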
@@ -100,13 +116,11 @@ class irc_bouncer::setup {
     suppress_cron_output => true,
   }
 
-  # Allow world to read our certificates so znc can access them.
-  # In theory slightly unsafe, but noone else should have filesystem
-  # access.
+  # transient config to undo earlier change
   file { ['/etc/letsencrypt/live',
           '/etc/letsencrypt/archive', ]:
     ensure => directory,
-    mode   => '0755',
+    mode   => '0700',
   }
 
   file { '/var/lib/znc/moddata/cyrusauth/.registry':
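Review bot: The replacement comment `# transient config to undo earlier change` does not say what the earlier change was or when this resource can go away, which is the one thing the next maintainer needs, since the original comment explaining the 0755 mode is deleted in the same hunk. A comment along the lines of `# Revert the earlier world-readable mode: certificates are now handed to znc via systemd LoadCredential, so only root needs to read /etc/letsencrypt. Remove once every host has converged.` keeps that history. Note also that the resource manages only the two directory modes and does not recurse, so anything under `archive/` that was created while the directories were 0755 keeps whatever mode certbot gave it — presumably fine for the key, but worth confirming on a host that has already rotated certificates. `irc_bouncer::setup` continues outside this hunk.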
@@ -125,6 +139,7 @@ class irc_bouncer::setup {
 
 
   systemd::unit_file { 'znc.service':
-    source => 'puppet:///modules/irc_bouncer/znc.service',
+    content       => epp('irc_bouncer/znc.service.epp',
+      { 'keyname' => $facts['fqdn'], })
   }
 }
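Review bot: The new `content       =>` is padded with seven spaces to align with nothing, while the rest of the class aligns attribute arrows within each resource (`owner   =>`, `mode   =>`), so the attribute reads as a stray edit; `content => epp('irc_bouncer/znc.service.epp', { 'keyname' => $facts['fqdn'] }),` fits on one line and matches the file. `$facts['fqdn']` is one of the legacy flat facts; if this deployment has them disabled the template would receive `undef` and the `String $keyname` parameter would raise, so `$facts['networking']['fqdn']` is the safer lookup (assuming a Facter version that provides the structured `networking` fact, which is worth confirming). Whether a changed unit file also restarts znc depends on the `systemd::unit_file` defaults in the systemd module version in use; if it does not, the new `SSLCertFile`/`SSLKeyFile` paths from the earlier hunk will not be used until something restarts the service.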
diff --git a/files/znc.service b/templates/znc.service.epp
similarity index 55%
rename from files/znc.service
rename to templates/znc.service.epp
index ee008c0..9d93c6d 100644
--- a/files/znc.service
+++ b/templates/znc.service.epp
@@ -1,3 +1,5 @@
+<%- | String $keyname
+| -%>
 [Unit]
 Description=ZNC, an advanced IRC bouncer
 After=network-online.target
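Review bot: `String $keyname` is interpolated into a filesystem path further down the template, so any value containing `/` or `..` would redirect `LoadCredential=` to a different file under `/etc/letsencrypt`; the only caller passes a fact, but the template itself accepts anything. Since the manifest already uses stdlib's `file_line`, tightening the parameter to `<%- | Stdlib::Fqdn $keyname | -%>` makes the template reject such values at catalog time (confirm the stdlib version in use ships that type; otherwise `Pattern[/\A[^\/]+\z/]` does the same job with core Puppet only).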
@@ -6,6 +8,9 @@ After=network-online.target
 ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 User=znc
+
+LoadCredential=fullchain.pem:/etc/letsencrypt/live/<%= $keyname %>/fullchain.pem
+LoadCredential=privkey.pem:/etc/letsencrypt/live/<%= $keyname %>/privkey.pem
      
 [Install]
 WantedBy=multi-user.target
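Review bot: `LoadCredential=` copies the two files into the credentials directory when the service starts, so after certbot renews `fullchain.pem`/`privkey.pem` znc keeps serving the certificate it was started with until the unit is restarted, and nothing in this patch arranges that; a renewal deploy hook that runs `systemctl restart znc.service`, or an equivalent Puppet-managed trigger, is needed for the new setup to stay valid across renewals. The credential names `fullchain.pem` and `privkey.pem` are what the paths in manifests/setup.pp must reference, under `/run/credentials/znc.service/` rather than `/run/credentials/`. `LoadCredential=` also requires systemd 247 or newer; a short comment above these lines naming that requirement, e.g. `# LoadCredential= needs systemd >= 247; files appear under /run/credentials/znc.service/`, would save the next reader a trip to the manual.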
-- 
GitLab