From 1975ac785727e1a19931e202d0e670e8c0905641 Mon Sep 17 00:00:00 2001
From: Aaron LI <aly@aaronly.me>
Date: Sun, 22 Sep 2019 13:03:02 +0800
Subject: znc: Use multiple servers and enable SSL

But accept all certificates, because most IRC servers use self-signed
certificates.
---
 group_vars/all/vars.yml         | 13 ++++++++++---
 roles/znc/templates/znc.conf.j2 | 12 ++++++++----
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 107aa41..665f8bd 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -174,9 +174,16 @@ znc:
   networks:
     # EFNet: http://www.efnet.org/?module=servers
     - name: efnet
-      server: efnet.port80.se
-      port: 6667
-      ssl: false
+      servers:
+        - name: irc.choopa.net
+          port: 9999
+          ssl: true
+        - name: irc.underworld.no
+          port: 6697
+          ssl: true
+        - name: efnet.port80.se
+          port: 6697
+          ssl: true
       # Without the beginning '#'
       channels:
         - dragonflybsd
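Review bot: The new `servers` list has no comment describing the keys the template reads per entry; znc.conf.j2 in this commit consumes `name`, `port`, `ssl` and an optional `password`. I would add a comment above `servers:` such as `# Each server: name, port, ssl (bool), optional password`. If a server password is ever set, it should presumably come from a vaulted variable rather than plain text in this file. Note that `ssl: true` only selects a TLS connection; whether the server certificate is verified is decided in the template, not here. The `znc:` mapping starts and ends outside this hunk.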
diff --git a/roles/znc/templates/znc.conf.j2 b/roles/znc/templates/znc.conf.j2
index 6b96611..2380ad4 100644
--- a/roles/znc/templates/znc.conf.j2
+++ b/roles/znc/templates/znc.conf.j2
@@ -22,6 +22,8 @@ SSLCertFile = {{ znc.data_dir }}/ssl.crt
 SSLKeyFile = {{ znc.data_dir }}/ssl.key
 SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
 
+LoadModule = adminlog
+
 // NOTE: DragonFly BSD doesn't allow using "IPV6_V6ONLY=0" to bind on
 //       both IPv4 & IPv6, therefore bind them separately.
 {% for listener in ["ipv4", "ipv6"] %}
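Review bot: `LoadModule = adminlog` is added without a comment, and the commit description does not mention it. A one-line comment such as `// Record connects, disconnects and failed logins for auditing` would tell the next maintainer why the module is loaded globally. It is also worth stating where the log is written (as far as I know the module can target a file, syslog or both), so that rotation and forwarding to the host's log pipeline are a deliberate choice.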
@@ -89,10 +91,12 @@ SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
         // Auth with NickServ
         LoadModule = nickserv
 
-        Server = {{ net.server }} {% if net.ssl|default(false) %}+{% endif%}{{ net.port }} {{ net.password|default("") }}
-        {% if net.fingerprint is defined -%}
-        TrustedServerFingerprint = {{ net.fingerprint }}
-        {% endif %}
+        {% for server in net.servers -%}
+        Server = {{ server.name }} {% if server.ssl|default(false) %}+{% endif%}{{ server.port }} {{ server.password|default("") }}
+        {% endfor %}
+
+        TrustPKI = true
+        TrustAllCerts = true
 
         {% for ch in net.channels -%}
         <Chan #{{ ch | regex_replace('^#', '') }}>
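Review bot: `TrustAllCerts = true` is emitted unconditionally for every network, so the `+` TLS connections added here are encrypted but not authenticated, and the same commit drops the `TrustedServerFingerprint` block that could pin a self-signed certificate. Since the `nickserv` module is loaded just above, the NickServ credentials and all traffic would be exposed to anyone able to intercept the connection to the IRC server. I would keep `TrustPKI = true`, make `TrustAllCerts` an explicit per-network opt-in that defaults to false, and keep fingerprint pinning for servers with self-signed certificates; `net.trust_all_certs` below is a suggested variable name, not one the repository already has. Separately, `net.servers` is iterated without a default, so any network entry still using the old `server`/`port` keys would fail to render. The enclosing network block starts and ends outside this hunk.

```jinja
        {# … unchanged: Server loop over net.servers … #}

        TrustPKI = true
        {# Verification stays on unless a network opts out explicitly. #}
        TrustAllCerts = {% if net.trust_all_certs|default(false) %}true{% else %}false{% endif %}

        {# Pin self-signed servers instead of disabling verification. #}
        {% if net.fingerprint is defined -%}
        TrustedServerFingerprint = {{ net.fingerprint }}
        {% endif %}
```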
-- 
cgit v1.2.2