From 551a067e37b4aaf9dce260460ce50dc69360da9d Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Sun, 22 Sep 2019 10:56:27 +0800
Subject: znc: Update certificate deployment w.r.t. acme.sh
---
 roles/znc/tasks/main.yml | 21 ++++++++++++++++-----
 roles/znc/templates/acme/znc.j2 | 34 ----------------------------------
 roles/znc/templates/deploy_ssl.sh.j2 | 22 ++++++++++++++++++++++
 roles/znc/templates/znc.conf.j2 | 16 +++++-----------
 4 files changed, 43 insertions(+), 50 deletions(-)
 delete mode 100644 roles/znc/templates/acme/znc.j2
 create mode 100644 roles/znc/templates/deploy_ssl.sh.j2
diff --git a/roles/znc/tasks/main.yml b/roles/znc/tasks/main.yml
index 93754ff..bf6ecb4 100644
--- a/roles/znc/tasks/main.yml
+++ b/roles/znc/tasks/main.yml
@@ -22,6 +22,15 @@
 mode: 0600
 notify: reload-znc
+- name: znc - generate SSL cert deploy script
+ template:
+ src: deploy_ssl.sh.j2
+ dest: "{{ znc.data_dir }}/deploy_ssl.sh"
+ mode: 0755
+
+- name: znc - deploy SSL cert
+ command: sh {{ znc.data_dir }}/deploy_ssl.sh
+
 - name: znc - enable service
 blockinfile:
 path: /etc/rc.conf
@@ -31,10 +40,12 @@
 znc_enable="YES"
 - name: znc - start service
- command: rcstart znc
+ service:
+ name: znc
+ state: started
-- name: acme - generate deployment script
- template:
- src: acme/znc.j2
- dest: /usr/local/etc/acme/deploy.d/znc
+- name: acme - add znc to deploy
+ lineinfile:
+ path: "{{ web.acme_home }}/deploy.local.sh"
+ line: sh {{ znc.data_dir }}/deploy_ssl.sh
 tags: acme
diff --git a/roles/znc/templates/acme/znc.j2 b/roles/znc/templates/acme/znc.j2
deleted file mode 100644
index 0be5dc0..0000000
--- a/roles/znc/templates/acme/znc.j2
+++ /dev/null
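Review bot: The root-executed deploy hook is templated to `{{ znc.data_dir }}/deploy_ssl.sh`, and the same path is what acme.sh's `deploy.local.sh` runs with root privileges later in this file; if `znc.data_dir` is owned by the `znc` service account (presumably, since the script chowns the key to `znc:znc` there and ZNC writes into its data dir), that account can replace a script root executes. Keep root-run hooks in a root-owned location — the removed task used `/usr/local/etc/acme/deploy.d/znc`, and a path under `{{ web.acme_home }}` or `/usr/local/etc` would do — and reference that path from both the template task and the `lineinfile` task. Separately, `command: sh {{ znc.data_dir }}/deploy_ssl.sh` reports changed on every play and re-copies the key even when nothing was re-templated; adding `changed_when: false`, or turning the invocation into a handler notified by the template task, keeps the play idempotent. `mode: 0755` is accepted by Ansible because of the leading zero, but quoting it (`mode: "0755"`) matches the yamllint convention and avoids the octal-int trap if the zero is ever dropped.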
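Review bot: The `acme - add znc to deploy` task is tagged `acme`, but the `template` task that creates `{{ znc.data_dir }}/deploy_ssl.sh` in the earlier hunk carries no tag, so a run limited to `--tags acme` registers `sh {{ znc.data_dir }}/deploy_ssl.sh` in `deploy.local.sh` while the script may not exist yet; the removed `acme - generate deployment script` task was self-contained under that tag. Add `tags: acme` to the template task as well so the two stay in step. `lineinfile` also fails outright when `{{ web.acme_home }}/deploy.local.sh` is absent (the default is `create: false`); if the web role does not guarantee the file, add `create: true` with an explicit root-owned `owner`/`mode`, since the file is executed by root.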
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# ACME deployment script
-#
-
-# NOTE:
-# ZNC supports SSLKeyFile and SSLDHParamFile since v1.7
-#
-#cp -v /usr/local/etc/ssl/acme/private/{{ network.domain }}.pem \
- {{ znc.data_dir }}/znc.ssl.key
-#cp -v /usr/local/etc/ssl/acme/{{ network.domain }}/fullchain.pem \
- {{ znc.data_dir }}/znc.ssl.crt
-#chown znc:znc {{ znc.data_dir }}/znc.ssl.key {{ znc.data_dir }}/znc.ssl.crt
-#chmod 0400 {{ znc.data_dir }}/znc.ssl.key {{ znc.data_dir }}/znc.ssl.crt
-
-# SSL: https://wiki.znc.in/Signed_SSL_certificate
-# Everything in a single file, in the order from the most *private* to
-# the most *public* entries, except for the root certificate.
-# i.e., cat ssl.key ssl.cert dhparam.pem > znc.allinone.pem
-#
-cat /usr/local/etc/ssl/acme/private/{{ network.domain }}.pem \
- /usr/local/etc/ssl/acme/{{ network.domain }}/fullchain.pem \
- /usr/local/etc/ssl/dhparam4096.pem \
- > {{ znc.data_dir }}/znc.allinone.pem
-chown znc:znc {{ znc.data_dir }}/znc.allinone.pem
-chmod 0400 {{ znc.data_dir }}/znc.allinone.pem
-
-if pgrep -x znc >/dev/null; then
- echo "Reloading service znc: ..."
- killall -SIGHUP znc
- echo "ok"
-else
- echo "WARNING: service znc is not running" >&2
-fi
diff --git a/roles/znc/templates/deploy_ssl.sh.j2 b/roles/znc/templates/deploy_ssl.sh.j2
new file mode 100644
index 0000000..679ea4d
--- /dev/null
+++ b/roles/znc/templates/deploy_ssl.sh.j2
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copy the issued SSL key and certificate to deploy them for ZNC.
+#
+# Reference: https://wiki.znc.in/Signed_SSL_certificate
+#
+
+cp -v {{ web.ssl_root }}/{{ network.domain }}/key \
+ {{ znc.data_dir }}/ssl.key
+cp -v {{ web.ssl_root }}/{{ network.domain }}/fullchain \
+ {{ znc.data_dir }}/ssl.crt
+chown znc:znc {{ znc.data_dir }}/ssl.key {{ znc.data_dir }}/ssl.crt
+chmod 0400 {{ znc.data_dir }}/ssl.key {{ znc.data_dir }}/ssl.crt
+
+if pgrep -x znc >/dev/null; then
+ echo -n "Reloading service znc ... "
+ # ZNC's service file doesn't support 'reload' command
+ killall -SIGHUP znc
+ echo "done"
+else
+ echo "WARNING: service znc is not running" >&2
+fi
diff --git a/roles/znc/templates/znc.conf.j2 b/roles/znc/templates/znc.conf.j2
index 17034d4..6b96611 100644
--- a/roles/znc/templates/znc.conf.j2
+++ b/roles/znc/templates/znc.conf.j2
@@ -12,21 +12,15 @@
 // Also check http://wiki.znc.in/Configuration
 //
-Version = 1.6.5
+Version = 1.7.4
 HideVersion = true
 MaxBufferSize = {{ znc.buffer_size }}
 SSLProtocols = +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3 -SSLv2
-// SSL: https://wiki.znc.in/Signed_SSL_certificate
-// Everything in a single file, in the order from the most *private* to
-// the most *public* entries, except for the root certificate.
-// i.e., cat ssl.key ssl.cert dhparam.pem > znc.allinone.pem
-SSLCertFile = {{ znc.data_dir }}/znc.allinone.pem
-
-// NOTE: SSLKeyFile & SSLDHParamFile requires version >=1.7
-//SSLCertFile = {{ znc.data_dir }}/znc.ssl.crt
-//SSLKeyFile = {{ znc.data_dir }}/znc.ssl.key
-//SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
+// NOTE: SSLKeyFile & SSLDHParamFile require version >=1.7
+SSLCertFile = {{ znc.data_dir }}/ssl.crt
+SSLKeyFile = {{ znc.data_dir }}/ssl.key
+SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
 // NOTE: DragonFly BSD doesn't allow using "IPV6_V6ONLY=0" to bind on
 // both IPv4 & IPv6, therefore bind them separately.
-- cgit v1.2.2
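Review bot: `cp -v ... /key` creates `{{ znc.data_dir }}/ssl.key` with the caller's umask on the first deployment, and the `chown`/`chmod 0400` that tighten it only run two lines later, so the private key is briefly readable by whatever the umask allows (re-runs are unaffected because `cp` keeps an existing file's mode). The script also has no `set -e`, so a failed copy — for example before the first certificate has been issued — still falls through to `chown`, `chmod` and the SIGHUP of znc. `install -m 0400 -o znc -g znc SRC DST` creates each file with its final ownership and mode in a single step and fails loudly, and `set -e` at the top stops the script there. `echo -n` is not guaranteed by POSIX sh; `printf '%s' "Reloading service znc ... "` is the portable form and behaves identically on DragonFly's /bin/sh.
```shell
#!/bin/sh
# … unchanged: header comments …
set -e

install -v -m 0400 -o znc -g znc \
    {{ web.ssl_root }}/{{ network.domain }}/key \
    {{ znc.data_dir }}/ssl.key
install -v -m 0400 -o znc -g znc \
    {{ web.ssl_root }}/{{ network.domain }}/fullchain \
    {{ znc.data_dir }}/ssl.crt

# … unchanged: pgrep / SIGHUP reload block …
```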
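Review bot: The new `SSLCertFile`/`SSLKeyFile` lines point at files this template does not create, and nothing here says who does; a reader of znc.conf alone cannot tell that `{{ znc.data_dir }}/ssl.crt` and `ssl.key` are written (mode 0400, owned by znc) by `{{ znc.data_dir }}/deploy_ssl.sh`, which is hooked into acme.sh's `deploy.local.sh` and SIGHUPs znc instead of restarting it. Extend the NOTE above them, e.g. `// ssl.crt/ssl.key are installed by deploy_ssl.sh (run from acme.sh's deploy.local.sh); znc is sent SIGHUP after each renewal.` The hard-coded `Version = 1.7.4` also has to track the installed package by hand, since ZNC compares it with the running binary when reading the config; if the role already has a variable for the znc package version, templating it here avoids a manual bump on every upgrade — I cannot see the role's defaults from this hunk.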