From 551a067e37b4aaf9dce260460ce50dc69360da9d Mon Sep 17 00:00:00 2001
From: Aaron LI <aly@aaronly.me>
Date: Sun, 22 Sep 2019 10:56:27 +0800
Subject: znc: Update certificate deployment w.r.t. acme.sh

---
 roles/znc/tasks/main.yml             | 21 ++++++++++++++++-----
 roles/znc/templates/acme/znc.j2      | 34 ----------------------------------
 roles/znc/templates/deploy_ssl.sh.j2 | 22 ++++++++++++++++++++++
 roles/znc/templates/znc.conf.j2      | 16 +++++-----------
 4 files changed, 43 insertions(+), 50 deletions(-)
 delete mode 100644 roles/znc/templates/acme/znc.j2
 create mode 100644 roles/znc/templates/deploy_ssl.sh.j2

diff --git a/roles/znc/tasks/main.yml b/roles/znc/tasks/main.yml
index 93754ff..bf6ecb4 100644
--- a/roles/znc/tasks/main.yml
+++ b/roles/znc/tasks/main.yml
@@ -22,6 +22,15 @@
     mode: 0600
   notify: reload-znc
 
+- name: znc - generate SSL cert deploy script
+  template:
+    src: deploy_ssl.sh.j2
+    dest: "{{ znc.data_dir }}/deploy_ssl.sh"
+    mode: 0755
+
+- name: znc - deploy SSL cert
+  command: sh {{ znc.data_dir }}/deploy_ssl.sh
+
 - name: znc - enable service
   blockinfile:
     path: /etc/rc.conf
@@ -31,10 +40,12 @@
       znc_enable="YES"
 
 - name: znc - start service
-  command: rcstart znc
+  service:
+    name: znc
+    state: started
 
-- name: acme - generate deployment script
-  template:
-    src: acme/znc.j2
-    dest: /usr/local/etc/acme/deploy.d/znc
+- name: acme - add znc to deploy
+  lineinfile:
+    path: "{{ web.acme_home }}/deploy.local.sh"
+    line: sh {{ znc.data_dir }}/deploy_ssl.sh
   tags: acme
diff --git a/roles/znc/templates/acme/znc.j2 b/roles/znc/templates/acme/znc.j2
deleted file mode 100644
index 0be5dc0..0000000
--- a/roles/znc/templates/acme/znc.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# ACME deployment script
-#
-
-# NOTE:
-# ZNC supports SSLKeyFile and SSLDHParamFile since v1.7
-#
-#cp -v /usr/local/etc/ssl/acme/private/{{ network.domain }}.pem \
-#      {{ znc.data_dir }}/znc.ssl.key
-#cp -v /usr/local/etc/ssl/acme/{{ network.domain }}/fullchain.pem \
-#      {{ znc.data_dir }}/znc.ssl.crt
-#chown znc:znc {{ znc.data_dir }}/znc.ssl.key {{ znc.data_dir }}/znc.ssl.crt
-#chmod 0400    {{ znc.data_dir }}/znc.ssl.key {{ znc.data_dir }}/znc.ssl.crt
-
-# SSL: https://wiki.znc.in/Signed_SSL_certificate
-# Everything in a single file, in the order from the most *private* to
-# the most *public* entries, except for the root certificate.
-# i.e., cat ssl.key ssl.cert dhparam.pem > znc.allinone.pem
-#
-cat /usr/local/etc/ssl/acme/private/{{ network.domain }}.pem \
-    /usr/local/etc/ssl/acme/{{ network.domain }}/fullchain.pem \
-    /usr/local/etc/ssl/dhparam4096.pem \
-    > {{ znc.data_dir }}/znc.allinone.pem
-chown znc:znc {{ znc.data_dir }}/znc.allinone.pem
-chmod 0400    {{ znc.data_dir }}/znc.allinone.pem
-
-if pgrep -x znc >/dev/null; then
-    echo "Reloading service znc: ..."
-    killall -SIGHUP znc
-    echo "ok"
-else
-    echo "WARNING: service znc is not running" >&2
-fi
diff --git a/roles/znc/templates/deploy_ssl.sh.j2 b/roles/znc/templates/deploy_ssl.sh.j2
new file mode 100644
index 0000000..679ea4d
--- /dev/null
+++ b/roles/znc/templates/deploy_ssl.sh.j2
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copy the issued SSL key and certificate to deploy them for ZNC.
+#
+# Reference: https://wiki.znc.in/Signed_SSL_certificate
+#
+
+cp -v {{ web.ssl_root }}/{{ network.domain }}/key \
+    {{ znc.data_dir }}/ssl.key
+cp -v {{ web.ssl_root }}/{{ network.domain }}/fullchain \
+    {{ znc.data_dir }}/ssl.crt
+chown znc:znc {{ znc.data_dir }}/ssl.key {{ znc.data_dir }}/ssl.crt
+chmod 0400    {{ znc.data_dir }}/ssl.key {{ znc.data_dir }}/ssl.crt
+
+if pgrep -x znc >/dev/null; then
+    echo -n "Reloading service znc ... "
+    # ZNC's service file doesn't support 'reload' command
+    killall -SIGHUP znc
+    echo "done"
+else
+    echo "WARNING: service znc is not running" >&2
+fi
diff --git a/roles/znc/templates/znc.conf.j2 b/roles/znc/templates/znc.conf.j2
index 17034d4..6b96611 100644
--- a/roles/znc/templates/znc.conf.j2
+++ b/roles/znc/templates/znc.conf.j2
@@ -12,21 +12,15 @@
 // Also check http://wiki.znc.in/Configuration
 //
 
-Version = 1.6.5
+Version = 1.7.4
 HideVersion = true
 MaxBufferSize = {{ znc.buffer_size }}
 SSLProtocols = +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3 -SSLv2
 
-// SSL: https://wiki.znc.in/Signed_SSL_certificate
-// Everything in a single file, in the order from the most *private* to
-// the most *public* entries, except for the root certificate.
-// i.e., cat ssl.key ssl.cert dhparam.pem > znc.allinone.pem
-SSLCertFile = {{ znc.data_dir }}/znc.allinone.pem
-
-// NOTE: SSLKeyFile & SSLDHParamFile requires version >=1.7
-//SSLCertFile = {{ znc.data_dir }}/znc.ssl.crt
-//SSLKeyFile = {{ znc.data_dir }}/znc.ssl.key
-//SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
+// NOTE: SSLKeyFile & SSLDHParamFile require version >=1.7
+SSLCertFile = {{ znc.data_dir }}/ssl.crt
+SSLKeyFile = {{ znc.data_dir }}/ssl.key
+SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
 
 // NOTE: DragonFly BSD doesn't allow using "IPV6_V6ONLY=0" to bind on
 //       both IPv4 & IPv6, therefore bind them separately.
-- 
cgit v1.2.2