authorbnewbold <bnewbold@robocracy.org>2016-07-22 18:38:16 -0700
committerbnewbold <bnewbold@robocracy.org>2016-07-22 18:38:16 -0700
commitd1a62b36a6d8b350e3088ec59de088669b271994 (patch)
treee30499fcf3b69cfa11b6a2492e0b520ee5f2cfd5
parent90b6400c511ad214c58abb3127a2e96ae6c1ae24 (diff)
downloadinfra-d1a62b36a6d8b350e3088ec59de088669b271994.tar.gz
infra-d1a62b36a6d8b350e3088ec59de088669b271994.zip
add znc setup from sovereign (verbatim)
-rw-r--r--roles/znc/defaults/main.yml1
-rw-r--r--roles/znc/files/etc_systemd_system_znc.service11
-rw-r--r--roles/znc/handlers/main.yml2
-rw-r--r--roles/znc/tasks/main.yml1
-rw-r--r--roles/znc/tasks/znc.yml65
-rw-r--r--roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j27
-rw-r--r--roles/znc/templates/usr_lib_znc_configs_znc.conf.j284
7 files changed, 171 insertions, 0 deletions
diff --git a/roles/znc/defaults/main.yml b/roles/znc/defaults/main.yml
new file mode 100644
index 0000000..41370ff
--- /dev/null
+++ b/roles/znc/defaults/main.yml
@@ -0,0 +1 @@
+irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"
diff --git a/roles/znc/files/etc_systemd_system_znc.service b/roles/znc/files/etc_systemd_system_znc.service
new file mode 100644
index 0000000..866607b
--- /dev/null
+++ b/roles/znc/files/etc_systemd_system_znc.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=ZNC, an IRC bouncer
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/znc --datadir=/usr/lib/znc
+PIDFile=/var/run/znc/znc.pid
+User=znc
+
+[Install]
+WantedBy=multi-user.target
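Review bot: The unit names `PIDFile=/var/run/znc/znc.pid` but declares no `Type=`, so systemd treats it as `Type=simple`; ZNC daemonizes unless started with `--foreground` (`-f`), and under `simple` the exit of the forking parent ends the service and the detached child is killed with the cgroup — verify this against the installed znc version, but either `Type=forking` or `ExecStart=/usr/bin/znc --foreground --datadir=/usr/lib/znc` (dropping PIDFile) is needed. Independently, `/var/run` is tmpfs on systemd hosts, so the pid directory created by the tasks file does not survive a reboot; `RuntimeDirectory=znc` in `[Service]` recreates it on each start with the unit's user. Consider also `Group=znc` next to `User=znc` so the certificate file's group permission (0640 znc:znc in the tasks) is what actually applies.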
diff --git a/roles/znc/handlers/main.yml b/roles/znc/handlers/main.yml
new file mode 100644
index 0000000..d39db67
--- /dev/null
+++ b/roles/znc/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart znc
+ service: name=znc state=restarted \ No newline at end of file
diff --git a/roles/znc/tasks/main.yml b/roles/znc/tasks/main.yml
new file mode 100644
index 0000000..4b2f51d
--- /dev/null
+++ b/roles/znc/tasks/main.yml
@@ -0,0 +1 @@
+- include: znc.yml tags=znc \ No newline at end of file
diff --git a/roles/znc/tasks/znc.yml b/roles/znc/tasks/znc.yml
new file mode 100644
index 0000000..e5f7ab5
--- /dev/null
+++ b/roles/znc/tasks/znc.yml
@@ -0,0 +1,65 @@
+# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
+
+- name: Install znc
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - znc
+
+- name: Create znc group
+ group: name=znc state=present
+
+- name: Create znc user
+ user: name=znc state=present home=/usr/lib/znc system=yes group=znc shell=/usr/sbin/nologin
+
+- name: Ensure pid directory exists
+ file: state=directory path=/var/run/znc group=znc owner=znc
+
+- name: Ensure configuration folders exist
+ file: state=directory path=/usr/lib/znc/{{ item }} group=znc owner=znc
+ with_items:
+ - moddata
+ - modules
+ - users
+
+- name: Copy znc service file into place
+ copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
+
+- name: Create a combined version of the SSL private key and full certificate chain
+ shell: cat /etc/letsencrypt/live/{{ domain }}/privkey.pem
+ /etc/letsencrypt/live/{{ domain }}/fullchain.pem >
+ /usr/lib/znc/znc.pem
+ creates=/usr/lib/znc/znc.pem
+ notify: restart znc
+
+- name: Update post-certificate-renewal task
+ template:
+ src: etc_letsencrypt_postrenew_znc.sh.j2
+ dest: /etc/letsencrypt/postrenew/znc.sh
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure znc user and group can read cert
+ file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=0640
+ notify: restart znc
+
+- name: Check for existing config file
+ command: cat /usr/lib/znc/configs/znc.conf
+ register: znc_config
+ ignore_errors: True
+ changed_when: False # never report as "changed"
+
+- name: Create znc config directory
+ file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
+
+- name: Copy znc configuration file into place
+ template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
+ when: znc_config.rc != 0
+ notify: restart znc
+
+- name: Set firewall rule for znc
+ ufw: rule=allow port=6697 proto=tcp
+ tags: ufw
+
+- name: Ensure znc is a system service
+ service: name=znc state=restarted enabled=true
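Review bot: "Check for existing config file" (the `command: cat /usr/lib/znc/configs/znc.conf` task) reads the whole config, including the `<Pass>` hash and salt, into the registered `znc_config` result, where it ends up in verbose output and callback/log plugins; only existence is needed, so use `stat: path=/usr/lib/znc/configs/znc.conf` with `register: znc_config` and `when: not znc_config.stat.exists` on the template task (the `ignore_errors`/`changed_when` lines then go away). The combined-key task writes `/usr/lib/znc/znc.pem` through a shell redirect, so it is created root-owned with umask-default permissions until the later `file: ... mode=0640` task tightens it; a `umask 077 &&` prefix in the `shell` line closes that window, and the same applies to the renewal script. The final task uses `state=restarted`, which restarts ZNC (dropping every client session) on every play run even when nothing changed; `state=started` plus the existing `notify: restart znc` handlers is the idempotent form.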
diff --git a/roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2 b/roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2
new file mode 100644
index 0000000..bcdfae1
--- /dev/null
+++ b/roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Executed by /etc/cron.daily/letsencrypt-renew
+
+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
+chown znc.znc /usr/lib/znc/znc.pem
+chmod 640 /usr/lib/znc/znc.pem
+service znc restart
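Review bot: The `cat ... > /usr/lib/znc/znc.pem` line creates the file with the caller's default umask (typically 0644) before `chmod 640` runs, so the private key is briefly world-readable on each renewal, and nothing stops on failure — a truncated `znc.pem` followed by a restart would leave ZNC without a usable certificate. Adding `set -e` and `umask 077` before the `cat` closes both gaps; `chown znc.znc` should also become `chown znc:znc`, since the dot separator is deprecated syntax. The shebang and cron comment are fine as they are.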
diff --git a/roles/znc/templates/usr_lib_znc_configs_znc.conf.j2 b/roles/znc/templates/usr_lib_znc_configs_znc.conf.j2
new file mode 100644
index 0000000..1ff626b
--- /dev/null
+++ b/roles/znc/templates/usr_lib_znc_configs_znc.conf.j2
@@ -0,0 +1,84 @@
+// WARNING
+//
+// Do NOT edit this file while ZNC is running!
+// Use webadmin or *controlpanel instead.
+//
+// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
+// Also check http://en.znc.in/wiki/Configuration
+
+AnonIPLimit = 10
+ConnectDelay = 5
+LoadModule = webadmin
+LoadModule = fail2ban
+LoadModule = lastseen
+LoadModule = partyline
+MaxBufferSize = 500
+Motd = Connected to ZNC
+PidFile = /var/run/znc/znc.pid
+ProtectWebSessions = true
+SSLCertFile = /usr/lib/znc/znc.pem
+ServerThrottle = 30
+Skin = _default_
+StatusPrefix = *
+Version = 1.0
+
+<Listener listener0>
+ AllowIRC = true
+ AllowWeb = false
+ IPv4 = true
+ IPv6 = true
+ Port = 6697
+ SSL = true
+</Listener>
+
+<Listener listener1>
+ AllowIRC = false
+ AllowWeb = true
+ IPv4 = true
+ IPv6 = true
+ Port = 6643
+ SSL = false
+</Listener>
+
+<User {{ irc_nick }}>
+ Admin = true
+ Allow = *
+ AltNick = {{ irc_nick }}_
+ AppendTimestamp = false
+ AutoClearChanBuffer = true
+ Buffer = 5000
+ ChanModes = +stn
+ DenyLoadMod = false
+ DenySetBindHost = false
+ Ident = {{ irc_ident }}
+ JoinTries = 10
+ LoadModule = controlpanel
+ LoadModule = perform
+ LoadModule = block_motd
+ LoadModule = clientnotify
+ MaxNetworks = 1
+ MultiClients = true
+ Nick = {{ irc_nick }}
+ PrependTimestamp = true
+ QuitMsg = {{ irc_quitmsg }}
+ RealName = {{ irc_realname }}
+ TimestampFormat = [%H:%M:%S]
+ Timezone = {{ irc_timezone }}
+
+ <Pass password>
+ Method = sha256
+ Hash = {{ irc_password_hash }}
+ Salt = {{ irc_password_salt }}
+ </Pass>
+
+ <Network freenode>
+ BindHost = 0.0.0.0
+ FloodBurst = 4
+ FloodRate = 1.00
+ IRCConnectEnabled = true
+ LoadModule = kickrejoin
+ LoadModule = nickserv
+ LoadModule = savebuff
+ Server = chat.freenode.net +6697
+ </Network>
+</User>
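Review bot: `<Listener listener1>` exposes webadmin (`AllowWeb = true`) on port 6643 with `SSL = false` and no `Host =` restriction, so admin credentials for the `Admin = true` user travel in cleartext and the listener binds every interface; the ufw task in znc.yml only opens 6697, which masks this on hosts where ufw is active but is not a property of the config itself. Set `SSL = true` on listener1 (the same `SSLCertFile` serves it), or bind it to loopback with `Host = 127.0.0.1` and reach it over an SSH tunnel. `ProtectWebSessions = true` and the hashed `<Pass>` block are good as-is; the `Buf if you feel risky` typo in the header comment is upstream ZNC text, not something to fix here.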