From d1a62b36a6d8b350e3088ec59de088669b271994 Mon Sep 17 00:00:00 2001 From: bnewbold Date: Fri, 22 Jul 2016 18:38:16 -0700 Subject: add znc setup from sovereign (verbatim)
---
roles/znc/defaults/main.yml | 1 + roles/znc/files/etc_systemd_system_znc.service | 11 +++ roles/znc/handlers/main.yml | 2 + roles/znc/tasks/main.yml | 1 + roles/znc/tasks/znc.yml | 65 +++++++++++++++++ .../templates/etc_letsencrypt_postrenew_znc.sh.j2 | 7 ++ .../znc/templates/usr_lib_znc_configs_znc.conf.j2 | 84 ++++++++++++++++++++++ 7 files changed, 171 insertions(+) create mode 100644 roles/znc/defaults/main.yml create mode 100644 roles/znc/files/etc_systemd_system_znc.service create mode 100644 roles/znc/handlers/main.yml create mode 100644 roles/znc/tasks/main.yml create mode 100644 roles/znc/tasks/znc.yml create mode 100644 roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2 create mode 100644 roles/znc/templates/usr_lib_znc_configs_znc.conf.j2
diff --git a/roles/znc/defaults/main.yml b/roles/znc/defaults/main.yml
new file mode 100644
index 0000000..41370ff
--- /dev/null
+++ b/roles/znc/defaults/main.yml
@@ -0,0 +1 @@
+irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"
diff --git a/roles/znc/files/etc_systemd_system_znc.service b/roles/znc/files/etc_systemd_system_znc.service
new file mode 100644
index 0000000..866607b
--- /dev/null
+++ b/roles/znc/files/etc_systemd_system_znc.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=ZNC, an IRC bouncer
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/znc --datadir=/usr/lib/znc
+PIDFile=/var/run/znc/znc.pid
+User=znc
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/znc/handlers/main.yml b/roles/znc/handlers/main.yml
new file mode 100644
index 0000000..d39db67
--- /dev/null
+++ b/roles/znc/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart znc
+ service: name=znc state=restarted
\ No newline at end of file
diff --git a/roles/znc/tasks/main.yml b/roles/znc/tasks/main.yml
new file mode 100644
index 0000000..4b2f51d
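Review bot: `PIDFile=/var/run/znc/znc.pid` depends on `/var/run/znc` existing at start, but that directory is only created by an Ansible `file` task in znc.yml; on hosts where `/run` is a tmpfs (the systemd default) it is gone after a reboot and znc may fail to write its pid file until the play is run again. Adding `RuntimeDirectory=znc` to `[Service]` makes systemd create `/run/znc` owned by the `User=` on every start, which also removes the need for the separate pid-directory task. Since the unit already drops to an unprivileged user, `NoNewPrivileges=true` and `PrivateTmp=true` are cheap additional containment; `ProtectSystem=` is not usable as written because the datadir lives under `/usr/lib/znc`.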
--- /dev/null
+++ b/roles/znc/tasks/main.yml
@@ -0,0 +1 @@
+- include: znc.yml tags=znc
\ No newline at end of file
diff --git a/roles/znc/tasks/znc.yml b/roles/znc/tasks/znc.yml
new file mode 100644
index 0000000..e5f7ab5
--- /dev/null
+++ b/roles/znc/tasks/znc.yml
@@ -0,0 +1,65 @@
+# more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
+
+- name: Install znc
+ apt: pkg={{ item }} state=installed
+ with_items:
+ - znc
+
+- name: Create znc group
+ group: name=znc state=present
+
+- name: Create znc user
+ user: name=znc state=present home=/usr/lib/znc system=yes group=znc shell=/usr/sbin/nologin
+
+- name: Ensure pid directory exists
+ file: state=directory path=/var/run/znc group=znc owner=znc
+
+- name: Ensure configuration folders exist
+ file: state=directory path=/usr/lib/znc/{{ item }} group=znc owner=znc
+ with_items:
+ - moddata
+ - modules
+ - users
+
+- name: Copy znc service file into place
+ copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
+
+- name: Create a combined version of the SSL private key and full certificate chain
+ shell: cat /etc/letsencrypt/live/{{ domain }}/privkey.pem
+ /etc/letsencrypt/live/{{ domain }}/fullchain.pem >
+ /usr/lib/znc/znc.pem
+ creates=/usr/lib/znc/znc.pem
+ notify: restart znc
+
+- name: Update post-certificate-renewal task
+ template:
+ src: etc_letsencrypt_postrenew_znc.sh.j2
+ dest: /etc/letsencrypt/postrenew/znc.sh
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Ensure znc user and group can read cert
+ file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=0640
+ notify: restart znc
+
+- name: Check for existing config file
+ command: cat /usr/lib/znc/configs/znc.conf
+ register: znc_config
+ ignore_errors: True
+ changed_when: False # never report as "changed"
+
+- name: Create znc config directory
+ file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
+
+- name: Copy znc configuration file into place
+ template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
+ when: znc_config.rc != 0
+ notify: restart znc
+
+- name: Set firewall rule for znc
+ ufw: rule=allow port=6697 proto=tcp
+ tags: ufw
+
+- name: Ensure znc is a system service
+ service: name=znc state=restarted enabled=true
diff --git a/roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2 b/roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2
new file mode 100644
index 0000000..bcdfae1
--- /dev/null
+++ b/roles/znc/templates/etc_letsencrypt_postrenew_znc.sh.j2
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Executed by /etc/cron.daily/letsencrypt-renew
+
+cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /usr/lib/znc/znc.pem
+chown znc.znc /usr/lib/znc/znc.pem
+chmod 640 /usr/lib/znc/znc.pem
+service znc restart
diff --git a/roles/znc/templates/usr_lib_znc_configs_znc.conf.j2 b/roles/znc/templates/usr_lib_znc_configs_znc.conf.j2
new file mode 100644
index 0000000..1ff626b
--- /dev/null
+++ b/roles/znc/templates/usr_lib_znc_configs_znc.conf.j2
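Review bot: The "Create a combined version of the SSL private key and full certificate chain" task writes the Let's Encrypt private key through a root shell redirection, so until the later "Ensure znc user and group can read cert" task runs the file carries whatever mode root's umask yields (commonly 0644), and a play that stops between the two tasks leaves the key world-readable; prefixing the command with `umask 077 &&` creates it 0600 and lets the follow-up task widen it to 0640. The "Check for existing config file" task reads the entire config with `command: cat` into `znc_config`, which puts the rendered `Hash`/`Salt` values into the registered result and therefore into verbose play output; `stat: path=/usr/lib/znc/configs/znc.conf` with `when: not znc_config.stat.exists` answers the same question without capturing the file. The final task, `service: name=znc state=restarted enabled=true`, restarts znc on every run of the play and makes the `notify: restart znc` handlers redundant; `state=started` keeps the run idempotent.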
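Review bot: The `cat ... > /usr/lib/znc/znc.pem` line truncates the combined key file before `cat` reads anything, and the script has no `set -e`, so a missing or unreadable certificate path leaves an empty `znc.pem` that the unconditional `service znc restart` then hands to ZNC; between the `cat` and the `chmod 640` the private key also sits at whatever mode root's default umask gives. Writing under a restrictive umask to a temporary file, renaming it into place, and restarting only when every step succeeded closes both windows. `chown znc.znc` uses the deprecated dot separator; `znc:znc` is the portable form.
```shell
#!/bin/bash
set -euo pipefail
umask 077
tmp=/usr/lib/znc/znc.pem.tmp
cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > "$tmp"
chown znc:znc "$tmp"
chmod 640 "$tmp"
mv -f "$tmp" /usr/lib/znc/znc.pem
service znc restart
```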
@@ -0,0 +1,84 @@
+// WARNING
+//
+// Do NOT edit this file while ZNC is running!
+// Use webadmin or *controlpanel instead.
+//
+// Buf if you feel risky, you might want to read help on /znc saveconfig and /znc rehash.
+// Also check http://en.znc.in/wiki/Configuration
+
+AnonIPLimit = 10
+ConnectDelay = 5
+LoadModule = webadmin
+LoadModule = fail2ban
+LoadModule = lastseen
+LoadModule = partyline
+MaxBufferSize = 500
+Motd = Connected to ZNC
+PidFile = /var/run/znc/znc.pid
+ProtectWebSessions = true
+SSLCertFile = /usr/lib/znc/znc.pem
+ServerThrottle = 30
+Skin = _default_
+StatusPrefix = *
+Version = 1.0
+
+ AllowIRC = true
+ AllowWeb = false
+ IPv4 = true
+ IPv6 = true
+ Port = 6697
+ SSL = true
+
+
+ AllowIRC = false
+ AllowWeb = true
+ IPv4 = true
+ IPv6 = true
+ Port = 6643
+ SSL = false
+
+
+ Admin = true
+ Allow = *
+ AltNick = {{ irc_nick }}_
+ AppendTimestamp = false
+ AutoClearChanBuffer = true
+ Buffer = 5000
+ ChanModes = +stn
+ DenyLoadMod = false
+ DenySetBindHost = false
+ Ident = {{ irc_ident }}
+ JoinTries = 10
+ LoadModule = controlpanel
+ LoadModule = perform
+ LoadModule = block_motd
+ LoadModule = clientnotify
+ MaxNetworks = 1
+ MultiClients = true
+ Nick = {{ irc_nick }}
+ PrependTimestamp = true
+ QuitMsg = {{ irc_quitmsg }}
+ RealName = {{ irc_realname }}
+ TimestampFormat = [%H:%M:%S]
+ Timezone = {{ irc_timezone }}
+
+ Method = sha256
+ Hash = {{ irc_password_hash }}
+ Salt = {{ irc_password_salt }}
+
+
+ BindHost = 0.0.0.0
+ FloodBurst = 4
+ FloodRate = 1.00
+ IRCConnectEnabled = true
+ LoadModule = kickrejoin
+ LoadModule = nickserv
+ LoadModule = savebuff
+ Server = chat.freenode.net +6697
+
+
-- cgit v1.2.3
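Review bot: The second listener block (`AllowWeb = true`, `Port = 6643`, `SSL = false`) serves webadmin — the interface behind the admin login and the `controlpanel` module — in plaintext on every IPv4 and IPv6 address, since no `Host =` bind address is given; assuming ufw's default-deny policy, the only thing keeping it off the network is that the ufw task in znc.yml opens just 6697. Either set `SSL = true` on that listener as well or bind it to loopback with `Host = 127.0.0.1` and reach it over an SSH tunnel, so the admin credential does not depend on firewall state. The section tags (`<Listener>`, `<User>`, `<Pass>`, `<Network>`) do not survive in this rendering of the hunk, so the blocks above are identified by their fields rather than their headers.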