Secure ZNC with Let’s Encrypt and Cloudflare DNS (dns-01 challenge via dehydrated, renewed by a systemd timer)

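# install ZNC
# Everything in this listing runs as root on a Debian/Ubuntu host (apt,
# useradd, writes under /etc and /var/lib).
apt install znc
# Dedicated unprivileged system account; ZNC never needs an interactive shell.
# NOTE(review): on Debian the nologin binary lives in /usr/sbin and is only
# reachable as /sbin/nologin on merged-/usr systems, so resolve it instead of
# hard-coding the path. If the znc package already created a "znc" user this
# useradd reports "already exists" — check `getent passwd znc` first.
useradd --create-home -d /var/lib/znc --system --shell "$(command -v nologin)" \
  --comment "Account to run ZNC daemon" --user-group znc
# Generate the initial config as the znc user so the data dir stays owned by it.
# The Let's Encrypt certificate installed below is only used by an SSL
# listener, so enable SSL on the listener when the wizard asks.
sudo -u znc /usr/bin/znc --datadir=/var/lib/znc --makeconf
# Note: you need to finish interactive config wizard here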

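# set up dehydrated with CloudFlare DNS support
apt install curl python3 python3-pip
cd /usr/local/src
# NOTE(review): both repositories are cloned at whatever HEAD is today and
# will run unattended with the Cloudflare API key in their environment. Pin
# them to a reviewed commit (git checkout <sha>) before enabling the timer.
git clone https://github.com/lukas2511/dehydrated
git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook
# "letsencrypt" group: members may run dehydrated and read its state.
addgroup letsencrypt
adduser root letsencrypt   # root bypasses file modes anyway; kept as in the original
adduser znc letsencrypt    # the renewal timer runs dehydrated as znc
chgrp letsencrypt dehydrated/dehydrated
# Plain 755: the setgid bit (2755) is ignored on interpreted scripts by the
# Linux kernel, so it never had any effect here.
chmod 755 dehydrated/dehydrated
# Make the hook run under python3 (presumably its shebang says "python").
# NOTE(review): this blanket substitution touches every "python" in the file,
# not just the shebang — review `git diff` in the checkout after running it.
sed -i "s/python/python3/g" letsencrypt-cloudflare-hook/hook.py
# NOTE(review): the original listing installed from requirements.py; the
# conventional name is requirements.txt — use whichever file the checkout has.
pip3 install -r letsencrypt-cloudflare-hook/requirements.txt
# dehydrated state (account key, lock file) lives under /etc/dehydrated.
# The original misspelled this as "dehyderated", so /etc/dehydrated did not
# exist when the config was written to it below.
mkdir -p /etc/dehydrated/accounts
chgrp letsencrypt -R /etc/dehydrated
# Group write is needed because the timer runs dehydrated as the znc user,
# which must create the account key and the lock file. Keep "other" out
# entirely: the account key is a credential. (X = execute on dirs only.)
chmod -R g+rwX,o-rwx /etc/dehydrated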

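# config dehydrated
# Create the file with its final mode first: root:letsencrypt 0640 means the
# timer (running dehydrated as znc, a letsencrypt member) can read it and
# nobody else can, and it is never world-readable, not even briefly.
# The original left it root:root, which the znc user could not read at all.
install -m 0640 -o root -g letsencrypt /dev/null /etc/dehydrated/config
# Quoted delimiter: the key is written literally, so a value containing "$"
# or backticks is not expanded by the shell.
# NOTE(review): CF_KEY is the account-wide Global API Key. If your hook
# version accepts a scoped API token (DNS edit on this zone only), prefer it —
# a leaked global key controls the whole Cloudflare account.
cat > /etc/dehydrated/config <<'EOF'
export CF_EMAIL='[email protected]'
export CF_KEY='your_cloudflare_api_key'
EOF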

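# set up initial certificate
# Must be the same name used in znc-update-cert.service, which re-assembles
# /etc/znc/cert/<domain>/{privkey,cert,chain}.pem into znc.pem on every run.
# (The original issued example.com here and bundled irc.swineson.me there.)
DOMAIN=irc.swineson.me
mkdir -p /etc/znc/cert
chown znc:znc -R /etc/znc
chgrp letsencrypt /etc/znc/cert
# Issue as the znc user, not root: the renewal timer runs as znc and has to
# overwrite these files and read privkey.pem, which should be readable by its
# owner only. Run as root, they end up root-owned and the timer can neither
# read the key nor replace the files.
sudo -u znc /usr/local/src/dehydrated/dehydrated --cron --domain "$DOMAIN" --challenge dns-01 \
  -k /usr/local/src/letsencrypt-cloudflare-hook/hook.py --out /etc/znc/cert --accept-terms
# Replace the self-signed znc.pem with an empty 0600 file owned by znc.
# znc.pem will hold the private key; a plain `touch` by root creates it 0644,
# i.e. the key would have been world-readable once the bundle was written.
rm -f /var/lib/znc/znc.pem
install -m 0600 -o znc -g znc /dev/null /var/lib/znc/znc.pem
# Build the bundle now so ZNC has a usable certificate on first start instead
# of an empty file until the update service runs.
sudo -u znc bash -c "cat /etc/znc/cert/$DOMAIN/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem"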

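# set up systemd service
# Quoted heredoc delimiter: nothing in a unit file should be shell-expanded.
cat > /etc/systemd/system/znc.service <<'EOF'
[Unit]
Description=ZNC, an advanced IRC bouncer
# After= only orders against units that are already being started; Wants=
# actually pulls them in, so ZNC starts with the network up and the
# certificate bundle built rather than racing the timer.
Wants=network-online.target znc-update-cert.service
After=network-online.target znc-update-cert.service

[Service]
ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
User=znc
Restart=on-failure
# Basic hardening; an IRC bouncer needs neither privilege escalation nor a
# shared /tmp.
NoNewPrivileges=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF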
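cat > /etc/systemd/system/znc-update-cert.service <<'EOF'
[Unit]
Description=Update SSL certificate for ZNC
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# Runs as znc, so /etc/dehydrated and /etc/znc/cert/<domain> must be
# writable by znc (issue the initial certificate as znc, not root).
User=znc
# The domain must match the one used for the initial issuance.
# A failed renewal is deliberately tolerated (|| true) so a transient ACME or
# Cloudflare error re-bundles the existing certificate instead of leaving ZNC
# with none; dehydrated's stderr still goes to the journal, so watch it.
# umask 077 + chmod 600: znc.pem contains the private key and must never be
# world-readable.
ExecStart=/bin/bash -c "umask 077; (/usr/local/src/dehydrated/dehydrated --cron --domain irc.swineson.me --challenge dns-01 -k '/usr/local/src/letsencrypt-cloudflare-hook/hook.py' --out /etc/znc/cert --accept-terms || /bin/true) && cat /etc/znc/cert/irc.swineson.me/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem && chmod 600 /var/lib/znc/znc.pem"
# NOTE(review): a running ZNC may not re-read znc.pem for its listener. If
# clients keep seeing the old certificate after a renewal, reload/restart
# znc.service after this unit runs (this unit runs as znc and cannot call
# systemctl itself; use a root-run unit or a polkit rule for that).

[Install]
WantedBy=multi-user.target
EOF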
cat > /etc/systemd/system/znc-update-cert.timer <<'EOF'
[Unit]
Description=Update ZNC SSL certificate automatically

[Timer]
# First run 5 minutes after boot, then once a day after each run finishes.
# dehydrated only re-issues when the certificate is near expiry (by default),
# so the daily run is normally a cheap no-op that re-bundles znc.pem.
OnBootSec=5min
OnUnitInactiveSec=1d
Unit=znc-update-cert.service

[Install]
WantedBy=timers.target
EOF

# start everything
systemctl daemon-reload
# enable --now = enable + start in one step. znc.service is ordered
# After=znc-update-cert.service, so the certificate bundle is assembled
# before ZNC comes up; the timer keeps it renewed from then on.
systemctl enable --now znc-update-cert.service znc-update-cert.timer znc.service

 
