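# Provision ZNC with a Let's Encrypt certificate obtained through dehydrated
# and a Cloudflare DNS-01 hook. Run as root under bash on a Debian-style
# system (apt, adduser, systemd). The ZNC config wizard below is interactive.
set -euo pipefail

# Hostname the certificate is issued for. One value drives both the initial
# issuance and the renewal unit, so they always agree on the certificate
# directory under /etc/znc/cert. Override by exporting ZNC_DOMAIN.
ZNC_DOMAIN="${ZNC_DOMAIN:-example.com}"
# The value is written into a `bash -c` command line inside a systemd unit,
# so only plain hostname characters are accepted.
domain_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'
if [[ ! "$ZNC_DOMAIN" =~ $domain_re ]]; then
  printf 'invalid ZNC_DOMAIN: %s\n' "$ZNC_DOMAIN" >&2
  exit 1
fi

# install ZNC
apt install znc
useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin \
  --comment "Account to run ZNC daemon" --user-group znc
sudo -u znc /usr/bin/znc --datadir=/var/lib/znc --makeconf
# Note: you need to finish interactive config wizard here

# set up dehydrated with CloudFlare DNS support
apt install curl git python3 python3-pip
cd /usr/local/src
# Both repositories are cloned at whatever HEAD is today and are later run
# with access to the Cloudflare API key: read them first and check out a
# commit you have reviewed before going further.
git clone https://github.com/lukas2511/dehydrated
git clone https://github.com/kappataumu/letsencrypt-cloudflare-hook
addgroup letsencrypt
adduser root letsencrypt
adduser znc letsencrypt
chgrp letsencrypt dehydrated/dehydrated
# Linux ignores the setgid bit on interpreted scripts, so 2755 granted nothing;
# group access comes from znc being a member of letsencrypt.
chmod 0755 dehydrated/dehydrated
# Rewrite only the interpreter on the shebang line (idempotent); a global
# s/python/python3/ would also rewrite every other "python" in the file.
sed -i '1s/python[0-9.]*[[:space:]]*$/python3/' letsencrypt-cloudflare-hook/hook.py
# NOTE(review): the page had "requirements.py"; upstream ships its pip
# requirements as requirements.txt -- confirm against the checkout.
pip3 install -r letsencrypt-cloudflare-hook/requirements.txt
# The page spelled this directory "dehyderated", which left
# /etc/dehydrated missing when the config below was written.
mkdir -p /etc/dehydrated/accounts
chgrp -R letsencrypt /etc/dehydrated
# X (not x): directories become traversable, plain files do not turn executable.
chmod -R g+rwX /etc/dehydrated

# config dehydrated
# Create the file with its final owner and mode *before* the secret is written
# so the API key is never world-readable, not even briefly. Group letsencrypt
# lets dehydrated read it when it runs as znc.
# The hook may need further settings besides CF_KEY; see its README.
install -m 0640 -o root -g letsencrypt /dev/null /etc/dehydrated/config
cat > /etc/dehydrated/config <<'EOF'
export CF_KEY='your_cloudflare_api_key'
EOF

# set up initial certificate
mkdir -p /etc/znc/cert
chown -R znc:znc /etc/znc
chgrp letsencrypt /etc/znc/cert
# Run as znc, the same account the renewal unit uses: whatever dehydrated
# creates (account key, certificate directory) is owned by the invoking user,
# and a root-owned tree would not be readable by the service later. It also
# keeps the third-party hook from running as root.
sudo -u znc /usr/local/src/dehydrated/dehydrated --cron --domain "$ZNC_DOMAIN" \
  --challenge dns-01 -k '/usr/local/src/letsencrypt-cloudflare-hook/hook.py' \
  --out /etc/znc/cert --accept-terms
# znc.pem will hold the private key: recreate it empty, owned by znc and
# mode 0600, instead of a default-mode (world-readable) file from touch.
rm -f /var/lib/znc/znc.pem
install -m 0600 -o znc -g znc /dev/null /var/lib/znc/znc.pem

# set up systemd service
cat > /etc/systemd/system/znc.service <<EOF
[Unit]
Description=ZNC, an advanced IRC bouncer
After=network-online.target znc-update-cert.service

[Service]
ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
User=znc

[Install]
WantedBy=multi-user.target
EOF

# The renewal command tolerates a failed dehydrated run (|| /bin/true) and
# then rebuilds znc.pem from the files on disk. The redirect truncates
# znc.pem before cat runs, so a missing certificate file leaves ZNC without a
# usable PEM: watch this unit's status in the journal.
# ExecStart must stay on a single line inside the unit file.
cat > /etc/systemd/system/znc-update-cert.service <<EOF
[Unit]
Description=Update SSL certificate for ZNC
After=network-online.target

[Service]
ExecStart=/bin/bash -c "(/usr/local/src/dehydrated/dehydrated --cron --domain ${ZNC_DOMAIN} --challenge dns-01 -k '/usr/local/src/letsencrypt-cloudflare-hook/hook.py' --out /etc/znc/cert --accept-terms || /bin/true) && cat /etc/znc/cert/${ZNC_DOMAIN}/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem"
User=znc
Type=oneshot

[Install]
WantedBy=multi-user.target
EOF

cat > /etc/systemd/system/znc-update-cert.timer <<EOF
[Unit]
Description=Update ZNC SSL certificate automatically

[Timer]
OnBootSec=5min
OnUnitInactiveSec=1d
Unit=znc-update-cert.service

[Install]
WantedBy=timers.target
EOF

# start everything
systemctl daemon-reload
systemctl start znc.service znc-update-cert.service znc-update-cert.timer
systemctl enable znc.service znc-update-cert.service znc-update-cert.timer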