The Tor Project / TPA / TPA team, issue #40266
Issue created May 25, 2021 by anarcat (@anarcat, Owner)

remove ircbouncer from ssl-cert group

we're going to move the ircbouncer cert out of /etc/ssl/private for security reasons. i'd move them in /home/ircbouncer/ssl and remove the user from the ssl-cert group, would that be okay for you?

this is the actual puppet diff:

diff --git c/modules/profile/manifests/ircbouncer.pp i/modules/profile/manifests/ircbouncer.pp
index 37cd3166..83a87ff5 100644
--- c/modules/profile/manifests/ircbouncer.pp
+++ i/modules/profile/manifests/ircbouncer.pp
@@ -3,7 +3,9 @@ class profile::ircbouncer {
     ensure => installed,
   }
   ssl::service { 'ircbouncer.torproject.org':
-    key   => true,
+    key     => true,
+    certdir => '/home/ircbouncer/ssl',
+    keydir  => '/home/ircbouncer/ssl',
   }
   onion::service { 'ircbouncer.torproject.org':
     port           => 80,
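
Review bot: With `keydir => '/home/ircbouncer/ssl'` on `ssl::service`, the key's owner, group and mode are not set anywhere in the visible lines, and the later hunk drops `ssl-cert` from the user, so the bouncer can only read the key if `ssl::service` writes it readable by `ircbouncer`. Worth confirming that the define does this when `keydir` is overridden, or setting the ownership explicitly if the define accepts it. Nothing visible here removes the old copy under /etc/ssl/private either, so the previous key may stay on disk unless it is cleaned up separately.
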
@@ -16,7 +18,7 @@ class profile::ircbouncer {
     port        => ['2001'],
   }
   user { 'ircbouncer':
-    groups     => ['ircbouncer', 'ssl-cert'],
+    groups     => 'ircbouncer',
     membership => 'inclusive',
   }
   file { '/home/ircbouncer':
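
Review bot: The `groups => 'ircbouncer'` change with `membership => 'inclusive'` updates the account's group list, but a bouncer process that is already running keeps the supplementary groups it started with, and nothing in the visible lines restarts it. Plan a restart of the bouncer after the Puppet run so the `ssl-cert` access is really gone. As a style point, keeping the array form (`['ircbouncer']`) would match the line it replaces.
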
@@ -25,6 +27,12 @@ class profile::ircbouncer {
     owner  => 'ircbouncer',
     group  => 'ircbouncer';
   }
+  file { '/home/ircbouncer/ssl/':
+    ensure => 'directory',
+    mode   => '0755',
+    owner  => 'ircbouncer',
+    group  => 'ircbouncer';
+  }
   file { '/etc/sudoers.d/ircbouncer':
     mode    => '0440',
     content => '%ircbouncer ALL=(ircbouncer) ALL',
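
Review bot: `mode => '0755'` on `/home/ircbouncer/ssl/` leaves the directory that now holds the private key listable and traversable by every local user, so the key file's own mode becomes the only protection. Since only `ircbouncer` needs to read it, `mode => '0700'` would be the tighter choice. The resource title also carries a trailing slash while `certdir` and `keydir` are written without one; using the same spelling in both places is easier to grep.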

/cc @pastly
