remove ircbouncer from ssl-cert group
we're going to move the ircbouncer cert out of /etc/ssl/private for security reasons. i'd move them to /home/ircbouncer/ssl and remove the user from the ssl-cert group. would that be okay for you?
this is the actual puppet diff:
diff --git c/modules/profile/manifests/ircbouncer.pp i/modules/profile/manifests/ircbouncer.pp
index 37cd3166..83a87ff5 100644
--- c/modules/profile/manifests/ircbouncer.pp
+++ i/modules/profile/manifests/ircbouncer.pp
@@ -3,7 +3,9 @@ class profile::ircbouncer {
ensure => installed,
}
ssl::service { 'ircbouncer.torproject.org':
- key => true,
+ key => true,
+ certdir => '/home/ircbouncer/ssl',
+ keydir => '/home/ircbouncer/ssl',
}
onion::service { 'ircbouncer.torproject.org':
port => 80,
@@ -16,7 +18,7 @@ class profile::ircbouncer {
port => ['2001'],
}
user { 'ircbouncer':
- groups => ['ircbouncer', 'ssl-cert'],
+ groups => 'ircbouncer',
membership => 'inclusive',
}
file { '/home/ircbouncer':
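Review bot: Dropping `ssl-cert` from `groups` in `user { 'ircbouncer': }` only changes the account's group membership. A bouncer process that is already running keeps its supplementary groups until it is restarted, so it can still read /etc/ssl/private until then. Nothing visible in this hunk restarts the service, so either trigger a restart from this change or record it as a manual rollout step, for example with a comment such as `# ssl-cert removed on purpose (membership => inclusive enforces it); restart the bouncer so the running process drops the group`. The old key copy under /etc/ssl/private is presumably not cleaned up by this change and would need removing separately.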
@@ -25,6 +27,12 @@ class profile::ircbouncer {
owner => 'ircbouncer',
group => 'ircbouncer';
}
+ file { '/home/ircbouncer/ssl/':
+ ensure => 'directory',
+ mode => '0755',
+ owner => 'ircbouncer',
+ group => 'ircbouncer';
+ }
file { '/etc/sudoers.d/ircbouncer':
mode => '0440',
content => '%ircbouncer ALL=(ircbouncer) ALL',
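Review bot: The new `file { '/home/ircbouncer/ssl/': }` resource sets `mode => '0755'` on a directory that, per the `keydir` added in the first hunk, now holds the private key. Every local user can therefore traverse and list it, and the key is protected only by whatever mode `ssl::service` sets on the key file itself, which is not visible here. On Debian-style systems /etc/ssl/private normally blocks users outside ssl-cert at the directory level. To keep that property I would use `mode => '0700'`, or `'0750'` if members of the ircbouncer group need to read the certificate. The context line `%ircbouncer ALL=(ircbouncer) ALL` lets anyone in that group act as the key's owner; that is presumably intended, but worth confirming against the group's membership.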
/cc @pastly