GitLab

we're going to move the ircbouncer cert out of /etc/ssl/private for security reasons. i'd move them in /home/ircbouncer/ssl and remove the user from the ssl-cert group, would that be okay for you?

this is the actual puppet diff:

diff --git c/modules/profile/manifests/ircbouncer.pp i/modules/profile/manifests/ircbouncer.pp
index 37cd3166..83a87ff5 100644
--- c/modules/profile/manifests/ircbouncer.pp
+++ i/modules/profile/manifests/ircbouncer.pp
@@ -3,7 +3,9 @@ class profile::ircbouncer {
     ensure => installed,
   }
   ssl::service { 'ircbouncer.torproject.org':
-    key   => true,
+    key     => true,
+    certdir => '/home/ircbouncer/ssl',
+    keydir  => '/home/ircbouncer/ssl',
   }
   onion::service { 'ircbouncer.torproject.org':
     port           => 80,
@@ -16,7 +18,7 @@ class profile::ircbouncer {
     port        => ['2001'],
   }
   user { 'ircbouncer':
-    groups     => ['ircbouncer', 'ssl-cert'],
+    groups     => 'ircbouncer',
     membership => 'inclusive',
   }
   file { '/home/ircbouncer':
@@ -25,6 +27,12 @@ class profile::ircbouncer {
     owner  => 'ircbouncer',
     group  => 'ircbouncer';
   }
+  file { '/home/ircbouncer/ssl/':
+    ensure => 'directory',
+    mode   => '0755',
+    owner  => 'ircbouncer',
+    group  => 'ircbouncer';
+  }
   file { '/etc/sudoers.d/ircbouncer':
     mode    => '0440',
     content => '%ircbouncer ALL=(ircbouncer) ALL',

/cc @pastly