From 48f68ec8fd5bbae7d3d5785ed0517567f59cfb86 Mon Sep 17 00:00:00 2001
From: godog <godog@autistici.org>
Date: Mon, 21 Apr 2025 12:16:13 +0200
Subject: [PATCH] irc: fix tls configuration

---
 roles/irc/tasks/main.yml                   | 5 -----
 roles/irc/templates/inspircd/inspircd.conf | 6 +++---
 roles/irc/templates/inspircd/modules.conf  | 9 +++++----
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/roles/irc/tasks/main.yml b/roles/irc/tasks/main.yml
index c3ccfbd2..0c55ef41 100644
--- a/roles/irc/tasks/main.yml
+++ b/roles/irc/tasks/main.yml
@@ -31,11 +31,6 @@
     - motd.txt
     - rules.txt
 
-- name: Generate dhparams
-  command: openssh dhparams -out /etc/inspircd/dhparams 2048
-  args:
-    creates: /etc/inspircd/dhparams
-
 # Install anope configuration.
 
 - file:
diff --git a/roles/irc/templates/inspircd/inspircd.conf b/roles/irc/templates/inspircd/inspircd.conf
index a72fae64..0a1140d3 100644
--- a/roles/irc/templates/inspircd/inspircd.conf
+++ b/roles/irc/templates/inspircd/inspircd.conf
@@ -18,13 +18,13 @@
        email="irc@{{ domain_public[0] }}">
 
 # note: for the TLS configuration check out modules.conf
-<bind address="" port="16697" type="clients" ssl="gnutls">
-<bind address="" port="19999" type="clients" ssl="gnutls">
+<bind address="" port="16697" type="clients" profile="gnutls">
+<bind address="" port="19999" type="clients" profile="gnutls">
 # note: if you change the server port remember to also update links.conf
 # services
 <bind address="127.0.0.1" port="7000" type="servers">
 # linked irc servers
-<bind address="" port="17029" type="servers" ssl="gnutls">
+<bind address="" port="17029" type="servers" profile="gnutls">
 
 <sasl target="services.irc.{{ irc_network_name }}" requiressl="yes">
 
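Review bot: The renamed bind attribute on the three TLS listeners (`profile="gnutls"`) does not match the attribute name InspIRCd 3/4 document for this purpose, which is `sslprofile`; InspIRCd ignores unknown attributes on `<bind>`, so if the running version expects `sslprofile` these ports would come up as plaintext listeners rather than fail loudly. I would change the lines to `<bind address="" port="16697" type="clients" sslprofile="gnutls">` (and likewise for 19999 and 17029) after confirming the installed version, since the v2 → v3 rename was `ssl` → `sslprofile`. Either way this is worth a post-deploy check such as `openssl s_client -connect host:16697` to confirm a handshake actually happens, because the `requiressl="yes"` on `<sasl>` a few lines down only protects SASL, not the listener itself.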
diff --git a/roles/irc/templates/inspircd/modules.conf b/roles/irc/templates/inspircd/modules.conf
index 028ce111..c66e6431 100644
--- a/roles/irc/templates/inspircd/modules.conf
+++ b/roles/irc/templates/inspircd/modules.conf
@@ -60,11 +60,12 @@
 
 # TLS configuration
 <module name="m_ssl_gnutls.so">
-<sslprofile certfile="/etc/credentials/public/irc.autistici.org/fullchain.pem"
+<sslprofile
+        name="gnutls"
+        certfile="/etc/credentials/public/irc.autistici.org/fullchain.pem"
         keyfile="/etc/credentials/public/irc.autistici.org/privkey.pem"
-        hash="sha1" priority="NORMAL:-MD5"
-        dhfile="/etc/inspircd/dhparams"
-        dhbits="1024">
+        priority="SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3:-RSA:-DHE-DSS"
+        >
 
 <module name="m_sslinfo.so">
 <module name="m_svshold.so">
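Review bot: The new `<sslprofile name="gnutls" ...>` block has no `provider` attribute; on InspIRCd 3 the gnutls module only claims profiles whose `provider="gnutls"` matches it, so as written the profile may be skipped and the bind that references it left without TLS — if that is the target version, add `provider="gnutls"` next to `name="gnutls"`. The priority string removes static RSA and DHE-DSS but keeps DHE-RSA, while the commit drops `dhfile`/`dhbits`, so for TLS 1.2 clients the DH group now comes from whatever the module defaults to rather than from operator-controlled params; if the intent is to rely on ECDHE only, appending `:-DHE-RSA` makes that explicit and removes the dependency entirely. Separately, `keyfile` points at `/etc/credentials/public/.../privkey.pem`, and a private key under a directory named "public" deserves a one-line comment confirming its mode is restricted to the inspircd user, e.g. `# privkey.pem must be readable only by the inspircd user despite the "public" path`.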
-- 
GitLab