===== Setting up ZNC: an IRC bouncer =====
\\
==== Firewall ====
The following ports have to be opened in your firewall:
  6697/tcp # IRC SSL
----
\\
==== ZNC ====
> [[https://en.wikipedia.org/wiki/ZNC|ZNC]] is an IRC network bouncer or BNC. It can detach the client from the actual IRC server, and also from selected channels. Multiple clients from different locations can connect to a single ZNC account simultaneously and therefore appear under the same nickname on IRC.\\
\\
=== Installation ===
  sudo apt install znc
\\
=== Creating a user account ===
  sudo useradd --create-home -d /var/lib/znc --system --shell /bin/false --comment "ZNC IRC Bouncer" --user-group znc
\\
=== Creating a systemd unit file ===
  [Unit]
  Description=ZNC, an advanced IRC bouncer
  After=network-online.target
  
  [Service]
  ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
  User=znc
  
  [Install]
  WantedBy=multi-user.target
\\
=== Configuration ===
  sudo -u znc /usr/bin/znc --datadir=/var/lib/znc --makeconf
  [ ?? ] Listen on port (1025 to 65534): 6697
  [ ?? ] Listen using SSL (yes/no) [no]: yes
  [ ?? ] Listen using both IPv4 and IPv6 (yes/no) [yes]: yes
  [ ?? ] Username (alphanumeric): user1
  [ ?? ] Enter password: ******
  [ ?? ] Confirm password: *****
  [ ?? ] Nick [admin]: user1
  [ ?? ] Alternate nick [admin_]: user1_
  [ ?? ] Ident [admin]: user1
  [ ?? ] Real name [Got ZNC?]: User One
  [ ?? ] Set up a network? (yes/no) [yes]: yes
  [ ?? ] Name [freenode]: freenode
  [ ?? ] Server host [chat.freenode.net]: chat.freenode.net
  [ ?? ] Server uses SSL? (yes/no) [yes]: yes
  [ ?? ] Server port (1 to 65535) [6697]: 6697
  [ ?? ] Server password (probably empty):
  [ ?? ] Launch ZNC now? (yes/no) [yes]: no
\\
=== SSL certificates ===
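The ''znc.pem'' file is a concatenation of the private key and the full certificate chain. Because it contains the private key, create it readable only by its owner and hand it to the ''znc'' user.\\
In case you use Let's Encrypt:
  sudo su -c 'umask 077; cat /etc/letsencrypt/live/quietlife.nl/{privkey,fullchain}.pem > /var/lib/znc/znc.pem'
  sudo chown znc:znc /var/lib/znc/znc.pem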
== Strong ciphers ==
These are global (top-level) settings in ''/var/lib/znc/configs/znc.conf'':
  SSLCertFile = /var/lib/znc/znc.pem
  SSLProtocols = -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
  SSLCiphers = AES256+EECDH:AES256+EDH
\\
=== Enabling and starting the daemon ===
  sudo systemctl enable znc.service
  sudo systemctl start znc.service
----
\\
==== Client configuration ====
  sudo apt install hexchat
\\
  HexChat > Network List > Add > quietlife.nl
  Edit >
    Servers: quietlife.nl/+6697
    [x] Connect to this network automatically
    [x] Use SSL for all the servers on this network
    Login method: Default
    Password:
    Character set: UTF-8 (Unicode)
  Close > Connect
\\
=== Enabling SASL for NickServ authentication ===
From the Freenode menu, run:
  /znc LoadMod sasl
  /query *sasl
From the SASL menu, run:
  set $username $password
(Use your Freenode NickServ credentials.)
----
\\
==== SSL certificate renewal ====
Unlike Apache, nginx, Dovecot and Postfix, ZNC does not briefly run as root at startup in order to read from ''/etc/ssl/'' or ''/etc/letsencrypt/'', so the key and certificates have to be copied to the ''/var/lib/znc'' directory. If you use Let's Encrypt, this means that you have to renew those copies every three months.\\
This can be automated with a script you run as ''root'':
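  #!/bin/bash
  set -e  # stop before the restart if the copy fails
  # znc.pem = private key followed by the full certificate chain
  cat /etc/letsencrypt/live/quietlife.nl/{privkey,fullchain}.pem > /var/lib/znc/znc.pem
  chown znc:znc /var/lib/znc/znc.pem
  chmod 600 /var/lib/znc/znc.pem
  # restart ZNC so that it uses the new certificate
  systemctl restart znc.service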
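
The same renewal step written as a certbot deploy hook (an added example, not part of the original page): the combined file is built under a private temporary name and renamed into place, and ZNC is restarted only when the certificate actually changed. The helper name ''build_znc_pem'' and the hook location are assumptions; ''RENEWED_LINEAGE'' is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook that rebuilds ZNC's combined PEM.
# Suggested location (an assumption, not from the page):
#   /etc/letsencrypt/renewal-hooks/deploy/znc-pem.sh

# build_znc_pem LIVE_DIR OUT_FILE [OWNER]   (hypothetical helper)
# Returns 0 if OUT_FILE was replaced, 1 if it was already current,
# 2 if the inputs are unusable. OUT_FILE is never left half-written.
build_znc_pem() {
    # Refuse input that is not a PEM private key plus a PEM certificate chain.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1/privkey.pem" || return 2
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1/fullchain.pem" || return 2

    # mktemp creates the file with mode 0600, so the key is not readable
    # by other users even while it is being written.
    _tmp=$(mktemp "$2.XXXXXX") || return 2
    cat "$1/privkey.pem" "$1/fullchain.pem" > "$_tmp" || { rm -f "$_tmp"; return 2; }

    if [ -f "$2" ] && cmp -s "$_tmp" "$2"; then
        rm -f "$_tmp"
        return 1
    fi
    if [ -n "${3:-}" ]; then
        chown "$3" "$_tmp" || { rm -f "$_tmp"; return 2; }
    fi
    chmod 600 "$_tmp"
    # A rename swaps the file in one step; unlike ">" redirection it does
    # not write as root through a symlinked file at OUT_FILE.
    mv -f "$_tmp" "$2" || { rm -f "$_tmp"; return 2; }
}

# Act only when certbot runs this as a deploy hook for this certificate;
# renewals of other certificates on the same host are ignored.
if [ "${RENEWED_LINEAGE:-}" = /etc/letsencrypt/live/quietlife.nl ]; then
    rc=0
    build_znc_pem "$RENEWED_LINEAGE" /var/lib/znc/znc.pem znc:znc || rc=$?
    case $rc in
        0) systemctl restart znc.service ;;
        1) ;;                                  # certificate unchanged
        *) echo "znc.pem was not updated" >&2; exit 1 ;;
    esac
fi
```

Run outside certbot, the script does nothing, so it can be installed and syntax-checked without touching the running bouncer.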