ZNC
A basic ZNC configuration
znc --makeconf
Edit ~/.znc/configs/znc.conf to preference. I disable the web interface using AllowWeb in the Listener section. I set BindHost for my user section to drislock.org. Most other config can be done via messaging on IRC.
For SASL authentication with a certificate, the cert and sasl modules need to be loaded for that network. The certificate then needs to be placed at ~/.znc/users/<username>/networks/<network>/moddata/cert/user.pem.
Some example configuration done via IRC (/msg *status):
AddNetwork <name>
JumpNetwork <name>
AddServer irc.example.com +6697
LoadModule sasl
LoadModule cert
Connect
SaveConfig
To change the password, run znc --makepass manually. Then take ZNC down and edit the config to change the Hash, Method, and Salt fields.
My typical ZNC server entry in hexchat. Each network gets its own entry like this. You can also do this through the GUI.
N=drislock/EFnet
I=Nickname
i=Nickname_
U=Username/EFnet
R=user
P=<password>
L=7
E=UTF-8 (Unicode)
F=61
D=0
S=myznc.com/43025
There are some issues with inconsistent SSL protocol support. By default ZNC only enables TLS 1.1 and 1.2. You can enable other supported protocols with:
SSLProtocols = -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
In order to check supported SSL protocols on a server use nmap:
nmap --script ssl-enum-ciphers -p 9999 example.com -Pn
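The settings touched on above (AllowWeb in the Listener section, the SSLProtocols line, and the Method field of the password block) can be checked offline against a copy of znc.conf. This is an added example, not part of the original notes or of ZNC itself; the sample config is constructed, and the parse and audit helpers are hypothetical names.

```python
import re

# Constructed sample znc.conf for this example (not the author's real config).
SAMPLE_CONF = """\
SSLProtocols = -SSLv2 -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
<Listener listener0>
    AllowWeb = true
</Listener>
<User drislock>
    <Pass password>
        Method = MD5
    </Pass>
</User>
"""

# SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are deprecated (RFC 6176, 7568, 8996).
DEPRECATED = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}

def parse(text):
    """Yield (section_path, key, value) for every 'Key = Value' line."""
    stack = []
    for line in map(str.strip, text.splitlines()):
        opening = re.fullmatch(r"<(\w+)(\s+.*)?>", line)
        if opening:
            stack.append(opening.group(1))      # e.g. <Listener listener0>
        elif re.fullmatch(r"</\w+>", line):
            stack.pop()                         # e.g. </Listener>
        elif "=" in line:
            key, _, value = line.partition("=")
            yield "/".join(stack), key.strip().lower(), value.strip()

def audit(text):
    """Return a list of findings for the settings discussed on this page."""
    findings = []
    for section, key, value in parse(text):
        if section == "Listener" and key == "allowweb" and value.lower() == "true":
            findings.append("Listener: web interface enabled")
        elif section == "" and key == "sslprotocols":
            # Tokens without a leading '-' are treated as enabled (assumption).
            on = {t.lstrip("+").lower() for t in value.split() if not t.startswith("-")}
            for proto in sorted(on & DEPRECATED):
                findings.append("SSLProtocols: deprecated protocol enabled: " + proto)
        elif section == "User/Pass" and key == "method" and value.lower() in ("md5", "plain"):
            findings.append("User/Pass: weak password Method " + value)
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

To audit a real installation, pass the contents of ~/.znc/configs/znc.conf to audit() instead of the sample.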
ZNC systemd user unit
I never could get the service to autostart despite enabling linger, and trying different WantedBy targets (multi-user, default). Leaving here for reference, and because using the systemd unit keeps a log of output whereas running znc in the background does not.
systemctl --user edit --force --full znc
[Unit]
Description=ZNC IRC Bouncer
After=network-online.target

[Service]
ExecStart=/usr/bin/znc -f --datadir=%h/.znc

[Install]
WantedBy=default.target

systemctl --user start znc.service
systemctl --user enable znc.service
sudo loginctl enable-linger <username>