
ZNC password hash and salt generation was not working. Now using the builtin znc tool to generate them. Also changed some znc config options slightly.

Thomas Buck 5 年前
父节点
当前提交
484ee1eb99

+ 0
- 15
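--- a/filter_plugins/password_hash.py
+++ b/filter_plugins/password_hash.py
@@ -2,40 +2,25 @@ from ansible.errors import AnsibleError, AnsibleUndefinedVariable
 from jinja2 import StrictUndefined
 __metaclass__ = type
 
-
 try:
     import passlib.hash
     HAS_LIB = True
 except ImportError:
     HAS_LIB = False
 
-
 def check_lib():
     if not HAS_LIB:
         raise AnsibleError('You need to install "passlib" prior to running '
                            'password_hash-based filters')
 
-
 def doveadm_pw_hash(password):
     check_lib()
     if type(password) is StrictUndefined:
         raise AnsibleUndefinedVariable('Please pass a string into this password_hash-based filter')
     return passlib.hash.sha512_crypt.encrypt(password, rounds=5000)
 
-
-def znc_pw_salt(password):
-    return doveadm_pw_hash(password).split("$")[0]
-
-
-def znc_pw_hash(password):
-    return doveadm_pw_hash(password).split("$")[1]
-
-
 class FilterModule(object):
-
     def filters(self):
         return {
             'doveadm_pw_hash': doveadm_pw_hash,
-            'znc_pw_salt': znc_pw_salt,
-            'znc_pw_hash': znc_pw_hash,
         }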

+ 0
- 1
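--- a/group_vars/sovereign
+++ b/group_vars/sovereign
@@ -45,7 +45,6 @@ irc_nick: (required)
 irc_ident: (required)
 irc_realname: (required)
 irc_quitmsg: (required)
-irc_password: TODO
 
 # xmpp
 prosody_admin: "{{ admin_email }}"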

+ 14
- 1
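--- a/roles/ircbouncer/defaults/main.yml
+++ b/roles/ircbouncer/defaults/main.yml
@@ -1 +1,14 @@
-irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+irc_admin_username: "{{ main_user_name }}"
+irc_admin_password: "{{ lookup('password', secret + '/' + 'irc_admin_password length=32') }}"
+
+irc_nick: "{{ main_user_name }}"
+irc_altnick: "{{ irc_nick }}_"
+irc_ident: "{{ main_user_name }}"
+irc_realname: "{{ main_user_name }}"
+irc_quitmsg: "Bye folks"
+
+irc_timezone: "{{ common_timezone | default('Etc/UTC') }}"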
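Review bot: The new defaults for `irc_nick`, `irc_ident`, `irc_realname` and `irc_quitmsg` will not take effect for the sovereign group as committed, because group_vars/sovereign still sets each of them to the literal placeholder `(required)` (visible as context lines in that file's hunk) and inventory group_vars take precedence over role defaults; only `irc_password` was removed there. Either drop those four placeholder lines from group_vars/sovereign as well, or keep them and say so here, e.g. `# nick/ident/realname/quitmsg are overridden by group_vars/sovereign; the values below are fallbacks only`. The `irc_admin_password` lookup reads (and on first use creates) a plaintext file under `secret_root`/`secret_name` on the control machine, so a one-line comment above it noting that this file is the only copy of the admin password and must be kept out of version control and backed up would help operators.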

+ 27
- 5
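--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -1,9 +1,14 @@
+---
 # more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
 
 - name: Install znc
-  apt: pkg={{ item }} state=present
-  with_items:
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
     - znc
+    - expect
   tags:
     - dependencies
 
@@ -22,6 +27,7 @@
     - moddata
     - modules
     - users
+    - configs
 
 - name: Copy znc service file into place
   copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
@@ -51,14 +57,30 @@
   ignore_errors: True
   changed_when: False  # never report as "changed"
 
-- name: Create znc config directory
-  file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
-
 - name: Copy znc configuration file into place
   template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
   when: znc_config.rc != 0
   notify: restart znc
 
+- name: Copy expect script for znc password generation
+  template: src=root_znc_pw.j2 dest=/root/znc_pw mode=0777
+  when: znc_config.rc != 0
+
+- name: Run script to generate znc hash and salt
+  shell: /root/znc_pw | head --lines=-1 | tail --lines=+7
+  register: znc_config_pass
+  when: znc_config.rc != 0
+
+- name: Put generated hash and salt into configuration file
+  blockinfile:
+    block: "{{ znc_config_pass.stdout }}"
+    path: /usr/lib/znc/configs/znc.conf
+    marker: "// {mark} ANSIBLE MANAGED BLOCK"
+  when: znc_config.rc != 0
+
+- name: Remove expect script
+  file: path=/root/znc_pw state=absent
+
 - name: Set firewall rule for znc
   ufw: rule=allow port=6697 proto=tcp
   tags: ufw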
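Review bot: The rendered expect script at /root/znc_pw embeds the plaintext admin password (the template sends it twice) yet is written with `mode=0777`, so it is world-readable and writable for as long as it exists, including when a later task fails before "Remove expect script" runs; `mode=0700` is all root needs to execute it. The "Run script" task registers its output without `no_log: true`, so the hash and salt block ends up in Ansible's console output and any log, which `no_log: true` on that task avoids. The pipeline `/root/znc_pw | head --lines=-1 | tail --lines=+7` returns tail's exit status, so a failing `znc --makepass` is masked and the following blockinfile task would inject an empty or truncated block; `failed_when: znc_config_pass.stdout == ''` catches the common case, and a comment naming the znc version whose output layout the `head`/`tail` line counts were derived from would make that slicing maintainable. Because the config template is written before the generation chain and every step is gated on `znc_config.rc != 0` (registered outside this hunk, presumably a file-exists check), a failure in generation leaves znc.conf on disk with an admin user that has no `<Pass>` block, and the next run skips the whole chain as already done; writing the template after generation succeeds, or making the check look for the managed-block markers, would close that gap.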

+ 11
- 0
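--- /dev/null
+++ b/roles/ircbouncer/templates/root_znc_pw.j2
@@ -0,0 +1,11 @@
+#!/usr/bin/expect -f
+
+spawn /usr/bin/znc --makepass
+
+expect "Enter password:"
+send -- "{{ irc_admin_password }}\r"
+
+expect "Confirm password:"
+send -- "{{ irc_admin_password }}\r"
+
+interact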
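Review bot: `interact` on the last line hands the spawned process over to the user's terminal, but tasks/znc.yml runs this script from a `shell` task where there is no terminal; it presumably returns once stdin reaches EOF, which ties termination to how the module wires stdin rather than to znc finishing. `expect eof` is the non-interactive form, and `exit [lindex [wait] 3]` after it makes the task see znc's own exit status instead of expect's unconditional zero. The rendered file also contains the admin password in clear, so a header comment such as `# rendered by Ansible; holds the plaintext admin password and is removed by tasks/znc.yml after use` records why it must stay root-only and short-lived.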

+ 5
- 8
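--- a/roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2
+++ b/roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2
@@ -40,10 +40,10 @@ Version = 1.0
 	SSL = false
 </Listener>
 
-<User {{ irc_nick }}>
+<User {{ irc_admin_username }}>
 	Admin = true
 	Allow = *
-	AltNick = {{ irc_nick }}_
+	AltNick = {{ irc_altnick }}
 	AppendTimestamp = false
 	AutoClearChanBuffer = true
 	Buffer = 5000
@@ -56,7 +56,7 @@ Version = 1.0
 	LoadModule = perform
 	LoadModule = block_motd
 	LoadModule = clientnotify
-	MaxNetworks = 1
+	MaxNetworks = 5
 	MultiClients = true
 	Nick = {{ irc_nick }}
 	PrependTimestamp = true
@@ -65,11 +65,8 @@ Version = 1.0
 	TimestampFormat = [%H:%M:%S]
 	Timezone = {{ irc_timezone }}
 
-	<Pass password>
-	        Method = sha256
-	        Hash = {{ irc_password | znc_pw_hash }}
-	        Salt = {{ irc_password | znc_pw_salt }}
-	</Pass>
+// BEGIN ANSIBLE MANAGED BLOCK
+// END ANSIBLE MANAGED BLOCK
 
 	<Network freenode>
 		BindHost = 0.0.0.0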
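Review bot: After this change the rendered `<User>` block carries no `<Pass>` section at all; the password block is spliced in later by the blockinfile task in tasks/znc.yml, and the only trace of that in the template is the bare pair of marker lines. A `//` comment above `// BEGIN ANSIBLE MANAGED BLOCK`, e.g. `// The <Pass> block is produced by 'znc --makepass' and inserted between the markers below by tasks/znc.yml; the marker text must match that task's 'marker' option verbatim`, records the coupling so neither side is edited alone. It would also be worth stating there that a config in which the markers are still empty means password generation did not run and the admin user is unusable, since nothing in the template itself makes that visible.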
