thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

ZNC password hash and salt generation was not working. Now using builtin znc tool to generate it. Also changed znc config options slightly.

Thomas Buck 5 years ago
parent
7aa67f1506
commit
484ee1eb99
6 changed files with 57 additions and 30 deletions
Unified View Show Diff Stats
  1. 0
    15
      filter_plugins/password_hash.py
  2. 0
    1
      group_vars/sovereign
  3. 14
    1
      roles/ircbouncer/defaults/main.yml
  4. 27
    5
      roles/ircbouncer/tasks/znc.yml
  5. 11
    0
      roles/ircbouncer/templates/root_znc_pw.j2
  6. 5
    8
      roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2

+ 0
- 15
filter_plugins/password_hash.py View File

2 
 from jinja2 import StrictUndefined
 2 
 from jinja2 import StrictUndefined
3 
 __metaclass__ = type
 3 
 __metaclass__ = type
4
4
5 
-
6 
 try:
 5 
 try:
7 
     import passlib.hash
 6 
     import passlib.hash
8 
     HAS_LIB = True
 7 
     HAS_LIB = True
9 
 except ImportError:
 8 
 except ImportError:
10 
     HAS_LIB = False
 9 
     HAS_LIB = False
11
10
12 
-
13 
 def check_lib():
 11 
 def check_lib():
14 
     if not HAS_LIB:
 12 
     if not HAS_LIB:
15 
         raise AnsibleError('You need to install "passlib" prior to running '
 13 
         raise AnsibleError('You need to install "passlib" prior to running '
16 
                            'password_hash-based filters')
 14 
                            'password_hash-based filters')
17
15
18 
-
19 
 def doveadm_pw_hash(password):
 16 
 def doveadm_pw_hash(password):
20 
     check_lib()
 17 
     check_lib()
21 
     if type(password) is StrictUndefined:
 18 
     if type(password) is StrictUndefined:
22 
         raise AnsibleUndefinedVariable('Please pass a string into this password_hash-based filter')
 19 
         raise AnsibleUndefinedVariable('Please pass a string into this password_hash-based filter')
23 
     return passlib.hash.sha512_crypt.encrypt(password, rounds=5000)
 20 
     return passlib.hash.sha512_crypt.encrypt(password, rounds=5000)
24
21
25 
-
26 
-def znc_pw_salt(password):
27 
-    return doveadm_pw_hash(password).split("$")[0]
28 
-
29 
-
30 
-def znc_pw_hash(password):
31 
-    return doveadm_pw_hash(password).split("$")[1]
32 
-
33 
-
34 
 class FilterModule(object):
 22 
 class FilterModule(object):
35 
-
36 
     def filters(self):
 23 
     def filters(self):
37 
         return {
 24 
         return {
38 
             'doveadm_pw_hash': doveadm_pw_hash,
 25 
             'doveadm_pw_hash': doveadm_pw_hash,
39 
-            'znc_pw_salt': znc_pw_salt,
40 
-            'znc_pw_hash': znc_pw_hash,
41 
         }
 26 
         }

+ 0
- 1
group_vars/sovereign View File

45 
 irc_ident: (required)
 45 
 irc_ident: (required)
46 
 irc_realname: (required)
 46 
 irc_realname: (required)
47 
 irc_quitmsg: (required)
 47 
 irc_quitmsg: (required)
48 
-irc_password: TODO
49
48
50 
 # xmpp
 49 
 # xmpp
51 
 prosody_admin: "{{ admin_email }}"
 50 
 prosody_admin: "{{ admin_email }}"

+ 14
- 1
roles/ircbouncer/defaults/main.yml View File

1 
-irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"
1 
+secret_root: '{{ inventory_dir | realpath }}'
2 
+secret_name: 'secret'
3 
+secret: '{{ secret_root + "/" + secret_name }}'
4 
+
5 
+irc_admin_username: "{{ main_user_name }}"
6 
+irc_admin_password: "{{ lookup('password', secret + '/' + 'irc_admin_password length=32') }}"
7 
+
8 
+irc_nick: "{{ main_user_name }}"
9 
+irc_altnick: "{{ irc_nick }}_"
10 
+irc_ident: "{{ main_user_name }}"
11 
+irc_realname: "{{ main_user_name }}"
12 
+irc_quitmsg: "Bye folks"
13 
+
14 
+irc_timezone: "{{ common_timezone | default('Etc/UTC') }}"

+ 27
- 5
roles/ircbouncer/tasks/znc.yml View File

1 
+---
1 
 # more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
 2 
 # more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
2
3
3 
 - name: Install znc
 4 
 - name: Install znc
4 
-  apt: pkg={{ item }} state=present
5 
-  with_items:
5 
+  apt:
6 
+    name: "{{ packages }}"
7 
+    state: present
8 
+  vars:
9 
+    packages:
6 
     - znc
 10 
     - znc
11 
+    - expect
7 
   tags:
 12 
   tags:
8 
     - dependencies
 13 
     - dependencies
9
14
22 
     - moddata
 27 
     - moddata
23 
     - modules
 28 
     - modules
24 
     - users
 29 
     - users
30 
+    - configs
25
31
26 
 - name: Copy znc service file into place
 32 
 - name: Copy znc service file into place
27 
   copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
 33 
   copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
51 
   ignore_errors: True
 57 
   ignore_errors: True
52 
   changed_when: False  # never report as "changed"
 58 
   changed_when: False  # never report as "changed"
53
59
54 
-- name: Create znc config directory
55 
-  file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
56 
-
57 
 - name: Copy znc configuration file into place
 60 
 - name: Copy znc configuration file into place
58 
   template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
 61 
   template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
59 
   when: znc_config.rc != 0
 62 
   when: znc_config.rc != 0
60 
   notify: restart znc
 63 
   notify: restart znc
61
64
65 
+- name: Copy expect script for znc password generation
66 
+  template: src=root_znc_pw.j2 dest=/root/znc_pw mode=0777
67 
+  when: znc_config.rc != 0
68 
+
69 
+- name: Run script to generate znc hash and salt
70 
+  shell: /root/znc_pw | head --lines=-1 | tail --lines=+7
71 
+  register: znc_config_pass
72 
+  when: znc_config.rc != 0
73 
+
74 
+- name: Put generated hash and salt into configuration file
75 
+  blockinfile:
76 
+    block: "{{ znc_config_pass.stdout }}"
77 
+    path: /usr/lib/znc/configs/znc.conf
78 
+    marker: "// {mark} ANSIBLE MANAGED BLOCK"
79 
+  when: znc_config.rc != 0
80 
+
81 
+- name: Remove expect script
82 
+  file: path=/root/znc_pw state=absent
83 
+
62 
 - name: Set firewall rule for znc
 84 
 - name: Set firewall rule for znc
63 
   ufw: rule=allow port=6697 proto=tcp
 85 
   ufw: rule=allow port=6697 proto=tcp
64 
   tags: ufw
 86 
   tags: ufw

+ 11
- 0
roles/ircbouncer/templates/root_znc_pw.j2 View File

1 
+#!/usr/bin/expect -f
2 
+
3 
+spawn /usr/bin/znc --makepass
4 
+
5 
+expect "Enter password:"
6 
+send -- "{{ irc_admin_password }}\r"
7 
+
8 
+expect "Confirm password:"
9 
+send -- "{{ irc_admin_password }}\r"
10 
+
11 
+interact

+ 5
- 8
roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2 View File

40 
 	SSL = false
 40 
 	SSL = false
41 
 </Listener>
 41 
 </Listener>
42
42
43 
-<User {{ irc_nick }}>
43 
+<User {{ irc_admin_username }}>
44 
 	Admin = true
 44 
 	Admin = true
45 
 	Allow = *
 45 
 	Allow = *
46 
-	AltNick = {{ irc_nick }}_
46 
+	AltNick = {{ irc_altnick }}
47 
 	AppendTimestamp = false
 47 
 	AppendTimestamp = false
48 
 	AutoClearChanBuffer = true
 48 
 	AutoClearChanBuffer = true
49 
 	Buffer = 5000
 49 
 	Buffer = 5000
56 
 	LoadModule = perform
 56 
 	LoadModule = perform
57 
 	LoadModule = block_motd
 57 
 	LoadModule = block_motd
58 
 	LoadModule = clientnotify
 58 
 	LoadModule = clientnotify
59 
-	MaxNetworks = 1
59 
+	MaxNetworks = 5
60 
 	MultiClients = true
 60 
 	MultiClients = true
61 
 	Nick = {{ irc_nick }}
 61 
 	Nick = {{ irc_nick }}
62 
 	PrependTimestamp = true
 62 
 	PrependTimestamp = true
65 
 	TimestampFormat = [%H:%M:%S]
 65 
 	TimestampFormat = [%H:%M:%S]
66 
 	Timezone = {{ irc_timezone }}
 66 
 	Timezone = {{ irc_timezone }}
67
67
68 
-	<Pass password>
69 
-	        Method = sha256
70 
-	        Hash = {{ irc_password | znc_pw_hash }}
71 
-	        Salt = {{ irc_password | znc_pw_salt }}
72 
-	</Pass>
68 
+// BEGIN ANSIBLE MANAGED BLOCK
69 
+// END ANSIBLE MANAGED BLOCK
73
70
74 
 	<Network freenode>
 71 
 	<Network freenode>
75 
 		BindHost = 0.0.0.0
 72 
 		BindHost = 0.0.0.0

Write Preview
Loading…
Cancel
Save