
ZNC password hash and salt generation was not working. Now using the built-in znc tool to generate them. Also changed znc config options slightly.

Thomas Buck 5 years ago
parent
commit
484ee1eb99

+ 0
- 15
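--- a/filter_plugins/password_hash.py
+++ b/filter_plugins/password_hash.py
@@ -2,40 +2,25 @@
 from jinja2 import StrictUndefined
 __metaclass__ = type
 
-
 try:
     import passlib.hash
     HAS_LIB = True
 except ImportError:
     HAS_LIB = False
 
-
 def check_lib():
     if not HAS_LIB:
         raise AnsibleError('You need to install "passlib" prior to running '
                            'password_hash-based filters')
 
-
 def doveadm_pw_hash(password):
     check_lib()
     if type(password) is StrictUndefined:
         raise AnsibleUndefinedVariable('Please pass a string into this password_hash-based filter')
     return passlib.hash.sha512_crypt.encrypt(password, rounds=5000)
 
-
-def znc_pw_salt(password):
-    return doveadm_pw_hash(password).split("$")[0]
-
-
-def znc_pw_hash(password):
-    return doveadm_pw_hash(password).split("$")[1]
-
-
 class FilterModule(object):
-
     def filters(self):
         return {
             'doveadm_pw_hash': doveadm_pw_hash,
-            'znc_pw_salt': znc_pw_salt,
-            'znc_pw_hash': znc_pw_hash,
         }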

+ 0
- 1
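--- a/group_vars/sovereign
+++ b/group_vars/sovereign
@@ -45,7 +45,6 @@
 irc_ident: (required)
 irc_realname: (required)
 irc_quitmsg: (required)
-irc_password: TODO
 
 # xmpp
 prosody_admin: "{{ admin_email }}"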

+ 14
- 1
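--- a/roles/ircbouncer/defaults/main.yml
+++ b/roles/ircbouncer/defaults/main.yml
@@ -1,1 +1,14 @@
-irc_timezone: "{{ common_timezone|default('Etc/UTC') }}"
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+irc_admin_username: "{{ main_user_name }}"
+irc_admin_password: "{{ lookup('password', secret + '/' + 'irc_admin_password length=32') }}"
+
+irc_nick: "{{ main_user_name }}"
+irc_altnick: "{{ irc_nick }}_"
+irc_ident: "{{ main_user_name }}"
+irc_realname: "{{ main_user_name }}"
+irc_quitmsg: "Bye folks"
+
+irc_timezone: "{{ common_timezone | default('Etc/UTC') }}"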

+ 27
- 5
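--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -1,9 +1,14 @@
+---
 # more or less as per http://wiki.znc.in/Running_ZNC_as_a_system_daemon
 
 - name: Install znc
-  apt: pkg={{ item }} state=present
-  with_items:
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
     - znc
+    - expect
   tags:
     - dependencies
 
@@ -22,6 +27,7 @@
     - moddata
     - modules
     - users
+    - configs
 
 - name: Copy znc service file into place
   copy: src=etc_systemd_system_znc.service dest=/etc/systemd/system/znc.service mode=0644
@@ -51,14 +57,30 @@
   ignore_errors: True
   changed_when: False  # never report as "changed"
 
-- name: Create znc config directory
-  file: state=directory path=/usr/lib/znc/configs group=znc owner=znc
-
 - name: Copy znc configuration file into place
   template: src=usr_lib_znc_configs_znc.conf.j2 dest=/usr/lib/znc/configs/znc.conf owner=znc group=znc
   when: znc_config.rc != 0
   notify: restart znc
 
+- name: Copy expect script for znc password generation
+  template: src=root_znc_pw.j2 dest=/root/znc_pw mode=0777
+  when: znc_config.rc != 0
+
+- name: Run script to generate znc hash and salt
+  shell: /root/znc_pw | head --lines=-1 | tail --lines=+7
+  register: znc_config_pass
+  when: znc_config.rc != 0
+
+- name: Put generated hash and salt into configuration file
+  blockinfile:
+    block: "{{ znc_config_pass.stdout }}"
+    path: /usr/lib/znc/configs/znc.conf
+    marker: "// {mark} ANSIBLE MANAGED BLOCK"
+  when: znc_config.rc != 0
+
+- name: Remove expect script
+  file: path=/root/znc_pw state=absent
+
 - name: Set firewall rule for znc
   ufw: rule=allow port=6697 proto=tcp
   tags: ufw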
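Review bot: The rendered expect script at `/root/znc_pw` holds the admin password in clear text, yet the template task in the third hunk writes it with `mode=0777`, making it world-readable and world-writable for as long as it exists; only root runs it, so `template: src=root_znc_pw.j2 dest=/root/znc_pw mode=0700` is sufficient. The `shell` task registers the generated `<Pass>` block (hash and salt) and Ansible prints registered results and the spawned session output in verbose runs, so `no_log: true` belongs on that task and on the `blockinfile` task that consumes `znc_config_pass.stdout`. The "Remove expect script" task is only reached if the `shell` task succeeds, so a failure leaves the password on disk; grouping the three steps in a `block:` with the removal under `always:` avoids that. `head --lines=-1 | tail --lines=+7` is tied to the exact output layout of the installed `znc --makepass`, so a comment stating which lines are being kept would help the next maintainer when that layout changes.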

+ 11
- 0
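--- a/roles/ircbouncer/templates/root_znc_pw.j2
+++ b/roles/ircbouncer/templates/root_znc_pw.j2
@@ -0,0 +1,11 @@
+#!/usr/bin/expect -f
+
+spawn /usr/bin/znc --makepass
+
+expect "Enter password:"
+send -- "{{ irc_admin_password }}\r"
+
+expect "Confirm password:"
+send -- "{{ irc_admin_password }}\r"
+
+interact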
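Review bot: `interact` on line 11 hands the spawned znc session to the script's own stdin, which under Ansible's non-interactive `shell` module only returns because stdin is not a terminal; `expect eof` states what is actually wanted here (wait for `znc --makepass` to print its block and exit) and does not depend on how stdin happens to be wired. The password is substituted into a Tcl double-quoted string on lines 6 and 9, so a value containing `$`, `[`, `\` or `"` would be expanded or break the script instead of reaching znc; the default character set of Ansible's `password` lookup appears to avoid these, but that is a hidden constraint on anyone overriding `irc_admin_password` and deserves a comment at the top of the script such as `# irc_admin_password must not contain Tcl-special characters ($ [ \ ")`.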

+ 5
- 8
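--- a/roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2
+++ b/roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2
@@ -40,10 +40,10 @@
 	SSL = false
 </Listener>
 
-<User {{ irc_nick }}>
+<User {{ irc_admin_username }}>
 	Admin = true
 	Allow = *
-	AltNick = {{ irc_nick }}_
+	AltNick = {{ irc_altnick }}
 	AppendTimestamp = false
 	AutoClearChanBuffer = true
 	Buffer = 5000
@@ -56,7 +56,7 @@
 	LoadModule = perform
 	LoadModule = block_motd
 	LoadModule = clientnotify
-	MaxNetworks = 1
+	MaxNetworks = 5
 	MultiClients = true
 	Nick = {{ irc_nick }}
 	PrependTimestamp = true
@@ -65,11 +65,8 @@
 	TimestampFormat = [%H:%M:%S]
 	Timezone = {{ irc_timezone }}
 
-	<Pass password>
-	        Method = sha256
-	        Hash = {{ irc_password | znc_pw_hash }}
-	        Salt = {{ irc_password | znc_pw_salt }}
-	</Pass>
+// BEGIN ANSIBLE MANAGED BLOCK
+// END ANSIBLE MANAGED BLOCK
 
 	<Network freenode>
 		BindHost = 0.0.0.0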
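Review bot: The `// BEGIN ANSIBLE MANAGED BLOCK` / `// END ANSIBLE MANAGED BLOCK` lines on new 68–69 must match the `marker:` string in `roles/ircbouncer/tasks/znc.yml` character for character; if they drift apart, `blockinfile` appends a fresh block at the end of the file instead of filling this one, so the generated `<Pass>` entry would land outside the `<User>` section. That coupling, and the fact that the rendered config has no password block for the admin user until that task has run, is invisible from this file, so a Jinja comment above the markers such as `{# markers must match the blockinfile marker in tasks/znc.yml; the <Pass> block is inserted there #}` would record it. The markers are also at column 0 while the surrounding entries use a tab, which is presumably harmless to znc but reads as out of place.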
