Implementing password hashing for ircbouncer and mailserver inside password_hash filter plugin

README.md

 Modify the settings in the `group_vars/sovereign` folder to your liking. If you want to see how they’re used in context, just search for the corresponding string.
 All of the variables in `group_vars/sovereign` must be set for sovereign to function.
 
-Setting `password_hash` for your mail users is a bit tricky. You can generate one using [doveadm-pw](http://wiki2.dovecot.org/Tools/Doveadm/Pw).
-
-    # doveadm pw -p'YOUR_PASSWORD' -s SHA512-CRYPT | sed -e 's/{.*}//'
-    $6$drlIN9fx7Aj7/iLu$XvjeuQh5tlzNpNfs4NwxN7.HGRLglTKism0hxs2C1OvD02d3x8OBN9KQTueTr53nTJwVShtCYiW80SGXAjSyM0
-
-`sed` is used here to truncate the hash type from the beginning of the `doveadm pw` output.
-
-Alternatively, if you don’t already have `doveadm` installed, Python 3.3 or higher on Linux will generate the appropriate string for you (assuming your password is `password`):
-
-    python3 -c 'import crypt; print(crypt.crypt("password", salt=crypt.METHOD_SHA512))'
-
-On OS X and other platforms the [passlib](https://pythonhosted.org/passlib/) package may be used to generate the required string:
-
-    python -c 'import passlib.hash; print(passlib.hash.sha512_crypt.encrypt("password", rounds=5000))'
-
-Same for the IRC password hash…
-
-    # znc --makepass
-    [ ** ] Type your new password.
-    [ ?? ] Enter Password: foo
-    [ ?? ] Confirm Password: foo
-    [ ** ] Kill ZNC process, if it's running.
-    [ ** ] Then replace password in the <User> section of your config with this:
-    <Pass password>
-            Method = sha256
-            Hash = 310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed
-            Salt = YdlPM5yjBmc/;JO6cfL5
-    </Pass>
-    [ ** ] After that start ZNC again, and you should be able to login with the new password.
-
-Take the strings after `Hash =` and `Salt =` and insert them as the value for `irc_password_hash` and `irc_password_salt` respectively.
-
-Alternatively, if you don’t already have `znc` installed, Python 3.3 or higher on Linux will generate the appropriate string for you (assuming your password is `password`):
-
-    python3 -c 'import crypt; print("irc_password_salt: {}\nirc_password_hash: {}".format(*crypt.crypt("password", salt=crypt.METHOD_SHA256).split("$")[2:]))'
-
-On OS X and other platforms the passlib:https://pythonhosted.org/passlib/ package may be used to generate the required string:
-
-    python -c 'import passlib.hash; print("irc_password_salt: {}\nirc_password_hash: {}".format(*passlib.hash.sha256_crypt.encrypt("password", rounds=5000).split("$")[2:]))'
-
 For Git hosting, copy your public key into place:
 
 	cp ~/.ssh/id_rsa.pub roles/git/files/gitolite.pub

filter_plugins/password_hash.py

+from ansible.errors import AnsibleError, AnsibleUndefinedVariable
+from jinja2 import StrictUndefined
+__metaclass__ = type
+
+
+try:
+    import passlib.hash
+    HAS_LIB = True
+except ImportError:
+    HAS_LIB = False
+
+
+def check_lib():
+    if not HAS_LIB:
+        raise AnsibleError('You need to install "passlib" prior to running '
+                           'password_hash-based filters')
+
+
+def doveadm_pw_hash(password):
+    check_lib()
+    if type(password) is StrictUndefined:
+        raise AnsibleUndefinedVariable('Please pass a string into this password_hash-based filter')
+    return passlib.hash.sha512_crypt.encrypt(password, rounds=5000)
+
+
+def znc_pw_salt(password):
+    return doveadm_pw_hash(password).split("$")[0]
+
+
+def znc_pw_hash(password):
+    return doveadm_pw_hash(password).split("$")[1]
+
+
+class FilterModule(object):
+
+    def filters(self):
+        return {
+            'doveadm_pw_hash': doveadm_pw_hash,
+            'znc_pw_salt': znc_pw_salt,
+            'znc_pw_hash': znc_pw_hash,
+        }

group_vars/sovereign

 mail_virtual_users:
   - account: "{{ main_user_name }}"
     domain: "{{ domain }}"
-    password_hash: TODO
+    password: TODO
     domain_pk_id: 1
 mail_virtual_aliases:
   - source: "root@{{ domain }}"
 irc_ident: (required)
 irc_realname: (required)
 irc_quitmsg: (required)
-irc_password_hash: (required)
-irc_password_salt: (required)
+irc_password: TODO
 
 # xmpp
 prosody_admin: "{{ admin_email }}"

group_vars/testing

 mail_virtual_users:
   - account: "{{ main_user_name }}"
     domain: "{{ domain }}"
-    password_hash: "$6$IYJfaF3jvmbAzlSe$1HBkbIdrOTWA31WYon7VSE2xAcFzYSZuVb8d3I0NDWzPxXBaqkHqKs4rLeNO9CVQEKv7wA15QctCyXbdRqFDy." #foo
+    password: "foo"
     domain_pk_id: 1
 mail_virtual_aliases:
   - source: "root@{{ domain }}"
 irc_ident: sovereign
 irc_realname: Mr. Sovereign
 irc_quitmsg: Bye
-irc_password_hash: "310c5f99825e80d5b1d663a0a993b8701255f16b2f6056f335ba6e3e720e57ed" #foo
-irc_password_salt: "YdlPM5yjBmc/;JO6cfL5"
+irc_password: "foo"
 irc_timezone: "America/New_York" #Example: "America/New_York"
 
 # xmpp

requirements.txt

 ansible>=1.9.3,<2
+passlib

roles/ircbouncer/templates/usr_lib_znc_configs_znc.conf.j2

 
 	<Pass password>
 	        Method = sha256
-	        Hash = {{ irc_password_hash }}
-	        Salt = {{ irc_password_salt }}
+	        Hash = {{ irc_password | znc_pw_hash }}
+	        Salt = {{ irc_password | znc_pw_salt }}
 	</Pass>
 
 	<Network freenode>

roles/mailserver/templates/mailserver.sql.j2

 INSERT INTO "virtual_users"  ("domain_id", "password" , "email")
 	VALUES (
 		'{{ virtual_user.domain_pk_id }}',
-		'{{ virtual_user.password_hash }}',
+		'{{ virtual_user.password | doveadm_pw_hash }}',
 		'{{ virtual_user.account }}@{{ virtual_user.domain }}'
 	);
 {% endfor %}