matrix-docker-ansible-deploy

History

Slavi Pantaleev 34c01da9d2 Ensure consistent password_hash results regardless of whether crypt or passlib is used Ansible recently started showing warnings about `crypt` being deprecated. If one installs `passlib`, the `password_hash` values that are generated would be different by default. With this patch, we ensure consistency regardless of which one is used. After this patch, password hashes (and UUIDs derived from them) will change once, but they should be stable after that. These hashes changing is not a problem, because the playbook changes all references to the new values. Changes are only a problem if they're done partially and with different tools. For example: - `--tags=setup-COMPONENT` with `passlib` - `--tags=setup-postgres` with `crypt` (no `passlib`) If so, the Postgres database password's value will differ for the configuration generated for `COMPONENT`. The `rounds=` value is arbitrary. It doesn't matter what it is, as long as it's different than the default for `crypt` (5000) and the default for `passlib` for `sha512` (656000). Source (https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html): > To ensure idempotency, specify rounds to be neither crypt’s nor passlib’s default, which is 5000 for crypt and a variable value (535000 for sha256, 656000 for sha512) for passlib	2022-11-25 11:41:16 +02:00
..
matrix_servers	Ensure consistent password_hash results regardless of whether crypt or passlib is used	2022-11-25 11:41:16 +02:00

Slavi Pantaleev 34c01da9d2 Ensure consistent password_hash results regardless of whether crypt or passlib is used

Ansible recently started showing warnings about `crypt` being
deprecated. If one installs `passlib`, the `password_hash` values that
are generated would be different by default. With this patch, we ensure
consistency regardless of which one is used.

After this patch, password hashes (and UUIDs derived from them) will
change once, but they should be stable after that.

These hashes changing is not a problem, because the playbook
changes all references to the new values. Changes are only a problem if
they're done partially and with different tools.
For example:
- `--tags=setup-COMPONENT` with `passlib`
- `--tags=setup-postgres` with `crypt` (no `passlib`)
If so, the Postgres database password's value will differ for the
configuration generated for `COMPONENT`.

The `rounds=` value is arbitrary. It doesn't matter what it is,
as long as it's different than the default for `crypt` (5000)
and the default for `passlib` for `sha512` (656000).

Source (https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_filters.html):

> To ensure idempotency, specify rounds to be neither crypt’s nor passlib’s default, which is 5000 for crypt and a variable value (535000 for sha256, 656000 for sha512) for passlib

2022-11-25 11:41:16 +02:00

matrix_servers

Ensure consistent password_hash results regardless of whether crypt or passlib is used

2022-11-25 11:41:16 +02:00