From 9282c52d010a4c204a358fbcf53cd5880ee6f184 Mon Sep 17 00:00:00 2001
From: Christian Heusel <christian@heusel.eu>
Date: Sat, 26 Oct 2024 02:40:11 +0200
Subject: [PATCH] postfix_null: Use fixed amount of rounds for password_hash

As it turns out, the value of this filter's "rounds" parameter differs
strongly depending on the installed python crypto backend: python-crypt
uses 5000 rounds while python-passlib uses 535000 rounds. Set a default
parameter according to ansible documentation.

As really high values for "rounds" lead to some login timeouts it makes
sense for us to use a fixed value for this parameter. In this case 5000
have been chosen as this value reflects the defaults from python-crypt
aswell as /etc/login.defs in the shadow package.

Link: https://github.com/ansible/ansible/pull/77963/files
Related-to: https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/250
Signed-off-by: Christian Heusel <christian@heusel.eu>
---
 roles/postfix_null/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/postfix_null/tasks/main.yml b/roles/postfix_null/tasks/main.yml
index 91d08dd64..15f3f5eaa 100644
--- a/roles/postfix_null/tasks/main.yml
+++ b/roles/postfix_null/tasks/main.yml
@@ -15,7 +15,7 @@
     name: "{{ inventory_hostname_short }}"
     comment: "SMTP Relay Account for {{ inventory_hostname }}"
     group: nobody
-    password: "{{ postfix_relay_password | password_hash('sha512') }}"
+    password: "{{ postfix_relay_password | password_hash('sha512', rounds=5000) }}"
     shell: /sbin/nologin
     update_password: always
     home: /home/"{{ inventory_hostname }}"  # Set home directory so shadow.service does not fail
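Review bot: The pinned `rounds=5000` on the `password:` line is a deliberate work-factor trade-off, but the task file does not record it, so a later reader could raise or drop the value without knowing about the login timeouts. A comment above that line would carry the rationale, e.g. `# rounds pinned to 5000 (python-crypt / login.defs default) so the hash cost does not depend on the installed crypto backend; much higher values caused login timeouts`. With this few rounds, the stored hash's resistance to offline guessing rests mostly on `postfix_relay_password` itself, which is presumably a long random secret; that is worth confirming. Separately, no `salt` is passed, so the filter most likely produces a different hash on every run and, with `update_password: always`, the task reports a change each time. The task starts above the hunk, so this is based only on the visible lines.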
-- 
GitLab