refactor(dovecot): replace template hashing with openssl command

- Add `openssl` to the list of installed packages to ensure CLI availability.
- Introduce a new task to generate user password hashes using `openssl passwd -6` on the target host instead of relying on the Jinja2 `password_hash` filter.
- Update `dovecot-users.j2` template to utilize the registered output from the new OpenSSL task.
- This ensures consistent SHA512-CRYPT hash generation independent of the controller's Python environment or hashing libraries.
2026-02-10 18:10:01 -03:00
parent 589d3e0d12
commit e350a39a29
2 changed files with 17 additions and 3 deletions


@@ -57,7 +57,7 @@
- name: "DOVECOT | Install Dovecot packages"
when: dovecot_enabled | default(false)
ansible.builtin.apt:
name: "{{ ['dovecot-core', 'dovecot-imapd', 'dovecot-pop3d'] + (['dovecot-lmtpd'] if dovecot_postfix_lmtp_enable | default(false) else []) }}"
name: "{{ ['dovecot-core', 'dovecot-imapd', 'dovecot-pop3d', 'openssl'] + (['dovecot-lmtpd'] if dovecot_postfix_lmtp_enable | default(false) else []) }}"
state: present
tags:
- dovecot_install
@@ -108,6 +108,18 @@
tags:
- dovecot_config
- name: "DOVECOT | Generate user password hashes"
when: dovecot_enabled | default(false) and dovecot_users | length > 0
ansible.builtin.command:
cmd: "openssl passwd -6 -salt {{ dovecot_token_value | quote }} {{ (dovecot_token_value + item.pass) | quote }}"
loop: "{{ dovecot_users }}"
register: dovecot_user_hashes
changed_when: false
vars:
dovecot_token_value: "{{ dovecot_token_file['content'] | b64decode | trim }}"
tags:
- dovecot_config
- name: "DOVECOT | Create users password file"
when: dovecot_enabled | default(false)
ansible.builtin.template:
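Review bot: The new "Generate user password hashes" task puts each user's plaintext password on the `openssl passwd` command line, so it is readable in the target host's process list while the command runs, and it also appears in Ansible's per-item task output and in the registered `dovecot_user_hashes` results (each loop result carries `cmd` and the full `item`). I would pass the secret on standard input and suppress logging: `cmd: "openssl passwd -6 -salt {{ dovecot_token_value | quote }} -stdin"`, `stdin: "{{ dovecot_token_value + item.pass }}"`, `no_log: true`. Separately, crypt-style hashes store the salt in clear inside the hash string, so if `dovecot_token_value` is meant to stay secret, using it as `-salt` writes it (or its leading characters) into the users file. One salt shared by all users also means equal passwords yield equal hashes; a per-user salt kept stable between runs would avoid both. The following "Create users password file" task continues past the end of the hunk.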