support unhashed password files

mail-server/common.nix

@@ -45,12 +45,19 @@ rec {
     in
     lib.mapAttrs (
       name: value:
-      if value.hashedPasswordFile == null then
+      if value.hashedPasswordFile != null then
+        value.hashedPasswordFile
+      else if value.hashedPassword != null then
         builtins.toString (mkHashFile name value.hashedPassword)
       else
-        value.hashedPasswordFile
+        value.passwordFile
     ) cfg.loginAccounts;
 
+  # Collect accounts with plain text passwords that require hashing
+  accountsWithPlaintextPasswordFiles = lib.filter (
+    name: cfg.loginAccounts.${name}.passwordFile != null
+  ) (builtins.attrNames cfg.loginAccounts);
+
   # Appends the LDAP bind password to files to avoid writing this
   # password into the Nix store.
   appendLdapBindPwd =

mail-server/dovecot.nix

@@ -121,7 +121,11 @@ let
     cat <<EOF > ${passwdFile}
     ${lib.concatStringsSep "\n" (
       lib.mapAttrsToList (
-        name: _: "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
+        name: _:
+        if lib.elem name accountsWithPlaintextPasswordFiles then
+          "${name}:${"$(sed -n '1{p;p;q}' ${passwordFiles."${name}"} | ${lib.getExe' pkgs.dovecot "doveadm"} pw)"}::::::"
+        else
+          "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}::::::"
       ) cfg.loginAccounts
     )}
     EOF

mail-server/users.nix

@@ -90,8 +90,15 @@ in
   config = lib.mkIf enable {
     # assert that all accounts provide a password
     assertions = map (acct: {
-      assertion = acct.hashedPassword != null || acct.hashedPasswordFile != null;
-      message = "${acct.name} must provide either a hashed password or a password hash file";
+      assertion =
+        lib.length (
+          lib.filter (value: value != null) [
+            acct.hashedPassword
+            acct.hashedPasswordFile
+            acct.passwordFile
+          ]
+        ) == 1;
+      message = "Login account ${acct.name} must provide exactly one of password file, hashed password, or hashed password file";
     }) (lib.attrValues loginAccounts);
 
     # warn for accounts that specify both password and file