From ff9b046f0f9c8ca689b47f1d2ddf132ffdfb7c9c Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Sun, 16 Nov 2025 18:27:29 +0100 Subject: [PATCH] Stop recommending bcrypt everywhere By passing no method to mkpasswd we make it select the strongest cipher that libxcrypt recommends. Replaces the example hashes with yescrypt hashes, which is the current default. --- default.nix | 12 ++++++------ docs/setup-example.nix | 2 +- tests/internal.nix | 2 +- tests/multiple.nix | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/default.nix b/default.nix index 60ba271..6b4cad4 100644 --- a/default.nix +++ b/default.nix @@ -152,12 +152,12 @@ in hashedPassword = mkOption { type = with types; nullOr str; default = null; - example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/"; + example = "$y$j9T$vfGrwkAaXCjCEWtVNMQck1$383uIXQmn2z0hnmVAA8kwFQmjNj78.nYbvWeyNLIaP1"; description = '' The user's hashed password. Use `mkpasswd` as follows ``` - nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + nix-shell -p mkpasswd --run 'mkpasswd -s' ``` Warning: this is stored in plaintext in the Nix store! @@ -173,7 +173,7 @@ in A file containing the user's hashed password. Use `mkpasswd` as follows ``` - nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + nix-shell -p mkpasswd --run 'mkpasswd -s' ``` ''; }; @@ -275,10 +275,10 @@ in ); example = { user1 = { - hashedPassword = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/"; + hashedPassword = "$y$j9T$y6eZ1o.IvVNfdGMAsUEvh1$6K/llP52uw2iDh4iSwtAn54/JYy7FzCcoCHmjmx00H5"; }; user2 = { - hashedPassword = "$6$oE0ZNv2n7Vk9gOf$9xcZWCCLGdMflIfuA0vR1Q1Xblw6RZqPrP94mEit2/81/7AKj2bqUai5yPyWE.QYPyv6wLMHZvjw3Rlg7yTCD/"; + hashedPassword = "$y$j9T$hZ.ubq0M897Hw.znxnGG9.$14EJBoOwbwKeWt.W4vpnBPEBZC9mYz4fWI9kOCLoZf4"; }; }; description = '' 
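Review bot: The `hashedPassword` description in default.nix (hunk at -152) now recommends `mkpasswd -s` with no method, so the hash format depends on the mkpasswd/libxcrypt build of whichever machine the user runs it on. Nothing in the text says which formats the mail server can verify. The code that consumes these hashes is not visible in this patch, so this is an inference, but a hash produced with a default the server does not support would presumably only surface as failed logins. I would add one sentence to the description, e.g. `The hash must use a scheme the mail server can verify; yescrypt (prefix $y$) is the current mkpasswd default.`, and repeat it for `hashedPasswordFile` (hunk at -173), the accounts description (hunk at -287) and the comment in docs/setup-example.nix. Each option block continues outside its hunk.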
@@ -287,7 +287,7 @@ in follows ``` - nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + nix-shell -p mkpasswd --run 'mkpasswd -s' ``` ''; default = { }; diff --git a/docs/setup-example.nix b/docs/setup-example.nix index 8a4134a..0a9fb53 100644 --- a/docs/setup-example.nix +++ b/docs/setup-example.nix @@ -32,7 +32,7 @@ x509.useACMEHost = config.mailserver.fqdn; # A list of all login accounts. To create the password hashes, use - # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + # nix-shell -p mkpasswd --run 'mkpasswd -s' loginAccounts = { "user1@example.com" = { hashedPasswordFile = "/a/file/containing/a/hashed/password"; diff --git a/tests/internal.nix b/tests/internal.nix index a23c152..988d5c4 100644 --- a/tests/internal.nix +++ b/tests/internal.nix @@ -38,7 +38,7 @@ let inherit password; } '' - mkpasswd -sm bcrypt <<<"$password" > $out + mkpasswd -s <<<"$password" > $out ''; hashedPasswordFile = hashPassword "my-password"; diff --git a/tests/multiple.nix b/tests/multiple.nix index 94d2527..19b7aee 100644 --- a/tests/multiple.nix +++ b/tests/multiple.nix @@ -15,7 +15,7 @@ let inherit password; } '' - mkpasswd -sm bcrypt <<<"$password" > $out + mkpasswd -s <<<"$password" > $out ''; password = pkgs.writeText "password" "password";
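Review bot: With `mkpasswd -s` in the password-hashing helper of tests/internal.nix, and the same change in tests/multiple.nix, no test visible here still generates a bcrypt hash. Deployments that followed the earlier recommendation presumably still carry `$2b$` hashes. The algorithm under test will also change silently whenever the libxcrypt default in nixpkgs changes. I would keep one test account on the pinned form, `mkpasswd -sm bcrypt <<<"$password" > $out`, alongside the default one, with a comment such as `# keep a bcrypt hash covered: existing deployments still use them`. The helper begins before the hunk in both files, so how the accounts are wired to it is not visible here.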