Stop recommending bcrypt everywhere

By passing no method to mkpasswd we make it select the strongest password
hashing scheme that libxcrypt recommends.

Replaces the example hashes with yescrypt hashes, which is the current
default.
Martin Weinelt
2025-11-16 18:27:29 +01:00
parent 33ba1ff52b
commit ff9b046f0f
4 changed files with 9 additions and 9 deletions
+6 -6
@@ -152,12 +152,12 @@ in
hashedPassword = mkOption { hashedPassword = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = null;
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/"; example = "$y$j9T$vfGrwkAaXCjCEWtVNMQck1$383uIXQmn2z0hnmVAA8kwFQmjNj78.nYbvWeyNLIaP1";
description = '' description = ''
The user's hashed password. Use `mkpasswd` as follows The user's hashed password. Use `mkpasswd` as follows
``` ```
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' nix-shell -p mkpasswd --run 'mkpasswd -s'
``` ```
Warning: this is stored in plaintext in the Nix store! Warning: this is stored in plaintext in the Nix store!
@@ -173,7 +173,7 @@ in
A file containing the user's hashed password. Use `mkpasswd` as follows A file containing the user's hashed password. Use `mkpasswd` as follows
``` ```
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' nix-shell -p mkpasswd --run 'mkpasswd -s'
``` ```
''; '';
}; };
@@ -275,10 +275,10 @@ in
); );
example = { example = {
user1 = { user1 = {
hashedPassword = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/"; hashedPassword = "$y$j9T$y6eZ1o.IvVNfdGMAsUEvh1$6K/llP52uw2iDh4iSwtAn54/JYy7FzCcoCHmjmx00H5";
}; };
user2 = { user2 = {
hashedPassword = "$6$oE0ZNv2n7Vk9gOf$9xcZWCCLGdMflIfuA0vR1Q1Xblw6RZqPrP94mEit2/81/7AKj2bqUai5yPyWE.QYPyv6wLMHZvjw3Rlg7yTCD/"; hashedPassword = "$y$j9T$hZ.ubq0M897Hw.znxnGG9.$14EJBoOwbwKeWt.W4vpnBPEBZC9mYz4fWI9kOCLoZf4";
}; };
}; };
description = '' description = ''
@@ -287,7 +287,7 @@ in
follows follows
``` ```
nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' nix-shell -p mkpasswd --run 'mkpasswd -s'
``` ```
''; '';
default = { }; default = { };
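Review bot: The three `mkpasswd -s` instructions in these descriptions no longer pin a scheme, so the hash a user ends up with depends on the libxcrypt default of the mkpasswd they happen to run, and the text never says which schemes the server side accepts. I would add one sentence to the `hashedPassword` description, for example `The hash scheme is chosen by libxcrypt (currently yescrypt, prefix $y$) and must be one the mail server can verify.` The verification path is not visible in these hunks, so the exact wording should follow what the module really does. It would also help to state that previously generated bcrypt and `$6$` hashes keep working, if that is the case, so nobody regenerates credentials unnecessarily.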
+1 -1
@@ -32,7 +32,7 @@
x509.useACMEHost = config.mailserver.fqdn; x509.useACMEHost = config.mailserver.fqdn;
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' # nix-shell -p mkpasswd --run 'mkpasswd -s'
loginAccounts = { loginAccounts = {
"user1@example.com" = { "user1@example.com" = {
hashedPasswordFile = "/a/file/containing/a/hashed/password"; hashedPasswordFile = "/a/file/containing/a/hashed/password";
+1 -1
@@ -38,7 +38,7 @@ let
inherit password; inherit password;
} }
'' ''
mkpasswd -sm bcrypt <<<"$password" > $out mkpasswd -s <<<"$password" > $out
''; '';
hashedPasswordFile = hashPassword "my-password"; hashedPasswordFile = hashPassword "my-password";
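Review bot: With `mkpasswd -s <<<"$password" > $out` the test helper now hashes only with the libxcrypt default, so this test, and the identical helper changed in the last file, no longer exercises a login against a bcrypt hash. Users who followed the old instructions still have bcrypt hashes deployed, and a regression in verifying them would go unnoticed unless another test covers it, which is not visible from this page. Consider letting `hashPassword` take an optional method and keeping one account on `mkpasswd -sm bcrypt` next to the default one. The helper's definition starts above this hunk, so the signature change is not shown here.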
+1 -1
@@ -15,7 +15,7 @@ let
inherit password; inherit password;
} }
'' ''
mkpasswd -sm bcrypt <<<"$password" > $out mkpasswd -s <<<"$password" > $out
''; '';
password = pkgs.writeText "password" "password"; password = pkgs.writeText "password" "password";