Recommend bcrypt passwords everywhere
parent
c00fc587f5
commit
89bd89c706
8 changed files with 19 additions and 15 deletions
|
@ -96,7 +96,7 @@ See the [mailing list archive](https://www.freelists.org/archive/snm/)
|
||||||
domains = [ "example.com" "example2.com" ];
|
domains = [ "example.com" "example2.com" ];
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"user1@example.com" = {
|
"user1@example.com" = {
|
||||||
# mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location
|
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
|
||||||
hashedPasswordFile = "/hashed/password/file/location";
|
hashedPasswordFile = "/hashed/password/file/location";
|
||||||
|
|
||||||
aliases = [
|
aliases = [
|
||||||
|
|
12
default.nix
12
default.nix
|
@ -59,10 +59,10 @@ in
|
||||||
default = null;
|
default = null;
|
||||||
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
|
||||||
description = ''
|
description = ''
|
||||||
The user's hashed password. Use `mkpasswd` as follows
|
The user's hashed password. Use `htpasswd` as follows
|
||||||
|
|
||||||
```
|
```
|
||||||
mkpasswd -m sha-512 "super secret password"
|
nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
|
||||||
```
|
```
|
||||||
|
|
||||||
Warning: this is stored in plaintext in the Nix store!
|
Warning: this is stored in plaintext in the Nix store!
|
||||||
|
@ -75,10 +75,10 @@ in
|
||||||
default = null;
|
default = null;
|
||||||
example = "/run/keys/user1-passwordhash";
|
example = "/run/keys/user1-passwordhash";
|
||||||
description = ''
|
description = ''
|
||||||
A file containing the user's hashed password. Use `mkpasswd` as follows
|
A file containing the user's hashed password. Use `htpasswd` as follows
|
||||||
|
|
||||||
```
|
```
|
||||||
mkpasswd -m sha-512 "super secret password"
|
nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
|
||||||
```
|
```
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
@ -171,11 +171,11 @@ in
|
||||||
};
|
};
|
||||||
description = ''
|
description = ''
|
||||||
The login account of the domain. Every account is mapped to a unix user,
|
The login account of the domain. Every account is mapped to a unix user,
|
||||||
e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as
|
e.g. `user1@example.com`. To generate the passwords use `htpasswd` as
|
||||||
follows
|
follows
|
||||||
|
|
||||||
```
|
```
|
||||||
mkpasswd -m sha-512 "super secret password"
|
nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
|
||||||
```
|
```
|
||||||
'';
|
'';
|
||||||
default = {};
|
default = {};
|
||||||
|
|
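Review bot: The command recommended in all three descriptions passes the password as an argument (`-b`), so it ends up in shell history and is visible in the process list while `htpasswd` runs. Dropping `-b` makes `htpasswd` prompt for the password instead, e.g. `nix run nixpkgs.apacheHttpd -c htpasswd -nB "" | cut -d: -f2`. The README and documentation hunks of this commit repeat the same command. Separately, the `example` for `hashedPassword` is still a `$6$` SHA-512 crypt hash although the description now tells users to generate bcrypt; an example with htpasswd's `$2y$` prefix would match the text.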
|
@ -3,6 +3,10 @@ How to Add Radicale to SNM
|
||||||
|
|
||||||
Configuration by @dotlambda
|
Configuration by @dotlambda
|
||||||
|
|
||||||
|
Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
|
||||||
|
crypt passwords, as generated by `mkpasswd`, are no longer supported. Instead
|
||||||
|
bcrypt passwords have to be used which can be generated using `htpasswd`.
|
||||||
|
|
||||||
.. code:: nix
|
.. code:: nix
|
||||||
|
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
@ -24,7 +28,7 @@ Configuration by @dotlambda
|
||||||
[auth]
|
[auth]
|
||||||
type = htpasswd
|
type = htpasswd
|
||||||
htpasswd_filename = ${htpasswd}
|
htpasswd_filename = ${htpasswd}
|
||||||
htpasswd_encryption = crypt
|
htpasswd_encryption = bcrypt
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ Quick Start
|
||||||
domains = [ "example.com" "example2.com" ];
|
domains = [ "example.com" "example2.com" ];
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"user1@example.com" = {
|
"user1@example.com" = {
|
||||||
# mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location
|
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
|
||||||
hashedPasswordFile = "/hashed/password/file/location";
|
hashedPasswordFile = "/hashed/password/file/location";
|
||||||
|
|
||||||
aliases = [
|
aliases = [
|
||||||
|
|
|
@ -46,7 +46,7 @@ should be the most common ones.
|
||||||
domains = [ <domains> ];
|
domains = [ <domains> ];
|
||||||
|
|
||||||
# A list of all login accounts. To create the password hashes, use
|
# A list of all login accounts. To create the password hashes, use
|
||||||
# mkpasswd -m sha-512 "super secret password"
|
# nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
|
||||||
loginAccounts = {
|
loginAccounts = {
|
||||||
"user1@example.com" = {
|
"user1@example.com" = {
|
||||||
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
|
||||||
|
|
|
@ -70,7 +70,7 @@ let
|
||||||
|
|
||||||
cat <<EOF > ${passwdFile}
|
cat <<EOF > ${passwdFile}
|
||||||
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
|
||||||
"${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
|
"${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
|
||||||
+ (if lib.isString value.quota
|
+ (if lib.isString value.quota
|
||||||
then "userdb_quota_rule=*:storage=${value.quota}"
|
then "userdb_quota_rule=*:storage=${value.quota}"
|
||||||
else "")
|
else "")
|
||||||
|
|
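Review bot: If a password file is empty or unreadable, `$(head -n 1 …)` expands to nothing and the passwd line is still written, with an empty password field, because nothing visible here checks the result. Consider making the generation script fail in that case rather than emitting the entry; how the consumer of this file treats an empty field is not visible from the hunk. A short comment on why only the first line is taken would also help, e.g. `# htpasswd -n output ends with a blank line; keep only the hash line`, which is presumably the reason for the switch from `cat`. The enclosing script starts and ends outside the hunk.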
|
@ -29,8 +29,8 @@ let
|
||||||
|
|
||||||
hashPassword = password: pkgs.runCommand
|
hashPassword = password: pkgs.runCommand
|
||||||
"password-${password}-hashed"
|
"password-${password}-hashed"
|
||||||
{ buildInputs = [ pkgs.mkpasswd ]; } ''
|
{ buildInputs = [ pkgs.apacheHttpd ]; } ''
|
||||||
mkpasswd -m sha-512 ${password} > $out
|
htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
|
||||||
'';
|
'';
|
||||||
|
|
||||||
in
|
in
|
||||||
|
|
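Review bot: `"${password}"` is spliced into the build script by Nix before the shell sees it, so a password containing `"`, `$` or a backtick is interpreted by the shell rather than hashed literally. `htpasswd -nbB "" ${lib.escapeShellArg password} | cut -d: -f2 > $out` avoids that, assuming `lib` is in scope here, which the hunk does not show. The plaintext also stays in the derivation name `password-${password}-hashed` and in the world-readable store, which is acceptable only while this helper is confined to test fixtures. The second `hashPassword` definition in the following file section has the same line.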
|
@ -5,9 +5,9 @@
|
||||||
let
|
let
|
||||||
hashPassword = password: pkgs.runCommand
|
hashPassword = password: pkgs.runCommand
|
||||||
"password-${password}-hashed"
|
"password-${password}-hashed"
|
||||||
{ buildInputs = [ pkgs.mkpasswd ]; }
|
{ buildInputs = [ pkgs.apacheHttpd ]; }
|
||||||
''
|
''
|
||||||
mkpasswd -m sha-512 ${password} > $out
|
htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
|
||||||
'';
|
'';
|
||||||
|
|
||||||
password = pkgs.writeText "password" "password";
|
password = pkgs.writeText "password" "password";
|
||||||
|
|