From 6b8724f44137e85206980d83cf9c02a3a43f154b Mon Sep 17 00:00:00 2001
From: SebastianStork
Date: Thu, 18 Sep 2025 15:41:36 +0200
Subject: [PATCH] radicale: Use hashed instead of plain password
---
hosts/srv-private/secrets.json | 76 ++++++++++++++--------------
modules/system/services/radicale.nix | 6 +--
2 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/hosts/srv-private/secrets.json b/hosts/srv-private/secrets.json
index e869d2c..5423054 100644
--- a/hosts/srv-private/secrets.json
+++ b/hosts/srv-private/secrets.json
@@ -1,40 +1,40 @@ { - "seb-password": "ENC[AES256_GCM,data:5RF/qbpMl1zq0SAdDNyI4EaSkN7dwSyG2K8wsAs77tZEOQxNzNasLiuGeQwJdzNXVaVeIx53nWSGPtdYSBQjkGPN3Q+0YX/S+Q==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:tqmBxOc62IhJGxXvjzugYw==,type:str]", - "tailscale": { - "auth-key": "ENC[AES256_GCM,data:p/CZOdluFGXpY+Pqfd1XBQnjOo4bMYx4NNiEIVuLZXkEIJLQmXyQCpQ6jCszzcr6O6YIootcjyASyx3sFw==,iv:imh6BrNPf2jVQ6eVaB9Mt+gX9zGq6mHX1+9yhY/KzrI=,tag:Nh+fP6VqpxfZpx8LliY6tw==,type:str]", - "service-auth-key": "ENC[AES256_GCM,data:KLaSMrOXEeHI0RmKK83eTPjCsr07SMOJnk1ywmtg/VIire/629UYSIzOIu/AAeHxWUiUsku4ADzyAFnr6ak=,iv:1e7sWm+CEXOBt7p74b9O5Hhs5+NYv6v6QfdqiKHNn18=,tag:dql6J+VDZ3mAds1ogilceg==,type:str]" - }, - "restic": { - "password": "ENC[AES256_GCM,data:bHQGGxWLEeXtq/6Kcl8HzrEb8Z46WJwNQgNOJjZz,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:0og/qnjxvGsilAV2LWKSHw==,type:str]" - }, - "backblaze": { - "key-id": "ENC[AES256_GCM,data:tA0VKR3AhXqtHImTfiXDeIINCwkBxVNS/w==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:JPKf8qUzfXDXTqNUl95+2Q==,type:str]", - "application-key": "ENC[AES256_GCM,data:o1CFIZiPiuY1cdAFVQpmYRzog7/Lzu9sGbZqczd4vw==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:CIgb4GeFD/seHS0o7nxsgg==,type:str]" - }, - "healthchecks": { - "ping-key": "ENC[AES256_GCM,data:fUcldy97AWJOGIemkKwRzRNw5IUPzw==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:28ssHfDMjVnTG+GfBVjT2g==,type:str]" - }, - "syncthing": { - "cert": "ENC[AES256_GCM,data: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,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:OMtxG6KxSVQ2bbskeLIu1g==,type:str]", - "key": 
"ENC[AES256_GCM,data:Lg+YGdXdJxV/3ixMi46BL+m7WkU2yJZg0ygrGEQHsqdfQ0Lqawid/TCchdf3ep00tnF+NNcfhDy8qMZ/Qy4EBIMOHyEBmaAP7XhfumMncLGdxWXpAdtclvjjfrIwLZTH9F2wV79uo3Ir3FxLe/OS32pH3vTeERod/l1uOEfwksXXCOcZg1bTF9nxoxtwGrc2QnH3xYRgc2RNp344p+v2HApfy6ctkG/bWQjhJmi8a1aBGzwOVEeWptU+A/sP7C8kntZvjlMHnr+4Lkg7HxKGya7AnpqcgWGyPWhK/Sa5aKBBn9yZzIGxI7181UhyHYHMs+CJFxoH71RR+C45tXP2vey+hwVZUAZQb3Y8ZO+tZ1q9kWyzW+k0VIsRxyjctsPl,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:CChxY4hOHY/Yua3p1veoCw==,type:str]" - }, - "radicale": { - "admin-password": "ENC[AES256_GCM,data:7ih6SO+ZSMGo59i+VL00lOvXpbRBmd1fpbErwRft,iv:/qElkFDygxJvcQKLIoQph3WyeWdtSx9DquuDs/x8HPU=,tag:zIWEaS93VNY4ulOXh45hHQ==,type:str]" - }, - "sops": { - "age": [ - { - "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdEtRd2R6YzVUS0xtOUFM\nSmg2L0x0WnhrazN6dlNGK295OWFvNlV4ekY0CnpCQmtRSjErZlk3UUFuR2R3Yy9P\nREtRcEg2Y09WSFJkbWNwcVRJNnpRWVUKLS0tIHdpOWZBVlhrR203Q05tVXR4eTdV\nRzVHRncrdWV2eGtBUnl0SjhDTm1mWWsKH8YnoFLn8GZehS60rpWZ0dTtOKxpMOPM\ny0266elas/kr+w0DRlBH1HdtXv+kwo22KK3t/Q966Fkc5rxCYa++CQ==\n-----END AGE ENCRYPTED FILE-----\n" - }, - { - "recipient": "age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcGVRNzRrM2RTeFJScDBR\nZUFSOUd2dXhZaGh3TDdVYVdWZVBYYjNDUm5nCnl3RHJBM0F0RUlIWjJ3ZEVRVEVI\neXZMSVkvbU1Qamc0VGZIeW1lekVTeFEKLS0tIHVpTGtoSytuZFlIdzBtNEI0a1lh\naURRQUR4cVBhNmRFOTQ2MFdBN3p3OEkKJjy8KnruglNwYOuOcWIspJZq3+0VqHGx\nV6cldtjSabCks3xtTUYjvb8/mMwHT1ANW/bRkJ/BrBClZGGEM3hZgQ==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-09-17T20:40:25Z", - "mac": 
"ENC[AES256_GCM,data:QOG+QD86rh+GB+9fFD8JENzHocBMAG4fVPcY/KRK7kVpOPVAsNOy+AOiOMfGPoZw4yB5SjK65sd2py+KwIdGsveGxKlksMsgh55zLCswlM4hJ+IAFiC6DlSC1AIZY58fRyraOMjvDEnYj3Erv9DscdUna9hUpbMmNn9MSR2Gk/U=,iv:I6UV6V9N5i+y3xa7UWa8eoqoWEhGEejjhqe7hW5ayrI=,tag:ey9A5vrA/u3aJ4CH/S8fgw==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } + "seb-password": "ENC[AES256_GCM,data:5RF/qbpMl1zq0SAdDNyI4EaSkN7dwSyG2K8wsAs77tZEOQxNzNasLiuGeQwJdzNXVaVeIx53nWSGPtdYSBQjkGPN3Q+0YX/S+Q==,iv:GpBQNm1jspU8PCN+SzfAUKSps3YySg6JJVYOLOFetOI=,tag:tqmBxOc62IhJGxXvjzugYw==,type:str]", + "tailscale": { + "auth-key": "ENC[AES256_GCM,data:p/CZOdluFGXpY+Pqfd1XBQnjOo4bMYx4NNiEIVuLZXkEIJLQmXyQCpQ6jCszzcr6O6YIootcjyASyx3sFw==,iv:imh6BrNPf2jVQ6eVaB9Mt+gX9zGq6mHX1+9yhY/KzrI=,tag:Nh+fP6VqpxfZpx8LliY6tw==,type:str]", + "service-auth-key": "ENC[AES256_GCM,data:KLaSMrOXEeHI0RmKK83eTPjCsr07SMOJnk1ywmtg/VIire/629UYSIzOIu/AAeHxWUiUsku4ADzyAFnr6ak=,iv:1e7sWm+CEXOBt7p74b9O5Hhs5+NYv6v6QfdqiKHNn18=,tag:dql6J+VDZ3mAds1ogilceg==,type:str]" + }, + "restic": { + "password": "ENC[AES256_GCM,data:bHQGGxWLEeXtq/6Kcl8HzrEb8Z46WJwNQgNOJjZz,iv:q5qJkB3+feZyEm778hKI8ikNz9/9dj+Z1hda6M4eHfQ=,tag:0og/qnjxvGsilAV2LWKSHw==,type:str]" + }, + "backblaze": { + "key-id": "ENC[AES256_GCM,data:tA0VKR3AhXqtHImTfiXDeIINCwkBxVNS/w==,iv:TEtsDdGmB5MVuIOPVr6UxOaLAfbGKOeZxXwaW86X+t8=,tag:JPKf8qUzfXDXTqNUl95+2Q==,type:str]", + "application-key": "ENC[AES256_GCM,data:o1CFIZiPiuY1cdAFVQpmYRzog7/Lzu9sGbZqczd4vw==,iv:UTn1iz3fTCVleFSe1yP6fOJB4DKKQJEG7naZclJ+i2M=,tag:CIgb4GeFD/seHS0o7nxsgg==,type:str]" + }, + "healthchecks": { + "ping-key": "ENC[AES256_GCM,data:fUcldy97AWJOGIemkKwRzRNw5IUPzw==,iv:caY1tuMTxNyl8USsgKiSuAOIczvn/Xdx6Taj7BQRCyE=,tag:28ssHfDMjVnTG+GfBVjT2g==,type:str]" + }, + "syncthing": { + "cert": "ENC[AES256_GCM,data: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,iv:bJfo1JZ8muYmxoZfCx3x40DOrnstSChjUnzF+ZJjc2s=,tag:OMtxG6KxSVQ2bbskeLIu1g==,type:str]", + "key": 
"ENC[AES256_GCM,data:Lg+YGdXdJxV/3ixMi46BL+m7WkU2yJZg0ygrGEQHsqdfQ0Lqawid/TCchdf3ep00tnF+NNcfhDy8qMZ/Qy4EBIMOHyEBmaAP7XhfumMncLGdxWXpAdtclvjjfrIwLZTH9F2wV79uo3Ir3FxLe/OS32pH3vTeERod/l1uOEfwksXXCOcZg1bTF9nxoxtwGrc2QnH3xYRgc2RNp344p+v2HApfy6ctkG/bWQjhJmi8a1aBGzwOVEeWptU+A/sP7C8kntZvjlMHnr+4Lkg7HxKGya7AnpqcgWGyPWhK/Sa5aKBBn9yZzIGxI7181UhyHYHMs+CJFxoH71RR+C45tXP2vey+hwVZUAZQb3Y8ZO+tZ1q9kWyzW+k0VIsRxyjctsPl,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:CChxY4hOHY/Yua3p1veoCw==,type:str]" + }, + "radicale": { + "seb-password": "ENC[AES256_GCM,data:0r9+B52+U2cI7WaHvQJAv03UPS149AcBaUq65943npP0+97sFEm/58egtqHjW5WRaBkUnP6dnFSSQwQn,iv:x95hIJKqvqZPryccTsl5b7uL4xyK192Hwla1HUWDCB4=,tag:7desX0XrW5xuwgTvvrsYSA==,type:str]" + }, + "sops": { + "age": [ + { + "recipient": "age1mpq8m4p7dnxh5ze3fh7etd2k6sp85zdnmp9te3e9chcw4pw07pcq960zh5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmdEtRd2R6YzVUS0xtOUFM\nSmg2L0x0WnhrazN6dlNGK295OWFvNlV4ekY0CnpCQmtRSjErZlk3UUFuR2R3Yy9P\nREtRcEg2Y09WSFJkbWNwcVRJNnpRWVUKLS0tIHdpOWZBVlhrR203Q05tVXR4eTdV\nRzVHRncrdWV2eGtBUnl0SjhDTm1mWWsKH8YnoFLn8GZehS60rpWZ0dTtOKxpMOPM\ny0266elas/kr+w0DRlBH1HdtXv+kwo22KK3t/Q966Fkc5rxCYa++CQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1qz04yg4h4g22wxqca2pd5k0z574223f6m5c9jy5ny37nlgcd6u4styf06t", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcGVRNzRrM2RTeFJScDBR\nZUFSOUd2dXhZaGh3TDdVYVdWZVBYYjNDUm5nCnl3RHJBM0F0RUlIWjJ3ZEVRVEVI\neXZMSVkvbU1Qamc0VGZIeW1lekVTeFEKLS0tIHVpTGtoSytuZFlIdzBtNEI0a1lh\naURRQUR4cVBhNmRFOTQ2MFdBN3p3OEkKJjy8KnruglNwYOuOcWIspJZq3+0VqHGx\nV6cldtjSabCks3xtTUYjvb8/mMwHT1ANW/bRkJ/BrBClZGGEM3hZgQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-09-18T13:35:54Z", + "mac": 
"ENC[AES256_GCM,data:bzM1Z/7KtQTPKrDDuHkFWEZnA4mPwDo+eDwcKpboyKJbZsyIi0Qnk+Wm4bTl6KTIg1gZtbGnO050D4cnUL/kxzlbaXCN1GB7wEBe7RSNS3vuel8TEsd/XbfEIzoxo7slNsUMnrg+4eKQwxOPGBsI93ulZHSHpArr/3MBkj7aNck=,iv:NT0WMuL8fqJjzRZNmhxqm1Ymw1n7a3a+umxiuIJPmgE=,tag:aJoFjoYrj2m+7v2i4WcO6g==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } }
diff --git a/modules/system/services/radicale.nix b/modules/system/services/radicale.nix
index 287e32f..ad644db 100644
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@@ -29,10 +29,10 @@ in
 };
 sops = {
- secrets."radicale/admin-password" = { };
+ secrets."radicale/seb-password" = { };
 templates."radicale/htpasswd" = {
 owner = config.users.users.radicale.name;
- content = "seb:${config.sops.placeholder."radicale/admin-password"}";
+ content = "seb:${config.sops.placeholder."radicale/seb-password"}";
 restartUnits = [ "radicale.service" ];
 };
 };
@@ -44,7 +44,7 @@ in
 auth = {
 type = "htpasswd";
 htpasswd_filename = config.sops.templates."radicale/htpasswd".path;
- htpasswd_encryption = "plain";
+ htpasswd_encryption = "bcrypt";
 };
 storage.filesystem_folder = "/var/lib/radicale/collections";
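Review bot: The secret `radicale/seb-password` is written verbatim after `seb:` into the htpasswd template, so with the second hunk's switch to bcrypt its value has to be a bcrypt hash, yet the name still reads as a plaintext password and nothing in the `sops` block says otherwise. A plaintext value stored there later would produce an htpasswd line that presumably fails every login, which is hard to diagnose from the config alone. I would add a comment above the secret, e.g. `# value is a bcrypt hash in htpasswd format, never the plaintext password`, or rename it to something like `radicale/seb-password-hash`.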
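Review bot: `htpasswd_encryption = "bcrypt"` in the `auth` block makes Radicale depend on a bcrypt implementation being importable at runtime, and the hunk does not show where that comes from; upstream documents bcrypt support as an optional extra. It is worth confirming that the packaged service ships it, and recording the requirement next to the setting, e.g. `# needs the bcrypt module in Radicale's Python environment`. The enclosing settings attribute set starts outside the hunk, so an override elsewhere in the module cannot be ruled out from here.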