radicale: Use hashed instead of plain password

2026-01-21 17:31:34 +01:00 · 2025-09-18 15:41:36 +02:00 · 2025-09-18 15:41:36 +02:00 · 6b8724f441
commit 6b8724f441
parent 2240bc9c91
2 changed files with 41 additions and 41 deletions
--- a/hosts/srv-private/secrets.json
+++ b/hosts/srv-private/secrets.json
@ -19,7 +19,7 @@
 		"key": "ENC[AES256_GCM,data:Lg+YGdXdJxV/3ixMi46BL+m7WkU2yJZg0ygrGEQHsqdfQ0Lqawid/TCchdf3ep00tnF+NNcfhDy8qMZ/Qy4EBIMOHyEBmaAP7XhfumMncLGdxWXpAdtclvjjfrIwLZTH9F2wV79uo3Ir3FxLe/OS32pH3vTeERod/l1uOEfwksXXCOcZg1bTF9nxoxtwGrc2QnH3xYRgc2RNp344p+v2HApfy6ctkG/bWQjhJmi8a1aBGzwOVEeWptU+A/sP7C8kntZvjlMHnr+4Lkg7HxKGya7AnpqcgWGyPWhK/Sa5aKBBn9yZzIGxI7181UhyHYHMs+CJFxoH71RR+C45tXP2vey+hwVZUAZQb3Y8ZO+tZ1q9kWyzW+k0VIsRxyjctsPl,iv:IXlcy7FmBJHf6fP0B/HhkcGZxKUu3VivhFm8u3jYxkc=,tag:CChxY4hOHY/Yua3p1veoCw==,type:str]"
 	},
 	"radicale": {
-    "admin-password": "ENC[AES256_GCM,data:7ih6SO+ZSMGo59i+VL00lOvXpbRBmd1fpbErwRft,iv:/qElkFDygxJvcQKLIoQph3WyeWdtSx9DquuDs/x8HPU=,tag:zIWEaS93VNY4ulOXh45hHQ==,type:str]"
+		"seb-password": "ENC[AES256_GCM,data:0r9+B52+U2cI7WaHvQJAv03UPS149AcBaUq65943npP0+97sFEm/58egtqHjW5WRaBkUnP6dnFSSQwQn,iv:x95hIJKqvqZPryccTsl5b7uL4xyK192Hwla1HUWDCB4=,tag:7desX0XrW5xuwgTvvrsYSA==,type:str]"
 	},
 	"sops": {
 		"age": [
@ -32,8 +32,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpcGVRNzRrM2RTeFJScDBR\nZUFSOUd2dXhZaGh3TDdVYVdWZVBYYjNDUm5nCnl3RHJBM0F0RUlIWjJ3ZEVRVEVI\neXZMSVkvbU1Qamc0VGZIeW1lekVTeFEKLS0tIHVpTGtoSytuZFlIdzBtNEI0a1lh\naURRQUR4cVBhNmRFOTQ2MFdBN3p3OEkKJjy8KnruglNwYOuOcWIspJZq3+0VqHGx\nV6cldtjSabCks3xtTUYjvb8/mMwHT1ANW/bRkJ/BrBClZGGEM3hZgQ==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-    "lastmodified": "2025-09-17T20:40:25Z",
-    "mac": "ENC[AES256_GCM,data:QOG+QD86rh+GB+9fFD8JENzHocBMAG4fVPcY/KRK7kVpOPVAsNOy+AOiOMfGPoZw4yB5SjK65sd2py+KwIdGsveGxKlksMsgh55zLCswlM4hJ+IAFiC6DlSC1AIZY58fRyraOMjvDEnYj3Erv9DscdUna9hUpbMmNn9MSR2Gk/U=,iv:I6UV6V9N5i+y3xa7UWa8eoqoWEhGEejjhqe7hW5ayrI=,tag:ey9A5vrA/u3aJ4CH/S8fgw==,type:str]",
+		"lastmodified": "2025-09-18T13:35:54Z",
+		"mac": "ENC[AES256_GCM,data:bzM1Z/7KtQTPKrDDuHkFWEZnA4mPwDo+eDwcKpboyKJbZsyIi0Qnk+Wm4bTl6KTIg1gZtbGnO050D4cnUL/kxzlbaXCN1GB7wEBe7RSNS3vuel8TEsd/XbfEIzoxo7slNsUMnrg+4eKQwxOPGBsI93ulZHSHpArr/3MBkj7aNck=,iv:NT0WMuL8fqJjzRZNmhxqm1Ymw1n7a3a+umxiuIJPmgE=,tag:aJoFjoYrj2m+7v2i4WcO6g==,type:str]",
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.10.2"
 	}
--- a/modules/system/services/radicale.nix
+++ b/modules/system/services/radicale.nix
@ -29,10 +29,10 @@ in
    };

    sops = {
-      secrets."radicale/admin-password" = { };
+      secrets."radicale/seb-password" = { };
      templates."radicale/htpasswd" = {
        owner = config.users.users.radicale.name;
-        content = "seb:${config.sops.placeholder."radicale/admin-password"}";
+        content = "seb:${config.sops.placeholder."radicale/seb-password"}";
        restartUnits = [ "radicale.service" ];
      };
    };
@ -44,7 +44,7 @@ in
        auth = {
          type = "htpasswd";
          htpasswd_filename = config.sops.templates."radicale/htpasswd".path;
-          htpasswd_encryption = "plain";
+          htpasswd_encryption = "bcrypt";
        };
        storage.filesystem_folder = "/var/lib/radicale/collections";