From 8c57406bfb8e75bb1574a303941560cea207506e Mon Sep 17 00:00:00 2001
From: Benedikt Peetz <benedikt.peetz@b-peetz.de>
Date: Fri, 11 Apr 2025 11:57:54 +0200
Subject: modules/stalwart-mail: Explicitly list out valid password hashes

If a password hash does not match stalwart's know ones, it will just
treat it as plaintext. This is obviously very bad, and should be
avoided.
---
 modules/by-name/st/stalwart-mail/module.nix | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

(limited to 'modules/by-name')

diff --git a/modules/by-name/st/stalwart-mail/module.nix b/modules/by-name/st/stalwart-mail/module.nix
index 1e39e81..ec10188 100644
--- a/modules/by-name/st/stalwart-mail/module.nix
+++ b/modules/by-name/st/stalwart-mail/module.nix
@@ -61,7 +61,32 @@ in {
           };
 
           secret = lib.mkOption {
-            type = lib.types.str;
+            type = let
+              prefix = pre: lib.types.strMatching "^${lib.strings.escapeRegex pre}.*";
+            in
+              lib.types.oneOf [
+                (prefix "$argon2")
+                (prefix "$pbkdf2")
+                (prefix "$scrypt")
+                (prefix "$2") # bcrypt
+                (prefix "$6$") # sha-512
+                (prefix "$5$") # sha-256
+                (prefix "$sha1")
+                (prefix "$1") # md5
+                (prefix "_") # BSDi crypt
+                (prefix "{SHA}") # base64 sha
+                (prefix "{SSHA}") # base64 salted sha
+
+                # unix crypt
+                (prefix "{CRYPT}")
+                (prefix "{crypt}")
+
+                # Plain text
+                (prefix "{PLAIN}")
+                (prefix "{plain}")
+                (prefix "{CLEAR}")
+                (prefix "{clear}")
+              ];
             description = ''
               Sets the password for the user account.
               Passwords can be stored hashed or in plain text (not recommended).
-- 
cgit 1.4.1