Confused about passwordFile options

I’m a bit confused about how passwordFile options fit into the flake ecosystem and also about the contents of the users.users..passwordFile. Here are my questions

  1. As far as I can tell one of the flakes selling features is their hermetic or ‘pure’ evaluation of nix code which results in more reproducible outputs. This means that you can’t do things like readFile or fetchGit. However, it seems to me that passwordFile options are just as ‘impure’ as they rely on an external file that can change between evaluations thus producing different outputs. How is the passwordFile mechanism different?

  2. Are the contents of the passwordFile file copied to the nix store or only the path to the file?

  3. Regarding the users.users..passwordFile option, the docs say:

The file should contain exactly one line, which should be the password in an encrypted form that is suitable for the chpasswd -e command.

Would any type of encryption work? Will NixOS automatically recognize the encryption method used? I’ve seen people use mkpasswd -m sha-512 to generate the hash but I don’t know if it’s because Linux (or NixOS) uses sha-512 as the default algo for user login or it’s because you can use any algo you want. Is the algo used for user logins defined somewhere?

Thanks you.

passwordFile is not meant to be a path e.g. ./myfile but should be a file that exists at runtime on the system outside of the nix store for boot e.g. /my/location/to/the/hashedPasswordFile