movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-19 16:40:32 +03:00
Code Activity
nixpkgs/nixos/modules/services/networking/cloudflare-dyndns.nix
Jeremy Fleischman 9c02a1e422
services/cloudflare-dyndns: require that apiTokenFile be an api token 
Previously, this option was supposed to be a file of the form
`CLOUDFLARE_API_TOKEN=...`, which has a few problems:

- That's not an api token. It's an env file fit for passing to systemd's
  `EnvironmentFile` option. The user could typo the variable name, or
  intentionally/unintentionally include unrelated environment variables.
- It's not how secret files usually work in NixOS. Secret files are
  usually just the secret, and don't leak details about how the secret
  is passed to the service.
- This increases friction for people switching between cloudflare dyndns
  services, such as `services.cloudflare-dyndns` and
  `services.cfdyndns`, which both have a `apiToken` option, but (before
  this change) with different semantics.
2025-03-19 18:19:29 -05:00

129 lines
3.6 KiB
Nix
Raw Blame History

{
config,
pkgs,
lib,
...
}:
let
cfg = config.services.cloudflare-dyndns;
in
{
options = {
services.cloudflare-dyndns = {
enable = lib.mkEnableOption "Cloudflare Dynamic DNS Client";
package = lib.mkPackageOption pkgs "cloudflare-dyndns" { };
apiTokenFile = lib.mkOption {
type = lib.types.pathWith {
absolute = true;
inStore = false;
};
description = ''
The path to a file containing the CloudFlare API token.
'';
};
domains = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
List of domain names to update records for.
'';
};
frequency = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = "*:0/5";
description = ''
Run cloudflare-dyndns with the given frequency (see
{manpage}`systemd.time(7)` for the format).
If null, do not run automatically.
'';
};
proxied = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether this is a DNS-only record, or also being proxied through CloudFlare.
'';
};
ipv4 = lib.mkOption {
type = lib.types.bool;
default = true;
description = ''
Whether to enable setting IPv4 A records.
'';
};
ipv6 = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to enable setting IPv6 AAAA records.
'';
};
deleteMissing = lib.mkOption {
type = lib.types.bool;
default = false;
description = ''
Whether to delete the record when no IP address is found.
'';
};
};
};
config = lib.mkIf cfg.enable {
systemd.services.cloudflare-dyndns =
{
description = "CloudFlare Dynamic DNS Client";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
environment = {
CLOUDFLARE_DOMAINS = toString cfg.domains;
};
serviceConfig = {
Type = "simple";
DynamicUser = true;
StateDirectory = "cloudflare-dyndns";
Environment = [ "XDG_CACHE_HOME=%S/cloudflare-dyndns/.cache" ];
LoadCredential = [
"apiToken:${cfg.apiTokenFile}"
];
};
script =
let
args =
[ "--cache-file /var/lib/cloudflare-dyndns/ip.cache" ]
++ (if cfg.ipv4 then [ "-4" ] else [ "-no-4" ])
++ (if cfg.ipv6 then [ "-6" ] else [ "-no-6" ])
++ lib.optional cfg.deleteMissing "--delete-missing"
++ lib.optional cfg.proxied "--proxied";
in
''
export CLOUDFLARE_API_TOKEN=$(< "''${CREDENTIALS_DIRECTORY}/apiToken")
# Added 2025-03-10: `cfg.apiTokenFile` used to be passed as an
# `EnvironmentFile` to the service, which required it to be of
# the form "CLOUDFLARE_API_TOKEN=" rather than just the secret.
# If we detect this legacy usage, error out.
if [[ $CLOUDFLARE_API_TOKEN == CLOUDFLARE_API_TOKEN* ]]; then
echo "Error: your api token starts with 'CLOUDFLARE_API_TOKEN='. Remove that, and instead specify just the token." >&2
exit 1
fi
exec ${lib.getExe cfg.package} ${toString args}
'';
}
// lib.optionalAttrs (cfg.frequency != null) {
startAt = cfg.frequency;
};
};
}
View git blame Copy permalink