talexander/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Releases Activity

services/cloudflare-dyndns: require that apiTokenFile be an api token

Browse Source 
Previously, this option was supposed to be a file of the form
`CLOUDFLARE_API_TOKEN=...`, which has a few problems:

- That's not an api token. It's an env file fit for passing to systemd's
  `EnvironmentFile` option. The user could typo the variable name, or
  intentionally/unintentionally include unrelated environment variables.
- It's not how secret files usually work in NixOS. Secret files are
  usually just the secret, and don't leak details about how the secret
  is passed to the service.
- This increases friction for people switching between cloudflare dyndns
  services, such as `services.cloudflare-dyndns` and
  `services.cfdyndns`, which both have a `apiToken` option, but (before
  this change) with different semantics.
This commit is contained in:
Jeremy Fleischman 2025-03-10 16:58:13 -07:00
parent 269a2c324e
commit 9c02a1e422
No known key found for this signature in database
2 changed files with 34 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nixos/doc/manual/release-notes/rl-2505.section.md
View File

@ -227,6 +227,8 @@
- `pkgs.nextcloud28` has been removed since it's out of support upstream.
- `services.cloudflare-dyndns.apiTokenFile` now must be just your Cloudflare api token. Previously it was supposed to be a file of the form `CLOUDFLARE_API_TOKEN=...`.
- `buildGoModule` now passes environment variables via the `env` attribute. `CGO_ENABLED` should now be specified with `env.CGO_ENABLED` when passing to buildGoModule. Direct specification of `CGO_ENABLED` is now redirected by a compatibility layer with a warning, but will become an error in future releases.
Go-related environment variables previously shadowed by `buildGoModule` now results in errors when specified directly. Such variables include `GOOS` and `GOARCH`.

47
nixos/modules/services/networking/cloudflare-dyndns.nix
View File

@ -15,12 +15,13 @@ in
package = lib.mkPackageOption pkgs "cloudflare-dyndns" { };
apiTokenFile = lib.mkOption {
type = lib.types.nullOr lib.types.str;
default = null;
type = lib.types.pathWith {
absolute = true;
inStore = false;
};
description = ''
The path to a file containing the CloudFlare API token.
The file must have the form `CLOUDFLARE_API_TOKEN=...`
'';
};
@ -91,19 +92,35 @@ in
Type = "simple";
DynamicUser = true;
StateDirectory = "cloudflare-dyndns";
EnvironmentFile = cfg.apiTokenFile;
Environment = [ "XDG_CACHE_HOME=%S/cloudflare-dyndns/.cache" ];
ExecStart =
let
args =
[ "--cache-file /var/lib/cloudflare-dyndns/ip.cache" ]
++ (if cfg.ipv4 then [ "-4" ] else [ "-no-4" ])
++ (if cfg.ipv6 then [ "-6" ] else [ "-no-6" ])
++ lib.optional cfg.deleteMissing "--delete-missing"
++ lib.optional cfg.proxied "--proxied";
in
"${lib.getExe cfg.package} ${toString args}";
LoadCredential = [
"apiToken:${cfg.apiTokenFile}"
];
};
script =
let
args =
[ "--cache-file /var/lib/cloudflare-dyndns/ip.cache" ]
++ (if cfg.ipv4 then [ "-4" ] else [ "-no-4" ])
++ (if cfg.ipv6 then [ "-6" ] else [ "-no-6" ])
++ lib.optional cfg.deleteMissing "--delete-missing"
++ lib.optional cfg.proxied "--proxied";
in
''
export CLOUDFLARE_API_TOKEN=$(< "''${CREDENTIALS_DIRECTORY}/apiToken")
# Added 2025-03-10: `cfg.apiTokenFile` used to be passed as an
# `EnvironmentFile` to the service, which required it to be of
# the form "CLOUDFLARE_API_TOKEN=" rather than just the secret.
# If we detect this legacy usage, error out.
if [[ $CLOUDFLARE_API_TOKEN == CLOUDFLARE_API_TOKEN* ]]; then
echo "Error: your api token starts with 'CLOUDFLARE_API_TOKEN='. Remove that, and instead specify just the token." >&2
exit 1
fi
exec ${lib.getExe cfg.package} ${toString args}
'';
}
// lib.optionalAttrs (cfg.frequency != null) {
startAt = cfg.frequency;