Unverified Commit 40d35924 authored by Yt's avatar Yt Committed by GitHub

services/cloudflare-dyndns: require that apiTokenFile be an api token (#388853)

parents 55fc12ae 9c02a1e4
+2 −0
@@ -227,6 +227,8 @@

- `pkgs.nextcloud28` has been removed since it's out of support upstream.

- `services.cloudflare-dyndns.apiTokenFile` now must be just your Cloudflare api token. Previously it was supposed to be a file of the form `CLOUDFLARE_API_TOKEN=...`.

- `buildGoModule` now passes environment variables via the `env` attribute. `CGO_ENABLED` should now be specified with `env.CGO_ENABLED` when passing to buildGoModule. Direct specification of `CGO_ENABLED` is now redirected by a compatibility layer with a warning, but will become an error in future releases.

  Go-related environment variables previously shadowed by `buildGoModule` now results in errors when specified directly. Such variables include `GOOS` and `GOARCH`.
+32 −15
@@ -15,12 +15,13 @@ in
      package = lib.mkPackageOption pkgs "cloudflare-dyndns" { };

      apiTokenFile = lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        default = null;
        type = lib.types.pathWith {
          absolute = true;
          inStore = false;
        };

        description = ''
          The path to a file containing the CloudFlare API token.

          The file must have the form `CLOUDFLARE_API_TOKEN=...`
        '';
      };

@@ -91,9 +92,13 @@ in
          Type = "simple";
          DynamicUser = true;
          StateDirectory = "cloudflare-dyndns";
          EnvironmentFile = cfg.apiTokenFile;
          Environment = [ "XDG_CACHE_HOME=%S/cloudflare-dyndns/.cache" ];
          ExecStart =
          LoadCredential = [
            "apiToken:${cfg.apiTokenFile}"
          ];
        };

        script =
          let
            args =
              [ "--cache-file /var/lib/cloudflare-dyndns/ip.cache" ]
@@ -102,8 +107,20 @@ in
              ++ lib.optional cfg.deleteMissing "--delete-missing"
              ++ lib.optional cfg.proxied "--proxied";
          in
            "${lib.getExe cfg.package} ${toString args}";
        };
          ''
            export CLOUDFLARE_API_TOKEN=$(< "''${CREDENTIALS_DIRECTORY}/apiToken")

            # Added 2025-03-10: `cfg.apiTokenFile` used to be passed as an
            # `EnvironmentFile` to the service, which required it to be of
            # the form "CLOUDFLARE_API_TOKEN=" rather than just the secret.
            # If we detect this legacy usage, error out.
            if [[ $CLOUDFLARE_API_TOKEN == CLOUDFLARE_API_TOKEN* ]]; then
              echo "Error: your api token starts with 'CLOUDFLARE_API_TOKEN='. Remove that, and instead specify just the token." >&2
              exit 1
            fi

            exec ${lib.getExe cfg.package} ${toString args}
          '';
      }
      // lib.optionalAttrs (cfg.frequency != null) {
        startAt = cfg.frequency;