Unverified Commit bfc202f8 authored by Felix Bühler's avatar Felix Bühler Committed by GitHub

nixos/oink: update service options to pass secrets via file (#457573)

parents d66143a3 34870c39
+2 −0
@@ -225,6 +225,8 @@

- `rocmPackages.triton` has been removed in favor of `python3Packages.triton`.

- `oink` service no longer accepts `settings.apiKey` and `settings.secretApiKey` options as these have been replaced by `apiKeyFile` and `secretApiKeyFile`.

- `linpinyin`, which is used for Chinese character input, has migrated from the unmaintained BDB database format to the newer KyotoCabinet database format. If you want to migrate your user input statistics you can consider using [bdbtokyotodb](https://codeberg.org/raboof/bdbtokyotodb).

- `go-mockery` has been updated to v3. For migration instructions see the [upstream documentation](https://vektra.github.io/mockery/latest/v3/). If v2 is still required `go-mockery_v2` has been added but will be removed on or before 2029-12-31 in-line with its [upstream support lifecycle](https://vektra.github.io/mockery/)
+28 −9
@@ -20,15 +20,17 @@ in
  options.services.oink = {
    enable = lib.mkEnableOption "Oink, a dynamic DNS client for Porkbun";
    package = lib.mkPackageOption pkgs "oink" { };
    settings = {
      apiKey = lib.mkOption {
        type = lib.types.str;
        description = "API key to use when modifying DNS records.";
    apiKeyFile = lib.mkOption {
      type = lib.types.path;
      example = "/run/keys/oink-api-key";
      description = "Path to a file containing the API key to use when modifying DNS records.";
    };
      secretApiKey = lib.mkOption {
        type = lib.types.str;
        description = "Secret API key to use when modifying DNS records.";
    secretApiKeyFile = lib.mkOption {
      type = lib.types.path;
      example = "/run/keys/oink-secret-api-key";
      description = "Path to a file containing the secret API key to use when modifying DNS records.";
    };
    settings = {
      interval = lib.mkOption {
        # https://github.com/rlado/oink/blob/v1.1.1/src/main.go#L364
        type = lib.types.ints.between 60 172800; # 48 hours
@@ -79,12 +81,29 @@ in
    };
  };

  imports = [
    (lib.mkRemovedOptionModule [ "services" "oink" "settings" "apiKey" ] ''
      This option has been removed because it would make the API key world-readable.
      Use {option}`apiKeyFile` instead.
      If you insist on keeping the API key world-readable, you can use `oink.apiKeyFile = pkgs.writeText "api-key" "secret";`.
    '')
    (lib.mkRemovedOptionModule [ "services" "oink" "settings" "secretApiKey" ] ''
      This option has been removed because it would make the API key world-readable.
      Use {option}`secretApiKeyFile` instead.
      If you insist on keeping the API key world-readable, you can use `oink.secretApiKeyFile = pkgs.writeText "secret-api-key" "secret";`.
    '')
  ];
  config = lib.mkIf cfg.enable {
    systemd.services.oink = {
      description = "Dynamic DNS client for Porkbun";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      script = "${cfg.package}/bin/oink -c ${oinkConfig}";
      script =
        lib.optionalString (cfg.apiKeyFile != null) "OINK_OVERRIDE_APIKEY=\"$(cat ${cfg.apiKeyFile})\" "
        + lib.optionalString (
          cfg.secretApiKeyFile != null
        ) "OINK_OVERRIDE_SECRETAPIKEY=\"$(cat ${cfg.secretApiKeyFile})\" "
        + "${cfg.package}/bin/oink -c ${oinkConfig}";
      serviceConfig = {
        Restart = "on-failure";
        RestartSec = "10";
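Review bot: The `cfg.apiKeyFile != null` and `cfg.secretApiKeyFile != null` guards in `script` cannot be false as the options are declared in the first hunk, since both are `lib.types.path` with no default; either drop the `lib.optionalString` wrappers or declare the options as `lib.types.nullOr lib.types.path` with `default = null`. The paths are also interpolated into the shell unquoted, so `$(cat ${lib.escapeShellArg cfg.apiKeyFile})` (and the same for `secretApiKeyFile`) would survive a path containing spaces. Because `lib.types.path` also accepts a Nix path literal, which string interpolation copies into the world-readable store, the two option descriptions should state that the value must be a string naming a file outside the Nix store. Loading the keys through `serviceConfig.LoadCredential` and reading them from `$CREDENTIALS_DIRECTORY` would also remove the need for the service user to have read access to the key files; `serviceConfig` continues past the end of this hunk, so whether it already does this is not visible here.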