authorFelix Tenley <dev@felschr.com>2021-10-29 19:08:14 +0200
committerFelix Tenley <dev@felschr.com>2021-10-30 10:26:24 +0200
commitf880f906b93bb3729be8e3acd1adb3612327d4a3 (patch)
tree296acd7df3e0a278e0d4a7d89f7a1ca2342f2c35 /nixos/modules/services/networking/ddclient.nix
parent7565e8eb3278125807f7f7abafcd3232f77746d9 (diff)
nixos/ddclient: replace password with passwordFile option
Diffstat (limited to 'nixos/modules/services/networking/ddclient.nix')
-rw-r--r--nixos/modules/services/networking/ddclient.nix47
1 files changed, 26 insertions, 21 deletions
diff --git a/nixos/modules/services/networking/ddclient.nix b/nixos/modules/services/networking/ddclient.nix
index 7820eedd932..833b0cbcdcf 100644
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@@ -4,14 +4,16 @@ let
   cfg = config.services.ddclient;
   boolToStr = bool: if bool then "yes" else "no";
   dataDir = "/var/lib/ddclient";
+  StateDirectory = builtins.baseNameOf dataDir;
+  RuntimeDirectory = StateDirectory;
 
-  configText = ''
+  configFile' = pkgs.writeText "ddclient.conf" ''
     # This file can be used as a template for configFile or is automatically generated by Nix options.
     cache=${dataDir}/ddclient.cache
     foreground=YES
     use=${cfg.use}
     login=${cfg.username}
-    password=${cfg.password}
+    password=
     protocol=${cfg.protocol}
     ${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
     ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
@@ -24,6 +26,7 @@ let
     ${cfg.extraConfig}
     ${lib.concatStringsSep "," cfg.domains}
   '';
+  configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
 
 in
 
@@ -37,6 +40,7 @@ with lib;
         let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
         in if value != "" then [ value ] else []))
     (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
+    (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
   ];
 
   ###### interface
@@ -69,11 +73,11 @@ with lib;
         '';
       };
 
-      password = mkOption {
-        default = "";
-        type = str;
+      passwordFile = mkOption {
+        default = null;
+        type = nullOr str;
         description = ''
-          Password. WARNING: The password becomes world readable in the Nix store.
+          A file containing the password.
         '';
       };
 
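Review bot: The new passwordFile description on the `A file containing the password.` line leaves out how the file is consumed: only its first line is used (the implementation reads it with `head -n 1`), it is read when the service starts rather than at evaluation time, and it must be readable by the user the ddclient service runs as. Suggested wording: `A file containing the password; only the first line is used. It is read when the service starts, so it never enters the Nix store, but it must be readable by the ddclient service's user.`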
@@ -87,12 +91,11 @@ with lib;
       };
 
       configFile = mkOption {
-        default = "/etc/ddclient.conf";
-        type = path;
+        default = null;
+        type = nullOr path;
         description = ''
           Path to configuration file.
-          When set to the default '/etc/ddclient.conf' it will be populated with the various other options in this module. When it is changed (for example: '/root/nixos/secrets/ddclient.conf') the file read directly to configure ddclient. This is a source of impurity.
-          The purpose of this is to avoid placing secrets into the store.
+          When set this overrides the generated configuration from module options.
         '';
         example = "/root/nixos/secrets/ddclient.conf";
       };
@@ -184,26 +187,28 @@ with lib;
   ###### implementation
 
   config = mkIf config.services.ddclient.enable {
-    environment.etc."ddclient.conf" = {
-      enable = cfg.configFile == "/etc/ddclient.conf";
-      mode = "0600";
-      text = configText;
-    };
-
     systemd.services.ddclient = {
       description = "Dynamic DNS Client";
       wantedBy = [ "multi-user.target" ];
       after = [ "network.target" ];
-      restartTriggers = [ config.environment.etc."ddclient.conf".source ];
+      restartTriggers = optional (cfg.configFile != null) cfg.configFile;
 
-      serviceConfig = rec {
+      serviceConfig = {
         DynamicUser = true;
-        RuntimeDirectory = StateDirectory;
-        StateDirectory = builtins.baseNameOf dataDir;
+        inherit RuntimeDirectory;
+        inherit StateDirectory;
         Type = "oneshot";
-        ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m666 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf";
         ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
       };
+      preStart = ''
+        install -m 600 ${configFile} /run/${RuntimeDirectory}/ddclient.conf
+        ${optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
+          password=$(head -n 1 ${cfg.passwordFile})
+          sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
+        '' else ''
+          sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
+        '')}
+      '';
     };
 
     systemd.timers.ddclient = {
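Review bot: The substitution on the `sed -i "s/^password=$/password=$password/"` line places the secret in sed's argument vector, where other local processes can read it from /proc while sed runs, and a password containing `/`, `&` or `\` either breaks the expression or is written incorrectly into the config. A file-based replacement avoids both, e.g. `${pkgs.replace-secret}/bin/replace-secret '@password@' ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.conf` with the generated template carrying `password=@password@` instead of an empty value (that placeholder change belongs in the first hunk, and the `sed -i '/^password=$/d'` branch would match the placeholder line accordingly). Separately, the removed ExecStartPre ran with the `!` prefix; if preStart is emitted as a plain ExecStartPre it now runs as the DynamicUser, so both cfg.configFile and cfg.passwordFile must be readable by that transient user, which pushes users toward loosening permissions on the secret — worth either keeping a privileged copy step or stating the requirement in the option descriptions.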