nixos/ddclient: replace password with passwordFile option

2021-10-29 19:08:14 +02:00 · 2021-10-29 19:08:14 +02:00 · f880f906b9
commit f880f906b9
parent 7565e8eb32
3 changed files with 35 additions and 21 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@ -1183,6 +1183,13 @@ Superuser created successfully.
          <link xlink:href="options.html#opt-virtualisation.additionalPaths"><literal>virtualisation.additionalPaths</literal></link>.
        </para>
      </listitem>
      <listitem>
        <para>
          The <literal>services.ddclient.password</literal> option was
          removed, and replaced with
          <literal>services.ddclient.passwordFile</literal>.
        </para>
      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-21.11-notable-changes">
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@ -365,6 +365,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `virtualisation.pathsInNixDB` option was renamed
  [`virtualisation.additionalPaths`](options.html#opt-virtualisation.additionalPaths).
 - The `services.ddclient.password` option was removed, and replaced with `services.ddclient.passwordFile`.
 ## Other Notable Changes {#sec-release-21.11-notable-changes}
--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@ -4,14 +4,16 @@ let
  cfg = config.services.ddclient;
  boolToStr = bool: if bool then "yes" else "no";
  dataDir = "/var/lib/ddclient";
  StateDirectory = builtins.baseNameOf dataDir;
  RuntimeDirectory = StateDirectory;
-  configText = ''
+  configFile' = pkgs.writeText "ddclient.conf" ''
    # This file can be used as a template for configFile or is automatically generated by Nix options.
    cache=${dataDir}/ddclient.cache
    foreground=YES
    use=${cfg.use}
    login=${cfg.username}
-    password=${cfg.password}
+    password=
    protocol=${cfg.protocol}
    ${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
    ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
@ -24,6 +26,7 @@ let
    ${cfg.extraConfig}
    ${lib.concatStringsSep "," cfg.domains}
  '';
  configFile = if (cfg.configFile != null) then cfg.configFile else configFile';
 in
@ -37,6 +40,7 @@ with lib;
        let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
        in if value != "" then [ value ] else []))
    (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
    (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
  ];
  ###### interface
@ -69,11 +73,11 @@ with lib;
        '';
      };
-      password = mkOption {
+      passwordFile = mkOption {
-        default = "";
+        default = null;
-        type = str;
+        type = nullOr str;
        description = ''
-          Password. WARNING: The password becomes world readable in the Nix store.
+          A file containing the password.
        '';
      };
@ -87,12 +91,11 @@ with lib;
      };
      configFile = mkOption {
-        default = "/etc/ddclient.conf";
+        default = null;
-        type = path;
+        type = nullOr path;
        description = ''
          Path to configuration file.
-          When set to the default '/etc/ddclient.conf' it will be populated with the various other options in this module. When it is changed (for example: '/root/nixos/secrets/ddclient.conf') the file read directly to configure ddclient. This is a source of impurity.
+          When set this overrides the generated configuration from module options.
          The purpose of this is to avoid placing secrets into the store.
        '';
        example = "/root/nixos/secrets/ddclient.conf";
      };
@ -184,26 +187,28 @@ with lib;
  ###### implementation
  config = mkIf config.services.ddclient.enable {
    environment.etc."ddclient.conf" = {
      enable = cfg.configFile == "/etc/ddclient.conf";
      mode = "0600";
      text = configText;
    };
    systemd.services.ddclient = {
      description = "Dynamic DNS Client";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
-      restartTriggers = [ config.environment.etc."ddclient.conf".source ];
+      restartTriggers = optional (cfg.configFile != null) cfg.configFile;
-      serviceConfig = rec {
+      serviceConfig = {
        DynamicUser = true;
-        RuntimeDirectory = StateDirectory;
+        inherit RuntimeDirectory;
-        StateDirectory = builtins.baseNameOf dataDir;
+        inherit StateDirectory;
        Type = "oneshot";
        ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m666 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf";
        ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
      };
      preStart = ''
        install -m 600 ${configFile} /run/${RuntimeDirectory}/ddclient.conf
        ${optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
          password=$(head -n 1 ${cfg.passwordFile})
          sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
        '' else ''
          sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
        '')}
      '';
    };
    systemd.timers.ddclient = {