nixos/ddclient: replace password with passwordFile option

3 years ago · f880f906b9
parent 7565e8eb32
commit f880f906b9
3 changed files with 35 additions and 21 deletions
--- a/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
@ -1183,6 +1183,13 @@ Superuser created successfully.
          <link xlink:href="options.html#opt-virtualisation.additionalPaths"><literal>virtualisation.additionalPaths</literal></link>.
        </para>
      </listitem>
+      <listitem>
+        <para>
+          The <literal>services.ddclient.password</literal> option was
+          removed, and replaced with
+          <literal>services.ddclient.passwordFile</literal>.
+        </para>
+      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="sec-release-21.11-notable-changes">
--- a/nixos/doc/manual/release-notes/rl-2111.section.md
+++ b/nixos/doc/manual/release-notes/rl-2111.section.md
@ -365,6 +365,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - The `virtualisation.pathsInNixDB` option was renamed
  [`virtualisation.additionalPaths`](options.html#opt-virtualisation.additionalPaths).

+- The `services.ddclient.password` option was removed, and replaced with `services.ddclient.passwordFile`.
+
 ## Other Notable Changes {#sec-release-21.11-notable-changes}


--- a/nixos/modules/services/networking/ddclient.nix
+++ b/nixos/modules/services/networking/ddclient.nix
@ -4,14 +4,16 @@ let
  cfg = config.services.ddclient;
  boolToStr = bool: if bool then "yes" else "no";
  dataDir = "/var/lib/ddclient";
+  StateDirectory = builtins.baseNameOf dataDir;
+  RuntimeDirectory = StateDirectory;

-  configText = ''
+  configFile' = pkgs.writeText "ddclient.conf" ''
    # This file can be used as a template for configFile or is automatically generated by Nix options.
    cache=${dataDir}/ddclient.cache
    foreground=YES
    use=${cfg.use}
    login=${cfg.username}
-    password=${cfg.password}
+    password=
    protocol=${cfg.protocol}
    ${lib.optionalString (cfg.script != "") "script=${cfg.script}"}
    ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
@ -24,6 +26,7 @@ let
    ${cfg.extraConfig}
    ${lib.concatStringsSep "," cfg.domains}
  '';
+  configFile = if (cfg.configFile != null) then cfg.configFile else configFile';

 in

@ -37,6 +40,7 @@ with lib;
        let value = getAttrFromPath [ "services" "ddclient" "domain" ] config;
        in if value != "" then [ value ] else []))
    (mkRemovedOptionModule [ "services" "ddclient" "homeDir" ] "")
+    (mkRemovedOptionModule [ "services" "ddclient" "password" ] "Use services.ddclient.passwordFile instead.")
  ];

  ###### interface
@ -69,11 +73,11 @@ with lib;
        '';
      };

-      password = mkOption {
-        default = "";
-        type = str;
+      passwordFile = mkOption {
+        default = null;
+        type = nullOr str;
        description = ''
-          Password. WARNING: The password becomes world readable in the Nix store.
+          A file containing the password.
        '';
      };

@ -87,12 +91,11 @@ with lib;
      };

      configFile = mkOption {
-        default = "/etc/ddclient.conf";
-        type = path;
+        default = null;
+        type = nullOr path;
        description = ''
          Path to configuration file.
-          When set to the default '/etc/ddclient.conf' it will be populated with the various other options in this module. When it is changed (for example: '/root/nixos/secrets/ddclient.conf') the file read directly to configure ddclient. This is a source of impurity.
-          The purpose of this is to avoid placing secrets into the store.
+          When set this overrides the generated configuration from module options.
        '';
        example = "/root/nixos/secrets/ddclient.conf";
      };
@ -184,26 +187,28 @@ with lib;
  ###### implementation

  config = mkIf config.services.ddclient.enable {
-    environment.etc."ddclient.conf" = {
-      enable = cfg.configFile == "/etc/ddclient.conf";
-      mode = "0600";
-      text = configText;
-    };
-
    systemd.services.ddclient = {
      description = "Dynamic DNS Client";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
-      restartTriggers = [ config.environment.etc."ddclient.conf".source ];
+      restartTriggers = optional (cfg.configFile != null) cfg.configFile;

-      serviceConfig = rec {
+      serviceConfig = {
        DynamicUser = true;
-        RuntimeDirectory = StateDirectory;
-        StateDirectory = builtins.baseNameOf dataDir;
+        inherit RuntimeDirectory;
+        inherit StateDirectory;
        Type = "oneshot";
-        ExecStartPre = "!${lib.getBin pkgs.coreutils}/bin/install -m666 ${cfg.configFile} /run/${RuntimeDirectory}/ddclient.conf";
        ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf";
      };
+      preStart = ''
+        install -m 600 ${configFile} /run/${RuntimeDirectory}/ddclient.conf
+        ${optionalString (cfg.configFile == null) (if (cfg.passwordFile != null) then ''
+          password=$(head -n 1 ${cfg.passwordFile})
+          sed -i "s/^password=$/password=$password/" /run/${RuntimeDirectory}/ddclient.conf
+        '' else ''
+          sed -i '/^password=$/d' /run/${RuntimeDirectory}/ddclient.conf
+        '')}
+      '';
    };

    systemd.timers.ddclient = {