services/cloudflare-dyndns: require that apiTokenFile be an api token #388853

Open
wants to merge 1 commit into
base: master

@jfly jfly commented Mar 11, 2025

Previously, this option was supposed to be a file of the form CLOUDFLARE_API_TOKEN=..., which has a few problems:

  • That's not an api token. It's an env file fit for passing to systemd's EnvironmentFile option. The user could typo the variable name, or intentionally/unintentionally include unrelated environment variables.
  • It's not how secret files usually work in NixOS. Secret files are usually just the secret, and don't leak details about how the secret is passed to the service.
  • This increases friction for people switching between cloudflare dyndns services, such as services.cloudflare-dyndns and services.cfdyndns, which both have an apiToken option, but (before this change) with different semantics.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.
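
An added example, not part of this pull request or of the nixpkgs module: a POSIX shell check an operator could run over an existing secret file before switching to the new semantics. It separates a bare token from the legacy `CLOUDFLARE_API_TOKEN=...` env file and from an env file with a mistyped or unrelated variable; the function names are hypothetical, and it assumes a token never itself looks like `NAME=value`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from nixpkgs.
# Assumes a real token never itself looks like NAME=value.

# Print one of: bare-token, legacy-env, env-file, malformed, empty, unreadable.
classify_token_file() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # Drop blank lines and '#' comments, both legal in a systemd EnvironmentFile.
    body=$(grep -v -E '^[[:space:]]*(#|$)' "$1" || true)
    [ -n "$body" ] || { echo empty; return 0; }
    total=$(printf '%s\n' "$body" | grep -c '' || true)
    assigns=$(printf '%s\n' "$body" | grep -c -E '^[A-Za-z_][A-Za-z0-9_]*=' || true)
    expected=$(printf '%s\n' "$body" | grep -c -E '^CLOUDFLARE_API_TOKEN=.' || true)
    if [ "$assigns" -eq 0 ]; then
        # No VAR= lines: a token is exactly one line with no whitespace in it.
        if [ "$total" -eq 1 ] && ! printf '%s' "$body" | grep -q '[[:space:]]'; then
            echo bare-token
        else
            echo malformed
        fi
    elif [ "$total" -eq 1 ] && [ "$expected" -eq 1 ]; then
        echo legacy-env      # the old documented form, and nothing else
    else
        echo env-file        # mistyped name or extra variables: needs a human
    fi
}

# Convert a legacy-env file ($1) into a bare-token file ($2, new files get 0600).
# Refuses anything that is not exactly the legacy form.
migrate_token_file() {
    [ "$(classify_token_file "$1")" = legacy-env ] || return 1
    ( umask 077
      grep -E '^CLOUDFLARE_API_TOKEN=' "$1" | cut -d= -f2- |
          sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/" > "$2" )
}

if [ $# -gt 0 ]; then classify_token_file "$1"; fi
```

A result of `env-file` is the case the description warns about: the file would have been accepted by `EnvironmentFile` while carrying a wrong variable name or extra variables.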


@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog 8.has: module (update) This PR changes an existing module in `nixos/` 8.has: documentation This PR adds or changes documentation labels Mar 11, 2025
@jfly jfly force-pushed the cloudflare-api-token-rework branch from d84c825 to 0f66f3b Compare March 11, 2025 00:06
@jfly jfly changed the title services/cloudflare-dyndns: require that apiTokenFile be a api token services/cloudflare-dyndns: require that apiTokenFile be an api token Mar 11, 2025
@jfly jfly force-pushed the cloudflare-api-token-rework branch from 0f66f3b to bf37f5e Compare March 11, 2025 00:10
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels Mar 11, 2025
@happysalada

I'm fine with this change, can you ping me again in 1 week? I just want to make sure other potential users of the service have time to have a look.
