4ce76d9e1a
Couple of changes: - move home to /var/lib/ddclient so we can enable ProtectSystem=full - do not stick binary into systemPackages as it will only run as a daemon - run as dedicated user/group - document why we cannot run as type=forking (output is swallowed) - secure things by running with ProtectSystem and PrivateTmp - .pid file goes into /run/ddclient - let nix create the home directory instead of handling it manually - make the interval configurable
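{ config, pkgs, lib, ... }:

# NixOS module for ddclient (dynamic DNS updater).
#
# Either generates /etc/ddclient.conf from the options below, or points the
# daemon at a user-supplied file so that credentials stay out of the Nix
# store.  The daemon runs as its own system user with a few systemd
# sandboxing directives (ProtectSystem, PrivateTmp).

let
  cfg = config.services.ddclient;

  # ddclient spells its booleans as yes/no.
  boolToStr = bool: if bool then "yes" else "no";

  # Configuration rendered from the module options.  It is handed to
  # environment.etc as `text`, so its source file lives in the Nix store and
  # is world readable there regardless of the mode applied to the /etc copy
  # (this is what the `password` option warns about).
  configText = ''
    # This file can be used as a template for configFile or is automatically generated by Nix options.
    daemon=${toString cfg.interval}
    cache=${cfg.homeDir}/ddclient.cache
    pid=/run/ddclient/ddclient.pid
    foreground=NO
    use=${cfg.use}
    login=${cfg.username}
    password=${cfg.password}
    protocol=${cfg.protocol}
    ${lib.optionalString (cfg.server != "") "server=${cfg.server}"}
    ssl=${boolToStr cfg.ssl}
    wildcard=YES
    quiet=${boolToStr cfg.quiet}
    verbose=${boolToStr cfg.verbose}
    ${cfg.domain}
    ${cfg.extraConfig}
  '';
in

with lib;

{

  ###### interface

  options = {

    services.ddclient = with lib.types; {

      enable = mkOption {
        default = false;
        type = bool;
        description = ''
          Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org).
        '';
      };

      # Writable state (the ddclient cache file) lives here; the directory is
      # created by the user definition below (createHome).
      homeDir = mkOption {
        default = "/var/lib/ddclient";
        type = str;
        description = "Home directory for the daemon user.";
      };

      domain = mkOption {
        default = "";
        type = str;
        description = ''
          Domain name to synchronize.
        '';
      };

      username = mkOption {
        default = "";
        type = str;
        description = ''
          Username.
        '';
      };

      # Only used for the generated file; anything set here ends up in the
      # Nix store.  Use configFile to keep the secret out of the store.
      password = mkOption {
        default = "";
        type = str;
        description = ''
          Password. WARNING: The password becomes world readable in the Nix store.
        '';
      };

      # Passed verbatim as ddclient's `daemon=` setting.
      interval = mkOption {
        default = 600;
        type = int;
        description = "The interval at which to run the check and update.";
      };

      # Compared against the default as a string (see environment.etc below).
      # The value is interpolated into ExecStart, so it must be given as a
      # quoted string: an unquoted Nix path literal would be copied into the
      # world-readable Nix store, defeating the purpose of this option.
      configFile = mkOption {
        default = "/etc/ddclient.conf";
        type = path;
        description = ''
          Path to configuration file.
          When set to the default '/etc/ddclient.conf' it will be populated with the various other options in this module. When it is changed (for example: '/root/nixos/secrets/ddclient.conf') the file is read directly to configure ddclient. This is a source of impurity.
          The purpose of this is to avoid placing secrets into the store.
        '';
        example = "/root/nixos/secrets/ddclient.conf";
      };

      protocol = mkOption {
        default = "dyndns2";
        type = str;
        description = ''
          Protocol to use with dynamic DNS provider (see http://sourceforge.net/apps/trac/ddclient/wiki/Protocols).
        '';
      };

      # Empty string omits the server= line from the generated file.
      server = mkOption {
        default = "";
        type = str;
        description = ''
          Server address.
        '';
      };

      ssl = mkOption {
        default = true;
        type = bool;
        description = ''
          Whether to use SSL/TLS to connect to dynamic DNS provider.
        '';
      };

      extraConfig = mkOption {
        default = "";
        type = lines;
        description = ''
          Extra configuration. Contents will be added verbatim to the configuration file.
        '';
      };

      use = mkOption {
        default = "web, web=checkip.dyndns.com/, web-skip='Current IP Address: '";
        type = str;
        description = ''
          Method to determine the IP address to send to the dynamic DNS provider.
        '';
      };

      verbose = mkOption {
        default = true;
        type = bool;
        description = ''
          Print verbose information.
        '';
      };

      quiet = mkOption {
        default = false;
        type = bool;
        description = ''
          Print no messages for unnecessary updates.
        '';
      };

    };
  };


  ###### implementation

  config = mkIf config.services.ddclient.enable {

    # Dedicated unprivileged user/group so the daemon never runs as root.
    users = {
      extraGroups.ddclient.gid = config.ids.gids.ddclient;

      extraUsers.ddclient = {
        uid = config.ids.uids.ddclient;
        description = "ddclient daemon user";
        group = "ddclient";
        home = cfg.homeDir;
        # Let NixOS create homeDir (cache location) rather than doing it
        # by hand in the unit.
        createHome = true;
      };
    };

    # Only materialise the generated file when configFile still points at
    # the default.  uid/gid/mode protect the /etc copy; the source file in
    # the Nix store remains world readable.
    environment.etc."ddclient.conf" = {
      enable = cfg.configFile == "/etc/ddclient.conf";
      uid = config.ids.uids.ddclient;
      gid = config.ids.gids.ddclient;
      mode = "0600";
      text = configText;
    };

    systemd.services.ddclient = {
      description = "Dynamic DNS Client";
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      # Restart the daemon whenever the generated configuration changes.
      restartTriggers = [ config.environment.etc."ddclient.conf".source ];

      serviceConfig = {
        # /run/ddclient, owned by User/Group; holds the pid file named in
        # the configuration.
        RuntimeDirectory = "ddclient";
        # we cannot run in forking mode as it swallows all the program output
        Type = "simple";
        User = "ddclient";
        Group = "ddclient";
        # -foreground keeps the process attached for Type=simple; cfg.configFile
        # is interpolated here, which is why it must be a string, not a path
        # literal (see the configFile option).
        ExecStart = "${lib.getBin pkgs.ddclient}/bin/ddclient -foreground -file ${cfg.configFile}";
        # ProtectSystem=full mounts /usr, /boot and /etc read-only and
        # PrivateTmp gives the service its own /tmp; the only writable state
        # the daemon needs is homeDir and /run/ddclient.
        ProtectSystem = "full";
        PrivateTmp = true;
      };
    };
  };
}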