Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/ddclient: replace password with passwordFile option #143705

Merged
merged 1 commit into from
Nov 2, 2021
Merged

nixos/ddclient: replace password with passwordFile option #143705

merged 1 commit into from
Nov 2, 2021

Conversation

felschr
Copy link
Member

@felschr felschr commented Oct 29, 2021
edited
Loading

Motivation for this change

#24288

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

@felschr felschr marked this pull request as ready for review October 29, 2021 17:47
@aanderse aanderse self-requested a review October 30, 2021 01:59
aanderse
aanderse reviewed Oct 30, 2021
View reviewed changes
Copy link
Member

@aanderse aanderse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome PR!

nixos/modules/services/networking/ddclient.nix Outdated Show resolved Hide resolved
@aanderse
Copy link
Member

aanderse commented Nov 2, 2021

Thanks @felschr!

All tested? Manual builds fine? ... time to merge?

@felschr
Copy link
Member Author

felschr commented Nov 2, 2021

Yes, I've tested various options locally, it all works as expected.
Manual should be fine as far as I can tell (first time I changed it). I invoked the update script after the markdown changes as required.
From my point, it's good to merge.

@aanderse aanderse merged commit 45891c5 into NixOS:master Nov 2, 2021
@aanderse
Copy link
Member

aanderse commented Nov 2, 2021

Great! Thank you for your contribution 🚀

@arcnmx
Copy link
Member

arcnmx commented Nov 6, 2021
edited
Loading

@felschr @aanderse Given that ddclient is DynamicUser=true and doesn't use a privileged ExecStartPre to generate the config, what are the intended permissions for passwordFile that would allow the service to read it without the password being world-readable?

EDIT: also configFile may contain passwords, and should be similarly handled.

@aanderse
Copy link
Member

aanderse commented Nov 6, 2021

@arcnmx I missed that! So this PR doesn't actually improve things... yet! Thanks for bringing this up.
@felschr can you please create a PR to utilize LoadCredential so the passwordFile can have secure permissions?

@arcnmx
Copy link
Member

arcnmx commented Nov 6, 2021

So this PR doesn't actually improve things... yet!

This is actually a regression, since previously a privileged ExecStartPre was used via "!"

@aanderse
Copy link
Member

aanderse commented Nov 6, 2021

@arcnmx if you're familiar with LoadCredential and can get to this before @felschr or myself, please feel free. Thanks!

@arcnmx arcnmx mentioned this pull request Nov 6, 2021
Merged
12 tasks
@felschr
Copy link
Member Author

felschr commented Nov 6, 2021

I'm very sorry for messing this up. Thank you so much, @arcnmx, for providing a fix.

@felschr felschr deleted the ddclient-password-file branch November 6, 2021 16:23
@Michcioperz Michcioperz mentioned this pull request Dec 3, 2021
Closed
@drupol drupol mentioned this pull request Aug 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aanderse aanderse aanderse left review comments

Assignees
No one assigned
Labels
6.topic: nixos 8.has: changelog 8.has: documentation 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@felschr @aanderse @arcnmx