-
-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/duckdns: init module #294489
base: master
Are you sure you want to change the base?
nixos/duckdns: init module #294489
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Echoing the query string like this exposes the secret to all (unprivileged) processes on the system -- can we avoid that?
If not, please add a big warning in the option description.
You updated at the same time I commented 😀 However, the secret is still visible in process listings. |
I think "curl -K ./secret_params.txt ..." where secret_params.txt contains lines of "-d key=value" is the way to go. "replace-secret" in nixpkgs might help with securely preparing the file. (Untested.) |
Used the -K parameter and some shell redirection to hide the secrets in the process list |
Thanks! Please rebase / squash the commits and I can take another look. (I think those 11 commits are just fixups to the one "init" commit?) |
Done :) |
{ | ||
assertion = cfg.domains != null || cfg.domainsFile != null; | ||
message = "Either services.duckdns.domains or services.duckdns.domainsFile has to be defined"; | ||
} | ||
{ | ||
assertion = !(cfg.domains != null && cfg.domainsFile != null); | ||
message = "Only one of services.duckdns.domains and services.duckdns.domainsFile can be defined"; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I know this is about the third time someone has commented on these assertions. Hopefully final time.
{ | |
assertion = cfg.domains != null || cfg.domainsFile != null; | |
message = "Either services.duckdns.domains or services.duckdns.domainsFile has to be defined"; | |
} | |
{ | |
assertion = !(cfg.domains != null && cfg.domainsFile != null); | |
message = "Only one of services.duckdns.domains and services.duckdns.domainsFile can be defined"; | |
} | |
{ | |
assertion = lib.xor (cfg.domains != null) (cfg.domainsFile != null); | |
message = "Only one of services.duckdns.domains and services.duckdns.domainsFile can be defined"; | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think with the xor assert, the error message gets slightly confusing. I tried rewording it to One of services.duckdns.domains and services.duckdns.domainsFile must be defined, but not both
, but I'm not happy with that either. (Think of the case when neither is set.) So I think I prefer separate assert/message. (But no strong feelings, just ignore if you want.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On one hand, it feels overkill having two assertions to cover for what is essentially one assertion (or at least it is in my head), but you do have a good point about the error message. I'll leave the decision to the PR author. Sorry about the additional noise and iteration
dacff5c
to
5ad76ee
Compare
Description of changes
Added a Systemd service for updating DuckDNS domains
Things done
nix.conf
? (See Nix manual)sandbox = relaxed
sandbox = true
nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)Add a 👍 reaction to pull requests you find important.