From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cCrhZ0THcz30LP for ; Fri, 29 Aug 2025 08:16:46 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cCrhY2Tf9z2xDp for ; Fri, 29 Aug 2025 08:16:45 +0000 (UTC) Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4cCrhX4cqwzLs for ; Fri, 29 Aug 2025 08:16:44 +0000 (UTC) Authentication-Results: mail01.ipfire.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=gQtsSzTj; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mail01.ipfire.org: domain of chris.v.anton@gmail.com designates 2607:f8b0:4864:20::1132 as permitted sender) smtp.mailfrom=chris.v.anton@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1756455404; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding:dkim-signature; bh=vl6UlywgAxN/D8Z3NGi0rNwkP/xfobHwL4IJKzULYQc=; b=EzBJ03N92BfZZoQlWrSizfzoQhtP+QDKEcsZvdmA44ICwV81tIg+AVkkyqLfxXQjQMkUEJ a004nHKwK2W2n/TTuTkmn7URdU939UksFyX8aphAcyDumXk0T1+QQt9xP9+T819Wi5sL44 mvS4V2ozTdybbS0nELihXXbQjyp1FrX0PwdXvaPO7wYrM6aBRB3GuLtvQUjjOsL5s+nML6 k8ZWerI6QbhiAqsz8lVNNUmEBEfuT3INlPuBTtauLI5fvggijzs2jL8f1JI8UkbhKJaDEw 2kKk7DNLzxuSd8pgM9Hbfq5M4dER3AreDwTgykFR+1BMXltXRPhNg69FJKHfAw== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=gQtsSzTj; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mail01.ipfire.org: domain of chris.v.anton@gmail.com designates 2607:f8b0:4864:20::1132 as permitted sender) smtp.mailfrom=chris.v.anton@gmail.com ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1756455404; a=rsa-sha256; cv=none; b=gegRgD89+H+27LVOpMHp4ApT9BdcNH9sURgazEmUPBFV7gwbSUsSQASIuV5Yjq/Dg942lP YaeZSQq04cB5/9BaJf5F6TG1VXxM/2ZVWTAAFaTNll10n6cvdyixm6uJNXtB4pvblBiMWw GdLHfKu48heiWnqTk+jBMZbZAIk79/0rNYGxlNwWAshjcz+SGwQxz0TU7A8t3Q4kh50B2E nwFCkaR12WdVdEyavlcLtMz2xIBp302kODelxa1v+6vv936Et1vzIWHWNIymRECXHbbxmC XgWuBuNH83I658gXYgeQavN0AIO4aW7hy7fHsmN9LI1DZQt73ZyD0qJbMMyHug== Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-71fab75fc97so13531767b3.3 for ; Fri, 29 Aug 2025 01:16:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1756455403; x=1757060203; darn=lists.ipfire.org; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vl6UlywgAxN/D8Z3NGi0rNwkP/xfobHwL4IJKzULYQc=; b=gQtsSzTjcjtPLjUW/KjQi+BAKVAQG9oWhkx2ImwRScKqWVNqP7j3keQfACJv3sN+z+ rh3HEJKDhwWbPSFs+xvYVz+sUPAMrXvfTaIYiPqAspLd76cGhr631jC6LMr+eN++ySDW A53Q/a+rgPfKhEPT6upvSVB/M92fMs3PabKbpm3TTzqicO+UHbi/snavEV9ll1JPdvdv j7YZhNSNT1GO128717MXkF96VuVqPS1nsqrVWviPgiG8VVBDiQjyp2BN4jgksbnCyRAi xQnEonTbMUYrSjrEir7s4p6IOLBtlrCLlkBstLHx6yhdvH7MfIBf9oqMw9s9lOIydJn9 ZLXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756455403; x=1757060203; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vl6UlywgAxN/D8Z3NGi0rNwkP/xfobHwL4IJKzULYQc=; b=nC3hntvHhl/GzoUhapXOp9bI+rDkQm5H6D8RqJcK+KQQgPe9wMnLN/liZ4GB9zkovf 1AeYsrEs8WSSk1i5vHNUwh9e9szQFzBLZ1hOYPxX3kWkR2CIshJNdQNL5F0jkyKATB4p WZRl0P+qRWNsMqHDV753u/dRebTKa2RMfpI5qtnPbINivR2VjqTyc73BiGKnCtecB33c WVzWuDlrVehT5ogT7Z1kDmTw6U5GLeQYfefNWcNCyC0u9xky2lHajiJQVUe1R8B0DGyO OjdhxmD/DiW7aP2N3NOULlu3HDBPtzUrFXnCSDp1I7H2vNOkFPk3eHinpwAWHQtuUfYJ 6/RQ== X-Gm-Message-State: AOJu0Yyo/YVFgngbbTqLuFmgcTr6OpXK0/iKtx7u+MjGqS/skEwXyTGL 9bxOugY98mwPj4k9h27niSrYG+ZYkcyq92Dprdhx+Q8tn9wYhdTbKl0+qmtFSCOuRpnU6x4/GGg v+2+FpG3v2OjA45BZBqWpIUz7z3R6Az3s4Pr5F/BURQ== X-Gm-Gg: ASbGncuCQWQpRkqDzakrlsW0uCR7IwedXmeODyUyo0QBhtX+iI0SecUwHltVe9xU9lZ XXeu1Do0nckQQHEF4qHxkmV9kSGMqvVKtdXwCWDz2HhLC9cnWbmC5PuC9FfYXTHumn9EO8wtnSY W5TWh8/U1vtNEpKnRIMvrDLFNJ6kj2UclRuxpzUZc5V0g1Mc1q7xQ8Hjwsgo1uLEup7VvUoyLbk ibJqDiyfW87ddFXX08= X-Google-Smtp-Source: AGHT+IHx6uUI1EWvkmXtpVkDyp77FIbn1JTYKSvWqQm2XNec00jK9Z/gCEH5klilx4CkXeiT7dVQ+IVenkZg66tgVLg= X-Received: by 2002:a05:690c:892:b0:71f:b944:1035 with SMTP id 00721157ae682-71fdc5313b3mr288118647b3.50.1756455402862; Fri, 29 Aug 2025 01:16:42 -0700 (PDT) Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 From: Chris Anton Date: Fri, 29 Aug 2025 03:16:32 -0500 X-Gm-Features: Ac12FXx3uTwYvMArPCdBr6aQah3fXYBy7c3-bdxo2qLTLlPdthTUGit9XiD-L0c Message-ID: Subject: [PATCH] ddns: add Cloudflare (v4) provider using API token To: ddns@lists.ipfire.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: mail01.haj.ipfire.org X-Rspamd-Queue-Id: 4cCrhX4cqwzLs X-Rspamd-Action: no action X-Spamd-Result: default: False [-5.84 / 11.00]; BAYES_HAM(-2.89)[99.55%]; SPF_REPUTATION_SPAM(2.28)[0.75968136624106]; R_DKIM_ALLOW(-1.67)[gmail.com:s=20230601]; NEURAL_HAM(-1.00)[-1.000]; DKIM_REPUTATION(-0.93)[-0.93496531228549]; IP_REPUTATION_HAM(-0.82)[asn: 15169(-0.04), country: US(-0.01), ip: 2607:f8b0:4864:20::(-0.77)]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FUZZY_RATELIMITED(0.00)[rspamd.com]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; ARC_NA(0.00)[]; FREEMAIL_FROM(0.00)[gmail.com]; FREEMAIL_ENVFROM(0.00)[gmail.com]; RCVD_TLS_LAST(0.00)[]; FROM_HAS_DN(0.00)[]; TAGGED_FROM(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[ddns@lists.ipfire.org]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MISSING_XM_UA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::1132:from]; DKIM_TRACE(0.00)[gmail.com:+]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1] From: faithinchaos21 <45313722+faithinchaos21@users.noreply.github.com> Date: Wed, 27 Aug 2025 01:22:46 -0500 Subject: [PATCH] ddns: add Cloudflare (v4) provider using API token MIME-Version: 1.0 Content-Type: text/plain; charset=3DUTF-8 Content-Transfer-Encoding: 8bit This adds a provider =E2=80=9Ccloudflare.com-v4=E2=80=9D that updates an A = record via Cloudflare=E2=80=99s v4 API using a Bearer token. The token is accepted from either =E2=80=98token=E2=80=99 or legacy =E2=80=98password=E2=80=99 fo= r UI compatibility. Tested on IPFire 2.29 / Core 196: - no-op if A already matches WAN IP - successful update when WAN IP changes - logs include CFv4 breadcrumbs for troubleshooting Signed-off-by: Chris Anton --- 563f089d0820bd61ad4aecac248d5cc1f2adfc81 src/ddns/providers.py | 121 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) diff --git a/src/ddns/providers.py b/src/ddns/providers.py index 59f9665..df0f3a9 100644 --- a/src/ddns/providers.py +++ b/src/ddns/providers.py @@ -341,6 +341,127 @@ def have_address(self, proto): return False +class DDNSProviderCloudflareV4(DDNSProvider): + """ + Cloudflare v4 API using a Bearer Token. + Put the API Token in the 'token' OR 'password' field of the DDNS entry= . + Optional in ddns.conf: + proxied =3D false|true (default false; keep false for WireGuard) + ttl =3D 1|60|120... (default 1 =3D 'automatic') + """ + handle =3D "cloudflare.com-v4" + name =3D "Cloudflare (v4)" + website =3D "https://www.cloudflare.com/" + protocols =3D ("ipv4",) + supports_token_auth =3D True + holdoff_failure_days =3D 0 + + def _bool(self, key, default=3DFalse): + v =3D str(self.get(key, default)).strip().lower() + return v in ("1", "true", "yes", "on") + + def update(self): + import json, urllib.request, urllib.error + + tok =3D self.get("token") or self.get("password") + if not tok: + raise DDNSConfigurationError("API Token (password/token) is missing.") + + proxied =3D self._bool("proxied", False) + try: + ttl =3D int(self.get("ttl", 1)) + except Exception: + ttl =3D 1 + + headers =3D { + "Authorization": "Bearer {0}".format(tok), + "Content-Type": "application/json", + "User-Agent": "IPFireDDNSUpdater/CFv4", + } + + # --- find zone --- + parts =3D self.hostname.split(".") + if len(parts) < 2: + raise DDNSRequestError("Hostname '{0}' is not a valid domain.".format(self.hostname)) + + zone_id =3D None + zone_name =3D None + for i in range(len(parts) - 1): + candidate =3D ".".join(parts[i:]) + url =3D f"https://api.cloudflare.com/client/v4/zones?name=3D{candidate}" + try: + req =3D urllib.request.Request(url, headers=3Dheaders, method=3D"GET") + with urllib.request.urlopen(req, timeout=3D20) as r: + data =3D json.loads(r.read().decode()) + except Exception as e: + raise DDNSUpdateError(f"Failed to query Cloudflare zones API: {e}") + + if data.get("success") and data.get("result"): + zone_id =3D data["result"][0]["id"] + zone_name =3D candidate + break + + if not zone_id: + raise DDNSRequestError(f"Could not find a Cloudflare Zone for '{self.hostname}'.") + + logger.info("CFv4: zone=3D%s id=3D%s", zone_name, zone_id) + + # --- get record --- + rec_url =3D f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=3DA= &name=3D{self.hostname}" + try: + req =3D urllib.request.Request(rec_url, headers=3Dheaders, method=3D"GET") + with urllib.request.urlopen(req, timeout=3D20) as r: + rec_data =3D json.loads(r.read().decode()) + except Exception as e: + raise DDNSUpdateError(f"Failed to query Cloudflare DNS records API: {e}") + + if not rec_data.get("success"): + errs =3D rec_data.get("errors") or [] + if any("Authentication error" in (e.get("message", "") or "") for e in errs): + raise DDNSAuthenticationError("Invalid API Token.") + raise DDNSUpdateError(f"Cloudflare API error finding record: {errs}") + + results =3D rec_data.get("result") or [] + if not results: + raise DDNSRequestError(f"No A record found for '{self.hostname}' in zone '{zone_name}'.") + + record_id =3D results[0]["id"] + stored_ip =3D results[0]["content"] + logger.info("CFv4: record_id=3D%s stored_ip=3D%s", record_id, stor= ed_ip) + + # --- compare IPs --- + current_ip =3D self.get_address("ipv4") + logger.info("CFv4: current_ip=3D%s vs stored_ip=3D%s", current_ip, stored_ip) + if current_ip =3D=3D stored_ip: + logger.info("CFv4: no update needed") + return + + # --- update --- + upd_url =3D f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_= id}" + payload =3D { + "type": "A", + "name": self.hostname, + "content": current_ip, + "ttl": ttl, + "proxied": proxied, + } + logger.info("CFv4: updating %s -> %s (proxied=3D%s ttl=3D%s)", self.hostname, current_ip, proxied, ttl) + + try: + req =3D urllib.request.Request( + upd_url, data=3Djson.dumps(payload).encode(), headers=3Dheaders, method=3D"PUT" + ) + with urllib.request.urlopen(req, timeout=3D20) as r: + upd =3D json.loads(r.read().decode()) + except Exception as e: + raise DDNSUpdateError(f"Failed to send update request to Cloudflare: {e}") + + if not upd.get("success"): + raise DDNSUpdateError(f"Cloudflare API error on update: {upd.get('errors')}") + + logger.info("CFv4: update ok for %s -> %s", self.hostname, current= _ip) + return + class DDNSProtocolDynDNS2(object): """