From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4cBc1S5glYz30Hp for ; Wed, 27 Aug 2025 07:42:04 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4cBc1P1KTfz2xLt for ; Wed, 27 Aug 2025 07:42:01 +0000 (UTC) Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4cBc1M4WYlz2N for ; Wed, 27 Aug 2025 07:41:59 +0000 (UTC) Authentication-Results: mail01.ipfire.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=O5cQL9Zo; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mail01.ipfire.org: domain of chris.v.anton@gmail.com designates 2607:f8b0:4864:20::b35 as permitted sender) smtp.mailfrom=chris.v.anton@gmail.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.ipfire.org; s=202003rsa; t=1756280520; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding:dkim-signature; bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=; b=guZG378dvw/cSftNvOmX/zFmP2D/Qh2+s0RI+y+uvvTAzoh345L+T8xWresQYG70n3sZD8 D9QQvcwtVhNlJJ8Uc9Vhdsiw2Jx+fYASswzfM6EChFnOLrlPmkZ/FhAkD+ab495RrBTXpv BEEMAVgeQxpJjteiov0/KX1pnCfz/O9jXPd+hR657Gk0Hcjcs1UDy/j0Nj8wfmaOs2zYhX eOfaGw2mJ8xteTP/Y7ILQJf7V5x/Kf7KrhcDyDcmypQOMrJJtM5nJay+O5/KXvFvNoqN2L jTKLe3SWBd6jPBRQlBENhqoDPQHo+bKAgq/xuVibQSiPejLm9De8hP+OppqaxA== ARC-Authentication-Results: i=1; mail01.ipfire.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=O5cQL9Zo; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mail01.ipfire.org: domain of chris.v.anton@gmail.com designates 2607:f8b0:4864:20::b35 as permitted sender) smtp.mailfrom=chris.v.anton@gmail.com ARC-Seal: i=1; s=202003rsa; d=lists.ipfire.org; t=1756280520; a=rsa-sha256; cv=none; b=BRCGeHbbU6gn/9huoDpJf9If1xy52ENEQqM7RpEAr31xxCNS2h6A1kUxD8440zmQ4Y56oM Wzqpvs3fIDORMc182W81P7WE+uzWPpMeIPMeG2p7JkcYY5TXcuwUzUxidgsD3qgLxX2MOe cVNwnSjIuF6OlrnebjY9jTwEfk4zzQlrO2VZ/432iuD0Hy4VEROzHn3BYMW8Poc9gf0nyk cX1O8P9v68pR5/5LRhfyeTOgdObNvxwt2WCTtTfubXBJzoZMCtkn2lSSc7d7TGXM/Clvje wjpmURdhw/+RwxTeVQP9LF+3X75UhFV4e6xWBjO1WX6hbllaEhj4pdvygaCHMg== Received: by mail-yb1-xb35.google.com with SMTP id 3f1490d57ef6-e96c48e7101so2665392276.2 for ; Wed, 27 Aug 2025 00:41:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1756280518; x=1756885318; darn=lists.ipfire.org; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=; b=O5cQL9Zo80jXR6pwn7hxeMMzl4v1/pgbLMpr0XLscNjR0udGhqQjEE64fo+qH0Afw2 7WGkElt5Xm1webuaCiQLvBhe+71p/f/4fjqsQMUIUjzQstyNEFrb9wFOL0NdpsQnhD4W bSASjOR4JOOUbDlYs6kuRo06rYm1i+i/DJ4Ae7PH/4FXZuIRaM2F9tEFus6BAP45Ak1w YTPb96o3Z4n8F6gqhCXE0AvaY8Yr0QE+dha2HQMtF57FxHrztZdz7ucH7M6ncCY8vAA5 DInEFBXzAC2MOo6AK7qIAlFGIviG7EXMqThXBiflABzzd0sHJ4UiLZpe8Kk5i0jR88fl vQSQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1756280518; x=1756885318; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HPVcWYn02e1ShlqC96vYfJgvWc5Xt/hEm0wnDjZ/vog=; b=s3X6/jsRioUNmRlbsDB7eYLCl4JySCGENJx0l/F3DcPIZYBN9UjpO++HRTvop9h1EA QokS8tluvpgKYdu5v08sBOg/9wcws9ELFaDG02Y/JnhqhQaJiFSYezIfQ+QhMa+zV/eR kdpZJQhi+DhSlr59bzmwwdtmgqJQV/G3Jk/l21yzd95sI8O8e/Nhv5tMWruQJZNKOBsC d6r/bmufXwk6zz/3khWaUhOcjueYSqcexTFUrM65Jm3d5dSqgAxEdQ7tm8G/LG5ow3Jy dp+s52qF6AHJEp1LkoB5PqPBLoWa8Qq4I3QJFqzDnxlKnt691rqzCAY2xRQzbm8PW4mV MIRw== X-Gm-Message-State: AOJu0Yytq2orwTZDORjZK1/GeBJr+cHMkJMWnf2FfiS1L2K1ZHyJ2eQf WvsIOCTK6qUIM8Jej/omIHHojCd58GO/XKDPL61AT+/EllL3JMf7ZX7i2Qgg+QjhoKRJqzI4Fmg qU6v8uA1cLTmw5W7BlUk98N94d75efIpPjkEGRx4= X-Gm-Gg: ASbGnct7ntVmGyxgyAME0rQFiwq42aGGVAmXQgusRaVL0/evuo4P4RcLZtD+xXSjt6v t65AcmYKz0Bn46fe+Z+fyj/PMVei6iv/pxVr1rhQggshy7Z3UM1GUVPiyGaHyDa3QrhvPYfvei0 X1H2cmRcQVt7kcynCrgh2SyQkel1C1Z7ZUFuU2daJht9wpkY+3206CdaFizgASdMDXm7SS9/nAu ZgTN1SQu8yN8Jjv6Zs= X-Google-Smtp-Source: AGHT+IESJCfK+3FBU00qzVkp7lk/lNw49apMsz7a1B0YxpEcmdskFyjVU2V7Hes0boLTLjmVxajYHhvqgzuwZxZSo1I= X-Received: by 2002:a05:690c:6803:b0:71f:b944:1033 with SMTP id 00721157ae682-71fdc43970emr220270107b3.48.1756280517647; Wed, 27 Aug 2025 00:41:57 -0700 (PDT) Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 From: Chris Anton Date: Wed, 27 Aug 2025 02:41:46 -0500 X-Gm-Features: Ac12FXyO2TwyK_IVLnCg-JwmdTyMAnVffvxOyYC8Xutw0v6ePtjQ-3J_vcc9vkE Message-ID: Subject: [PATCH] ddns: add Cloudflare (v4) provider using API token To: development@lists.ipfire.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: mail01.haj.ipfire.org X-Rspamd-Queue-Id: 4cBc1M4WYlz2N X-Rspamd-Action: no action X-Spamd-Result: default: False [-5.89 / 11.00]; BAYES_HAM(-2.92)[99.67%]; SPF_REPUTATION_SPAM(2.23)[0.74223115471093]; R_DKIM_ALLOW(-1.66)[gmail.com:s=20230601]; NEURAL_HAM(-1.00)[-1.000]; DKIM_REPUTATION(-0.93)[-0.93241538019747]; IP_REPUTATION_HAM(-0.79)[asn: 15169(-0.03), country: US(-0.01), ip: 2607:f8b0:4864:20::(-0.76)]; DMARC_POLICY_ALLOW(-0.50)[gmail.com,none]; R_SPF_ALLOW(-0.20)[+ip6:2607:f8b0:4000::/36]; MIME_GOOD(-0.10)[text/plain]; MX_GOOD(-0.01)[]; FUZZY_RATELIMITED(0.00)[rspamd.com]; RCPT_COUNT_ONE(0.00)[1]; ARC_NA(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; FREEMAIL_ENVFROM(0.00)[gmail.com]; MIME_TRACE(0.00)[0:+]; DWL_DNSWL_NONE(0.00)[gmail.com:dkim]; FREEMAIL_FROM(0.00)[gmail.com]; FROM_HAS_DN(0.00)[]; TAGGED_FROM(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[development@lists.ipfire.org]; MID_RHS_MATCH_FROMTLD(0.00)[]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; RCVD_TLS_LAST(0.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US]; MISSING_XM_UA(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; RCVD_IN_DNSWL_NONE(0.00)[2607:f8b0:4864:20::b35:from]; DKIM_TRACE(0.00)[gmail.com:+]; ARC_SIGNED(0.00)[lists.ipfire.org:s=202003rsa:i=1] >From 563f089d0820bd61ad4aecac248d5cc1f2adfc81 Mon Sep 17 00:00:00 2001 From: faithinchaos21 <45313722+faithinchaos21@users.noreply.github.com> Date: Wed, 27 Aug 2025 01:22:46 -0500 Subject: [PATCH] ddns: add Cloudflare (v4) provider using API token MIME-Version: 1.0 Content-Type: text/plain; charset=3DUTF-8 Content-Transfer-Encoding: 8bit This adds a provider =E2=80=9Ccloudflare.com-v4=E2=80=9D that updates an A = record via Cloudflare=E2=80=99s v4 API using a Bearer token. The token is accepted from either =E2=80=98token=E2=80=99 or legacy =E2=80=98password=E2=80=99 fo= r UI compatibility. Tested on IPFire 2.29 / Core 196: - no-op if A already matches WAN IP - successful update when WAN IP changes - logs include CFv4 breadcrumbs for troubleshooting Signed-off-by: Chris Anton --- src/ddns/providers.py | 121 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) diff --git a/src/ddns/providers.py b/src/ddns/providers.py index 59f9665..df0f3a9 100644 --- a/src/ddns/providers.py +++ b/src/ddns/providers.py @@ -341,6 +341,127 @@ def have_address(self, proto): return False +class DDNSProviderCloudflareV4(DDNSProvider): + """ + Cloudflare v4 API using a Bearer Token. + Put the API Token in the 'token' OR 'password' field of the DDNS entry= . + Optional in ddns.conf: + proxied =3D false|true (default false; keep false for WireGuard) + ttl =3D 1|60|120... (default 1 =3D 'automatic') + """ + handle =3D "cloudflare.com-v4" + name =3D "Cloudflare (v4)" + website =3D "https://www.cloudflare.com/" + protocols =3D ("ipv4",) + supports_token_auth =3D True + holdoff_failure_days =3D 0 + + def _bool(self, key, default=3DFalse): + v =3D str(self.get(key, default)).strip().lower() + return v in ("1", "true", "yes", "on") + + def update(self): + import json, urllib.request, urllib.error + + tok =3D self.get("token") or self.get("password") + if not tok: + raise DDNSConfigurationError("API Token (password/token) is missing.") + + proxied =3D self._bool("proxied", False) + try: + ttl =3D int(self.get("ttl", 1)) + except Exception: + ttl =3D 1 + + headers =3D { + "Authorization": "Bearer {0}".format(tok), + "Content-Type": "application/json", + "User-Agent": "IPFireDDNSUpdater/CFv4", + } + + # --- find zone --- + parts =3D self.hostname.split(".") + if len(parts) < 2: + raise DDNSRequestError("Hostname '{0}' is not a valid domain.".format(self.hostname)) + + zone_id =3D None + zone_name =3D None + for i in range(len(parts) - 1): + candidate =3D ".".join(parts[i:]) + url =3D f"https://api.cloudflare.com/client/v4/zones?name=3D{candidate}" + try: + req =3D urllib.request.Request(url, headers=3Dheaders, method=3D"GET") + with urllib.request.urlopen(req, timeout=3D20) as r: + data =3D json.loads(r.read().decode()) + except Exception as e: + raise DDNSUpdateError(f"Failed to query Cloudflare zones API: {e}") + + if data.get("success") and data.get("result"): + zone_id =3D data["result"][0]["id"] + zone_name =3D candidate + break + + if not zone_id: + raise DDNSRequestError(f"Could not find a Cloudflare Zone for '{self.hostname}'.") + + logger.info("CFv4: zone=3D%s id=3D%s", zone_name, zone_id) + + # --- get record --- + rec_url =3D f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?type=3DA= &name=3D{self.hostname}" + try: + req =3D urllib.request.Request(rec_url, headers=3Dheaders, method=3D"GET") + with urllib.request.urlopen(req, timeout=3D20) as r: + rec_data =3D json.loads(r.read().decode()) + except Exception as e: + raise DDNSUpdateError(f"Failed to query Cloudflare DNS records API: {e}") + + if not rec_data.get("success"): + errs =3D rec_data.get("errors") or [] + if any("Authentication error" in (e.get("message", "") or "") for e in errs): + raise DDNSAuthenticationError("Invalid API Token.") + raise DDNSUpdateError(f"Cloudflare API error finding record: {errs}") + + results =3D rec_data.get("result") or [] + if not results: + raise DDNSRequestError(f"No A record found for '{self.hostname}' in zone '{zone_name}'.") + + record_id =3D results[0]["id"] + stored_ip =3D results[0]["content"] + logger.info("CFv4: record_id=3D%s stored_ip=3D%s", record_id, stor= ed_ip) + + # --- compare IPs --- + current_ip =3D self.get_address("ipv4") + logger.info("CFv4: current_ip=3D%s vs stored_ip=3D%s", current_ip, stored_ip) + if current_ip =3D=3D stored_ip: + logger.info("CFv4: no update needed") + return + + # --- update --- + upd_url =3D f"https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_= id}" + payload =3D { + "type": "A", + "name": self.hostname, + "content": current_ip, + "ttl": ttl, + "proxied": proxied, + } + logger.info("CFv4: updating %s -> %s (proxied=3D%s ttl=3D%s)", self.hostname, current_ip, proxied, ttl) + + try: + req =3D urllib.request.Request( + upd_url, data=3Djson.dumps(payload).encode(), headers=3Dheaders, method=3D"PUT" + ) + with urllib.request.urlopen(req, timeout=3D20) as r: + upd =3D json.loads(r.read().decode()) + except Exception as e: + raise DDNSUpdateError(f"Failed to send update request to Cloudflare: {e}") + + if not upd.get("success"): + raise DDNSUpdateError(f"Cloudflare API error on update: {upd.get('errors')}") + + logger.info("CFv4: update ok for %s -> %s", self.hostname, current= _ip) + return + class DDNSProtocolDynDNS2(object): """