From 0d02578ab3e239a0d631b36f59ff04639800620e Mon Sep 17 00:00:00 2001
From: Christine Elisabeth Koppel <kuutruu@posteo.net>
Date: Tue, 3 Mar 2026 13:47:00 +0100
Subject: [PATCH] More debugs.

---
 nix-system-configs/modules/system/traefik.nix | 48 ++++++++++++++++---
 1 file changed, 42 insertions(+), 6 deletions(-)

diff --git a/nix-system-configs/modules/system/traefik.nix b/nix-system-configs/modules/system/traefik.nix
index 40933e0..e7e0818 100644
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@@ -650,6 +650,15 @@ in {
           exit 2
         fi
 
+        # Debug: log auth status
+        ${pkgs.util-linux}/bin/logger -s "DDNS Updater: auth_key length: ''${#auth_key}, auth_email: '$auth_email', auth_method: '$auth_method'"
+
+        # Fail fast if we don't have auth credentials
+        if [ -z "$auth_key" ]; then
+          ${pkgs.util-linux}/bin/logger -s "DDNS Updater: auth_key is empty — cannot authenticate with Cloudflare."
+          exit 2
+        fi
+
         ###########################################
         ## Check and set the proper auth header
         ###########################################
@@ -669,6 +678,9 @@ in {
                               -H "''$auth_header ''$auth_key" \
                               -H "Content-Type: application/json")
 
+        # Debug: log first 200 chars of response
+        ${pkgs.util-linux}/bin/logger -s "DDNS Updater: Record fetch response (first 200 chars): ''${record:0:200}"
+
         ###########################################
         ## Check if the domain has an A record
         ###########################################
@@ -677,6 +689,12 @@ in {
           exit 1
         fi
 
+        # Check if the API returned an error
+        if [[ $record == *"\\"success\\":false"* ]]; then
+          ${pkgs.util-linux}/bin/logger -s "DDNS Updater: Cloudflare API returned error: $record"
+          exit 1
+        fi
+
         ###########################################
         ## Get existing IP
         ###########################################
@@ -692,6 +710,14 @@ in {
         ###########################################
         record_identifier=$(echo "$record" | sed -E 's/.*"id":"([A-Za-z0-9_]+)".*/\\1/')
 
+        # Fail fast if we couldn't extract the record ID
+        if [ -z "$record_identifier" ] || [[ $record_identifier == *"{"* ]]; then
+          ${pkgs.util-linux}/bin/logger -s "DDNS Updater: Failed to extract record_identifier from response. Got: '$record_identifier'"
+          exit 1
+        fi
+
+        ${pkgs.util-linux}/bin/logger -s "DDNS Updater: Using record_identifier: '$record_identifier'"
+
         ###########################################
         ## Change the IP@Cloudflare using the API
         ###########################################
@@ -714,18 +740,18 @@ in {
             ${pkgs.curl}/bin/curl -L -X POST "''${slackuri}" --data-raw "{\"channel\":\"''${slackchannel}\",\"text\":\"''${msg}\"}"
           fi
           if [[ $discorduri != "" ]]; then
-            msg="''${sitename} DDNS Update Failed: ''${record_name}: ''${record_identifier} (''${CURRENT_IP})."
-            ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data-raw "{\"content\":\"''${msg}\"}" "''${discorduri}"
+            msg="$${sitename} DDNS Update Failed: $${record_name}: $${record_identifier} ($${CURRENT_IP})."
+            ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data-raw "{\"content\":\"$${msg}\"}" "$${discorduri}"
           fi
           exit 1;;
         *)
-          msg="''${sitename} Updated: ''${record_name}'s new IP Address is ''${CURRENT_IP}"
-          ${pkgs.util-linux}/bin/logger "DDNS Updater: ''${CURRENT_IP} ''${record_name} DDNS updated."
+          msg="$${sitename} Updated: $${record_name}'s new IP Address is $${CURRENT_IP}"
+          ${pkgs.util-linux}/bin/logger "DDNS Updater: $${CURRENT_IP} $${record_name} DDNS updated."
           if [[ $slackuri != "" ]]; then
-            ${pkgs.curl}/bin/curl -L -X POST "''${slackuri}" --data-raw "{\"channel\":\"''${slackchannel}\",\"text\":\"''${msg}\"}"
+            ${pkgs.curl}/bin/curl -L -X POST "$${slackuri}" --data-raw "{\"channel\":\"$${slackchannel}\",\"text\":\"$${msg}\"}"
           fi
           if [[ $discorduri != "" ]]; then
-            ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data-raw "{\"content\":\"''${msg}\"}" "''${discorduri}"
+            ${pkgs.curl}/bin/curl -i -H "Accept: application/json" -H "Content-Type:application/json" -X POST --data-raw "{\"content\":\"$${msg}\"}" "$${discorduri}"
           fi
           exit 0;;
         esac
@@ -751,14 +777,24 @@ in {
           export auth_key="''${CLOUDFLARE_DNS_API_TOKEN:-}"
         elif [ -n "''${CLOUDFLARE_API_TOKEN:-}" ]; then
           export auth_key="''${CLOUDFLARE_API_TOKEN:-}"
+        else
+          echo "ERROR: No Cloudflare API token found in environment file" >&2
+          exit 1
         fi
+
         if [ -n "''${CLOUDFLARE_USERNAME:-}" ]; then
           export auth_email="''${CLOUDFLARE_USERNAME:-}"
         fi
 
+        # Export auth_method for the single-run script
+        export auth_method="token"
+
         # Ensure zone id is exported for the single-run script
         export zone_identifier="${zoneId}"
 
+        # Debug: log that we're starting with credentials
+        echo "Starting DDNS update with auth_key length: ''${#auth_key}, auth_email: '$auth_email'" >&2
+
         # Loop records from the Nix list. "@" maps to the base domain
         for r in ${recordsStr}; do
           if [ "$r" = "@" ]; then