nixos/zwave-js: allow non-world-readable secrets (#411496)

authored by Sandro and committed by GitHub 29484ab6 ddc77f88

+12 -12
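--- a/nixos/modules/services/home-automation/zwave-js.nix
+++ b/nixos/modules/services/home-automation/zwave-js.nix
@@ -108,8 +108,9 @@
 description = "Z-Wave JS Server";
 serviceConfig = {
 ExecStartPre = ''
-/bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}"
+/bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} %d/secrets.json > ${mergedConfigFile}"
 '';
+LoadCredential = "secrets.json:${cfg.secretsConfigFile}";
 ExecStart = lib.concatStringsSep " " [
 "${cfg.package}/bin/zwave-server"
 "--config ${mergedConfigFile}"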
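Review bot: The merged output written to `${mergedConfigFile}` by the new ExecStartPre line still contains the security keys copied out of the credential, so the benefit of a 0400 source file only holds if that target is created with equally tight permissions; nothing in this hunk restricts it, and where `mergedConfigFile` points (and whether a `UMask`/`StateDirectory` is set) lies outside the hunk in the surrounding `serviceConfig`. If the rest of the unit does not already do so, `UMask = "0077";` next to `LoadCredential` would keep the merged file from being group/world readable. A short comment above `LoadCredential` would also make the mechanism clear to the next maintainer, e.g. `# Expose the secrets file through systemd credentials (%d expands to $CREDENTIALS_DIRECTORY) so it does not need to be readable by the DynamicUser itself.` The `serviceConfig` attribute set starts before and ends after this hunk.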
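--- a/nixos/tests/zwave-js.nix
+++ b/nixos/tests/zwave-js.nix
@@ -1,25 +1,24 @@
-{ pkgs, lib, ... }:
+{ lib, ... }:
 
-let
-secretsConfigFile = pkgs.writeText "secrets.json" (
-builtins.toJSON {
-securityKeys = {
-"S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
-};
-}
-);
-in
 {
 name = "zwave-js";
 meta.maintainers = with lib.maintainers; [ graham33 ];
 
 nodes = {
 machine = {
+# show that 0400 secrets can be used by the DynamicUser; ideally
+# this would be an out-of-store file, e.g. /run/secrets/jwavejs/secrets.json
+environment.etc."zwavejs/secrets.json" = {
+mode = "0400";
+text = builtins.toJSON {
+securityKeys.S0_Legacy = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+};
+};
 services.zwave-js = {
 enable = true;
 serialPort = "/dev/null";
 extraFlags = [ "--mock-driver" ];
-inherit secretsConfigFile;
+secretsConfigFile = "/etc/zwavejs/secrets.json";
 };
 };
 };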
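Review bot: The example path in the new comment is misspelled: `/run/secrets/jwavejs/secrets.json` should read `/run/secrets/zwavejs/secrets.json`, matching the `/etc/zwavejs/secrets.json` path the test actually configures below. Note too that `environment.etc` with `mode = "0400"` still places the secret text in the Nix store (the comment half-acknowledges this), so the test demonstrates only that the root-owned 0400 copy under `/etc` is usable by the DynamicUser, not that the key material is kept out of world-readable locations; the comment could say that explicitly, e.g. `# The store copy is still world-readable; this only exercises the 0400 /etc path.` Whether the testScript asserts that the merged config received the key or that the service user cannot read `/etc/zwavejs/secrets.json` directly is outside this hunk.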