nixos/zwave-js: allow non-world-readable secrets (#411496)

authored by Sandro and committed by GitHub 29484ab6 ddc77f88

+12 -12
+2 -1
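--- a/nixos/modules/services/home-automation/zwave-js.nix
+++ b/nixos/modules/services/home-automation/zwave-js.nix
@@ -108,8 +108,9 @@
         description = "Z-Wave JS Server";
         serviceConfig = {
           ExecStartPre = ''
-            /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}"
+            /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} %d/secrets.json > ${mergedConfigFile}"
           '';
+          LoadCredential = "secrets.json:${cfg.secretsConfigFile}";
           ExecStart = lib.concatStringsSep " " [
             "${cfg.package}/bin/zwave-server"
             "--config ${mergedConfigFile}"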
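Review bot: The file written by ExecStartPre at `${mergedConfigFile}` now contains the decrypted secret keys in plaintext, and nothing in this hunk shows where that path lives or what mode it gets; if it is not in a directory private to the DynamicUser (for instance a `RuntimeDirectory` with a restrictive `RuntimeDirectoryMode`), the protection gained by reading the source through `LoadCredential` is lost the moment jq writes the merge. The definition of `mergedConfigFile` and the rest of `serviceConfig` are outside the hunk, so this may already be handled — worth confirming, and worth a comment beside the new directive, e.g. `# secrets.json is handed in via LoadCredential so the source may be root-owned 0400; the merged file must stay private to the service user`. The `secretsConfigFile` option description (not in this hunk) should also be updated to say the file no longer needs to be readable by the service user, since that was presumably the old requirement.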
+10 -11
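--- a/nixos/tests/zwave-js.nix
+++ b/nixos/tests/zwave-js.nix
@@ -1,25 +1,24 @@
-{ pkgs, lib, ... }:
+{ lib, ... }:
 
-let
-  secretsConfigFile = pkgs.writeText "secrets.json" (
-    builtins.toJSON {
-      securityKeys = {
-        "S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
-      };
-    }
-  );
-in
 {
   name = "zwave-js";
   meta.maintainers = with lib.maintainers; [ graham33 ];
 
   nodes = {
     machine = {
+      # show that 0400 secrets can be used by the DynamicUser; ideally
+      # this would be an out-of-store file, e.g. /run/secrets/jwavejs/secrets.json
+      environment.etc."zwavejs/secrets.json" = {
+        mode = "0400";
+        text = builtins.toJSON {
+          securityKeys.S0_Legacy = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+        };
+      };
       services.zwave-js = {
         enable = true;
         serialPort = "/dev/null";
         extraFlags = [ "--mock-driver" ];
-        inherit secretsConfigFile;
+        secretsConfigFile = "/etc/zwavejs/secrets.json";
       };
     };
   };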
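Review bot: The new comment's example path reads `/run/secrets/jwavejs/secrets.json` while the `environment.etc` entry below it is `zwavejs/secrets.json`; `jwavejs` looks like a typo and should match, e.g. `# this would be an out-of-store file, e.g. /run/secrets/zwavejs/secrets.json`. The comment also promises that a 0400 root-owned file "can be used by the DynamicUser", but the hunk only sets the file up — whether the test script asserts that the service actually started and read it is outside this hunk, so it is worth checking that the testScript fails if `LoadCredential` ever regresses. Finally, since `environment.etc.*.text` still materialises the content in the world-readable Nix store, the comment could say so explicitly so nobody copies this pattern for real keys.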