nixos/zwave-js: allow non-world-readable secrets

Currently the module's `DyanmicUser` does not exist at build time and therefore this module's secrets file can't be assigned appropriate (e.g. 0400) permissions without additional configuration. This change uses `LoadCredential` to read the secrets file with elevated privileges and place then into the service-specific credentials directory, where the dynamic user can access them. This will allow using standard approaches to nix secrets (such as sops, agenix), which by default provide an out-of-store `0400 root:root` file. Fixes https://github.com/NixOS/nixpkgs/issues/408780
2025-05-27 12:38:24 -06:00
parent cdd9f0bc0c
commit 18dc3dd0b9
2 changed files with 12 additions and 12 deletions
--- a/nixos/modules/services/home-automation/zwave-js.nix
+++ b/nixos/modules/services/home-automation/zwave-js.nix
@@ -108,8 +108,9 @@ in
        description = "Z-Wave JS Server";
        serviceConfig = {
          ExecStartPre = ''
-            /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}"
+            /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} %d/secrets.json > ${mergedConfigFile}"
          '';
+          LoadCredential = "secrets.json:${cfg.secretsConfigFile}";
          ExecStart = lib.concatStringsSep " " [
            "${cfg.package}/bin/zwave-server"
            "--config ${mergedConfigFile}"
--- a/nixos/tests/zwave-js.nix
+++ b/nixos/tests/zwave-js.nix
@@ -1,25 +1,24 @@
-{ pkgs, lib, ... }:
+{ lib, ... }:

-let
-  secretsConfigFile = pkgs.writeText "secrets.json" (
-    builtins.toJSON {
-      securityKeys = {
-        "S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
-      };
-    }
-  );
-in
 {
  name = "zwave-js";
  meta.maintainers = with lib.maintainers; [ graham33 ];

  nodes = {
    machine = {
+      # show that 0400 secrets can be used by the DynamicUser; ideally
+      # this would be an out-of-store file, e.g. /run/secrets/jwavejs/secrets.json
+      environment.etc."zwavejs/secrets.json" = {
+        mode = "0400";
+        text = builtins.toJSON {
+          securityKeys.S0_Legacy = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+        };
+      };
      services.zwave-js = {
        enable = true;
        serialPort = "/dev/null";
        extraFlags = [ "--mock-driver" ];
-        inherit secretsConfigFile;
+        secretsConfigFile = "/etc/zwavejs/secrets.json";
      };
    };
  };