From 18dc3dd0b9977e17c11f449b57188aca6261f454 Mon Sep 17 00:00:00 2001
From: Nathan Henrie
Date: Tue, 27 May 2025 12:38:24 -0600
Subject: [PATCH] nixos/zwave-js: allow non-world-readable secrets

Currently the module's `DyanmicUser` does not exist at build time and therefore this module's secrets file can't be assigned appropriate (e.g. 0400) permissions without additional configuration.

This change uses `LoadCredential` to read the secrets file with elevated privileges and place then into the service-specific credentials directory, where the dynamic user can access them.

This will allow using standard approaches to nix secrets (such as sops, agenix), which by default provide an out-of-store `0400 root:root` file.

Fixes https://github.com/NixOS/nixpkgs/issues/408780
---
 .../services/home-automation/zwave-js.nix | 3 ++-
 nixos/tests/zwave-js.nix | 21 +++++++++----------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/nixos/modules/services/home-automation/zwave-js.nix b/nixos/modules/services/home-automation/zwave-js.nix
index 3d04ad7fa558..ab5deeefecd2 100644
--- a/nixos/modules/services/home-automation/zwave-js.nix
+++ b/nixos/modules/services/home-automation/zwave-js.nix
@@ -108,8 +108,9 @@ in
 description = "Z-Wave JS Server";
 serviceConfig = {
 ExecStartPre = ''
- /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}"
+ /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} %d/secrets.json > ${mergedConfigFile}"
 '';
+ LoadCredential = "secrets.json:${cfg.secretsConfigFile}";
 ExecStart = lib.concatStringsSep " " [
 "${cfg.package}/bin/zwave-server"
 "--config ${mergedConfigFile}"
diff --git a/nixos/tests/zwave-js.nix b/nixos/tests/zwave-js.nix
index 2815508211f8..a4d9dbdc98b2 100644
--- a/nixos/tests/zwave-js.nix
+++ b/nixos/tests/zwave-js.nix
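Review bot: The merged config written by the `>` redirection on the new ExecStartPre line still holds the security keys in plaintext, and its mode is left to the service umask and the directory holding `mergedConfigFile`, which is defined outside this hunk; if that is a default 0755 StateDirectory and the umask is the usual 0022, the merged file ends up world-readable and the 0400 protection gained through LoadCredential is lost one step later. Adding `UMask = "0077";` next to `LoadCredential` in serviceConfig keeps the merged file private to the dynamic user wherever it lands (or `StateDirectoryMode = "0700";` if the file lives under StateDirectory — confirm against the definition of mergedConfigFile). A short comment on the LoadCredential line would also help the next reader, e.g. `# systemd copies the file as root into $CREDENTIALS_DIRECTORY (%d), so the source may be 0400 root:root`. The enclosing serviceConfig block continues past the end of the hunk.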
@@ -1,25 +1,24 @@ -{ pkgs, lib, ... }: +{ lib, ... }: -let - secretsConfigFile = pkgs.writeText "secrets.json" ( - builtins.toJSON { - securityKeys = { - "S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; - }; - } - ); -in { name = "zwave-js"; meta.maintainers = with lib.maintainers; [ graham33 ]; nodes = { machine = { + # show that 0400 secrets can be used by the DynamicUser; ideally + # this would be an out-of-store file, e.g. /run/secrets/jwavejs/secrets.json + environment.etc."zwavejs/secrets.json" = { + mode = "0400"; + text = builtins.toJSON { + securityKeys.S0_Legacy = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; + }; + }; services.zwave-js = { enable = true; serialPort = "/dev/null"; extraFlags = [ "--mock-driver" ]; - inherit secretsConfigFile; + secretsConfigFile = "/etc/zwavejs/secrets.json"; }; }; };
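Review bot: The new comment names `/run/secrets/jwavejs/secrets.json`, which reads as a typo for `zwavejs` given the `/etc/zwavejs/secrets.json` path the test actually configures two lines below; `# this would be an out-of-store file, e.g. /run/secrets/zwavejs/secrets.json`. The test as changed only shows that the service starts with a root-owned 0400 secrets file; it does not check that the merged config produced by ExecStartPre is itself not world-readable, which is the property the commit title promises, so an assertion on that file's mode in the testScript would close the loop. The testScript lies outside this hunk.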