Dawoox/nixpkgs
1
1
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

nixos/zwave-js: allow non-world-readable secrets

Browse Source 
Currently the module's `DyanmicUser` does not exist at build time and therefore this module's secrets file can't be assigned appropriate (e.g. 0400) permissions without additional configuration.
This change uses `LoadCredential` to read the secrets file with elevated privileges and place then into the service-specific credentials directory, where the dynamic user can access them.

This will allow using standard approaches to nix secrets (such as sops, agenix), which by default provide an out-of-store `0400 root:root` file.

Fixes https://github.com/NixOS/nixpkgs/issues/408780
This commit is contained in:
Nathan Henrie
2025-05-27 12:38:24 -06:00
parent cdd9f0bc0c
commit 18dc3dd0b9
2 changed files with 12 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
nixos/modules/services/home-automation/zwave-js.nix
View File

@@ -108,8 +108,9 @@ in
description = "Z-Wave JS Server"; description = "Z-Wave JS Server";
serviceConfig = { serviceConfig = {
ExecStartPre = '' ExecStartPre = ''
/bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} ${cfg.secretsConfigFile} > ${mergedConfigFile}" /bin/sh -c "${pkgs.jq}/bin/jq -s '.[0] * .[1]' ${configFile} %d/secrets.json > ${mergedConfigFile}"
''; '';
LoadCredential = "secrets.json:${cfg.secretsConfigFile}";
ExecStart = lib.concatStringsSep " " [ ExecStart = lib.concatStringsSep " " [
"${cfg.package}/bin/zwave-server" "${cfg.package}/bin/zwave-server"
"--config ${mergedConfigFile}" "--config ${mergedConfigFile}"

21
nixos/tests/zwave-js.nix
View File

@@ -1,25 +1,24 @@
{ pkgs, lib, ... }: { lib, ... }:
let
secretsConfigFile = pkgs.writeText "secrets.json" (
builtins.toJSON {
securityKeys = {
"S0_Legacy" = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
};
}
);
in
{ {
name = "zwave-js"; name = "zwave-js";
meta.maintainers = with lib.maintainers; [ graham33 ]; meta.maintainers = with lib.maintainers; [ graham33 ];
nodes = { nodes = {
machine = { machine = {
# show that 0400 secrets can be used by the DynamicUser; ideally
# this would be an out-of-store file, e.g. /run/secrets/jwavejs/secrets.json
environment.etc."zwavejs/secrets.json" = {
mode = "0400";
text = builtins.toJSON {
securityKeys.S0_Legacy = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
};
};
services.zwave-js = { services.zwave-js = {
enable = true; enable = true;
serialPort = "/dev/null"; serialPort = "/dev/null";
extraFlags = [ "--mock-driver" ]; extraFlags = [ "--mock-driver" ];
inherit secretsConfigFile; secretsConfigFile = "/etc/zwavejs/secrets.json";
}; };
}; };
}; };