Zwave-js-ui doesn't honor settings

Hello,

I am trying to set up zwave-js-ui. The software allows the KEY_S0_Legacy key to be set using environment variables, as mentioned here. I tried to set them up using systemd.environmentfile, but they show up unpopulated in the web-ui.

Here is how I set up the config.

  sops.secrets.zwave-js-ui-KEY_S0_Legacy = {};
  sops.secrets.zwave-js-ui-KEY_S2_Unauthenticated = {};
  sops.secrets.zwave-js-ui-KEY_S2_Authenticated = {};
  sops.secrets.zwave-js-ui-KEY_S2_AccessControl = {};
  sops.secrets.zwave-js-ui-KEY_LR_S2_Authenticated = {};
  sops.secrets.zwave-js-ui-KEY_LR_S2_AccessControl = {};
  sops.templates."zwave-js-ui-secrets.yaml".content = ''
    KEY_S0_Legacy="${config.sops.placeholder.zwave-js-ui-KEY_S0_Legacy}"
    KEY_S2_Unauthenticated="${config.sops.placeholder.zwave-js-ui-KEY_S2_Unauthenticated}"
    KEY_S2_Authenticated="${config.sops.placeholder.zwave-js-ui-KEY_S2_Authenticated}"
    KEY_S2_AccessControl="${config.sops.placeholder.zwave-js-ui-KEY_S2_AccessControl}"
    KEY_LR_S2_Authenticated="${config.sops.placeholder.zwave-js-ui-KEY_LR_S2_Authenticated}"
    KEY_LR_S2_AccessControl="${config.sops.placeholder.zwave-js-ui-KEY_LR_S2_AccessControl}"
  '';
  systemd.services.zwave-js-ui.serviceConfig.DynamicUser = lib.mkForce false;
  sops.templates."zwave-js-ui-secrets.yaml".owner = "zwave-js-ui";
  sops.templates."zwave-js-ui-secrets.yaml".group = "zwave-js-ui";

  services.zwave-js-ui = {
    enable = true;
    serialPort = "/dev/serial/by-id/usb-Nabu_Casa_ZWA-2";
    settings = {
      # An IP address must be a quoted string in Nix.
      HOST = "127.0.0.1";
      PORT = "8091";
    };
  };
  systemd.services.zwave-js-ui.serviceConfig = {
    User = "zwave-js-ui";
    Group = "zwave-js-ui";
    # Secrets rendered by sops-nix at activation time, outside the Nix store.
    EnvironmentFile = config.sops.templates."zwave-js-ui-secrets.yaml".path;
  };

I can see the keys in the environment file:

ls -lad /run/secrets/rendered/zwave-js-ui-secrets.yaml
-r-------- 1 zwave-js-ui zwave-js-ui 337 Nov  2 08:25 /run/secrets/rendered/zwave-js-ui-secrets.yaml

Where did I go wrong?

Did you try using the settings key from zwave-js-ui?

From the code, it passes any options in there to the environment key of the service, which are then passed by systemd to the service process.

Worth trying.

Edit: I read your snippet too fast and didn’t see that you were already using it. Why aren’t you using it for the variables you set in sops? Are those “real” secrets that you don’t want to end up in the Nix store?

These are encryption keys to talk with the end devices, so I wanted to protect them.

Did you look at the unit logs? There may be some insights in there:

journalctl -fxeu zwave-js-ui

Also, did you check the content of the file generated by sops-nix? It should be in /run/secrets. You need sudo to read them.
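
Added example, not part of the thread: a shell check that compares the rendered EnvironmentFile with the environment of the running service and prints only key names and value lengths, so the keys never reach a terminal or log. It separates "systemd did not pass the variable" from "the application did not use it". The function name `check_env_keys` is made up for this example, and it assumes `KEY=value` or `KEY="value"` lines as in the template above.

```shell
# Added example (not from the thread). Assumes KEY=value or KEY="value" lines,
# as in the sops template above. Prints key names and lengths, never values.
check_env_keys() {
  env_file=$1      # rendered EnvironmentFile
  environ_file=$2  # NUL-separated environment block, e.g. /proc/PID/environ
  rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}        # drop leading whitespace
    case $line in ''|'#'*) continue ;; esac      # skip blanks and comments
    case $line in *=*) ;; *) continue ;; esac    # skip non-assignments
    key=${line%%=*}
    val=${line#*=}
    case $val in \"*\") val=${val#\"}; val=${val%\"} ;; esac  # unquote
    if [ -z "$val" ]; then
      echo "$key: EMPTY in file"; rc=1; continue
    fi
    # Compare inside the shell so the secret never appears in a command line.
    state=$(tr '\0' '\n' < "$environ_file" | {
      s=MISSING
      while IFS= read -r entry; do
        case $entry in
          "$key=$val") s=ok; break ;;
          "$key="*) s=DIFFERS ;;
        esac
      done
      echo "$s"
    })
    case $state in
      ok) echo "$key: ok (${#val} chars)" ;;
      *)  echo "$key: $state in process"; rc=1 ;;
    esac
  done < "$env_file"
  return "$rc"
}
```

Run it as root against the live unit, for example `check_env_keys /run/secrets/rendered/zwave-js-ui-secrets.yaml /proc/$(systemctl show -p MainPID --value zwave-js-ui)/environ`. If every key reports `ok`, systemd delivered the variables and the remaining question is how the application reads them.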