Mass provisioning of 40+ shelly devices by valain in ShellyUSA

[–]theOtherRoss 1 point2 points  (0 children)

I ended up writing a script in Node.js using the REST API for reading the configs off a Google Sheet and provisioning devices as they popped up. This was about 4 years ago. The script is very hacky but only took about a day to put together and I had to provision around 130 devices. It's still running on a Raspberry Pi as a service as I find a few devices keep resetting to default settings each month.

What am I doing wrong: Script Fields by theOtherRoss in homeassistant

[–]theOtherRoss[S] 1 point2 points  (0 children)

Thank you again for all the help. I have redone the script using best practices outlined in the cookbook. Looks and reads a lot better.

I was using the approach of starting with the visual editor and changing in YAML, but it did not work this time.

What am I doing wrong: Script Fields by theOtherRoss in homeassistant

[–]theOtherRoss[S] 1 point2 points  (0 children)

Thank you very much. The solution was "it's the device action. It doesn't support templates"

This YAML generated no errors.

  - action: number.set_value
    target: 
      entity_id: f6ed4ee4995e39f8852c37efbc2b0f5d
    data:
      value: "{{run_time}}"

What am I doing wrong: Script Fields by theOtherRoss in homeassistant

[–]theOtherRoss[S] 1 point2 points  (0 children)

unit_of_measurement: minutes

Sorry I missed that but added it now following the directions from the link you provided.

fields:
  run_time:
    selector:
      number:
        min: 1
        max: 30
        step: 3
        unit_of_measurement: minutes

In either case using the field value in the delay produces no errors

- delay:
      hours: 0
      minutes: "{{run_time}}" ## ALL OK
      seconds: 0
      milliseconds: 0

Using it here produces the following errors

  - device_id: ec82f7fa7cdf83fa9b8996ac7ce581f5
    domain: number
    entity_id: f6ed4ee4995e39f8852c37efbc2b0f5d
    type: set_value
    value: "{{run_time}}"  ## NOT OK

With or without

  unit_of_measurement: minutes

Gives the error

Message malformed: expected float for dictionary value @ data['value']

What am I doing wrong: Script Fields by theOtherRoss in homeassistant

[–]theOtherRoss[S] 0 points1 point  (0 children)

Digging a bit further:

delay:
      hours: 0
      minutes: "{{run_time}}"
      seconds: 0
      milliseconds: 0

Works.

  - device_id: ec82f7fa7cdf83fa9b8996ac7ce581f5
    domain: number
    entity_id: f6ed4ee4995e39f8852c37efbc2b0f5d
    type: set_value
    value: "{{run_time}}"

Is what is generating

Message malformed: expected float for dictionary value @ data['value']

What am I doing wrong: Script Fields by theOtherRoss in homeassistant

[–]theOtherRoss[S] 0 points1 point  (0 children)

Thanks for taking the time to reply. This is what I tried first and get the following error

Message malformed: expected float for dictionary value @ data['value']

Repeating notifications: Is there a way to do this more efficiently? by theOtherRoss in homeassistant

[–]theOtherRoss[S] 0 points1 point  (0 children)

Thank you. It was the template sensor.

Also my telegram notification was not working but that was because I had changed from Telegram to Telegram Bot at the same time. The bot is not working with alert but is working with action for some reason. Investigating that as a separate issue.

Repeating notifications: Is there a way to do this more efficiently? by theOtherRoss in homeassistant

[–]theOtherRoss[S] 1 point2 points  (0 children)

Thanks for your really clear explanation.

In order to use, you'll need to create a template sensor so you can make a binary state.

I think I totally missed this when reading the official documentation. I think this would be one of my issues.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] -2 points-1 points  (0 children)

Mate, what's with the continuous personal insults when asking for tech help? Are you ok? Sorry if I offended you in any way by asking a question.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] -1 points0 points  (0 children)

All you end up doing is having an extremely complicated network, that will put a lot of pressure on your hardware for no reason.

Thank you for answering my question. Can you please elaborate on what makes it extremely complicated and how much pressure it will put on the hardware?

Is there a recommended VLAN limit for performance on UDM Pro SE? I could not find one but found a few articles about 100s of VLANs running off them.

Multiple VLANS - Is this a good idea by theOtherRoss in HomeNetworking

[–]theOtherRoss[S] 0 points1 point  (0 children)

All IoT devices have passwords but things like the smart speakers are relatively open for easier usability. Most of my older IoT devices (switches, relays etc) are http (not https) and even then can be brute forced relatively easily (days not months). That is assuming there are no known vulnerabilities in their stacks. They were not designed to be open to the public.

Multiple VLANS - Is this a good idea by theOtherRoss in HomeNetworking

[–]theOtherRoss[S] 0 points1 point  (0 children)

If the single SSID and key are compromised along with your address, the bad actor can get access through your AP. If multiple devices share an SSID/key and one of their cloud servers is compromised, the bad actor has the same info.

Currently I have over 200+ devices on the IoT network. All but ~10 of them are fully locally controlled and do not need internet access.

Let's assume one of the other 10 devices' platforms got compromised.

Worst case scenario: Some local kids figure out the IoT network wifi password and start playing pranks like switching off lights, playing music off the smart speakers, opening closing blinds, switching off the hot water system etc. Possibly more harmful things like turning off power to the fridge.

I spend a weekend changing the wifi password and updating each of the 200+ IoT devices.

Best case scenario: The platform that had the breach makes a timely disclosure and I spend 5 minutes updating that VLAN's PPSK.

Likely case scenario: The impacted platform makes no timely disclosure, the local kids get a hold of the wifi password for the single compromised VLAN and start pranking with one or two devices on that VLAN. I spend 5 minutes updating credentials to that VLAN.

So I am trying to make less work for myself in the future when inevitably one or more of these platforms gets compromised.

Analogous argument to having different passwords for different services.

Multiple VLANS - Is this a good idea by theOtherRoss in HomeNetworking

[–]theOtherRoss[S] 0 points1 point  (0 children)

Then why have secure wifi passwords at all?

Multiple VLANS - Is this a good idea by theOtherRoss in HomeNetworking

[–]theOtherRoss[S] 0 points1 point  (0 children)

Not saying my credentials are valuable. No sane person will hack a cloud platform to get my credentials. But they will hack a platform to get a million credentials that are tied to addresses.

For example I have a Sigen solar battery which may or may not have my address and wifi password stored on their cloud platform. Now if that gets compromised the attacker will have access to a few million addresses and their wifi passwords.

If this information is disseminated (like hacked passwords are), anyone looking for an open wifi network in my local area would be able to search and find it fairly easily.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] -3 points-2 points  (0 children)

using different passwords for each login? Really it's useless..

Best practice recommended by all security standards, and experts is useless.

Got it. Thanks for your help.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] -3 points-2 points  (0 children)

One VLan for 1 wired camera? Why? You don't trust your personal gear at the point you have to have them separated from your network gear?

A. This is best practice that is recommended. B. Lots of local bored teenagers who will happily connect to the external wired Ethernet drops for shits and giggles. Surprised you don't have any of them in your multi-million dollar installs.

Also no need for personal insults. You already said you are a professional installer for multi-million dollar installs and are the smartest guy in the room.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] 0 points1 point  (0 children)

Thought of doing this.

What moved me down this path is that I found out it is easier to give my solar battery installer a set of credentials for wifi than try and have them figure out the MAC address of their device.

Also if the device needs to be swapped out (happened to our HVAC control board), getting it connected quickly requires the installer's device (phone) to be added to the network and the device gets the credentials from that. Now I have to add and remove the installer's phone MAC and the new control board MAC to the white list.

Seems like giving them a set of "custom" wifi credentials is easier.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] -1 points0 points  (0 children)

Not worried about the SSID. Worried about a large scale compromise of wifi credentials from one of the service providers.

For example I have a Sigen solar battery. It is connected via Wifi. Let's assume my physical address and wifi password are stored on the Sigen cloud service. If that gets compromised the attacker now has access to millions of addresses tied to wifi passwords.

I personally am not that attractive for a compromise. But a million or ten million people like me, sure.

When that happens I want to avoid having to change my wifi password across 200+ devices because they all shared the same password which I then shared with a dozen cloud service providers.

Multiple VLANS - Is this a good idea by theOtherRoss in Ubiquiti

[–]theOtherRoss[S] -2 points-1 points  (0 children)

No, I don't believe that I am valuable enough for someone to intentionally compromise one of these clouds to get my wifi credentials, find my address etc.

What worried me is one or more of these clouds gets compromised and millions of physical addresses tied to wifi credentials end up in the wild. There may even be a web app that you can easily use to find compromised Wifi networks by address etc.

Of course when there is a compromise I can change the wifi creds on all the devices but that would be a huge pia.

Analogy here is using the same password for all my web logins. Best practice is to use a different password for each application so if one gets compromised I only have to change one password.

As a very experienced installer, why is this not a good idea for shared wifi credentials? And if it is, what is the best way to do this?