Open johnjameswhitman opened 1 year ago
Does systemd replace ${CREDENTIALS_DIRECTORY}/inadyn.conf in ExecStart? Didn't knew that.
Yep -- Here are a few key snippets from the systemd docs:
The data is accessible from the unit's processes via the file system, at a read-only location that (if possible and permitted) is backed by non-swappable memory. The data is only accessible to the user associated with the unit, via the User=/DynamicUser= settings (as well as the superuser).
The LoadCredential= setting takes a textual ID to use as name for a credential plus a file system path, separated by a colon.
In order to reference the path a credential may be read from within a ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred", e.g. "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred".
Apparently this came out with v247 which released in 2020, so it's relatively recent.
Note: Systemd ran into an issue loading the credential when the name of my sops.template
lead with a /
(e.g. /etc/inadyn.conf
instead of just inadyn.conf
), I think because the resulting file path included a double-slash //
.
Thanks for adding
sops.template
-- it really simplified getting a key into myinadyn
service.Along the way I learned that you can pass credentials into a systemd unit that runs w/
DynamicUser = true
. The key bit in the example below isLoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";
, which exposes the template to the unit at${CREDENTIALS_DIRECTORY}/inadyn.conf
.Wonder if it'd be worth updating the docs with these bits since I think it's pretty common to set the
DynamicUser
for better security? If not, figure at least having an example in this issue could be helpful to others in the future.