Thanks for adding `sops.template` -- it really simplified getting a key into my `inadyn` service.
Along the way I learned that you can pass credentials into a systemd unit that runs with `DynamicUser = true`. The key bit in the example below is `LoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";`, which exposes the template to the unit at `${CREDENTIALS_DIRECTORY}/inadyn.conf`.
Wonder if it'd be worth updating the docs with these bits, since I think it's pretty common to set `DynamicUser` for better security? If not, I figure at least having an example in this issue could be helpful to others in the future.
Yep -- here are a few key snippets from the systemd docs:
> The data is accessible from the unit's processes via the file system, at a read-only location that (if possible and permitted) is backed by non-swappable memory. The data is only accessible to the user associated with the unit, via the User=/DynamicUser= settings (as well as the superuser).
> The LoadCredential= setting takes a textual ID to use as name for a credential plus a file system path, separated by a colon.
> In order to reference the path a credential may be read from within a ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred", e.g. "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred".
Apparently this came out with v247, which was released in 2020, so it's relatively recent.
Note: systemd ran into an issue loading the credential when the name of my `sops.template` led with a `/` (e.g. `/etc/inadyn.conf` instead of just `inadyn.conf`), I think because the resulting file path included a double slash `//`.
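For reference, here is a complete NixOS module that wires the pieces discussed in this thread together (a rendered `sops.templates` file handed to a `DynamicUser = true` unit via `LoadCredential=`). This is an added example, not code from the issue author or from sops-nix's own documentation. It assumes a sops secret named `inadyn-password` exists in your configured sops file, that `pkgs.inadyn` is the nixpkgs inadyn package, and the `provider`/`hostname`/`username` values in the template are placeholders. The security-relevant point is that the rendered template stays root-owned on disk; PID 1 reads it and copies it into the unit's private credentials directory, so the dynamically allocated user never needs read access to `/run/secrets`.

```nix
# Added example (not from the issue or sops-nix's docs): NixOS module that renders
# a sops template and passes it to a DynamicUser= service with LoadCredential=.
# Assumptions: a sops secret "inadyn-password" is defined in the configured sops
# file; pkgs.inadyn is the nixpkgs inadyn package; provider/host/user are placeholders.
{ config, pkgs, ... }:
{
  # The raw secret; sops-nix decrypts it to /run/secrets/inadyn-password (root:root, 0400).
  sops.secrets."inadyn-password" = { };

  # Template name deliberately has no leading "/" (see the note above about "//").
  # The rendered file is exposed at config.sops.templates."inadyn.conf".path and,
  # like the secret, stays readable only by root.
  sops.templates."inadyn.conf".content = ''
    provider default@duckdns.org {
        username = myuser
        password = ${config.sops.placeholder."inadyn-password"}
        hostname = example.duckdns.org
    }
  '';

  systemd.services.inadyn = {
    description = "Dynamic DNS client (added example)";
    wantedBy = [ "multi-user.target" ];
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    serviceConfig = {
      # A transient UID/GID is allocated at start; it has no access to /run/secrets.
      DynamicUser = true;
      # "inadyn.conf" is the credential ID; the path after the colon is the rendered
      # template. PID 1 reads the file as root and places a copy in the unit's
      # private, read-only credentials directory owned by the dynamic user.
      LoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";
      # systemd sets CREDENTIALS_DIRECTORY in the unit's environment and expands
      # ${...} in ExecStart=; "\$" keeps Nix from interpolating it at eval time.
      ExecStart = "${pkgs.inadyn}/bin/inadyn --foreground --config \${CREDENTIALS_DIRECTORY}/inadyn.conf";
      # Credentials live under /run/credentials/<unit>/ and are cleaned up on stop.
      PrivateTmp = true;
      ProtectSystem = "strict";
    };
  };
}
```

After `nixos-rebuild switch`, `systemctl status inadyn` should show the unit running as a `inadyn`-named dynamic user, and `ls -l /run/credentials/inadyn.service/` (only visible as root) should list a read-only `inadyn.conf` owned by that user, while `/run/secrets/rendered/inadyn.conf` remains `root:root 0400`. If you rename the template to something starting with `/`, expect the credential load to fail as described in the note above.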