{"id":15171859,"url":"https://github.com/numtide/systemd-vaultd","last_synced_at":"2025-08-18T04:32:36.340Z","repository":{"id":46871612,"uuid":"503739134","full_name":"numtide/systemd-vaultd","owner":"numtide","description":"Provide access to vault secrets to systemd services","archived":false,"fork":false,"pushed_at":"2025-08-10T12:22:29.000Z","size":134,"stargazers_count":75,"open_issues_count":5,"forks_count":2,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-08-18T01:33:34.973Z","etag":null,"topics":["buildbot-numtide","nix","nixos","secrets","vault"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/numtide.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-06-15T11:37:34.000Z","updated_at":"2025-07-14T15:29:15.000Z","dependencies_parsed_at":"2023-02-13T22:00:32.559Z","dependency_job_id":"b3dcc819-3df0-46d8-a396-028088e91d3a","html_url":"https://github.com/numtide/systemd-vaultd","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/numtide/systemd-vaultd","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/numtide%2Fsystemd-vaultd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/numtide%2Fsystemd-vaultd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/numtide%2Fsystemd-vaultd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/numtide%2Fsystemd-vaultd/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/numtide","download_url":"https://codeload.github.com/numtide/systemd-vaultd/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/numtide%2Fsystemd-vaultd/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270945172,"owners_count":24672873,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buildbot-numtide","nix","nixos","secrets","vault"],"created_at":"2024-09-27T09:20:49.506Z","updated_at":"2025-08-18T04:32:36.037Z","avatar_url":"https://github.com/numtide.png","language":"Nix","readme":"# systemd-vaultd - load vault credentials with systemd units\n\n\u003e Mostly written in a train\n\n- Jörg Thalheim\n\nsystemd-vaultd is a proxy between systemd and [vault agent](https://vaultproject.io).\nIt provides a unix socket that can be used in systemd services in the\n`LoadCredential` option and then waits for vault agent to write these secrets in\njson format at `/run/systemd-vaultd/\u003cservice_name\u003e.service.json`.\n\nThis project's goal is to simplify the loading of [HashiCorp\nVault](https://www.vaultproject.io/) secrets from\n[systemd](https://systemd.io/) units.\n\n## Problem statement\n\nSystemd has an option called `LoadCredentials` that 
allows credentials to be\nprovided to a service:\n\n```conf\n# myservice.service\n[Service]\nExecStart=/usr/bin/myservice.sh\nLoadCredential=foobar:/etc/myfoobarcredential.txt\n```\n\nIn this case systemd will load the credential file\n`/etc/myfoobarcredential.txt` and provide it to the service at\n`$CREDENTIAL_PATH/foobar`.\n\nThis is handy because it bypasses file permission issues:\n/etc/myfoobarcredential.txt can be owned by root while the unit runs as a\ndifferent or dynamic user.\n\nWhile vault agent also supports writing these secrets, a major issue is that\nthe consumer service may be started before vault agent has been able to retrieve\nthe secrets from vault. In that case, systemd would fail to start the service.\n\n## The solution\n\nTo solve this, I wrote a `systemd-vaultd` service which acts as a proxy\nbetween systemd and the vault agent running on the machine. It provides a\nunix socket that can be used in systemd services in the `LoadCredential`\noption and then waits for vault agent to write these secrets at\n`/run/systemd-vaultd/\u003cservice_name\u003e.json`.\n\nWe take advantage of the fact that, in addition to regular file paths, systemd\nalso supports loading credentials from unix sockets.\n\nWith `systemd-vaultd` the service `myservice.service` would look like this:\n\n```conf\n[Service]\nExecStart=/usr/bin/myservice.sh\nLoadCredential=foobar:/run/systemd-vaultd/sock\n```\n\nvault agent is then expected to write secrets to `/run/systemd-vaultd/` in json format.\n\n```hcl\ntemplate {\n  # this exposes all secrets in `secret/my-secret` to the service\n  contents = \"#{{ with secret \\\"secret/my-secret\\\" }}{{ .Data.data | toJSON }}{{ end }}\"\n\n  # an alternative is to expose only selected secrets like this:\n  #  contents = \u003c\u003cEOF\n  #  {{ with secret \"secret/my-secret\" }}{{ scratch.MapSet \"secrets\" \"foobar\" .Data.data.foo }}{{ end }}\n  #  {{ scratch.Get \"secrets\" | explodeMap | toJSON }}\n  #  EOF\n\n  destination  = 
\"/run/systemd-vaultd/secrets/myservice.service.json\"\n}\n```\n\nWhen `myservice` is started, systemd will open a connection to\n`systemd-vaultd`'s socket. `systemd-vaultd` then either serves the secrets\nfrom `/run/systemd-vaultd/secrets/myservice.service.json` or waits with\ninotify on the secrets directory for vault agent to write them.\n\nOnce the file `/run/systemd-vaultd/secrets/myservice.service.json` is present,\nsystemd-vaultd will parse it into a json map and look up the keys specified in\n`LoadCredential`.\n\n## Installation\n\nThe installation requires a `go` compiler and `make` to be installed.\n\nThis command will install the `systemd-vaultd` binary to\n`/usr/bin/systemd-vaultd` as well as the following systemd unit\nfiles: `systemd-vaultd.service` and `systemd-vaultd.socket`:\n\n```shell\nmake install\n```\n\n## Known limitations\n\nsystemd's LoadCredential option will not update credentials if a service is\nreloaded. However, systemd-vaultd comes with a helper program called\n`systemd-vaultd-update-secrets` that can write secrets from the json file\ngenerated by systemd-vaultd to a directory readable by the service. Check out\n`systemd-vaultd/nix/checks/systemd-vaultd-test.nix` for more details.\n\n## License\n\nCopyright (c) 2022 [Jörg Thalheim](https://github.com/mic92) and contributors.\n\nThis project is free software, and may be redistributed under the terms\nspecified in the [LICENSE](LICENSE) file.\n\n## About\n\nThis project is maintained by Numtide.\n\nNeed help or support? [Contact us](https://numtide.com/contact)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnumtide%2Fsystemd-vaultd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnumtide%2Fsystemd-vaultd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnumtide%2Fsystemd-vaultd/lists"}