Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/yaxitech/systemd-credsubst
envsubst for systemd credentials
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/yaxitech/systemd-credsubst
- Owner: yaxitech
- License: apache-2.0
- Created: 2024-08-02T11:58:48.000Z (5 months ago)
- Default Branch: main
- Last Pushed: 2024-10-28T14:05:28.000Z (2 months ago)
- Last Synced: 2024-10-28T16:37:35.942Z (2 months ago)
- Language: Rust
- Homepage:
- Size: 31.3 KB
- Stars: 1
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# systemd-credsubst
[![codecov](https://codecov.io/github/yaxitech/systemd-credsubst/graph/badge.svg?token=CBIaFMVIjQ)](https://codecov.io/github/yaxitech/systemd-credsubst)
[`envsubst`](https://github.com/a8m/envsubst) for systemd credentials.
Given a systemd unit with any of the credential provisioning settings (e.g., `LoadCredential=ID` or `SetCredentialEncrypted=ID`, see systemd.exec(5)),
`systemd-credsubst` substitutes references to `${ID}` with the contents of the credential when called from `ExecStartPre=` or `ExecStart=`.

## Example
Consider a service which needs to read a configuration file `appsettings.json` in its `ExecStart=` process.
For the service to start successfully, the file also needs to contain a secret license key.
To separate the secret values from (public) configuration options, the file should not contain the license key directly.
Instead, systemd should insert the credential into the configuration file before starting the main service process, i.e., in an `ExecStartPre=` command line.

Using `systemd-credsubst`, the file `/etc/appsettings.json` may contain a reference to a systemd credential ID:
```json
{
"license": "${license}",
"name": "Wurzelpfropf Banking"
}
```

The following service unit `credsubst-showcase.service` uses `systemd-credsubst` to insert the secret license key provisioned through `LoadCredential=`:
```ini
[Unit]
Description=Showcase systemd-credsubst

[Service]
ExecStart=tail -f -n +1 /run/credsubst-showcase/appsettings.json
ExecStartPre=systemd-credsubst --input /etc/appsettings.json --output /run/credsubst-showcase/appsettings.json
LoadCredential=license:/run/secrets/wurzelpfropf-license.secret
DynamicUser=yes
RuntimeDirectory=credsubst-showcase
```

The secret file `/run/secrets/wurzelpfropf-license.secret` contains `my-secret-license`.
Note that `systemd-creds` strips any trailing newlines.

After running `systemd-credsubst` in `ExecStartPre=`, the file `/run/credsubst-showcase/appsettings.json` has the following contents:
```json
{
"license": "my-secret-license",
"name": "Wurzelpfropf Banking"
}
```

## Usage
`systemd-credsubst` (loosely) resembles the command line options of [`envsubst`](https://github.com/a8m/envsubst):
```
Substitute systemd credential references from ExecStart=/ExecStartPre= calls

Usage: systemd-credsubst [OPTIONS]
Options:
-i, --input If no input file is given, read from stdin.
-o, --output If no output file is given, write to stdout.
-p, --pattern Regex pattern to replace. Must at least provide a named group 'id'. By default matches ${id}. [default: \$\{(?P<id>[^\$\{\}/]+)\}]
-c, --copy-if-no-creds Copy input to output if $CREDENTIALS_DIRECTORY is not set.
-m, --make-parents Make parent directories of the output file as needed.
-h, --help Print help
-V, --version Print version
```
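As an added example (not the project's own code), the core of the substitution described above written in Python: it applies the default `${id}` pattern from the help output, reads each ID from the credentials directory, strips trailing newlines like `systemd-creds`, implements `--copy-if-no-creds`, and refuses any ID that does not resolve to a file directly inside that directory (the default pattern already excludes `/`, but an ID such as `..` still matches it). The function names `credsubst` and `demo` and the constructed credentials directory are assumptions.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Default pattern from the help text: ${id}, where the ID may not contain
# '$', '{', '}' or '/'. Excluding '/' means a template cannot reference a
# path like ${../../etc/shadow}: only files directly inside the directory.
DEFAULT_PATTERN = r"\$\{(?P<id>[^\$\{\}/]+)\}"


def credsubst(text: str, creds_dir: Optional[str], pattern: str = DEFAULT_PATTERN,
              copy_if_no_creds: bool = False) -> str:
    """Replace each ${id} in text with the contents of creds_dir/id."""
    regex = re.compile(pattern)
    if "id" not in regex.groupindex:
        raise ValueError("pattern must provide a named group 'id'")
    if creds_dir is None:  # $CREDENTIALS_DIRECTORY unset: not started by systemd
        if copy_if_no_creds:  # --copy-if-no-creds: pass the template through
            return text
        raise RuntimeError("CREDENTIALS_DIRECTORY is not set")
    root = Path(creds_dir).resolve()

    def lookup(match):
        cred_id = match.group("id")
        cred_path = (root / cred_id).resolve()
        # Even with a custom --pattern, or an ID such as '..', only read files
        # that resolve to directly inside the credentials directory.
        if cred_path.parent != root or not cred_path.is_file():
            raise ValueError(f"credential {cred_id!r} is not available")
        return cred_path.read_text().rstrip("\n")  # systemd-creds strips newlines

    return regex.sub(lookup, text)


def demo() -> dict:
    """Run the README scenario against a constructed credentials directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for what LoadCredential=license:... places in the directory.
        Path(tmp, "license").write_text("my-secret-license\n")
        template = '{\n  "license": "${license}",\n  "name": "Wurzelpfropf Banking"\n}\n'
        out = {"rendered": credsubst(template, tmp)}
        try:
            credsubst("${..}", tmp)
            out["escape"] = "allowed"
        except ValueError:
            out["escape"] = "rejected"
    return out
```

Run `demo()` to see the rendered `appsettings.json` from the example; an ID that resolves outside the credentials directory is reported as rejected rather than read.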