github.com/josh/systemd-age-creds
Package, version 0.1.0
Repository: https://github.com/josh/systemd-age-creds.git
Documentation: pkg.go.dev

# README

## systemd-age-creds

Load age encrypted credentials in systemd units.

At the moment, systemd-creds only supports symmetric encryption, which requires secrets to be encrypted on the machine with the TPM itself. Adding an alternative is on the systemd TODO list, though.

Solutions like SOPS allow secrets to be encrypted elsewhere, checked into git and then only decrypted on the deployment host. It would be nice if a similar pattern could be applied to systemd credentials.

systemd-age-creds provides a credential server listening on an AF_UNIX socket that serves age-encrypted credentials to systemd units via LoadCredential=.

### Usage

`systemd-age-creds.socket`

```ini
[Unit]
Description=age credential socket

[Socket]
ListenStream=%t/systemd-age-creds.sock
SocketMode=0600
Service=systemd-age-creds.service

[Install]
WantedBy=sockets.target
```

`systemd-age-creds.service`

```ini
[Unit]
Description=age credential server
Requires=systemd-age-creds.socket
# After=tpm

[Service]
Type=simple
ExecStart=/path/to/bin/systemd-age-creds -i /path/to/age-key.txt /path/to/secrets
```

`foo.service`

```ini
[Service]
ExecStart=/usr/bin/myservice.sh
# Instead of loading a symmetrically encrypted systemd credential from a file,
# LoadCredentialEncrypted=foobar:/etc/credstore/myfoobarcredential.txt
#
# you can reference the credential ID and load it from the systemd-age-creds socket.
LoadCredential=foobar:%t/systemd-age-creds.sock
```
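The request path behind the units above, as an added Go example that is not the project's own code: when LoadCredential= points at an AF_UNIX socket, systemd connects from an abstract-namespace address of the form `@$RANDOM/unit/$UNIT/$ID` (documented for LoadCredential= in systemd.exec(5)), so the server can tell which unit asked for which credential and must validate that ID before turning it into a file name. The `<ID>.age` layout under the secrets directory, the `decrypt` callback and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// CredRequest holds what systemd encodes in its abstract-namespace peer address
// ("@$RANDOM/unit/$UNIT/$ID"); Go renders the leading NUL of such names as "@".
type CredRequest struct{ Unit, ID string }

// ParsePeerName extracts the requesting unit and credential ID. The ID becomes
// part of a file name, so anything that could escape the secrets directory is
// rejected. Any local process can bind an abstract name of this shape, so the
// unit name is trustworthy only because SocketMode=0600 limits callers to root.
func ParsePeerName(peer string) (CredRequest, error) {
	parts := strings.Split(strings.TrimPrefix(peer, "@"), "/")
	if len(parts) != 4 || parts[1] != "unit" || parts[2] == "" {
		return CredRequest{}, fmt.Errorf("unexpected peer address %q", peer)
	}
	id := parts[3]
	if id == "" || id == "." || id == ".." || strings.ContainsAny(id, "/\x00") {
		return CredRequest{}, fmt.Errorf("invalid credential id %q", id)
	}
	return CredRequest{Unit: parts[2], ID: id}, nil
}

// ServeOne answers one systemd connection: identify the credential from the peer
// address, decrypt "<secretsDir>/<ID>.age" (layout assumed), write the plaintext
// and close. decrypt stands in for age decryption with the identity given via -i.
func ServeOne(conn net.Conn, secretsDir string, decrypt func([]byte) ([]byte, error)) error {
	defer conn.Close()
	req, err := ParsePeerName(conn.RemoteAddr().String())
	if err != nil {
		return err // write nothing to a peer we cannot identify
	}
	ct, err := os.ReadFile(filepath.Join(secretsDir, req.ID+".age"))
	if err != nil {
		return err
	}
	pt, err := decrypt(ct)
	if err != nil {
		return err
	}
	_, err = conn.Write(pt)
	return err
}
```

A real server would wrap `ServeOne` in an accept loop on the socket systemd passes to it and call the age library in `decrypt`.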

### Nix

TK explain Nix usage

### See Also

- systemd Credentials
- systemd-creds
- age
- age-plugin-tpm