josh/systemd-age-creds


systemd-age-creds

Load age encrypted credentials in systemd units.

At the moment, systemd-creds only supports symmetric encryption, which requires secrets to be encrypted on the very machine (with its TPM) that will later decrypt them. Asymmetric encryption is on the systemd TODO list to be added one day.

Solutions like SOPS allow secrets to be encrypted elsewhere, checked into git and then only decrypted on the deployment host. It would be nice if a similar pattern could be applied to systemd credentials.

systemd-age-creds provides a credential server listening on an AF_UNIX socket that serves age-encrypted credentials to systemd units via LoadCredential.

Usage

systemd-age-creds.socket

[Unit]
Description=age credential socket

[Socket]
ListenStream=%t/systemd-age-creds.sock
SocketMode=0600
Service=systemd-age-creds.service

[Install]
WantedBy=sockets.target

systemd-age-creds.service

[Unit]
Description=age credential server
Requires=systemd-age-creds.socket
# After=tpm

[Service]
Type=simple
ExecStart=/path/to/bin/systemd-age-creds -i /path/to/age-key.txt /path/to/secrets

foo.service

[Service]
ExecStart=/usr/bin/myservice.sh
# Instead of loading a symmetrically encrypted systemd cred from a file,
# LoadCredentialEncrypted=foobar:/etc/credstore/myfoobarcredential.txt
#
# You can reference the credential id loading from the systemd-age-creds socket.
LoadCredential=foobar:%t/systemd-age-creds.sock
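The three unit files above describe the exchange but not what happens on the socket. The following is an added example written for this page, not the project's own implementation, showing the server side of that exchange in Python. It assumes the credential-server protocol described in systemd.exec(5): when a LoadCredential source is an AF_UNIX stream socket, the service manager connects once per credential with its client end bound to an abstract-namespace address ending in `/unit/<unit name>/<credential id>`, then reads until EOF. Decryption is delegated to the `age` CLI (assumed installed) when run as a service, and to an injectable function so the request handling can be exercised offline; the socket-activation handling follows the sd_listen_fds convention (first passed fd is 3).

```python
"""Example credential server for LoadCredential= over AF_UNIX (added illustration,
not systemd-age-creds' own code). Assumes the systemd.exec(5) protocol: the
client address ends in "/unit/<unit>/<credential id>"; the server writes the
plaintext and closes, the client reads until EOF."""
import os
import re
import socket
import subprocess
import sys
from pathlib import Path

# Peer address carries ".../unit/<unit>/<id>"; neither part may contain "/".
PEER_RE = re.compile(rb"/unit/(?P<unit>[^/\x00]+)/(?P<id>[^/\x00]+)\Z")
# Conservative allow-list: the id becomes a file name under the secrets dir.
CRED_ID_RE = re.compile(r"\A[A-Za-z0-9_.-]{1,255}\Z")


def parse_peer_name(peer):
    """Return (unit, credential_id) from the client's socket address, or raise
    ValueError so stray or unbound clients (empty peer name) are refused."""
    if isinstance(peer, str):
        peer = peer.encode()
    m = PEER_RE.search(peer)
    if m is None:
        raise ValueError("peer address carries no unit/credential id")
    unit, cred_id = m.group("unit").decode("ascii"), m.group("id").decode("ascii")
    if cred_id in (".", "..") or not CRED_ID_RE.match(cred_id):
        raise ValueError(f"refusing credential id {cred_id!r}")
    return unit, cred_id


def credential_path(directory, cred_id):
    """Map a credential id to <directory>/<id>.age, never outside it."""
    directory = Path(directory).resolve()
    path = (directory / f"{cred_id}.age").resolve()
    if path.parent != directory:
        raise ValueError("credential path escapes the secrets directory")
    return path


def decrypt_with_age(identity, ciphertext):
    """Decrypt one age file with the age CLI; plaintext is kept in memory only."""
    out = subprocess.run(["age", "--decrypt", "-i", str(identity), str(ciphertext)],
                         check=True, capture_output=True)
    return out.stdout


def handle_connection(conn, peer, directory, decrypt):
    """Serve one request; return the credential id served, or None if refused.
    The connection is always closed, so a refused request gives the client
    EOF (an empty credential) instead of a hang."""
    try:
        unit, cred_id = parse_peer_name(peer)
        conn.sendall(decrypt(credential_path(directory, cred_id)))
        print(f"served {cred_id} to {unit}", file=sys.stderr)
        return cred_id
    except (ValueError, OSError, subprocess.CalledProcessError) as exc:
        print(f"refused {peer!r}: {exc}", file=sys.stderr)
        return None
    finally:
        conn.close()


def request_over_socketpair(peer, directory, decrypt):
    """Offline stand-in for the service manager: play the client over a
    socketpair and return exactly the bytes a unit would get as its credential
    (small plaintexts only, since nobody reads while the server writes)."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    handle_connection(server, peer, directory, decrypt)
    chunks = []
    while data := client.recv(4096):
        chunks.append(data)
    client.close()
    return b"".join(chunks)


def listening_socket(path):
    """Use the socket handed over by a .socket unit (LISTEN_FDS, fd 3) when
    socket-activated; otherwise bind our own at `path` with mode 0600."""
    if (os.environ.get("LISTEN_PID") == str(os.getpid())
            and int(os.environ.get("LISTEN_FDS", "0")) >= 1):
        return socket.socket(fileno=3)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    os.umask(0o177)  # equivalent of SocketMode=0600 in the .socket unit
    sock.bind(path)
    sock.listen()
    return sock


def main(argv=None):
    """Usage: server.py -i <identity> <secrets-dir> [<socket path>]"""
    argv = sys.argv[1:] if argv is None else argv
    identity, directory = Path(argv[1]), Path(argv[2])
    listener = listening_socket(argv[3] if len(argv) > 3 else "systemd-age-creds.sock")
    while True:
        conn, _ = listener.accept()
        handle_connection(conn, conn.getpeername(), directory,
                          lambda p: decrypt_with_age(identity, p))


if __name__ == "__main__":
    main()
```

Two checks matter here on the defensive side: the credential id taken from the peer address is validated against an allow-list and confined to the secrets directory before it is used as a file name, and every connection is closed on failure so a unit asking for an unknown credential receives an empty credential and a logged refusal rather than an open socket.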

Nix

This project was originally written to meet the needs of NixOS systems, but nothing about the service itself depends on Nix. If you are using NixOS, you can add this repository as a flake input to get NixOS modules that make defining the necessary system units easier.

# The module function must accept the extra arguments the module system passes
# (lib, pkgs, options, ...), hence the trailing `...`. `inputs` is only
# available here if it is passed in via specialArgs.
{ config, inputs, ... }: {
  imports = [ inputs.systemd-age-creds.nixosModules.default ];

  services.systemd-age-creds = {
    enable = true;
    # Age identity (private key) on the host; a string, so it is not copied
    # into the world-readable Nix store.
    identity = "/path/to/age/key.txt";
    # Directory of age-encrypted secrets; a path literal is copied into the
    # store, which is acceptable because the files are ciphertext.
    directory = ./path/to/secrets;
  };

  systemd.services.example = {
    serviceConfig = {
      LoadCredential = [
        "foobar:${config.services.systemd-age-creds.socket}"
      ];
    };
  };
}

See Also

systemd Credentials, systemd-creds, age, age-plugin-tpm
