ryan
/
systemd-openbao
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Like numtide/systemd-vault but for OpenBao.
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
36 Commits
1 Branch
0 Tags
192 KiB
Nix 46.5%
Go 34.3%
Python 14.1%
HCL 1.7%
Shell 1.4%
Other 2%
 
 
 
 
 
 
main
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '44746e793b'
${ noResults }
Go to file
Jörg Thalheim 44746e793b allow processes to read from secrets directory 2 years ago
etc update Description of systemd-vaultd systemd units 2 years ago
nix nixos/systemd-vaultd: don't stop on nixos upgrades 2 years ago
tests update end-to-end procfile example 2 years ago
.gitignore update end-to-end procfile example 2 years ago
Makefile add README + services 2 years ago
Procfile Procfile: avoid using sudo 2 years ago
README.md Update README.md 2 years ago
default.nix add flake and fix tests 2 years ago
epoll.go epoll: don't log errors if fd already has been removed 2 years ago
flake.lock switch to nixpkgs fork 2 years ago
flake.nix switch to nixpkgs fork 2 years ago
go.mod rename project to systemd-vaultd 2 years ago
justfile fix defaults for systemd runtime directory 2 years ago
main.go fix defaults for systemd runtime directory 2 years ago
setup.cfg
shell.nix add just tasks 2 years ago
systemd_sockets.go implement systemd socket activation 2 years ago
treefmt.toml add more formatter 2 years ago
watcher.go allow processes to read from secrets directory 2 years ago

README.md

systemd-vaultd

systemd-vaultd is a proxy between systemd and vault agent. It provides a unix socket that can be used in systemd services in the LoadCredential option and then waits for vault agent to write these secrets at /run/systemd-vaultd/<service_name>-<secret_name>.

Systemd's LoadCredential option

Systemd has an option called LoadCredentials that allows to provide credentials to a service:

# myservice.service
[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/etc/myfoobarcredential.txt

In this case systemd will load credential the file /etc/myfoobarcredential.txt and provide it to the service at $CREDENTIAL_PATH/foobar.

While vault agent also supports writing these secrets, a service may be started before vault agent was able to retrieve secrets from vault, in which case systemd would fail to start the service.

Here is where systemd-vaultd is put to use: In additional to normal paths, systemd also supports loading credentials from unix sockets.

With systemd-vaultd the service myservice.service would look like this:

[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/run/systemd-vaultd/sock

vault agent is then expected to write secrets to /run/systemd-vaultd/

template {
  contents     = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
  destination  = "/run/systemd-vaultd/secrets/myservice.service-foo"
}

When myservice is started, systemd will open a connection to systemd-vaultd's socket. systemd-vaultd then either serve the secrets from /run/systemd-vaultd/secrets/myservice.service-foo or it waits with inotify on secret directory for vault agent to write the secret.

Installation

The installation requires a go compiler and make to be installed.

This command will install the systemd-vaultd binary to /usr/bin/systemd-vaultd as well as installing a following systemd unit files: systemd-vaultd.service, systemd-vaultd.socket:

make install