Like numtide/systemd-vault but for OpenBao.
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 
Jörg Thalheim 46bc2aa7a1 add systemd-vaultd nixos module and test 2 years ago
bin epoll: don't log errors if fd already has been removed 2 years ago
etc update Description of systemd-vaultd systemd units 2 years ago
nix add systemd-vaultd nixos module and test 2 years ago
tests comment out work in progress test 2 years ago
.gitignore rename project to systemd-vaultd 2 years ago
Makefile add README + services 2 years ago
Procfile procfile: setup vault server 2 years ago
README.md Update README.md 2 years ago
default.nix add flake and fix tests 2 years ago
epoll.go epoll: don't log errors if fd already has been removed 2 years ago
flake.lock add flake and fix tests 2 years ago
flake.nix add systemd-vaultd nixos module and test 2 years ago
go.mod rename project to systemd-vaultd 2 years ago
justfile fix defaults for systemd runtime directory 2 years ago
main.go fix defaults for systemd runtime directory 2 years ago
setup.cfg mvp + tests 2 years ago
shell.nix add just tasks 2 years ago
systemd_sockets.go implement systemd socket activation 2 years ago
treefmt.toml add more formatter 2 years ago
watcher.go watcher: don't exit event loop if there is no connection for a path 2 years ago

README.md

systemd-vaultd

systemd-vaultd is a proxy between systemd and vault agent. It provides a unix socket that can be used in systemd services in the LoadCredential option and then waits for vault agent to write these secrets at /run/systemd-vaultd/<service_name>-<secret_name>.

Systemd's LoadCredential option

Systemd has an option called LoadCredentials that allows to provide credentials to a service:

# myservice.service
[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/etc/myfoobarcredential.txt

In this case systemd will load credential the file /etc/myfoobarcredential.txt and provide it to the service at $CREDENTIAL_PATH/foobar.

While vault agent also supports writing these secrets, a service may be started before vault agent was able to retrieve secrets from vault, in which case systemd would fail to start the service.

Here is where systemd-vaultd is put to use: In additional to normal paths, systemd also supports loading credentials from unix sockets.

With systemd-vaultd the service myservice.service would look like this:

[Service]
ExecStart=/usr/bin/myservice.sh
LoadCredential=foobar:/run/systemd-vaultd/sock

vault agent is then expected to write secrets to /run/systemd-vaultd/

template {
  contents     = "{{ with secret \"secret/my-secret\" }}{{ .Data.data.foo }}{{ end }}"
  destination  = "/run/systemd-vaultd/secrets/myservice.service-foo"
}

When myservice is started, systemd will open a connection to systemd-vaultd's socket. systemd-vaultd then either serve the secrets from /run/systemd-vaultd/secrets/myservice.service-foo or it waits with inotify on secret directory for vault agent to write the secret.

Installation

The installation requires a go compiler and make to be installed.

This command will install the systemd-vaultd binary to /usr/bin/systemd-vaultd as well as installing a following systemd unit files: systemd-vaultd.service, systemd-vaultd.socket:

make install