Signing back into the Community for the first time? You'll need to reset your password to access your account. Find out more.
Forum Discussion
Feature request: Integrate better with Systemd Credentials
As per https://systemd.io/CREDENTIALS/ the only way of using systemd credentials is via it's built in store, that is essentially a on-demand encrypted folder where each file in it has secret value.
...
Just wanted to share my approach to using the CLI with a systemd mount unit. It may not be exactly what you want because it creates a credential file on disk for the duration of the mount, but with root ownership and tight permissions I personally think that's an acceptable risk.
Essentially, you encrypt the service account token in systemd and create a systemd service that uses the CLI to create a credentials file for the mount command, then modify the mount unit by adding a requirement for that service.
Steps
Create a temporary text file containing the service account token, encrypt it with systemd to another file, the contents of which you can use in the service unit:
txt
$ sudo systemd-creds encrypt --name=service-account --pretty token.txt out.cred
$ shred -u token.txt
Create a template of the mount credentials file (e.g. /usr/local/etc/myshare-mount-creds-template.txt):
txt
username=op://secrets-vault/myshare-mount-user/username
password=op://secrets-vault/myshare-mount-user/password
domain=op://secrets-vault/myshare-mount-user/domain
Use the contents of out.cred to create a service unit (e.g. mnt-myshare-credentials.service):
```txt
[Unit]
Description=Inject myshare mount credentials file
[Service]
Type=oneshot
RemainAfterExit=yes
SetCredentialEncrypted=service-account: \
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn \
... this is the contents of out.cred ...
ExecStart=/usr/bin/bash -c "mkdir -p /var/run/myshare"
ExecStart=/usr/bin/bash -c "OP_SERVICE_ACCOUNT_TOKEN=$(cat %d/service-account) op inject -i /usr/local/etc/myshare-mount-creds-template.txt -o /var/run/myshare/creds.txt"
ExecStart=/usr/bin/bash -c "chmod 0600 /var/run/myshare/creds.txt"
ExecStop=/usr/bin/bash -c "rm /var/run/myshare/creds.txt"
[Install]
WantedBy=multi-user.target
```
Add the service requirement and credential file reference to the mount unit:
```txt
[Unit]
Description=Mount my SMB share
Requires=mnt-myshare-credentials.service
[Mount]
What=//smb-server/myshare
Where=/mnt/myshare
Type=cifs
Options=rw,credentials=/var/run/myshare/creds.txt,uid=1000
...
```
The credential file should be removed with a dismount or a reboot.
If anyone has a way to improve on this please comment.
