feature request: Support systemd-creds

[blissd]

The example for running Vykar as a systemd unit requires the password to be stored in plaintext in an env file on the file system:

# Passphrase via environment file (optional)
# EnvironmentFile=/etc/vykar/env

Instead, I'd like to store the passphrase using systemd-creds. This allows a passphrase to be stored in an encrypted file, but be exposed through an unencrypted plaintext file to the running systemd unit.

This could be supported in Vykar through a new passfile encryption option:

encryption:
    passfile: "${CREDENTIALS_DIRECTORY}/vykcar-passphrase"

Which could have a sibling environment variable:

VYKAR_PASSFILE="${CREDENTIALS_DIRECTORY}/vykcar-passphrase"

Or perhaps a the existing passcommand in config.yaml could have a sibling environment variable:

VYKAR_PASSCOMMAND="cat ${CREDENTIALS_DIRECTORY}/vykcar-passphrase"

[m3nu]

Never heard of it but will look into it. Thanks for the suggestion!

[blaggacao]

It'd be:

# Passphrase via systemd-creds (optional, recommended)
# LoadCredentialEncrypted=env:/etc/credstore/vykar/env
# EnvironmentFile=%d/env

[blissd]

For the life of me, I cannot get LoadCredentailEncrypted to work with EnvironmentFile. Service startup will complain that the environment file cannot be loaded with vykar.service: Failed to load environment files: No such file or directory. So I think this means that at the credential hasn't been loaded and decrypted at the point in time systemd evaluates EnvironmentFile.

What has worked for me is this in my vykar.service file:

[Service]
# Passphrase via systemd-creds (optional, recommended)
# Encrypted env file stored under ~/.config/credstore.encrypted
LoadCredentialEncrypted=vykar-daemon-env

# Fails to start with an error about not finding the environment file
# See env_file in ~/.config/vykar/config-daemon.yaml file.
#EnvironmentFile=%d/vykar-daemon-env

And then in my vykar config:

env_file:
  # Apparently cannot use $CREDENTIALS_DIRECTORY here :-(
  # - ${CREDENTIALS_DIRECTORY}/vykar-daemon-env
  - /run/user/1000/credentials/vykar.service/vykar-daemon-env

[blaggacao]

@blissd True, ty! I figured that out a little later after commenting above. The explanation was on some freedesktop man page. The order is such that this doesn't work. It may even be on purpose as systemd considers env variables insecure - for example: the propagate down to child processes.

The solution is to have the application load secrets from files, as you ended up doing where vykar wouldn't do env interpolation.

[blissd]

To support systemd-creds, I think vykar would benefit from one or more of:

• Native support for systemd-creds, which would probably take the form of understanding the $CREDENTIALS_DIRECTORY in some way.
• Support for loading credentials from a file (like I proposed in the issue description).
• Support for expanding environment variables in the env_files configuration block.
• A CLI argument to specify one or more env files to load, like vykar --env-file=$CREDENTIALS_DIRECTORY/vykar.env

As far as I can tell, environment variables aren't expanded in the env_files configuration block. I tried with using ${HOME} (which I use elsewhere in the config file), and vykar fails with:

Error: configuration error: cannot read env_file '/var/home/david/.config/vykar/${HOME}/.config/systemd/user/vykar.env' (referenced in '/var/home/david/.config/vykar/config-daemon.yaml'): No such file or directory (os error 2)

I think the shortest path to supporting systemd-creds might be allowing environment variable expansion in the env_files configuration block so that the $CREDENTIALS_DIRECTORY env from systemd can be used.

[blaggacao]

A CLI argument to specify one or more env files to load, like vykar --env-file=$CREDENTIALS_DIRECTORY/vykar.env

That sounds like the best option to me. It also ensures expansion behaviour is well-known from the execution environment is run from (shell, etc) and avoids custom behaviour that moght or might not behave as accustomed.