GitOps with systemd secrets

Created by Wapcaplet in Blender., CC BY-SA 3.0 http://creativecommons.org/licenses/by-sa/3.0/, via Wikimedia Commons
I highly recommend checking out https://systemd.io/CREDENTIALS/ and the official systemd repo in addition to https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Credentials.
You can do something similar to "sealed secrets" or secret gitops using "just" systemd. Which I find amazing. Whether it's a good and ergonomic solution is another thing. I am not going into details about that, this is supposed to be just a short-form post.
On the host (or recipient) you execute something like:
systemd-creds encrypt --name=the_saas_api_key plaintext.txt ciphertext.cred
You then throw away the plain secret and take the encrypted secret and put it into your infrastructure git. And you are basically done.
[Service]
ExecStart=/nix/store/FFFFFFFFFFFFF/bin/my-service
SetCredentialEncrypted=the_saas_api_key:ENCRYPTED_PAYLOAD
Shortcomings
-
This is somewhat less convenient as it requires to get the secret to the host in the first place and makes things like sops/age/rage et al. "superior".
-
The payload by default contains newlines and I have not figured out (tried it for 2 minutes) how to put this into a nix systemd service definition. Ideally I can provide a follow up to this in the future. Although I would probably just go the sops/rage road.
References
- SOPS https://getsops.io/docs/
- Age/Rage (yes I prefer the Rust version because I am a fanboy) https://github.com/FiloSottile/age + https://github.com/str4d/rage