You can define those secrets in /etc/robotsecret.txt, and then in your unit you do `EnvironmentFile=/etc/robotsecret.txt`.
Then you protect /etc/robotsecret.txt as you would normally do.

Alvaro Leiva Geisse

On Mon, Nov 12, 2018 at 4:49 PM David Parsley <pars...@linuxjedi.org> wrote:
> It's a fairly common practice to configure services and provide secrets
> with environment variables. For instance, both Hubot (made by GitHub) and
> Gopherbot (made by me) can get their Slack token from an environment
> variable. In my case, github.com/lnxjedi/ansible-role-gopherbot stores
> the Slack bot token with "Environment=GOPHER_SLACK_TOKEN=xxx" in the
> systemd unit file. I had hoped to keep this info to the robot user by
> marking the unit file world-inaccessible. I was dismayed to see the log
> warning about values being accessible via the API, though super glad that
> my unprivileged user couldn't fetch it with a simple systemctl cat
> gopherbot. I know very little about DBUS or any APIs for systemd, so
> wanted to ask - is there some means by which a non-privileged user can
> access the values provided with "Environment=..." lines? Can I disable
> this by disabling dbus-daemon on server systems?
>
> Thanks,
> -David
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/systemd-devel
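A defender-side check for the pattern discussed in this thread, as an added example that is not part of either message or of systemd: it flags unit files that carry secret-looking `Environment=` assignments inline and `EnvironmentFile=` targets that group or other can access. The function name `audit_unit`, the variable-name pattern and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_unit FILE: flag secret-looking inline Environment= lines and
# EnvironmentFile= targets accessible to group/other. Returns 1 on any finding.
audit_unit() {
    unit=$1; n=0; bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
        Environment=*)
            # Report the line number only, never the value itself.
            if printf '%s\n' "$line" |
                grep -Eiq '(TOKEN|SECRET|PASSWORD|API_?KEY)[A-Za-z0-9_]*='; then
                echo "INLINE_SECRET line $n"; bad=1
            fi ;;
        EnvironmentFile=*)
            path=${line#EnvironmentFile=}
            path=${path#-}          # a leading "-" marks the file as optional
            [ -e "$path" ] || continue
            # Characters 5-10 of the ls -l mode string are the group/other bits.
            perms=$(ls -ld -- "$path" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "LOOSE_ENVFILE line $n ($perms)"; bad=1
            fi ;;
        esac
    done < "$unit"
    return "$bad"
}

# Constructed sample units; "xxx" is the placeholder value used in the thread.
demo=$(mktemp -d)
printf 'GOPHER_SLACK_TOKEN=xxx\n' > "$demo/robotsecret.txt"
chmod 600 "$demo/robotsecret.txt"
printf '[Service]\nEnvironment=GOPHER_SLACK_TOKEN=xxx\n' > "$demo/inline.service"
printf '[Service]\nEnvironmentFile=%s\n' "$demo/robotsecret.txt" > "$demo/file.service"

audit_unit "$demo/inline.service" || echo "inline.service: findings above"
audit_unit "$demo/file.service" && echo "file.service: clean"
```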