From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH backup v3 7/7] docs: client: add section about system credentials
Date: Wed, 2 Apr 2025 14:30:09 +0200
Message-ID: <20250402123009.331461-7-m.sandoval@proxmox.com>
In-Reply-To: <20250402123009.331461-1-m.sandoval@proxmox.com>
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
docs/backup-client.rst | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/docs/backup-client.rst b/docs/backup-client.rst
index e11c0142a..bc80525be 100644
--- a/docs/backup-client.rst
+++ b/docs/backup-client.rst
@@ -44,6 +44,9 @@ user\@pbs!token@host:store ``user@pbs!token`` host:8007 store
[ff80::51]:1234:mydatastore ``root@pam`` [ff80::51]:1234 mydatastore
================================ ================== ================== ===========
+
+.. _environment-variables:
+
Environment Variables
---------------------
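Review bot: The new label ".. _environment-variables:" above the "Environment Variables" heading is very generic for a target that lives in docs/backup-client.rst. Sphinx reference labels share one namespace across the whole documentation tree, so a second page that later documents its own environment variables would collide with it. Consider a client-specific name (for example a "client" prefix on the label) and use the same name in the :ref: added in the next hunk.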
@@ -89,6 +92,43 @@ Environment Variables
you can add arbitrary comments after the first newline.
+System and Service Credentials
+------------------------------
+
+Some of the :ref:`environment variables <environment-variables>` above can be
+set using `system and service credentials <https://systemd.io/CREDENTIALS/>`_
+instead.
+
+============================ ==============================================
+Environment Variable Credential Name Equivalent
+============================ ==============================================
+``PBS_REPOSITORY`` ``proxmox-backup-client.repository``
+``PBS_PASSWORD`` ``proxmox-backup-client.password``
+``PBS_ENCRYPTION_PASSWORD`` ``proxmox-backup-client.encryption-password``
+``PBS_FINGERPRINT`` ``proxmox-backup-client.fingerprint``
+============================ ==============================================
+
+For example, the repository password can be stored in an encrypted file as
+follows:
+
+.. code-block:: console
+
+ # systemd-ask-password -n | systemd-creds encrypt --name=proxmox-backup-client.password - my-api-token.cred
+
+The credential can then be reused inside of unit files or in a transient scope
+unit as follows:
+
+.. code-block:: console
+
+ # systemd-run --pipe --wait \
+ --property=LoadCredentialEncrypted=proxmox-backup-client.password:/full/path/to/my-api-token.cred \
+ --property=SetCredential=proxmox-backup-client.repository:'my_default_repository' \
+ proxmox-backup-client ...
+
+Additionally, system credentials (e.g. passed down from the hypervisor to a
+virtual machine via SMBIOS type 11) can be loaded on a service via
+`LoadCredential=` as described in the manual page ``systemd.exec(5)``.
+
Output Format
-------------
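Review bot: In the last added paragraph, `LoadCredential=` is written with single backticks, which reStructuredText treats as interpreted text (default role) rather than an inline literal; every other literal in this hunk, including ``systemd.exec(5)`` on the same line, uses double backticks, so this one should too. Separately, the opening sentence says the variables "can be set using system and service credentials instead" but the section never states which source is used when both the environment variable and the credential are present; since ``PBS_PASSWORD`` and ``PBS_ENCRYPTION_PASSWORD`` are secrets, a sentence on precedence would let an administrator know whether a stale environment variable can shadow the credential. It would also help to note next to the systemd-creds encrypt example whether my-api-token.cred is expected to be decryptable only on the machine that created it, so readers do not treat the file as a portable backup of the token.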
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
Thread overview: 8+ messages
2025-04-02 12:30 [pbs-devel] [PATCH backup v3 1/7] pbs-client: use a const for the PBS_REPOSITORY env variable Maximiliano Sandoval
2025-04-02 12:30 ` [pbs-devel] [PATCH backup v3 2/7] pbs-client: add helper for getting UTF-8 secrets Maximiliano Sandoval
2025-04-02 12:30 ` [pbs-devel] [PATCH backup v3 3/7] pbs-client: use helper for getting UTF-8 password Maximiliano Sandoval
2025-04-02 12:30 ` [pbs-devel] [PATCH backup v3 4/7] pbs-client: make get_encryption_password return a String Maximiliano Sandoval
2025-04-02 12:30 ` [pbs-devel] [PATCH backup v3 5/7] pbs-client: allow reading default repository from system credential Maximiliano Sandoval
2025-04-02 12:30 ` [pbs-devel] [PATCH backup v3 6/7] pbs-client: allow reading fingerprint " Maximiliano Sandoval
2025-04-02 12:30 ` Maximiliano Sandoval [this message]
2025-04-03 16:07 ` [pbs-devel] applied-series: [PATCH backup v3 1/7] pbs-client: use a const for the PBS_REPOSITORY env variable Thomas Lamprecht