From: Christian Ebner <c.ebner@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>,
Maximiliano Sandoval <m.sandoval@proxmox.com>
Subject: Re: [pbs-devel] [PATCH backup v2 7/7] docs: client: add section about system credentials
Date: Wed, 2 Apr 2025 11:57:22 +0200
Message-ID: <f7133e37-d16b-4484-ba61-8ffb63f6a3d8@proxmox.com>
In-Reply-To: <20250327104730.199623-7-m.sandoval@proxmox.com>

some nits inline

On 3/27/25 11:47, Maximiliano Sandoval wrote:
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
> docs/backup-client.rst | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
>
> diff --git a/docs/backup-client.rst b/docs/backup-client.rst
> index e11c0142..aea63bd1 100644
> --- a/docs/backup-client.rst
> +++ b/docs/backup-client.rst
> @@ -44,6 +44,9 @@ user\@pbs!token@host:store ``user@pbs!token`` host:8007 store
> [ff80::51]:1234:mydatastore ``root@pam`` [ff80::51]:1234 mydatastore
> ================================ ================== ================== ===========
>
> +
> +.. _environment-variables:
> +
> Environment Variables
> ---------------------
>
> @@ -89,6 +92,39 @@ Environment Variables
> you can add arbitrary comments after the first newline.
>
>
> +System Credentials
> +------------------
> +
> +Some of the :ref:`environment variables <environment-variables>` above can be
> +set using `system credentials <https://systemd.io/CREDENTIALS/>`_ instead.
> +
> +============================ ==============================================
> +Environment Variable Credential Name Equivalent
> +============================ ==============================================
> +``PBS_REPOSITORY`` ``proxmox-backup-client.repository``
> +``PBS_PASSWORD`` ``proxmox-backup-client.password``
> +``PBS_ENCRYPTION_PASSWORD`` ``proxmox-backup-client.encryption-password``
> +``PBS_FINGERPRINT`` ``proxmox-backup-client.fingerprint``
> +============================ ==============================================
> +
> +For example, a credential for the repository password can be stored in an

this sounds a bit redundant, maybe just
```
For example, the repository password can ...
```

> +encrypted file as follows:
> +
> +.. code-block:: console
> +
> + # systemd-ask-password -n | systemd-creds encrypt --name=proxmox-backup-client.password - my-api-token.cred
> +
> +The credential can be then reused inside of unit files or in a transient scope

The credential can then be reused ...

> +unit as follows:
> +
> +.. code-block:: console
> +
> + # systemd-run --pipe --wait \
> + --property=LoadCredentialEncrypted=proxmox-backup-client.password:my-api-token.cred \

This required the full path to the encrypted file to work as expected,
so maybe that should be mentioned as otherwise this trips up first users
(me included).

> + --property=SetCredential=proxmox-backup-client.repository:'my_default_repository' \
> + proxmox-backup-client ...
> +
> +
> Output Format
> -------------
>
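
Review bot: The new "System Credentials" section says the variables "can be set using system credentials instead" but never states which value wins when both are present, for example `PBS_PASSWORD` in the environment and `proxmox-backup-client.password` as a credential; a sentence on the lookup order directly below the table would settle that. In the encrypt example it is also worth saying that the `--name=` given to `systemd-creds encrypt` has to be the same string as the ID used in `LoadCredentialEncrypted=`, since the two commands rely on both being `proxmox-backup-client.password` without pointing it out.
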

Further, it might be nice to have an example on how to invoke the client
if the credentials are passed in as system credentials instead, e.g.
```
systemd-run --pipe --wait \
--property=LoadCredential=proxmox-backup-client.repository \
--property=LoadCredential=proxmox-backup-client.password \
--property=LoadCredential=proxmox-backup-client.encryption-password \
--property=LoadCredential=proxmox-backup-client.fingerprint \
proxmox-backup-client ...
```
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
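
The path pitfall raised in the review above, turned into a pre-flight check. This is an added example, not part of the patch, the reply or proxmox-backup-client: it validates a `LoadCredential=`/`LoadCredentialEncrypted=` property against the four credential names from the patch's table and flags a relative file path. The function names, verdict words and the `/etc/pbs/` paths are assumptions made for this example.

```shell
#!/bin/sh
# Credential names taken from the table in the patch under review.
PBS_CRED_NAMES="proxmox-backup-client.repository
proxmox-backup-client.password
proxmox-backup-client.encryption-password
proxmox-backup-client.fingerprint"

# check_cred_property PROPERTY  (hypothetical helper)
# Prints one verdict word; returns 0 for "ok" and "store-lookup" only.
check_cred_property() {
    prop=${1#--property=}
    case $prop in
        LoadCredential=*|LoadCredentialEncrypted=*) ;;
        *) echo "not-a-load-property"; return 2 ;;
    esac
    value=${prop#*=}
    id=${value%%:*}
    # The ID must be one of the names the client documents.
    if ! printf '%s\n' "$PBS_CRED_NAMES" | grep -qxF -- "$id"; then
        echo "unknown-name"; return 1
    fi
    case $value in
        *:*) path=${value#*:} ;;
        *)   echo "store-lookup"; return 0 ;;  # no path: inherited or credstore
    esac
    # A relative path is not resolved against the working directory; systemd
    # treats it as a name to look up among the manager's own credentials and
    # the credstore directories, so a file in the current directory is missed.
    case $path in
        /*) echo "ok"; return 0 ;;
        *)  echo "relative-path"; return 1 ;;
    esac
}

# Constructed sample input; the first line is the property from the patch.
lint_sample() {
    fails=0
    while IFS= read -r p; do
        v=$(check_cred_property "$p") || fails=$((fails + 1))
        printf '%-14s %s\n' "$v" "$p"
    done <<'EOF'
LoadCredentialEncrypted=proxmox-backup-client.password:my-api-token.cred
LoadCredentialEncrypted=proxmox-backup-client.password:/etc/pbs/my-api-token.cred
LoadCredential=proxmox-backup-client.fingerprint
LoadCredential=proxmox-backup-client.passwd:/etc/pbs/pw
EOF
    return "$fails"
}
lint_sample || :
```
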