From: Christian Ebner <c.ebner@proxmox.com>
To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>,
Maximiliano Sandoval <m.sandoval@proxmox.com>
Subject: Re: [pbs-devel] [PATCH backup v2 7/7] docs: client: add section about system credentials
Date: Wed, 2 Apr 2025 11:57:22 +0200
Message-ID: <f7133e37-d16b-4484-ba61-8ffb63f6a3d8@proxmox.com>
In-Reply-To: <20250327104730.199623-7-m.sandoval@proxmox.com>
some nits inline
On 3/27/25 11:47, Maximiliano Sandoval wrote:
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
> docs/backup-client.rst | 36 ++++++++++++++++++++++++++++++++++++
> 1 file changed, 36 insertions(+)
>
> diff --git a/docs/backup-client.rst b/docs/backup-client.rst
> index e11c0142..aea63bd1 100644
> --- a/docs/backup-client.rst
> +++ b/docs/backup-client.rst
> @@ -44,6 +44,9 @@ user\@pbs!token@host:store ``user@pbs!token`` host:8007 store
> [ff80::51]:1234:mydatastore ``root@pam`` [ff80::51]:1234 mydatastore
> ================================ ================== ================== ===========
>
> +
> +.. _environment-variables:
> +
> Environment Variables
> ---------------------
>
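Review bot: the label `environment-variables` added above the "Environment Variables" heading is very generic, and Sphinx reference labels share one namespace across the whole documentation tree, so a more specific name such as `client-environment-variables` would avoid a clash with a same-named label in another file. The `:ref:` in the new "System Credentials" section would need the same rename.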
> @@ -89,6 +92,39 @@ Environment Variables
> you can add arbitrary comments after the first newline.
>
>
> +System Credentials
> +------------------
> +
> +Some of the :ref:`environment variables <environment-variables>` above can be
> +set using `system credentials <https://systemd.io/CREDENTIALS/>`_ instead.
> +
> +============================ ==============================================
> +Environment Variable Credential Name Equivalent
> +============================ ==============================================
> +``PBS_REPOSITORY`` ``proxmox-backup-client.repository``
> +``PBS_PASSWORD`` ``proxmox-backup-client.password``
> +``PBS_ENCRYPTION_PASSWORD`` ``proxmox-backup-client.encryption-password``
> +``PBS_FINGERPRINT`` ``proxmox-backup-client.fingerprint``
> +============================ ==============================================
> +
> +For example, a credential for the repository password can be stored in an
this sounds a bit redundant, maybe just
```
For example, the repository password can ...
```
> +encrypted file as follows:
> +
> +.. code-block:: console
> +
> + # systemd-ask-password -n | systemd-creds encrypt --name=proxmox-backup-client.password - my-api-token.cred
> +
> +The credential can be then reused inside of unit files or in a transient scope
The credential can then be reused ...
> +unit as follows:
> +
> +.. code-block:: console
> +
> + # systemd-run --pipe --wait \
> + --property=LoadCredentialEncrypted=proxmox-backup-client.password:my-api-token.cred \
This required the full path to the encrypted file to work as expected,
so maybe that should be mentioned as otherwise this trips up first users
(me included).
> + --property=SetCredential=proxmox-backup-client.repository:'my_default_repository' \
> + proxmox-backup-client ...
> +
> +
> Output Format
> -------------
>
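Review bot: the "System Credentials" section says the variables "can be set using system credentials instead" but does not say which source wins when both the environment variable and its credential equivalent are present; a sentence after the table stating the lookup order would remove the ambiguity. Separately, the example stores the password in a file named my-api-token.cred while the prose calls it the repository password, so one of the two should be reworded to match.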
Further, it might be nice to have an example on how to invoke the client
if the credentials are passed in as system credentials instead, e.g.
```
systemd-run --pipe --wait \
--property=LoadCredential=proxmox-backup-client.repository \
--property=LoadCredential=proxmox-backup-client.password \
--property=LoadCredential=proxmox-backup-client.encryption-password \
--property=LoadCredential=proxmox-backup-client.fingerprint \
proxmox-backup-client ...
```
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
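Added example, not part of the original message or the patch: following the remark above that `LoadCredentialEncrypted=` only worked with the full path to the encrypted file, this shell helper resolves the file to an absolute path before building the `systemd-run` arguments. The function names and the credential-name prefix check are assumptions made for this illustration; the command line is printed, not executed.

```bash
#!/bin/sh
# Added illustration: function names are hypothetical, not from the patch.

# abs_path FILE -> print FILE with its directory resolved to an absolute,
# symlink-free path. Fails if the directory does not exist.
abs_path() {
    local dir base
    dir=$(cd -- "$(dirname -- "$1")" 2>/dev/null && pwd -P) || return 1
    base=$(basename -- "$1")
    printf '%s/%s\n' "${dir%/}" "$base"
}

# cred_property NAME FILE -> print "NAME:/absolute/path/to/FILE", the value
# expected after LoadCredentialEncrypted=. Rejects names outside the
# proxmox-backup-client.* namespace shown in the docs table, and files that
# are missing or unreadable, so a typo fails here instead of inside the unit.
cred_property() {
    local name=$1 file=$2 path
    case $name in
        proxmox-backup-client.*) ;;
        *) echo "unexpected credential name: $name" >&2; return 2 ;;
    esac
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "not a readable file: $file" >&2
        return 1
    fi
    path=$(abs_path "$file") || return 1
    printf '%s:%s\n' "$name" "$path"
}

# pbs_run_cmd FILE [CLIENT ARGS...] -> print the systemd-run command line,
# one argument per line, with the password credential loaded from FILE.
pbs_run_cmd() {
    local prop
    prop=$(cred_property proxmox-backup-client.password "$1") || return
    shift
    printf '%s\n' systemd-run --pipe --wait \
        "--property=LoadCredentialEncrypted=$prop" \
        proxmox-backup-client "$@"
}
```
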