git.ipfire.org Git - thirdparty/systemd.git/blame - man/systemd.system-credentials.xml
<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="systemd.system-credentials" xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd.system-credentials</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>systemd.system-credentials</refentrytitle>
    <manvolnum>7</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>systemd.system-credentials</refname>
    <refpurpose>System Credentials</refpurpose>
  </refnamediv>

  <refsect1>
    <title>Description</title>

    <para><ulink url="https://systemd.io/CREDENTIALS">System and Service Credentials</ulink> are data objects
    that may be passed into booted systems or system services as they are invoked. They can be acquired from
    various external sources, and propagated into the system and from there into system services. Credentials
    may optionally be encrypted with a machine-specific key and/or locked to the local TPM2 device, and are
    only decrypted when the consuming service is invoked.</para>

    <para>System credentials may be used to provision and configure various aspects of the system. Depending
    on the consuming component, credentials are only used on initial invocations or are needed for all
    invocations.</para>

    <para>Credentials may be used for any kind of data, binary or text, and may carry passwords, secrets,
    certificates, cryptographic key material, identity information, configuration, and more.</para>
  </refsect1>

  <refsect1>
    <title>Well known system credentials</title>

    <variablelist class='system-credentials'>
      <varlistentry>
        <term><varname>firstboot.keymap</varname></term>
        <listitem>
          <para>The console key mapping to set (e.g. <literal>de</literal>). Read by
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no console keymap has been configured before.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.locale</varname></term>
        <term><varname>firstboot.locale-messages</varname></term>
        <listitem>
          <para>The system locale to set (e.g. <literal>de_DE.UTF-8</literal>). Read by
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no locale has been configured before. <varname>firstboot.locale</varname> sets
          <literal>LANG</literal>, while <varname>firstboot.locale-messages</varname> sets
          <literal>LC_MESSAGES</literal>.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>firstboot.timezone</varname></term>
        <listitem>
          <para>The system timezone to set (e.g. <literal>Europe/Berlin</literal>). Read by
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no system timezone has been configured before.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>login.issue</varname></term>
        <listitem>
          <para>The data of this credential is written to
          <filename>/etc/issue.d/50-provision.conf</filename>, if the file doesn't exist yet.
          <citerefentry project='man-pages'><refentrytitle>agetty</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          reads this file and shows its contents at the login prompt of terminal logins. See
          <citerefentry project='man-pages'><refentrytitle>issue</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>login.motd</varname></term>
        <listitem>
          <para>The data of this credential is written to <filename>/etc/motd.d/50-provision.conf</filename>,
          if the file doesn't exist yet.
          <citerefentry project='man-pages'><refentrytitle>pam_motd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          reads this file and shows its contents as "message of the day" during terminal logins. See
          <citerefentry project='man-pages'><refentrytitle>motd</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>network.hosts</varname></term>
        <listitem>
          <para>The data of this credential is written to <filename>/etc/hosts</filename>, if the file
          doesn't exist yet. See
          <citerefentry project='man-pages'><refentrytitle>hosts</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          for details.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>network.dns</varname></term>
        <term><varname>network.search_domains</varname></term>
        <listitem>
          <para>DNS server information and search domains. Read by
          <citerefentry><refentrytitle>systemd-resolved.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v253"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>network.conf.*</varname></term>
        <term><varname>network.link.*</varname></term>
        <term><varname>network.netdev.*</varname></term>
        <term><varname>network.network.*</varname></term>
        <listitem>
          <para>Configures network devices. Read by
          <citerefentry><refentrytitle>systemd-network-generator.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
          These credentials should contain valid
          <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
          <citerefentry><refentrytitle>systemd.link</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
          <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
          <citerefentry><refentrytitle>systemd.network</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          configuration data. From each matching credential a separate file is created. Example: the contents
          of a credential <filename>network.link.50-foobar</filename> will be copied into a file
          <filename>50-foobar.link</filename>.</para>

          <para>Note that the resulting files are created world-readable; it is hence recommended not to include
          secrets in these credentials, but to supply them via separate credentials directly to
          <filename>systemd-networkd.service</filename>, e.g. <varname>network.wireguard.*</varname>
          as described below.</para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>network.wireguard.*</varname></term>
        <listitem>
          <para>Configures secrets for WireGuard netdevs. Read by
          <citerefentry><refentrytitle>systemd-networkd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
          For more information, refer to the <option>[WireGuard]</option> section of
          <citerefentry><refentrytitle>systemd.netdev</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
          </para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>passwd.hashed-password.root</varname></term>
        <term><varname>passwd.plaintext-password.root</varname></term>
        <listitem>
          <para>May contain the password (either in UNIX hashed format, or in plaintext) for the root user.
          Read by both
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
          and
          <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no root password has been configured before.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>passwd.shell.root</varname></term>
        <listitem>
          <para>The path to the shell program (e.g. <literal>/bin/bash</literal>) for the root user. Read by
          both
          <citerefentry><refentrytitle>systemd-firstboot</refentrytitle><manvolnum>1</manvolnum></citerefentry>
          and
          <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
          and only honoured if no root shell has been configured before.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ssh.authorized_keys.root</varname></term>
        <listitem>
          <para>The data of this credential is written to <filename>/root/.ssh/authorized_keys</filename>, if
          the file doesn't exist yet. This allows provisioning SSH access for the system's root user.</para>

          <para>Consumed by <filename>/usr/lib/tmpfiles.d/provision.conf</filename>, see
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>ssh.listen</varname></term>
        <listitem>
          <para>May be used to configure SSH sockets the system shall be reachable on. See
          <citerefentry><refentrytitle>systemd-ssh-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          for details.</para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>sysusers.extra</varname></term>
        <listitem>
          <para>Additional
          <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          lines to process during boot.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>sysctl.extra</varname></term>
        <listitem>
          <para>Additional
          <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> lines
          to process during boot.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>tmpfiles.extra</varname></term>
        <listitem>
          <para>Additional
          <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
          lines to process during boot.</para>

          <xi:include href="version-info.xml" xpointer="v252"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>fstab.extra</varname></term>

        <listitem>
          <para>Additional mounts to establish at boot. For details, see
          <citerefentry><refentrytitle>systemd-fstab-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v254"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>vconsole.keymap</varname></term>
        <term><varname>vconsole.keymap_toggle</varname></term>
        <term><varname>vconsole.font</varname></term>
        <term><varname>vconsole.font_map</varname></term>
        <term><varname>vconsole.font_unimap</varname></term>
        <listitem>
          <para>Console settings to apply, see
          <citerefentry><refentrytitle>systemd-vconsole-setup.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>

          <xi:include href="version-info.xml" xpointer="v253"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>getty.ttys.serial</varname></term>
        <term><varname>getty.ttys.container</varname></term>

        <listitem><para>Used for spawning additional login prompts, see
        <citerefentry><refentrytitle>systemd-getty-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry> for details.</para>

        <xi:include href="version-info.xml" xpointer="v254"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>journal.forward_to_socket</varname></term>
        <listitem>
          <para>Used by
          <citerefentry><refentrytitle>systemd-journald</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          to determine where to forward log messages for socket forwarding, see
          <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details.</para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>vmm.notify_socket</varname></term>
        <listitem>
          <para>Configures an
          <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
          compatible <constant>AF_VSOCK</constant> socket the service manager will report status information,
          ready notification and exit status on. For details see
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v253"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>system.machine_id</varname></term>
        <listitem>
          <para>Takes a 128-bit ID to initialize the machine ID from (if it is not set yet). Interpreted by
          the service manager (PID 1). For details see
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v254"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>system.hostname</varname></term>
        <listitem>
          <para>Accepts a (transient) hostname to configure during early boot. The static hostname specified
          in <filename>/etc/hostname</filename>, if configured, takes precedence over this setting.
          Interpreted by the service manager (PID 1). For details see
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v254"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>home.create.*</varname></term>
        <listitem>
          <para>Creates a home area for the specified user with the user record data passed in. For details see
          <citerefentry><refentrytitle>homectl</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>cryptsetup.passphrase</varname></term>
        <term><varname>cryptsetup.tpm2-pin</varname></term>
        <term><varname>cryptsetup.fido2-pin</varname></term>
        <term><varname>cryptsetup.pkcs11-pin</varname></term>
        <term><varname>cryptsetup.luks2-pin</varname></term>
        <listitem>
          <para>Specifies the passphrase/PINs to use for unlocking encrypted storage volumes. For details see
          <citerefentry><refentrytitle>systemd-cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>systemd.extra-unit.*</varname></term>
        <term><varname>systemd.unit-dropin.*</varname></term>

        <listitem><para>These credentials specify extra units and drop-ins to add to the system. For details
        see <citerefentry><refentrytitle>systemd-debug-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>

        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
      </varlistentry>

      <varlistentry>
        <term><varname>udev.conf.*</varname></term>
        <term><varname>udev.rules.*</varname></term>

        <listitem>
          <para>Configures the udev configuration file and udev rules. Read by
          <filename>systemd-udev-load-credentials.service</filename>, which invokes
          <command>udevadm control --load-credentials</command>. These credentials directly translate to a
          matching
          <citerefentry><refentrytitle>udev.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> or
          <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry> rules
          file. Example: the contents of a credential
          <filename>udev.conf.50-foobar</filename> will be copied into a file
          <filename>/run/udev/udev.conf.d/50-foobar.conf</filename>, and
          <filename>udev.rules.50-foobar</filename> will be copied into a file
          <filename>/run/udev/rules.d/50-foobar.rules</filename>. See
          <citerefentry><refentrytitle>udev</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
          <citerefentry><refentrytitle>udev.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>, and
          <citerefentry><refentrytitle>udevadm</refentrytitle><manvolnum>8</manvolnum></citerefentry>
          for details.</para>

          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
      <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
      <member><citerefentry><refentrytitle>smbios-type-11</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
    </simplelist></para>
  </refsect1>

</refentry>
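
The world-readable caveat for network.conf.*, network.link.*, network.netdev.* and network.network.* above, as an added example that is not part of the man page or of systemd: a pre-deployment check that maps each such credential to the file name it produces and flags WireGuard keys written inline instead of being supplied via network.wireguard.*. The suffix mapping for kinds other than link generalizes the page's single example; the sample credentials, the PrivateKey=/PresharedKey= setting list and the reading of a leading "@" as a credential reference are assumptions based on systemd.netdev(5).

```python
import re

# Suffix of the file each credential kind produces, generalizing the page's
# example network.link.50-foobar -> 50-foobar.link (assumption for the rest).
KINDS = {"conf": ".conf", "link": ".link", "netdev": ".netdev", "network": ".network"}
# Secret-bearing settings of the WireGuard sections in systemd.netdev(5).
WG_SECTIONS = {"WireGuard", "WireGuardPeer"}
SECRET_KEYS = {"PrivateKey", "PresharedKey"}

# Constructed sample credentials; key material is a placeholder, not a real key.
SAMPLE = {
    "network.link.50-foobar": "[Match]\nOriginalName=*\n\n[Link]\nMTUBytes=1400\n",
    "network.netdev.50-wg0": (
        "[NetDev]\nName=wg0\nKind=wireguard\n\n"
        "[WireGuard]\nPrivateKey=CONSTRUCTED+PLACEHOLDER+KEY=\n\n"
        "[WireGuardPeer]\nPublicKey=CONSTRUCTED+PUBLIC+KEY=\n"
        "PresharedKey=@network.wireguard.psk.wg0\n"
    ),
    "network.wireguard.private.wg0": "CONSTRUCTED+PLACEHOLDER+KEY=\n",
}


def target_filename(cred_name):
    """File name created from a network.<kind>.<name> credential, else None."""
    m = re.fullmatch(r"network\.(conf|link|netdev|network)\.(.+)", cred_name)
    return m.group(2) + KINDS[m.group(1)] if m else None


def inline_secrets(payload):
    """Yield (line_no, section, key) for WireGuard secrets given literally."""
    section = None
    for line_no, raw in enumerate(payload.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if not sep or section not in WG_SECTIONS or key.strip() not in SECRET_KEYS:
            continue
        # Assumption: a leading "@" names a credential to read the key from,
        # so the secret itself is not in this (world-readable) file.
        if value.strip() and not value.strip().startswith("@"):
            yield line_no, section, key.strip()


def audit(credentials):
    """List (credential, file name, line, setting) for every inline secret."""
    findings = []
    for name, payload in sorted(credentials.items()):
        fname = target_filename(name)
        if fname is None:
            continue  # e.g. network.wireguard.*, passed straight to networkd
        for line_no, section, key in inline_secrets(payload):
            findings.append((name, fname, line_no, f"[{section}] {key}="))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("inline secret in world-readable file:", finding)
```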