docs: mention tmpfiles.d in CREDENTIALS.md and add example

diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md
index 52741082f277d4aa95ea5efd8c00cb415f45702a..70e2ea36d5819177c529f12e953a32d723ad0039 100644 (file)
--- a/docs/CREDENTIALS.md
+++ b/docs/CREDENTIALS.md
@@ -342,6 +342,10 @@ Various services shipped with `systemd` consume credentials for tweaking behavio
   `firstboot.keymap`, `firstboot.timezone`, that configure locale, keymap or
   timezone settings in case the data is not yet set in `/etc/`.
 
+* [`tmpfiles.d(5)`](https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html)
+  will look for the credentials `tmpfiles.extra` with arbitrary tmpfiles.d lines.
+  Can be encoded in base64 to allow easily passing it on the command line.
+
 In future more services are likely to gain support for consuming credentials.
 
 Example:
@@ -377,6 +381,23 @@ qemu-system-x86_64 \
         -smbios type=11,value=io.systemd.credential:firstboot.locale=C.UTF-8
 ```
 
+This boots the specified disk image via qemu, provisioning public key SSH access
+for the root user from the caller's key:
+
+```
+qemu-system-x86_64 \
+        -machine type=q35,accel=kvm,smm=on \
+        -smp 2 \
+        -m 1G \
+        -cpu host \
+        -nographic \
+        -nodefaults \
+        -serial mon:stdio \
+        -drive if=none,id=hd,file=test.raw,format=raw \
+        -device virtio-scsi-pci,id=scsi \
+        -device scsi-hd,drive=hd,bootindex=1 \
+        -smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=$(echo "f~ /root/.ssh/authorized_keys 700 root root - $(ssh-add -L | base64 -w 0)" | base64 -w 0)
+```
 ## Relevant Paths
 
 From *service* perspective the runtime path to find loaded credentials in is