use encrypted token in systemd service

3 files changed, 12 insertions, 4 deletions

diff --git a/hetzner-ddns.sh b/hetzner-ddns.sh
index 7ad8e28..5e6de74 100755
--- a/hetzner-ddns.sh
+++ b/hetzner-ddns.sh
@@ -3,6 +3,8 @@
 # Copyright 2022 David Vazgenovich Shakaryan
 #
 # HETZNER_TOKEN=<token> hetzner-ddns.sh <domain>
+# HETZNER_TOKEN_FILE=/path/to/token hetzner-ddns.sh <domain>
+# systemctl enable --now "hetzner-ddns@$(systemd-escape <domain>).timer"
 
 IP_RESOLVER='https://ifconfig.co'
 TARGET="${1}"
@@ -20,6 +22,13 @@ hetzcurl() {
 		"${@:2}"
 }
 
+if [[ -z "${HETZNER_TOKEN}" ]] && [[ -n "${HETZNER_TOKEN_FILE}" ]]; then
+	[[ -f "${HETZNER_TOKEN_FILE}" ]] || die 'Specified token file' \
+		"(${HETZNER_TOKEN_FILE}) does not exist"
+	HETZNER_TOKEN="$(<"${HETZNER_TOKEN_FILE}")"
+fi
+[[ -n "${HETZNER_TOKEN}" ]] || die 'Missing token'
+
 ip="$(curl -sf4 "${IP_RESOLVER}")" || die 'IP lookup failed'
 
 zone_re="${TARGET}"
diff --git a/systemd/hetzner-ddns@.service b/systemd/hetzner-ddns@.service
index 28a25fd..58e6e6f 100644
--- a/systemd/hetzner-ddns@.service
+++ b/systemd/hetzner-ddns@.service
@@ -2,6 +2,7 @@
 Description=Hetzner DDNS updater
 
 [Service]
-Type=oneshot
-ExecStart=hetzner-ddns.sh %i
+ExecStart=hetzner-ddns.sh %I
 DynamicUser=yes
+LoadCredentialEncrypted=hetzner_token.cred
+Environment=HETZNER_TOKEN_FILE=%d/hetzner_token.cred
diff --git a/systemd/hetzner-ddns@home.example.org.service.d/opts.conf b/systemd/hetzner-ddns@home.example.org.service.d/opts.conf
deleted file mode 100644
index 1e62794..0000000
--- a/systemd/hetzner-ddns@home.example.org.service.d/opts.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment="HETZNER_TOKEN=access_token"