<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi,</p>
<p>so for context, I want to isolate most services I plan on running
inside containers, each with its own nginx, PHP, etc.</p>
<p><br>
</p>
<p>My issue is with credentials. I would like the host to handle the
renewal of the TLS certificate, and to have the credentials propagated
via systemd-nspawn to the services that run within each container.
I get the basic idea of how to implement this, but from what I'm
reading, once the credentials are loaded, they are immutable for
as long as the service runs -- in this case I'm assuming as long
as the nspawn container itself runs.</p>
<p><br>
</p>
<p>So how would I best handle renewal of the certificate? Would I
have to restart each container via machinectl in order to reload
this, thus causing very brief downtime on all of my services?</p>
<p><br>
</p>
<p>Is there a better way of doing what I'm trying to accomplish
here? Nginx can access the certificate normally, but I would like
to run it as a totally dynamic user combo. I also host other
services that do not run as root first before dropping privileges,
so they require access to the certificate another way. So I
thought of systemd's credentials management to give access without
compromising on security and isolation.</p>
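<p>As an added illustration (not part of the original message) of the propagation described above, the host-side nspawn settings and the container-side drop-in below hand a host-managed certificate to an nginx unit as systemd credentials. The container name <code>web</code>, the credential IDs <code>tls.crt</code>/<code>tls.key</code>, the <code>example.org</code> paths and the use of <code>DynamicUser=</code> are assumptions; the <code>LoadCredential=</code> keys are documented in systemd.nspawn(5) and systemd.exec(5), and <code>ImportCredential=</code> needs systemd 254 or newer.</p>

```ini
# /etc/systemd/nspawn/web.nspawn  (host side; container "web" is assumed)
[Exec]
# Hand the host-managed certificate and key to the container's init as
# system credentials. The file contents are captured when the container
# starts; later changes to these files (i.e. a renewal) are not visible
# inside the running container.
LoadCredential=tls.crt:/etc/letsencrypt/live/example.org/fullchain.pem
LoadCredential=tls.key:/etc/letsencrypt/live/example.org/privkey.pem

# /etc/systemd/system/nginx.service.d/credentials.conf  (inside the container)
[Service]
# With only an ID and no path, the credential is inherited from the
# container's own service manager (the set nspawn passed in above).
# On systemd 254+ the glob form "ImportCredential=tls.*" does the same.
LoadCredential=tls.crt
LoadCredential=tls.key
# The unit then finds the files under $CREDENTIALS_DIRECTORY, here
# /run/credentials/nginx.service/, readable by the unit's own UID only,
# so a dynamic user never needs read access to the host's key file.
# (Binding to ports 80/443 as a non-root dynamic user is not covered here.)
DynamicUser=yes

# /etc/nginx/conf.d/tls.conf  (inside the container; nginx syntax)
# ssl_certificate     /run/credentials/nginx.service/tls.crt;
# ssl_certificate_key /run/credentials/nginx.service/tls.key;

# Restarting only nginx inside the container re-reads the container's
# credential set, which still holds the files captured at container start;
# picking up a renewed certificate from the host needs a container restart
# (e.g. machinectl reboot web), which is the brief downtime the message asks about.
```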
</body>
</html>