NS8-App Mayhem: A Modules Dev thread on multiple modules issues faced

Is 2FAUTH_IMAGE an environment variable?
If so, the systemd.exec manual says this:

The names of the variables can contain ASCII letters, digits, and the underscore character. Variable names cannot be empty or start with a digit. In variable values, most characters are allowed, but non-printable characters are currently rejected.

Note that environment variables are not suitable for passing secrets (such as passwords, key material, …) to service processes. Environment variables set for a unit are exposed to unprivileged clients via D-Bus IPC, and generally not understood as being data that requires protection. Moreover, environment variables are propagated down the process tree, including across security boundaries (such as setuid/setgid executables), and hence might leak to processes that should not have access to the secret data. Use LoadCredential=, LoadCredentialEncrypted= or SetCredentialEncrypted= (see below) to pass data to unit processes securely.

As I’m clueless when it comes to podman, docker, containers et al., and there seem to be general environment variables as well as podman environment variables restricted to each container, take it with a grain of salt.

Unrelated to your question but related to Better Secrets Management for NS8 Apps - #5 by Tbaile, regarding handling of passwords/secrets without using podman --secret, I think the code with --env refers to podman environment vars (so scope is constrained to container, but defined in a systemd file). But if devs have already taken these things into account and it is a widely accepted and spread method, I’m surely none the wiser.
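
Added example, not part of the original post and not NS8 code: a small linter that applies the systemd.exec naming rule quoted above to an environment file and flags variables whose names suggest a secret that belongs in LoadCredential=. The sample file contents, the `lint_env_file` function and the secret-name pattern are assumptions made for illustration.

```python
import re

# Naming rule quoted from systemd.exec above: ASCII letters, digits and
# underscore; not empty; must not start with a digit.
VALID_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
# Assumption: name fragments that usually mark a secret (heuristic, not from systemd).
SECRET_HINT = re.compile(r"PASS|SECRET|TOKEN|KEY", re.IGNORECASE)


def lint_env_file(text):
    """Return a list of (line_number, name, problem) for an environment file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank lines and comments carry no assignment
        name, sep, value = line.partition("=")
        name = name.strip()
        if not sep:
            findings.append((lineno, name, "not a NAME=VALUE assignment"))
            continue
        if not VALID_NAME.match(name):
            findings.append((lineno, name, "invalid variable name"))
        if any(not ch.isprintable() for ch in value):
            findings.append((lineno, name, "non-printable character in value"))
        if SECRET_HINT.search(name) and value.strip():
            findings.append((lineno, name, "looks like a secret; use LoadCredential= instead"))
    return findings


# Constructed sample input, not taken from any NS8 module.
SAMPLE = """\
# environment file for a hypothetical module
2FAUTH_IMAGE=example.invalid/2fauth:latest
TWOFAUTH_IMAGE=example.invalid/2fauth:latest
DB_PASSWORD=constructed-sample-value
TCP_PORT=20001
"""

if __name__ == "__main__":
    for lineno, name, problem in lint_env_file(SAMPLE):
        print(f"line {lineno}: {name}: {problem}")
```
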