From d814008006906aff623253e340360c5cc8753753 Mon Sep 17 00:00:00 2001
From: h7x4 <h7x4@nani.wtf>
Date: Tue, 16 Dec 2025 15:03:10 +0900
Subject: [PATCH] docs/installation: document systemd-less creds

---
 docs/installation.md | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/docs/installation.md b/docs/installation.md
index 5f7fb33..ef01900 100644
--- a/docs/installation.md
+++ b/docs/installation.md
@@ -48,7 +48,9 @@ If you named it differently, please edit `/etc/muscl/muscl.conf` accordingly.
 
 For systemd-based setups, we recommend using `systemd-creds` to provide the database password, see the section below.
 
-## Setting the myscl password with `systemd-creds`
+## Setting the myscl password ...
+
+### ... with `systemd-creds`
 
 The debian package assumes that you will provide the password for `muscl`'s database user with `systemd-creds`.
 
@@ -77,6 +79,19 @@ If you are running systemd older than version 254 (see `systemctl --version`), y
 LoadCredentialEncrypted=muscl_mysql_password:/etc/credstore.encrypted/muscl_mysql_password
 ```
 
+### ... without `systemd-creds`
+
+If you do not have systemd, or if you do not want to use `systemd-creds`, you can also set the password in any other file on the system.
+Be careful to ensure that the file is not readable by unprivileged users, as it would yield them too much access to the mysql server.
+Edit `/etc/muscl/muscl.conf` and set the `mysql_password_file` option below `[database]` to point to the file containing the password.
+
+If you are using systemd, you should also create an override to unset the `ImportCredential=` line. Run `systemctl edit muscl.service` and add the following lines:
+
+```ini
+[Service]
+ImportCredential=
+```
+
 ## Configuring group denylists
 
 In `/etc/muscl/muscl.conf`, you will find an option below `[authorization]` named `group_denylist_file`,