Existe uma maneira típica de passar uma senha para um arquivo da Unidade Systemd?

Existem duas abordagens possíveis aqui, dependendo dos seus requisitos. Se você não quiser receber uma solicitação de senha quando o serviço for ativado, use a diretiva EnvironmentFile . De man systemd.exec :

Similar to Environment= but reads the environment variables from a text file. The text file should contain new-line-separated variable assignments.

Se você fizer quiser ser solicitado, você usaria uma das diretivas systemd-ask-password . De man systemd-ask-password :

systemd-ask-password may be used to query a system password or passphrase from the user, using a question message specified on the command line. When run from a TTY it will query a password on the TTY and print it to standard output. When run with no TTY or with --no-tty it will use the system-wide query mechanism, which allows active users to respond via several agents

Há uma terceira alternativa para isso, assim como a sugestão de @jasonwryan.

The current best way to do this is to run systemctl edit myservice, which will create an override file for you or let you edit an existing one.

In normal installations this will create a directory /etc/systemd/system/myservice.service.d, and inside that directory create a file whose name ends in .conf (typically, override.conf), and in this file you can add to or override any part of the unit shipped by the distribution.

For instance, in a file /etc/systemd/system/myservice.service.d/myenv.conf:

[Service]
Environment="SECRET=pGNqduRFkB4K9C2vijOmUDa2kPtUhArN"
Environment="ANOTHER_SECRET=JP8YLOc2bsNlrGuD6LVTq7L36obpjzxd"

Also note that if the directory exists and is empty, your service will be disabled! If you don't intend to put something in the directory, ensure that it does not exist.