Merge pull request #131 from kfox1111/step-ssh-bump2

Bump spiffe-step-ssh version

examples/rpms/Dockerfile

@@ -1,7 +1,9 @@
 ARG STEPVER="0.28.2"
+ARG STEPCAVER="0.28.4"
 
 FROM docker.io/library/almalinux:9 AS rpm-builder
 ARG STEPVER
+ARG STEPCAVER
 
 WORKDIR /tmp
 
@@ -17,6 +19,8 @@ RUN --mount=type=secret,id=gpg \
   dnf install -y which rpmdevtools rpm-build rpm-sign git make && \
   spectool -g -R spire.spec && \
   rpmbuild -ba spire.spec && \
+  spectool -g -R spire-controller-manager.spec && \
+  rpmbuild -ba spire-controller-manager.spec && \
   spectool -g -R spiffe-helper.spec && \
   rpmbuild -ba spiffe-helper.spec && \
   spectool -g -R spiffe-step-ssh.spec && \
@@ -33,6 +37,10 @@ RUN --mount=type=secret,id=gpg \
   rpmbuild -ba spire-agent-nodeattestor-tpmdirect.spec && \
   spectool -g -R spire-server-attestor-tpm.spec && \
   rpmbuild -ba spire-server-attestor-tpm.spec && \
+  spectool -g -R spire-credentialcomposer-cel.spec && \
+  rpmbuild -ba spire-credentialcomposer-cel.spec && \
+  spectool -g -R aws-spiffe-workload-helper.spec && \
+  rpmbuild -ba aws-spiffe-workload-helper.spec && \
   if [ -f /run/secrets/gpg ]; then \
     gpg --import /run/secrets/gpg && \
     gpg --import rpm.pub && \
@@ -43,10 +51,12 @@ RUN --mount=type=secret,id=gpg \
 
 RUN \
   dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-${STEPVER}-1.$(uname -i).rpm && \
+  dnf localinstall -y https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca-${STEPCAVER}-1.$(uname -i).rpm && \
   dnf localinstall -y /root/rpmbuild/RPMS/*/*.rpm
 
 FROM docker.io/library/ubuntu:latest AS deb-builder
 ARG STEPVER
+ARG STEPCAVER
 
 COPY --from=rpm-builder /root/rpmbuild/RPMS /root/rpmbuild/RPMS
 
@@ -63,7 +73,9 @@ RUN \
 
 RUN \
   curl -L -o step-cli.deb https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli_${STEPVER}-1_$(dpkg --print-architecture).deb && \
+  curl -L -o step-ca.deb https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca_${STEPCAVER}-1_$(dpkg --print-architecture).deb && \
   apt-get install -y ./step-cli.deb && \
+  apt-get install -y ./step-ca.deb && \
   apt-get install -y /root/debbuild/*/*.deb
 
 FROM docker.io/library/nginx:latest

examples/rpms/Dockerfile.repos

@@ -1,10 +1,8 @@
-FROM docker.io/library/almalinux:9 AS rpm-builder
+FROM docker.io/library/almalinux:9 AS rpm-builder9
 
 WORKDIR /tmp
-
 COPY RPMS /tmp/packages/RPMS
 COPY DEBS /tmp/packages/DEBS
-
 RUN \
   dnf install -y createrepo_c && \
   mkdir -p /tmp/packages/RPMS/x86_64/el9 && \
@@ -14,7 +12,35 @@ RUN \
   cd /tmp/packages/RPMS/aarch64 && \
   createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el9/ .
 
+FROM docker.io/library/almalinux:10 AS rpm-builder10
+WORKDIR /tmp
+COPY RPMS /tmp/packages/RPMS
+RUN \
+  dnf install -y createrepo_c && \
+  mkdir -p /tmp/packages/RPMS/x86_64/el10 && \
+  mkdir -p /tmp/packages/RPMS/aarch64/el10 && \
+  cd /tmp/packages/RPMS/x86_64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el10/ . && \
+  cd /tmp/packages/RPMS/aarch64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el10/ .
+
+FROM docker.io/library/almalinux:8 AS rpm-builder8
+WORKDIR /tmp
+COPY RPMS /tmp/packages/RPMS
+RUN \
+  dnf install -y createrepo_c && \
+  mkdir -p /tmp/packages/RPMS/x86_64/el8 && \
+  mkdir -p /tmp/packages/RPMS/aarch64/el8 && \
+  cd /tmp/packages/RPMS/x86_64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el8/ . && \
+  cd /tmp/packages/RPMS/aarch64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el8/ .
+
 FROM docker.io/library/nginx:latest
 RUN rm -rf /usr/share/nginx/html/*
-COPY --from=rpm-builder /tmp/packages/RPMS /usr/share/nginx/html/RPMS
+COPY --from=rpm-builder9 /tmp/packages/RPMS /usr/share/nginx/html/RPMS
-COPY --from=rpm-builder /tmp/packages/DEBS /usr/share/nginx/html/DEBS
+COPY --from=rpm-builder9 /tmp/packages/DEBS /usr/share/nginx/html/DEBS
+COPY --from=rpm-builder10 /tmp/packages/RPMS/x86_64/el10 /usr/share/nginx/html/RPMS/x86_64/el10
+COPY --from=rpm-builder10 /tmp/packages/RPMS/aarch64/el10 /usr/share/nginx/html/RPMS/aarch64/el10
+COPY --from=rpm-builder8 /tmp/packages/RPMS/x86_64/el8 /usr/share/nginx/html/RPMS/x86_64/el8
+COPY --from=rpm-builder8 /tmp/packages/RPMS/aarch64/el8 /usr/share/nginx/html/RPMS/aarch64/el8

examples/rpms/aws-spiffe-workload-helper.spec

@@ -0,0 +1,54 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
+
+Summary:    AWS SPIFFE Workload Helper
+Name:       aws-spiffe-workload-helper
+Version:    0.0.4
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/aws-spiffe-workload-helper/releases/download/v%{version}/aws-spiffe-workload-helper_Linux_%{ARCH}.tar.gz
+
+%global __strip /bin/true
+
+%description
+AWS SPIFFE Workload Helper
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+
+%build
+
+%install
+mkdir -p "%{buildroot}/usr/bin"
+cp -a aws-spiffe-workload-helper %{buildroot}/usr/bin
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/bin/aws-spiffe-workload-helper
+

examples/rpms/k8s-spiffe-workload-auth-config.spec

@@ -21,8 +21,8 @@
 
 Summary:    Kubernetes SPIFFE Workload Auth Config
 Name:       k8s-spiffe-workload-auth-config
-Version:    0.2.0
+Version:    0.2.1
-Release:    2
+Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io

examples/rpms/k8s-spiffe-workload-jwt-exec-auth.spec

@@ -21,7 +21,7 @@
 
 Summary:    K8s SPIFFE Workload JWT Exec Auth Plugin
 Name:       k8s-spiffe-workload-jwt-exec-auth
-Version:    0.0.6
+Version:    0.0.7
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0

examples/rpms/spiffe-step-ssh.spec

@@ -21,8 +21,8 @@
 
 Summary:    SPIFFE Step SSH
 Name:       spiffe-step-ssh
-Version:    0.0.6
+Version:    0.0.9
-Release:    2
+Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
@@ -35,6 +35,13 @@ Requires:   spiffe-helper
 %description
 SPIFFE Step SSH
 
+%package -n spiffe-step-ssh-server
+Summary: SPIFFE Step SSH Server
+Requires: step-ca
+Requires: spiffe-helper
+%description -n spiffe-step-ssh-server
+SPIFFE Step SSH Server
+
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}
 
@@ -47,6 +54,7 @@ SPIFFE Step SSH
 %install
 cd spiffe-step-ssh-%{version}
 make install DESTDIR="%{buildroot}"
+make install-server DESTDIR="%{buildroot}"
 
 %clean
 rm -rf %{buildroot}
@@ -57,3 +65,14 @@ rm -rf %{buildroot}
 /usr/lib/systemd/system/spiffe-step-ssh@.service
 /usr/lib/systemd/system/spiffe-step-ssh-cleanup.service
 %config(noreplace) /etc/spiffe/step-ssh
+
+%files -n spiffe-step-ssh-server
+/usr/lib/systemd/system/spiffe-step-ssh-server@.service
+/usr/lib/systemd/system/spiffe-step-ssh-fetchca@.service
+/usr/libexec/spiffe/step-ssh-server/main
+/usr/libexec/spiffe/step-ssh-server/ssh_x5c.tpl
+/usr/libexec/spiffe/step-ssh-server/nginx-fetchca.conf
+/usr/libexec/spiffe/step-ssh-server/helper-fetchca.conf
+/usr/sbin/setup-spiffe-step-ssh-server
+/usr/sbin/spiffe-step-ssh-get-cert-authority
+%config(noreplace) /etc/spiffe/step-ssh-server

examples/rpms/spire-agent-nodeattestor-tpmdirect.spec

@@ -21,18 +21,18 @@
 
 Summary:    SPIRE Agent Node Attestor TPM Direct
 Name:       spire-agent-nodeattestor-tpmdirect
-Version:    1.8.7
+Version:    1.9.0
-Release:    2
+Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-Source0:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
+Source0:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
-Source1:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
+Source1:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
 
 %global __strip /bin/true
 
 %description
-K8s SPIFFE Workload JWT Exec Auth Plugin
+SPIRE Agent Node Attestor TPM Direct
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}

examples/rpms/spire-controller-manager.spec

@@ -0,0 +1,74 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
+
+Summary:    SPIRE Controller Manager
+Name:       spire-controller-manager
+Version:    0.6.2
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Requires:   spire-common
+#FIXME Switch to binaries once released
+Source0:    https://github.com/spiffe/spire-controller-manager/archive/refs/tags/v%{version}.tar.gz
+Source1:    spire-extras-systemd.tar.gz
+
+%global __strip /bin/true
+
+%description
+SPIRE Controller Manager
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup
+%setup -T -D -a 1
+
+%build
+curl -L -o go.tar.gz https://go.dev/dl/go1.24.2.linux-%{ARCH}.tar.gz
+tar -xvf go.tar.gz
+export PATH=$PATH:$(pwd)/go/bin
+export CGO_ENABLED=0
+go build -o spire-controller-manager cmd/main.go
+
+%install
+mkdir -p %{buildroot}/usr/bin
+cp spire-controller-manager %{buildroot}/usr/bin
+cd systemd
+make install DESTDIR="%{buildroot}"
+rm -f "%{buildroot}/etc/spiffe/default-trust-domain.env"
+rm -f "%{buildroot}/etc/spire/agent/default".*
+rm -f "%{buildroot}/etc/spire/server/default".*
+rm -f "%{buildroot}/usr/lib/systemd/system/spire-agent"*
+rm -f "%{buildroot}/usr/lib/systemd/system/spire-server"*
+rm -f "%{buildroot}/usr/lib/systemd/system/spire.target"
+rm -f "%{buildroot}/usr/libexec/spire/server/start.sh"
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/lib/systemd/system/spire-controller-manager@.service
+/usr/bin/spire-controller-manager
+/usr/libexec/spire/controller-manager/start.sh
+%config(noreplace) /etc/spire/controller-manager/default.conf

examples/rpms/spire-credentialcomposer-cel.spec

@@ -0,0 +1,53 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
+
+Summary:    SPIRE Credential Composer CEL
+Name:       spire-credentialcomposer-cel
+Version:    0.0.2
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/spire-credentialcomposer-cel/releases/download/v%{version}/spire-credentialcomposer-cel_Linux_%{ARCH}.tar.gz
+
+%global __strip /bin/true
+
+%description
+SPIRE Credential Composer CEL
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+
+%build
+
+%install
+mkdir -p "%{buildroot}/usr/libexec/spire/plugins"
+cp -a spire-credentialcomposer-cel %{buildroot}/usr/libexec/spire/plugins/credentialcomposer-cel
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/libexec/spire/plugins/credentialcomposer-cel

examples/rpms/spire-ha-agent.spec

@@ -21,8 +21,8 @@
 
 Summary:    SPIRE HA Agent
 Name:       spire-ha-agent
-Version:    0.0.12
+Version:    0.0.13
-Release:    2
+Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io

examples/rpms/spire-server-nodeattestor-tpmdirect.spec

@@ -21,17 +21,17 @@
 
 Summary:    SPIRE Server Node Attestor TPM Direct
 Name:       spire-server-nodeattestor-tpmdirect
-Version:    1.8.7
+Version:    1.9.0
-Release:    2
+Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-Source0:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
+Source0:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
 
 %global __strip /bin/true
 
 %description
-K8s SPIFFE Workload JWT Exec Auth Plugin
+SPIRE Server Node Attestor TPM Direct
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}

examples/rpms/spire.spec

@@ -21,8 +21,8 @@
 
 Summary:    SPIRE components
 Name:       spire-common
-Version:    1.12.0
+Version:    1.12.4
-Release:    2
+Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
@@ -93,6 +93,9 @@ cp "spire-%{version}"/bin/* "%{buildroot}/bin"
 cp "spire-extras-%{version}"/bin/oidc-discovery-provider "%{buildroot}/bin/spiffe-oidc-discovery-provider"
 cd systemd
 make install DESTDIR="%{buildroot}"
+rm -f "%{buildroot}/etc/spire/controller-manager/default.conf"
+rm -f "%{buildroot}/usr/lib/systemd/system/spire-controller-manager@.service"
+rm -f "%{buildroot}/usr/libexec/spire/controller-manager/start.sh"
 
 %clean
 rm -rf %{buildroot}

examples/systemd/Makefile

@@ -5,9 +5,12 @@ default:
 install:
 	mkdir -p $(DESTDIR)/usr/lib/systemd/system/
 	mkdir -p $(DESTDIR)/usr/libexec/spire/server/
+	mkdir -p $(DESTDIR)/usr/libexec/spire/controller-manager/
 	install scripts/server/start.sh $(DESTDIR)/usr/libexec/spire/server/
+	install scripts/controller-manager/start.sh $(DESTDIR)/usr/libexec/spire/controller-manager/
 	install system/* $(DESTDIR)/usr/lib/systemd/system/
 	([ ! -f $(DESTDIR)/etc/spire/agent/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/default.conf $(DESTDIR)/etc/spire/agent/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spire/server/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.conf $(DESTDIR)/etc/spire/server/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spire/server/default.env ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.env $(DESTDIR)/etc/spire/server/default.env) || true
+	([ ! -f $(DESTDIR)/etc/spire/controller-manager/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/controller-manager && install conf/controller-manager/default.conf $(DESTDIR)/etc/spire/controller-manager/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spiffe/default-trust-domain.env ] && mkdir -p $(DESTDIR)/etc/spiffe && install conf/spiffe/default-trust-domain.env $(DESTDIR)/etc/spiffe/default-trust-domain.env) || true

examples/systemd/conf/controller-manager/default.conf

@@ -0,0 +1,16 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ControllerManagerConfig
+metadata:
+  name: config
+metrics:
+  bindAddress: 0.0.0.0:9123
+health:
+  healthProbeBindAddress: 0.0.0.0:9124
+trustDomain: "${SPIFFE_TRUST_DOMAIN}"
+entryIDPrefix: "scm-${INSTANCE}"
+clusterName: "scm-${INSTANCE}"
+clusterDomain: local
+watchClassless: true
+spireServerSocketPath: "/var/run/spire/server/sockets/${SYSTEMD_INSTANCE}/private/api.sock"
+staticManifestPath: "/etc/spire/server/${SYSTEMD_INSTANCE}/manifests"
+logLevel: info

examples/systemd/scripts/controller-manager/start.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Set default variables
+export INSTANCE="${INSTANCE:-${SYSTEMD_INSTANCE}}"
+export SCM_CLASSNAME="${SCM_CLASSNAME:-scm-${SYSTEMD_INSTANCE}}"
+export SCM_ENTRYID_PREFIX="${SCM_ENTRYID_PREFIX:-${SCM_CLASSNAME}}"
+export SCM_CLUSTERNAME="${SCM_CLUSTERNAME:-${SCM_CLASSNAME}}"
+
+mkdir -p "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}"
+
+if [ -f "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" ]; then
+	cp -a "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
+else
+	cp -a /etc/spire/controller-manager/default.conf "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
+fi
+
+/bin/spire-controller-manager -config "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config" -expand-env

examples/systemd/system/spire-controller-manager@.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=SPIRE Controller Manager Daemon %i
+PartOf=spire-server.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
+StartLimitIntervalSec=0
+
+[Service]
+WorkingDirectory=/var/lib/spire/controller-manager/%i
+StateDirectory=spire/controller-manager/%i
+RuntimeDirectory=spire/controller-manager/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/controller-manager
+EnvironmentFile=-/etc/spiffe/default-trust-domain.env
+EnvironmentFile=-/etc/spiffe/server/default.env
+EnvironmentFile=-/etc/spire/server/%i.env
+EnvironmentFile=-/etc/spire/server/%i/env
+EnvironmentFile=-/etc/spire/controller-manager/%i.env
+EnvironmentFile=-/etc/spire/server/%i/controller-manager.env
+Environment=SYSTEMD_INSTANCE=%i
+ExecStart=/usr/libexec/spire/controller-manager/start.sh
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+Restart=always
+RestartSec=5s
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-server.target