examples/rpms/Dockerfile

@@ -1,9 +1,7 @@
 ARG STEPVER="0.28.2"
-ARG STEPCAVER="0.28.4"
 
 FROM docker.io/library/almalinux:9 AS rpm-builder
 ARG STEPVER
-ARG STEPCAVER
 
 WORKDIR /tmp
 
@@ -19,8 +17,6 @@ RUN --mount=type=secret,id=gpg \
   dnf install -y which rpmdevtools rpm-build rpm-sign git make && \
   spectool -g -R spire.spec && \
   rpmbuild -ba spire.spec && \
-  spectool -g -R spire-controller-manager.spec && \
-  rpmbuild -ba spire-controller-manager.spec && \
   spectool -g -R spiffe-helper.spec && \
   rpmbuild -ba spiffe-helper.spec && \
   spectool -g -R spiffe-step-ssh.spec && \
@@ -37,10 +33,6 @@ RUN --mount=type=secret,id=gpg \
   rpmbuild -ba spire-agent-nodeattestor-tpmdirect.spec && \
   spectool -g -R spire-server-attestor-tpm.spec && \
   rpmbuild -ba spire-server-attestor-tpm.spec && \
-  spectool -g -R spire-credentialcomposer-cel.spec && \
-  rpmbuild -ba spire-credentialcomposer-cel.spec && \
-  spectool -g -R aws-spiffe-workload-helper.spec && \
-  rpmbuild -ba aws-spiffe-workload-helper.spec && \
   if [ -f /run/secrets/gpg ]; then \
     gpg --import /run/secrets/gpg && \
     gpg --import rpm.pub && \
@@ -51,12 +43,10 @@ RUN --mount=type=secret,id=gpg \
 
 RUN \
   dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-${STEPVER}-1.$(uname -i).rpm && \
-  dnf localinstall -y https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca-${STEPCAVER}-1.$(uname -i).rpm && \
   dnf localinstall -y /root/rpmbuild/RPMS/*/*.rpm
 
 FROM docker.io/library/ubuntu:latest AS deb-builder
 ARG STEPVER
-ARG STEPCAVER
 
 COPY --from=rpm-builder /root/rpmbuild/RPMS /root/rpmbuild/RPMS
 
@@ -73,9 +63,7 @@ RUN \
 
 RUN \
   curl -L -o step-cli.deb https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli_${STEPVER}-1_$(dpkg --print-architecture).deb && \
-  curl -L -o step-ca.deb https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca_${STEPCAVER}-1_$(dpkg --print-architecture).deb && \
   apt-get install -y ./step-cli.deb && \
-  apt-get install -y ./step-ca.deb && \
   apt-get install -y /root/debbuild/*/*.deb
 
 FROM docker.io/library/nginx:latest

examples/rpms/Dockerfile.repos

@@ -1,8 +1,10 @@
-FROM docker.io/library/almalinux:9 AS rpm-builder9
+FROM docker.io/library/almalinux:9 AS rpm-builder
 
 WORKDIR /tmp
+
 COPY RPMS /tmp/packages/RPMS
 COPY DEBS /tmp/packages/DEBS
+
 RUN \
   dnf install -y createrepo_c && \
   mkdir -p /tmp/packages/RPMS/x86_64/el9 && \
@@ -12,35 +14,7 @@ RUN \
   cd /tmp/packages/RPMS/aarch64 && \
   createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el9/ .
 
-FROM docker.io/library/almalinux:10 AS rpm-builder10
-WORKDIR /tmp
-COPY RPMS /tmp/packages/RPMS
-RUN \
-  dnf install -y createrepo_c && \
-  mkdir -p /tmp/packages/RPMS/x86_64/el10 && \
-  mkdir -p /tmp/packages/RPMS/aarch64/el10 && \
-  cd /tmp/packages/RPMS/x86_64 && \
-  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el10/ . && \
-  cd /tmp/packages/RPMS/aarch64 && \
-  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el10/ .
-
-FROM docker.io/library/almalinux:8 AS rpm-builder8
-WORKDIR /tmp
-COPY RPMS /tmp/packages/RPMS
-RUN \
-  dnf install -y createrepo_c && \
-  mkdir -p /tmp/packages/RPMS/x86_64/el8 && \
-  mkdir -p /tmp/packages/RPMS/aarch64/el8 && \
-  cd /tmp/packages/RPMS/x86_64 && \
-  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el8/ . && \
-  cd /tmp/packages/RPMS/aarch64 && \
-  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el8/ .
-
 FROM docker.io/library/nginx:latest
 RUN rm -rf /usr/share/nginx/html/*
-COPY --from=rpm-builder9 /tmp/packages/RPMS /usr/share/nginx/html/RPMS
-COPY --from=rpm-builder9 /tmp/packages/DEBS /usr/share/nginx/html/DEBS
-COPY --from=rpm-builder10 /tmp/packages/RPMS/x86_64/el10 /usr/share/nginx/html/RPMS/x86_64/el10
-COPY --from=rpm-builder10 /tmp/packages/RPMS/aarch64/el10 /usr/share/nginx/html/RPMS/aarch64/el10
-COPY --from=rpm-builder8 /tmp/packages/RPMS/x86_64/el8 /usr/share/nginx/html/RPMS/x86_64/el8
-COPY --from=rpm-builder8 /tmp/packages/RPMS/aarch64/el8 /usr/share/nginx/html/RPMS/aarch64/el8
+COPY --from=rpm-builder /tmp/packages/RPMS /usr/share/nginx/html/RPMS
+COPY --from=rpm-builder /tmp/packages/DEBS /usr/share/nginx/html/DEBS

examples/rpms/aws-spiffe-workload-helper.spec

@@ -1,54 +0,0 @@
-##############################################################################
-#
-# To you, dear reader:
-#
-# If you are a normal user, we recommend not reading further. Its probably not
-# the file your looking for.
-#
-# If you are looking at using this file as a base for your own work, please
-# don't. It is a horrible example. Please look elsewhere.
-#
-# If you are a package maintainer, please read on. We recognize this spec file
-# is blasphemous, a terrible abomination, a crime against nature, and more. We
-# regret needing to produce it, but had to in order to attract enough users to
-# find you. We beseech thee, kind and generous package maintainer, please help
-# us mend our wicked ways by joining us and help us produce proper packaging.
-# You are our only hope.
-#
-##############################################################################
-
-%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
-
-Summary:    AWS SPIFFE Workload Helper
-Name:       aws-spiffe-workload-helper
-Version:    0.0.4
-Release:    1
-Group:      Applications/Internet
-License:    Apache-2.0
-URL:        https://spiffe.io
-Source0:    https://github.com/spiffe/aws-spiffe-workload-helper/releases/download/v%{version}/aws-spiffe-workload-helper_Linux_%{ARCH}.tar.gz
-
-%global __strip /bin/true
-
-%description
-AWS SPIFFE Workload Helper
-
-%global _missing_build_ids_terminate_build 0
-%global debug_package %{nil}
-
-%prep
-
-%setup -c
-
-%build
-
-%install
-mkdir -p "%{buildroot}/usr/bin"
-cp -a aws-spiffe-workload-helper %{buildroot}/usr/bin
-
-%clean
-rm -rf %{buildroot}
-
-%files
-/usr/bin/aws-spiffe-workload-helper
-

examples/rpms/k8s-spiffe-workload-auth-config.spec

@@ -21,8 +21,8 @@
 
 Summary:    Kubernetes SPIFFE Workload Auth Config
 Name:       k8s-spiffe-workload-auth-config
-Version:    0.2.1
-Release:    1
+Version:    0.2.0
+Release:    2
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io

examples/rpms/k8s-spiffe-workload-jwt-exec-auth.spec

@@ -21,7 +21,7 @@
 
 Summary:    K8s SPIFFE Workload JWT Exec Auth Plugin
 Name:       k8s-spiffe-workload-jwt-exec-auth
-Version:    0.0.7
+Version:    0.0.6
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0

examples/rpms/spiffe-step-ssh.spec

@@ -21,8 +21,8 @@
 
 Summary:    SPIFFE Step SSH
 Name:       spiffe-step-ssh
-Version:    0.0.9
-Release:    1
+Version:    0.0.6
+Release:    2
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
@@ -35,13 +35,6 @@ Requires:   spiffe-helper
 %description
 SPIFFE Step SSH
 
-%package -n spiffe-step-ssh-server
-Summary: SPIFFE Step SSH Server
-Requires: step-ca
-Requires: spiffe-helper
-%description -n spiffe-step-ssh-server
-SPIFFE Step SSH Server
-
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}
 
@@ -54,7 +47,6 @@ SPIFFE Step SSH Server
 %install
 cd spiffe-step-ssh-%{version}
 make install DESTDIR="%{buildroot}"
-make install-server DESTDIR="%{buildroot}"
 
 %clean
 rm -rf %{buildroot}
@@ -65,14 +57,3 @@ rm -rf %{buildroot}
 /usr/lib/systemd/system/spiffe-step-ssh@.service
 /usr/lib/systemd/system/spiffe-step-ssh-cleanup.service
 %config(noreplace) /etc/spiffe/step-ssh
-
-%files -n spiffe-step-ssh-server
-/usr/lib/systemd/system/spiffe-step-ssh-server@.service
-/usr/lib/systemd/system/spiffe-step-ssh-fetchca@.service
-/usr/libexec/spiffe/step-ssh-server/main
-/usr/libexec/spiffe/step-ssh-server/ssh_x5c.tpl
-/usr/libexec/spiffe/step-ssh-server/nginx-fetchca.conf
-/usr/libexec/spiffe/step-ssh-server/helper-fetchca.conf
-/usr/sbin/setup-spiffe-step-ssh-server
-/usr/sbin/spiffe-step-ssh-get-cert-authority
-%config(noreplace) /etc/spiffe/step-ssh-server

examples/rpms/spire-agent-nodeattestor-tpmdirect.spec

@@ -21,18 +21,18 @@
 
 Summary:    SPIRE Agent Node Attestor TPM Direct
 Name:       spire-agent-nodeattestor-tpmdirect
-Version:    1.9.0
-Release:    1
+Version:    1.8.7
+Release:    2
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-Source0:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
-Source1:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
+Source0:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
+Source1:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
 
 %global __strip /bin/true
 
 %description
-SPIRE Agent Node Attestor TPM Direct
+K8s SPIFFE Workload JWT Exec Auth Plugin
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}

examples/rpms/spire-controller-manager.spec

@@ -1,74 +0,0 @@
-##############################################################################
-#
-# To you, dear reader:
-#
-# If you are a normal user, we recommend not reading further. Its probably not
-# the file your looking for.
-#
-# If you are looking at using this file as a base for your own work, please
-# don't. It is a horrible example. Please look elsewhere.
-#
-# If you are a package maintainer, please read on. We recognize this spec file
-# is blasphemous, a terrible abomination, a crime against nature, and more. We
-# regret needing to produce it, but had to in order to attract enough users to
-# find you. We beseech thee, kind and generous package maintainer, please help
-# us mend our wicked ways by joining us and help us produce proper packaging.
-# You are our only hope.
-#
-##############################################################################
-
-%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
-
-Summary:    SPIRE Controller Manager
-Name:       spire-controller-manager
-Version:    0.6.2
-Release:    1
-Group:      Applications/Internet
-License:    Apache-2.0
-URL:        https://spiffe.io
-Requires:   spire-common
-#FIXME Switch to binaries once released
-Source0:    https://github.com/spiffe/spire-controller-manager/archive/refs/tags/v%{version}.tar.gz
-Source1:    spire-extras-systemd.tar.gz
-
-%global __strip /bin/true
-
-%description
-SPIRE Controller Manager
-
-%global _missing_build_ids_terminate_build 0
-%global debug_package %{nil}
-
-%prep
-
-%setup
-%setup -T -D -a 1
-
-%build
-curl -L -o go.tar.gz https://go.dev/dl/go1.24.2.linux-%{ARCH}.tar.gz
-tar -xvf go.tar.gz
-export PATH=$PATH:$(pwd)/go/bin
-export CGO_ENABLED=0
-go build -o spire-controller-manager cmd/main.go
-
-%install
-mkdir -p %{buildroot}/usr/bin
-cp spire-controller-manager %{buildroot}/usr/bin
-cd systemd
-make install DESTDIR="%{buildroot}"
-rm -f "%{buildroot}/etc/spiffe/default-trust-domain.env"
-rm -f "%{buildroot}/etc/spire/agent/default".*
-rm -f "%{buildroot}/etc/spire/server/default".*
-rm -f "%{buildroot}/usr/lib/systemd/system/spire-agent"*
-rm -f "%{buildroot}/usr/lib/systemd/system/spire-server"*
-rm -f "%{buildroot}/usr/lib/systemd/system/spire.target"
-rm -f "%{buildroot}/usr/libexec/spire/server/start.sh"
-
-%clean
-rm -rf %{buildroot}
-
-%files
-/usr/lib/systemd/system/spire-controller-manager@.service
-/usr/bin/spire-controller-manager
-/usr/libexec/spire/controller-manager/start.sh
-%config(noreplace) /etc/spire/controller-manager/default.conf

examples/rpms/spire-credentialcomposer-cel.spec

@@ -1,53 +0,0 @@
-##############################################################################
-#
-# To you, dear reader:
-#
-# If you are a normal user, we recommend not reading further. Its probably not
-# the file your looking for.
-#
-# If you are looking at using this file as a base for your own work, please
-# don't. It is a horrible example. Please look elsewhere.
-#
-# If you are a package maintainer, please read on. We recognize this spec file
-# is blasphemous, a terrible abomination, a crime against nature, and more. We
-# regret needing to produce it, but had to in order to attract enough users to
-# find you. We beseech thee, kind and generous package maintainer, please help
-# us mend our wicked ways by joining us and help us produce proper packaging.
-# You are our only hope.
-#
-##############################################################################
-
-%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
-
-Summary:    SPIRE Credential Composer CEL
-Name:       spire-credentialcomposer-cel
-Version:    0.0.2
-Release:    1
-Group:      Applications/Internet
-License:    Apache-2.0
-URL:        https://spiffe.io
-Source0:    https://github.com/spiffe/spire-credentialcomposer-cel/releases/download/v%{version}/spire-credentialcomposer-cel_Linux_%{ARCH}.tar.gz
-
-%global __strip /bin/true
-
-%description
-SPIRE Credential Composer CEL
-
-%global _missing_build_ids_terminate_build 0
-%global debug_package %{nil}
-
-%prep
-
-%setup -c
-
-%build
-
-%install
-mkdir -p "%{buildroot}/usr/libexec/spire/plugins"
-cp -a spire-credentialcomposer-cel %{buildroot}/usr/libexec/spire/plugins/credentialcomposer-cel
-
-%clean
-rm -rf %{buildroot}
-
-%files
-/usr/libexec/spire/plugins/credentialcomposer-cel

examples/rpms/spire-ha-agent.spec

@@ -21,8 +21,8 @@
 
 Summary:    SPIRE HA Agent
 Name:       spire-ha-agent
-Version:    0.0.13
-Release:    1
+Version:    0.0.12
+Release:    2
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io

examples/rpms/spire-server-nodeattestor-tpmdirect.spec

@@ -21,17 +21,17 @@
 
 Summary:    SPIRE Server Node Attestor TPM Direct
 Name:       spire-server-nodeattestor-tpmdirect
-Version:    1.9.0
-Release:    1
+Version:    1.8.7
+Release:    2
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-Source0:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
+Source0:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
 
 %global __strip /bin/true
 
 %description
-SPIRE Server Node Attestor TPM Direct
+K8s SPIFFE Workload JWT Exec Auth Plugin
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}

examples/rpms/spire.spec

@@ -21,8 +21,8 @@
 
 Summary:    SPIRE components
 Name:       spire-common
-Version:    1.12.4
-Release:    1
+Version:    1.12.0
+Release:    2
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
@@ -93,9 +93,6 @@ cp "spire-%{version}"/bin/* "%{buildroot}/bin"
 cp "spire-extras-%{version}"/bin/oidc-discovery-provider "%{buildroot}/bin/spiffe-oidc-discovery-provider"
 cd systemd
 make install DESTDIR="%{buildroot}"
-rm -f "%{buildroot}/etc/spire/controller-manager/default.conf"
-rm -f "%{buildroot}/usr/lib/systemd/system/spire-controller-manager@.service"
-rm -f "%{buildroot}/usr/libexec/spire/controller-manager/start.sh"
 
 %clean
 rm -rf %{buildroot}

examples/systemd/Makefile

@@ -5,12 +5,9 @@ default:
 install:
 	mkdir -p $(DESTDIR)/usr/lib/systemd/system/
 	mkdir -p $(DESTDIR)/usr/libexec/spire/server/
-	mkdir -p $(DESTDIR)/usr/libexec/spire/controller-manager/
 	install scripts/server/start.sh $(DESTDIR)/usr/libexec/spire/server/
-	install scripts/controller-manager/start.sh $(DESTDIR)/usr/libexec/spire/controller-manager/
 	install system/* $(DESTDIR)/usr/lib/systemd/system/
 	([ ! -f $(DESTDIR)/etc/spire/agent/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/default.conf $(DESTDIR)/etc/spire/agent/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spire/server/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.conf $(DESTDIR)/etc/spire/server/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spire/server/default.env ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.env $(DESTDIR)/etc/spire/server/default.env) || true
-	([ ! -f $(DESTDIR)/etc/spire/controller-manager/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/controller-manager && install conf/controller-manager/default.conf $(DESTDIR)/etc/spire/controller-manager/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spiffe/default-trust-domain.env ] && mkdir -p $(DESTDIR)/etc/spiffe && install conf/spiffe/default-trust-domain.env $(DESTDIR)/etc/spiffe/default-trust-domain.env) || true

examples/systemd/conf/controller-manager/default.conf

@@ -1,16 +0,0 @@
-apiVersion: spire.spiffe.io/v1alpha1
-kind: ControllerManagerConfig
-metadata:
-  name: config
-metrics:
-  bindAddress: 0.0.0.0:9123
-health:
-  healthProbeBindAddress: 0.0.0.0:9124
-trustDomain: "${SPIFFE_TRUST_DOMAIN}"
-entryIDPrefix: "scm-${INSTANCE}"
-clusterName: "scm-${INSTANCE}"
-clusterDomain: local
-watchClassless: true
-spireServerSocketPath: "/var/run/spire/server/sockets/${SYSTEMD_INSTANCE}/private/api.sock"
-staticManifestPath: "/etc/spire/server/${SYSTEMD_INSTANCE}/manifests"
-logLevel: info

examples/systemd/scripts/controller-manager/start.sh

@@ -1,17 +0,0 @@
-#!/bin/bash
-
-# Set default variables
-export INSTANCE="${INSTANCE:-${SYSTEMD_INSTANCE}}"
-export SCM_CLASSNAME="${SCM_CLASSNAME:-scm-${SYSTEMD_INSTANCE}}"
-export SCM_ENTRYID_PREFIX="${SCM_ENTRYID_PREFIX:-${SCM_CLASSNAME}}"
-export SCM_CLUSTERNAME="${SCM_CLUSTERNAME:-${SCM_CLASSNAME}}"
-
-mkdir -p "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}"
-
-if [ -f "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" ]; then
-	cp -a "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
-else
-	cp -a /etc/spire/controller-manager/default.conf "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
-fi
-
-/bin/spire-controller-manager -config "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config" -expand-env

examples/systemd/system/spire-controller-manager@.service

@@ -1,47 +0,0 @@
-[Unit]
-Description=SPIRE Controller Manager Daemon %i
-PartOf=spire-server.target
-After=network-online.target local-fs.target time-sync.target
-Before=remote-fs-pre.target
-Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
-StartLimitIntervalSec=0
-
-[Service]
-WorkingDirectory=/var/lib/spire/controller-manager/%i
-StateDirectory=spire/controller-manager/%i
-RuntimeDirectory=spire/controller-manager/sockets/%i
-RuntimeDirectoryPreserve=true
-ConfigurationDirectory=spire/controller-manager
-EnvironmentFile=-/etc/spiffe/default-trust-domain.env
-EnvironmentFile=-/etc/spiffe/server/default.env
-EnvironmentFile=-/etc/spire/server/%i.env
-EnvironmentFile=-/etc/spire/server/%i/env
-EnvironmentFile=-/etc/spire/controller-manager/%i.env
-EnvironmentFile=-/etc/spire/server/%i/controller-manager.env
-Environment=SYSTEMD_INSTANCE=%i
-ExecStart=/usr/libexec/spire/controller-manager/start.sh
-# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=false
-# Needed by plugins
-PrivateTmp=false
-ProtectControlGroups=true
-ProtectHome=true
-ProtectHostname=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectSystem=strict
-ReadOnlyPaths=/
-Restart=always
-RestartSec=5s
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
-RestrictNamespaces=true
-RestrictRealtime=yes
-RestrictSUIDSGID=yes
-TasksMax=infinity
-
-[Install]
-WantedBy=spire-server.target