Add reference systemd units
kfox1111 committed Nov 16, 2024
1 parent fb77a54 commit f1b4001
Showing 2 changed files with 85 additions and 0 deletions.
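--- /dev/null
+++ b/systemd/spire-ha-agent@.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=SPIRE HA Agent Daemon %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+StartLimitIntervalSec=0
+
+[Service]
+WorkingDirectory=/var/lib/spire/agent/%i
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/agent
+ExecStart=/bin/spire-ha-agent
+ExecStartPre=mkdir -p /var/lib/spire/agent/%i /var/run/spire/agent/sockets/%i/public
+ExecStartPre=rm -f /var/run/spire/agent/sockets/main/public/api.sock
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /run/spire/agent
+Restart=always
+RestartSec=5s
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target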
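Review bot: The second `ExecStartPre=` line hard-codes the `main` instance, `rm -f /var/run/spire/agent/sockets/main/public/api.sock`, so starting any other instance deletes main's live API socket while leaving its own stale socket in place; it should be scoped to the starting instance, `ExecStartPre=rm -f /var/run/spire/agent/sockets/%i/public/api.sock`. The `# Needed by plugins` comment sits above `PrivateTmp=true` but presumably explains `PrivateDevices=false` on the line before it — moving it up one line would make the exception it justifies unambiguous. The unit sets no `User=`, so the agent runs as root despite the sandboxing directives; if root is required (for example for workload attestation), a one-line comment saying so would stop a later reviewer from "fixing" it. `ReadWritePaths=/var/lib/spire/agent` also lets every instance write every sibling instance's state; `ReadWritePaths=/var/lib/spire/agent/%i /run/spire/agent/sockets/%i` would confine each instance to the directories `StateDirectory=` and `RuntimeDirectory=` already create for it.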
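--- /dev/null
+++ b/systemd/spire-socat@.service
@@ -0,0 +1,43 @@
+
+[Unit]
+Description=SPIRE socat %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+StartLimitIntervalSec=0
+
+[Service]
+WorkingDirectory=/tmp
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/socat
+EnvironmentFile=-/etc/spire/socat/%i.conf
+ExecStart=socat UNIX-LISTEN:/var/run/spire/agent/sockets/%i/public/api.sock,fork VSOCK-CONNECT:2:${SPIRE_SOCAT_PORT}
+ExecStartPre=mkdir -p /var/run/spire/agent/sockets/%i/public
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /var/run/spire/agent
+Restart=always
+RestartSec=5s
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target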
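Review bot: `EnvironmentFile=-/etc/spire/socat/%i.conf` tolerates a missing file, but `ExecStart=` then expands `${SPIRE_SOCAT_PORT}` to nothing and socat is launched with `VSOCK-CONNECT:2:`, which should fail at startup; with `Restart=always` and `StartLimitIntervalSec=0` that turns into an unbounded restart loop instead of a clear error. Dropping the leading `-` (`EnvironmentFile=/etc/spire/socat/%i.conf`) makes a missing config a hard failure, and a comment above it, `# must define SPIRE_SOCAT_PORT: vsock port of the agent on CID 2 (the host)`, would document the contract the unit depends on. The `UNIX-LISTEN:` address sets no `mode=`/`user=`/`group=` option, so who may connect to the proxied socket is left to socat's defaults and the service umask; since this socket stands in for the agent's API socket, the intended permissions should be stated explicitly on that address. `# Needed by plugins` and `PrivateDevices=false` look copied from the agent unit — socat has no plugins — so either justify the device access in the comment or set `PrivateDevices=true`; the leading blank line at the top of the file is also worth dropping.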
