diff --git a/systemd/spire-ha-agent@.service b/systemd/spire-ha-agent@.service
new file mode 100644
index 0000000..1c15cc5
--- /dev/null
+++ b/systemd/spire-ha-agent@.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=SPIRE HA Agent Daemon %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+StartLimitIntervalSec=0
+
+[Service]
+WorkingDirectory=/var/lib/spire/agent/%i
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/agent
+ExecStart=/bin/spire-ha-agent
+ExecStartPre=mkdir -p /var/lib/spire/agent/%i /var/run/spire/agent/sockets/%i/public
+ExecStartPre=rm -f /var/run/spire/agent/sockets/main/public/api.sock
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /run/spire/agent
+Restart=always
+RestartSec=5s
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target
diff --git a/systemd/spire-socat@.service b/systemd/spire-socat@.service
new file mode 100644
index 0000000..b2438cc
--- /dev/null
+++ b/systemd/spire-socat@.service
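Review bot: The second ExecStartPre hard-codes the instance name, `rm -f /var/run/spire/agent/sockets/main/public/api.sock`, so starting any instance other than `main` deletes the live Workload API socket of the `main` agent instead of its own stale one; it should be `ExecStartPre=rm -f /var/run/spire/agent/sockets/%i/public/api.sock`. The preceding `mkdir -p` duplicates what `StateDirectory=` and `RuntimeDirectory=` already create (and `RuntimeDirectoryPreserve=true` keeps the sockets directory across restarts), and both ExecStartPre commands use bare `mkdir`/`rm`, which systemd only resolves through $PATH since v239, so `/usr/bin/mkdir` and `/usr/bin/rm` are safer if older targets matter. `ReadWritePaths=` here spells the runtime path `/run/spire/agent` while the socat unit uses `/var/run/spire/agent`; use one spelling in both units so the sandbox rules are obviously equivalent. The `# Needed by plugins` comment sits above `PrivateTmp=true` but presumably explains `PrivateDevices=false`; move it up to that line, and since the unit sets no `User=` the agent runs as root, which is likely required by workload attestors but deserves a one-line comment saying so.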
@@ -0,0 +1,43 @@
+
+[Unit]
+Description=SPIRE socat %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+StartLimitIntervalSec=0
+
+[Service]
+WorkingDirectory=/tmp
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/socat
+EnvironmentFile=-/etc/spire/socat/%i.conf
+ExecStart=socat UNIX-LISTEN:/var/run/spire/agent/sockets/%i/public/api.sock,fork VSOCK-CONNECT:2:${SPIRE_SOCAT_PORT}
+ExecStartPre=mkdir -p /var/run/spire/agent/sockets/%i/public
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /var/run/spire/agent
+Restart=always
+RestartSec=5s
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_VSOCK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target
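Review bot: The UNIX-LISTEN address in the ExecStart line sets neither `mode=` nor `unlink-early`, so the permissions of the Workload API socket fall out of the service's umask, and a socket file left behind by a killed socat (the unit has Restart=always but, unlike the agent unit, no `rm -f` in ExecStartPre) can make the next start fail with the path already in use. Decide who is allowed to reach this socket and pin it explicitly, e.g. `UNIX-LISTEN:/var/run/spire/agent/sockets/%i/public/api.sock,fork,unlink-early,mode=0777`, which matches SPIRE's own world-accessible default, or `user=`/`group=` with a narrower mode if only a specific set of workloads should connect. Separately, `EnvironmentFile=-` makes the config file optional while `${SPIRE_SOCAT_PORT}` has no default, so a missing /etc/spire/socat/%i.conf produces `VSOCK-CONNECT:2:` and an endless 5-second restart loop because StartLimitIntervalSec=0; drop the leading `-` or add `ConditionPathExists=/etc/spire/socat/%i.conf`. The `# Needed by plugins` comment appears to be copied from the agent unit and does not apply to socat; remove it or reword it to explain why `PrivateDevices=false` is needed here.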