spiffe · amartinezfayo · Jul 17, 2024 · Apr 7, 2024 · Apr 7, 2024 · Apr 9, 2024
diff --git a/examples/systemd/Makefile b/examples/systemd/Makefile
@@ -0,0 +1,9 @@
+default:
+	@echo Targets:
+	@echo "  install"
+
+install:
+	mkdir -p $(DESTDIR)/usr/lib/systemd/system/
+	install system/* $(DESTDIR)/usr/lib/systemd/system/
+	([ ! -f $(DESTDIR)/etc/spire/agent/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/main.conf $(DESTDIR)/etc/spire/agent/main.conf) || true
+	([ ! -f $(DESTDIR)/etc/spire/server/main.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/main.conf $(DESTDIR)/etc/spire/server/main.conf) || true
diff --git a/examples/systemd/README.md b/examples/systemd/README.md
@@ -0,0 +1,46 @@
+To install, download the newest spire-server and spire-agent binaries from the SPIRE website and place in /bin
+
+Run:
+```
+make install
+```
+
+Edit /etc/spire/server/main.conf and update with settings as needed.
+
+Enable the main server:
+
+```
+systemctl enable spire-server@main
+```
+
+Start the main server:
+
+```
+systemctl start spire-server@main
+```
+
+
+# Create a join token
+```
+spire-server token generate -spiffeID spiffe://example.org/changeme -socketPath /run/spire/server/sockets/main/private/api.sock
+```
+
+Edit /etc/spire/agent/main.conf and update with settings as needed, in particular the join token.
+
+Enable the main agent:
+
+```
+systemctl enable spire-agent@main
+```
+
+Start the main agent:
+
+```
+systemctl start spire-agent@main
+```
+
+
+# Show Entries from the main server
+```
+spire-server entry show -socketPath /run/spire/server/sockets/main/private/api.sock
+```
diff --git a/examples/systemd/conf/agent/main.conf b/examples/systemd/conf/agent/main.conf
@@ -0,0 +1,28 @@
+agent {
+    log_level = "DEBUG"
+    trust_domain = "example.org"
+    server_address = "localhost"
+    server_port = 8081
+
+    # Insecure bootstrap is NOT appropriate for production use but is ok for
+    # simple testing/evaluation purposes.
+    insecure_bootstrap = true
+
+    join_token = "cdf1885a-1db8-4a83-aa16-ad8c84761fa8"
+}
+
+plugins {
+   KeyManager "disk" {
+        plugin_data {
+            directory = "./"
+        }
+    }
+
+    NodeAttestor "join_token" {
+        plugin_data {}
+    }
+
+    WorkloadAttestor "systemd" {
+        plugin_data {}
+    }
+}
diff --git a/examples/systemd/conf/server/main.conf b/examples/systemd/conf/server/main.conf
@@ -0,0 +1,27 @@
+server {
+    bind_address = "127.0.0.1"
+    bind_port = "8081"
+    trust_domain = "example.org"
+    log_level = "DEBUG"
+    ca_ttl = "168h"
+    default_x509_svid_ttl = "48h"
+}
+
+plugins {
+    DataStore "sql" {
+        plugin_data {
+            database_type = "sqlite3"
+            connection_string = "./datastore.sqlite3"
+        }
+    }
+
+    KeyManager "disk" {
+        plugin_data {
+            keys_path = "./keys.json"
+        }
+    }
+
+    NodeAttestor "join_token" {
+        plugin_data {}
+    }
+}
diff --git a/examples/systemd/system/spire-agent.target b/examples/systemd/system/spire-agent.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=SPIRE Agent target allowing to start/stop all spire-agent@.service instances at once
+PartOf=spire.target
+Before=spire.target
+Wants=spire.target
+
+[Install]
+WantedBy=multi-user.target spire.target
diff --git a/examples/systemd/system/spire-agent@.service b/examples/systemd/system/spire-agent@.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=SPIRE Agent Daemon %i
+PartOf=spire-agent.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target spire-agent.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-agent.target
+
+[Service]
+WorkingDirectory=/var/lib/spire/agent/%i
+StateDirectory=spire/agent/%i
+RuntimeDirectory=spire/agent/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/agent
+ExecStart=/bin/spire-agent run -config /etc/spire/agent/%i.conf -dataDir /var/lib/spire/agent/%i -socketPath /run/spire/agent/sockets/%i/public/api.sock -expandEnv
+ExecStartPre=mkdir -p /var/lib/spire/agent/%i /run/spire/agent/%i/public
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/agent /run/spire/agent
+Restart=on-failure
+RestartSec=15
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+StartLimitBurst=3
+StartLimitInterval=30min
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-agent.target
diff --git a/examples/systemd/system/spire-server.target b/examples/systemd/system/spire-server.target
@@ -0,0 +1,8 @@
+[Unit]
+Description=SPIRE Server target allowing to start/stop all spire-server@.service instances at once
+PartOf=spire.target
+Before=spire.target
+Wants=spire.target
+
+[Install]
+WantedBy=multi-user.target spire.target
diff --git a/examples/systemd/system/spire-server@.service b/examples/systemd/system/spire-server@.service
@@ -0,0 +1,43 @@
+[Unit]
+Description=SPIRE Server Daemon %i
+PartOf=spire-server.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target spire-server.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
+
+[Service]
+WorkingDirectory=/var/lib/spire/server/%i
+StateDirectory=spire/server/%i
+RuntimeDirectory=spire/server/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/server
+ExecStart=/bin/spire-server run -config /etc/spire/server/%i.conf -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
+ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+ReadWritePaths=/var/lib/spire/server /run/spire/server
+Restart=on-failure
+RestartSec=15
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+StartLimitBurst=3
+StartLimitInterval=30min
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-server.target
diff --git a/examples/systemd/system/spire.target b/examples/systemd/system/spire.target
@@ -0,0 +1,5 @@
+[Unit]
+Description=SPIRE target allowing to start/stop all spire*@.service instances at once
+
+[Install]
+WantedBy=multi-user.target