From 08436433ef951716c359e86d4f37e4ea9a7a0068 Mon Sep 17 00:00:00 2001
From: anti <samuel@securejump.cl>
Date: Fri, 24 Apr 2026 01:03:58 -0400
Subject: [PATCH] fix(deploy): relocate StandardOutput/StandardError below
 multi-line ExecStart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Four templates use backslash line-continuation on ExecStart
(decnet-bus, decnet-forwarder, decnet-listener, decnet-updater). My
earlier sed inserted StandardOutput= and StandardError= right after
the first ExecStart= line, which split the command and systemd fed
those two lines back to the binary as extra positional arguments —
the bus in particular crashed with:

  Got unexpected extra argument
  (StandardOutput=append:/var/log/decnet/decnet.bus.log)

Walk the ExecStart block (follow \-continuation lines) and insert
the two Standard* directives AFTER the last continuation line. The
nine single-line ExecStart templates are unaffected in shape but
re-written through the same path to keep the whole set uniform.
---
 deploy/decnet-bus.service.j2       | 4 ++--
 deploy/decnet-forwarder.service.j2 | 4 ++--
 deploy/decnet-listener.service.j2  | 4 ++--
 deploy/decnet-updater.service.j2   | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/deploy/decnet-bus.service.j2 b/deploy/decnet-bus.service.j2
index 266b0824..058056d0 100644
--- a/deploy/decnet-bus.service.j2
+++ b/deploy/decnet-bus.service.j2
@@ -18,10 +18,10 @@ RuntimeDirectory=decnet
 RuntimeDirectoryMode=0755
 Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.bus.log
 ExecStart={{ venv_dir }}/bin/decnet bus \
-StandardOutput=append:/var/log/decnet/decnet.bus.log
-StandardError=append:/var/log/decnet/decnet.bus.log
     --socket /run/decnet/bus.sock \
     --group decnet
+StandardOutput=append:/var/log/decnet/decnet.bus.log
+StandardError=append:/var/log/decnet/decnet.bus.log
 
 # No privileged network operations — UNIX-domain socket only.
 CapabilityBoundingSet=
diff --git a/deploy/decnet-forwarder.service.j2 b/deploy/decnet-forwarder.service.j2
index 1872dc29..79ffbc94 100644
--- a/deploy/decnet-forwarder.service.j2
+++ b/deploy/decnet-forwarder.service.j2
@@ -17,12 +17,12 @@ EnvironmentFile=-{{ install_dir }}/.env.local
 # worker identity when it connects to the master's listener.
 Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.forwarder.log
 ExecStart={{ venv_dir }}/bin/decnet forwarder \
-StandardOutput=append:/var/log/decnet/decnet.forwarder.log
-StandardError=append:/var/log/decnet/decnet.forwarder.log
     --log-file /var/log/decnet/decnet.log \
     --master-host ${DECNET_SWARM_MASTER_HOST} \
     --master-port 6514 \
     --agent-dir /etc/decnet/agent
+StandardOutput=append:/var/log/decnet/decnet.forwarder.log
+StandardError=append:/var/log/decnet/decnet.forwarder.log
 
 # TLS client connection; no special capabilities.
 CapabilityBoundingSet=
diff --git a/deploy/decnet-listener.service.j2 b/deploy/decnet-listener.service.j2
index 938b3457..b9704001 100644
--- a/deploy/decnet-listener.service.j2
+++ b/deploy/decnet-listener.service.j2
@@ -14,12 +14,12 @@ EnvironmentFile=-{{ install_dir }}/.env.local
 # privileged port (≥1024), so no CAP_NET_BIND_SERVICE is required.
 Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.listener.log
 ExecStart={{ venv_dir }}/bin/decnet listener \
-StandardOutput=append:/var/log/decnet/decnet.listener.log
-StandardError=append:/var/log/decnet/decnet.listener.log
     --host 0.0.0.0 --port 6514 \
     --ca-dir /etc/decnet/ca \
     --log-path /var/log/decnet/master.log \
     --json-path /var/log/decnet/master.json
+StandardOutput=append:/var/log/decnet/decnet.listener.log
+StandardError=append:/var/log/decnet/decnet.listener.log
 
 # Pure TLS server; no privileged network operations.
 CapabilityBoundingSet=
diff --git a/deploy/decnet-updater.service.j2 b/deploy/decnet-updater.service.j2
index 577bb74d..256797bf 100644
--- a/deploy/decnet-updater.service.j2
+++ b/deploy/decnet-updater.service.j2
@@ -14,12 +14,12 @@ WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
 Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.updater.log
 ExecStart={{ venv_dir }}/bin/decnet updater \
-StandardOutput=append:/var/log/decnet/decnet.updater.log
-StandardError=append:/var/log/decnet/decnet.updater.log
     --host 0.0.0.0 --port 8766 \
     --updater-dir /etc/decnet/updater \
     --install-dir {{ install_dir }} \
     --agent-dir /etc/decnet/agent
+StandardOutput=append:/var/log/decnet/decnet.updater.log
+StandardError=append:/var/log/decnet/decnet.updater.log
 
 # The updater SIGTERMs the agent and spawns a new one. Same User=decnet means
 # signalling is allowed without CAP_KILL. It does not need NET_ADMIN/NET_RAW