feat(fleet): systemd unit + bus signal for fleet reconciler

Two pieces, one PR because they share a deployment surface: 1. systemd. decnet-reconciler.service.j2 mirrors the orchestrator unit shape (docker group, hardened sandbox, append-logs). Read-only /var/lib/decnet so it can read decnet-state.json without write access. Auto-discovered by `decnet init` via the existing decnet-*.service.j2 glob — no init.py change needed. Added to decnet.target so `systemctl start decnet.target` brings it up alongside collector / sniffer / mutator / etc. Also added to the agent reaper script so self-destruct cleans it up on workers. 2. Bus signal. reconcile_once now publishes `decky.<host_uuid:name>.state` on every insert / delete / state-changed transition. Reuses the existing DECKY_STATE topic family (no bus/topics.py change → no wiki update needed per the bus-signals doc rule). Composite host_uuid:name segment keeps fleet rows distinguishable from MazeNET TopologyDecky rows whose ids are bare UUIDs. Quiet ticks publish nothing — convergence means silence. Bus is plumbed through the worker, defaults to None for unit-test callers. publish_safely keeps the source-of-truth contract: DB write is authoritative, the publish is best-effort notification. Captures previous_state into a local before update_fleet_decky_state runs — a fake repo that mutates rows in-place would otherwise see the post-update state and report previous == current. Real repos don't have this concern but the fix is cheap and makes the function less order-dependent.
2026-04-26 21:21:36 -04:00
parent a8441481b5
commit 430262e01a
6 changed files with 212 additions and 5 deletions
--- a/deploy/decnet-reconciler.service.j2
+++ b/deploy/decnet-reconciler.service.j2
@@ -0,0 +1,47 @@
+[Unit]
+Description=DECNET Fleet Reconciler (converges decnet-state.json ↔ fleet_deckies DB ↔ docker)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#reconciler
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User={{ user }}
+Group={{ group }}
+WorkingDirectory={{ install_dir }}
+EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.reconciler.log
+ExecStart={{ venv_dir }}/bin/decnet reconcile
+StandardOutput=append:/var/log/decnet/decnet.reconciler.log
+StandardError=append:/var/log/decnet/decnet.reconciler.log
+
+# The reconciler queries the docker daemon (via `docker.from_env()`) to
+# observe per-container state.  Membership in the docker group lets it
+# read /var/run/docker.sock without root.  It does NOT exec into
+# containers, bind to the network, or spawn new containers.
+SupplementaryGroups=docker
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+# Read-only access to /var/lib/decnet so we can read decnet-state.json.
+# Read-write access only to install_dir + log dir.
+ReadOnlyPaths=/var/lib/decnet
+ReadWritePaths={{ install_dir }} /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet.target
+++ b/deploy/decnet.target
@@ -13,6 +13,7 @@ Wants=decnet-bus.service \
      decnet-sniffer.service \
      decnet-prober.service \
      decnet-mutator.service \
+      decnet-reconciler.service \
      decnet-reuse-correlator.service \
      decnet-enrich.service \
      decnet-clusterer.service \