merge: testing → main (reconcile 2-week divergence)

decnet/web/templates/decnet-agent.service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=DECNET worker agent (mTLS control plane) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/decnet
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.agent.log
+ExecStart=/usr/local/bin/decnet agent --no-forwarder
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.agent.log
+StandardError=append:/var/log/decnet/decnet.agent.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-collector.service.j2

@@ -0,0 +1,20 @@
+[Unit]
+Description=DECNET container log collector — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target decnet-agent.service
+Wants=network-online.target
+PartOf=decnet-agent.service
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/decnet
+Environment=DECNET_MODE=agent
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.collector.log
+ExecStart=/usr/local/bin/decnet collect --log-file /var/log/decnet/decnet.log
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.collector.log
+StandardError=append:/var/log/decnet/decnet.collector.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-engine.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=DECNET deckie orchestrator (decnet deploy) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target decnet-agent.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+WorkingDirectory=/opt/decnet
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.log
+ExecStart=/usr/local/bin/decnet deploy
+StandardOutput=append:/var/log/decnet/decnet.log
+StandardError=append:/var/log/decnet/decnet.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-forwarder.service.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=DECNET log forwarder (syslog-over-TLS → master) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target
+Wants=network-online.target
+PartOf=decnet-agent.service
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/decnet
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.forwarder.log
+ExecStart=/usr/local/bin/decnet forwarder --master-host {{ master_host }} --master-port 6514 --agent-dir /etc/decnet/agent --log-file /var/log/decnet/decnet.log
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.forwarder.log
+StandardError=append:/var/log/decnet/decnet.forwarder.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-prober.service.j2

@@ -0,0 +1,20 @@
+[Unit]
+Description=DECNET attacker prober (JARM/HASSH/TCP fingerprint) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target decnet-agent.service
+Wants=network-online.target
+PartOf=decnet-agent.service
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/decnet
+Environment=DECNET_MODE=agent
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.prober.log
+ExecStart=/usr/local/bin/decnet probe --log-file /var/log/decnet/decnet.log --interval 300
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.prober.log
+StandardError=append:/var/log/decnet/decnet.prober.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-sniffer.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=DECNET network sniffer — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target decnet-agent.service
+Wants=network-online.target
+PartOf=decnet-agent.service
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/decnet
+Environment=DECNET_MODE=agent
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.sniffer.log
+# scapy needs raw sockets; forwarder already runs with these caps, so we
+# mirror the same ambient set here.
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+ExecStart=/usr/local/bin/decnet sniffer --log-file /var/log/decnet/decnet.log
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.sniffer.log
+StandardError=append:/var/log/decnet/decnet.sniffer.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-updater.service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=DECNET self-updater (accepts tarball pushes from master) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/decnet
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.updater.log
+ExecStart=/usr/local/bin/decnet updater --updater-dir /etc/decnet/updater --install-dir /opt/decnet --agent-dir /etc/decnet/agent
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.updater.log
+StandardError=append:/var/log/decnet/decnet.updater.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/enroll_bootstrap.sh.j2

@@ -0,0 +1,86 @@
+#!/usr/bin/env bash
+# DECNET bootstrap installer for agent {{ agent_name }} -> master {{ master_host }}.
+# Fetches the code+certs payload, installs, and starts the agent daemon.
+# Generated by the master at {{ generated_at }}. Expires {{ expires_at }}.
+set -euo pipefail
+
+[[ $EUID -eq 0 ]] || { echo "decnet-install: must run as root (use sudo)"; exit 1; }
+for bin in python3 curl tar systemctl; do
+  command -v "$bin" >/dev/null || { echo "decnet-install: $bin required"; exit 1; }
+done
+
+WORK="$(mktemp -d)"
+trap 'rm -rf "$WORK"' EXIT
+
+echo "[DECNET] fetching payload..."
+curl -fsSL "{{ tarball_url }}" | tar -xz -C "$WORK"
+
+INSTALL_DIR=/opt/decnet
+RELEASE_DIR="$INSTALL_DIR/releases/active"
+VENV_DIR="$INSTALL_DIR/venv"
+# Mirror the updater's layout from day one so `decnet updater` can rotate
+# releases/active in-place and the shared venv is the thing on PATH.
+mkdir -p "$RELEASE_DIR"
+cp -a "$WORK/." "$RELEASE_DIR/"
+ln -sfn "$RELEASE_DIR" "$INSTALL_DIR/current"
+cd "$RELEASE_DIR"
+
+echo "[DECNET] building shared venv at $VENV_DIR..."
+python3 -m venv "$VENV_DIR"
+"$VENV_DIR/bin/pip" install -q --upgrade pip
+"$VENV_DIR/bin/pip" install -q "$RELEASE_DIR"
+
+install -Dm0644 etc/decnet/decnet.ini /etc/decnet/decnet.ini
+[[ -f services.ini ]] && install -Dm0644 services.ini /etc/decnet/services.ini
+
+# Log directory the baked-in INI points at — must exist before `decnet` imports config.
+install -d -m0755 /var/log/decnet
+
+# Certs live under /etc/decnet/ (root-owned, 0600 keys) — this is a root
+# daemon's data, not a user's. The baked INI's `agent-dir`/`updater-dir`
+# point at these paths.
+for f in ca.crt worker.crt worker.key; do
+  install -Dm0600 -o root -g root \
+    "home/.decnet/agent/$f" "/etc/decnet/agent/$f"
+done
+chmod 0755 /etc/decnet/agent
+
+WITH_UPDATER="{{ with_updater }}"
+if [[ "$WITH_UPDATER" == "true" && -d home/.decnet/updater ]]; then
+  for f in ca.crt updater.crt updater.key; do
+    install -Dm0600 -o root -g root \
+      "home/.decnet/updater/$f" "/etc/decnet/updater/$f"
+  done
+  chmod 0755 /etc/decnet/updater
+fi
+
+# Guarantee the pip-installed entrypoint is executable (some setuptools+editable
+# combos drop it with mode 0644) and expose it on PATH.
+chmod 0755 "$VENV_DIR/bin/decnet"
+ln -sf "$VENV_DIR/bin/decnet" /usr/local/bin/decnet
+
+echo "[DECNET] installing systemd units..."
+for unit in \
+  decnet-agent decnet-forwarder decnet-engine \
+  decnet-collector decnet-prober decnet-sniffer; do
+  install -Dm0644 "etc/systemd/system/${unit}.service" "/etc/systemd/system/${unit}.service"
+done
+if [[ "$WITH_UPDATER" == "true" ]]; then
+  install -Dm0644 etc/systemd/system/decnet-updater.service /etc/systemd/system/decnet-updater.service
+fi
+systemctl daemon-reload
+
+# Agent + forwarder are the control plane; collector/prober/profiler/sniffer
+# are the per-host microservices that used to require `decnet deploy` to
+# auto-spawn. With systemd units they come up at boot and auto-restart.
+ACTIVE_UNITS=(
+  decnet-agent.service decnet-forwarder.service
+  decnet-collector.service decnet-prober.service
+  decnet-sniffer.service
+)
+if [[ "$WITH_UPDATER" == "true" ]]; then
+  ACTIVE_UNITS+=(decnet-updater.service)
+fi
+systemctl enable --now "${ACTIVE_UNITS[@]}"
+
+echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Units: ${ACTIVE_UNITS[*]} active."