merge: testing → main (reconcile 2-week divergence)

2026-04-28 18:36:00 -04:00
parent 499836c9e4
commit 862e4dbb31
1235 changed files with 160255 additions and 7996 deletions
--- a/deploy/decnet-webhook.service.j2
+++ b/deploy/decnet-webhook.service.j2
@@ -0,0 +1,38 @@
+[Unit]
+Description=DECNET Webhook Dispatcher (external SIEM/SOAR egress)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#webhook
+After=network-online.target decnet-bus.service decnet-api.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User={{ user }}
+Group={{ group }}
+WorkingDirectory={{ install_dir }}
+EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.webhook.log
+ExecStart={{ venv_dir }}/bin/decnet webhook
+StandardOutput=append:/var/log/decnet/decnet.webhook.log
+StandardError=append:/var/log/decnet/decnet.webhook.log
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths={{ install_dir }} /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target