feat(enroll): systemd units for agent/forwarder/engine + log-directory INI key

Rename log-file-path -> log-directory (maps to DECNET_LOG_DIRECTORY). Bundle
now ships three systemd units rendered with agent_name/master_host and installs
them into /etc/systemd/system/. Bootstrap replaces direct 'decnet X --daemon'
calls with systemctl enable --now. Each unit pins DECNET_SYSTEM_LOGS so agent,
forwarder, and deckies logs land at decnet.{agent,forwarder}.log and decnet.log
under /var/log/decnet.

decnet/web/router/swarm_mgmt/api_enroll_bundle.py

@@ -172,7 +172,7 @@ def _render_decnet_ini(master_host: str) -> bytes:
         "[decnet]\n"
         "mode = agent\n"
         "disallow-master = true\n"
-        "log-file-path = /var/log/decnet/decnet.log\n"
+        "log-directory = /var/log/decnet\n"
         "\n"
         "[agent]\n"
         f"master-host = {master_host}\n"
@@ -193,6 +193,7 @@ def _add_bytes(tar: tarfile.TarFile, name: str, data: bytes, mode: int = 0o644)
 
 def _build_tarball(
     master_host: str,
+    agent_name: str,
     issued: pki.IssuedCert,
     services_ini: Optional[str],
     updater_issued: Optional[pki.IssuedCert] = None,
@@ -216,6 +217,12 @@ def _build_tarball(
             tar.add(path, arcname=rel, recursive=False)
 
         _add_bytes(tar, "etc/decnet/decnet.ini", _render_decnet_ini(master_host))
+        for unit in _SYSTEMD_UNITS:
+            _add_bytes(
+                tar,
+                f"etc/systemd/system/{unit}.service",
+                _render_systemd_unit(unit, agent_name, master_host),
+            )
         _add_bytes(tar, "home/.decnet/agent/ca.crt", issued.ca_cert_pem)
         _add_bytes(tar, "home/.decnet/agent/worker.crt", issued.cert_pem)
         _add_bytes(tar, "home/.decnet/agent/worker.key", issued.key_pem, mode=0o600)
@@ -231,6 +238,18 @@ def _build_tarball(
     return buf.getvalue()
 
 
+_SYSTEMD_UNITS = ("decnet-agent", "decnet-forwarder", "decnet-engine")
+
+
+def _render_systemd_unit(name: str, agent_name: str, master_host: str) -> bytes:
+    tpl_path = pathlib.Path(__file__).resolve().parents[1].parent / "templates" / f"{name}.service.j2"
+    tpl = tpl_path.read_text()
+    return (
+        tpl.replace("{{ agent_name }}", agent_name)
+           .replace("{{ master_host }}", master_host)
+    ).encode()
+
+
 def _render_bootstrap(
     agent_name: str,
     master_host: str,
@@ -314,7 +333,7 @@ async def create_enroll_bundle(
     )
 
     # 3. Render payload + bootstrap.
-    tarball = _build_tarball(req.master_host, issued, req.services_ini, updater_issued)
+    tarball = _build_tarball(req.master_host, req.agent_name, issued, req.services_ini, updater_issued)
     token = secrets.token_urlsafe(24)
     expires_at = datetime.now(timezone.utc) + BUNDLE_TTL
 

decnet/web/templates/decnet-agent.service.j2

@@ -0,0 +1,17 @@
+[Unit]
+Description=DECNET worker agent (mTLS control plane) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.agent.log
+ExecStart=/usr/local/bin/decnet agent --no-forwarder
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.agent.log
+StandardError=append:/var/log/decnet/decnet.agent.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-engine.service.j2

@@ -0,0 +1,16 @@
+[Unit]
+Description=DECNET deckie orchestrator (decnet deploy) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target decnet-agent.service
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.log
+ExecStart=/usr/local/bin/decnet deploy
+StandardOutput=append:/var/log/decnet/decnet.log
+StandardError=append:/var/log/decnet/decnet.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/decnet-forwarder.service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=DECNET log forwarder (syslog-over-TLS → master) — {{ agent_name }}
+Documentation=https://github.com/anti/DECNET
+After=network-online.target
+Wants=network-online.target
+PartOf=decnet-agent.service
+
+[Service]
+Type=simple
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.forwarder.log
+ExecStart=/usr/local/bin/decnet forwarder --master-host {{ master_host }} --master-port 6514 --agent-dir /etc/decnet/agent --log-file /var/log/decnet/decnet.log
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/decnet/decnet.forwarder.log
+StandardError=append:/var/log/decnet/decnet.forwarder.log
+
+[Install]
+WantedBy=multi-user.target

decnet/web/templates/enroll_bootstrap.sh.j2

@@ -5,7 +5,7 @@
 set -euo pipefail
 
 [[ $EUID -eq 0 ]] || { echo "decnet-install: must run as root (use sudo)"; exit 1; }
-for bin in python3 curl tar; do
+for bin in python3 curl tar systemctl; do
   command -v "$bin" >/dev/null || { echo "decnet-install: $bin required"; exit 1; }
 done
 
@@ -53,8 +53,15 @@ fi
 # combos drop it with mode 0644) and expose it on PATH.
 chmod 0755 "$INSTALL_DIR/.venv/bin/decnet"
 ln -sf "$INSTALL_DIR/.venv/bin/decnet" /usr/local/bin/decnet
-/usr/local/bin/decnet agent --daemon
+
+echo "[DECNET] installing systemd units..."
+install -Dm0644 etc/systemd/system/decnet-agent.service /etc/systemd/system/decnet-agent.service
+install -Dm0644 etc/systemd/system/decnet-forwarder.service /etc/systemd/system/decnet-forwarder.service
+install -Dm0644 etc/systemd/system/decnet-engine.service /etc/systemd/system/decnet-engine.service
+systemctl daemon-reload
+systemctl enable --now decnet-agent.service decnet-forwarder.service
+
 if [[ "$WITH_UPDATER" == "true" ]]; then
   /usr/local/bin/decnet updater --daemon
 fi
-echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Forwarder auto-spawned."
+echo "[DECNET] agent {{ agent_name }} enrolled -> {{ master_host }}. Units: decnet-agent, decnet-forwarder active."