fix(deploy): wire per-unit log files on master systemd services

The agent-side enroll-bundle templates (decnet/web/templates/*) always
set DECNET_SYSTEM_LOGS + StandardOutput/StandardError to a per-unit
file under /var/log/decnet. The master-side init templates (deploy/*)
never did, so every 'decnet init'-installed service:

- inherited the default DECNET_SYSTEM_LOGS=decnet.system.log — a
  relative path, landing in the unit's WorkingDirectory. All 13 units
  shared the same cwd and fought for the same file, or more often
  just failed to write it under ProtectSystem=full,
- emitted stdout/stderr to the journal by default, which is fine for
  uvicorn's INFO banter but makes per-service grepping a pain when
  you're chasing a single worker's trace.

Mirror the agent-side wiring on all 13 master templates:
- Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.<name>.log
- StandardOutput=append:/var/log/decnet/decnet.<name>.log
- StandardError=append:/var/log/decnet/decnet.<name>.log

/var/log/decnet is already in ReadWritePaths so ProtectSystem=full
stays compatible. Operators now get a dedicated
/var/log/decnet/decnet.<unit>.log per service, both from the app's
structured logger and from any stray stderr — journalctl still
works too, but no longer the only option.

deploy/decnet-agent.service.j2

@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.agent.log
 ExecStart={{ venv_dir }}/bin/decnet agent --host 0.0.0.0 --port 8765 --agent-dir /etc/decnet/agent
+StandardOutput=append:/var/log/decnet/decnet.agent.log
+StandardError=append:/var/log/decnet/decnet.agent.log
 
 # MACVLAN/IPVLAN management + scapy raw sockets. Granted via ambient caps so
 # the process starts unprivileged and keeps only these two bits.

deploy/decnet-api.service.j2

@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.api.log
 ExecStart={{ venv_dir }}/bin/decnet api
+StandardOutput=append:/var/log/decnet/decnet.api.log
+StandardError=append:/var/log/decnet/decnet.api.log
 
 # MACVLAN/IPVLAN setup runs from the API lifespan when the embedded sniffer is on.
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW

deploy/decnet-bus.service.j2

@@ -16,7 +16,10 @@ EnvironmentFile=-{{ install_dir }}/.env.local
 # connect.
 RuntimeDirectory=decnet
 RuntimeDirectoryMode=0755
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.bus.log
 ExecStart={{ venv_dir }}/bin/decnet bus \
+StandardOutput=append:/var/log/decnet/decnet.bus.log
+StandardError=append:/var/log/decnet/decnet.bus.log
     --socket /run/decnet/bus.sock \
     --group decnet
 

deploy/decnet-collector.service.j2

@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.collector.log
 ExecStart={{ venv_dir }}/bin/decnet collect
+StandardOutput=append:/var/log/decnet/decnet.collector.log
+StandardError=append:/var/log/decnet/decnet.collector.log
 
 # No privileged network operations.
 CapabilityBoundingSet=

deploy/decnet-forwarder.service.j2

@@ -15,7 +15,10 @@ EnvironmentFile=-{{ install_dir }}/.env.local
 # Replace <master-host> with the master's LAN address or hostname. The agent
 # cert bundle at /etc/decnet/agent is reused — the forwarder presents the same
 # worker identity when it connects to the master's listener.
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.forwarder.log
 ExecStart={{ venv_dir }}/bin/decnet forwarder \
+StandardOutput=append:/var/log/decnet/decnet.forwarder.log
+StandardError=append:/var/log/decnet/decnet.forwarder.log
     --log-file /var/log/decnet/decnet.log \
     --master-host ${DECNET_SWARM_MASTER_HOST} \
     --master-port 6514 \

deploy/decnet-listener.service.j2

@@ -12,7 +12,10 @@ WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
 # Binds 0.0.0.0:6514 so workers across the LAN can connect. 6514 is not a
 # privileged port (≥1024), so no CAP_NET_BIND_SERVICE is required.
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.listener.log
 ExecStart={{ venv_dir }}/bin/decnet listener \
+StandardOutput=append:/var/log/decnet/decnet.listener.log
+StandardError=append:/var/log/decnet/decnet.listener.log
     --host 0.0.0.0 --port 6514 \
     --ca-dir /etc/decnet/ca \
     --log-path /var/log/decnet/master.log \

deploy/decnet-mutator.service.j2

@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.mutator.log
 ExecStart={{ venv_dir }}/bin/decnet mutate --watch
+StandardOutput=append:/var/log/decnet/decnet.mutator.log
+StandardError=append:/var/log/decnet/decnet.mutator.log
 
 CapabilityBoundingSet=
 AmbientCapabilities=

deploy/decnet-prober.service.j2

@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.prober.log
 ExecStart={{ venv_dir }}/bin/decnet probe
+StandardOutput=append:/var/log/decnet/decnet.prober.log
+StandardError=append:/var/log/decnet/decnet.prober.log
 
 # TCP connect probes only — no raw sockets required.
 CapabilityBoundingSet=

deploy/decnet-profiler.service.j2

@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.profiler.log
 ExecStart={{ venv_dir }}/bin/decnet profiler
+StandardOutput=append:/var/log/decnet/decnet.profiler.log
+StandardError=append:/var/log/decnet/decnet.profiler.log
 
 CapabilityBoundingSet=
 AmbientCapabilities=

deploy/decnet-sniffer.service.j2

@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.sniffer.log
 ExecStart={{ venv_dir }}/bin/decnet sniffer
+StandardOutput=append:/var/log/decnet/decnet.sniffer.log
+StandardError=append:/var/log/decnet/decnet.sniffer.log
 
 # scapy needs raw packet access on the MACVLAN host interface.
 CapabilityBoundingSet=CAP_NET_RAW

deploy/decnet-swarmctl.service.j2

@@ -12,7 +12,10 @@ WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
 # Default bind is loopback — the controller is a master-local orchestrator
 # reached by the CLI and the web dashboard, not by workers.
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.swarmctl.log
 ExecStart={{ venv_dir }}/bin/decnet swarmctl --host 127.0.0.1 --port 8770
+StandardOutput=append:/var/log/decnet/decnet.swarmctl.log
+StandardError=append:/var/log/decnet/decnet.swarmctl.log
 
 # No special capabilities — the controller issues mTLS certs and talks to
 # workers over TCP on unprivileged ports.

deploy/decnet-updater.service.j2

@@ -12,7 +12,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.updater.log
 ExecStart={{ venv_dir }}/bin/decnet updater \
+StandardOutput=append:/var/log/decnet/decnet.updater.log
+StandardError=append:/var/log/decnet/decnet.updater.log
     --host 0.0.0.0 --port 8766 \
     --updater-dir /etc/decnet/updater \
     --install-dir {{ install_dir }} \

deploy/decnet-web.service.j2

@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.web.log
 ExecStart={{ venv_dir }}/bin/decnet web
+StandardOutput=append:/var/log/decnet/decnet.web.log
+StandardError=append:/var/log/decnet/decnet.web.log
 
 # Uncomment if you bind the dashboard to a privileged port (80/443):
 # CapabilityBoundingSet=CAP_NET_BIND_SERVICE