From d4b714dc394d7b26b7b200304876a4bc754c063e Mon Sep 17 00:00:00 2001 
From: anti Date: Fri, 24 Apr 2026 00:57:23 -0400 Subject: [PATCH] fix(deploy): wire per-unit log files on master systemd services MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The agent-side enroll-bundle templates (decnet/web/templates/*) always set DECNET_SYSTEM_LOGS + StandardOutput/StandardError to a per-unit file under /var/log/decnet. The master-side init templates (deploy/*) never did, so every 'decnet init'-installed service: - inherited the default DECNET_SYSTEM_LOGS=decnet.system.log — a relative path, landing in the unit's WorkingDirectory. All 13 units shared the same cwd and fought for the same file, or more often just failed to write it under ProtectSystem=full, - emitted stdout/stderr to the journal by default, which is fine for uvicorn's INFO banter but makes per-service grepping a pain when you're chasing a single worker's trace. Mirror the agent-side wiring on all 13 master templates: - Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet..log - StandardOutput=append:/var/log/decnet/decnet..log - StandardError=append:/var/log/decnet/decnet..log /var/log/decnet is already in ReadWritePaths so ProtectSystem=full stays compatible. Operators now get a dedicated /var/log/decnet/decnet..log per service, both from the app's structured logger and from any stray stderr — journalctl still works too, but no longer the only option. --- deploy/decnet-agent.service.j2 | 3 +++ deploy/decnet-api.service.j2 | 3 +++ deploy/decnet-bus.service.j2 | 3 +++ deploy/decnet-collector.service.j2 | 3 +++ deploy/decnet-forwarder.service.j2 | 3 +++ deploy/decnet-listener.service.j2 | 3 +++ deploy/decnet-mutator.service.j2 | 3 +++ deploy/decnet-prober.service.j2 | 3 +++ deploy/decnet-profiler.service.j2 | 3 +++ deploy/decnet-sniffer.service.j2 | 3 +++ deploy/decnet-swarmctl.service.j2 | 3 +++ deploy/decnet-updater.service.j2 | 3 +++ deploy/decnet-web.service.j2 | 3 +++ 13 files changed, 39 insertions(+) 
diff --git a/deploy/decnet-agent.service.j2 b/deploy/decnet-agent.service.j2
index 703c074b..b80c5b80 100644
--- a/deploy/decnet-agent.service.j2
+++ b/deploy/decnet-agent.service.j2
@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.agent.log
 ExecStart={{ venv_dir }}/bin/decnet agent --host 0.0.0.0 --port 8765 --agent-dir /etc/decnet/agent
+StandardOutput=append:/var/log/decnet/decnet.agent.log
+StandardError=append:/var/log/decnet/decnet.agent.log
 # MACVLAN/IPVLAN management + scapy raw sockets. Granted via ambient caps so
 # the process starts unprivileged and keeps only these two bits.
diff --git a/deploy/decnet-api.service.j2 b/deploy/decnet-api.service.j2
index 5f0f7a33..4a717c8d 100644
--- a/deploy/decnet-api.service.j2
+++ b/deploy/decnet-api.service.j2
@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.api.log
 ExecStart={{ venv_dir }}/bin/decnet api
+StandardOutput=append:/var/log/decnet/decnet.api.log
+StandardError=append:/var/log/decnet/decnet.api.log
 # MACVLAN/IPVLAN setup runs from the API lifespan when the embedded sniffer is on.
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
diff --git a/deploy/decnet-bus.service.j2 b/deploy/decnet-bus.service.j2
index 8b6100fe..266b0824 100644
--- a/deploy/decnet-bus.service.j2
+++ b/deploy/decnet-bus.service.j2
@@ -16,7 +16,10 @@ EnvironmentFile=-{{ install_dir }}/.env.local
 # connect.
 RuntimeDirectory=decnet
 RuntimeDirectoryMode=0755
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.bus.log
 ExecStart={{ venv_dir }}/bin/decnet bus \
+StandardOutput=append:/var/log/decnet/decnet.bus.log
+StandardError=append:/var/log/decnet/decnet.bus.log
 --socket /run/decnet/bus.sock \
 --group decnet
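Review bot: The application's own logger (`Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.agent.log`) and systemd's `StandardOutput=`/`StandardError=append:` descriptor now write to the same file, and every other hunk in this patch repeats the pattern. I believe systemd opens `append:` targets before it switches to `User=`/`Group=`, so on a clean install the file would be created root-owned with the default mode and the service's logger could then be refused write access; two descriptors appending to one file can also interleave partial lines, and if the app ever rotates the file systemd's descriptor keeps writing to the old inode — worth verifying on a fresh `decnet init` rather than assuming. Either give stdout/stderr their own target (a separate file name of your choosing) or make the directory and file owned by the service user up front, e.g. `LogsDirectory=decnet` with `LogsDirectoryMode=0750`, which also keeps stray tracebacks out of a world-readable file. `ProtectSystem=`/`ReadWritePaths=` are outside this hunk, so the write path is taken from the commit message.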
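Review bot: `ExecStart={{ venv_dir }}/bin/decnet bus \` ends with a line continuation, so the two inserted `StandardOutput=`/`StandardError=` lines are folded into the command line as literal arguments to `decnet bus` ahead of `--socket`/`--group`; the directives are never applied and the unit will most likely fail to start or run with stray positional arguments. The forwarder, listener and updater hunks place the lines after a `\`-terminated `ExecStart=` in the same way. Move the two lines above `ExecStart=`, next to the `Environment=` line, or after the last continuation line: `+StandardOutput=append:/var/log/decnet/decnet.bus.log`, `+StandardError=append:/var/log/decnet/decnet.bus.log`, then ` ExecStart={{ venv_dir }}/bin/decnet bus \`. A `systemd-analyze verify` on the rendered units would have caught this and is worth adding to whatever checks the deploy templates get.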
diff --git a/deploy/decnet-collector.service.j2 b/deploy/decnet-collector.service.j2
index 76cf4fce..d8691088 100644
--- a/deploy/decnet-collector.service.j2
+++ b/deploy/decnet-collector.service.j2
@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.collector.log
 ExecStart={{ venv_dir }}/bin/decnet collect
+StandardOutput=append:/var/log/decnet/decnet.collector.log
+StandardError=append:/var/log/decnet/decnet.collector.log
 # No privileged network operations.
 CapabilityBoundingSet=
diff --git a/deploy/decnet-forwarder.service.j2 b/deploy/decnet-forwarder.service.j2
index e8789c6d..1872dc29 100644
--- a/deploy/decnet-forwarder.service.j2
+++ b/deploy/decnet-forwarder.service.j2
@@ -15,7 +15,10 @@ EnvironmentFile=-{{ install_dir }}/.env.local
 # Replace with the master's LAN address or hostname. The agent
 # cert bundle at /etc/decnet/agent is reused — the forwarder presents the same
 # worker identity when it connects to the master's listener.
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.forwarder.log
 ExecStart={{ venv_dir }}/bin/decnet forwarder \
+StandardOutput=append:/var/log/decnet/decnet.forwarder.log
+StandardError=append:/var/log/decnet/decnet.forwarder.log
 --log-file /var/log/decnet/decnet.log \
 --master-host ${DECNET_SWARM_MASTER_HOST} \
 --master-port 6514 \
diff --git a/deploy/decnet-listener.service.j2 b/deploy/decnet-listener.service.j2
index d1739f2e..938b3457 100644
--- a/deploy/decnet-listener.service.j2
+++ b/deploy/decnet-listener.service.j2
@@ -12,7 +12,10 @@ WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
 # Binds 0.0.0.0:6514 so workers across the LAN can connect. 6514 is not a
 # privileged port (≥1024), so no CAP_NET_BIND_SERVICE is required.
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.listener.log
 ExecStart={{ venv_dir }}/bin/decnet listener \
+StandardOutput=append:/var/log/decnet/decnet.listener.log
+StandardError=append:/var/log/decnet/decnet.listener.log
 --host 0.0.0.0 --port 6514 \
 --ca-dir /etc/decnet/ca \
 --log-path /var/log/decnet/master.log \
diff --git a/deploy/decnet-mutator.service.j2 b/deploy/decnet-mutator.service.j2
index c1f648f4..8353cee8 100644
--- a/deploy/decnet-mutator.service.j2
+++ b/deploy/decnet-mutator.service.j2
@@ -13,7 +13,10 @@ Group={{ group }}
 SupplementaryGroups=docker
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.mutator.log
 ExecStart={{ venv_dir }}/bin/decnet mutate --watch
+StandardOutput=append:/var/log/decnet/decnet.mutator.log
+StandardError=append:/var/log/decnet/decnet.mutator.log
 CapabilityBoundingSet=
 AmbientCapabilities=
diff --git a/deploy/decnet-prober.service.j2 b/deploy/decnet-prober.service.j2
index 3deca708..f4e930f7 100644
--- a/deploy/decnet-prober.service.j2
+++ b/deploy/decnet-prober.service.j2
@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.prober.log
 ExecStart={{ venv_dir }}/bin/decnet probe
+StandardOutput=append:/var/log/decnet/decnet.prober.log
+StandardError=append:/var/log/decnet/decnet.prober.log
 # TCP connect probes only — no raw sockets required.
 CapabilityBoundingSet=
diff --git a/deploy/decnet-profiler.service.j2 b/deploy/decnet-profiler.service.j2
index bee9a51e..3f521627 100644
--- a/deploy/decnet-profiler.service.j2
+++ b/deploy/decnet-profiler.service.j2
@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.profiler.log
 ExecStart={{ venv_dir }}/bin/decnet profiler
+StandardOutput=append:/var/log/decnet/decnet.profiler.log
+StandardError=append:/var/log/decnet/decnet.profiler.log
 CapabilityBoundingSet=
 AmbientCapabilities=
diff --git a/deploy/decnet-sniffer.service.j2 b/deploy/decnet-sniffer.service.j2
index cc39b479..affed379 100644
--- a/deploy/decnet-sniffer.service.j2
+++ b/deploy/decnet-sniffer.service.j2
@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.sniffer.log
 ExecStart={{ venv_dir }}/bin/decnet sniffer
+StandardOutput=append:/var/log/decnet/decnet.sniffer.log
+StandardError=append:/var/log/decnet/decnet.sniffer.log
 # scapy needs raw packet access on the MACVLAN host interface.
 CapabilityBoundingSet=CAP_NET_RAW
diff --git a/deploy/decnet-swarmctl.service.j2 b/deploy/decnet-swarmctl.service.j2
index 8da048b6..9dcdbd20 100644
--- a/deploy/decnet-swarmctl.service.j2
+++ b/deploy/decnet-swarmctl.service.j2
@@ -12,7 +12,10 @@ WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
 # Default bind is loopback — the controller is a master-local orchestrator
 # reached by the CLI and the web dashboard, not by workers.
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.swarmctl.log
 ExecStart={{ venv_dir }}/bin/decnet swarmctl --host 127.0.0.1 --port 8770
+StandardOutput=append:/var/log/decnet/decnet.swarmctl.log
+StandardError=append:/var/log/decnet/decnet.swarmctl.log
 # No special capabilities — the controller issues mTLS certs and talks to
 # workers over TCP on unprivileged ports.
diff --git a/deploy/decnet-updater.service.j2 b/deploy/decnet-updater.service.j2
index bf3244d2..577bb74d 100644
--- a/deploy/decnet-updater.service.j2
+++ b/deploy/decnet-updater.service.j2
@@ -12,7 +12,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.updater.log
 ExecStart={{ venv_dir }}/bin/decnet updater \
+StandardOutput=append:/var/log/decnet/decnet.updater.log
+StandardError=append:/var/log/decnet/decnet.updater.log
 --host 0.0.0.0 --port 8766 \
 --updater-dir /etc/decnet/updater \
 --install-dir {{ install_dir }} \
diff --git a/deploy/decnet-web.service.j2 b/deploy/decnet-web.service.j2
index 8695ffde..376980a1 100644
--- a/deploy/decnet-web.service.j2
+++ b/deploy/decnet-web.service.j2
@@ -10,7 +10,10 @@ User={{ user }}
 Group={{ group }}
 WorkingDirectory={{ install_dir }}
 EnvironmentFile=-{{ install_dir }}/.env.local
+Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.web.log
 ExecStart={{ venv_dir }}/bin/decnet web
+StandardOutput=append:/var/log/decnet/decnet.web.log
+StandardError=append:/var/log/decnet/decnet.web.log
 # Uncomment if you bind the dashboard to a privileged port (80/443):
 # CapabilityBoundingSet=CAP_NET_BIND_SERVICE