From f21453afdc406b0ad7938358710b857d050147ea Mon Sep 17 00:00:00 2001
From: anti
Date: Wed, 22 Apr 2026 14:06:42 -0400
Subject: [PATCH] chore(systemd): add units for collector/profiler/sniffer/prober/mutator + decnet.target
Adds the five missing worker units plus a grouping target so `systemctl start decnet.target` brings the whole fleet up in order. Sniffer gets CAP_NET_RAW for scapy; collector and mutator join the docker supplementary group for docker.sock access. Repoints Documentation= across all existing units to the canonical git.resacachile.cl wiki.
---
 deploy/decnet-agent.service | 2 +-
 deploy/decnet-api.service | 2 +-
 deploy/decnet-bus.service | 2 +-
 deploy/decnet-collector.service | 39 +++++++++++++++++++++++++++++++++
 deploy/decnet-forwarder.service | 2 +-
 deploy/decnet-listener.service | 2 +-
 deploy/decnet-mutator.service | 38 ++++++++++++++++++++++++++++++++
 deploy/decnet-prober.service | 36 ++++++++++++++++++++++++++++++
 deploy/decnet-profiler.service | 35 +++++++++++++++++++++++++++++
 deploy/decnet-sniffer.service | 36 ++++++++++++++++++++++++++++++
 deploy/decnet-swarmctl.service | 2 +-
 deploy/decnet-updater.service | 2 +-
 deploy/decnet-web.service | 2 +-
 deploy/decnet.target | 19 ++++++++++++++++
 14 files changed, 211 insertions(+), 8 deletions(-)
 create mode 100644 deploy/decnet-collector.service
 create mode 100644 deploy/decnet-mutator.service
 create mode 100644 deploy/decnet-prober.service
 create mode 100644 deploy/decnet-profiler.service
 create mode 100644 deploy/decnet-sniffer.service
 create mode 100644 deploy/decnet.target
diff --git a/deploy/decnet-agent.service b/deploy/decnet-agent.service
index 1657932b..20e152f2 100644
--- a/deploy/decnet-agent.service
+++ b/deploy/decnet-agent.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Worker Agent (mTLS)
-Documentation=https://github.com/4nt11/DECNET/wiki/SWARM-Mode
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
 After=network-online.target docker.service
 Wants=network-online.target
 Requires=docker.service
diff --git a/deploy/decnet-api.service b/deploy/decnet-api.service
index e7b253d9..a8e6dfab 100644
--- a/deploy/decnet-api.service
+++ b/deploy/decnet-api.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET API Service
-Documentation=https://github.com/4nt11/DECNET/wiki/REST-API-Reference
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/REST-API-Reference
 After=network-online.target docker.service
 Wants=network-online.target
 Requires=docker.service
diff --git a/deploy/decnet-bus.service b/deploy/decnet-bus.service
index 80ae38d9..a324f6d6 100644
--- a/deploy/decnet-bus.service
+++ b/deploy/decnet-bus.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Service Bus (host-local UNIX-socket pub/sub)
-Documentation=https://github.com/4nt11/DECNET/wiki/Service-Bus
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Service-Bus
 After=network-online.target
 Wants=network-online.target
diff --git a/deploy/decnet-collector.service b/deploy/decnet-collector.service
new file mode 100644
index 00000000..4f2a47b9
--- /dev/null
+++ b/deploy/decnet-collector.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=DECNET Collector (Docker log ingestion)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#collector
+After=network-online.target docker.service decnet-bus.service
+Wants=network-online.target decnet-bus.service
+Requires=docker.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+# docker.sock is group-readable by 'docker'; the collector tails container logs.
+SupplementaryGroups=docker
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet collect
+
+# No privileged network operations.
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/decnet-forwarder.service b/deploy/decnet-forwarder.service
index 35a6d36d..2537eb44 100644
--- a/deploy/decnet-forwarder.service
+++ b/deploy/decnet-forwarder.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425)
-Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
 After=network-online.target
 Wants=network-online.target
 # The forwarder can run independently of the agent — it only needs the local
diff --git a/deploy/decnet-listener.service b/deploy/decnet-listener.service
index db43db66..add9fc5e 100644
--- a/deploy/decnet-listener.service
+++ b/deploy/decnet-listener.service
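Review bot: `SupplementaryGroups=docker` in the collector's [Service] section grants full docker.sock access, which is root-equivalent on the host because the daemon executes any API request (bind mounts, privileged containers) as root, and none of the hardening directives below it constrain what the daemon does on the service's behalf; the comment should state that rather than describing the socket as merely "group-readable", and the mutator unit carries the same grant and the same caveat. If the collector only reads container logs, routing it through a socket proxy that exposes only the endpoints it needs would keep the log path off the root-equivalent socket, while the mutator genuinely needs the API for compose. Separately, `ReadWritePaths=/opt/decnet /var/log/decnet` in all five new units lists the install tree — including /opt/decnet/venv/bin/decnet, the ExecStart binary — as writable, and with `ProtectSystem=full` /opt is writable anyway, so whether a compromised worker can rewrite its own code comes down to file ownership alone. If the workers only write state and logs, `ProtectSystem=strict` with ReadWritePaths narrowed to those directories would make that an explicit, auditable property of the unit.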
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Syslog-over-TLS Listener (master, RFC 5425)
-Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
 After=network-online.target
 Wants=network-online.target
diff --git a/deploy/decnet-mutator.service b/deploy/decnet-mutator.service
new file mode 100644
index 00000000..b2c872a4
--- /dev/null
+++ b/deploy/decnet-mutator.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=DECNET Mutator (runtime fleet mutation watch loop)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#mutator
+After=network-online.target docker.service decnet-bus.service
+Wants=network-online.target decnet-bus.service
+Requires=docker.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+# Mutator recomposes decky services via docker compose.
+SupplementaryGroups=docker
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet mutate --watch
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/decnet-prober.service b/deploy/decnet-prober.service
new file mode 100644
index 00000000..a862730e
--- /dev/null
+++ b/deploy/decnet-prober.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=DECNET Prober (active realism / attacker fingerprint probes)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#prober
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet probe
+
+# TCP connect probes only — no raw sockets required.
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/decnet-profiler.service b/deploy/decnet-profiler.service
new file mode 100644
index 00000000..4ff9ee82
--- /dev/null
+++ b/deploy/decnet-profiler.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=DECNET Profiler (attacker profiling and scoring)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#profiler
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet profiler
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
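Review bot: The comment `# TCP connect probes only — no raw sockets required.` above the empty capability sets is a statement of intent that the unit does not enforce: clearing the bounding set stops raw sockets, but nothing stops the prober from opening other address families. Adding `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` directly under the comment turns it into a checked property, and the same line fits the profiler unit in this file section, which has no network-capability comment at all. This keeps the prober's outbound footprint (connect-only, IP plus the local bus socket) visible to anyone auditing the unit.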
diff --git a/deploy/decnet-sniffer.service b/deploy/decnet-sniffer.service
new file mode 100644
index 00000000..7320cf0d
--- /dev/null
+++ b/deploy/decnet-sniffer.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=DECNET Sniffer (fleet-wide MACVLAN TLS fingerprinting)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#sniffer
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet sniffer
+
+# scapy needs raw packet access on the MACVLAN host interface.
+CapabilityBoundingSet=CAP_NET_RAW
+AmbientCapabilities=CAP_NET_RAW
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/decnet-swarmctl.service b/deploy/decnet-swarmctl.service
index bda6d60a..64455281 100644
--- a/deploy/decnet-swarmctl.service
+++ b/deploy/decnet-swarmctl.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Swarm Controller (master)
-Documentation=https://github.com/4nt11/DECNET/wiki/SWARM-Mode
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
 After=network-online.target decnet-api.service
 Wants=network-online.target
diff --git a/deploy/decnet-updater.service b/deploy/decnet-updater.service
index 6b3a4570..db2b8dd3 100644
--- a/deploy/decnet-updater.service
+++ b/deploy/decnet-updater.service
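Review bot: `AmbientCapabilities=CAP_NET_RAW` in the sniffer's [Service] section is what actually hands the capability to the unprivileged decnet user, and it allows packet sockets on every interface and arbitrary frame injection, not just capture on the MACVLAN interface the comment names; the comment should say what the grant really covers. Pairing it with `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET` bounds the socket types the process can open to the ones this unit needs, and naming the interface in the comment (if it is fixed) gives an auditor something to check the capture configuration against. It is also worth confirming that scapy's capture works with CAP_NET_RAW alone under this user on the target host; if it needs more, the unit starts fine and only fails once the sniffer opens the interface, which `Restart=on-failure` would then loop on every 5 seconds.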
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Self-Updater (mTLS)
-Documentation=https://github.com/4nt11/DECNET/wiki/Remote-Updates
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Remote-Updates
 After=network-online.target
 Wants=network-online.target
 # Deliberately NOT After=decnet-agent.service — the updater must come up even
diff --git a/deploy/decnet-web.service b/deploy/decnet-web.service
index e3b0e6dd..eb119eff 100644
--- a/deploy/decnet-web.service
+++ b/deploy/decnet-web.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Web Dashboard Service
-Documentation=https://github.com/4nt11/DECNET/wiki/Web-Dashboard
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Web-Dashboard
 After=network-online.target decnet-api.service
 Wants=network-online.target
diff --git a/deploy/decnet.target b/deploy/decnet.target
new file mode 100644
index 00000000..950e4697
--- /dev/null
+++ b/deploy/decnet.target
@@ -0,0 +1,19 @@
+[Unit]
+Description=DECNET honeypot framework (all master-host workers)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers
+# Bring workers up in dependency order: bus first (everything else publishes
+# heartbeats to it), then the API + data-plane workers. systemd resolves the
+# actual ordering via each unit's own After=/Wants= on decnet-bus.service —
+# this target is a convenience grouping, not an ordering primitive.
+Wants=decnet-bus.service \
+ decnet-api.service \
+ decnet-web.service \
+ decnet-collector.service \
+ decnet-profiler.service \
+ decnet-sniffer.service \
+ decnet-prober.service \
+ decnet-mutator.service
+After=decnet-bus.service
+
+[Install]
+WantedBy=multi-user.target
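Review bot: The target's Description claims "all master-host workers", but the `Wants=` list omits decnet-listener.service and decnet-swarmctl.service, both of which the existing units in this patch label as master-side (`(master, RFC 5425)` and `Swarm Controller (master)`); either add them to the list or narrow the description to the units actually grouped, since an operator reading the description will assume `systemctl start decnet.target` brought the listener up. Because the grouping is `Wants=`, stopping the target does not stop the workers; if stop-propagation is wanted, each grouped service needs `PartOf=decnet.target`, and if it is deliberately start-only, a line in the comment saying so would save the next reader the check. The comment's ordering claim is accurate as written: `After=decnet-bus.service` here only delays the target's own activation, and the per-service After=/Wants= lines do the real sequencing.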