anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(systemd): add units for collector/profiler/sniffer/prober/mutator + decnet.target

Browse Source 
Adds the five missing worker units plus a grouping target so
`systemctl start decnet.target` brings the whole fleet up in order.
Sniffer gets CAP_NET_RAW for scapy; collector and mutator join the
docker supplementary group for docker.sock access. Repoints
Documentation= across all existing units to the canonical
git.resacachile.cl wiki.
This commit is contained in:
anti
2026-04-22 14:06:42 -04:00
parent 90d0c3b206
commit f21453afdc
14 changed files with 211 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
deploy/decnet-agent.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Worker Agent (mTLS) Description=DECNET Worker Agent (mTLS)
Documentation=https://github.com/4nt11/DECNET/wiki/SWARM-Mode Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
After=network-online.target docker.service After=network-online.target docker.service
Wants=network-online.target Wants=network-online.target
Requires=docker.service Requires=docker.service

2
deploy/decnet-api.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET API Service Description=DECNET API Service
Documentation=https://github.com/4nt11/DECNET/wiki/REST-API-Reference Documentation=https://git.resacachile.cl/anti/DECNET/wiki/REST-API-Reference
After=network-online.target docker.service After=network-online.target docker.service
Wants=network-online.target Wants=network-online.target
Requires=docker.service Requires=docker.service

2
deploy/decnet-bus.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Service Bus (host-local UNIX-socket pub/sub) Description=DECNET Service Bus (host-local UNIX-socket pub/sub)
Documentation=https://github.com/4nt11/DECNET/wiki/Service-Bus Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Service-Bus
After=network-online.target After=network-online.target
Wants=network-online.target Wants=network-online.target

39
deploy/decnet-collector.service Normal file
View File

@@ -0,0 +1,39 @@
[Unit]
Description=DECNET Collector (Docker log ingestion)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#collector
After=network-online.target docker.service decnet-bus.service
Wants=network-online.target decnet-bus.service
Requires=docker.service
[Service]
Type=simple
User=decnet
Group=decnet
# docker.sock is group-readable by 'docker'; the collector tails container logs.
SupplementaryGroups=docker
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
ExecStart=/opt/decnet/venv/bin/decnet collect
# No privileged network operations.
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths=/opt/decnet /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15
[Install]
WantedBy=multi-user.target

2
deploy/decnet-forwarder.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425) Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425)
Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
After=network-online.target After=network-online.target
Wants=network-online.target Wants=network-online.target
# The forwarder can run independently of the agent — it only needs the local # The forwarder can run independently of the agent — it only needs the local

2
deploy/decnet-listener.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Syslog-over-TLS Listener (master, RFC 5425) Description=DECNET Syslog-over-TLS Listener (master, RFC 5425)
Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
After=network-online.target After=network-online.target
Wants=network-online.target Wants=network-online.target

38
deploy/decnet-mutator.service Normal file
View File

@@ -0,0 +1,38 @@
[Unit]
Description=DECNET Mutator (runtime fleet mutation watch loop)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#mutator
After=network-online.target docker.service decnet-bus.service
Wants=network-online.target decnet-bus.service
Requires=docker.service
[Service]
Type=simple
User=decnet
Group=decnet
# Mutator recomposes decky services via docker compose.
SupplementaryGroups=docker
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
ExecStart=/opt/decnet/venv/bin/decnet mutate --watch
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths=/opt/decnet /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15
[Install]
WantedBy=multi-user.target

36
deploy/decnet-prober.service Normal file
View File

@@ -0,0 +1,36 @@
[Unit]
Description=DECNET Prober (active realism / attacker fingerprint probes)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#prober
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service
[Service]
Type=simple
User=decnet
Group=decnet
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
ExecStart=/opt/decnet/venv/bin/decnet probe
# TCP connect probes only — no raw sockets required.
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths=/opt/decnet /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15
[Install]
WantedBy=multi-user.target

35
deploy/decnet-profiler.service Normal file
View File

@@ -0,0 +1,35 @@
[Unit]
Description=DECNET Profiler (attacker profiling and scoring)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#profiler
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service
[Service]
Type=simple
User=decnet
Group=decnet
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
ExecStart=/opt/decnet/venv/bin/decnet profiler
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths=/opt/decnet /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15
[Install]
WantedBy=multi-user.target

36
deploy/decnet-sniffer.service Normal file
View File

@@ -0,0 +1,36 @@
[Unit]
Description=DECNET Sniffer (fleet-wide MACVLAN TLS fingerprinting)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#sniffer
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service
[Service]
Type=simple
User=decnet
Group=decnet
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
ExecStart=/opt/decnet/venv/bin/decnet sniffer
# scapy needs raw packet access on the MACVLAN host interface.
CapabilityBoundingSet=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths=/opt/decnet /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15
[Install]
WantedBy=multi-user.target

2
deploy/decnet-swarmctl.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Swarm Controller (master) Description=DECNET Swarm Controller (master)
Documentation=https://github.com/4nt11/DECNET/wiki/SWARM-Mode Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
After=network-online.target decnet-api.service After=network-online.target decnet-api.service
Wants=network-online.target Wants=network-online.target

2
deploy/decnet-updater.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Self-Updater (mTLS) Description=DECNET Self-Updater (mTLS)
Documentation=https://github.com/4nt11/DECNET/wiki/Remote-Updates Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Remote-Updates
After=network-online.target After=network-online.target
Wants=network-online.target Wants=network-online.target
# Deliberately NOT After=decnet-agent.service — the updater must come up even # Deliberately NOT After=decnet-agent.service — the updater must come up even

2
deploy/decnet-web.service
View File

@@ -1,6 +1,6 @@
[Unit] [Unit]
Description=DECNET Web Dashboard Service Description=DECNET Web Dashboard Service
Documentation=https://github.com/4nt11/DECNET/wiki/Web-Dashboard Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Web-Dashboard
After=network-online.target decnet-api.service After=network-online.target decnet-api.service
Wants=network-online.target Wants=network-online.target

19
deploy/decnet.target Normal file
View File

@@ -0,0 +1,19 @@
[Unit]
Description=DECNET honeypot framework (all master-host workers)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers
# Bring workers up in dependency order: bus first (everything else publishes
# heartbeats to it), then the API + data-plane workers. systemd resolves the
# actual ordering via each unit's own After=/Wants= on decnet-bus.service —
# this target is a convenience grouping, not an ordering primitive.
Wants=decnet-bus.service \
decnet-api.service \
decnet-web.service \
decnet-collector.service \
decnet-profiler.service \
decnet-sniffer.service \
decnet-prober.service \
decnet-mutator.service
After=decnet-bus.service
[Install]
WantedBy=multi-user.target