chore(systemd): add units for collector/profiler/sniffer/prober/mutator + decnet.target

Adds the five missing worker units plus a grouping target so `systemctl start decnet.target` brings the whole fleet up in order. Sniffer gets CAP_NET_RAW for scapy; collector and mutator join the docker supplementary group for docker.sock access. Repoints Documentation= across all existing units to the canonical git.resacachile.cl wiki.
2026-04-22 14:06:42 -04:00
parent 90d0c3b206
commit f21453afdc
14 changed files with 211 additions and 8 deletions
--- a/deploy/decnet-agent.service
+++ b/deploy/decnet-agent.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Worker Agent (mTLS)
-Documentation=https://github.com/4nt11/DECNET/wiki/SWARM-Mode
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
 After=network-online.target docker.service
 Wants=network-online.target
 Requires=docker.service
--- a/deploy/decnet-api.service
+++ b/deploy/decnet-api.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET API Service
-Documentation=https://github.com/4nt11/DECNET/wiki/REST-API-Reference
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/REST-API-Reference
 After=network-online.target docker.service
 Wants=network-online.target
 Requires=docker.service
--- a/deploy/decnet-bus.service
+++ b/deploy/decnet-bus.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Service Bus (host-local UNIX-socket pub/sub)
-Documentation=https://github.com/4nt11/DECNET/wiki/Service-Bus
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Service-Bus
 After=network-online.target
 Wants=network-online.target

--- a/deploy/decnet-collector.service
+++ b/deploy/decnet-collector.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=DECNET Collector (Docker log ingestion)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#collector
+After=network-online.target docker.service decnet-bus.service
+Wants=network-online.target decnet-bus.service
+Requires=docker.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+# docker.sock is group-readable by 'docker'; the collector tails container logs.
+SupplementaryGroups=docker
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet collect
+
+# No privileged network operations.
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet-forwarder.service
+++ b/deploy/decnet-forwarder.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425)
-Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
 After=network-online.target
 Wants=network-online.target
 # The forwarder can run independently of the agent — it only needs the local
--- a/deploy/decnet-listener.service
+++ b/deploy/decnet-listener.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Syslog-over-TLS Listener (master, RFC 5425)
-Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
 After=network-online.target
 Wants=network-online.target

--- a/deploy/decnet-mutator.service
+++ b/deploy/decnet-mutator.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=DECNET Mutator (runtime fleet mutation watch loop)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#mutator
+After=network-online.target docker.service decnet-bus.service
+Wants=network-online.target decnet-bus.service
+Requires=docker.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+# Mutator recomposes decky services via docker compose.
+SupplementaryGroups=docker
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet mutate --watch
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet-prober.service
+++ b/deploy/decnet-prober.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=DECNET Prober (active realism / attacker fingerprint probes)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#prober
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet probe
+
+# TCP connect probes only — no raw sockets required.
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet-profiler.service
+++ b/deploy/decnet-profiler.service
@@ -0,0 +1,35 @@
+[Unit]
+Description=DECNET Profiler (attacker profiling and scoring)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#profiler
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet profiler
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet-sniffer.service
+++ b/deploy/decnet-sniffer.service
@@ -0,0 +1,36 @@
+[Unit]
+Description=DECNET Sniffer (fleet-wide MACVLAN TLS fingerprinting)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#sniffer
+After=network-online.target decnet-bus.service
+Wants=network-online.target decnet-bus.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+ExecStart=/opt/decnet/venv/bin/decnet sniffer
+
+# scapy needs raw packet access on the MACVLAN host interface.
+CapabilityBoundingSet=CAP_NET_RAW
+AmbientCapabilities=CAP_NET_RAW
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+ReadWritePaths=/opt/decnet /var/log/decnet
+
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=15
+
+[Install]
+WantedBy=multi-user.target
--- a/deploy/decnet-swarmctl.service
+++ b/deploy/decnet-swarmctl.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Swarm Controller (master)
-Documentation=https://github.com/4nt11/DECNET/wiki/SWARM-Mode
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/SWARM-Mode
 After=network-online.target decnet-api.service
 Wants=network-online.target

--- a/deploy/decnet-updater.service
+++ b/deploy/decnet-updater.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Self-Updater (mTLS)
-Documentation=https://github.com/4nt11/DECNET/wiki/Remote-Updates
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Remote-Updates
 After=network-online.target
 Wants=network-online.target
 # Deliberately NOT After=decnet-agent.service — the updater must come up even
--- a/deploy/decnet-web.service
+++ b/deploy/decnet-web.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=DECNET Web Dashboard Service
-Documentation=https://github.com/4nt11/DECNET/wiki/Web-Dashboard
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Web-Dashboard
 After=network-online.target decnet-api.service
 Wants=network-online.target

--- a/deploy/decnet.target
+++ b/deploy/decnet.target
@@ -0,0 +1,19 @@
+[Unit]
+Description=DECNET honeypot framework (all master-host workers)
+Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers
+# Bring workers up in dependency order: bus first (everything else publishes
+# heartbeats to it), then the API + data-plane workers.  systemd resolves the
+# actual ordering via each unit's own After=/Wants= on decnet-bus.service —
+# this target is a convenience grouping, not an ordering primitive.
+Wants=decnet-bus.service \
+      decnet-api.service \
+      decnet-web.service \
+      decnet-collector.service \
+      decnet-profiler.service \
+      decnet-sniffer.service \
+      decnet-prober.service \
+      decnet-mutator.service
+After=decnet-bus.service
+
+[Install]
+WantedBy=multi-user.target