feat(deploy): systemd units w/ capability-based hardening; updater restarts agent via systemctl

Add deploy/ unit files for every DECNET daemon (agent, updater, api, web, swarmctl, listener, forwarder). All run as User=decnet with NoNewPrivileges, ProtectSystem, PrivateTmp, LockPersonality; AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW only on the agent (MACVLAN/scapy). Existing api/web units migrated to /opt/decnet layout and the same hardening stanza. Make the updater's _spawn_agent systemd-aware: under systemd (detected via INVOCATION_ID + systemctl on PATH), `systemctl restart decnet-agent.service` replaces the Popen path so the new agent inherits the unit's ambient caps instead of the updater's empty set. _stop_agent becomes a no-op in that mode to avoid racing systemctl's own stop phase. Tests cover the dispatcher branch selection, MainPID parsing, and the systemd no-op stop.
2026-04-19 00:44:06 -04:00
parent 40d3e86e55
commit f5a5fec607
9 changed files with 381 additions and 19 deletions
--- a/deploy/decnet-forwarder.service
+++ b/deploy/decnet-forwarder.service
@@ -0,0 +1,46 @@
+[Unit]
+Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425)
+Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog
+After=network-online.target
+Wants=network-online.target
+# The forwarder can run independently of the agent — it only needs the local
+# log file to exist and the master to be reachable.
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/opt/decnet
+EnvironmentFile=-/opt/decnet/.env.local
+# Replace <master-host> with the master's LAN address or hostname. The agent
+# cert bundle at /etc/decnet/agent is reused — the forwarder presents the same
+# worker identity when it connects to the master's listener.
+ExecStart=/opt/decnet/venv/bin/decnet forwarder \
+    --log-file /var/log/decnet/decnet.log \
+    --master-host ${DECNET_SWARM_MASTER_HOST} \
+    --master-port 6514 \
+    --agent-dir /etc/decnet/agent
+
+# TLS client connection; no special capabilities.
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+# Reads the tailed log; writes a small byte-offset state file alongside it.
+ReadWritePaths=/var/log/decnet
+ReadOnlyPaths=/etc/decnet
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target