From fc99375c62ef5687078541d7a7541eabfa26772e Mon Sep 17 00:00:00 2001
From: anti
Date: Wed, 8 Apr 2026 01:46:47 -0400
Subject: [PATCH] feat: add systemd service templates for API and Web Dashboard
---
 deploy/decnet-api.service | 29 +++++++++++++++++++++++++++++
 deploy/decnet-web.service | 30 ++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 deploy/decnet-api.service
 create mode 100644 deploy/decnet-web.service
diff --git a/deploy/decnet-api.service b/deploy/decnet-api.service
new file mode 100644
index 0000000..c4a504a
--- /dev/null
+++ b/deploy/decnet-api.service
@@ -0,0 +1,29 @@
+[Unit]
+Description=DECNET API Service
+After=network.target docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/path/to/DECNET
+# Ensure environment is loaded from the .env file
+EnvironmentFile=/path/to/DECNET/.env
+# Use the virtualenv python to run the decnet api command
+ExecStart=/path/to/DECNET/.venv/bin/decnet api
+
+# Capabilities required to manage MACVLAN interfaces and network links without root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/decnet-web.service b/deploy/decnet-web.service
new file mode 100644
index 0000000..d00d85b
--- /dev/null
+++ b/deploy/decnet-web.service
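Review bot: `ProtectSystem=full` together with `ProtectHome=read-only` leaves this unit with no declared writable location, so if the placeholder `/path/to/DECNET` is substituted with a path under `/home`, `/etc` or `/usr`, or if `decnet api` writes state or logs next to its code, those writes fail at runtime with a read-only filesystem error. Declaring the writable state explicitly, e.g. `StateDirectory=decnet` and `LogsDirectory=decnet` (or `ReadWritePaths=` for a directory under the project tree), keeps the hardening and makes the intent visible to whoever fills in the placeholder. The `.env` file pulled in by `EnvironmentFile=` is the likely home of credentials, so a comment above that line such as `# Keep .env owned by root:decnet with mode 0640; it is read as the service starts` would tell deployers how to protect it. Because the unit carries `CAP_NET_ADMIN`/`CAP_NET_RAW`, the further hardening that does not interfere with link management — `PrivateTmp=yes`, `ProtectControlGroups=yes`, `RestrictSUIDSGID=yes`, `LockPersonality=yes`, and `ProtectKernelTunables=yes` provided the command does not write sysctls — would narrow what a compromised API process can reach.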
@@ -0,0 +1,30 @@
+[Unit]
+Description=DECNET Web Dashboard Service
+After=network.target decnet-api.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/path/to/DECNET
+# Ensure environment is loaded from the .env file
+EnvironmentFile=/path/to/DECNET/.env
+# Use the virtualenv python to run the decnet web command
+ExecStart=/path/to/DECNET/.venv/bin/decnet web
+
+# The Web Dashboard service does not require network administration privileges.
+# Enable the following lines if you wish to bind the Dashboard to a privileged port (e.g., 80 or 443)
+# while still running as a non-root user.
+# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
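Review bot: Both units load the same `EnvironmentFile=/path/to/DECNET/.env` (the API unit is in the previous hunk), so the dashboard process receives every secret the API needs; if `decnet web` only uses a subset, a separate env file or `LoadCredential=` for this unit would keep a compromise of the web process from also disclosing the API's credentials. `After=network.target decnet-api.service` only orders startup; if the dashboard cannot serve without the API, adding `Wants=decnet-api.service` would also pull the API in. Since this unit deliberately runs with no capabilities, its hardening can go further than the API unit's without breaking anything, as sketched below; `ProtectSystem=strict` requires that any writable paths be declared (`StateDirectory=`/`ReadWritePaths=`), and `MemoryDenyWriteExecute=` is left out because Python extension modules may need writable-executable mappings.
```ini
# … unchanged: [Unit], Type, User, Group, WorkingDirectory, EnvironmentFile, ExecStart, commented CAP_NET_BIND_SERVICE lines …

# Security Hardening (no capabilities are needed, so the full set applies)
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
LockPersonality=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
SystemCallFilter=@system-service
# Only writable locations the dashboard gets; adjust to what `decnet web` actually writes
StateDirectory=decnet
LogsDirectory=decnet

# … unchanged: Restart, RestartSec, [Install] …
```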