feat: add systemd service templates for API and Web Dashboard

deploy/decnet-api.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=DECNET API Service
+After=network.target docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/path/to/DECNET
+# Ensure environment is loaded from the .env file
+EnvironmentFile=/path/to/DECNET/.env
+# Use the virtualenv python to run the decnet api command
+ExecStart=/path/to/DECNET/.venv/bin/decnet api
+
+# Capabilities required to manage MACVLAN interfaces and network links without root
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

deploy/decnet-web.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=DECNET Web Dashboard Service
+After=network.target decnet-api.service
+
+[Service]
+Type=simple
+User=decnet
+Group=decnet
+WorkingDirectory=/path/to/DECNET
+# Ensure environment is loaded from the .env file
+EnvironmentFile=/path/to/DECNET/.env
+# Use the virtualenv python to run the decnet web command
+ExecStart=/path/to/DECNET/.venv/bin/decnet web
+
+# The Web Dashboard service does not require network administration privileges.
+# Enable the following lines if you wish to bind the Dashboard to a privileged port (e.g., 80 or 443) 
+# while still running as a non-root user.
+# CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# Security Hardening
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=read-only
+
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target