[Unit]
Description=DECNET Campaign Clusterer (identities → campaigns / operations)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#campaign-clusterer
After=network-online.target decnet-bus.service decnet-clusterer.service
Wants=network-online.target decnet-bus.service decnet-clusterer.service

[Service]
Type=simple
User={{ user }}
Group={{ group }}
WorkingDirectory={{ install_dir }}
EnvironmentFile=-{{ install_dir }}/.env.local
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.campaign-clusterer.log
# Subscribes to identity.>; falls back to a 60s slow-tick poll when
# the bus is idle or unavailable. Reads AttackerIdentity rows,
# projects them into the campaign-level similarity graph
# (phase-handoff / shared-infra / temporal overlap / cohort), runs
# union-find, writes campaigns rows + sets
# attacker_identities.campaign_id, and publishes campaign.formed /
# campaign.identity.assigned / campaign.merged / campaign.unmerged
# plus the cross-family identity.campaign.assigned for identity-side
# subscribers.
#
# Master-only: gated via MASTER_ONLY_COMMANDS in decnet/cli/gating.py.
# Sits one layer above decnet-clusterer (the After=/Wants= ensures the
# identity layer is up first; the campaign clusterer then wakes on
# identity.> events fired by it).
ExecStart={{ venv_dir }}/bin/decnet campaign-clusterer
StandardOutput=append:/var/log/decnet/decnet.campaign-clusterer.log
StandardError=append:/var/log/decnet/decnet.campaign-clusterer.log

CapabilityBoundingSet=
AmbientCapabilities=

# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths={{ install_dir }} /var/log/decnet

Restart=on-failure
RestartSec=5
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target