DECNET/deploy/decnet-supervise-batch.service.j2
anti 3a46864f30 feat(1.1): decnet supervise batch group + systemd unit (C5)
Hosts reconcile/enrich/orchestrate/mutate in one process via the
supervision primitive: one import floor, one shared repo/DB pool instead
of 4. Static group registry (membership is architectural, not a knob);
factories lazy-import only the hosted workers. systemd unit Conflicts=
the individual units it replaces and documents the union-of-privileges
cost. Worker code unchanged — any member is extractable by editing _build_specs.
2026-06-17 16:50:09 -04:00


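# systemd unit template (rendered via Jinja2 by the deploy tooling) for the
# DECNET batch supervisor: ONE process hosting the reconcile, enrich,
# orchestrate and mutate workers. Read the CONSOLIDATION COST note in
# [Service] before adding a member or loosening the sandbox.
# Keys unknown to an older systemd are logged as warnings and ignored, so the
# hardening directives below degrade gracefully on older hosts.
[Unit]
Description=DECNET Batch Supervisor (hosts reconcile + enrich + orchestrate + mutate in one process)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#supervisor
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service
# Replaces the individual decnet-reconciler / decnet-enrich / decnet-orchestrator
# / decnet-mutator units. Do NOT enable those alongside this one. Conflicts=
# makes systemd stop them when this unit starts (and vice versa); it must name
# ALL four replaced units — a unit missing from this list can run twice, once
# here and once standalone, and the two copies then compete on the same
# repo/DB and docker state.
Conflicts=decnet-reconciler.service decnet-enrich.service decnet-orchestrator.service decnet-mutator.service

[Service]
Type=simple
User={{ user }}
Group={{ group }}
WorkingDirectory={{ install_dir }}
# Optional (leading '-') environment file; presumably where DB credentials and
# threat-intel API keys live — confirm against the deploy role. systemd reads
# it as root BEFORE switching to User=, so it does not need to be readable by
# {{ user }}: keep it root-owned, mode 0600. Note that {{ install_dir }} is in
# ReadWritePaths below, so if the directory itself is writable by {{ user }}
# a compromised worker can still replace the file for the next restart.
EnvironmentFile=-{{ install_dir }}/.env.local
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.supervise-batch.log
ExecStart={{ venv_dir }}/bin/decnet supervise batch
# stdout/stderr and the application's own log target (DECNET_SYSTEM_LOGS)
# point at the same file; lines from the two writers may interleave. The
# directory must pre-exist and be writable by {{ user }} (it is whitelisted
# in ReadWritePaths below).
StandardOutput=append:/var/log/decnet/decnet.supervise-batch.log
StandardError=append:/var/log/decnet/decnet.supervise-batch.log
# CONSOLIDATION COST: this unit holds the UNION of its members' privileges —
# docker socket (reconcile + mutate observe/mutate containers) AND network egress
# (enrich fans out to threat-intel providers). That is a wider blast radius than
# any single worker had. Acceptable for the batch group; weigh it before adding
# a member that needs materially more (e.g. raw sockets).
#
# Be explicit about what the docker group buys an attacker: write access to
# the docker socket lets this process ask dockerd (running as root) to start a
# container with the host filesystem mounted. Every Protect*/Private*/Restrict*
# setting below confines THIS process only; none of them survives a
# `docker run -v /:/host` issued through the socket. The empty
# CapabilityBoundingSet= does not change that either — the privileged work is
# done by the daemon, not by us. Treat {{ user }} as root-equivalent on the
# host, and keep the docker API surface the workers use as narrow as possible.
SupplementaryGroups=docker
# Empty value = drop every capability from the bounding set, so nothing can be
# regained via file capabilities on an executable the worker happens to run.
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening — process-level sandbox. Limited to settings that do not
# need per-deployment validation: SystemCallFilter= and MemoryDenyWriteExecute=
# are deliberately NOT set until the Python workers (and any native extensions
# they load) have been exercised under them.
NoNewPrivileges=yes
ProtectSystem=full
# read-only rather than yes because install_dir/venv_dir may be rendered under
# /home (ReadWritePaths re-opens install_dir); switch to yes if they are not.
ProtectHome=read-only
PrivateTmp=yes
# The docker socket lives under /run, not /dev, so hiding physical devices is safe.
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
LockPersonality=yes
SystemCallArchitectures=native
# Exactly the socket families the members need: AF_UNIX (docker socket, local
# IPC) and AF_INET/AF_INET6 (TCP/UDP incl. DNS and threat-intel egress). This
# is what enforces the "no raw sockets" boundary from the note above — a member
# that needs AF_PACKET or AF_NETLINK must be added HERE, not only to
# _build_specs. If decnet-bus is reached over some other family, add it too.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ReadOnlyPaths=/var/lib/decnet
ReadWritePaths={{ install_dir }} /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=20

[Install]
WantedBy=multi-user.target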