anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
5df995fda16be30c3618da4a9955a0f874032162
DECNET/deploy/decnet-forwarder.service
anti f5a5fec607 feat(deploy): systemd units w/ capability-based hardening; updater restarts agent via systemctl 
Add deploy/ unit files for every DECNET daemon (agent, updater, api, web,
swarmctl, listener, forwarder). All run as User=decnet with NoNewPrivileges,
ProtectSystem, PrivateTmp, LockPersonality; AmbientCapabilities=CAP_NET_ADMIN
CAP_NET_RAW only on the agent (MACVLAN/scapy). Existing api/web units migrated
to /opt/decnet layout and the same hardening stanza.

Make the updater's _spawn_agent systemd-aware: under systemd (detected via
INVOCATION_ID + systemctl on PATH), `systemctl restart decnet-agent.service`
replaces the Popen path so the new agent inherits the unit's ambient caps
instead of the updater's empty set. _stop_agent becomes a no-op in that mode
to avoid racing systemctl's own stop phase.

Tests cover the dispatcher branch selection, MainPID parsing, and the
systemd no-op stop.
2026-04-19 00:44:06 -04:00

47 lines
1.3 KiB
Desktop File
Raw Blame History

[Unit]
Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425)
Documentation=https://github.com/4nt11/DECNET/wiki/Logging-and-Syslog
After=network-online.target
Wants=network-online.target
# The forwarder can run independently of the agent — it only needs the local
# log file to exist and the master to be reachable.
[Service]
Type=simple
User=decnet
Group=decnet
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
# Replace <master-host> with the master's LAN address or hostname. The agent
# cert bundle at /etc/decnet/agent is reused — the forwarder presents the same
# worker identity when it connects to the master's listener.
ExecStart=/opt/decnet/venv/bin/decnet forwarder \
--log-file /var/log/decnet/decnet.log \
--master-host ${DECNET_SWARM_MASTER_HOST} \
--master-port 6514 \
--agent-dir /etc/decnet/agent
# TLS client connection; no special capabilities.
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Reads the tailed log; writes a small byte-offset state file alongside it.
ReadWritePaths=/var/log/decnet
ReadOnlyPaths=/etc/decnet
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Reference in New Issue View Git Blame Copy Permalink