DECNET/deploy/decnet-emailgen.service.j2
anti f97ec4c2c1 feat(deploy): emailgen systemd unit + bring orchestrator + emailgen into decnet.target
Plug emailgen into the systemd-supervised fleet:

- New deploy/decnet-emailgen.service.j2 mirroring decnet-orchestrator's
  shape: simple service, restart-on-failure, docker supplementary group
  (driver shells `docker exec` to drop EMLs into the spool), the same
  hardening directives as the rest of the fleet.

- decnet.target now Wants both decnet-emailgen.service and
  decnet-orchestrator.service.  Orchestrator's absence from the target
  was a historical oversight — fixing it here while the file is open.

`decnet init` already globs deploy/decnet-*.service.j2 so the new unit
ships automatically; no init-side change needed.  Emailgen-specific env
knobs (DECNET_EMAILGEN_LLM, _MODEL, _PERSONAS, _TIMEOUT) are documented
in the unit and operator-tunable via /opt/decnet/.env.local.
2026-04-26 22:49:16 -04:00

[Unit]
Description=DECNET Emailgen (LLM-driven fake corporate email into IMAP/POP3 deckies)
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Workers#emailgen
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service

[Service]
Type=simple
User={{ user }}
Group={{ group }}
WorkingDirectory={{ install_dir }}
EnvironmentFile=-{{ install_dir }}/.env.local
Environment=DECNET_SYSTEM_LOGS=/var/log/decnet/decnet.emailgen.log
# LLM backend selection + model are operator-tunable via .env.local:
# DECNET_EMAILGEN_LLM=ollama|fake (default: ollama)
# DECNET_EMAILGEN_MODEL=llama3.1 (default: llama3.1)
# DECNET_EMAILGEN_TIMEOUT=60 (LLM wall-clock cap, seconds)
# DECNET_EMAILGEN_PERSONAS=/etc/decnet/email_personas.json
# (override the global persona pool)
ExecStart={{ venv_dir }}/bin/decnet emailgen run
StandardOutput=append:/var/log/decnet/decnet.emailgen.log
StandardError=append:/var/log/decnet/decnet.emailgen.log
# Emailgen drives `docker exec` against IMAP/POP3 decky containers to drop
# .eml files into the spool, identical to the SSH-flavoured orchestrator.
# It does NOT bind to the network, launch new containers, or write outside
# its own logs and install dir.
SupplementaryGroups=docker
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# /etc/decnet is deliberately left out of ReadWritePaths: ProtectSystem=full
# keeps /etc read-only for the worker, so writes from the worker itself are
# blocked, while the operator-run `decnet emailgen import-personas` CLI (which
# runs outside this unit) writes the canonical /etc/decnet/email_personas.json
# and the worker keeps read access to it.
ReadWritePaths={{ install_dir }} /var/log/decnet
Restart=on-failure
RestartSec=5
TimeoutStopSec=15

[Install]
WantedBy=multi-user.target
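A way to verify that a rendered fleet unit still carries the hardening baseline the template above documents. This is an added example, not code from the DECNET project: it is a POSIX shell linter that checks a rendered `.service` file for the exact hardening directives listed in the unit, refuses a root `User=`, and confirms that `ReadWritePaths=` does not reopen /etc/decnet (which the unit's comment says only the operator-run CLI may write). The sample unit it lints is constructed inline with assumed values (user and group `decnet`, install dir `/opt/decnet`, venv `/opt/decnet/venv`) standing in for the Jinja placeholders.

```shell
#!/bin/sh
# Added example, not part of the DECNET repository: lint a rendered
# decnet-*.service unit for the fleet's hardening baseline and for the
# invariant that the worker can read /etc/decnet but never write to it.
set -eu

# Constructed sample: the emailgen unit rendered with assumed values for the
# Jinja placeholders (user/group "decnet", install dir /opt/decnet).
SAMPLE_UNIT="${TMPDIR:-/tmp}/decnet-emailgen.service.sample"
cat > "$SAMPLE_UNIT" <<'EOF'
[Unit]
Description=DECNET Emailgen (constructed sample)
After=network-online.target decnet-bus.service
Wants=network-online.target decnet-bus.service

[Service]
Type=simple
User=decnet
Group=decnet
WorkingDirectory=/opt/decnet
EnvironmentFile=-/opt/decnet/.env.local
ExecStart=/opt/decnet/venv/bin/decnet emailgen run
SupplementaryGroups=docker
CapabilityBoundingSet=
AmbientCapabilities=
# Security Hardening
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
LockPersonality=yes
ReadWritePaths=/opt/decnet /var/log/decnet
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# Directives every fleet unit must carry, exactly as written. Matching is
# whole-line, so a weakened value (e.g. a non-empty CapabilityBoundingSet=)
# is reported as a deviation rather than silently accepted.
REQUIRED_DIRECTIVES="NoNewPrivileges=yes ProtectSystem=full ProtectHome=read-only \
PrivateTmp=yes ProtectKernelTunables=yes ProtectKernelModules=yes \
ProtectControlGroups=yes RestrictSUIDSGID=yes LockPersonality=yes \
CapabilityBoundingSet= AmbientCapabilities="

# check_unit FILE: print one line per finding; return 0 when clean, 1 otherwise.
check_unit() {
    status=0
    # Drop comment lines and trailing whitespace so matches are exact.
    body=$(sed -e '/^[[:space:]]*#/d' -e 's/[[:space:]]*$//' "$1")

    for directive in $REQUIRED_DIRECTIVES; do
        if ! printf '%s\n' "$body" | grep -qxF -- "$directive"; then
            echo "$1: missing hardening directive '$directive'"
            status=1
        fi
    done

    # The worker must run as a dedicated user, never as root.
    user=$(printf '%s\n' "$body" | sed -n 's/^User=//p' | head -n 1)
    case "$user" in
        ''|root) echo "$1: service would run as root"; status=1 ;;
    esac

    # ReadWritePaths must not punch a hole through ProtectSystem=full for
    # /etc/decnet; only the operator-run CLI is allowed to write there.
    for path in $(printf '%s\n' "$body" | sed -n 's/^ReadWritePaths=//p'); do
        case "$path" in
            /etc|/etc/|/etc/decnet|/etc/decnet/*)
                echo "$1: ReadWritePaths grants the worker write access via '$path'"
                status=1 ;;
        esac
    done
    return $status
}

check_unit "$SAMPLE_UNIT" && echo "$SAMPLE_UNIT: hardening baseline OK"
```

Run it against the output of `decnet init` (or `systemctl cat decnet-emailgen.service`) before enabling the unit; it complements rather than replaces `systemd-analyze security`, since it checks the fleet's own baseline and the /etc/decnet write invariant rather than systemd's generic exposure score.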