anti
f21453afdc
Adds the five missing worker units plus a grouping target so `systemctl start decnet.target` brings the whole fleet up in order. Sniffer gets CAP_NET_RAW for scapy; collector and mutator join the docker supplementary group for docker.sock access. Repoints Documentation= across all existing units to the canonical git.resacachile.cl wiki.
47 lines
1.4 KiB
Desktop File
47 lines
1.4 KiB
Desktop File
[Unit]
|
|
Description=DECNET Syslog-over-TLS Forwarder (worker, RFC 5425)
|
|
Documentation=https://git.resacachile.cl/anti/DECNET/wiki/Logging-and-Syslog
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
# The forwarder can run independently of the agent — it only needs the local
|
|
# log file to exist and the master to be reachable.
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=decnet
|
|
Group=decnet
|
|
WorkingDirectory=/opt/decnet
|
|
EnvironmentFile=-/opt/decnet/.env.local
|
|
# Replace <master-host> with the master's LAN address or hostname. The agent
|
|
# cert bundle at /etc/decnet/agent is reused — the forwarder presents the same
|
|
# worker identity when it connects to the master's listener.
|
|
ExecStart=/opt/decnet/venv/bin/decnet forwarder \
|
|
--log-file /var/log/decnet/decnet.log \
|
|
--master-host ${DECNET_SWARM_MASTER_HOST} \
|
|
--master-port 6514 \
|
|
--agent-dir /etc/decnet/agent
|
|
|
|
# TLS client connection; no special capabilities.
|
|
CapabilityBoundingSet=
|
|
AmbientCapabilities=
|
|
|
|
# Security Hardening
|
|
NoNewPrivileges=yes
|
|
ProtectSystem=full
|
|
ProtectHome=read-only
|
|
PrivateTmp=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectKernelModules=yes
|
|
ProtectControlGroups=yes
|
|
RestrictSUIDSGID=yes
|
|
LockPersonality=yes
|
|
# Reads the tailed log; writes a small byte-offset state file alongside it.
|
|
ReadWritePaths=/var/log/decnet
|
|
ReadOnlyPaths=/etc/decnet
|
|
|
|
Restart=on-failure
|
|
RestartSec=5
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|