Worker unit mirrors decnet-webhook.service shape: simple type, runs as the decnet user/group, append-style log file, full security hardening (NoNewPrivileges/ProtectSystem/ProtectHome/PrivateTmp/LockPersonality + the rest). Added /var/lib/decnet to ReadWritePaths because the API process persists operator-uploaded canary blobs there.

CAP_NET_BIND_SERVICE granted (ambient + bounded) so an operator who overrides DECNET_CANARY_DNS_PORT to 53 or HTTP_PORT to 80/443 in .env.local doesn't need to fight systemd. The defaults stay unprivileged (5353 / 8088).

Added decnet-canary.service to decnet.target so 'systemctl start decnet.target' brings it up alongside the rest of the workers. decnet init auto-discovers deploy/decnet-*.service.j2 files (per decnet/cli/init.py:_install_units) so no further wiring needed — running 'decnet init' on a fresh host installs the new unit.

Static tests confirm the unit references decnet canary, depends on the bus, carries the standard security directives, and is listed in the master target.
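For reference, an illustrative unit file shaped the way the commit message describes (added example, not the project's own decnet-canary.service.j2 template). The binary path /opt/decnet/bin/decnet, the env file location, the log path and the bus unit name decnet-bus.service are assumptions; the user, ReadWritePaths entry, capability and target come from the message above.

```ini
# Illustrative decnet-canary.service; paths and the bus unit name are assumed.
[Unit]
Description=decnet canary worker
# Assumed name for the bus unit the worker depends on.
After=network-online.target decnet-bus.service
Requires=decnet-bus.service
PartOf=decnet.target

[Service]
Type=simple
User=decnet
Group=decnet
# Operator overrides such as DECNET_CANARY_DNS_PORT=53 live here (path assumed).
EnvironmentFile=-/etc/decnet/.env.local
ExecStart=/opt/decnet/bin/decnet canary
# Append-style log file, matching the webhook unit's convention.
StandardOutput=append:/var/log/decnet/canary.log
StandardError=inherit

# Sandbox: read-only OS, no home directories, private /tmp, fixed personality.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
LockPersonality=true
# Only these trees stay writable; /var/lib/decnet holds uploaded canary blobs.
ReadWritePaths=/var/lib/decnet /var/log/decnet

# Grant exactly one capability, in both the bounding and ambient sets, so an
# unprivileged user can bind 53 or 80/443 when the defaults (5353/8088) are
# overridden. Ambient capabilities survive exec even with NoNewPrivileges=true.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=decnet.target
```

After installing, `systemd-analyze security decnet-canary.service` scores the sandbox and lists any directive the unit is missing relative to the rest of the workers.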