From b26478d47bffac54894c1d68f9b000a630e54322 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 2 Apr 2026 20:39:20 -0700
Subject: [PATCH] Add mcp-master systemd service

Runs the MCP v2 master as a systemd service on rift. Uses ConditionPathExists so the unit is a no-op on worker nodes (like orion) that import mcp.nix but don't have the binary. Starts after mcp-agent.service. Security hardened like the agent but with ProtectHome=true (master doesn't need /run/user).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 configs/mcp.nix | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/configs/mcp.nix b/configs/mcp.nix
index 30d91ba..c4a55ff 100644
--- a/configs/mcp.nix
+++ b/configs/mcp.nix
@@ -22,6 +22,41 @@ in
   users.groups.mcp = {};
+  # MCP Master — multi-node orchestrator (v2).
+  # Runs on the master node only (rift). Coordinates deployments across
+  # agents, manages edge routing, and maintains cluster state.
+  # Uses ExecStartPre to skip startup if the binary is absent (safe on
+  # worker nodes that import this module but don't run the master).
+  systemd.services.mcp-master = {
+    description = "MCP Master";
+    after = [ "network-online.target" "mcp-agent.service" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    unitConfig = {
+      ConditionPathExists = "/srv/mcp-master/mcp-master";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/srv/mcp-master/mcp-master server --config /srv/mcp-master/mcp-master.toml";
+      Restart = "on-failure";
+      RestartSec = 5;
+
+      NoNewPrivileges = true;
+      ProtectSystem = "full";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      RestrictSUIDSGID = true;
+      LockPersonality = true;
+      RestrictRealtime = true;
+      ReadWritePaths = [ "/srv/mcp-master" ];
+    };
+  };
+
   systemd.services.mcp-agent = {
     description = "MCP Agent";
     after = [ "network-online.target" ];
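Review bot: The new `serviceConfig` sets no `User`/`Group`, so mcp-master runs as root, while `ReadWritePaths = [ "/srv/mcp-master" ]` keeps the directory holding its own `ExecStart` binary and config writable, meaning a compromised process can rewrite what it is started from. Under `ProtectSystem = "full"` that `ReadWritePaths` entry is also a no-op, since only /usr, /boot, /efi and /etc become read-only; `ProtectSystem = "strict";` would make it the intended allow-list, ideally narrowed to a state subdirectory rather than the binary's directory. The module already declares `users.groups.mcp`, so `User = "mcp"; Group = "mcp";` looks available, assuming the agent unit (which continues outside this hunk) does the same. The header comment says `Uses ExecStartPre to skip startup`, but the code uses `ConditionPathExists`; suggest `# Uses ConditionPathExists to skip the unit if the binary is absent (safe on`. The enclosing attribute set continues past the end of the hunk.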