From f0f15fccb00df690534ea4615d4da9bbf69e0dfb Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 26 Mar 2026 13:30:06 -0700
Subject: [PATCH] Add mcp-agent systemd service to NixOS config
---
 .claude/settings.local.json | 9 ++++++++
 configs/mcp.nix | 41 ++++++++++++++++++++++++++++++++++---
 2 files changed, 47 insertions(+), 3 deletions(-)
 create mode 100644 .claude/settings.local.json
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
new file mode 100644
index 0000000..1552e97
--- /dev/null
+++ b/.claude/settings.local.json
@@ -0,0 +1,9 @@
+{
+ "permissions": {
+ "allow": [
+ "Bash(git add:*)",
+ "Bash(git commit:*)",
+ "Bash(git push:*)"
+ ]
+ }
+}
diff --git a/configs/mcp.nix b/configs/mcp.nix
index be2ad00..4c53445 100644
--- a/configs/mcp.nix
+++ b/configs/mcp.nix
@@ -1,8 +1,7 @@
 # MCP (Metacircular Control Plane) agent user and configuration.
 #
-# Creates a dedicated 'mcp' system user with rootless podman support.
-# The agent runs as this user and manages containers for all platform
-# services via /srv/.
+# Creates a dedicated 'mcp' system user with rootless podman support
+# and a systemd service for the agent daemon.
 { pkgs, ... }: {
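Review bot: Committing `.claude/settings.local.json` turns `"Bash(git push:*)"` into a pre-approved, unprompted command for every checkout of this repository, whereas by Claude Code's convention that file holds one developer's personal, untracked approvals. Because the `:*` suffix appears to match any argument list, the rule also covers `git push --force` and pushes to arbitrary remotes, so an agent session could rewrite shared history without a human confirming. If team-wide approvals are intended, move them to the tracked `.claude/settings.json` with narrower patterns (for example the specific remote and branch the workflow actually pushes to) and add `.claude/settings.local.json` to `.gitignore`; otherwise drop this file from the commit.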
@@ -18,4 +17,40 @@
 };
 users.groups.mcp = {};
+
+ systemd.services.mcp-agent = {
+ description = "MCP Agent";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "/usr/local/bin/mcp-agent server --config /srv/mcp/mcp-agent.toml";
+ Restart = "on-failure";
+ RestartSec = 5;
+
+ User = "mcp";
+ Group = "mcp";
+ Environment = [
+ "HOME=/srv/mcp"
+ "XDG_RUNTIME_DIR=/run/user/%U"
+ ];
+
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictSUIDSGID = true;
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ ReadWritePaths = "/srv";
+ };
+ };
 }
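Review bot: `"XDG_RUNTIME_DIR=/run/user/%U"` does not point at the mcp user's runtime directory: in a system unit the `%U` specifier expands to the UID of the service manager, i.e. `0`, and is not influenced by `User=`, so the agent is handed `/run/user/0`, a root-owned path that only exists while root has a logind session. Let systemd create a directory the unit actually owns instead — `RuntimeDirectory = "mcp";` in serviceConfig and `"XDG_RUNTIME_DIR=/run/mcp"` in Environment — or enable lingering for the user and spell out its fixed UID if a per-user `/run/user/<uid>` layout is required. If mcp-agent launches rootless podman as the file header says, `RestrictNamespaces = true` and `NoNewPrivileges = true` will likely prevent it from creating user namespaces and from using the setuid newuidmap/newgidmap helpers, so container creation is expected to fail under this profile unless those two are relaxed. `ExecStart` also runs `/usr/local/bin/mcp-agent`, a path nothing in this module installs or pins; with `pkgs` already in scope, a store path such as `${pkgs.mcp-agent}/bin/mcp-agent` would be the declarative form if such a package exists. The enclosing attribute set opens before this hunk.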