Add mcp-agent systemd service to NixOS config

.claude/settings.local.json

@@ -0,0 +1,9 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git add:*)",
+      "Bash(git commit:*)",
+      "Bash(git push:*)"
+    ]
+  }
+}

configs/mcp.nix

@@ -1,8 +1,7 @@
 # MCP (Metacircular Control Plane) agent user and configuration.
 #
-# Creates a dedicated 'mcp' system user with rootless podman support.
+# Creates a dedicated 'mcp' system user with rootless podman support
-# The agent runs as this user and manages containers for all platform
+# and a systemd service for the agent daemon.
-# services via /srv/.
 { pkgs, ... }:
 
 {
@@ -18,4 +17,40 @@
   };
 
   users.groups.mcp = {};
+
+  systemd.services.mcp-agent = {
+    description = "MCP Agent";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "/usr/local/bin/mcp-agent server --config /srv/mcp/mcp-agent.toml";
+      Restart = "on-failure";
+      RestartSec = 5;
+
+      User = "mcp";
+      Group = "mcp";
+      Environment = [
+        "HOME=/srv/mcp"
+        "XDG_RUNTIME_DIR=/run/user/%U"
+      ];
+
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      RestrictSUIDSGID = true;
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      ReadWritePaths = "/srv";
+    };
+  };
 }