Add systemd units and install script for MCNS deployment

Ship mcns.service, mcns-backup.service, mcns-backup.timer, and
deploy/scripts/install.sh adapted from MCR's deployment files.
Includes full security hardening block per engineering standards
and AmbientCapabilities=CAP_NET_BIND_SERVICE for DNS port 53.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

deploy/systemd/mcns-backup.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=MCNS Database Backup
+
+[Service]
+Type=oneshot
+User=mcns
+Group=mcns
+ExecStart=/usr/local/bin/mcns snapshot --config /srv/mcns/mcns.toml
+ExecStartPost=/usr/bin/find /srv/mcns/backups -name 'mcns-*.db' -mtime +30 -delete
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+ReadWritePaths=/srv/mcns

deploy/systemd/mcns-backup.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=MCNS Daily Database Backup
+
+[Timer]
+OnCalendar=*-*-* 02:00:00 UTC
+RandomizedDelaySec=300
+Persistent=true
+
+[Install]
+WantedBy=timers.target

deploy/systemd/mcns.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=MCNS Networking Service
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=mcns
+Group=mcns
+ExecStart=/usr/local/bin/mcns server --config /srv/mcns/mcns.toml
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictSUIDSGID=true
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+ReadWritePaths=/srv/mcns
+
+# Allow binding to privileged ports (DNS port 53)
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target