Add systemd units and install script for MCNS deployment
Ship mcns.service, mcns-backup.service, mcns-backup.timer, and deploy/scripts/install.sh adapted from MCR's deployment files. Includes full security hardening block per engineering standards and AmbientCapabilities=CAP_NET_BIND_SERVICE for DNS port 53. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
25
deploy/systemd/mcns-backup.service
Normal file
25
deploy/systemd/mcns-backup.service
Normal file
@@ -0,0 +1,25 @@
|
||||
[Unit]
|
||||
Description=MCNS Database Backup
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
User=mcns
|
||||
Group=mcns
|
||||
ExecStart=/usr/local/bin/mcns snapshot --config /srv/mcns/mcns.toml
|
||||
ExecStartPost=/usr/bin/find /srv/mcns/backups -name 'mcns-*.db' -mtime +30 -delete
|
||||
|
||||
# Security hardening
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
PrivateTmp=true
|
||||
PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
RestrictSUIDSGID=true
|
||||
RestrictNamespaces=true
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
RestrictRealtime=true
|
||||
ReadWritePaths=/srv/mcns
|
||||
Reference in New Issue
Block a user