Use systemd unit files for disabling the remote access

[lslezak]

Problem

• Using the new inst.listen_on boot option to disable remote access to the server looks inconsistent (for disabling the SSH access you can use the systemd.mask=sshd.service boot option)
• Simplify the implementation, limiting access to some interface or IP address was not requested
• Related to Optionally disable remote access #3269

Solution

• Use systemd services to implement disabling the remote access
• Implement new agama-web-server-local and agama-web-server-remote services, ensure only one of them can be running and disabling one enables running the other one.

Testing

• Tested manually

The default behavior (no boot option specified): the local service is inactive, the remote service is running.

agama:~ # systemctl status agama-web-server-local.service 
○ agama-web-server-local.service - Agama Web Server (Local access only)
     Loaded: loaded (/usr/lib/systemd/system/agama-web-server-local.service; enabled; preset: disabled)
     Active: inactive (dead)
agama:~ # systemctl status agama-web-server-remote.service
● agama-web-server-remote.service - Agama Web Server (Remote and local access)
     Loaded: loaded (/usr/lib/systemd/system/agama-web-server-remote.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-03-26 20:41:50 CET; 10min ago
 Invocation: d0871c93d1d0486db99dfcb941441a98
   Main PID: 2299 (Zypp-main)
      Tasks: 22 (limit: 4525)
        CPU: 1.407s
     CGroup: /system.slice/agama-web-server-remote.service
             ├─2299 /usr/bin/agama-web-server serve --address :::80,0.0.0.0:80 --address :::443,0.0.0.0:443
             ├─3433 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/PublicKey --daemon
             ├─3435 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/PublicKey
             ├─3443 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/zypp-trusted-kr2SLwoo --daemon
             └─3445 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/zypp-trusted-kr2SLwoo

With the systemd.mask=agama-web-server-remote.service boot option the remote service is inactive and the local service is running:

agama:~ # systemctl status agama-web-server-remote.service
○ agama-web-server-remote.service
     Loaded: masked (Reason: Unit agama-web-server-remote.service is masked.)
     Active: inactive (dead)
agama:~ # systemctl status agama-web-server-local.service 
● agama-web-server-local.service - Agama Web Server (Local access only)
     Loaded: loaded (/usr/lib/systemd/system/agama-web-server-local.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-03-26 21:06:17 CET; 1min 15s ago
 Invocation: e2ac57b5b4a349d285c9b745002a2e2e
   Main PID: 2276 (Zypp-main)
      Tasks: 21 (limit: 4525)
        CPU: 1.328s
     CGroup: /system.slice/agama-web-server-local.service
             ├─2276 /usr/bin/agama-web-server serve --address ::1:80,127.0.0.1:80 --address ::1:443,127.0.0.1:>
             ├─3418 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/PublicKey --daemon
             ├─3420 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/PublicKey
             ├─3428 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/zypp-trusted-kr17fHIU --daemon
             └─3430 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/zypp-trusted-kr17fHIU