feat: add systemd deployment support

gcmsg · claude · gcmsg · commit 36e223007ed3 · 2026-03-08T08:38:37.000+08:00
Add systemd unit file with security hardening, production config
template, env file for secrets, and install/uninstall scripts.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/Makefile b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: build test lint run clean proto fmt vet dashboard
+.PHONY: build test lint run clean proto fmt vet dashboard install uninstall
 
 BINARY := peerclawd
 BUILD_DIR := bin
@@ -33,6 +33,12 @@ vet:
 clean:
 	rm -rf $(BUILD_DIR) coverage.out coverage.html *.db
 
+install: build
+	sudo deploy/systemd/install.sh $(BUILD_DIR)/$(BINARY)
+
+uninstall:
+	sudo deploy/systemd/uninstall.sh
+
 docker-build:
 	docker build -t peerclaw-server:latest .
 
diff --git a/configs/peerclaw.production.yaml b/configs/peerclaw.production.yaml
@@ -0,0 +1,63 @@
+server:
+  http_addr: ":8080"
+  cors_origins: []                   # e.g. ["https://dashboard.example.com"]
+
+auth:
+  required: true
+
+database:
+  driver: "sqlite"                   # "sqlite" or "postgres"
+  dsn: "/var/lib/peerclaw/peerclaw.db"
+
+redis:
+  addr: "localhost:6379"
+  password: "${REDIS_PASSWORD}"
+  db: 0
+
+logging:
+  level: "info"
+  format: "json"
+
+user_auth:
+  enabled: true
+  jwt_secret: "${JWT_SECRET}"
+  access_ttl: "15m"
+  refresh_ttl: "168h"
+  bcrypt_cost: 12
+
+bridge:
+  a2a:
+    enabled: true
+  acp:
+    enabled: true
+  mcp:
+    enabled: true
+
+signaling:
+  enabled: true
+  turn:
+    urls: []                         # e.g. ["turn:turn.example.com:3478"]
+    username: ""
+    credential: "${TURN_CREDENTIAL}"
+
+rate_limit:
+  enabled: true
+  requests_per_sec: 100
+  burst_size: 200
+  max_connections: 1000
+
+observability:
+  enabled: false
+  otlp_endpoint: "localhost:4317"
+  service_name: "peerclaw-gateway"
+  traces_sampling: 0.1
+
+audit_log:
+  enabled: true
+  output: "file:/var/log/peerclaw/audit.log"
+
+federation:
+  enabled: false
+  node_name: "node-1"
+  auth_token: "${FEDERATION_TOKEN}"
+  peers: []
diff --git a/deploy/systemd/install.sh b/deploy/systemd/install.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+#
+# PeerClaw systemd installation script.
+# Usage: sudo ./install.sh [path-to-binary]
+#
+# This script:
+#   1. Creates the peerclaw system user and group
+#   2. Installs the binary to /usr/local/bin/
+#   3. Sets up configuration and data directories
+#   4. Installs and enables the systemd unit
+#
+set -euo pipefail
+
+BINARY="${1:-../../bin/peerclawd}"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+info()  { echo -e "${GREEN}[INFO]${NC}  $*"; }
+warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
+
+# Must run as root.
+if [[ $EUID -ne 0 ]]; then
+    error "This script must be run as root (use sudo)"
+fi
+
+# Check binary exists.
+if [[ ! -f "$BINARY" ]]; then
+    error "Binary not found: $BINARY\n       Build first with: make build"
+fi
+
+info "Installing PeerClaw..."
+
+# 1. Create system user.
+if ! id -u peerclaw &>/dev/null; then
+    useradd --system --no-create-home --shell /usr/sbin/nologin --user-group peerclaw
+    info "Created system user: peerclaw"
+else
+    info "System user peerclaw already exists"
+fi
+
+# 2. Install binary.
+install -m 0755 "$BINARY" /usr/local/bin/peerclawd
+info "Installed binary to /usr/local/bin/peerclawd"
+
+# 3. Create directories.
+install -d -m 0755 -o peerclaw -g peerclaw /var/lib/peerclaw
+install -d -m 0755 -o peerclaw -g peerclaw /var/log/peerclaw
+install -d -m 0750 -o root    -g peerclaw /etc/peerclaw
+info "Created directories: /var/lib/peerclaw, /var/log/peerclaw, /etc/peerclaw"
+
+# 4. Install config (don't overwrite existing).
+if [[ ! -f /etc/peerclaw/config.yaml ]]; then
+    install -m 0640 -o root -g peerclaw "$SCRIPT_DIR/../../configs/peerclaw.production.yaml" /etc/peerclaw/config.yaml
+    info "Installed config to /etc/peerclaw/config.yaml"
+else
+    warn "Config /etc/peerclaw/config.yaml already exists, skipping"
+fi
+
+if [[ ! -f /etc/peerclaw/peerclaw.env ]]; then
+    install -m 0640 -o root -g peerclaw "$SCRIPT_DIR/peerclaw.env" /etc/peerclaw/peerclaw.env
+    info "Installed env file to /etc/peerclaw/peerclaw.env"
+    warn "Edit /etc/peerclaw/peerclaw.env and set JWT_SECRET before starting"
+else
+    warn "Env file /etc/peerclaw/peerclaw.env already exists, skipping"
+fi
+
+# 5. Install systemd unit.
+install -m 0644 "$SCRIPT_DIR/peerclawd.service" /etc/systemd/system/peerclawd.service
+systemctl daemon-reload
+info "Installed systemd unit: peerclawd.service"
+
+# 6. Enable (but don't start yet).
+systemctl enable peerclawd.service
+info "Enabled peerclawd.service"
+
+echo ""
+info "Installation complete!"
+echo ""
+echo "  Next steps:"
+echo "    1. Edit /etc/peerclaw/peerclaw.env and set JWT_SECRET:"
+echo "       sudo nano /etc/peerclaw/peerclaw.env"
+echo ""
+echo "    2. Review /etc/peerclaw/config.yaml for your environment:"
+echo "       sudo nano /etc/peerclaw/config.yaml"
+echo ""
+echo "    3. Start the service:"
+echo "       sudo systemctl start peerclawd"
+echo ""
+echo "    4. Check status:"
+echo "       sudo systemctl status peerclawd"
+echo "       sudo journalctl -u peerclawd -f"
+echo ""
diff --git a/deploy/systemd/peerclaw.env b/deploy/systemd/peerclaw.env
@@ -0,0 +1,15 @@
+# PeerClaw environment variables for systemd.
+# Copy to /etc/peerclaw/peerclaw.env and fill in production values.
+# This file is referenced by EnvironmentFile= in the unit file.
+
+# JWT secret for user authentication (required, generate with: openssl rand -hex 32)
+JWT_SECRET=
+
+# Redis password (leave empty if Redis has no auth)
+REDIS_PASSWORD=
+
+# TURN server credential for WebRTC NAT traversal
+TURN_CREDENTIAL=
+
+# Federation auth token (required if federation is enabled)
+FEDERATION_TOKEN=
diff --git a/deploy/systemd/peerclawd.service b/deploy/systemd/peerclawd.service
@@ -0,0 +1,63 @@
+[Unit]
+Description=PeerClaw Agent Gateway
+Documentation=https://github.com/peerclaw/peerclaw-server
+After=network-online.target
+Wants=network-online.target
+# Uncomment if using PostgreSQL or Redis:
+# After=network-online.target postgresql.service redis.service
+
+[Service]
+Type=simple
+User=peerclaw
+Group=peerclaw
+
+ExecStart=/usr/local/bin/peerclawd -config /etc/peerclaw/config.yaml
+
+WorkingDirectory=/var/lib/peerclaw
+RuntimeDirectory=peerclaw
+StateDirectory=peerclaw
+LogsDirectory=peerclaw
+ConfigurationDirectory=peerclaw
+
+# Environment file for secrets (JWT_SECRET, REDIS_PASSWORD, etc.)
+EnvironmentFile=-/etc/peerclaw/peerclaw.env
+
+# Restart policy
+Restart=on-failure
+RestartSec=5
+StartLimitIntervalSec=60
+StartLimitBurst=5
+
+# Graceful shutdown
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=30
+
+# Security hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictSUIDSGID=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+MemoryDenyWriteExecute=yes
+LockPersonality=yes
+
+# Allow binding to port 8080 (non-privileged)
+AmbientCapabilities=
+CapabilityBoundingSet=
+
+# File descriptor limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+# Read-write paths for data and logs
+ReadWritePaths=/var/lib/peerclaw /var/log/peerclaw
+
+[Install]
+WantedBy=multi-user.target
diff --git a/deploy/systemd/uninstall.sh b/deploy/systemd/uninstall.sh
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+#
+# PeerClaw systemd uninstall script.
+# Usage: sudo ./uninstall.sh [--purge]
+#
+# --purge  Also removes config, data, logs, and the system user.
+#
+set -euo pipefail
+
+PURGE=false
+if [[ "${1:-}" == "--purge" ]]; then
+    PURGE=true
+fi
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+info()  { echo -e "${GREEN}[INFO]${NC}  $*"; }
+warn()  { echo -e "${YELLOW}[WARN]${NC}  $*"; }
+error() { echo -e "${RED}[ERROR]${NC} $*" >&2; exit 1; }
+
+if [[ $EUID -ne 0 ]]; then
+    error "This script must be run as root (use sudo)"
+fi
+
+info "Uninstalling PeerClaw..."
+
+# Stop and disable service.
+if systemctl is-active --quiet peerclawd 2>/dev/null; then
+    systemctl stop peerclawd
+    info "Stopped peerclawd service"
+fi
+
+if systemctl is-enabled --quiet peerclawd 2>/dev/null; then
+    systemctl disable peerclawd
+    info "Disabled peerclawd service"
+fi
+
+# Remove unit file.
+rm -f /etc/systemd/system/peerclawd.service
+systemctl daemon-reload
+info "Removed systemd unit"
+
+# Remove binary.
+rm -f /usr/local/bin/peerclawd
+info "Removed /usr/local/bin/peerclawd"
+
+if $PURGE; then
+    warn "Purging all data, config, and logs..."
+    rm -rf /var/lib/peerclaw
+    rm -rf /var/log/peerclaw
+    rm -rf /etc/peerclaw
+    info "Removed /var/lib/peerclaw, /var/log/peerclaw, /etc/peerclaw"
+
+    if id -u peerclaw &>/dev/null; then
+        userdel peerclaw 2>/dev/null || true
+        info "Removed system user: peerclaw"
+    fi
+fi
+
+echo ""
+info "Uninstall complete."
+if ! $PURGE; then
+    echo "  Config, data, and logs were preserved."
+    echo "  Run with --purge to remove everything."
+fi
