barycenter/deploy/systemd/README.md

# systemd Deployment

This directory contains systemd service files for running Barycenter on Linux systems.

## Installation

1. **Create the barycenter user:**
   ```bash
   sudo useradd -r -s /bin/false -d /var/lib/barycenter barycenter
   ```

2. **Create required directories:**
   ```bash
   sudo mkdir -p /etc/barycenter /var/lib/barycenter/data
   sudo chown -R barycenter:barycenter /var/lib/barycenter
   ```

3. **Install the binary:**
   ```bash
   sudo cargo build --release
   sudo cp target/release/barycenter /usr/local/bin/
   sudo chmod +x /usr/local/bin/barycenter
   ```

4. **Install the configuration:**
   ```bash
   sudo cp config.toml /etc/barycenter/config.toml
   sudo chown root:barycenter /etc/barycenter/config.toml
   sudo chmod 640 /etc/barycenter/config.toml
   ```

   Edit `/etc/barycenter/config.toml` and update paths:
   ```toml
   [database]
   url = "sqlite:///var/lib/barycenter/barycenter.db?mode=rwc"

   [keys]
   jwks_path = "/var/lib/barycenter/data/jwks.json"
   private_key_path = "/var/lib/barycenter/data/private_key.pem"
   ```

5. **Install the systemd service:**
   ```bash
   sudo cp deploy/systemd/barycenter.service /etc/systemd/system/
   sudo systemctl daemon-reload
   ```

6. **Enable and start the service:**
   ```bash
   sudo systemctl enable barycenter
   sudo systemctl start barycenter
   ```

## Management

**Check status:**
```bash
sudo systemctl status barycenter
```

**View logs:**
```bash
sudo journalctl -u barycenter -f
```

**Restart service:**
```bash
sudo systemctl restart barycenter
```

**Stop service:**
```bash
sudo systemctl stop barycenter
```

## Security

The service runs with extensive security hardening:
- Runs as non-root user
- Private /tmp directory
- Read-only filesystem (except data directory)
- System call filtering
- Memory protections
- No new privileges

## Environment Variables

You can override configuration using environment variables in the service file:

```ini
[Service]
Environment="BARYCENTER__SERVER__PUBLIC_BASE_URL=https://idp.example.com"
Environment="RUST_LOG=debug"
```
feat: add deployment configurations for multiple platforms Add comprehensive deployment support for: - Docker: Multi-stage Dockerfile with security hardening - Docker Compose: Production-ready compose file with volume persistence - Kubernetes: Complete Helm chart with configurable values, ingress, PVC - Linux: systemd service unit with extensive security hardening - FreeBSD: rc.d init script with proper daemon management - illumos/Solaris: SMF manifest with service contract management Each platform includes: - Installation scripts/manifests - Configuration examples - Management instructions - Security best practices - Troubleshooting guides The Helm chart provides: - Configurable resources and autoscaling - Security contexts and pod security - Health checks (liveness/readiness probes) - Ingress with TLS support - Persistent volume claims - Service account management All deployments follow security best practices: - Non-root user execution - Minimal privileges - Read-only root filesystems where applicable - Resource limits - Network policies Added DEPLOYMENT.md with comprehensive deployment guide covering all platforms, configuration options, and production checklist. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:30:46 +01:00			`# systemd Deployment`

			`This directory contains systemd service files for running Barycenter on Linux systems.`

			`## Installation`

			`1. Create the barycenter user:`
			```bash
			`sudo useradd -r -s /bin/false -d /var/lib/barycenter barycenter`
			```

			`2. Create required directories:`
			```bash
			`sudo mkdir -p /etc/barycenter /var/lib/barycenter/data`
			`sudo chown -R barycenter:barycenter /var/lib/barycenter`
			```

			`3. Install the binary:`
			```bash
			`sudo cargo build --release`
			`sudo cp target/release/barycenter /usr/local/bin/`
			`sudo chmod +x /usr/local/bin/barycenter`
			```

			`4. Install the configuration:`
			```bash
			`sudo cp config.toml /etc/barycenter/config.toml`
			`sudo chown root:barycenter /etc/barycenter/config.toml`
			`sudo chmod 640 /etc/barycenter/config.toml`
			```

			Edit `/etc/barycenter/config.toml` and update paths:
			```toml
			`[database]`
refactor: update crabidp references to barycenter and add Gateway API support Replace all remaining references to "crabidp" with "barycenter" across: - Source code (error diagnostics, CLI name, comments) - Configuration files and defaults - Environment variable prefixes (CRABIDP__ → BARYCENTER__) - Documentation (CLAUDE.md, README.md, DEPLOYMENT.md) - Deployment configurations (Docker Compose, Helm, systemd, FreeBSD, illumos) - Database filenames (crabidp.db → barycenter.db) Add Kubernetes Gateway API support to Helm chart: - New HTTPRoute template for Gateway API - Configurable parentRefs, hostnames, filters, and weights - Support for advanced traffic management features - Gateway API as modern alternative to traditional Ingress - Documentation and examples in DEPLOYMENT.md Benefits of Gateway API: - More expressive and extensible routing - Role-oriented design with separation of concerns - Better vendor portability - Advanced traffic management capabilities The Helm chart now supports both traditional Ingress and Gateway API, allowing users to choose based on their cluster capabilities and requirements. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:38:07 +01:00			`url = "sqlite:///var/lib/barycenter/barycenter.db?mode=rwc"`
feat: add deployment configurations for multiple platforms Add comprehensive deployment support for: - Docker: Multi-stage Dockerfile with security hardening - Docker Compose: Production-ready compose file with volume persistence - Kubernetes: Complete Helm chart with configurable values, ingress, PVC - Linux: systemd service unit with extensive security hardening - FreeBSD: rc.d init script with proper daemon management - illumos/Solaris: SMF manifest with service contract management Each platform includes: - Installation scripts/manifests - Configuration examples - Management instructions - Security best practices - Troubleshooting guides The Helm chart provides: - Configurable resources and autoscaling - Security contexts and pod security - Health checks (liveness/readiness probes) - Ingress with TLS support - Persistent volume claims - Service account management All deployments follow security best practices: - Non-root user execution - Minimal privileges - Read-only root filesystems where applicable - Resource limits - Network policies Added DEPLOYMENT.md with comprehensive deployment guide covering all platforms, configuration options, and production checklist. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:30:46 +01:00
			`[keys]`
			`jwks_path = "/var/lib/barycenter/data/jwks.json"`
			`private_key_path = "/var/lib/barycenter/data/private_key.pem"`
			```

			`5. Install the systemd service:`
			```bash
			`sudo cp deploy/systemd/barycenter.service /etc/systemd/system/`
			`sudo systemctl daemon-reload`
			```

			`6. Enable and start the service:`
			```bash
			`sudo systemctl enable barycenter`
			`sudo systemctl start barycenter`
			```

			`## Management`

			`Check status:`
			```bash
			`sudo systemctl status barycenter`
			```

			`View logs:`
			```bash
			`sudo journalctl -u barycenter -f`
			```

			`Restart service:`
			```bash
			`sudo systemctl restart barycenter`
			```

			`Stop service:`
			```bash
			`sudo systemctl stop barycenter`
			```

			`## Security`

			`The service runs with extensive security hardening:`
			`- Runs as non-root user`
			`- Private /tmp directory`
			`- Read-only filesystem (except data directory)`
			`- System call filtering`
			`- Memory protections`
			`- No new privileges`

			`## Environment Variables`

			`You can override configuration using environment variables in the service file:`

			```ini
			`[Service]`
refactor: update crabidp references to barycenter and add Gateway API support Replace all remaining references to "crabidp" with "barycenter" across: - Source code (error diagnostics, CLI name, comments) - Configuration files and defaults - Environment variable prefixes (CRABIDP__ → BARYCENTER__) - Documentation (CLAUDE.md, README.md, DEPLOYMENT.md) - Deployment configurations (Docker Compose, Helm, systemd, FreeBSD, illumos) - Database filenames (crabidp.db → barycenter.db) Add Kubernetes Gateway API support to Helm chart: - New HTTPRoute template for Gateway API - Configurable parentRefs, hostnames, filters, and weights - Support for advanced traffic management features - Gateway API as modern alternative to traditional Ingress - Documentation and examples in DEPLOYMENT.md Benefits of Gateway API: - More expressive and extensible routing - Role-oriented design with separation of concerns - Better vendor portability - Advanced traffic management capabilities The Helm chart now supports both traditional Ingress and Gateway API, allowing users to choose based on their cluster capabilities and requirements. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:38:07 +01:00			`Environment="BARYCENTER__SERVER__PUBLIC_BASE_URL=https://idp.example.com"`
feat: add deployment configurations for multiple platforms Add comprehensive deployment support for: - Docker: Multi-stage Dockerfile with security hardening - Docker Compose: Production-ready compose file with volume persistence - Kubernetes: Complete Helm chart with configurable values, ingress, PVC - Linux: systemd service unit with extensive security hardening - FreeBSD: rc.d init script with proper daemon management - illumos/Solaris: SMF manifest with service contract management Each platform includes: - Installation scripts/manifests - Configuration examples - Management instructions - Security best practices - Troubleshooting guides The Helm chart provides: - Configurable resources and autoscaling - Security contexts and pod security - Health checks (liveness/readiness probes) - Ingress with TLS support - Persistent volume claims - Service account management All deployments follow security best practices: - Non-root user execution - Minimal privileges - Read-only root filesystems where applicable - Resource limits - Network policies Added DEPLOYMENT.md with comprehensive deployment guide covering all platforms, configuration options, and production checklist. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:30:46 +01:00			`Environment="RUST_LOG=debug"`
			```