barycenter/deploy/systemd/barycenter.service

[Unit]
Description=Barycenter OpenID Connect Identity Provider
Documentation=https://github.com/yourusername/barycenter
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=barycenter
Group=barycenter

# Paths
WorkingDirectory=/var/lib/barycenter
ExecStart=/usr/local/bin/barycenter --config /etc/barycenter/config.toml

# Security hardening
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/lib/barycenter
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictNamespaces=true
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# Resource limits
LimitNOFILE=65535
LimitNPROC=512

# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=barycenter

# Environment
Environment="RUST_LOG=info"
# Override config with environment variables:
# Environment="CRABIDP__SERVER__PUBLIC_BASE_URL=https://idp.example.com"

# Restart policy
Restart=on-failure
RestartSec=5s
StartLimitInterval=60s
StartLimitBurst=3

[Install]
WantedBy=multi-user.target
feat: add deployment configurations for multiple platforms Add comprehensive deployment support for: - Docker: Multi-stage Dockerfile with security hardening - Docker Compose: Production-ready compose file with volume persistence - Kubernetes: Complete Helm chart with configurable values, ingress, PVC - Linux: systemd service unit with extensive security hardening - FreeBSD: rc.d init script with proper daemon management - illumos/Solaris: SMF manifest with service contract management Each platform includes: - Installation scripts/manifests - Configuration examples - Management instructions - Security best practices - Troubleshooting guides The Helm chart provides: - Configurable resources and autoscaling - Security contexts and pod security - Health checks (liveness/readiness probes) - Ingress with TLS support - Persistent volume claims - Service account management All deployments follow security best practices: - Non-root user execution - Minimal privileges - Read-only root filesystems where applicable - Resource limits - Network policies Added DEPLOYMENT.md with comprehensive deployment guide covering all platforms, configuration options, and production checklist. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-11-29 15:30:46 +01:00			`[Unit]`
			`Description=Barycenter OpenID Connect Identity Provider`
			`Documentation=https://github.com/yourusername/barycenter`
			`After=network-online.target`
			`Wants=network-online.target`

			`[Service]`
			`Type=simple`
			`User=barycenter`
			`Group=barycenter`

			`# Paths`
			`WorkingDirectory=/var/lib/barycenter`
			`ExecStart=/usr/local/bin/barycenter --config /etc/barycenter/config.toml`

			`# Security hardening`
			`NoNewPrivileges=true`
			`PrivateTmp=true`
			`ProtectSystem=strict`
			`ProtectHome=true`
			`ReadWritePaths=/var/lib/barycenter`
			`ProtectKernelTunables=true`
			`ProtectKernelModules=true`
			`ProtectControlGroups=true`
			`RestrictRealtime=true`
			`RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`
			`LockPersonality=true`
			`MemoryDenyWriteExecute=true`
			`RestrictNamespaces=true`
			`SystemCallFilter=@system-service`
			`SystemCallErrorNumber=EPERM`
			`SystemCallArchitectures=native`

			`# Resource limits`
			`LimitNOFILE=65535`
			`LimitNPROC=512`

			`# Logging`
			`StandardOutput=journal`
			`StandardError=journal`
			`SyslogIdentifier=barycenter`

			`# Environment`
			`Environment="RUST_LOG=info"`
			`# Override config with environment variables:`
			`# Environment="CRABIDP__SERVER__PUBLIC_BASE_URL=https://idp.example.com"`

			`# Restart policy`
			`Restart=on-failure`
			`RestartSec=5s`
			`StartLimitInterval=60s`
			`StartLimitBurst=3`

			`[Install]`
			`WantedBy=multi-user.target`