# Cloudflare Mesh Systemd Units

Systemd service and timer units for the Autonomic Mesh.

## Services

| Unit | Description | Type |
|------|-------------|------|
| `drift-guardian.service` | Real-time configuration monitor | Continuous |
| `autonomous-remediator.service` | Self-healing infrastructure | Continuous |
| `tunnel-rotation.service` | Credential rotation | One-shot |
| `tunnel-rotation.timer` | Weekly rotation schedule | Timer |

## Installation

### 1. Create service user

```bash
sudo useradd -r -s /usr/sbin/nologin -d /var/lib/cloudflare-mesh cloudflare-mesh
sudo mkdir -p /var/lib/cloudflare-mesh /var/log/cloudflare-mesh
sudo chown cloudflare-mesh:cloudflare-mesh /var/lib/cloudflare-mesh /var/log/cloudflare-mesh
```

### 2. Install scripts

```bash
sudo mkdir -p /opt/cloudflare-mesh/scripts
sudo cp scripts/*.py /opt/cloudflare-mesh/scripts/
sudo chmod +x /opt/cloudflare-mesh/scripts/*.py
```

### 3. Create environment file

```bash
sudo mkdir -p /etc/cloudflare-mesh
cat << EOF | sudo tee /etc/cloudflare-mesh/environment
CLOUDFLARE_API_TOKEN=your_api_token_here
CLOUDFLARE_ZONE_ID=your_zone_id
CLOUDFLARE_ACCOUNT_ID=your_account_id
EOF
sudo chmod 600 /etc/cloudflare-mesh/environment
sudo chown root:cloudflare-mesh /etc/cloudflare-mesh/environment
```

### 4. Install systemd units

```bash
sudo cp systemd/*.service systemd/*.timer /etc/systemd/system/
sudo systemctl daemon-reload
```

### 5. Enable and start services

```bash
# Enable continuous services
sudo systemctl enable --now drift-guardian.service
sudo systemctl enable --now autonomous-remediator.service

# Enable rotation timer
sudo systemctl enable --now tunnel-rotation.timer
```

## Management

### Check status

```bash
sudo systemctl status drift-guardian.service
sudo systemctl status autonomous-remediator.service
sudo systemctl list-timers tunnel-rotation.timer
```

### View logs

```bash
# Drift guardian logs
journalctl -u drift-guardian.service -f

# Remediator logs
journalctl -u autonomous-remediator.service -f

# Rotation logs
journalctl -u tunnel-rotation.service
```

### Manual rotation

```bash
sudo systemctl start tunnel-rotation.service
```

### Stop all services

```bash
sudo systemctl stop drift-guardian.service autonomous-remediator.service
sudo systemctl stop tunnel-rotation.timer
```

## Security Notes

- All services run as non-root user `cloudflare-mesh`
- Services use systemd hardening directives
- API tokens stored with restricted permissions (600)
- Services have read-only filesystem access except for data directories
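
To confirm the Security Notes hold on an installed host, the script below is an added example (not part of the project's scripts) that checks the environment file's mode and owner and the properties `systemctl show` reports for each unit. Which hardening directives the units actually set is an assumption here (`NoNewPrivileges=` and `ProtectSystem=strict`), since this README does not list them.

```bash
#!/usr/bin/env bash
# Added example: audit an installed host against the Security Notes.
# Assumption: the units set User=, NoNewPrivileges= and ProtectSystem=strict;
# the README does not say which hardening directives they use.

MESH_USER=cloudflare-mesh
ENV_FILE=/etc/cloudflare-mesh/environment
UNITS="drift-guardian.service autonomous-remediator.service tunnel-rotation.service"

# check_env_file PATH [UID]: succeed only if PATH has mode 600 and is owned
# by UID (default 0, root), as set up in installation step 3.
check_env_file() {
    cef_mode=$(stat -c '%a' "$1") || return 2
    cef_uid=$(stat -c '%u' "$1") || return 2
    if [ "$cef_mode" != 600 ] || [ "$cef_uid" != "${2:-0}" ]; then
        echo "FAIL $1: mode=$cef_mode uid=$cef_uid"
        return 1
    fi
}

# check_unit_props: read `systemctl show` KEY=VALUE lines on stdin and
# return the number of properties that miss the expected value.
check_unit_props() {
    cup_user='' cup_nnp='' cup_psys='' cup_bad=0
    while IFS='=' read -r cup_key cup_val; do
        case $cup_key in
            User) cup_user=$cup_val ;;
            NoNewPrivileges) cup_nnp=$cup_val ;;
            ProtectSystem) cup_psys=$cup_val ;;
        esac
    done
    [ "$cup_user" = "$MESH_USER" ] || { echo "FAIL User=$cup_user"; cup_bad=$((cup_bad + 1)); }
    [ "$cup_nnp" = yes ] || { echo "FAIL NoNewPrivileges=$cup_nnp"; cup_bad=$((cup_bad + 1)); }
    [ "$cup_psys" = strict ] || { echo "FAIL ProtectSystem=$cup_psys"; cup_bad=$((cup_bad + 1)); }
    return "$cup_bad"
}

# audit_mesh: run both checks against the live host (needs systemd).
audit_mesh() {
    am_rc=0
    check_env_file "$ENV_FILE" || am_rc=1
    for am_unit in $UNITS; do
        echo "== $am_unit"
        systemctl show -p User -p NoNewPrivileges -p ProtectSystem "$am_unit" \
            | check_unit_props || am_rc=1
    done
    return "$am_rc"
}

# Run the audit only when asked, e.g. `sudo bash audit.sh --audit`.
if [ "${1:-}" = "--audit" ]; then audit_mesh; fi
```

A non-zero exit from `--audit` means at least one check printed a `FAIL` line; `audit.sh` is a hypothetical file name.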