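# systemd service that keeps an SSH reverse tunnel up so that two local MCP
# ports are reachable on the remote host's loopback interface.
# The %h specifier and WantedBy=default.target indicate a systemd --user unit.
# systemd supports full-line comments only; never append a comment to a value.

[Unit]
Description=Maintain SSH reverse tunnel for MCP endpoints
# network-online.target is a system-manager target; a user manager only has it
# if something provides it there, so this ordering may be a no-op for --user.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Defaults. Any of these may be overridden by the optional EnvironmentFile
# below, which systemd reads after the Environment= lines.
Environment="MCP_TUNNEL_HOST=mcp.example.com"
Environment="MCP_TUNNEL_USER=mcp"
Environment="MCP_TUNNEL_KEY=%h/.ssh/mcp_reverse"
Environment="MCP_REMOTE_STREAMABLE_PORT=8250"
Environment="MCP_LOCAL_STREAMABLE_PORT=14000"
Environment="MCP_REMOTE_BROWSER_PORT=8251"
Environment="MCP_LOCAL_BROWSER_PORT=14001"
# Extra ssh arguments; deliberately left unquoted in ExecStart so the shell
# word-splits them. Anything that can write tunnel.env can therefore pass
# arbitrary ssh options, so keep that file owned by and writable only by the
# user running this unit.
Environment="MCP_TUNNEL_EXTRA_ARGS="
# Leading "-" makes a missing file non-fatal.
EnvironmentFile=-%h/.config/mcp-browser/tunnel.env

# -F /dev/null ignores ~/.ssh/config, so every option the tunnel depends on is
# passed explicitly. BatchMode and StrictHostKeyChecking=yes make the
# non-interactive failure modes (unknown host key, passphrase prompt) fail fast
# rather than wait or trust-on-first-use; IdentitiesOnly restricts
# authentication to the configured key. known_hosts still defaults to
# %h/.ssh/known_hosts, which is readable under ProtectHome=read-only, so the
# remote host key must be provisioned there in advance (ssh cannot write it).
# StreamLocalBindUnlink only affects Unix-socket forwards; both -R forwards
# here are TCP, so it is inert but harmless.
ExecStart=/usr/bin/env sh -c '\
set -eu; \
exec /usr/bin/ssh -F /dev/null -i "$MCP_TUNNEL_KEY" -NT \
-o BatchMode=yes \
-o StrictHostKeyChecking=yes \
-o IdentitiesOnly=yes \
-o ExitOnForwardFailure=yes \
-o ServerAliveInterval=15 \
-o ServerAliveCountMax=3 \
-o StreamLocalBindUnlink=yes \
-R 127.0.0.1:"$MCP_REMOTE_STREAMABLE_PORT":127.0.0.1:"$MCP_LOCAL_STREAMABLE_PORT" \
-R 127.0.0.1:"$MCP_REMOTE_BROWSER_PORT":127.0.0.1:"$MCP_LOCAL_BROWSER_PORT" \
$MCP_TUNNEL_EXTRA_ARGS \
"$MCP_TUNNEL_USER@$MCP_TUNNEL_HOST"'

# ExitOnForwardFailure plus Restart=always means a lost or refused forward
# ends the process and systemd re-establishes the tunnel after RestartSec.
Restart=always
# seconds
RestartSec=5

# Sandboxing. In a user manager most of these are applied only where
# unprivileged user namespaces are available; verify with
# systemd-analyze security --user on the installed unit before relying on them.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
# ssh needs AF_UNIX for the agent/control sockets and AF_INET/AF_INET6 for the
# connection itself; everything else is denied.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Redundant under ProtectHome=read-only but documents the intent explicitly:
# the key and known_hosts are never writable from inside the service.
ReadOnlyPaths=%h/.ssh

[Install]
# default.target is the user manager's equivalent of multi-user.target.
WantedBy=default.target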