mcp-browser/systemd/mcp-browser-proxy.service


[Unit]
# Unit metadata and start-up ordering for the mcp-browser service.
# NOTE(review): the description says "stdio server mode", while [Service]
# defaults MCP_BROWSER_MODE to streamable-http and passes --http-host/--http-port.
# Confirm which mode this unit is meant to run and align the text.
Description=Run mcp-browser in MCP stdio server mode (requires external HTTP bridge)
Documentation=https://github.com/Xilope0/mcp-browser
# Order after, and pull in, network-online.target.
# NOTE(review): the %h paths and WantedBy=default.target suggest a per-user
# unit. A user manager may not have network-online.target, in which case these
# two lines have no effect. Confirm against the install location.
After=network-online.target
Wants=network-online.target
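[Service]
# Runs mcp-browser through a small bash wrapper that turns the MCP_BROWSER_*
# environment variables below into command-line flags.
Type=simple

# Defaults. %h expands to the home directory of the user running the manager.
Environment="PYTHONUNBUFFERED=1"
Environment="MCP_BROWSER_BIN=%h/.local/bin/mcp-browser"
Environment="MCP_BROWSER_CONFIG=%h/.config/mcp-browser/config.yaml"
Environment="MCP_BROWSER_SERVER=default"
Environment="MCP_BROWSER_MODE=streamable-http"
# Only the literal string "true" adds --no-builtin.
Environment="MCP_BROWSER_NO_BUILTIN=false"
# Empty values mean the matching flag is not passed at all.
Environment="MCP_BROWSER_TRANSPORT="
Environment="MCP_BROWSER_TRANSPORT_URL="
Environment="MCP_BROWSER_EXTRA_ARGS="
# Loopback bind: the listener is reachable from this host only. Before setting
# a non-loopback address, confirm what authentication the server enforces.
Environment="MCP_BROWSER_HTTP_HOST=127.0.0.1"
# NOTE(review): port 0 presumably lets the OS pick a free port; a bridge or
# reverse proxy in front of this unit would need a fixed port. Confirm.
Environment="MCP_BROWSER_HTTP_PORT=0"
Environment="MCP_BROWSER_HTTP_PATH=/mcp"
# Empty: --http-allow-origin is omitted from the command line.
Environment="MCP_BROWSER_HTTP_ALLOW_ORIGIN="

# Optional overrides ("-" = ignore if the file is missing). Values here replace
# the Environment= defaults above, including MCP_BROWSER_BIN and
# MCP_BROWSER_EXTRA_ARGS, so this file decides which binary runs and with which
# arguments. Keep it owned by the service user and not writable by anyone else.
EnvironmentFile=-%h/.config/mcp-browser/browser.env

# NOTE: mcp-browser speaks MCP over stdio only. To expose HTTP/SSE for
# clients (e.g. OpenAI), place an HTTP bridge or reverse proxy in front of this
# unit and pipe requests to its stdin/stdout (see examples/mcp.conf).
# NOTE(review): the default MCP_BROWSER_MODE above is streamable-http, which
# seems at odds with the note above. Confirm.
#
# Syntax notes for the wrapper:
# - A quoted ExecStart= argument cannot span lines on its own; every line of
#   the script ends in a backslash, and shell statements are separated by ";".
# - systemd performs its own $VAR / ${VAR} substitution on ExecStart=; "$$"
#   passes a literal "$" so that bash, not systemd, expands the variables.
# - "bash -l" starts a login shell, so the user's profile files run before the
#   script and can alter its environment. NOTE(review): plain "-c" would be
#   enough if nothing depends on the profile. Confirm before changing.
# - MCP_BROWSER_EXTRA_ARGS is intentionally unquoted so that it splits into
#   several arguments; it is therefore also subject to glob expansion and
#   cannot carry an argument that contains whitespace.
ExecStart=/usr/bin/env bash -lc 'set -eu; \
    ARGS=(); \
    if [[ "$$MCP_BROWSER_NO_BUILTIN" == "true" ]]; then ARGS+=(--no-builtin); fi; \
    if [[ -n "$$MCP_BROWSER_TRANSPORT" ]]; then ARGS+=(--transport "$$MCP_BROWSER_TRANSPORT"); fi; \
    if [[ -n "$$MCP_BROWSER_TRANSPORT_URL" ]]; then ARGS+=(--transport-url "$$MCP_BROWSER_TRANSPORT_URL"); fi; \
    exec "$$MCP_BROWSER_BIN" \
        --mode "$$MCP_BROWSER_MODE" \
        --config "$$MCP_BROWSER_CONFIG" \
        --server "$$MCP_BROWSER_SERVER" \
        --http-host "$$MCP_BROWSER_HTTP_HOST" \
        --http-port "$$MCP_BROWSER_HTTP_PORT" \
        --http-path "$$MCP_BROWSER_HTTP_PATH" \
        $${MCP_BROWSER_HTTP_ALLOW_ORIGIN:+--http-allow-origin "$$MCP_BROWSER_HTTP_ALLOW_ORIGIN"} \
        "$${ARGS[@]}" \
        $$MCP_BROWSER_EXTRA_ARGS'
Restart=on-failure
RestartSec=5

# Sandboxing.
# NOTE(review): if this runs under a per-user manager, several of these options
# may depend on unprivileged user namespaces being available. Confirm on the
# target hosts that they are applied rather than skipped.
NoNewPrivileges=yes
ProtectSystem=strict
# read-only blocks writes under the home directories but the service can still
# read everything there (keys, tokens, other applications' config).
# NOTE(review): anything mcp-browser needs to write under the home directory
# would fail with this setting. Confirm.
ProtectHome=read-only
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
# NOTE(review): this blocks writable+executable memory mappings, which breaks
# runtimes that JIT-compile. Confirm that mcp-browser and any server processes
# it launches still start with this enabled.
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
# Sockets limited to Unix-domain, IPv4 and IPv6.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6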
[Install]
# When enabled, the unit is started as part of the manager's default target.
WantedBy=default.target