Use systemd unit files for disabling the remote access #3336

Open
lslezak wants to merge 1 commit into master from disable-remote-access2

@lslezak
Contributor

@lslezak lslezak commented Mar 26, 2026

Problem

  • Using the new inst.listen_on boot option to disable remote access to the server looks inconsistent (for disabling the SSH access you can use the systemd.mask=sshd.service boot option)
  • Simplify the implementation, limiting access to some interface or IP address was not requested
  • Related to Optionally disable remote access #3269

Solution

  • Use systemd services to implement disabling the remote access
  • Implement new agama-web-server-local and agama-web-server-remote services
  • By default the remote service is enabled, but the user can disable it and enable the local service instead using the systemd.mask=agama-web-server-remote.service systemd.wants=agama-web-server-local.service boot parameters.

Testing

  • Tested manually

The default behavior (no boot option specified): the local service is inactive, the remote service is running.

agama:~ # systemctl status agama-web-server-local.service 
○ agama-web-server-local.service - Agama Web Server (Local access only)
     Loaded: loaded (/usr/lib/systemd/system/agama-web-server-local.service; enabled; preset: disabled)
     Active: inactive (dead)
agama:~ # systemctl status agama-web-server-remote.service
● agama-web-server-remote.service - Agama Web Server (Remote and local access)
     Loaded: loaded (/usr/lib/systemd/system/agama-web-server-remote.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-03-26 20:41:50 CET; 10min ago
 Invocation: d0871c93d1d0486db99dfcb941441a98
   Main PID: 2299 (Zypp-main)
      Tasks: 22 (limit: 4525)
        CPU: 1.407s
     CGroup: /system.slice/agama-web-server-remote.service
             ├─2299 /usr/bin/agama-web-server serve --address :::80,0.0.0.0:80 --address :::443,0.0.0.0:443
             ├─3433 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/PublicKey --daemon
             ├─3435 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/PublicKey
             ├─3443 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/zypp-trusted-kr2SLwoo --daemon
             └─3445 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.9pNBz4/zypp-trusted-kr2SLwoo

With the systemd.mask=agama-web-server-remote.service systemd.wants=agama-web-server-local.service boot options the remote service is inactive and the local service is running:

agama:~ # systemctl status agama-web-server-remote.service
○ agama-web-server-remote.service
     Loaded: masked (Reason: Unit agama-web-server-remote.service is masked.)
     Active: inactive (dead)
agama:~ # systemctl status agama-web-server-local.service 
● agama-web-server-local.service - Agama Web Server (Local access only)
     Loaded: loaded (/usr/lib/systemd/system/agama-web-server-local.service; enabled; preset: disabled)
     Active: active (running) since Thu 2026-03-26 21:06:17 CET; 1min 15s ago
 Invocation: e2ac57b5b4a349d285c9b745002a2e2e
   Main PID: 2276 (Zypp-main)
      Tasks: 21 (limit: 4525)
        CPU: 1.328s
     CGroup: /system.slice/agama-web-server-local.service
             ├─2276 /usr/bin/agama-web-server serve --address ::1:80,127.0.0.1:80 --address ::1:443,127.0.0.1:>
             ├─3418 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/PublicKey --daemon
             ├─3420 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/PublicKey
             ├─3428 gpg-agent --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/zypp-trusted-kr17fHIU --daemon
             └─3430 scdaemon --multi-server --homedir /var/tmp/zypp.tmp/zypp.ELoAQn/zypp-trusted-kr17fHIU

Notes

I tried several approaches but either they did not work or were a bit hacky:

  1. First I wanted both the local and remote services to be enabled by default. Because of conflicts only one of them should be running at a time. I used Before and After so the remote service starts first and the conflict should block the local service from running. Disabling the remote service allows running the local service automatically.
    The problem was that there is probably some race condition and sometimes the local service was actually running instead of the remote by default. I tried several changes but nothing helped.
  2. Then I added code to the local service to explicitly check whether the remote service is disabled or not (using ExecCondition attribute). But that feels a bit hacky and it is a hidden magic.
  3. Finally I realized that in the same way you can disable a service at boot using the systemd.mask option, you can also enable a disabled service using the systemd.wants parameter. So instead of enabling both services, enable only the default remote one. The users can then explicitly disable the remote service and enable the local one using the systemd.mask=agama-web-server-remote.service systemd.wants=agama-web-server-local.service boot options. That's a bit more complicated but does not use any hidden magic.
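
The status output above shows which unit is active; a complementary check is to confirm what the web ports are actually bound to. The following is an added example, not part of the pull request or the Agama code base: the function name `non_loopback_listeners` is hypothetical, the input is assumed to be `ss -Hltn` output, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not Agama code): flag listeners on the web ports (80/443)
# that are bound to anything other than a loopback address.

# Reads `ss -Hltn`-style lines on stdin and prints every local address on
# port 80 or 443 that is not loopback. Exit status: 0 = none, 1 = some found.
non_loopback_listeners() {
    awk '
        $1 == "LISTEN" {
            local_addr = $4
            # The port follows the last colon (IPv6 addresses contain colons).
            port = local_addr; sub(/^.*:/, "", port)
            host = local_addr; sub(/:[^:]*$/, "", host)
            if (port != "80" && port != "443") next
            # Drop a scope suffix such as %lo and the IPv6 brackets.
            sub(/%.*$/, "", host); gsub(/\[|\]/, "", host)
            # Anything that is not plainly loopback is reported.
            if (host == "::1" || host ~ /^127\./) next
            print local_addr
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed samples of `ss -Hltn` output for the two modes in this thread.
SAMPLE_REMOTE='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_LOCAL='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 [::1]:443 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOCAL" | non_loopback_listeners \
    && echo "local sample: web ports are loopback-only"
printf '%s\n' "$SAMPLE_REMOTE" | non_loopback_listeners \
    || echo "remote sample: web ports are reachable from the network"

# On a running system: ss -Hltn | non_loopback_listeners
```

The SSH listener on port 22 is deliberately ignored here; it is controlled separately through systemd.mask=sshd.service.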

@lslezak lslezak force-pushed the disable-remote-access2 branch from 102aa3e to 7ccedd4 on April 1, 2026 11:57
@lslezak lslezak force-pushed the disable-remote-access2 branch from 7ccedd4 to 40d54f9 on April 1, 2026 11:58
@lslezak lslezak marked this pull request as ready for review April 1, 2026 12:47
@kobliha
Contributor

kobliha commented Apr 1, 2026

So long story short, we have "systemd.mask=agama-web-server-remote.service systemd.wants=agama-web-server-local.service" instead of simple "inst.listen_on=local" because someone might want to disable sshd and they would have to use "systemd.mask".

@lslezak
Contributor Author

lslezak commented Apr 1, 2026

🤷‍♂️

@lslezak lslezak requested a review from imobachgs April 1, 2026 13:08
@ancorgs
Contributor

ancorgs commented Apr 1, 2026

I was originally envisioning something like:

systemd.mask=sshd systemd.mask=agama-remote

Consistent with the SSH case and easy to remember.

As it is currently in this pull request, I find it to be cumbersome (too detailed, too long and not memorable enough). Moreover, it defeats a bit the purpose of being symmetric to disabling ssh.

To be honest, I think I would prefer to use that "hidden magic" at alternative 2 (we can always find a better implementation over time) than to force the user to use a combination of two different boot arguments.

On the other hand, I got an honest question - can we simplify the name of the service(s)?
