New branch

configs/systemd/vpn-auto-update.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=VPN Gateway Auto-Update Check
+Documentation=https://github.com/yourusername/vpn-gateway
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+User=root
+ExecStart=/usr/local/bin/vpn-update.sh --check-only
+StandardOutput=journal
+StandardError=journal

configs/systemd/vpn-auto-update.timer

@@ -0,0 +1,13 @@
+[Unit]
+Description=VPN Gateway Auto-Update Timer
+Documentation=https://github.com/yourusername/vpn-gateway
+
+[Timer]
+# Run daily at 3 AM
+OnCalendar=daily
+OnCalendar=*-*-* 03:00:00
+RandomizedDelaySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target

configs/systemd/vpn-killswitch.service

@@ -0,0 +1,38 @@
+[Unit]
+Description=VPN Killswitch - Permanent Network Protection
+Documentation=https://github.com/yourusername/vpn-gateway
+DefaultDependencies=no
+Before=network-pre.target
+Wants=network-pre.target
+
+# This service MUST start before networking
+After=local-fs.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# Execute killswitch enable
+ExecStart=/usr/local/bin/vpn-killswitch.sh enable
+
+# On reload, restart the killswitch
+ExecReload=/usr/local/bin/vpn-killswitch.sh restart
+
+# On stop, we still keep killswitch active for security
+ExecStop=/bin/echo "Killswitch remains active for security"
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+
+# Security
+User=root
+Group=root
+
+# We want this to always succeed
+SuccessExitStatus=0 1
+
+[Install]
+# Critical: Start at earliest possible stage
+WantedBy=sysinit.target
+RequiredBy=network.target

configs/systemd/vpn-security-monitor.service

@@ -0,0 +1,40 @@
+[Unit]
+Description=VPN Security Monitor - Continuous Protection Monitoring
+Documentation=https://github.com/yourusername/vpn-gateway
+After=vpn-killswitch.service network-online.target
+Requires=vpn-killswitch.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+
+# Execute monitoring script
+ExecStart=/usr/local/bin/vpn-security-monitor.sh
+
+# Restart policy
+Restart=always
+RestartSec=30
+StartLimitInterval=300
+StartLimitBurst=5
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+
+# Resource limits
+CPUQuota=10%
+MemoryLimit=100M
+
+# Security
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Kill settings
+KillMode=process
+KillSignal=SIGTERM
+TimeoutStopSec=10
+
+[Install]
+WantedBy=multi-user.target

configs/systemd/vpn-webui.service

@@ -0,0 +1,60 @@
+[Unit]
+Description=VPN Gateway WebUI Service
+Documentation=https://github.com/yourusername/vpn-gateway
+After=network-online.target vpn-killswitch.service
+Wants=network-online.target
+Requires=vpn-killswitch.service
+
+[Service]
+Type=simple
+User=root
+Group=root
+WorkingDirectory=/opt/vpn-gateway
+
+# Environment
+Environment="PATH=/opt/vpn-gateway/venv/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Environment="PYTHONPATH=/opt/vpn-gateway"
+Environment="FLASK_APP=app.py"
+Environment="FLASK_ENV=production"
+
+# Pre-start delay to ensure network is ready
+ExecStartPre=/bin/bash -c 'sleep 5'
+
+# Start command with gunicorn
+ExecStart=/opt/vpn-gateway/venv/bin/gunicorn \
+    --bind 0.0.0.0:5000 \
+    --workers 2 \
+    --threads 4 \
+    --worker-class sync \
+    --worker-connections 1000 \
+    --max-requests 1000 \
+    --max-requests-jitter 50 \
+    --timeout 120 \
+    --keepalive 5 \
+    --access-logfile /var/log/vpn-gateway-access.log \
+    --error-logfile /var/log/vpn-gateway-error.log \
+    --log-level info \
+    --capture-output \
+    app:app
+
+# Restart policy
+Restart=always
+RestartSec=10
+StartLimitInterval=60
+StartLimitBurst=3
+
+# Security settings
+NoNewPrivileges=true
+PrivateTmp=true
+
+# Resource limits
+LimitNOFILE=65536
+LimitNPROC=4096
+
+# Kill settings
+KillMode=mixed
+KillSignal=SIGTERM
+TimeoutStopSec=30
+
+[Install]
+WantedBy=multi-user.target