infra/scripts/claude-auth-sync@.service

[Unit]
Description=Validate and back up Claude OAuth credentials for %i
Documentation=https://github.com/ViktorBarzin/infra/blob/master/docs/runbooks/claude-auth-renew-workstation.md
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=%i
Group=%i
Environment=HOME=/home/%i
Environment=PATH=/usr/local/bin:/usr/bin:/bin:/home/%i/.local/bin
ExecStart=/usr/local/bin/claude-auth-sync

# Credential and Vault access are required; keep the remaining host surface narrow.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=-/home/%i/.claude -/home/%i/.claude.json -/home/%i/.config/claude-auth-sync -/home/%i/.local/state/claude-auth-sync
Add per-user Claude auth renewal Each workstation user needs a continuously valid Claude token under their own Enterprise identity. Store only that user's OAuth state in an isolated Vault path, renew and verify it automatically, recover from Vault when possible, and alert when interactive SSO is required. 2026-06-20 20:10:40 +00:00			`[Unit]`
			`Description=Validate and back up Claude OAuth credentials for %i`
			`Documentation=https://github.com/ViktorBarzin/infra/blob/master/docs/runbooks/claude-auth-renew-workstation.md`
			`Wants=network-online.target`
			`After=network-online.target`

			`[Service]`
			`Type=oneshot`
			`User=%i`
			`Group=%i`
			`Environment=HOME=/home/%i`
			`Environment=PATH=/usr/local/bin:/usr/bin:/bin:/home/%i/.local/bin`
			`ExecStart=/usr/local/bin/claude-auth-sync`

			`# Credential and Vault access are required; keep the remaining host surface narrow.`
			`NoNewPrivileges=true`
			`PrivateTmp=true`
			`ProtectSystem=strict`
			`ProtectHome=read-only`
			`ReadWritePaths=-/home/%i/.claude -/home/%i/.claude.json -/home/%i/.config/claude-auth-sync -/home/%i/.local/state/claude-auth-sync`