Each workstation user needs a continuously valid Claude token under their own Enterprise identity. Store only that user's OAuth state in an isolated Vault path, renew and verify it automatically, recover from Vault when possible, and alert when interactive SSO is required.
[Unit]
Description=Validate and back up Claude OAuth credentials for %i
Documentation=https://github.com/ViktorBarzin/infra/blob/master/docs/runbooks/claude-auth-renew-workstation.md
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=%i
Group=%i
Environment=HOME=/home/%i
Environment=PATH=/usr/local/bin:/usr/bin:/bin:/home/%i/.local/bin
ExecStart=/usr/local/bin/claude-auth-sync

# Credential and Vault access are required; keep the remaining host surface narrow.
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=-/home/%i/.claude -/home/%i/.claude.json -/home/%i/.config/claude-auth-sync -/home/%i/.local/state/claude-auth-sync
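The decision core a `claude-auth-sync` job needs, as an added example (not the repository's own script): it classifies the local credential file and the per-user Vault copy by remaining validity and picks exactly one of back up, restore or alert, which is the behaviour the description above asks for. The credential file layout (a `claudeAiOauth` object with `accessToken` and `expiresAt` in epoch milliseconds) and the owner-only file-mode check are assumptions.

```python
import json
import stat
from pathlib import Path

# Assumptions for this example: the CLI credential file is JSON with a
# "claudeAiOauth" object carrying accessToken/refreshToken/expiresAt (epoch ms),
# and the per-user Vault backup is a copy of that same document.
RENEW_WINDOW_S = 3600  # treat anything with under an hour left as "expiring"


def credential_state(cred, now_s):
    """Classify a credential document: missing, expired, expiring or valid."""
    oauth = (cred or {}).get("claudeAiOauth") or {}
    if not oauth.get("accessToken"):
        return "missing"
    remaining_s = oauth.get("expiresAt", 0) / 1000 - now_s
    if remaining_s <= 0:
        return "expired"
    return "expiring" if remaining_s < RENEW_WINDOW_S else "valid"


def plan(local, vault_copy, now_s):
    """Choose one action: back the local token up, restore the Vault copy,
    or alert that the user must complete interactive SSO."""
    usable = ("valid", "expiring")
    local_ok = credential_state(local, now_s) in usable
    vault_ok = credential_state(vault_copy, now_s) in usable
    if local_ok and vault_ok:
        # Both usable: keep whichever expires later, so a stale backup never
        # overwrites a freshly renewed local token.
        if vault_copy["claudeAiOauth"]["expiresAt"] > local["claudeAiOauth"]["expiresAt"]:
            return "restore"
        return "backup"
    if local_ok:
        return "backup"
    if vault_ok:
        return "restore"
    return "alert"


def load_credentials(path):
    """Read the credential file, refusing one readable by group or others."""
    p = Path(path)
    if not p.exists():
        return None
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p} is mode {oct(mode)}; expected 0600")
    return json.loads(p.read_text())
```

The `alert` outcome is the point at which the job should notify the user that interactive SSO is required rather than retrying silently.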