build: deploy as systemd --user unit on mRock

Convention on mRock is user-units for ML services (whisper-server,
mvoice-launcher, comfyui as of today). Switching mGPUmanager too:

- systemd/mgpumanager.service: rewritten as a user unit (%h-based
  WorkingDirectory + ExecStart, WantedBy=default.target). Drops the
  ProtectSystem/ProtectHome hardening that came from the system-unit
  template — user units don't need it, and ProtectHome=read-only
  blocks a user unit's own working dir.
- Makefile deploy target: rsync to ~/.config/systemd/user/ on the
  remote and use systemctl --user, no sudo. README documents the
  lingering prerequisite (loginctl enable-linger m).
- config/consumers.yaml: bind on 0.0.0.0:8770 instead of localhost so
  mRiver / Tailscale peers can actually reach the broker.

Refs: m/mGPUmanager#1 (deploy task).

Makefile

@@ -3,8 +3,8 @@
 # `make build`   — compile the Go binary into ./bin/mgpumanager.
 # `make test`    — go test ./...
 # `make run`     — run locally against ./config/consumers.yaml.
-# `make deploy`  — rsync binary + config + systemd unit to mRock,
+# `make deploy`  — rsync binary + config + user-unit to mRock and
-#                  reload systemd, restart the service.
+#                  (re)start it under `systemctl --user`.
 
 BIN := bin/mgpumanager
 PKG := ./cmd/mgpumanager
@@ -12,6 +12,7 @@ PKG := ./cmd/mgpumanager
 GO ?= go
 HOST ?= mrock
 REMOTE_DIR ?= /home/m/dev/mGPUmanager
+USER_UNIT_DIR ?= /home/m/.config/systemd/user
 
 .PHONY: build test run deploy clean
 
@@ -25,11 +26,13 @@ test:
 run: build
 	./$(BIN) --config config/consumers.yaml --log-level debug
 
+# Deploys to mRock as a user unit (systemd --user). User lingering must
+# be enabled on the target host: `sudo loginctl enable-linger m`.
 deploy: build
 	rsync -a --mkpath $(BIN) $(HOST):$(REMOTE_DIR)/$(BIN)
 	rsync -a --mkpath config/consumers.yaml $(HOST):$(REMOTE_DIR)/config/consumers.yaml
-	rsync -a --mkpath systemd/mgpumanager.service $(HOST):$(REMOTE_DIR)/systemd/mgpumanager.service
+	rsync -a --mkpath systemd/mgpumanager.service $(HOST):$(USER_UNIT_DIR)/mgpumanager.service
-	ssh $(HOST) "sudo cp $(REMOTE_DIR)/systemd/mgpumanager.service /etc/systemd/system/mgpumanager.service && sudo systemctl daemon-reload && sudo systemctl enable mgpumanager.service && sudo systemctl restart mgpumanager.service && sudo systemctl status mgpumanager.service --no-pager -l"
+	ssh $(HOST) "systemctl --user daemon-reload && systemctl --user enable mgpumanager.service && systemctl --user restart mgpumanager.service && systemctl --user status mgpumanager.service --no-pager -l"
 
 clean:
 	rm -rf bin

config/consumers.yaml

@@ -1,4 +1,4 @@
-listen: 127.0.0.1:8770
+listen: 0.0.0.0:8770
 
 gpu:
   total_mib: 16376        # RTX 4070 Ti SUPER

systemd/mgpumanager.service

@@ -1,30 +1,15 @@
 [Unit]
-Description=mGPUmanager — GPU-Inference-Control-Plane for mRock
+Description=mGPUmanager — GPU-Inference-Control-Plane
 Documentation=https://mgit.msbls.de/m/mGPUmanager
-After=network-online.target
+After=network.target
-Wants=network-online.target
 
 [Service]
 Type=simple
-User=m
+WorkingDirectory=%h/dev/mGPUmanager
-Group=m
+ExecStart=%h/dev/mGPUmanager/bin/mgpumanager --config %h/dev/mGPUmanager/config/consumers.yaml --log-level info
-WorkingDirectory=/home/m/dev/mGPUmanager
-ExecStart=/home/m/dev/mGPUmanager/bin/mgpumanager \
-    --config /home/m/dev/mGPUmanager/config/consumers.yaml \
-    --log-level info
 Restart=on-failure
-RestartSec=3
+RestartSec=5
 TimeoutStopSec=10
 
-# Hardening — broker has no need for elevated capabilities.
-NoNewPrivileges=true
-PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=read-only
-ReadWritePaths=/home/m/dev/mGPUmanager
-
-# The broker only proxies; nvidia-smi is the only GPU-touching call.
-PrivateDevices=false
-
 [Install]
-WantedBy=multi-user.target
+WantedBy=default.target