chore: add carbonio-proxy.slice to PKGBUILD

proxy/PKGBUILD

@@ -33,6 +33,7 @@ source=(
   "311-${pkgname}-setup.sh"
   "${pkgname}-sidecar.service"
   "${pkgname}.hcl"
+  "${pkgname}.slice"
   "${pkgname}.target"
   "${pkgname}.sh"
   "carbonio-clamav-signature-provider-sidecar.service"
@@ -50,11 +51,12 @@ source=(
 sha256sums=(
   'cbd42efea9c34bd8cd661a7f9a4902ee86a3ba2b07db5c2be07dc36ab894df7a'
   'bb536a6e911924cde7438acdfaffaf88efcc070089319bad5dc9c68f5e7a33e3'
-  '7fd2ca93d1c12f23a3fde073fa0f709004a68451625b1fcd50ba75fbf0e0e270'
+  '4a57b91e35ae5e130909514544ace070195c8cb390a533d789a3c168d59ca2d6'
   'd503d1f4b4d966999a546b00523a746ba2277495a840135e1878f7855c00114f'
+  '6dcc4241831a097f48ef834e40ea6acdecccaf4dcc874125fab83ec3547cbfda'
   '7e5765f837ccbde44c598c80be3576bea469d041b318ed558a67e7d1c15d9948'
   '98e5fccf13b8ca8691c19495e5e496d1daa24a5962178e3f7b86706507c56e55'
-  '6784bc6fb696c968808745abe3387d434e70ff48235b861516eb196d06473990'
+  'fe853cbaecd68a776d1b5a9da0f8c7be7663e0e43f88fb5c01d9580c1adf1fa7'
   'e31069c73e7326c68188381fd485866c8d083466a576ee9141b9fdbefbb2c157'
   '9cb0f1b78f9a93dc8c05d7dc3db1514ef9af5a4f165416a497b543a3d620438d'
   '5b9d7a1598959eec4d81994d8a3d9c912d77f0b75de84529d3b65a19ee13c724'
@@ -141,6 +143,8 @@ package() {
   # systemd units and target
   mkdir -p "${pkgdir}/usr/lib/systemd/system/carbonio.target.wants"
   mkdir "${pkgdir}/usr/lib/systemd/system/${pkgname}.target.wants"
+  install -Dm 644 "${pkgname}.slice" \
+    "${pkgdir}/usr/lib/systemd/system/${pkgname}.slice"
   install -Dm 644 "${pkgname}.target" \
     "${pkgdir}/usr/lib/systemd/system/${pkgname}.target"
   ln -sf "/usr/lib/systemd/system/${pkgname}.target" \

proxy/carbonio-clamav-signature-provider-sidecar.service

@@ -1,21 +1,42 @@
 [Unit]
-Description=NGINX Carbonio ClamAV signature provider sidecar
+Description=Carbonio ClamAV Signature Provider Sidecar
 Documentation=https://docs.zextras.com/
 Requires=network-online.target
 After=network-online.target
 PartOf=carbonio-proxy.target
 
 [Service]
+Slice=carbonio-proxy.slice
 User=carbonio-clamav-sig-provider
 ExecStart=/usr/bin/consul connect envoy \
     -token-file /etc/carbonio/clamav-signature-provider/service-discover/token \
     -admin-bind localhost:0 \
     -sidecar-for carbonio-clamav-signature-provider
 Restart=on-failure
-RestartSec=15
+RestartSec=15s
 ExecReload=/usr/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 LimitNOFILE=65536
 
+# Security hardening (strict)
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+SystemCallArchitectures=native
+ProtectHostname=yes
+ProtectClock=yes
+
 [Install]
 WantedBy=multi-user.target

proxy/carbonio-proxy-sidecar.service

@@ -1,18 +1,19 @@
 [Unit]
-Description=NGINX carbonio proxy sidecar
+Description=Carbonio Proxy Sidecar
 Documentation=https://docs.zextras.com/
 Requires=network-online.target
 After=network-online.target
 PartOf=carbonio-proxy.target
 
 [Service]
+Slice=carbonio-proxy.slice
 User=carbonio-proxy
 ExecStart=/usr/bin/consul connect envoy \
     -token-file /etc/carbonio/proxy/service-discover/token \
     -admin-bind localhost:0 \
     -sidecar-for carbonio-proxy
 Restart=on-failure
-RestartSec=15
+RestartSec=15s
 ExecReload=/usr/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 LimitNOFILE=65536

proxy/carbonio-proxy.slice

@@ -0,0 +1,30 @@
+[Unit]
+Description=Carbonio Proxy Slice
+Documentation=man:systemd.slice(5)
+Before=slices.target
+PartOf=carbonio-proxy.target
+StopWhenUnneeded=yes
+
+[Slice]
+# Proxy tier: nginx (reverse proxy), memcached (session cache)
+# SSL termination is CPU intensive, minimal disk I/O
+#
+# Scaling guide:
+#   Small  (8GB RAM):   ~480MB effective (6% of 8GB)
+#   Medium (32GB RAM):  ~1.9GB effective (6% of 32GB)
+#   Large  (64GB RAM):  ~3.8GB effective (6% of 64GB)
+#
+# Note: nginx + memcached have low memory footprint
+
+# Memory controls - percentage-based for automatic scaling
+MemoryMax=6%
+MemoryHigh=5%
+
+# CPU weight: high priority (SSL termination is user-facing)
+CPUWeight=90
+
+# I/O weight: low (mostly network, minimal disk)
+IOWeight=30
+
+# Process/thread limit (nginx workers + memcached threads)
+TasksMax=512