From 12172eec95450e244f628ec4ceed8479f991384d Mon Sep 17 00:00:00 2001
From: Scrum4Me Agent <30029041+madhura68@users.noreply.github.com>
Date: Wed, 13 May 2026 17:53:09 +0200
Subject: [PATCH] feat(deploy): add sudoers config + setup.sh integration for systemctl_restart

/etc/sudoers.d/ops-agent grants NOPASSWD to ops-agent for the exact systemctl restart invocations whitelisted in commands.yml. setup.sh installs and validates it via visudo -c.

Co-Authored-By: Claude Sonnet 4.6
---
 deploy/ops-agent/setup.sh | 4 ++++
 deploy/ops-agent/sudoers | 9 +++++++++
 2 files changed, 13 insertions(+)
 create mode 100644 deploy/ops-agent/sudoers

diff --git a/deploy/ops-agent/setup.sh b/deploy/ops-agent/setup.sh
index b69c3aa..b27c4fe 100644
--- a/deploy/ops-agent/setup.sh
+++ b/deploy/ops-agent/setup.sh
@@ -46,6 +46,10 @@ chmod 0640 "${CONFIG_DIR}/secret"
 echo "==> Installing systemd unit"
 cp "${REPO_DIR}/deploy/ops-agent/ops-agent.service" "${SERVICE_FILE}"
 
+echo "==> Installing sudoers config"
+install -m 0440 -o root -g root "${REPO_DIR}/deploy/ops-agent/sudoers" /etc/sudoers.d/ops-agent
+visudo -c -f /etc/sudoers.d/ops-agent
+
 echo "==> Enabling and starting ops-agent"
 systemctl daemon-reload
 systemctl enable --now ops-agent
diff --git a/deploy/ops-agent/sudoers b/deploy/ops-agent/sudoers
new file mode 100644
index 0000000..93c5646
--- /dev/null
+++ b/deploy/ops-agent/sudoers
@@ -0,0 +1,9 @@
+# /etc/sudoers.d/ops-agent
+# NOPASSWD for explicit systemctl restart invocations by the ops-agent service account.
+# Only the service names whitelisted in commands.yml are listed here.
+# Installed by deploy/ops-agent/setup.sh.
+
+ops-agent ALL=(root) NOPASSWD: \
+ /usr/bin/systemctl restart scrum4me-web, \
+ /usr/bin/systemctl restart ops-agent, \
+ /usr/bin/systemctl restart caddy
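Review bot: `visudo -c -f /etc/sudoers.d/ops-agent` validates the fragment only after `install` has already placed it under /etc/sudoers.d, so a malformed file is live before it is checked, and a parse error in any sudoers.d fragment makes sudo refuse to run for every user on the host until it is repaired by hand. Check the source copy first and install only on success: `visudo -c -f "${REPO_DIR}/deploy/ops-agent/sudoers" || exit 1` ahead of the `install` line (the post-install check can stay as a confirmation). Whether setup.sh runs under `set -e` is not visible in this hunk, so the explicit `|| exit 1` keeps the gate from depending on it; without such a gate a failed check is followed straight by `systemctl enable --now ops-agent`.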
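Review bot: The header comment says the entries mirror commands.yml but not that sudo matches these command lines verbatim, which is the property the whole grant relies on; add `# sudo compares argv exactly: the agent must run /usr/bin/systemctl with exactly these two arguments (no .service suffix, no extra flags) or the request is denied.` so whoever edits commands.yml knows both lists move together. Nothing in the commit ties the two lists together, so a service added to commands.yml without a matching line here fails only at restart time; a comment pointing at the commands.yml entry, or a check in setup.sh that compares the two, would close that gap. If the host's base sudoers sets `Defaults requiretty` (historically the case on RHEL-family images), sudo from the service, which has no tty, is refused regardless of this grant; a `Defaults:ops-agent !requiretty` line scoped to this account avoids that, though whether the target image sets it is not visible here.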