feat(deploy): add sudoers config + setup.sh integration for systemctl_restart

/etc/sudoers.d/ops-agent grants NOPASSWD to ops-agent for the exact
systemctl restart invocations whitelisted in commands.yml.
setup.sh installs and validates it via visudo -c.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

deploy/ops-agent/setup.sh

@@ -46,6 +46,10 @@ chmod 0640 "${CONFIG_DIR}/secret"
 echo "==> Installing systemd unit"
 cp "${REPO_DIR}/deploy/ops-agent/ops-agent.service" "${SERVICE_FILE}"
 
+echo "==> Installing sudoers config"
+install -m 0440 -o root -g root "${REPO_DIR}/deploy/ops-agent/sudoers" /etc/sudoers.d/ops-agent
+visudo -c -f /etc/sudoers.d/ops-agent
+
 echo "==> Enabling and starting ops-agent"
 systemctl daemon-reload
 systemctl enable --now ops-agent

deploy/ops-agent/sudoers

@@ -0,0 +1,9 @@
+# /etc/sudoers.d/ops-agent
+# NOPASSWD for explicit systemctl restart invocations by the ops-agent service account.
+# Only the service names whitelisted in commands.yml are listed here.
+# Installed by deploy/ops-agent/setup.sh.
+
+ops-agent ALL=(root) NOPASSWD: \
+    /usr/bin/systemctl restart scrum4me-web, \
+    /usr/bin/systemctl restart ops-agent, \
+    /usr/bin/systemctl restart caddy