feat: ops-agent Fastify service met SSE, whitelist en systemd-unit

- ops-agent/: Node.js Fastify+TypeScript service - GET /agent/v1/health - POST /agent/v1/exec → SSE stream (stdout/stderr/exit events) - Whitelist geladen uit /etc/ops-agent/commands.yml bij opstart - Auth via Bearer shared secret (/etc/ops-agent/secret, mode 0640) - Vier standaard commando's: docker_ps, git_status, systemctl_status, caddy_show_config - deploy/ops-agent/ops-agent.service: systemd-unit (User=ops-agent, Restart=on-failure, StandardOutput=journal) - deploy/ops-agent/setup.sh: aanmaken system-user, build, deploy, systemctl enable --now ops-agent Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 17:15:44 +02:00 · 2026-05-13 17:15:44 +02:00 · 4bccbf28f3
commit 4bccbf28f3
parent ad9cde6fb7
12 changed files with 1030 additions and 0 deletions
--- a/ops-agent/src/auth.ts
+++ b/ops-agent/src/auth.ts
@ -0,0 +1,29 @@
+import fs from 'fs';
+import { FastifyRequest, FastifyReply } from 'fastify';
+
+const SECRET_PATH = process.env.OPS_AGENT_SECRET_PATH ?? '/etc/ops-agent/secret';
+
+let secret: string | null = null;
+
+export function loadSecret(): void {
+  if (!fs.existsSync(SECRET_PATH)) {
+    console.warn(`[auth] Secret file not found at ${SECRET_PATH} — auth disabled`);
+    return;
+  }
+  const stat = fs.statSync(SECRET_PATH);
+  // Warn if permissions are too open (should be 0600)
+  if ((stat.mode & 0o177) !== 0) {
+    console.warn(`[auth] Warning: ${SECRET_PATH} has loose permissions — expected 0600`);
+  }
+  secret = fs.readFileSync(SECRET_PATH, 'utf8').trim();
+}
+
+export async function authHook(req: FastifyRequest, reply: FastifyReply): Promise<void> {
+  if (secret === null) return; // auth disabled
+
+  const header = req.headers['authorization'] ?? '';
+  const token = header.startsWith('Bearer ') ? header.slice(7) : '';
+  if (token !== secret) {
+    await reply.status(401).send({ error: 'unauthorized' });
+  }
+}
--- a/ops-agent/src/index.ts
+++ b/ops-agent/src/index.ts
@ -0,0 +1,32 @@
+import Fastify from 'fastify';
+import cors from '@fastify/cors';
+import { loadWhitelist } from './whitelist.js';
+import { loadSecret, authHook } from './auth.js';
+import { healthRoutes } from './routes/health.js';
+import { execRoutes } from './routes/exec.js';
+
+const WHITELIST_PATH = process.env.OPS_AGENT_WHITELIST_PATH ?? '/etc/ops-agent/commands.yml';
+const PORT = parseInt(process.env.OPS_AGENT_PORT ?? '4242', 10);
+const HOST = process.env.OPS_AGENT_HOST ?? '127.0.0.1';
+
+async function main() {
+  loadWhitelist(WHITELIST_PATH);
+  loadSecret();
+
+  const app = Fastify({ logger: true });
+
+  await app.register(cors, { origin: false });
+
+  app.addHook('onRequest', authHook);
+
+  await app.register(healthRoutes);
+  await app.register(execRoutes);
+
+  await app.listen({ port: PORT, host: HOST });
+  console.log(`ops-agent listening on ${HOST}:${PORT}`);
+}
+
+main().catch((err) => {
+  console.error(err);
+  process.exit(1);
+});
--- a/ops-agent/src/routes/exec.ts
+++ b/ops-agent/src/routes/exec.ts
@ -0,0 +1,56 @@
+import { FastifyInstance, FastifyRequest } from 'fastify';
+import { spawn } from 'child_process';
+import { getCommand } from '../whitelist.js';
+
+interface ExecBody {
+  command_key: string;
+  args?: string[];
+}
+
+export async function execRoutes(app: FastifyInstance): Promise<void> {
+  app.post('/agent/v1/exec', async (req: FastifyRequest<{ Body: ExecBody }>, reply) => {
+    const { command_key, args = [] } = req.body;
+
+    const def = getCommand(command_key);
+    if (!def) {
+      return reply
+        .status(403)
+        .send({ error: `command_key '${command_key}' is not in the whitelist` });
+    }
+
+    reply.raw.writeHead(200, {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache',
+      Connection: 'keep-alive',
+    });
+
+    const sendEvent = (event: string, data: string) => {
+      reply.raw.write(`event: ${event}\ndata: ${JSON.stringify({ data })}\n\n`);
+    };
+
+    const [bin, ...staticArgs] = def.exec.split(' ');
+    const child = spawn(bin, [...staticArgs, ...args], { shell: false });
+
+    child.stdout.on('data', (chunk: Buffer) => {
+      sendEvent('stdout', chunk.toString());
+    });
+
+    child.stderr.on('data', (chunk: Buffer) => {
+      sendEvent('stderr', chunk.toString());
+    });
+
+    child.on('close', (code) => {
+      reply.raw.write(`event: exit\ndata: ${JSON.stringify({ code })}\n\n`);
+      reply.raw.end();
+    });
+
+    child.on('error', (err) => {
+      reply.raw.write(`event: error\ndata: ${JSON.stringify({ message: err.message })}\n\n`);
+      reply.raw.end();
+    });
+
+    req.raw.on('close', () => {
+      child.kill();
+    });
+  });
+}
--- a/ops-agent/src/routes/health.ts
+++ b/ops-agent/src/routes/health.ts
@ -0,0 +1,7 @@
+import { FastifyInstance } from 'fastify';
+
+export async function healthRoutes(app: FastifyInstance): Promise<void> {
+  app.get('/agent/v1/health', async (_req, reply) => {
+    return reply.send({ status: 'ok', uptime: process.uptime() });
+  });
+}
--- a/ops-agent/src/whitelist.ts
+++ b/ops-agent/src/whitelist.ts
@ -0,0 +1,26 @@
+import fs from 'fs';
+import yaml from 'js-yaml';
+
+export interface CommandDef {
+  exec: string;
+  args_allowed?: string[];
+  description?: string;
+}
+
+export type Whitelist = Record<string, CommandDef>;
+
+let whitelist: Whitelist = {};
+
+export function loadWhitelist(path: string): void {
+  const raw = fs.readFileSync(path, 'utf8');
+  const parsed = yaml.load(raw) as { commands: Whitelist };
+  whitelist = parsed.commands ?? {};
+}
+
+export function getCommand(key: string): CommandDef | undefined {
+  return whitelist[key];
+}
+
+export function listCommands(): string[] {
+  return Object.keys(whitelist);
+}