feat: ops-agent Fastify service met SSE, whitelist en systemd-unit

- ops-agent/: Node.js Fastify+TypeScript service
  - GET /agent/v1/health
  - POST /agent/v1/exec → SSE stream (stdout/stderr/exit events)
  - Whitelist geladen uit /etc/ops-agent/commands.yml bij opstart
  - Auth via Bearer shared secret (/etc/ops-agent/secret, mode 0640)
  - Vier standaard commando's: docker_ps, git_status, systemctl_status,
    caddy_show_config
- deploy/ops-agent/ops-agent.service: systemd-unit (User=ops-agent,
  Restart=on-failure, StandardOutput=journal)
- deploy/ops-agent/setup.sh: aanmaken system-user, build, deploy,
  systemctl enable --now ops-agent

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ops-agent/src/auth.ts

@@ -0,0 +1,29 @@
+import fs from 'fs';
+import { FastifyRequest, FastifyReply } from 'fastify';
+
+const SECRET_PATH = process.env.OPS_AGENT_SECRET_PATH ?? '/etc/ops-agent/secret';
+
+let secret: string | null = null;
+
+export function loadSecret(): void {
+  if (!fs.existsSync(SECRET_PATH)) {
+    console.warn(`[auth] Secret file not found at ${SECRET_PATH} — auth disabled`);
+    return;
+  }
+  const stat = fs.statSync(SECRET_PATH);
+  // Warn if permissions are too open (should be 0600)
+  if ((stat.mode & 0o177) !== 0) {
+    console.warn(`[auth] Warning: ${SECRET_PATH} has loose permissions — expected 0600`);
+  }
+  secret = fs.readFileSync(SECRET_PATH, 'utf8').trim();
+}
+
+export async function authHook(req: FastifyRequest, reply: FastifyReply): Promise<void> {
+  if (secret === null) return; // auth disabled
+
+  const header = req.headers['authorization'] ?? '';
+  const token = header.startsWith('Bearer ') ? header.slice(7) : '';
+  if (token !== secret) {
+    await reply.status(401).send({ error: 'unauthorized' });
+  }
+}