/etc/sudoers.d/ops-agent grants NOPASSWD to ops-agent for the exact systemctl restart invocations whitelisted in commands.yml. setup.sh installs and validates it via visudo -c.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- ops-agent/: Node.js Fastify+TypeScript service
- GET /agent/v1/health
- POST /agent/v1/exec → SSE stream (stdout/stderr/exit events)
- Whitelist loaded from /etc/ops-agent/commands.yml at startup
- Auth via Bearer shared secret (/etc/ops-agent/secret, mode 0640)
- Four default commands: docker_ps, git_status, systemctl_status, caddy_show_config
- deploy/ops-agent/ops-agent.service: systemd unit (User=ops-agent, Restart=on-failure, StandardOutput=journal)
- deploy/ops-agent/setup.sh: create system user, build, deploy, systemctl enable --now ops-agent

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
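
The dispatch-by-id allowlist and the exact-match sudoers rules that these two commit messages describe, as an added example that is not code from the repository. The commands.yml schema, the `restart_caddy` id, the binary paths and the unit name are assumptions.

```typescript
// Added example. Schema, ids, binary paths and the unit name are assumptions,
// not the contents of the project's commands.yml.
type Entry = { argv: string[]; sudo?: boolean };
type Allowlist = Record<string, Entry>;

// Constructed sample allowlist.
const SAMPLE: Allowlist = {
  docker_ps: { argv: ["/usr/bin/docker", "ps"] },
  restart_caddy: { argv: ["/usr/bin/systemctl", "restart", "caddy.service"], sudo: true },
};

// sudoers wildcards, separators and escapes; whitespace would split one argument into two.
const UNSAFE = /[*?\[\]!\\,:=\s"'#]/;

// The request carries only an id; argv always comes from the allowlist.
// The own-property check keeps ids like "constructor" from resolving to Object.prototype members.
function resolveCommand(id: unknown, list: Allowlist = SAMPLE): string[] | null {
  if (typeof id !== "string" || !Object.prototype.hasOwnProperty.call(list, id)) return null;
  const entry = list[id];
  if (!entry) return null;
  return entry.sudo ? ["/usr/bin/sudo", "-n", ...entry.argv] : [...entry.argv];
}

// One sudoers rule per privileged entry, matching the full command line and nothing wider.
// Entries that sudoers would interpret as a pattern, or as "any arguments", are refused.
function sudoersRules(list: Allowlist, user: string): string[] {
  const rules: string[] = [];
  for (const id of Object.keys(list)) {
    const entry = list[id];
    if (!entry || !entry.sudo) continue;
    const bin = entry.argv[0];
    if (!bin || bin.charAt(0) !== "/") throw new Error(`${id}: binary must be an absolute path`);
    if (entry.argv.length < 2) throw new Error(`${id}: a rule without arguments permits any arguments`);
    for (const part of entry.argv) {
      if (part === "" || UNSAFE.test(part)) throw new Error(`${id}: unsafe token ${JSON.stringify(part)}`);
    }
    rules.push(`${user} ALL=(root) NOPASSWD: ${entry.argv.join(" ")}`);
  }
  return rules;
}
```

The resolved argv is meant to be passed to a non-shell spawn such as `child_process.execFile`, and the generated rules still need the `visudo -c` check the commit message mentions.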