1c51a0868f
- Extend commands.yml.example with caddy_list_certs (sh loop over /data/caddy/certificates/*/*.crt using openssl) - Add lib/parse-caddy.ts: parseCertList() parses CERTFILE/CERTEND delimited openssl output - Add shiki ^1.29.2 dependency for server-side Caddyfile syntax highlighting Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
72 lines
2.4 KiB
Text
72 lines
2.4 KiB
Text
# Whitelist of allowed commands for ops-agent.
|
|
# Copy to /etc/ops-agent/commands.yml on the host.
|
|
# Restart ops-agent after changes.
|
|
#
|
|
# Schema per command:
|
|
# cmd: required — command + static args as array (no shell, no interpolation)
|
|
# cwd: optional — working directory for the subprocess
|
|
# cwd_pattern: optional — working directory as a glob/pattern (resolved at runtime)
|
|
# args:
|
|
# allowed: optional — whitelist of argument values accepted from the caller
|
|
# If absent or empty, the command takes no extra arguments.
|
|
# description: optional — human-readable description
|
|
|
|
commands:
|
|
docker_ps:
|
|
cmd: ["docker", "ps", "--format", "table"]
|
|
description: "List running Docker containers"
|
|
|
|
git_status:
|
|
cmd: ["git", "status", "--short", "--branch"]
|
|
cwd_pattern: "/srv/"
|
|
description: "Git status with branch info (first arg = repo path, must start with /srv/)"
|
|
|
|
git_log_ahead:
|
|
cmd: ["git", "log", "@{upstream}..HEAD", "--oneline"]
|
|
cwd_pattern: "/srv/"
|
|
description: "Local commits not yet pushed (first arg = repo path)"
|
|
|
|
git_diff:
|
|
cmd: ["git", "diff", "HEAD"]
|
|
cwd_pattern: "/srv/"
|
|
description: "Uncommitted diff against HEAD (first arg = repo path)"
|
|
|
|
git_fetch:
|
|
cmd: ["git", "fetch", "--quiet"]
|
|
cwd_pattern: "/srv/"
|
|
description: "Fetch all remotes silently (first arg = repo path)"
|
|
|
|
systemctl_status:
|
|
cmd: ["systemctl", "status", "--no-pager", "-l"]
|
|
args:
|
|
allowed:
|
|
- scrum4me-web
|
|
- ops-agent
|
|
- caddy
|
|
- docker
|
|
- nginx
|
|
- postgresql
|
|
description: "Show systemctl status for an allowed service"
|
|
|
|
journalctl_recent:
|
|
cmd: ["journalctl", "--since", "1 hour ago", "-n", "100", "--no-pager", "-u"]
|
|
args:
|
|
allowed:
|
|
- scrum4me-web
|
|
- ops-agent
|
|
- caddy
|
|
- docker
|
|
- nginx
|
|
- postgresql
|
|
description: "Last 100 journal lines from the past hour for an allowed service"
|
|
|
|
caddy_show_config:
|
|
cmd: ["caddy", "fmt", "/etc/caddy/Caddyfile"]
|
|
description: "Print the formatted Caddy config"
|
|
|
|
caddy_list_certs:
|
|
cmd:
|
|
- sh
|
|
- -c
|
|
- "for f in /data/caddy/certificates/*/*.crt; do [ -f \"$f\" ] || continue; echo \"CERTFILE:$f\"; openssl x509 -noout -subject -issuer -dates -in \"$f\" 2>&1; echo \"CERTEND\"; done"
|
|
description: "List TLS cert info (subject, issuer, validity dates) from Caddy certificate store"
|