feat(actions): configurable SSH user + insecure-TLS for PVE; real action whitelist + Z wrapper

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/void-act

@@ -1,15 +1,20 @@
 #!/usr/bin/env bash
-# Forced command for the Void's restricted key. Maps a whitelisted action id to a
-# concrete systemctl restart. The id arrives via SSH_ORIGINAL_COMMAND; nothing else
-# is honoured. Edit the case list per host. Keep in sync with config/actions.json.
+# Forced command for the Void's restricted key on Z (installed in root's
+# authorized_keys via command="..."). Maps a whitelisted service-restart action
+# id to a FIXED `pct exec ... systemctl restart`. The id arrives via
+# SSH_ORIGINAL_COMMAND; nothing else is honoured — no input is interpolated into a
+# command. Guest power goes through the Proxmox API, NOT this wrapper. Keep the
+# case list in sync with config/actions.json (service_restart entries).
 #
-# Install on each target host:
+# Install on Z:
 #   install -m 755 void-act /usr/local/bin/void-act
-#   # in voidact's ~/.ssh/authorized_keys, prefix the Void's pubkey with:
-#   command="/usr/local/bin/void-act",no-port-forwarding,no-pty,no-X11-forwarding <pubkey>
+#   # prefix the Void's pubkey in /root/.ssh/authorized_keys with:
+#   command="/usr/local/bin/void-act",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding <pubkey>
 set -euo pipefail
-id="${SSH_ORIGINAL_COMMAND:-}"
-case "$id" in
-  restart-caddy-ct100) exec systemctl restart caddy ;;
-  *) echo "void-act: refused '$id'" >&2; exit 13 ;;
+case "${SSH_ORIGINAL_COMMAND:-}" in
+  restart-pihole)      exec pct exec 106 -- systemctl restart pihole-FTL ;;
+  restart-gitea)       exec pct exec 105 -- systemctl restart gitea ;;
+  restart-n8n)         exec pct exec 110 -- systemctl restart n8n ;;
+  restart-magicmirror) exec pct exec 111 -- systemctl restart magicmirror ;;
+  *) echo "void-act: refused '${SSH_ORIGINAL_COMMAND:-}'" >&2; exit 13 ;;
 esac