#!/usr/bin/env bash
# Forced command for the Void's restricted key. Maps a whitelisted action id to a
# concrete systemctl restart. The id arrives via SSH_ORIGINAL_COMMAND; nothing else
# is honoured. Edit the case list per host. Keep in sync with config/actions.json.
#
# Install on each target host:
#   install -m 755 void-act /usr/local/bin/void-act
#   # in voidact's ~/.ssh/authorized_keys, prefix the Void's pubkey with:
#   command="/usr/local/bin/void-act",no-port-forwarding,no-pty,no-X11-forwarding <pubkey>
set -euo pipefail
id="${SSH_ORIGINAL_COMMAND:-}"
case "$id" in
  restart-caddy-ct100) exec systemctl restart caddy ;;
  *) echo "void-act: refused '$id'" >&2; exit 13 ;;
esac