From 58f542b96f7aed9d1990e6cdffcb397f78470733 Mon Sep 17 00:00:00 2001
From: j
Date: Sun, 8 Mar 2026 13:51:55 +1300
Subject: [PATCH] Add sudo support for container/VM hypervisor commands

---
 app/gather_info.sh | 29 +++++++++++++++++++----------
 setup-remote.sh | 26 +++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/app/gather_info.sh b/app/gather_info.sh
index 6cfc42d..82158cd 100755
--- a/app/gather_info.sh
+++ b/app/gather_info.sh
@@ -196,9 +196,18 @@ gather_container_stats() {
 [ -n "$uptime_s" ] && echo "uptime_seconds=$uptime_s"
 }
 
+# Use sudo if available and needed (infmap user won't have direct access)
+_sudo() {
+ if [ "$(id -u)" -eq 0 ]; then
+ "$@"
+ else
+ sudo -n "$@" 2>/dev/null
+ fi
+}
+
 # Proxmox LXC (pct)
 if command -v pct &>/dev/null; then
- pct list 2>/dev/null | tail -n +2 | while read -r vmid status _ name _; do
+ _sudo pct list 2>/dev/null | tail -n +2 | while read -r vmid status _ name _; do
 [ -z "$vmid" ] && continue
 echo "[container:pct-${vmid}]"
 echo "type=lxc"
@@ -207,14 +216,14 @@ if command -v pct &>/dev/null; then
 echo "name=${name:-$vmid}"
 echo "status=$status"
 if [ "$status" = "running" ]; then
- gather_container_stats "pct exec $vmid --"
+ gather_container_stats "_sudo pct exec $vmid --"
 fi
 done
 fi
 
 # Proxmox VMs (qm)
 if command -v qm &>/dev/null; then
- qm list 2>/dev/null | tail -n +2 | while read -r vmid name status _ mem _; do
+ _sudo qm list 2>/dev/null | tail -n +2 | while read -r vmid name status _ mem _; do
 [ -z "$vmid" ] && continue
 echo "[container:qm-${vmid}]"
 echo "type=vm"
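Review bot: `_sudo` assumes sudo is installed and, with `2>/dev/null` on the `sudo -n` line, hides sudo's own refusal ("a password is required", no matching rule), so on a host without sudo or without the sudoers file every `_sudo pct list …` pipeline yields nothing and the inventory silently reports no containers. Check once and say so on stderr, e.g. `command -v sudo >/dev/null 2>&1 || { echo "_sudo: sudo not found, skipping $1" >&2; return 127; }` before the `sudo -n` line, and consider letting sudo's message through so the reason reaches the caller's log. The header comment could also state the contract rather than the intent: `# Run "$@" as root: directly when already root, else via non-interactive sudo (-n, never prompts); relies on the NOPASSWD rule installed by setup-remote.sh.`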
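Review bot: `gather_container_stats "_sudo pct exec $vmid --"` embeds a shell function name in the exec-prefix string, which only works if gather_container_stats (defined above this hunk, body not shown) expands the prefix unquoted in the same shell; anything that hands the prefix to `sh -c`, `timeout`, `xargs` or `ssh` will fail with "command not found" for `_sudo`. The same pattern appears in the hunks at -225 and -243. If the prefix must be real executables, compute it once, `SUDO_PREFIX=""; [ "$(id -u)" -eq 0 ] || SUDO_PREFIX="sudo -n"`, and pass `"$SUDO_PREFIX pct exec $vmid --"`; otherwise add a comment at the call site that the prefix is deliberately expanded in-shell so the function name is valid there.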
@@ -225,9 +234,9 @@ if command -v qm &>/dev/null; then
 [ -n "$mem" ] && echo "mem_allocated_mb=$mem"
 # VM stats require guest agent - best effort
 if [ "$status" = "running" ]; then
- agent_test=$(qm guest exec "$vmid" -- cat /proc/meminfo 2>/dev/null)
+ agent_test=$(_sudo qm guest exec "$vmid" -- cat /proc/meminfo 2>/dev/null)
 if [ -n "$agent_test" ]; then
- gather_container_stats "qm guest exec $vmid --"
+ gather_container_stats "_sudo qm guest exec $vmid --"
 fi
 fi
 done
@@ -235,7 +244,7 @@ fi
 
 # Plain LXC (lxc/lxd)
 if command -v lxc &>/dev/null && ! command -v pct &>/dev/null; then
- lxc list --format csv -c nsN 2>/dev/null | while IFS=',' read -r name status network; do
+ _sudo lxc list --format csv -c nsN 2>/dev/null | while IFS=',' read -r name status network; do
 [ -z "$name" ] && continue
 echo "[container:lxc-${name}]"
 echo "type=lxc"
@@ -243,7 +252,7 @@ if command -v lxc &>/dev/null && ! command -v pct &>/dev/null; then
 echo "name=$name"
 echo "status=$status"
 if [ "$status" = "RUNNING" ]; then
- gather_container_stats "lxc exec $name --"
+ gather_container_stats "_sudo lxc exec $name --"
 lxd_ip=$(echo "$network" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)
 [ -n "$lxd_ip" ] && echo "ip=$lxd_ip"
 fi
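Review bot: `_sudo lxc list` hands sudo the bare name, so sudo resolves `lxc` against its own secure_path rather than the PATH that the `command -v lxc` guard just searched; where the two differ (a snap-installed lxc outside secure_path is one plausible case, to be confirmed on the target hosts) the guard passes but the sudo call fails, and the `2>/dev/null` hides why. The sudoers rule written by setup-remote.sh also matches on the full path, so resolving the binary inside `_sudo` keeps both sides consistent: `local cmd; cmd=$(command -v "$1") || return 127; shift` followed by `sudo -n "$cmd" "$@" 2>/dev/null`. The same applies to every other `_sudo` call in this patch.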
@@ -252,16 +261,16 @@ fi
 
 # libvirt VMs (virsh)
 if command -v virsh &>/dev/null; then
- virsh list --all --name 2>/dev/null | while read -r name; do
+ _sudo virsh list --all --name 2>/dev/null | while read -r name; do
 [ -z "$name" ] && continue
- state=$(virsh domstate "$name" 2>/dev/null | head -1)
+ state=$(_sudo virsh domstate "$name" 2>/dev/null | head -1)
 echo "[container:virsh-${name}]"
 echo "type=vm"
 echo "platform=libvirt"
 echo "name=$name"
 echo "status=$state"
 if [ "$state" = "running" ]; then
- virsh_ip=$(virsh domifaddr "$name" --source agent 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)
+ virsh_ip=$(_sudo virsh domifaddr "$name" --source agent 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -1)
 [ -n "$virsh_ip" ] && echo "ip=$virsh_ip"
 fi
 done
diff --git a/setup-remote.sh b/setup-remote.sh
index 7993a5a..27cf990 100755
--- a/setup-remote.sh
+++ b/setup-remote.sh
@@ -198,6 +198,27 @@ if [ "$OS" != "openwrt" ]; then
 done
 fi
 
+# --- Sudoers for container/VM commands ---
+
+SUDOERS_FILE="/etc/sudoers.d/infmap"
+SUDO_CMDS=""
+
+# Detect which hypervisor tools are present
+for cmd in pct qm lxc virsh; do
+ cmd_path=$(command -v "$cmd" 2>/dev/null)
+ if [ -n "$cmd_path" ]; then
+ SUDO_CMDS="${SUDO_CMDS}${USERNAME} ALL=(root) NOPASSWD: ${cmd_path}\n"
+ fi
+done
+
+if [ -n "$SUDO_CMDS" ]; then
+ printf "%b" "$SUDO_CMDS" > "$SUDOERS_FILE"
+ chmod 440 "$SUDOERS_FILE"
+ echo "Sudoers rules added for container/VM commands"
+else
+ echo "No hypervisor tools found, skipping sudoers"
+fi
+
 # --- Summary ---
 
 echo ""
@@ -207,6 +228,9 @@ echo " Home: $HOMEDIR"
 echo " Auth: key-only (password disabled)"
 echo " SSH key: restricted to 'bash -s' (no shell, no forwarding)"
 echo " Packages: lm-sensors, pciutils, iproute2"
+if [ -n "$SUDO_CMDS" ]; then
+echo " Sudo: container/VM commands (pct, qm, lxc, virsh)"
+fi
 echo ""
 echo "Add to your infrastructure.conf:"
-echo " ${USERNAME}@$(hostname)"
+echo " $(hostname)"
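Review bot: The rule written to `$SUDOERS_FILE` is `USER ALL=(root) NOPASSWD: /path/to/tool` with no argument restriction, so the infmap key that the summary describes as "no shell, no forwarding" can run any `pct`/`qm`/`lxc`/`virsh` subcommand as root — these tools run arbitrary commands inside guests and manage host storage and networking, which is far wider than the `list`, `domstate` and `exec … cat` calls gather_info.sh makes. Restrict each line to the subcommands actually used (gather_container_stats is not in this diff, so the exact exec argument list has to be confirmed there) and record the scope decision in the commit description. The file is also installed without syntax validation, and a bad line under /etc/sudoers.d makes sudo refuse every invocation on the host, so validate before installing: `tmp=$(mktemp) && printf '%b' "$SUDO_CMDS" > "$tmp"` then `visudo -cf "$tmp" && install -m 440 -o root -g root -- "$tmp" "$SUDOERS_FILE"`, which also avoids the brief world-readable window between the `printf` redirect and `chmod 440`.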
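Review bot: The last change in this hunk, `-echo " ${USERNAME}@$(hostname)"` to `+echo " $(hostname)"`, drops the user from the infrastructure.conf hint and is not mentioned in the subject line, which is about sudo. If the conf format no longer takes a `user@` prefix, say so in the description; otherwise this reads as an accidental edit and should be reverted.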