# sudo rules for the "observer" account: mostly read-only inspection and
# monitoring commands, plus a few unrestricted-argument tools (tcpdump, dmesg,
# iftop, traceroute, dig, journalctl) that are NOT read-only — see the notes
# on each alias below before extending this file.
# iptables: listing/dump only (-L/--list, -S/--list-rules, iptables-save).
# sudoers '*' also matches whitespace, so "-L *" and "-t * -L *" admit
# additional iptables options after the listing flag, not just a chain name.
# NOTE(review): iptables(8) has --modprobe=<program>, which iptables runs as
# root when a table's kernel module needs loading; confirm that
# "-t <unknown table> --modprobe=... -L" cannot reach it on this host, or
# enumerate the real table names instead of "-t *".
Cmnd_Alias IPTABLES_READONLY_OBSERVER = /usr/sbin/iptables -L, \
    /usr/sbin/iptables -L *, \
    /usr/sbin/iptables --list, \
    /usr/sbin/iptables --list *, \
    /usr/sbin/iptables -S, \
    /usr/sbin/iptables -S *, \
    /usr/sbin/iptables --list-rules, \
    /usr/sbin/iptables --list-rules *, \
    /usr/sbin/iptables -t * -L, \
    /usr/sbin/iptables -t * -L *, \
    /usr/sbin/iptables -t * -S, \
    /usr/sbin/iptables -t * -S *, \
    /usr/sbin/iptables --help, \
    /usr/sbin/iptables-save

# ipset: list/save/test only.  -L, -S and -T are the short forms of list,
# save and test; "-T *" takes "<set> <entry>" and is a membership lookup,
# not a modification.  The trailing '*' patterns span whitespace, so any
# further ipset options after the command word are accepted as well.
Cmnd_Alias IPSET_READONLY_OBSERVER = /usr/sbin/ipset list, \
    /usr/sbin/ipset list *, \
    /usr/sbin/ipset -L, \
    /usr/sbin/ipset -L *, \
    /usr/sbin/ipset save, \
    /usr/sbin/ipset save *, \
    /usr/sbin/ipset -S, \
    /usr/sbin/ipset -S *, \
    /usr/sbin/ipset -T *, \
    /usr/sbin/ipset --help

# conntrack: table dump (-L/--dump), statistics (-S/--stats) and entry
# counters (-C/--count).  The command letter is fixed to -L in every
# wildcard pattern; note that in "-L -p * *" the trailing '*' spans
# whitespace, so any further conntrack options are accepted after
# "-p <proto>", not only filter values.
Cmnd_Alias CONNTRACK_READONLY_OBSERVER = /usr/sbin/conntrack -L, \
    /usr/sbin/conntrack -L *, \
    /usr/sbin/conntrack --dump, \
    /usr/sbin/conntrack --dump *, \
    /usr/sbin/conntrack -S, \
    /usr/sbin/conntrack --stats, \
    /usr/sbin/conntrack -C, \
    /usr/sbin/conntrack --count, \
    /usr/sbin/conntrack -L -p tcp, \
    /usr/sbin/conntrack -L -p udp, \
    /usr/sbin/conntrack -L -p icmp, \
    /usr/sbin/conntrack -L -p * *, \
    /usr/sbin/conntrack --help, \
    /usr/sbin/conntrack -h

# ipsec(8) status output only (statusall is the strongSwan-style verbose
# form).  /usr/sbin/ipsec is typically a shell wrapper that execs the real
# daemon control tool, so keep this alias out of any NOEXEC-tagged rule.
Cmnd_Alias IPSEC_READONLY_OBSERVER = /usr/sbin/ipsec status, \
    /usr/sbin/ipsec status *, \
    /usr/sbin/ipsec statusall, \
    /usr/sbin/ipsec --help

# service(8) status queries.
# NOTE(review): "service * status" is NOT read-only.  sudoers '*' matches
# whitespace and service(8) takes the action from its second argument, so
# "sudo service nginx stop status" matches this pattern and stops the unit.
# Fix by enumerating units ("/usr/sbin/service nginx status", ...) or by
# dropping this alias in favour of the systemctl status/is-active rules.
Cmnd_Alias SERVICE_READONLY_OBSERVER = /usr/sbin/service --status-all, \
    /usr/sbin/service * status

# systemctl state queries.  These only read unit state, but when stdout is
# a terminal "status", "list-units", "list-unit-files" and "-a"/"--all" hand
# their output to a pager (less by default), and "!sh" inside a pager that
# runs as root is a root shell.  Require the flag in the pattern
# ("/usr/bin/systemctl --no-pager status *") or set SYSTEMD_PAGER=cat for
# this rule through a root-controlled Defaults env_file.  Most of this
# information is also readable without sudo.
Cmnd_Alias SYSTEMCTL_READONLY_OBSERVER = /usr/bin/systemctl status, \
    /usr/bin/systemctl status *, \
    /usr/bin/systemctl list-units, \
    /usr/bin/systemctl list-units *, \
    /usr/bin/systemctl list-unit-files, \
    /usr/bin/systemctl list-unit-files *, \
    /usr/bin/systemctl is-active *, \
    /usr/bin/systemctl is-enabled *, \
    /usr/bin/systemctl is-failed *, \
    /usr/bin/systemctl -a, \
    /usr/bin/systemctl --all, \
    /usr/bin/systemctl --help

# redis-cli inspection.  Caveats:
#  - "config get *" returns requirepass/masterauth and "monitor" streams
#    every client command with its arguments, so this alias exposes Redis
#    credentials and live data, not only metrics.
#  - "keys *" is an O(N) scan that blocks the server; prefer "--scan".
#  - the '*' after "-p" and after "-n" spans whitespace, so additional
#    redis-cli options can be placed before the command word.
#    NOTE(review): e.g. "--rdb <path>" writes a dump to a local file as root
#    before any command runs — confirm, and pin "-p 6379" and the database
#    numbers actually used instead of bare '*'.
Cmnd_Alias REDIS_READONLY_OBSERVER = /usr/bin/redis-cli info, \
    /usr/bin/redis-cli info *, \
    /usr/bin/redis-cli ping, \
    /usr/bin/redis-cli config get *, \
    /usr/bin/redis-cli client list, \
    /usr/bin/redis-cli memory usage *, \
    /usr/bin/redis-cli dbsize, \
    /usr/bin/redis-cli lastsave, \
    /usr/bin/redis-cli time, \
    /usr/bin/redis-cli monitor, \
    /usr/bin/redis-cli keys *, \
    /usr/bin/redis-cli json.get *, \
    /usr/bin/redis-cli -n * config get *, \
    /usr/bin/redis-cli -n * keys *, \
    /usr/bin/redis-cli -n * json.get *, \
    /usr/bin/redis-cli -p * -n * llen *, \
    /usr/bin/redis-cli -p * -n * keys *, \
    /usr/bin/redis-cli --help

# Celery inspection and debug-bundle collection.
#  - /opt/control.setloki/tools/*.sh and /opt/venv3/bin/celery run as root:
#    they, and every directory on their path, must be root-owned and not
#    writable by observer, otherwise this alias is a root shell.
#  - NOTE(review): "mv /tmp/*.tar.xz /home/observer/" is not limited to one
#    file.  sudoers '*' matches whitespace, so
#    "sudo mv /tmp/a.tar.xz /etc/shadow /tmp/b.tar.xz /home/observer/"
#    matches and moves arbitrary root-owned files into observer's home
#    (and /tmp is world-writable, so any user can plant the archive name).
#    Have collect_debug_data.sh write its archive into /home/observer
#    directly and drop the mv entry.
Cmnd_Alias CELERY_READONLY_OBSERVER = /bin/bash /opt/control.setloki/tools/collect_celery_states.sh, \
    /opt/venv3/bin/celery --workdir /opt/control.setloki -A tasks.task_manager inspect *, \
    /bin/bash /opt/control.setloki/tools/collect_debug_data.sh, \
    /usr/bin/mv /tmp/*.tar.xz /home/observer/

# netstat listings with fixed flag sets (no wildcards).  Only -p (and the
# -tulpn combination) needs root, to show the owning PID of other users'
# sockets; the rest is readable unprivileged.
Cmnd_Alias NETSTAT_READONLY_OBSERVER = /usr/bin/netstat -a, \
    /usr/bin/netstat -l, \
    /usr/bin/netstat -n, \
    /usr/bin/netstat -r, \
    /usr/bin/netstat -s, \
    /usr/bin/netstat -i, \
    /usr/bin/netstat -p, \
    /usr/bin/netstat -tulpn, \
    /usr/bin/netstat -an, \
    /usr/bin/netstat -ln, \
    /usr/bin/netstat -nr

# vmstat with fixed arguments.  "1", "3" and "5" are sampling intervals
# (the command then runs until interrupted).  vmstat reads /proc only and
# needs no privilege, so this grant adds no capability.
Cmnd_Alias VMSTAT_READONLY_OBSERVER = /usr/bin/vmstat -s, \
    /usr/bin/vmstat -d, \
    /usr/bin/vmstat -p, \
    /usr/bin/vmstat -S k, \
    /usr/bin/vmstat -S m, \
    /usr/bin/vmstat -S M, \
    /usr/bin/vmstat 1, \
    /usr/bin/vmstat 3, \
    /usr/bin/vmstat 5

# lsof with fixed flags: -i (internet sockets), -n (no host lookup),
# -P (no port-name lookup).  Run as root these list every user's open
# sockets; note "lsof -n" alone lists every open file on the system.
Cmnd_Alias LSOF_READONLY_OBSERVER = /usr/bin/lsof -i, \
    /usr/bin/lsof -n, \
    /usr/bin/lsof -i -P, \
    /usr/bin/lsof -i -n

# ARP cache display with fixed flags.  Read-only and readable unprivileged
# (/proc/net/arp); no wildcards.
Cmnd_Alias ARP_READONLY_OBSERVER = /usr/sbin/arp -a, \
    /usr/sbin/arp -n, \
    /usr/sbin/arp -e, \
    /usr/sbin/arp -a -n, \
    /usr/sbin/arp -e -n

# ip(8) show/list/get subcommands only.  All are read-only and work without
# root.  "ip route get *" is the only wildcard entry; 'get' is a route
# lookup and does not modify the table.
Cmnd_Alias IP_READONLY_OBSERVER = /usr/sbin/ip addr show, \
    /usr/sbin/ip addr list, \
    /usr/sbin/ip a show, \
    /usr/sbin/ip a list, \
    /usr/sbin/ip a, \
    /usr/sbin/ip link show, \
    /usr/sbin/ip link list, \
    /usr/sbin/ip route show, \
    /usr/sbin/ip route list, \
    /usr/sbin/ip route get *, \
    /usr/sbin/ip neigh show, \
    /usr/sbin/ip neigh list, \
    /usr/sbin/ip rule show, \
    /usr/sbin/ip rule list, \
    /usr/sbin/ip -s link, \
    /usr/sbin/ip -s link show, \
    /usr/sbin/ip -s link list, \
    /usr/sbin/ip -4 addr show, \
    /usr/sbin/ip -4 route show, \
    /usr/sbin/ip -6 addr show, \
    /usr/sbin/ip -6 route show

# Package database queries (apt, apt-cache, dpkg, dpkg-query).  Every entry
# here is readable by an unprivileged user, so sudo adds no capability —
# it only runs a root-owned parser on observer-chosen arguments (the '*'
# patterns also admit extra options).  Consider dropping this alias and
# letting observer run these tools directly.
Cmnd_Alias APT_READONLY_OBSERVER = /usr/bin/apt list, \
    /usr/bin/apt list *, \
    /usr/bin/apt search *, \
    /usr/bin/apt show *, \
    /usr/bin/apt policy, \
    /usr/bin/apt policy *, \
    /usr/bin/apt-cache search *, \
    /usr/bin/apt-cache show *, \
    /usr/bin/apt-cache policy, \
    /usr/bin/apt-cache policy *, \
    /usr/bin/apt-cache depends *, \
    /usr/bin/apt-cache rdepends *, \
    /usr/bin/apt-cache pkgnames, \
    /usr/bin/apt-cache stats, \
    /usr/bin/dpkg -l, \
    /usr/bin/dpkg -l *, \
    /usr/bin/dpkg -L *, \
    /usr/bin/dpkg -s *, \
    /usr/bin/dpkg --list, \
    /usr/bin/dpkg --list *, \
    /usr/bin/dpkg --listfiles *, \
    /usr/bin/dpkg --status *, \
    /usr/bin/dpkg --get-selections, \
    /usr/bin/dpkg-query -l, \
    /usr/bin/dpkg-query -l *, \
    /usr/bin/dpkg-query -L *, \
    /usr/bin/dpkg-query -s *, \
    /usr/bin/dpkg-query -W, \
    /usr/bin/dpkg-query -W *

# WireGuard show/showconf.  Read-only, but not secret-free: "wg showconf
# <if>" and "wg show <if> private-key" print the interface private key (and
# peers' preshared keys).  Grant only if observer is meant to hold VPN key
# material; otherwise limit to "wg show <if> endpoints|latest-handshakes|transfer".
Cmnd_Alias WG_READONLY_OBSERVER = /usr/bin/wg show, \
    /usr/bin/wg show *, \
    /usr/bin/wg showconf *, \
    /usr/bin/wg help, \
    /usr/bin/wg --help

# tcpdump with unrestricted arguments.
# NOTE(review): this is a root shell, not a read-only grant.  "-z <command>"
# runs a post-rotate command as root (e.g. "-w /dev/null -W 1 -G 1 -z
# /tmp/x.sh"), and "-Z root" keeps root while "-w" opens its output file
# (check the installed build's default privilege drop).  Tag the rule that
# grants this alias with NOEXEC (blocks the -z exec while capture still
# works) or replace the alias with a fixed wrapper script.  Also confirm
# /usr/local/bin/tcpdump exists and is root-owned: sudo matches the path,
# not the identity of the binary behind it.
Cmnd_Alias TCPDUMP_ALL_OBSERVER = /usr/bin/tcpdump, \
    /usr/local/bin/tcpdump

# Tools with unrestricted arguments.  Despite the file header these are not
# all read-only:
#  - dmesg: "-C"/"-c" clears the kernel ring buffer.
#  - journalctl: "--vacuum-*", "--rotate" and "--flush" modify the journal,
#    and on a terminal the output goes to a pager from which "!sh" is a
#    root shell.  Prefer "/usr/bin/journalctl --no-pager *" patterns, or
#    add observer to the systemd-journal group and drop the sudo grant.
#  - dig: needs no privilege, and "dig -f <file>" can disclose any file
#    readable by root — remove it from this alias.
#  - iftop/traceroute: need raw sockets; their options are unconstrained.
Cmnd_Alias CMD_ALL_OBSERVER = /usr/bin/dmesg, \
    /usr/sbin/iftop, \
    /usr/sbin/traceroute, \
    /usr/bin/dig, \
    /usr/bin/journalctl

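# Grant to the observer account.  Runas is pinned to root: the original
# "(ALL)" also permitted "sudo -u <any user> <cmd>", which none of these
# tools need; plain "sudo <cmd>" behaves exactly as before.
observer ALL=(root) NOPASSWD: IPTABLES_READONLY_OBSERVER, \
    IPSET_READONLY_OBSERVER, \
    CONNTRACK_READONLY_OBSERVER, \
    IPSEC_READONLY_OBSERVER, \
    SERVICE_READONLY_OBSERVER, \
    SYSTEMCTL_READONLY_OBSERVER, \
    REDIS_READONLY_OBSERVER, \
    CELERY_READONLY_OBSERVER, \
    NETSTAT_READONLY_OBSERVER, \
    VMSTAT_READONLY_OBSERVER, \
    LSOF_READONLY_OBSERVER, \
    ARP_READONLY_OBSERVER, \
    IP_READONLY_OBSERVER, \
    APT_READONLY_OBSERVER, \
    WG_READONLY_OBSERVER, \
    CMD_ALL_OBSERVER

# tcpdump is granted separately with NOEXEC: "tcpdump -z <command>" runs a
# post-rotate command as root, and NOEXEC makes sudo refuse the exec() so
# capture keeps working but -z cannot spawn anything.  sudoers(5) notes
# that NOEXEC is enforced through the dynamic loader and does not cover
# statically linked or setuid binaries, so keep tcpdump a normal,
# dynamically linked binary.  The script-based aliases (ipsec, service,
# celery collectors) stay on the rule above because they must exec.
observer ALL=(root) NOEXEC: NOPASSWD: TCPDUMP_ALL_OBSERVER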