infra/users/ai-worker.nix

{ pkgs, inputs, config, keys, ... }: {
  users.users.ai-worker = {
    isSystemUser = true;
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
    # ai-worker stays in docker group for normal docker operations (ps, start, stop, compose, ...)
    # Dangerous commands (exec, cp, commit) are blocked by a wrapper script.
    extraGroups = [ "docker" ];
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
      keys.users.ai-worker.main
    ];
    # No password login - SSH key only
    hashedPassword = "!";
  };
  users.groups.ai-worker = {};

  # Enable restricted AI worker SSH access
  # SECURITY: ai-worker is in docker group but docker commands are filtered:
  #   ALLOWED: ps, images, logs, start, stop, restart, rm, rmi, pull, build, run, compose
  #   BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push
  # The filtering is done by a docker wrapper in ai-worker's PATH.
  services.aiWorkerAccess = true;

  # Restricted sudo for ai-worker - security checks only (not for docker)
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
      commands = [
        # Firewall checks
        {
          command = "/run/wrappers/bin/sudo iptables -L -n -v";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/wrappers/bin/sudo iptables -S";
          options = [ "NOPASSWD" ];
        }
        # Fail2ban status
        {
          command = "/run/current-system/sw/bin/fail2ban-client status";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/fail2ban-client status *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
          options = [ "NOPASSWD" ];
        }
        # Log inspection
        {
          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
          options = [ "NOPASSWD" ];
        }
        # SSH config verification
        {
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/cat /proc/net/tcp";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
}
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`{ pkgs, inputs, config, keys, ... }: {`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`users.users.ai-worker = {`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`isSystemUser = true;`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`group = "ai-worker";`
fix: set correct working directory and create home for ai-worker 2026-04-04 17:07:13 -04:00			`home = "/home/ai-worker";`
			`createHome = true;`
fix: restrict docker commands for ai-worker (wrapper blacklist) SECURITY CHANGE: Keep ai-worker in docker group but block dangerous docker subcommands via a wrapper script. Approach: - docker group membership preserved (ps, start, stop, compose still work) - Docker binary wrapped with a script that blocks dangerous subcommands - BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag - ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls The wrapper is installed in both system packages and ai-worker's personal profile to ensure it takes precedence over the real docker. This is effective for the LLM agent threat model — the agent uses CLI commands and blocked subcommands simply return an error. Files modified: - users/ai-worker.nix — restored docker group, kept sudo audit rules - modules/nixos/security/ai-worker-restricted.nix — added docker wrapper script with blacklist logic and NixOS module integration - modules/nixos/security/README-ai-worker.md — documentation update 2026-05-20 20:34:19 -04:00			`# ai-worker stays in docker group for normal docker operations (ps, start, stop, compose, ...)`
			`# Dangerous commands (exec, cp, commit) are blocked by a wrapper script.`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`extraGroups = [ "docker" ];`
			`shell = pkgs.bashInteractive;`
			`openssh.authorizedKeys.keys = [`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`keys.users.ai-worker.main`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`];`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00			`# No password login - SSH key only`
			`hashedPassword = "!";`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`};`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`users.groups.ai-worker = {};`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker (wrapper blacklist) SECURITY CHANGE: Keep ai-worker in docker group but block dangerous docker subcommands via a wrapper script. Approach: - docker group membership preserved (ps, start, stop, compose still work) - Docker binary wrapped with a script that blocks dangerous subcommands - BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag - ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls The wrapper is installed in both system packages and ai-worker's personal profile to ensure it takes precedence over the real docker. This is effective for the LLM agent threat model — the agent uses CLI commands and blocked subcommands simply return an error. Files modified: - users/ai-worker.nix — restored docker group, kept sudo audit rules - modules/nixos/security/ai-worker-restricted.nix — added docker wrapper script with blacklist logic and NixOS module integration - modules/nixos/security/README-ai-worker.md — documentation update 2026-05-20 20:34:19 -04:00			`# Enable restricted AI worker SSH access`
			`# SECURITY: ai-worker is in docker group but docker commands are filtered:`
			`# ALLOWED: ps, images, logs, start, stop, restart, rm, rmi, pull, build, run, compose`
			`# BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push`
			`# The filtering is done by a docker wrapper in ai-worker's PATH.`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00			`services.aiWorkerAccess = true;`
fix: restrict docker commands for ai-worker (wrapper blacklist) SECURITY CHANGE: Keep ai-worker in docker group but block dangerous docker subcommands via a wrapper script. Approach: - docker group membership preserved (ps, start, stop, compose still work) - Docker binary wrapped with a script that blocks dangerous subcommands - BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag - ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls The wrapper is installed in both system packages and ai-worker's personal profile to ensure it takes precedence over the real docker. This is effective for the LLM agent threat model — the agent uses CLI commands and blocked subcommands simply return an error. Files modified: - users/ai-worker.nix — restored docker group, kept sudo audit rules - modules/nixos/security/ai-worker-restricted.nix — added docker wrapper script with blacklist logic and NixOS module integration - modules/nixos/security/README-ai-worker.md — documentation update 2026-05-20 20:34:19 -04:00
			`# Restricted sudo for ai-worker - security checks only (not for docker)`
security: add restricted sudo for ai-worker with security audit commands - Deployment: nh os switch, nixos-rebuild switch (flake path locked) - Firewall checks: iptables -L, iptables -S - Fail2ban: status, banned IPs - Logs: journalctl for kernel and fail2ban - SSH config: sshd -T for verification - Docker: ps, inspect (service health) - Network: ss -tlnp, /proc/net/tcp All commands are whitelisted with NOPASSWD. No shell access, no ALL command - principle of least privilege. 2026-04-30 17:33:05 +00:00			`security.sudo.extraRules = [`
			`{`
			`users = [ "ai-worker" ];`
			`commands = [`
security: remove deployment commands from ai-worker sudo rules ai-worker only needs security audit commands, not deployment access. Removed: - nh os switch - nixos-rebuild switch Kept: - Firewall checks (iptables) - Fail2ban status - Log inspection (journalctl) - SSH config (sshd -T) - Docker service checks - Network diagnostics 2026-04-30 17:36:13 +00:00			`# Firewall checks`
security: add restricted sudo for ai-worker with security audit commands - Deployment: nh os switch, nixos-rebuild switch (flake path locked) - Firewall checks: iptables -L, iptables -S - Fail2ban: status, banned IPs - Logs: journalctl for kernel and fail2ban - SSH config: sshd -T for verification - Docker: ps, inspect (service health) - Network: ss -tlnp, /proc/net/tcp All commands are whitelisted with NOPASSWD. No shell access, no ALL command - principle of least privilege. 2026-04-30 17:33:05 +00:00			`{`
			`command = "/run/wrappers/bin/sudo iptables -L -n -v";`
			`options = [ "NOPASSWD" ];`
			`}`
			`{`
			`command = "/run/wrappers/bin/sudo iptables -S";`
			`options = [ "NOPASSWD" ];`
			`}`
security: remove deployment commands from ai-worker sudo rules ai-worker only needs security audit commands, not deployment access. Removed: - nh os switch - nixos-rebuild switch Kept: - Firewall checks (iptables) - Fail2ban status - Log inspection (journalctl) - SSH config (sshd -T) - Docker service checks - Network diagnostics 2026-04-30 17:36:13 +00:00			`# Fail2ban status`
security: add restricted sudo for ai-worker with security audit commands - Deployment: nh os switch, nixos-rebuild switch (flake path locked) - Firewall checks: iptables -L, iptables -S - Fail2ban: status, banned IPs - Logs: journalctl for kernel and fail2ban - SSH config: sshd -T for verification - Docker: ps, inspect (service health) - Network: ss -tlnp, /proc/net/tcp All commands are whitelisted with NOPASSWD. No shell access, no ALL command - principle of least privilege. 2026-04-30 17:33:05 +00:00			`{`
			`command = "/run/current-system/sw/bin/fail2ban-client status";`
			`options = [ "NOPASSWD" ];`
			`}`
			`{`
			`command = "/run/current-system/sw/bin/fail2ban-client status *";`
			`options = [ "NOPASSWD" ];`
			`}`
			`{`
			`command = "/run/current-system/sw/bin/fail2ban-client get * banned";`
			`options = [ "NOPASSWD" ];`
			`}`
security: remove deployment commands from ai-worker sudo rules ai-worker only needs security audit commands, not deployment access. Removed: - nh os switch - nixos-rebuild switch Kept: - Firewall checks (iptables) - Fail2ban status - Log inspection (journalctl) - SSH config (sshd -T) - Docker service checks - Network diagnostics 2026-04-30 17:36:13 +00:00			`# Log inspection`
security: add restricted sudo for ai-worker with security audit commands - Deployment: nh os switch, nixos-rebuild switch (flake path locked) - Firewall checks: iptables -L, iptables -S - Fail2ban: status, banned IPs - Logs: journalctl for kernel and fail2ban - SSH config: sshd -T for verification - Docker: ps, inspect (service health) - Network: ss -tlnp, /proc/net/tcp All commands are whitelisted with NOPASSWD. No shell access, no ALL command - principle of least privilege. 2026-04-30 17:33:05 +00:00			`{`
			`command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";`
			`options = [ "NOPASSWD" ];`
			`}`
			`{`
			`command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";`
			`options = [ "NOPASSWD" ];`
			`}`
security: remove deployment commands from ai-worker sudo rules ai-worker only needs security audit commands, not deployment access. Removed: - nh os switch - nixos-rebuild switch Kept: - Firewall checks (iptables) - Fail2ban status - Log inspection (journalctl) - SSH config (sshd -T) - Docker service checks - Network diagnostics 2026-04-30 17:36:13 +00:00			`{`
			`command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";`
			`options = [ "NOPASSWD" ];`
			`}`
			`# SSH config verification`
security: add restricted sudo for ai-worker with security audit commands - Deployment: nh os switch, nixos-rebuild switch (flake path locked) - Firewall checks: iptables -L, iptables -S - Fail2ban: status, banned IPs - Logs: journalctl for kernel and fail2ban - SSH config: sshd -T for verification - Docker: ps, inspect (service health) - Network: ss -tlnp, /proc/net/tcp All commands are whitelisted with NOPASSWD. No shell access, no ALL command - principle of least privilege. 2026-04-30 17:33:05 +00:00			`{`
			`command = "/run/current-system/sw/bin/sshd -T";`
			`options = [ "NOPASSWD" ];`
			`}`
			`# Network diagnostics`
			`{`
			`command = "/run/current-system/sw/bin/ss -tlnp";`
			`options = [ "NOPASSWD" ];`
			`}`
			`{`
			`command = "/run/current-system/sw/bin/cat /proc/net/tcp";`
			`options = [ "NOPASSWD" ];`
			`}`
			`];`
			`}`
			`];`
chore: add n8n-worker user and update authentication configuration 2026-01-01 02:25:34 -05:00			`}`