infra/users/ai-worker.nix

{ pkgs, inputs, config, keys, ... }: {
  users.users.ai-worker = {
    isSystemUser = true;
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
    extraGroups = [ "docker" ];
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
      keys.users.ai-worker.main
    ];
    # No password login - SSH key only
    hashedPassword = "!";
  };
  users.groups.ai-worker = {};

  # Enable restricted AI worker SSH access for ollama benchmarking
  # SECURITY: ai-worker can only:
  #   - SSH into host from Hermes container
  #   - Run docker commands (docker exec ollama ...) via docker group
  #   - NO access to infra repo (no bind mount)
  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
  services.aiWorkerAccess = true;
}
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`{ pkgs, inputs, config, keys, ... }: {`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`users.users.ai-worker = {`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`isSystemUser = true;`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`group = "ai-worker";`
fix: set correct working directory and create home for ai-worker 2026-04-04 17:07:13 -04:00			`home = "/home/ai-worker";`
			`createHome = true;`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`extraGroups = [ "docker" ];`
			`shell = pkgs.bashInteractive;`
			`openssh.authorizedKeys.keys = [`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`keys.users.ai-worker.main`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`];`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00			`# No password login - SSH key only`
			`hashedPassword = "!";`
docs: initialize NixOS infrastructure with AI assistant Creates PROJECT.md with vision and requirements. Creates config.json with interactive workflow mode. 2026-01-01 01:36:58 -05:00			`};`
Progress dump before ai agent 2026-04-04 04:57:47 -04:00			`users.groups.ai-worker = {};`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container. 2026-04-29 19:55:19 +00:00			`# Enable restricted AI worker SSH access for ollama benchmarking`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00			`# SECURITY: ai-worker can only:`
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container. 2026-04-29 19:55:19 +00:00			`# - SSH into host from Hermes container`
			`# - Run docker commands (docker exec ollama ...) via docker group`
			`# - NO access to infra repo (no bind mount)`
			`# - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)`
			`# WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/`
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch 2026-04-28 15:34:38 +00:00			`services.aiWorkerAccess = true;`
chore: add n8n-worker user and update authentication configuration 2026-01-01 02:25:34 -05:00			`}`