Add restricted AI worker access with deployment capabilities
- New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
This commit is contained in:
92
modules/nixos/security/README-ai-worker.md
Normal file
92
modules/nixos/security/README-ai-worker.md
Normal file
@@ -0,0 +1,92 @@
|
||||
# AI Worker Restricted Access
|
||||
|
||||
This module provides restricted access for the AI worker (hermes-agent) to manage the infra repository.
|
||||
|
||||
## Security Model
|
||||
|
||||
The `ai-worker` user has:
|
||||
|
||||
### Filesystem Access
|
||||
- **Bind mount**: `/home/ai-worker/infra` → `/home/gortium/infra` (read-write)
|
||||
- **Cannot access**: Any other files outside the bind mount and standard system paths
|
||||
|
||||
### Sudo Access (Whitelist Only)
|
||||
The following commands are allowed via sudo without password:
|
||||
- `/run/current-system/sw/bin/nh` - NixOS home manager
|
||||
- `/run/current-system/sw/bin/nixos-rebuild` - System rebuild
|
||||
- `/run/current-system/sw/bin/nixpkgs-fmt` - Nix formatter
|
||||
- `/run/current-system/sw/bin/nix` - Nix package manager
|
||||
|
||||
### Docker Access
|
||||
- Member of `docker` group - can manage containers
|
||||
- Cannot modify host system directly
|
||||
|
||||
### Audit Logging
|
||||
- All changes to `/home/gortium/infra` are logged via Linux audit subsystem
|
||||
- Audit rule: `-w /home/gortium/infra -p wa -k infra_changes`
|
||||
|
||||
## Workflow: Ask First, Always
|
||||
|
||||
**CRITICAL**: Before running any deployment command (`nh os switch` or `nixos-rebuild`), the AI MUST:
|
||||
|
||||
1. **Show the planned changes** to the user
|
||||
2. **Explain the impact** of the changes
|
||||
3. **Wait for explicit confirmation** before executing
|
||||
|
||||
### Example Workflow
|
||||
|
||||
```bash
|
||||
# AI prepares changes
|
||||
cd /home/ai-worker/infra
|
||||
# ... edits files ...
|
||||
nixpkgs-fmt .
|
||||
|
||||
# AI shows diff to user
|
||||
git diff
|
||||
|
||||
# AI asks: "Ready to deploy? This will restart the ai_stack service."
|
||||
# User responds: "Yes, proceed"
|
||||
|
||||
# Only then does AI run:
|
||||
sudo nh os switch --flake .#lazyworkhorse
|
||||
```
|
||||
|
||||
## SSH Access
|
||||
|
||||
Connect as:
|
||||
```bash
|
||||
ssh ai-worker@lazyworkhorse
|
||||
```
|
||||
|
||||
The working directory will be `/home/ai-worker`, with infra repo accessible at `/home/ai-worker/infra`.
|
||||
|
||||
## Verification
|
||||
|
||||
Check ai-worker permissions:
|
||||
```bash
|
||||
# On the host, as root or gortium:
|
||||
sudo -u ai-worker sudo -l
|
||||
```
|
||||
|
||||
Expected output should show only the whitelisted commands.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
If ai-worker cannot access infra:
|
||||
```bash
|
||||
# Check bind mount
|
||||
mount | grep ai-worker/infra
|
||||
|
||||
# Check permissions
|
||||
ls -la /home/gortium/infra
|
||||
ls -la /home/ai-worker/infra
|
||||
```
|
||||
|
||||
If sudo commands fail:
|
||||
```bash
|
||||
# Check sudo rules
|
||||
sudo cat /etc/sudoers.d/* | grep ai-worker
|
||||
|
||||
# Check audit logs
|
||||
sudo ausearch -k infra_changes
|
||||
```
|
||||
Reference in New Issue
Block a user