diff --git a/users/ai-worker.nix b/users/ai-worker.nix
index a8f027c..67fe7e2 100644
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -11,4 +11,72 @@
 ];
 };
 users.groups.ai-worker = {};
+
+ # Restricted sudo for ai-worker - security checks and deployment only
+ security.sudo.extraRules = [
+ {
+ users = [ "ai-worker" ];
+ commands = [
+ {
+ command = "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse";
+ options = [ "NOPASSWD" ];
+ }
+ # Security audit commands
+ {
+ command = "/run/wrappers/bin/sudo iptables -L -n -v";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/wrappers/bin/sudo iptables -S";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/fail2ban-client status";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/fail2ban-client status *";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/fail2ban-client get * banned";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/sshd -T";
+ options = [ "NOPASSWD" ];
+ }
+ # Docker commands for service checks
+ {
+ command = "/run/current-system/sw/bin/docker ps";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/docker inspect *";
+ options = [ "NOPASSWD" ];
+ }
+ # Network diagnostics
+ {
+ command = "/run/current-system/sw/bin/ss -tlnp";
+ options = [ "NOPASSWD" ];
+ }
+ {
+ command = "/run/current-system/sw/bin/cat /proc/net/tcp";
+ options = [ "NOPASSWD" ];
+ }
+ ];
+ }
+ ];
 }
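Review bot: The two deploy rules (`nh os switch` / `nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse`) are root-equivalent rather than restricted, because the flake they activate lives in ai-worker's own home directory: whoever controls that checkout can add the user to `wheel`, set a root password or install any systemd unit and activate it with NOPASSWD, so the "Restricted sudo" header comment overstates the constraint. If unattended deploys are intended, point the rule at a root-owned, non-user-writable checkout (ideally a pinned, reviewed revision) or keep the password prompt, and state the reality in the comment, e.g. `# NOTE: switching a flake from the user's own home is effectively full root — keep this path root-owned`. Separately, the iptables entries invoke a second sudo (`/run/wrappers/bin/sudo iptables -L -n -v`), which is redundant and relies on root's PATH resolving `iptables`; use the binary directly, `command = "/run/current-system/sw/bin/iptables -L -n -v";` and `command = "/run/current-system/sw/bin/iptables -S";`. Note also that a sudoers `*` matches whitespace, so `docker inspect *`, `fail2ban-client status *` and `fail2ban-client get * banned` accept arbitrary extra arguments (for instance `docker inspect --format '{{.Config.Env}}' <id>` dumps container environment variables and any secrets in them); enumerate the known container and jail names instead of a bare wildcard where feasible.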