security: add restricted sudo for ai-worker with security audit commands

- Deployment: nh os switch, nixos-rebuild switch (flake path locked) - Firewall checks: iptables -L, iptables -S - Fail2ban: status, banned IPs - Logs: journalctl for kernel and fail2ban - SSH config: sshd -T for verification - Docker: ps, inspect (service health) - Network: ss -tlnp, /proc/net/tcp All commands are whitelisted with NOPASSWD. No shell access, no ALL command - principle of least privilege.
2026-04-30 17:33:05 +00:00
parent 7994aad8d8
commit 21bd4bb283
1 changed files with 68 additions and 0 deletions
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -11,4 +11,72 @@
    ];
  };
  users.groups.ai-worker = {};
+  
+  # Restricted sudo for ai-worker - security checks and deployment only
+  security.sudo.extraRules = [
+    {
+      users = [ "ai-worker" ];
+      commands = [
+        {
+          command = "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse";
+          options = [ "NOPASSWD" ];
+        }
+        # Security audit commands
+        {
+          command = "/run/wrappers/bin/sudo iptables -L -n -v";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/wrappers/bin/sudo iptables -S";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/fail2ban-client status";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/fail2ban-client status *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/sshd -T";
+          options = [ "NOPASSWD" ];
+        }
+        # Docker commands for service checks
+        {
+          command = "/run/current-system/sw/bin/docker ps";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker inspect *";
+          options = [ "NOPASSWD" ];
+        }
+        # Network diagnostics
+        {
+          command = "/run/current-system/sw/bin/ss -tlnp";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/cat /proc/net/tcp";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
 }