diff --git a/users/ai-worker.nix b/users/ai-worker.nix
index 67fe7e2..b818426 100644
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -12,20 +12,12 @@
 };
 users.groups.ai-worker = {};
 
-# Restricted sudo for ai-worker - security checks and deployment only
+# Restricted sudo for ai-worker - security checks only
 security.sudo.extraRules = [
 {
 users = [ "ai-worker" ];
 commands = [
-{
-command = "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse";
-options = [ "NOPASSWD" ];
-}
-{
-command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse";
-options = [ "NOPASSWD" ];
-}
-# Security audit commands
+# Firewall checks
 {
 command = "/run/wrappers/bin/sudo iptables -L -n -v";
 options = [ "NOPASSWD" ];
@@ -34,6 +26,7 @@
 command = "/run/wrappers/bin/sudo iptables -S";
 options = [ "NOPASSWD" ];
 }
+# Fail2ban status
 {
 command = "/run/current-system/sw/bin/fail2ban-client status";
 options = [ "NOPASSWD" ];
@@ -46,6 +39,7 @@
 command = "/run/current-system/sw/bin/fail2ban-client get * banned";
 options = [ "NOPASSWD" ];
 }
+# Log inspection
 {
 command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
 options = [ "NOPASSWD" ];
@@ -54,11 +48,16 @@
 command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
 options = [ "NOPASSWD" ];
 }
+{
+command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
+options = [ "NOPASSWD" ];
+}
+# SSH config verification
 {
 command = "/run/current-system/sw/bin/sshd -T";
 options = [ "NOPASSWD" ];
 }
-# Docker commands for service checks
+# Docker service checks
 {
 command = "/run/current-system/sw/bin/docker ps";
 options = [ "NOPASSWD" ];
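Review bot: The first entry under the renamed `# Firewall checks` comment, `command = "/run/wrappers/bin/sudo iptables -L -n -v";`, names sudo itself as the permitted binary, so the rule authorises `sudo sudo iptables …` and the inner sudo, now running as root, resolves `iptables` through its own path lookup rather than the absolute path every other entry in this list uses; the same applies to the `iptables -S` entry in the next hunk. The outer argument match still pins the arguments, so the scope is probably what was intended, but the indirection is inconsistent and harder to audit. If iptables is installed in the system profile, `command = "/run/current-system/sw/bin/iptables -L -n -v";` matches the style of the surrounding rules; otherwise a comment should say why the wrapper is invoked via sudo. The `security.sudo.extraRules` list opened in this hunk continues past the end of the visible diff.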
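Review bot: In the `fail2ban-client get * banned` entry that this hunk's new `# Fail2ban status` group now covers, `*` is a sudoers wildcard rather than a literal argument, and sudoers matches command arguments as one space-separated string, so the glob spans word boundaries and the rule admits any `fail2ban-client get … banned` argument string instead of one fixed command. If the intent is to query every jail, one entry per jail name keeps the grant exact; if the wildcard is deliberate, say so above the entry, e.g. `# NOTE: '*' is a sudoers glob here and matches any argument string`. The `commands` list this entry belongs to starts and ends outside the hunk.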
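Review bot: The added `journalctl -u firewall -n 50` rule, like the `-t kernel -n 100` and `-u fail2ban -n 50` entries above it, permits journalctl as root without `--no-pager`, so when the caller's stdout is a terminal journalctl hands its output to a pager process that also runs as root; because the argument list must match exactly, the caller cannot append the flag, and with sudo's default env_reset the caller cannot disable the pager through SYSTEMD_PAGER/PAGER either (unless env_keep is configured elsewhere, which this file does not show). Putting the flag in the permitted command closes that: `command = "/run/current-system/sw/bin/journalctl --no-pager -u firewall -n 50";`, with the same change to the two sibling journalctl entries. The enclosing `commands` list continues past the end of this hunk.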