From ed7852ac08c18e02431d4a73aa61e068f355247f Mon Sep 17 00:00:00 2001
From: Hermes Agent <hermes@lazyworkhorse.net>
Date: Thu, 30 Apr 2026 17:36:13 +0000
Subject: [PATCH] security: remove deployment commands from ai-worker sudo
 rules

ai-worker only needs security audit commands, not deployment access.

Removed:
- nh os switch
- nixos-rebuild switch

Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
---
 users/ai-worker.nix | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/users/ai-worker.nix b/users/ai-worker.nix
index 67fe7e2..b818426 100644
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -12,20 +12,12 @@
   };
   users.groups.ai-worker = {};
   
-  # Restricted sudo for ai-worker - security checks and deployment only
+  # Restricted sudo for ai-worker - security checks only
   security.sudo.extraRules = [
     {
       users = [ "ai-worker" ];
       commands = [
-        {
-          command = "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse";
-          options = [ "NOPASSWD" ];
-        }
-        # Security audit commands
+        # Firewall checks
         {
           command = "/run/wrappers/bin/sudo iptables -L -n -v";
           options = [ "NOPASSWD" ];
@@ -34,6 +26,7 @@
           command = "/run/wrappers/bin/sudo iptables -S";
           options = [ "NOPASSWD" ];
         }
+        # Fail2ban status
         {
           command = "/run/current-system/sw/bin/fail2ban-client status";
           options = [ "NOPASSWD" ];
@@ -46,6 +39,7 @@
           command = "/run/current-system/sw/bin/fail2ban-client get * banned";
           options = [ "NOPASSWD" ];
         }
+        # Log inspection
         {
           command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
           options = [ "NOPASSWD" ];
@@ -54,11 +48,16 @@
           command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
           options = [ "NOPASSWD" ];
         }
+        {
+          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
+          options = [ "NOPASSWD" ];
+        }
+        # SSH config verification
         {
           command = "/run/current-system/sw/bin/sshd -T";
           options = [ "NOPASSWD" ];
         }
-        # Docker commands for service checks
+        # Docker service checks
         {
           command = "/run/current-system/sw/bin/docker ps";
           options = [ "NOPASSWD" ];