gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

security: remove deployment commands from ai-worker sudo rules

Browse Source 
ai-worker only needs security audit commands, not deployment access.

Removed:
- nh os switch
- nixos-rebuild switch

Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
This commit is contained in:
Hermes Agent
2026-04-30 17:36:13 +00:00
parent b5b0d4c2d1
commit ed7852ac08
1 changed files with 10 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
users/ai-worker.nix
View File

@@ -12,20 +12,12 @@
}; };
users.groups.ai-worker = {}; users.groups.ai-worker = {};
# Restricted sudo for ai-worker - security checks and deployment only # Restricted sudo for ai-worker - security checks only
security.sudo.extraRules = [ security.sudo.extraRules = [
{ {
users = [ "ai-worker" ]; users = [ "ai-worker" ];
commands = [ commands = [
{ # Firewall checks
command = "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse";
options = [ "NOPASSWD" ];
}
{
command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse";
options = [ "NOPASSWD" ];
}
# Security audit commands
{ {
command = "/run/wrappers/bin/sudo iptables -L -n -v"; command = "/run/wrappers/bin/sudo iptables -L -n -v";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
@@ -34,6 +26,7 @@
command = "/run/wrappers/bin/sudo iptables -S"; command = "/run/wrappers/bin/sudo iptables -S";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
} }
# Fail2ban status
{ {
command = "/run/current-system/sw/bin/fail2ban-client status"; command = "/run/current-system/sw/bin/fail2ban-client status";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
@@ -46,6 +39,7 @@
command = "/run/current-system/sw/bin/fail2ban-client get * banned"; command = "/run/current-system/sw/bin/fail2ban-client get * banned";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
} }
# Log inspection
{ {
command = "/run/current-system/sw/bin/journalctl -t kernel -n 100"; command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
@@ -54,11 +48,16 @@
command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50"; command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
} }
{
command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
options = [ "NOPASSWD" ];
}
# SSH config verification
{ {
command = "/run/current-system/sw/bin/sshd -T"; command = "/run/current-system/sw/bin/sshd -T";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];
} }
# Docker commands for service checks # Docker service checks
{ {
command = "/run/current-system/sw/bin/docker ps"; command = "/run/current-system/sw/bin/docker ps";
options = [ "NOPASSWD" ]; options = [ "NOPASSWD" ];