SECURITY CHANGE: Keep ai-worker in docker group but block dangerous
docker subcommands via a wrapper script.
Approach:
- docker group membership preserved (ps, start, stop, compose still work)
- Docker binary wrapped with a script that blocks dangerous subcommands
- BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag
- ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi,
pull, build, run, compose, system, network ls, volume ls
The wrapper is installed in both system packages and ai-worker's
personal profile to ensure it takes precedence over the real docker.
This is effective for the LLM agent threat model — the agent uses CLI
commands and blocked subcommands simply return an error.
Files modified:
- users/ai-worker.nix — restored docker group, kept sudo audit rules
- modules/nixos/security/ai-worker-restricted.nix — added docker wrapper
script with blacklist logic and NixOS module integration
- modules/nixos/security/README-ai-worker.md — documentation update
Remove infra repo bind mount and sudo access from ai-worker user.
Now ai-worker can only:
- SSH into host from Hermes container
- Run docker commands via docker group membership
- Execute ollama benchmarks via docker exec
Results saved to /opt/data/ai-optimizer/ in Hermes container.
- New module: modules/nixos/security/ai-worker-restricted.nix
- Bind mount for infra repo access (RW)
- Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
- Audit logging for infra changes
- Documentation in README-ai-worker.md
- Updated users/ai-worker.nix:
- Enable services.aiWorkerAccess
- Lock password (SSH key only)
- Security documentation comments
- Updated flake.nix:
- Include new security module
SECURITY: AI must ask for user confirmation before running nh os switch
