fix: update compose submodule for network creation fix

- Submodule now creates networks as bridge instead of external
- Resolves backup_stack startup failure due to missing backup_net

AGENTS.md

@@ -5,7 +5,6 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
-- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 
 ## Linting & Formatting

assets/ollama/Dockerfile

@@ -1,106 +0,0 @@
-# ollama-gfx906/Dockerfile
-#
-# Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
-# The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
-# This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
-#
-# Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
-
-FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
-
-# Build dependencies (CMake, Ninja, Go)
-ARG CMAKEVERSION=3.31.2
-ARG NINJAVERSION=1.12.1
-ARG GOLANG_VERSION=1.22.0
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    curl git ccache build-essential pkg-config unzip \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install CMake from official binaries
-RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
-    | tar xz -C /usr/local --strip-components 1
-
-# Install Ninja
-RUN curl -fsSL -o /tmp/ninja.zip \
-    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
-    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
-
-# Install Go
-RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
-    | tar xz -C /usr/local
-ENV PATH=/usr/local/go/bin:$PATH
-
-ARG OLLAMA_VERSION=v0.23.2
-RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
-WORKDIR /build
-
-# ROCm paths
-ENV HIP_PATH=/opt/rocm
-ENV ROCM_PATH=/opt/rocm
-ENV CMAKE_GENERATOR=Ninja
-ENV LDFLAGS=-s
-
-# Step 1: Build CPU backends with GCC (no ROCm preset)
-# Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
-# finding a HIP compiler (it searches /opt/rocm even without PATH).
-# Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
-RUN mkdir -p build-cpu && \
-    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
-    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
-      -DCMAKE_HIP_COMPILER="" \
-      -DCMAKE_INSTALL_PREFIX=/build/dist && \
-    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
-    cmake --install build-cpu --component CPU --strip && \
-    echo "=== CPU install ===" && \
-    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
-
-# Step 2: Build HIP backend with ROCm preset + gfx906 target only
-# The ROCm 6 preset enables HIP language detection (enable_language(HIP))
-# which ensures GPU kernels are properly compiled for gfx906.
-# OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
-# Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
-# at /opt/rocm/lib/cmake/hip/hip-config.cmake.
-RUN mkdir -p build-hip && \
-    cmake -B build-hip \
-      --preset 'ROCm 6' \
-      -DAMDGPU_TARGETS="gfx906:xnack-" \
-      -DCMAKE_BUILD_TYPE=Release \
-      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
-    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
-    cmake --install build-hip --component HIP --strip && \
-    echo "=== HIP install ===" && \
-    find /build/dist/lib/ollama -type f -o -type l | head -20
-
-# Step 3: Build Go binary (GCC for CGo linking)
-ENV CGO_ENABLED=1
-RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
-
-# ---------- Runtime image ----------
-FROM ubuntu:24.04
-
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
-    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
-    && rm -rf /var/lib/apt/lists/*
-
-# Copy ROCm 6.1 runtime libraries
-# These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
-COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
-COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
-
-# Copy ollama binary + all backends (CPU + HIP)
-# CPU install:  /build/dist/lib/ollama/libggml-*.so
-# HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
-COPY --from=builder /build/dist/ollama /usr/bin/ollama
-COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
-
-RUN ldconfig
-
-ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
-ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
-ENV HCC_AMDGPU_TARGET=gfx906
-ENV HSA_ENABLE_SDMA=0
-
-EXPOSE 11434
-ENTRYPOINT ["/bin/ollama"]
-CMD ["serve"]

flake.nix

@@ -61,7 +61,6 @@
               ./modules/nixos/services/open_code_server.nix
               ./modules/nixos/services/ollama_init_custom_models.nix
               ./modules/nixos/services/openclaw_node.nix
-              ./modules/nixos/security/ai-worker-restricted.nix
               ./users/gortium.nix
               ./users/ai-worker.nix
             ];

hosts/lazyworkhorse/configuration.nix

@@ -36,7 +36,7 @@
     "transparent_hugepage=always" # because mucho ram
   ];
   # 2. Load the specific drivers found by sensors-detect
-  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" ];
+  boot.kernelModules = [ "nct6775" "lm96163" ];
   # 3. Force the nct6775 driver to recognize the chip if it's stubborn
   boot.extraModprobeConfig = ''
     options nct6775 force_id=0xd280
@@ -49,26 +49,6 @@
   networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
   networking.hostId = "deadbeef";
 
-  # WireGuard VPN client -- always up, connects to wg-easy server
-  # Create age-encrypted secrets before deploying (run on the host):
-  #   echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age
-  #   echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age
-  networking.wireguard.interfaces = {
-    wg0 = {
-      ips = [ "10.8.0.3/24" ];
-      privateKeyFile = config.age.secrets.wireguard_private_key.path;
-      peers = [
-        {
-          publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
-          presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
-          allowedIPs = [ "10.8.0.0/24" ];
-          endpoint = "vpn.lazyworkhorse.net:51820";
-          persistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-
   # Set your time zone.
   time.timeZone = "America/Montreal";
 
@@ -178,7 +158,7 @@
     settings = {
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
-      # Additional hardening settings below in SERVER HARDENING section
+      PermitRootLogin = "prohibit-password"; 
     };
     hostKeys = [
       {
@@ -241,11 +221,6 @@
       path = self + "/assets/compose/homepage";
     };
 
-    vpn = {
-      path = self + "/assets/compose/vpn";
-      envFile = config.age.secrets.containers_env.path;
-    };
-
     # tak = {
     #   path = self + "/assets/compose/tak";
     # };
@@ -289,20 +264,6 @@
         mode = "0440";
         path = "/run/secrets/openclaw_gateway_token";
       };
-      wireguard_private_key = {
-        file = ../../secrets/wireguard_private_key.age;
-        owner = "root";
-        group = "root";
-        mode = "0400";
-        path = "/run/secrets/wireguard_private_key";
-      };
-      wireguard_preshared_key = {
-        file = ../../secrets/wireguard_preshared_key.age;
-        owner = "root";
-        group = "root";
-        mode = "0400";
-        path = "/run/secrets/wireguard_preshared_key";
-      };
     };
   };
 
@@ -347,203 +308,6 @@
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 
-  # =============================================================================
-  # SERVER HARDENING - Firewall, Fail2ban, SSH, Kernel
-  # =============================================================================
-  
-  # Firewall - default deny, explicit allow
-  networking.firewall = {
-    # Enable firewall with default deny policy (NixOS firewall denies all by default)
-    enable = true;
-    allowPing = true;
-    
-    # Only essential ports exposed to internet
-    allowedTCPPorts = [
-      2424  # SSH (non-standard port)
-      2222  # Gitea (version control)
-      80    # HTTP (Traefik redirect)
-      443   # HTTPS (Traefik)
-      # 8000  # Portainer - REVIEW: internal only?
-      # 4242  # Coms - REVIEW: internal only?
-      # 5000  # TAK API - REVIEW: internal only?
-      # 8087  # TAK Connect - REVIEW: internal only?
-      # 8089  # TAK Management - REVIEW: internal only?
-    ];
-    
-    allowedUDPPorts = [
-      51820 # WireGuard VPN
-    ];
-    
-    # Rate limiting and attack prevention
-    extraCommands = ''
-      # 1. Wipe the INPUT chain clean at the start of every activation
-      iptables -F INPUT
-      
-      # Rate limit SSH connections (max 20 new connections per 60 seconds)
-      iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --set
-      iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
-      
-      # Rate limit HTTP/HTTPS (protects Traefik)
-      iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-      iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-      
-      # Drop invalid packets
-      iptables -A INPUT -m state --state INVALID -j DROP
-      
-      # Log dropped packets (rate limited)
-      iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
-
-      # 3. CRITICAL: Re-link the NixOS default firewall chain
-      # Without this line, the 'allowedTCPPorts' in your Nix config will be ignored!
-      iptables -A INPUT -j nixos-fw
-    '';
-  };
-
-  # Fail2ban - automatic IP banning
-  services.fail2ban = {
-    enable = true;
-    maxretry = 3;
-    bantime = "1h";
-    banaction = "iptables-multiport";
-    
-    jails = {
-      # SSH brute force protection (uses systemd journal backend)
-      sshd = {
-        enabled = true;
-        settings = {
-          filter = "sshd";
-          port = "2424";
-          maxretry = 3;
-          bantime = "1h";
-        };
-      };
-      
-      # Recidive - ban repeat offenders for 1 week
-      recidive = {
-        enabled = true;
-        settings = {
-          filter = "recidive";
-          logpath = "/var/log/fail2ban.log";
-          bantime = "1w";
-          findtime = "1d";
-          maxretry = 3;
-        };
-      };
-      
-      # HTTP authentication failures (Traefik)
-      http-auth = {
-        enabled = true;
-        settings = {
-          filter = "traefik-auth";
-          port = "80,443";
-          logpath = "/var/log/traefik/access.log";
-          maxretry = 5;
-          bantime = "1h";
-        };
-      };
-      
-      # HTTP scanning/attacks (Traefik)
-      http-botsearch = {
-        enabled = true;
-        settings = {
-          filter = "traefik-botsearch";
-          port = "80,443";
-          logpath = "/var/log/traefik/access.log";
-          maxretry = 2;
-          bantime = "2h";
-        };
-      };
-    };
-  };
-  
-  # Custom fail2ban filters for Traefik
-  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
-    [Definition]
-    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
-    ignoreregex =
-  '';
-  
-  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
-    [Definition]
-    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
-                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
-    ignoreregex =
-  '';
-
-  # SSH hardening
-  services.openssh.settings = {
-    PermitRootLogin = "no";
-    MaxAuthTries = 3;
-    MaxSessions = 20;
-    LoginGraceTime = 30;
-    ClientAliveInterval = 300;
-    ClientAliveCountMax = 2;
-    PermitEmptyPasswords = "no";
-    ChallengeResponseAuthentication = "no";
-    UsePAM = true;
-    LogLevel = "VERBOSE";
-    X11Forwarding = false;
-    AllowTcpForwarding = "no";
-    AllowAgentForwarding = "no";
-    PermitTunnel = "no";
-  };
-
-  # Kernel network hardening
-  boot.kernel.sysctl = {
-    # IP Spoofing protection
-    "net.ipv4.conf.all.rp_filter" = 1;
-    "net.ipv4.conf.default.rp_filter" = 1;
-    
-    # Ignore ICMP broadcasts
-    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
-    
-    # Disable source routing
-    "net.ipv4.conf.all.accept_source_route" = 0;
-    "net.ipv4.conf.default.accept_source_route" = 0;
-    "net.ipv6.conf.all.accept_source_route" = 0;
-    "net.ipv6.conf.default.accept_source_route" = 0;
-    
-    # Disable redirects
-    "net.ipv4.conf.all.send_redirects" = 0;
-    "net.ipv4.conf.default.send_redirects" = 0;
-    
-    # SYN flood protection
-    "net.ipv4.tcp_syncookies" = 1;
-    "net.ipv4.tcp_max_syn_backlog" = 2048;
-    "net.ipv4.tcp_synack_retries" = 2;
-    "net.ipv4.tcp_syn_retries" = 5;
-    
-    # Log martian packets
-    "net.ipv4.conf.all.log_martians" = 1;
-    "net.ipv4.conf.default.log_martians" = 1;
-    
-    # Ignore redirects
-    "net.ipv4.conf.all.accept_redirects" = 0;
-    "net.ipv4.conf.default.accept_redirects" = 0;
-    "net.ipv4.conf.all.secure_redirects" = 0;
-    "net.ipv4.conf.default.secure_redirects" = 0;
-    "net.ipv6.conf.all.accept_redirects" = 0;
-    "net.ipv6.conf.default.accept_redirects" = 0;
-    
-    # Connection tuning
-    "net.core.somaxconn" = 4096;
-    "net.core.netdev_max_backlog" = 65536;
-    "net.ipv4.tcp_max_orphans" = 65536;
-    "net.ipv4.tcp_fin_timeout" = 15;
-    "net.ipv4.tcp_keepalive_time" = 300;
-    "net.ipv4.tcp_keepalive_probes" = 5;
-    "net.ipv4.tcp_keepalive_intvl" = 15;
-  };
-
-  # Audit logging
-  security.auditd.enable = true;
-  
-  # Fail2ban log directory
-  systemd.tmpfiles.rules = [
-    "d /var/log/fail2ban 0755 root root -"
-    "d /var/log/traefik 0755 root root -"
-  ];
-
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you
   # accidentally delete configuration.nix.

modules/nixos/security/README-ai-worker.md

@@ -1,105 +0,0 @@
-# AI Worker Restricted Access
-
-This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
-
-## Security Model
-
-The `ai-worker` user has:
-
-### Filesystem Access
-- **Home directory**: `/home/ai-worker` (standard user home)
-- **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
-- **Cannot access**: Any files outside standard system paths
-
-### Sudo Access
-- **NONE**: ai-worker has no sudo privileges
-- Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
-
-### Docker Access
-- Member of `docker` group - can run `docker` and `docker exec` commands
-- Primary use: `docker exec ollama ollama ...` for benchmarking
-- Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
-
-## Workflow: SSH + Docker Benchmarking
-
-The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
-
-### Example Workflow
-
-```bash
-# From Hermes container, SSH to host
-ssh -i /path/to/ssh/key ai-worker@host.docker.internal
-
-# On host, run ollama benchmarks via docker
-docker exec ollama ollama pull devstral-small-2:24b
-
-# Create test modelfile
-docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
-FROM devstral-small-2:24b
-PARAMETER num_ctx 65536
-PARAMETER num_gpu 99
-PARAMETER flash_attn true
-EOF'
-
-# Create and test model
-docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
-docker exec ollama ollama run test-model "Write a Python async function"
-
-# Check VRAM usage
-docker exec --privileged ollama rocm-smi --showmeminfo vram
-
-# Cleanup
-docker exec ollama ollama rm test-model
-
-# Exit SSH, return to Hermes container
-exit
-
-# Save results in Hermes container
-# /opt/data/ai-optimizer/state.json
-# /opt/data/ai-optimizer/results.csv
-```
-
-## SSH Access
-
-Connect as:
-```bash
-ssh ai-worker@lazyworkhorse
-```
-
-The working directory will be `/home/ai-worker`. No infra repo access.
-
-## Verification
-
-Check ai-worker permissions:
-```bash
-# On the host, as root or gortium:
-sudo -u ai-worker sudo -l
-# Should show: no sudo access
-
-# Check docker group membership
-groups ai-worker
-# Should show: ai-worker docker
-```
-
-## Troubleshooting
-
-If ai-worker cannot run docker commands:
-```bash
-# Check docker group membership
-groups ai-worker
-
-# Verify ollama container is running
-docker ps | grep ollama
-
-# Test docker access
-sudo -u ai-worker docker exec ollama ollama list
-```
-
-If SSH connection fails:
-```bash
-# Check SSH key is authorized
-cat /home/ai-worker/.ssh/authorized_keys
-
-# Check SSH service
-systemctl status sshd
-```

modules/nixos/security/ai-worker-restricted.nix

@@ -1,17 +0,0 @@
-{ config, pkgs, lib, ... }:
-
-with lib;
-
-{
-  options.services.aiWorkerAccess = mkOption {
-    type = types.bool;
-    default = false;
-    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
-  };
-
-  config = mkIf config.services.aiWorkerAccess {
-    # ai-worker is member of docker group - can run docker commands via SSH
-    # No bind mounts, no sudo access - docker-only for ollama benchmarking
-    users.groups.docker.members = [ "ai-worker" ];
-  };
-}

modules/nixos/services/ollama_init_custom_models.nix

@@ -1,87 +1,45 @@
 { pkgs, ... }: {
   systemd.services.init-ollama-model = {
     description = "Initialize LLM models with extra context in Ollama Docker";
-    
-    # On s'assure que Docker tourne avant de lancer ce script
-    after = [ "docker.service" ];
+    after = [ "docker-ollama.service" ];
     wantedBy = [ "multi-user.target" ];
-    
     script = ''
-      # Fonction de création asynchrone pour ne pas bloquer le démarrage
-      (
-        echo "Starting asynchronous Ollama initialization..."
-        
-        # Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
-        TIMEOUT=60
-        COUNT=0
-        while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
-          if [ $COUNT -ge $TIMEOUT ]; then
-            echo "Ollama did not become ready in time. Exiting."
-            exit 1
-          fi
-          echo "Waiting for Ollama API to be reachable..."
-          sleep 5
-          COUNT=$((COUNT + 5))
-        done
+      # Wait for Ollama
+      while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
+        sleep 2
+      done
 
-        create_model_if_missing() {
-          local model_name=$1
-          local base_model=$2
-          
-          # Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty)
-          if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then
-            echo "$model_name not found, creating from $base_model..."
-            
-            # Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
-            TMP_FILE=$(mktemp)
-            cat <<EOF > "$TMP_FILE"
+      create_model_if_missing() {
+        local model_name=$1
+        local base_model=$2
+        if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
+          echo "$model_name not found, creating from $base_model..."
+          ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
 FROM $base_model
-TEMPLATE """{{- if .System }}
-[SYSTEM_PROMPT]
-{{ .System }}
-[/SYSTEM_PROMPT]
-{{- end }}
-{{- range .Messages }}
-{{- if eq .Role "user" }}
-[INST]
-{{ .Content }}
-[/INST]
-{{- else if eq .Role "assistant" }}
-{{ .Content }}
-{{- end }}
-{{- end }}"""
 PARAMETER num_ctx 131072
 PARAMETER num_predict 4096
 PARAMETER num_keep 1024
 PARAMETER repeat_penalty 1.1
 PARAMETER top_k 40
-PARAMETER stop "[INST]"
-PARAMETER stop "[/INST]"
-PARAMETER stop "</s>"
-EOF
+PARAMETER stop \"[INST]\"
+PARAMETER stop \"[/INST]\"
+PARAMETER stop \"</s>\"
+EOF"
+          ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
+        else
+          echo "$model_name already exists, skipping."
+        fi
+      }
 
-            # Copie et création dans le conteneur
-            ${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile
-            ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
-            ${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile
-            rm -f "$TMP_FILE"
-          else
-            echo "$model_name already exists, skipping."
-          fi
-        }
-
-        # Create Nemotron
-        create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
-        
-        # Create Devstral
-        create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
-        
-      ) &
+      # Create Nemotron
+      create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
+      
+      # Create Devstral
+      create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
     '';
-
     serviceConfig = {
-      Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&'
-      User = "root";
+      Type = "oneshot";
+      RemainAfterExit = true;
     };
   };
 }

secrets/containers.env.age

@@ -1,36 +1,34 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBWNEpt
-cGFNeVBBaDRqb3pLSEZGQW0wb3VmVnBoZCswUFkzbnBLUnJ0QTNrClRqVkk4RUVO
-d29KYjd5YUcwankvaTFmVHUxQVpDT2ZYWHRaY3JXTUtQMU0KLT4gKXBtQ3UsXi1n
-cmVhc2UgNnwxYCBXVyA/KCQmIHt9NAo3OTZVUHR2UXkvaEFwY0ZBdEJsaFpsbHJ0
-cklKcDVHcEdWMEdPSkpnN0FiRU43RW5hUWFMdjR3WFRRSFBLSGlmClM3cTNJWlNM
-TExkdHdXUHJISkNIaE1TTUxUc1NUWkV1a09HeFU3bVZwQXMKLS0tIGhOcXFTUElS
-azJJNnEreUhMWTJBaVZGSTJPRUFqQkVYS01KRENUVVpZSDgK8+8onFejroBo7MeO
-dW+so4lOsq4zJKn3f0cxmCFg1f0X8zt6h4Uc3A5Cvr1uU+6yw1FWmJ7xa3jJz3lO
-EEaKQJXYC+xIIKGcA7qILa0SFp4a/4OuYjcg27HrlPhg7u5wDhQrd0LdVEe1Xngp
-ZivX7P7HwIna3X8C+TL+K2v/AG2N/z86cdKfRvxyMKNbHhYw+CfHEnWgh8tJ++4h
-G9evNniuNqte6cQaRe7jODfPNW4FuY/Sb7barlJ/M9iAQdYAdyLAzU1LABeHeUfD
-wtHjxy9DUZ55Vg8bB8M2JJU9MkoRT4ewiVd9LeC1GWeVmKsm93wsmrov714i7U2j
-wHtDkjqEF2MmzuQc18sjNaAHiwz8j6o5xU2L/Q4+Q707yISWG7RGZYh389Cr1rnw
-siUq/Vunqw2wk13+J/4vu9nqt5mMktBaCtp+QiWIurjwB5LUAyChrSm+dg5lb0Mt
-UhSc0lq1+E3vxAXM2Hmk+vP86VD+6WJvAU82VFApF1s6zG2FU1/AcOVVf54nan/q
-f+rgSFfASHQCYSblUJHyEtwLNsWEmTGmOEn1buUKD/H0zatPQnc0rYpjlx2V0Sjd
-6yB5+wPrZ0AkN1pjcsPKOv8Kaog2DzqIjib+SaSTaRxWHQEb9uzvaReAcYI5HOpE
-gkC040HN33BItATbo4+hz70Im8Ni/VXD+g6yzM6Hj1hJL+PinTKeg5keQRFIZjMx
-grzievB2wVBBgLgN3qMdTFmpplaL7iL702JjXZUTTK9Izp+9wiCsV1fTa53FWDht
-ylFL5SWElqXjK+QBXxAe+Jk6VQov5HI21YDXL67S554ABeRok23wxrQ31TCI4xq9
-PQV7VtNRjyVud7S29m3OwpWOsgTZhn+JclHj2v4bNJzJkJnZRTmcvGPktzRI5+R4
-e5vxVhGnJDzI71txaHl8+xS1lu9VzCQUrxX6TXyTRV4KjIOz0g06JOBgmBRBvJca
-7MZbC65xpisl/gyLRbgkVga3t94dPV+dpZsn8eq6427IyRbKslJefatggR9//c6I
-5N5fl0fR3gJQMB+HRbipBH2YsdbdWJyb4Nn6STZxIfrqoG/xC6C1raF0xK7hUx6i
-4DUDSPohM8fOIswQPfE+FH3eygfzu/Ln5+ghsgHTEhgFvmgMvyxaAt6kHIzIUhMX
-M3dASr4VPDpIXuXsRWwYLEifhzxsuvwVxfwtsnCaR6XKijsYECWGDdYOWHdleeqx
-wDPhxEesfFVhKxhrKY9Ir8k9/FFBKQU/3GjW4+SMAg5Al1YEzxshP9vKuVcsei7W
-JDwAwotNXaCm6NBckiyZJE53ou6+gckPY7V9cOfnuH74Z9ywkFzB3HW3ZlonaGyM
-oGmLGcccavFtyhg5s/As4i6X8ARIpDiwe59Pn3GNXMctySqIrrr2ogUoXgrfFCie
-6GOTdeMW7GeOSdJUxCofghlspS/nq01Og77VI/beWYrIwLubSka6Zaltww9zgObk
-/FGEMgFkEpq7iyCvYSPA8F46pJKvnMP3S84AWCPmcTcHeg4lwGPvs6btexXBGdoz
-nkCyq7wdH5Nngm7jUbl88LtaLZPAQkuqXphBVTnrF9Ofbnb4iRZ2Op4xpx9rGyvx
-mO6UEhL6V1i2YZFNkNMg/W8aoMiUgBdqbkxaxblT9L0aNdlFU9+LbWYolURVEadd
-Qjv0Z1gMA+tsuBbVszwsMfneZ5+B9Q==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBOL29w
+eGk1N2xxTHJtaUEvWWZmbkh1bk11Tjk3anNnMDB1cCtPYUMzdTNJCkdhQ08vblNG
+UlV1K2xVTGZVTzFWYXAzcjZaMWs0RTFWdStKSmlSTURvK1EKLT4gLC1zKU8zVkgt
+Z3JlYXNlIFUiXFcpS302IHByVn5jOy0gRDMKQjV3SHpDWUIybGFyQUg3ZlR0R2hV
+eWM3SFlCVW5mdlpBVUF3a0xpNlZCeGNUd1oxTTlkc1RkTXdZS0lFTmN3Ci0tLSA3
+VlBqM1VLWllZc0JnOTMvUFRjMU13OTdzMmhsdGJubkk5eGpERVVLYUk4Cnzh5UbU
+FlgqpM8jkJ6XlsaIDCw/G3D6uJ/GRJW4gIekuhAUxpZJrc8eOA8ZuHfGrBbH3acV
+tVafX5F0Kr2oOblqZ6gduZOUS52KmWH8stiBJM+e5ZZ7zRQVE4PJUKUPCzi+WdcH
+zr295T//FOdicrYHdsjfziKEHzBtUCFiATW05+O2zMjYjO6cPzePcCzPWinwiID6
+V+f6ngfkkQaj3wBGkzaieQJzRcdSwky21aVhGCCX/bvqx61iW2d5QAKxGbtQ2RcG
+X1okr+xunAM94nzDMv46vyN97KxY7cZd4pAaOxoICc2Tfhtw6F+iS6QkQh1odJzO
+7ZH+sSQCvndG+8z9shXGiHalASF5tdguM+JlEvAGljcaiAUtsQWxr9CoWiEkC6c6
+NCaECSYO8Il+SXBQnSZSGJSNDhuPYCYrsjXGSAONFixuyeslAkq9x2WUaUS4H063
+1QvRF7XO2tBPtgCLsSjdiGp0h+ImUaGdu6fDR7zrDsGsaAFCSFeH/rGNNXRQ2vP2
+CSfPfDDCqpUSCn0WuA30BtaPLxGmZT6OjFevKzYMNDmdeq9ia/q8K0hmjLUBdN3k
+tdYWbwoaf4gYbUWxSleD768b0Jgxss9Vod+sFQ+NYRksdGIeyND+aQIc312XehfA
+qHFBS8nlj7eUF5bdvCYQ64z741mH4cNlGxyjPBH1x8FHnEOocJXYt1l2AZSRJmJA
+c3z0QGXyuCbsrLBXWK1EKa/Juo4PGGsEVoLRhwJAQy9+i1JN0yrfRvSPyzvD4px6
+wRPzlZ80MQdb2lv84WS/zcOEZmZzlLntszTRRdIfAsuaavP2Rquh4rEXABYeTZwp
+5dem79s8bdW2nFsGMNz1OQKQwocyjYu1jJMHu6Gp7Ngdl1xyW7xfg0dezE1c0cIh
+xt1aLER9YJp4n5to5cOH16l3mjDHnAvABx38xE9loNL3399J/evw7LxpTYQ4v2Xv
+x8xnDHcqJ+deFSwyuUnMS5DkUeYuHmUl0Q2WYcfY+ibCmcgCb2ObTtuN1/ZxNYrL
+OKrnmfuSvBgyuIOj5e6uWW0+Zs8dHKXu2TgV8WignxOhl5zQgCpCBlqVfO0t+NCu
+Gi26hU/fhGWQ/1oQa3VkpGsypZbJpgQvfWxfcGHP/MMhnl01zzlP8/aexSY3pAxf
+fz9v0IVh6xxtu3zbiiVzUsXbfG7t+xY98jMphf4AS2mWva3GWVmhhu0lS3J3P+go
+YEEP4rOFHeU0Y1/6kLydTXvz4jMH0H92XQIzshd7vzQnEJPUPAzqRmw3LKYGgCI+
+wZEnxJ6ckqTkGBFnxTpy9LLllwmnz2Ky87nY3XAmqxlhb2Ap1XFAlfgszmGjc+Il
+KkIgoWQHTUm6QM9ta++oUTIDneOvxGd0zZsqoEhiC/7E01BNNZ6E58TeJU3fDlA3
+mX6n05XjwPRpgXZfayPoAgBlZc2H4KeiynxwNZ/dWu7qz7L6Ppk6Nvtly8giTbFx
+CA+tto7vq+D+CAEJ4bgyq4BCH4GL4APrhPcWp98Mko1WCiRTIKgkZxQCYvlg/LZq
+LNhMacP9T1qTvNC+yR1NEMiegE3APzk6CkDpVaO9+5f/sqifNPINCMothenI9ePw
+zjQLI3Mo1m73bkomytUZ7i1VstP5sEZ5LF72Sq7BpR3oQ3Gp0CAN9w==
 -----END AGE ENCRYPTED FILE-----

secrets/wireguard_preshared_key.age

@@ -1,9 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
-MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
-SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
-c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
-Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
-b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
-wDVB1LwC+Q==
------END AGE ENCRYPTED FILE-----

secrets/wireguard_private_key.age

@@ -1,11 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
-WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
-K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
-Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
-d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
-ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
-VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
-02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
-YB/F0dxSqgnq
------END AGE ENCRYPTED FILE-----

users/ai-worker.nix

@@ -9,85 +9,6 @@
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main
     ];
-    # No password login - SSH key only
-    hashedPassword = "!";
   };
   users.groups.ai-worker = {};
-
-  # Enable restricted AI worker SSH access for ollama benchmarking
-  # SECURITY: ai-worker can only:
-  #   - SSH into host from Hermes container
-  #   - Run docker commands (docker exec ollama ...) via docker group
-  #   - Run specific security audit commands
-  #   - NO access to infra repo (no bind mount)
-  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
-  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
-  services.aiWorkerAccess = true;
-  
-  # Restricted sudo for ai-worker - security checks only
-  security.sudo.extraRules = [
-    {
-      users = [ "ai-worker" ];
-      commands = [
-        # Firewall checks
-        {
-          command = "/run/wrappers/bin/sudo iptables -L -n -v";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/wrappers/bin/sudo iptables -S";
-          options = [ "NOPASSWD" ];
-        }
-        # Fail2ban status
-        {
-          command = "/run/current-system/sw/bin/fail2ban-client status";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/fail2ban-client status *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
-          options = [ "NOPASSWD" ];
-        }
-        # Log inspection
-        {
-          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
-          options = [ "NOPASSWD" ];
-        }
-        # SSH config verification
-        {
-          command = "/run/current-system/sw/bin/sshd -T";
-          options = [ "NOPASSWD" ];
-        }
-        # Docker service checks
-        {
-          command = "/run/current-system/sw/bin/docker ps";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker inspect *";
-          options = [ "NOPASSWD" ];
-        }
-        # Network diagnostics
-        {
-          command = "/run/current-system/sw/bin/ss -tlnp";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/cat /proc/net/tcp";
-          options = [ "NOPASSWD" ];
-        }
-      ];
-    }
-  ];
 }