fix: restrict docker commands for ai-worker user

Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
9 changed files with 212 additions and 571 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -2,34 +2,20 @@
  description = "Gortium infra flake";
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs?ref=25.11";
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
    agenix = {
      url = "github:ryantm/agenix";
      inputs.darwin.follows = "";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lix = {
      url = "git+https://git.lix.systems/lix-project/lix?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixpkgs-uconsole = {
+    self.submodules = true;
      url = "github:nixos/nixpkgs/54170c54449ea4d6725efd30d719c5e505f1c10e";
    };
    nixos-uconsole = {
      url = "github:nixos-uconsole/nixos-uconsole/v1.1.0";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
    };
    nixos-raspberrypi = {
      url = "github:nvmd/nixos-raspberrypi/v1.20260317.0";
      inputs.nixpkgs.follows = "nixos-uconsole/nixpkgs";
    };
  };
-  outputs = { self, nixpkgs, agenix, disko, lix, nixos-uconsole, nixos-raspberrypi, ... }@inputs:
+  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
    let
      system = "x86_64-linux";
      keys = import ./lib/keys.nix;
@@ -40,7 +26,7 @@
          "/etc/ssh/ssh_host_ed25519_key"
          "/root/.age/bootstrap.key" ];
      };
-      overlays = [ agenix.overlays.default (import ./overlays/reticulum.nix) ];
+      overlays = [ agenix.overlays.default ];
      pkgs = import nixpkgs {
        inherit system overlays;
        config.allowUnfree = true;
@@ -94,24 +80,6 @@
              ./hosts/cyt-pi/hardware-configuration.nix
            ];
          };
          uConsole = nixos-uconsole.lib.mkUConsoleSystem {
            variant = "cm5";
            specialArgs = { inherit self keys paths inputs nixos-raspberrypi; };
            modules = [
              {
                nixpkgs.overlays = overlays;
                nixpkgs.config.allowUnfree = true;
                nixpkgs.config.permittedInsecurePackages = [
                  "openclaw-2026.3.12"
                ];
              }
              disko.nixosModules.disko
              ./hosts/uConsole/configuration.nix
              ./hosts/uConsole/hardware-configuration.nix
              ./hosts/uConsole/disko-config.nix
            ];
          };
        };
        devShells.${system}.default = devShell;
      };
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -11,10 +11,6 @@
  # Flakesss
  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
  nix.settings.trusted-users = [ "root" "gortium" ];
  nix.settings.extra-platforms = [ "aarch64-linux" ];
  # QEMU binfmt for cross-building aarch64 NixOS targets
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  # Garbage collection
  nix.gc = {
--- a/hosts/uConsole/configuration.nix
+++ b/hosts/uConsole/configuration.nix
@@ -1,286 +0,0 @@
 { config, lib, pkgs, paths, self, keys, ... }:
 let
  # Backlight fallback for CM5 display quirk
  # The kernel driver usually handles this, but some boots need a kick
  backlightFixScript = pkgs.writeShellScript "backlight-fix" ''
    # Try sysfs backlight control
    for bl in /sys/class/backlight/*/brightness; do
      if [ -f "$bl" ]; then
        max=$(cat "$(dirname "$bl")/max_brightness" 2>/dev/null || echo 100)
        echo "$max" > "$bl" 2>/dev/null || true
      fi
    done
  '';
 in
 {
  # Basic Host Info
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  # System State
  system.stateVersion = "25.11";
  # Boot & Hardware (migrated to kernel bootloader per nixos-raspberrypi deprecation notice)
  boot.loader.raspberry-pi.bootloader = "kernel";
  # kernel managed by nixos-raspberrypi module — don't override, patches are version-specific
  # boot.kernelPackages = pkgs.linuxPackages_latest;
  # Kernel parameters matching nixos-uconsole CM5 module
  # console=tty1 is critical — without it, console output goes to ttyAMA0 not fb0
  boot.kernelParams = [
    "8250.nr_uarts=1"
    "console=tty1"
  ];
  # Enable Mesa GPU drivers — REQUIRED for VC4 display pipeline to initialize
  hardware.graphics.enable = true;
  # Console font sized for the 5" 720x1280 display (from nixos-uconsole base module)
  console = {
    earlySetup = true;
    font = "ter-v24n";
    packages = with pkgs; [ terminus_font ];
  };
  # Networking
  networking.networkmanager.enable = true;
  services.openssh = {
    enable = true;
    # TODO: lock down after first deployment
    settings.PermitRootLogin = lib.mkForce "yes";
    settings.PasswordAuthentication = lib.mkForce true;
  };
  # User
  users.users.gortium = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "video" "dialout" "kismet" ];
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.gortium.gitea
    ];
  };
  security.sudo.extraRules = [
    {
      users = [ "gortium" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
  # ============================================================
  # Package groups
  # ============================================================
  environment.systemPackages = with pkgs; [
    # ===== Base =====
    emacs-pgtk
    git
    ripgrep
    fd
    htop
    tmux
    neovim
    libgpiod                    # GPIO control (for internal USB hub, AIO modules)
    # ===== HAM Radio =====
    js8call
    wsjtx
    fldigi
    pat                        # Winlink client
    direwolf                   # AX.25 packet modem
    chirp                      # Radio programming tool
    hamlib                     # Ham radio control libraries
    trustedqsl                 # Logbook of the World (LoTW)
    # ===== SDR / RF =====
    sdrpp                      # SDR++ spectrum analyzer
    gqrx                       # SDR receiver GUI
    rtl-sdr                    # RTL-SDR drivers & utilities
    inspectrum                # Offline signal analysis
    soapysdr-with-plugins      # SoapySDR + hardware support plugins
    # ===== Mesh / LoRa =====
    # meshtastic not available in nixpkgs 25.11 stable; install manually:
    # nix shell nixpkgs#meshtastic -c meshtastic
    reticulumStack             # Reticulum Network Stack (rnsd, rnsh, rncp, rnx, rnpath, etc.)
    lxmf                       # LXMF messaging protocol
    nomadnet                   # Nomad Network client
    # ===== Security =====
    nmap
    aircrack-ng
    kismet                     # Wi-Fi monitor / IDS
    bettercap                  # MITM/network attack framework
    wireshark                  # Packet analyzer
    hashcat                    # GPU password cracker
    john                       # John the Ripper
    sqlmap                     # SQL injection tool
    # ===== GPS / Maps =====
    foxtrotgps
    viking                     # GPS map editor
    gpsbabel                   # GPS data conversion
  ];
  # Packages noted but not in unstable nixpkgs:
  #   - metasploit: unfree; install manually via Git clone
  #   - burpsuite: unfree Java app (Community Edition available for download)
  #   - sidechannel: not a distinct PyPI package; functionality covered by
  #     the Reticulum stack. For LXMF GUI client, install Sideband manually
  #     from github.com/markqvist/Sideband
  # ============================================================
  # Reticulum Service (rnsd)
  # ============================================================
  systemd.services.rnsd = {
    description = "Reticulum Network Stack Daemon";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "gortium";
      Group = "gortium";
      ExecStart = "${pkgs.reticulumStack}/bin/rnsd";
      Restart = "always";
      RestartSec = "10s";
      LimitNOFILE = 65536;
    };
  };
  # ============================================================
  # Kismet Service (Wi-Fi monitoring / mesh node)
  # ============================================================
  systemd.services.kismet = {
    description = "Kismet Wi-Fi Monitor & IDS";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "gortium";
      Group = "kismet";
      ExecStart = "${pkgs.kismet}/bin/kismet -c wlan0 --log-base=/home/gortium/kismet_logs --no-nc-ui";
      Restart = "always";
      RestartSec = "10s";
    };
  };
  # ============================================================
  # Kernel modules for SDR, radio, and WiFi
  # ============================================================
  boot.kernelModules = [
    "mt7921u"         # MediaTek MT7921 USB WiFi (uConsole AC1200)
    "88x2bu"          # Realtek 8812/8821BU USB WiFi (common adapter)
    "rtl8xxxu"        # RTL8188/8192/8723 USB WiFi
    "rtl2832_sdr"     # RTL-SDR kernel module
    "dvb_usb_rtl28xxu" # RTL-SDR DVB-T
    # Display drivers — loaded AFTER RP1 PCIe southbridge init (~12s)
    # NOTHING in initrd — ALL RP1 hardware is behind PCIe
    "panel_cwu50"     # uConsole DSI panel driver
    "vc4"             # VideoCore 4 KMS GPU driver
    "rp1_dsi"         # RP1 DSI bridge driver
  ];
  boot.blacklistedKernelModules = [ ];
  # Rien dans initrd pour le display — tout RP1 est derrière PCIe
  boot.initrd.kernelModules = lib.mkForce [ ];
  # ============================================================
  # Extra udev rules for SDR and HAM radio devices
  # ============================================================
  services.udev.packages = with pkgs; [ rtl-sdr ];
  # ============================================================
  # Enable IPv6 for Reticulum mesh
  # ============================================================
  networking.enableIPv6 = true;
  # ============================================================
  # Firewall: open ports for Reticulum (optional)
  # ============================================================
  networking.firewall.allowedTCPPorts = [ 22 ]; # SSH only
  networking.firewall.allowedUDPPorts = [ ];
  # Reticulum uses its own encryption and doesn't need open ports
  # for basic mesh operations (peer-to-peer discovery).
  # For TCP interfaces, open additional ports as needed.
  # ============================================================
  # Hyprland Wayland compositor (manual start)
  # No SDDM — boot to console, user starts Hyprland with command
  # Display modules (vc4/panel_cwu50) load late after RP1 PCIe init
  # ============================================================
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
  };
  # SDDM disabled — was blocking boot when display isn't ready
  # services.displayManager.sddm = {
  #   enable = true;
  #   wayland.enable = true;
  # };
  # ============================================================
  # CM5 Config.txt Fix: use [pi5] section (not [cm5])
  # Rex's images use [pi5], the CM5 firmware may not detect [cm5]
  # ============================================================
  # Merge nixos-uconsole GPIO config with our [pi5] overrides
  # GPIO 10/11 are from nixos-uconsole configtxt.nix (audio amplifier)
  # [pi5] section fixes the CM5 detection issue — firmware matches [pi5] not [cm5]
  hardware.raspberry-pi.extra-config = ''
    [all]
    gpio=10=ip,np
    gpio=11=op,dh
    [pi5]
    dtparam=pciex1=off
    dtoverlay=clockworkpi-uconsole-cm5
    dtoverlay=dwc2,dr_mode=host
    dtoverlay=vc4-kms-v3d-pi5,cma-384
    dtparam=nohdmi1=off
  '';
  # ============================================================
  # CM5 Display Backlight Fix
  # The kernel driver initializes backlight, but some boots fail.
  # This service kicks it after boot as a reliable fallback.
  # ============================================================
  systemd.services.cm5-backlight-fix = {
    description = "CM5 Display Backlight Fix";
    after = [ "multi-user.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      ExecStart = "${backlightFixScript}";
    };
  };
  # ============================================================
  # Internal USB Hub Enable (GPIO 23) — DISABLED
  # This service freeze the CM5 because gpioset 0 23=1 writes
  # to the wrong GPIO chip (BCM2712 native, not RP1).
  # Enable manually after boot once the correct chip is confirmed:
  #   gpioset 0 23=1   # on chip 0 (BCM2712, CORE_VOLT or critical)
  #   gpioset 512 23=1 # on chip 512 (RP1, likely correct)
  # ============================================================
  # systemd.services.enable-gpio23-usb-hub = {
  #   description = "Enable Internal USB Hub (GPIO 23)";
  #   before = [ "network.target" ];
  #   wantedBy = [ "multi-user.target" ];
  #   serviceConfig = {
  #     Type = "oneshot";
  #     RemainAfterExit = true;
  #     ExecStart = "${pkgs.libgpiod}/bin/gpioset 0 23=1";
  #     ExecStop = "${pkgs.libgpiod}/bin/gpioset 0 23=0";
  #   };
  # };
 }
--- a/hosts/uConsole/disko-config.nix
+++ b/hosts/uConsole/disko-config.nix
@@ -1,46 +0,0 @@
 { lib, ... }:
 {
  disko.devices.disk.main = {
    type = "disk";
    device = "/dev/mmcblk0";
    content = {
      type = "gpt";
      partitions = {
        boot = {
          name = "FIRMWARE";
          size = "1G";
          type = "EF00";
          content = {
            type = "filesystem";
            format = "vfat";
            mountpoint = "/boot/firmware";
            mountOptions = [
              "fmask=0022"
              "dmask=0022"
            ];
          };
        };
        root = {
          name = "NIXOS_UCM5";
          size = "30G";
          content = {
            type = "filesystem";
            format = "ext4";
            mountpoint = "/";
            mountOptions = [ "noatime" ];
          };
        };
        home = {
          name = "NIXOS_HOME";
          size = "100%";
          content = {
            type = "filesystem";
            format = "ext4";
            mountpoint = "/home";
            mountOptions = [ "noatime" ];
          };
        };
      };
    };
  };
 }
--- a/hosts/uConsole/hardware-configuration.nix
+++ b/hosts/uConsole/hardware-configuration.nix
@@ -1,39 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
  boot.initrd.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # Filesystems for NixOS install.
  # mkForce overrides disko's auto-generated paths so we can use
  # filesystem labels (by-label) which work with loop device installs.
  # Disko will set its own paths when nixos-anywhere is used.
  fileSystems."/" = lib.mkForce {
    device = "/dev/disk/by-label/NIXOS_UCM5";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  fileSystems."/boot/firmware" = lib.mkForce {
    device = "/dev/disk/by-label/FIRMWARE";
    fsType = "vfat";
    options = [ "fmask=0022" "dmask=0022" ];
  };
  fileSystems."/home" = lib.mkForce {
    device = "/dev/disk/by-label/NIXOS_HOME";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  hardware.enableRedistributableFirmware = true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/modules/nixos/security/README-ai-worker.md
+++ b/modules/nixos/security/README-ai-worker.md
@@ -1,10 +1,44 @@
 # AI Worker Restricted Access
-This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
+This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
 ## Security Model
-The `ai-worker` user has:
+### Overview
 The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
 - **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
 - **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
 - **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
 - **Disk cleanup**: `docker system`
 - **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
 ### EXPLICITLY BLOCKED (not in sudo whitelist)
 | Command | Risk | Result |
 |---------|------|--------|
 | `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
 | `docker cp` | Copy files between containers and host | Blocked by sudo |
 | `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
 | `docker diff` | Inspect filesystem changes | Blocked by sudo |
 | `docker export` | Export container filesystem | Blocked by sudo |
 | `docker import` | Import filesystem archives | Blocked by sudo |
 | `docker load` | Load docker images | Blocked by sudo |
 | `docker save` | Save docker images to tar | Blocked by sudo |
 | `docker attach` | Interactive access to containers | Blocked by sudo |
 | `docker push` | Push images to registries | Blocked by sudo |
 | `docker tag` | Rename images | Blocked by sudo |
 ### Why This Approach?
 Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
 - `docker exec -it container bash` — full shell access to any container
 - `docker cp /host/file container:/path` — file modification inside containers
 - `docker run -v /:/host alpine` — full host filesystem access
 By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
@@ -12,51 +46,33 @@ The `ai-worker` user has:
 - **Cannot access**: Any files outside standard system paths
 ### Sudo Access
- **NONE**: ai-worker has no sudo privileges
+- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
-### Docker Access
+## Workflow: SSH + Restricted Docker
 - Member of `docker` group - can run `docker` and `docker exec` commands
 - Primary use: `docker exec ollama ollama ...` for benchmarking
 - Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
-## Workflow: SSH + Docker Benchmarking
+All docker commands must be prefixed with `sudo`:
 The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
 ### Example Workflow
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
-# On host, run ollama benchmarks via docker
+# Check container status (works)
-docker exec ollama ollama pull devstral-small-2:24b
+sudo docker ps
-# Create test modelfile
+# Restart a container (works)
-docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
+sudo docker restart ollama
 FROM devstral-small-2:24b
 PARAMETER num_ctx 65536
 PARAMETER num_gpu 99
 PARAMETER flash_attn true
 EOF'
-# Create and test model
+# Run benchmark (works - docker run is allowed)
-docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
+sudo docker run --rm alpine echo "test"
 docker exec ollama ollama run test-model "Write a Python async function"
-# Check VRAM usage
+# ANY of these will FAIL (not in whitelist):
-docker exec --privileged ollama rocm-smi --showmeminfo vram
+sudo docker exec ollama ollama list          # FAILS - docker exec blocked
 sudo docker cp file.txt container:/path/     # FAILS - docker cp blocked
 sudo docker commit container new-image       # FAILS - docker commit blocked
-# Cleanup
+# For ollama operations, use the HTTP API instead of docker exec:
-docker exec ollama ollama rm test-model
+curl http://ollama:11434/api/tags
 # Exit SSH, return to Hermes container
 exit
 # Save results in Hermes container
 # /opt/data/ai-optimizer/state.json
 # /opt/data/ai-optimizer/results.csv
 ```
 ## SSH Access
@@ -74,25 +90,30 @@ Check ai-worker permissions:
 ```bash
 # On the host, as root or gortium:
 sudo -u ai-worker sudo -l
-# Should show: no sudo access
+# Should show the whitelisted commands only (no docker exec/cp/commit)
-# Check docker group membership
+# Verify NOT in docker group
 groups ai-worker
-# Should show: ai-worker docker
+# Should show: ai-worker (NO docker group)
 ```
 ## Troubleshooting
-If ai-worker cannot run docker commands:
+If docker commands fail:
 ```bash
-# Check docker group membership
+# Check sudo permissions
 sudo -u ai-worker sudo -l | grep docker
 # Verify group membership
 groups ai-worker
-# Verify ollama container is running
+# Test allowed command
-docker ps | grep ollama
+sudo -u ai-worker sudo docker ps
-# Test docker access
+# Test blocked command (should fail)
-sudo -u ai-worker docker exec ollama ollama list
+sudo -u ai-worker sudo docker exec ollama ollama list
 # Expected: "Sorry, user ai-worker is not allowed to execute"
 ```
 If SSH connection fails:
--- a/modules/nixos/security/ai-worker-restricted.nix
+++ b/modules/nixos/security/ai-worker-restricted.nix
@@ -6,12 +6,19 @@ with lib;
  options.services.aiWorkerAccess = mkOption {
    type = types.bool;
    default = false;
-    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
+    description = "Enable AI worker SSH access with restricted sudo docker commands";
  };
  config = mkIf config.services.aiWorkerAccess {
-    # ai-worker is member of docker group - can run docker commands via SSH
+    # SECURITY: ai-worker is NOT added to docker group.
-    # No bind mounts, no sudo access - docker-only for ollama benchmarking
+    # Docker access is granted via sudo whitelist in users/ai-worker.nix.
-    users.groups.docker.members = [ "ai-worker" ];
+    # This prevents unrestricted docker daemon access (docker exec, cp, commit, etc.)
    # Only specific docker subcommands are allowed via sudo NOPASSWD rules.
    # The old approach (docker group membership) has been removed because:
    # - Docker group gives UNRESTRICTED access to the docker daemon socket
    # - No way to limit which docker subcommands a docker group member can run
    # - Allowed: docker exec, docker cp, docker run -v /:/host, etc.
    # users.groups.docker.members = [ "ai-worker" ];  // REMOVED
  };
 }
--- a/overlays/reticulum.nix
+++ b/overlays/reticulum.nix
@@ -1,92 +0,0 @@
 final: prev: let
  python3 = final.python3;
  pyPkgs = python3.pkgs;
 in
  {
    reticulumStack = python3.pkgs.buildPythonApplication rec {
      pname = "reticulum";
      version = "1.2.9";
      format = "setuptools";
      src = pyPkgs.fetchPypi {
        pname = "rns";
        inherit version;
        sha256 = "554814231c237b9caacf8df669312e57dd7d3f84b6d4810125087d1a79a75d75";
      };
      patchPhase = ''
        # Fix license_files syntax: ("LICENSE") is a string not tuple
        # Newer setuptools iterates over it char by char, fails on 'S'
        substituteInPlace setup.py \
          --replace-fail 'license_files = ("LICENSE")' 'license_files = ("LICENSE",)'
      '';
      propagatedBuildInputs = with pyPkgs; [ cryptography pyserial ];
      doCheck = false;
      pythonImportsCheck = [ "RNS" ];
      meta = with final.lib; {
        description = "Self-configuring, encrypted and resilient mesh networking stack";
        homepage = "https://reticulum.network/";
        license = licenses.mit;
        platforms = platforms.linux;
      };
    };
    lxmf = python3.pkgs.buildPythonApplication rec {
      pname = "lxmf";
      version = "0.9.8";
      format = "setuptools";
      src = pyPkgs.fetchPypi {
        inherit pname version;
        sha256 = "30f39f3a975a049c12ee2cfceb3261d24cb5adec881c6821f7354464b3f3650c";
      };
      propagatedBuildInputs = [ final.reticulumStack ];
      doCheck = false;
      pythonImportsCheck = [ "LXMF" ];
      meta = with final.lib; {
        description = "Lightweight Extensible Message Format for Reticulum";
        homepage = "https://github.com/markqvist/lxmf";
        license = licenses.mit;
        platforms = platforms.linux;
      };
    };
    nomadnet = python3.pkgs.buildPythonApplication rec {
      pname = "nomadnet";
      version = "1.1.1";
      format = "setuptools";
      src = pyPkgs.fetchPypi {
        inherit pname version;
        sha256 = "fa13b64a10e75b705a58024815ab72451700aa726af96d415ba99dec28dfc40a";
      };
      propagatedBuildInputs = with pyPkgs; [ final.reticulumStack final.lxmf urwid qrcode ];
      doCheck = false;
      pythonImportsCheck = [ "nomadnet" ];
      meta = with final.lib; {
        description = "Nomad Network — resilient mesh communications platform";
        homepage = "https://github.com/markqvist/NomadNet";
        license = licenses.mit;
        platforms = platforms.linux;
      };
    };
    rnsh = python3.pkgs.buildPythonApplication rec {
      pname = "rnsh";
      version = "0.1.7";
      format = "setuptools";
      src = pyPkgs.fetchPypi {
        inherit pname version;
        sha256 = "9cb72f25abb1c6d300f8014b264184ff78f592fe88e36094938012990b797c93";
      };
      propagatedBuildInputs = [ final.reticulumStack ];
      doCheck = false;
      pythonImportsCheck = [ "rnsh" ];
      meta = with final.lib; {
        description = "Remote shell over Reticulum";
        homepage = "https://github.com/acehoss/rnsh";
        license = licenses.mit;
        platforms = platforms.linux;
      };
    };
  }
  # meshtastic may not exist in all nixpkgs versions (e.g. not in 25.11)
  // prev.lib.optionalAttrs (prev ? meshtastic) {
    inherit (prev) meshtastic;
  }
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -4,7 +4,9 @@
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
-    extraGroups = [ "docker" ];
+    # SECURITY: ai-worker is NOT in the docker group.
    # Docker access is restricted via sudo whitelist — only specific subcommands allowed.
    # extraGroups = [ "docker" ]; — REMOVED: docker group gives unrestricted docker daemon access
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
      keys.users.ai-worker.main
@@ -17,19 +19,134 @@
  # Enable restricted AI worker SSH access for ollama benchmarking
  # SECURITY: ai-worker can only:
  #   - SSH into host from Hermes container
-  #   - Run docker commands (docker exec ollama ...) via docker group
+  #   - Run docker commands via sudo (whitelist below — no exec/cp/commit)
  #   - Run specific security audit commands
  #   - NO access to infra repo (no bind mount)
-  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
+  #   - NO nix/nixos-rebuild/nh commands
-  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
+  # WORKFLOW: SSH from Hermes container, run docker commands via sudo, return and save results
  services.aiWorkerAccess = true;
-  # Restricted sudo for ai-worker - security checks only
+  # Restricted sudo for ai-worker
  # IMPORTANT: ai-worker is NOT in docker group. All docker access goes through sudo.
  # Only the subcommands listed below are allowed — everything else is denied.
  # This prevents: docker exec, docker cp, docker commit, and other file-modifying operations.
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
      commands = [
-        # Firewall checks
+        # === Docker commands: lifecycle management (NO file modification) ===
        # ps/inspect/logs — read-only status checks
        {
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker logs *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker images";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker info";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker version";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker stats *";
          options = [ "NOPASSWD" ];
        }
        # start/stop/restart — container lifecycle
        {
          command = "/run/current-system/sw/bin/docker start *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker stop *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker restart *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker rm *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker rmi *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker wait *";
          options = [ "NOPASSWD" ];
        }
        # pull/build/run — image management and container creation
        {
          command = "/run/current-system/sw/bin/docker pull *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker build *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker run *";
          options = [ "NOPASSWD" ];
        }
        # compose — orchestration
        {
          command = "/run/current-system/sw/bin/docker compose *";
          options = [ "NOPASSWD" ];
        }
        # system — disk cleanup
        {
          command = "/run/current-system/sw/bin/docker system *";
          options = [ "NOPASSWD" ];
        }
        # network — list only (create/modify not needed)
        {
          command = "/run/current-system/sw/bin/docker network ls";
          options = [ "NOPASSWD" ];
        }
        # volume — list only (create/modify not needed)
        {
          command = "/run/current-system/sw/bin/docker volume ls";
          options = [ "NOPASSWD" ];
        }
        # === EXPLICITLY DENIED docker commands (not in whitelist — sudo rejects them) ===
        # docker exec     — executes arbitrary commands inside running containers (FILE MODIFICATION)
        # docker cp       — copies files between containers and host (FILE ACCESS)
        # docker commit   — creates images from running containers (DATA EXFIL)
        # docker diff     — inspects filesystem changes (INFO LEAK)
        # docker export   — exports container filesystem (DATA EXFIL)
        # docker import   — imports filesystem archives
        # docker load     — loads docker images
        # docker save     — saves docker images to tar (DATA EXFIL)
        # docker attach   — attaches to running containers (INTERACTIVE ACCESS)
        # docker push     — pushes images to registries (DATA EXFIL)
        # docker tag      — renames images
        # docker create   — creates containers (use 'docker run' instead)
        # docker plugin   — manages plugins
        # docker network create/rm — network management
        # docker volume create/rm  — volume management
        # === Firewall checks ===
        {
          command = "/run/wrappers/bin/sudo iptables -L -n -v";
          options = [ "NOPASSWD" ];
@@ -38,7 +155,8 @@
          command = "/run/wrappers/bin/sudo iptables -S";
          options = [ "NOPASSWD" ];
        }
-        # Fail2ban status
+
        # === Fail2ban status ===
        {
          command = "/run/current-system/sw/bin/fail2ban-client status";
          options = [ "NOPASSWD" ];
@@ -51,7 +169,8 @@
          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
          options = [ "NOPASSWD" ];
        }
-        # Log inspection
+
        # === Log inspection ===
        {
          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
          options = [ "NOPASSWD" ];
@@ -64,21 +183,14 @@
          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
          options = [ "NOPASSWD" ];
        }
-        # SSH config verification
+
        # === SSH config verification ===
        {
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
-        # Docker service checks
+
-        {
+        # === Network diagnostics ===
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";
          options = [ "NOPASSWD" ];