fix: restrict docker commands for ai-worker user

Remove ai-worker from docker group and enforce sudo whitelist.

SECURITY: Being in the docker group gives unrestricted access to the
Docker daemon socket (/var/run/docker.sock), allowing any docker command:
docker exec, docker cp, docker run -v /:/host, docker commit, etc.

Changes:
- Remove extraGroups = ["docker"] from ai-worker user definition
- Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands
  ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop,
  restart, rm, rmi, wait, pull, build, run, compose, system,
  network ls, volume ls
  BLOCKED (implicitly): exec, cp, commit, diff, export, import, load,
  save, attach, push, tag, create, plugin, network create, volume create
- Update ai-worker-restricted.nix module to reflect new approach
- Update README-ai-worker.md with new security model and examples

All docker commands must now be prefixed with sudo.
The Hermes agent's host_run tool needs to be updated to prepend sudo.

.planning/ROADMAP.md

@@ -13,9 +13,7 @@ None
 - ✅ **Phase 1: Foundation Setup** - Establish core NixOS configuration with flakes
 - ✅ **Phase 2: Docker Service Integration** - Integrate Docker Compose services
 - ✅ **Phase 3: AI Assistant Integration** - Enable AI-assisted infrastructure management
-- ✅ **Phase 4: Internet Access & MCP** - MCP server for web access
-- 🚨 **Security Hardening** - CRITICAL: Firewall, fail2ban, SSH hardening (PR #28)
-- [ ] **Phase 5: TAK Server** - Research, implementation, and validation
+- [ ] **Phase 4: Internet Access & MCP** - MCP server for web access
 
 
 ## Phase Details
@@ -135,25 +133,8 @@ Plans:
 
 ## Progress
 
-**Merge Priority Order** (CRITICAL - merge in this order):
-
-| Priority | PR | Description | Status | Notes |
-|----------|-----|-------------|--------|-------|
-| 🚨 1 | #28 | **Security hardening** (firewall, fail2ban, SSH) | Open | **MERGE FIRST** - protects all other services |
-| 2 | #22 | Matrix bridge dependency fix | Open | Blocks Hermes functionality |
-| 3 | #21 | Backup network creation fix | Open | Infrastructure fix |
-| 4 | #25 | Hermes voice GPU support | Open | Feature enhancement |
-| 5 | #24 | uConsole CM5 host | Open | New hardware support |
-| 6 | #23 | NixOS deployment infrastructure | Open | Deployment tooling |
-| 7 | #1 | AI worker restricted access | Open | Legacy PR (superseded by hardening) |
-
 **Execution Order:**
-Phases execute in numeric order: 1 → 2 → 3 → 4 → Security → 5 → 6 → 7
-
-**Merge vs Phase Execution:**
-- PRs can merge independently (no strict phase ordering for merges)
-- **EXCEPTION:** Security hardening (#28) must merge before any new services are exposed
-- After security merge, deploy with: `nh os switch --flake .#lazyworkhorse`
+Phases execute in numeric order: 1 → 2 → 3 → 4 → 5 → 6 → 7
 
 | Phase | Milestone | Plans Complete | Status | Completed |
 |-------|-----------|----------------|--------|-----------|

AGENTS.md

@@ -5,6 +5,7 @@ This document outlines the development conventions for this NixOS-based infrastr
 ## Build & Deployment
 
 - **Build/Deploy:** Use `nixos-rebuild switch --flake .#<hostname>` to build and deploy the configuration for a specific host.
+- **CRITICAL — Validate before pushing:** Always `nix build --no-link '.#nixosConfigurations.<hostname>.config.system.build.toplevel'` (or `nh os build`) and confirm it succeeds before pushing any changes. Never push untested NixOS configs.
 - **Development Shell:** Activate the development environment with `nix develop`.
 
 ## Linting & Formatting

assets/ollama/Dockerfile

@@ -0,0 +1,106 @@
+# ollama-gfx906/Dockerfile
+#
+# Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
+# The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
+# This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
+#
+# Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
+
+FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
+
+# Build dependencies (CMake, Ninja, Go)
+ARG CMAKEVERSION=3.31.2
+ARG NINJAVERSION=1.12.1
+ARG GOLANG_VERSION=1.22.0
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    curl git ccache build-essential pkg-config unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install CMake from official binaries
+RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
+    | tar xz -C /usr/local --strip-components 1
+
+# Install Ninja
+RUN curl -fsSL -o /tmp/ninja.zip \
+    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
+    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
+
+# Install Go
+RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
+    | tar xz -C /usr/local
+ENV PATH=/usr/local/go/bin:$PATH
+
+ARG OLLAMA_VERSION=v0.23.2
+RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
+WORKDIR /build
+
+# ROCm paths
+ENV HIP_PATH=/opt/rocm
+ENV ROCM_PATH=/opt/rocm
+ENV CMAKE_GENERATOR=Ninja
+ENV LDFLAGS=-s
+
+# Step 1: Build CPU backends with GCC (no ROCm preset)
+# Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
+# finding a HIP compiler (it searches /opt/rocm even without PATH).
+# Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
+RUN mkdir -p build-cpu && \
+    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
+      -DCMAKE_HIP_COMPILER="" \
+      -DCMAKE_INSTALL_PREFIX=/build/dist && \
+    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
+    cmake --install build-cpu --component CPU --strip && \
+    echo "=== CPU install ===" && \
+    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
+
+# Step 2: Build HIP backend with ROCm preset + gfx906 target only
+# The ROCm 6 preset enables HIP language detection (enable_language(HIP))
+# which ensures GPU kernels are properly compiled for gfx906.
+# OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
+# Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
+# at /opt/rocm/lib/cmake/hip/hip-config.cmake.
+RUN mkdir -p build-hip && \
+    cmake -B build-hip \
+      --preset 'ROCm 6' \
+      -DAMDGPU_TARGETS="gfx906:xnack-" \
+      -DCMAKE_BUILD_TYPE=Release \
+      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
+    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
+    cmake --install build-hip --component HIP --strip && \
+    echo "=== HIP install ===" && \
+    find /build/dist/lib/ollama -type f -o -type l | head -20
+
+# Step 3: Build Go binary (GCC for CGo linking)
+ENV CGO_ENABLED=1
+RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
+
+# ---------- Runtime image ----------
+FROM ubuntu:24.04
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
+    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy ROCm 6.1 runtime libraries
+# These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
+COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
+COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
+
+# Copy ollama binary + all backends (CPU + HIP)
+# CPU install:  /build/dist/lib/ollama/libggml-*.so
+# HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
+COPY --from=builder /build/dist/ollama /usr/bin/ollama
+COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
+
+RUN ldconfig
+
+ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
+ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
+ENV HCC_AMDGPU_TARGET=gfx906
+ENV HSA_ENABLE_SDMA=0
+
+EXPOSE 11434
+ENTRYPOINT ["/bin/ollama"]
+CMD ["serve"]

flake.nix

@@ -61,6 +61,7 @@
               ./modules/nixos/services/open_code_server.nix
               ./modules/nixos/services/ollama_init_custom_models.nix
               ./modules/nixos/services/openclaw_node.nix
+              ./modules/nixos/security/ai-worker-restricted.nix
               ./users/gortium.nix
               ./users/ai-worker.nix
             ];

hosts/lazyworkhorse/configuration.nix

@@ -36,7 +36,7 @@
     "transparent_hugepage=always" # because mucho ram
   ];
   # 2. Load the specific drivers found by sensors-detect
-  boot.kernelModules = [ "nct6775" "lm96163" ];
+  boot.kernelModules = [ "nct6775" "lm96163" "iptable_nat" "iptable_filter" ];
   # 3. Force the nct6775 driver to recognize the chip if it's stubborn
   boot.extraModprobeConfig = ''
     options nct6775 force_id=0xd280
@@ -49,6 +49,26 @@
   networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
   networking.hostId = "deadbeef";
 
+  # WireGuard VPN client -- always up, connects to wg-easy server
+  # Create age-encrypted secrets before deploying (run on the host):
+  #   echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age
+  #   echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age
+  networking.wireguard.interfaces = {
+    wg0 = {
+      ips = [ "10.8.0.3/24" ];
+      privateKeyFile = config.age.secrets.wireguard_private_key.path;
+      peers = [
+        {
+          publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
+          presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
+          allowedIPs = [ "10.8.0.0/24" ];
+          endpoint = "vpn.lazyworkhorse.net:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+
   # Set your time zone.
   time.timeZone = "America/Montreal";
 
@@ -158,7 +178,7 @@
     settings = {
       PasswordAuthentication = false;
       KbdInteractiveAuthentication = false;
-      PermitRootLogin = "prohibit-password"; 
+      # Additional hardening settings below in SERVER HARDENING section
     };
     hostKeys = [
       {
@@ -187,6 +207,7 @@
     ai = {
       path = self + "/assets/compose/ai";
       envFile = config.age.secrets.containers_env.path;
+      ports = [ 22000 ];  # Syncthing TCP sync
     };
 
     cloudstorage = {
@@ -221,6 +242,11 @@
       path = self + "/assets/compose/homepage";
     };
 
+    vpn = {
+      path = self + "/assets/compose/vpn";
+      envFile = config.age.secrets.containers_env.path;
+    };
+
     # tak = {
     #   path = self + "/assets/compose/tak";
     # };
@@ -264,6 +290,20 @@
         mode = "0440";
         path = "/run/secrets/openclaw_gateway_token";
       };
+      wireguard_private_key = {
+        file = ../../secrets/wireguard_private_key.age;
+        owner = "root";
+        group = "root";
+        mode = "0400";
+        path = "/run/secrets/wireguard_private_key";
+      };
+      wireguard_preshared_key = {
+        file = ../../secrets/wireguard_preshared_key.age;
+        owner = "root";
+        group = "root";
+        mode = "0400";
+        path = "/run/secrets/wireguard_preshared_key";
+      };
     };
   };
 
@@ -308,6 +348,203 @@
   # Or disable the firewall altogether.
   # networking.firewall.enable = false;
 
+  # =============================================================================
+  # SERVER HARDENING - Firewall, Fail2ban, SSH, Kernel
+  # =============================================================================
+  
+  # Firewall - default deny, explicit allow
+  networking.firewall = {
+    # Enable firewall with default deny policy (NixOS firewall denies all by default)
+    enable = true;
+    allowPing = true;
+    
+    # Only essential ports exposed to internet
+    allowedTCPPorts = [
+      2424  # SSH (non-standard port)
+      2222  # Gitea (version control)
+      80    # HTTP (Traefik redirect)
+      443   # HTTPS (Traefik)
+      # 8000  # Portainer - REVIEW: internal only?
+      # 4242  # Coms - REVIEW: internal only?
+      # 5000  # TAK API - REVIEW: internal only?
+      # 8087  # TAK Connect - REVIEW: internal only?
+      # 8089  # TAK Management - REVIEW: internal only?
+    ];
+    
+    allowedUDPPorts = [
+      51820 # WireGuard VPN
+    ];
+    
+    # Rate limiting and attack prevention
+    extraCommands = ''
+      # 1. Wipe the INPUT chain clean at the start of every activation
+      iptables -F INPUT
+      
+      # Rate limit SSH connections (max 20 new connections per 60 seconds)
+      iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --set
+      iptables -A INPUT -p tcp --dport 2424 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
+      
+      # Rate limit HTTP/HTTPS (protects Traefik)
+      iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
+      iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
+      
+      # Drop invalid packets
+      iptables -A INPUT -m state --state INVALID -j DROP
+      
+      # Log dropped packets (rate limited)
+      iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
+
+      # 3. CRITICAL: Re-link the NixOS default firewall chain
+      # Without this line, the 'allowedTCPPorts' in your Nix config will be ignored!
+      iptables -A INPUT -j nixos-fw
+    '';
+  };
+
+  # Fail2ban - automatic IP banning
+  services.fail2ban = {
+    enable = true;
+    maxretry = 3;
+    bantime = "1h";
+    banaction = "iptables-multiport";
+    
+    jails = {
+      # SSH brute force protection (uses systemd journal backend)
+      sshd = {
+        enabled = true;
+        settings = {
+          filter = "sshd";
+          port = "2424";
+          maxretry = 3;
+          bantime = "1h";
+        };
+      };
+      
+      # Recidive - ban repeat offenders for 1 week
+      recidive = {
+        enabled = true;
+        settings = {
+          filter = "recidive";
+          logpath = "/var/log/fail2ban.log";
+          bantime = "1w";
+          findtime = "1d";
+          maxretry = 3;
+        };
+      };
+      
+      # HTTP authentication failures (Traefik)
+      http-auth = {
+        enabled = true;
+        settings = {
+          filter = "traefik-auth";
+          port = "80,443";
+          logpath = "/var/log/traefik/access.log";
+          maxretry = 5;
+          bantime = "1h";
+        };
+      };
+      
+      # HTTP scanning/attacks (Traefik)
+      http-botsearch = {
+        enabled = true;
+        settings = {
+          filter = "traefik-botsearch";
+          port = "80,443";
+          logpath = "/var/log/traefik/access.log";
+          maxretry = 2;
+          bantime = "2h";
+        };
+      };
+    };
+  };
+  
+  # Custom fail2ban filters for Traefik
+  environment.etc."fail2ban/filter.d/traefik-auth.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" (401|403) \d+.*$
+    ignoreregex =
+  '';
+  
+  environment.etc."fail2ban/filter.d/traefik-botsearch.conf".text = ''
+    [Definition]
+    failregex = ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*" 404 \d+.*$
+                ^<HOST> -.*"(GET|POST|HEAD|PUT|DELETE).*/(\.|wp-|php|admin|login|xmlrpc|\.env|\.git|\.aws|\.azure).*" \d+.*$
+    ignoreregex =
+  '';
+
+  # SSH hardening
+  services.openssh.settings = {
+    PermitRootLogin = "no";
+    MaxAuthTries = 3;
+    MaxSessions = 20;
+    LoginGraceTime = 30;
+    ClientAliveInterval = 300;
+    ClientAliveCountMax = 2;
+    PermitEmptyPasswords = "no";
+    ChallengeResponseAuthentication = "no";
+    UsePAM = true;
+    LogLevel = "VERBOSE";
+    X11Forwarding = false;
+    AllowTcpForwarding = "no";
+    AllowAgentForwarding = "no";
+    PermitTunnel = "no";
+  };
+
+  # Kernel network hardening
+  boot.kernel.sysctl = {
+    # IP Spoofing protection
+    "net.ipv4.conf.all.rp_filter" = 1;
+    "net.ipv4.conf.default.rp_filter" = 1;
+    
+    # Ignore ICMP broadcasts
+    "net.ipv4.icmp_echo_ignore_broadcasts" = 1;
+    
+    # Disable source routing
+    "net.ipv4.conf.all.accept_source_route" = 0;
+    "net.ipv4.conf.default.accept_source_route" = 0;
+    "net.ipv6.conf.all.accept_source_route" = 0;
+    "net.ipv6.conf.default.accept_source_route" = 0;
+    
+    # Disable redirects
+    "net.ipv4.conf.all.send_redirects" = 0;
+    "net.ipv4.conf.default.send_redirects" = 0;
+    
+    # SYN flood protection
+    "net.ipv4.tcp_syncookies" = 1;
+    "net.ipv4.tcp_max_syn_backlog" = 2048;
+    "net.ipv4.tcp_synack_retries" = 2;
+    "net.ipv4.tcp_syn_retries" = 5;
+    
+    # Log martian packets
+    "net.ipv4.conf.all.log_martians" = 1;
+    "net.ipv4.conf.default.log_martians" = 1;
+    
+    # Ignore redirects
+    "net.ipv4.conf.all.accept_redirects" = 0;
+    "net.ipv4.conf.default.accept_redirects" = 0;
+    "net.ipv4.conf.all.secure_redirects" = 0;
+    "net.ipv4.conf.default.secure_redirects" = 0;
+    "net.ipv6.conf.all.accept_redirects" = 0;
+    "net.ipv6.conf.default.accept_redirects" = 0;
+    
+    # Connection tuning
+    "net.core.somaxconn" = 4096;
+    "net.core.netdev_max_backlog" = 65536;
+    "net.ipv4.tcp_max_orphans" = 65536;
+    "net.ipv4.tcp_fin_timeout" = 15;
+    "net.ipv4.tcp_keepalive_time" = 300;
+    "net.ipv4.tcp_keepalive_probes" = 5;
+    "net.ipv4.tcp_keepalive_intvl" = 15;
+  };
+
+  # Audit logging
+  security.auditd.enable = true;
+  
+  # Fail2ban log directory
+  systemd.tmpfiles.rules = [
+    "d /var/log/fail2ban 0755 root root -"
+    "d /var/log/traefik 0755 root root -"
+  ];
+
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you
   # accidentally delete configuration.nix.

modules/nixos/security/README-ai-worker.md

@@ -0,0 +1,126 @@
+# AI Worker Restricted Access
+
+This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
+
+## Security Model
+
+### Overview
+
+The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
+
+- **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
+- **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
+- **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
+- **Disk cleanup**: `docker system`
+- **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
+
+### EXPLICITLY BLOCKED (not in sudo whitelist)
+
+| Command | Risk | Result |
+|---------|------|--------|
+| `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
+| `docker cp` | Copy files between containers and host | Blocked by sudo |
+| `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
+| `docker diff` | Inspect filesystem changes | Blocked by sudo |
+| `docker export` | Export container filesystem | Blocked by sudo |
+| `docker import` | Import filesystem archives | Blocked by sudo |
+| `docker load` | Load docker images | Blocked by sudo |
+| `docker save` | Save docker images to tar | Blocked by sudo |
+| `docker attach` | Interactive access to containers | Blocked by sudo |
+| `docker push` | Push images to registries | Blocked by sudo |
+| `docker tag` | Rename images | Blocked by sudo |
+
+### Why This Approach?
+
+Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
+
+- `docker exec -it container bash` — full shell access to any container
+- `docker cp /host/file container:/path` — file modification inside containers
+- `docker run -v /:/host alpine` — full host filesystem access
+
+By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
+
+### Filesystem Access
+- **Home directory**: `/home/ai-worker` (standard user home)
+- **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
+- **Cannot access**: Any files outside standard system paths
+
+### Sudo Access
+- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
+- Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
+
+## Workflow: SSH + Restricted Docker
+
+All docker commands must be prefixed with `sudo`:
+
+```bash
+# From Hermes container, SSH to host
+ssh -i /path/to/ssh/key ai-worker@host.docker.internal
+
+# Check container status (works)
+sudo docker ps
+
+# Restart a container (works)
+sudo docker restart ollama
+
+# Run benchmark (works - docker run is allowed)
+sudo docker run --rm alpine echo "test"
+
+# ANY of these will FAIL (not in whitelist):
+sudo docker exec ollama ollama list          # FAILS - docker exec blocked
+sudo docker cp file.txt container:/path/     # FAILS - docker cp blocked
+sudo docker commit container new-image       # FAILS - docker commit blocked
+
+# For ollama operations, use the HTTP API instead of docker exec:
+curl http://ollama:11434/api/tags
+```
+
+## SSH Access
+
+Connect as:
+```bash
+ssh ai-worker@lazyworkhorse
+```
+
+The working directory will be `/home/ai-worker`. No infra repo access.
+
+## Verification
+
+Check ai-worker permissions:
+```bash
+# On the host, as root or gortium:
+sudo -u ai-worker sudo -l
+# Should show the whitelisted commands only (no docker exec/cp/commit)
+
+# Verify NOT in docker group
+groups ai-worker
+# Should show: ai-worker (NO docker group)
+```
+
+## Troubleshooting
+
+If docker commands fail:
+
+```bash
+# Check sudo permissions
+sudo -u ai-worker sudo -l | grep docker
+
+# Verify group membership
+groups ai-worker
+
+# Test allowed command
+sudo -u ai-worker sudo docker ps
+
+# Test blocked command (should fail)
+sudo -u ai-worker sudo docker exec ollama ollama list
+# Expected: "Sorry, user ai-worker is not allowed to execute"
+```
+
+If SSH connection fails:
+```bash
+# Check SSH key is authorized
+cat /home/ai-worker/.ssh/authorized_keys
+
+# Check SSH service
+systemctl status sshd
+```

modules/nixos/security/ai-worker-restricted.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+{
+  options.services.aiWorkerAccess = mkOption {
+    type = types.bool;
+    default = false;
+    description = "Enable AI worker SSH access with restricted sudo docker commands";
+  };
+
+  config = mkIf config.services.aiWorkerAccess {
+    # SECURITY: ai-worker is NOT added to docker group.
+    # Docker access is granted via sudo whitelist in users/ai-worker.nix.
+    # This prevents unrestricted docker daemon access (docker exec, cp, commit, etc.)
+    # Only specific docker subcommands are allowed via sudo NOPASSWD rules.
+    
+    # The old approach (docker group membership) has been removed because:
+    # - Docker group gives UNRESTRICTED access to the docker daemon socket
+    # - No way to limit which docker subcommands a docker group member can run
+    # - Allowed: docker exec, docker cp, docker run -v /:/host, etc.
+    # users.groups.docker.members = [ "ai-worker" ];  // REMOVED
+  };
+}

modules/nixos/services/ollama_init_custom_models.nix

@@ -1,45 +1,87 @@
 { pkgs, ... }: {
   systemd.services.init-ollama-model = {
     description = "Initialize LLM models with extra context in Ollama Docker";
-    after = [ "docker-ollama.service" ];
+    
+    # On s'assure que Docker tourne avant de lancer ce script
+    after = [ "docker.service" ];
     wantedBy = [ "multi-user.target" ];
+    
     script = ''
-      # Wait for Ollama
-      while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
-        sleep 2
-      done
+      # Fonction de création asynchrone pour ne pas bloquer le démarrage
+      (
+        echo "Starting asynchronous Ollama initialization..."
+        
+        # Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
+        TIMEOUT=60
+        COUNT=0
+        while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
+          if [ $COUNT -ge $TIMEOUT ]; then
+            echo "Ollama did not become ready in time. Exiting."
+            exit 1
+          fi
+          echo "Waiting for Ollama API to be reachable..."
+          sleep 5
+          COUNT=$((COUNT + 5))
+        done
 
-      create_model_if_missing() {
-        local model_name=$1
-        local base_model=$2
-        if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
-          echo "$model_name not found, creating from $base_model..."
-          ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
+        create_model_if_missing() {
+          local model_name=$1
+          local base_model=$2
+          
+          # Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty)
+          if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then
+            echo "$model_name not found, creating from $base_model..."
+            
+            # Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
+            TMP_FILE=$(mktemp)
+            cat <<EOF > "$TMP_FILE"
 FROM $base_model
+TEMPLATE """{{- if .System }}
+[SYSTEM_PROMPT]
+{{ .System }}
+[/SYSTEM_PROMPT]
+{{- end }}
+{{- range .Messages }}
+{{- if eq .Role "user" }}
+[INST]
+{{ .Content }}
+[/INST]
+{{- else if eq .Role "assistant" }}
+{{ .Content }}
+{{- end }}
+{{- end }}"""
 PARAMETER num_ctx 131072
 PARAMETER num_predict 4096
 PARAMETER num_keep 1024
 PARAMETER repeat_penalty 1.1
 PARAMETER top_k 40
-PARAMETER stop \"[INST]\"
-PARAMETER stop \"[/INST]\"
-PARAMETER stop \"</s>\"
-EOF"
-          ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
-        else
-          echo "$model_name already exists, skipping."
-        fi
-      }
+PARAMETER stop "[INST]"
+PARAMETER stop "[/INST]"
+PARAMETER stop "</s>"
+EOF
 
-      # Create Nemotron
-      create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
-      
-      # Create Devstral
-      create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
+            # Copie et création dans le conteneur
+            ${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile
+            ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
+            ${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile
+            rm -f "$TMP_FILE"
+          else
+            echo "$model_name already exists, skipping."
+          fi
+        }
+
+        # Create Nemotron
+        create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
+        
+        # Create Devstral
+        create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
+        
+      ) &
     '';
+
     serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
+      Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&'
+      User = "root";
     };
   };
 }

secrets/containers.env.age

@@ -1,34 +1,36 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBOL29w
-eGk1N2xxTHJtaUEvWWZmbkh1bk11Tjk3anNnMDB1cCtPYUMzdTNJCkdhQ08vblNG
-UlV1K2xVTGZVTzFWYXAzcjZaMWs0RTFWdStKSmlSTURvK1EKLT4gLC1zKU8zVkgt
-Z3JlYXNlIFUiXFcpS302IHByVn5jOy0gRDMKQjV3SHpDWUIybGFyQUg3ZlR0R2hV
-eWM3SFlCVW5mdlpBVUF3a0xpNlZCeGNUd1oxTTlkc1RkTXdZS0lFTmN3Ci0tLSA3
-VlBqM1VLWllZc0JnOTMvUFRjMU13OTdzMmhsdGJubkk5eGpERVVLYUk4Cnzh5UbU
-FlgqpM8jkJ6XlsaIDCw/G3D6uJ/GRJW4gIekuhAUxpZJrc8eOA8ZuHfGrBbH3acV
-tVafX5F0Kr2oOblqZ6gduZOUS52KmWH8stiBJM+e5ZZ7zRQVE4PJUKUPCzi+WdcH
-zr295T//FOdicrYHdsjfziKEHzBtUCFiATW05+O2zMjYjO6cPzePcCzPWinwiID6
-V+f6ngfkkQaj3wBGkzaieQJzRcdSwky21aVhGCCX/bvqx61iW2d5QAKxGbtQ2RcG
-X1okr+xunAM94nzDMv46vyN97KxY7cZd4pAaOxoICc2Tfhtw6F+iS6QkQh1odJzO
-7ZH+sSQCvndG+8z9shXGiHalASF5tdguM+JlEvAGljcaiAUtsQWxr9CoWiEkC6c6
-NCaECSYO8Il+SXBQnSZSGJSNDhuPYCYrsjXGSAONFixuyeslAkq9x2WUaUS4H063
-1QvRF7XO2tBPtgCLsSjdiGp0h+ImUaGdu6fDR7zrDsGsaAFCSFeH/rGNNXRQ2vP2
-CSfPfDDCqpUSCn0WuA30BtaPLxGmZT6OjFevKzYMNDmdeq9ia/q8K0hmjLUBdN3k
-tdYWbwoaf4gYbUWxSleD768b0Jgxss9Vod+sFQ+NYRksdGIeyND+aQIc312XehfA
-qHFBS8nlj7eUF5bdvCYQ64z741mH4cNlGxyjPBH1x8FHnEOocJXYt1l2AZSRJmJA
-c3z0QGXyuCbsrLBXWK1EKa/Juo4PGGsEVoLRhwJAQy9+i1JN0yrfRvSPyzvD4px6
-wRPzlZ80MQdb2lv84WS/zcOEZmZzlLntszTRRdIfAsuaavP2Rquh4rEXABYeTZwp
-5dem79s8bdW2nFsGMNz1OQKQwocyjYu1jJMHu6Gp7Ngdl1xyW7xfg0dezE1c0cIh
-xt1aLER9YJp4n5to5cOH16l3mjDHnAvABx38xE9loNL3399J/evw7LxpTYQ4v2Xv
-x8xnDHcqJ+deFSwyuUnMS5DkUeYuHmUl0Q2WYcfY+ibCmcgCb2ObTtuN1/ZxNYrL
-OKrnmfuSvBgyuIOj5e6uWW0+Zs8dHKXu2TgV8WignxOhl5zQgCpCBlqVfO0t+NCu
-Gi26hU/fhGWQ/1oQa3VkpGsypZbJpgQvfWxfcGHP/MMhnl01zzlP8/aexSY3pAxf
-fz9v0IVh6xxtu3zbiiVzUsXbfG7t+xY98jMphf4AS2mWva3GWVmhhu0lS3J3P+go
-YEEP4rOFHeU0Y1/6kLydTXvz4jMH0H92XQIzshd7vzQnEJPUPAzqRmw3LKYGgCI+
-wZEnxJ6ckqTkGBFnxTpy9LLllwmnz2Ky87nY3XAmqxlhb2Ap1XFAlfgszmGjc+Il
-KkIgoWQHTUm6QM9ta++oUTIDneOvxGd0zZsqoEhiC/7E01BNNZ6E58TeJU3fDlA3
-mX6n05XjwPRpgXZfayPoAgBlZc2H4KeiynxwNZ/dWu7qz7L6Ppk6Nvtly8giTbFx
-CA+tto7vq+D+CAEJ4bgyq4BCH4GL4APrhPcWp98Mko1WCiRTIKgkZxQCYvlg/LZq
-LNhMacP9T1qTvNC+yR1NEMiegE3APzk6CkDpVaO9+5f/sqifNPINCMothenI9ePw
-zjQLI3Mo1m73bkomytUZ7i1VstP5sEZ5LF72Sq7BpR3oQ3Gp0CAN9w==
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBWNEpt
+cGFNeVBBaDRqb3pLSEZGQW0wb3VmVnBoZCswUFkzbnBLUnJ0QTNrClRqVkk4RUVO
+d29KYjd5YUcwankvaTFmVHUxQVpDT2ZYWHRaY3JXTUtQMU0KLT4gKXBtQ3UsXi1n
+cmVhc2UgNnwxYCBXVyA/KCQmIHt9NAo3OTZVUHR2UXkvaEFwY0ZBdEJsaFpsbHJ0
+cklKcDVHcEdWMEdPSkpnN0FiRU43RW5hUWFMdjR3WFRRSFBLSGlmClM3cTNJWlNM
+TExkdHdXUHJISkNIaE1TTUxUc1NUWkV1a09HeFU3bVZwQXMKLS0tIGhOcXFTUElS
+azJJNnEreUhMWTJBaVZGSTJPRUFqQkVYS01KRENUVVpZSDgK8+8onFejroBo7MeO
+dW+so4lOsq4zJKn3f0cxmCFg1f0X8zt6h4Uc3A5Cvr1uU+6yw1FWmJ7xa3jJz3lO
+EEaKQJXYC+xIIKGcA7qILa0SFp4a/4OuYjcg27HrlPhg7u5wDhQrd0LdVEe1Xngp
+ZivX7P7HwIna3X8C+TL+K2v/AG2N/z86cdKfRvxyMKNbHhYw+CfHEnWgh8tJ++4h
+G9evNniuNqte6cQaRe7jODfPNW4FuY/Sb7barlJ/M9iAQdYAdyLAzU1LABeHeUfD
+wtHjxy9DUZ55Vg8bB8M2JJU9MkoRT4ewiVd9LeC1GWeVmKsm93wsmrov714i7U2j
+wHtDkjqEF2MmzuQc18sjNaAHiwz8j6o5xU2L/Q4+Q707yISWG7RGZYh389Cr1rnw
+siUq/Vunqw2wk13+J/4vu9nqt5mMktBaCtp+QiWIurjwB5LUAyChrSm+dg5lb0Mt
+UhSc0lq1+E3vxAXM2Hmk+vP86VD+6WJvAU82VFApF1s6zG2FU1/AcOVVf54nan/q
+f+rgSFfASHQCYSblUJHyEtwLNsWEmTGmOEn1buUKD/H0zatPQnc0rYpjlx2V0Sjd
+6yB5+wPrZ0AkN1pjcsPKOv8Kaog2DzqIjib+SaSTaRxWHQEb9uzvaReAcYI5HOpE
+gkC040HN33BItATbo4+hz70Im8Ni/VXD+g6yzM6Hj1hJL+PinTKeg5keQRFIZjMx
+grzievB2wVBBgLgN3qMdTFmpplaL7iL702JjXZUTTK9Izp+9wiCsV1fTa53FWDht
+ylFL5SWElqXjK+QBXxAe+Jk6VQov5HI21YDXL67S554ABeRok23wxrQ31TCI4xq9
+PQV7VtNRjyVud7S29m3OwpWOsgTZhn+JclHj2v4bNJzJkJnZRTmcvGPktzRI5+R4
+e5vxVhGnJDzI71txaHl8+xS1lu9VzCQUrxX6TXyTRV4KjIOz0g06JOBgmBRBvJca
+7MZbC65xpisl/gyLRbgkVga3t94dPV+dpZsn8eq6427IyRbKslJefatggR9//c6I
+5N5fl0fR3gJQMB+HRbipBH2YsdbdWJyb4Nn6STZxIfrqoG/xC6C1raF0xK7hUx6i
+4DUDSPohM8fOIswQPfE+FH3eygfzu/Ln5+ghsgHTEhgFvmgMvyxaAt6kHIzIUhMX
+M3dASr4VPDpIXuXsRWwYLEifhzxsuvwVxfwtsnCaR6XKijsYECWGDdYOWHdleeqx
+wDPhxEesfFVhKxhrKY9Ir8k9/FFBKQU/3GjW4+SMAg5Al1YEzxshP9vKuVcsei7W
+JDwAwotNXaCm6NBckiyZJE53ou6+gckPY7V9cOfnuH74Z9ywkFzB3HW3ZlonaGyM
+oGmLGcccavFtyhg5s/As4i6X8ARIpDiwe59Pn3GNXMctySqIrrr2ogUoXgrfFCie
+6GOTdeMW7GeOSdJUxCofghlspS/nq01Og77VI/beWYrIwLubSka6Zaltww9zgObk
+/FGEMgFkEpq7iyCvYSPA8F46pJKvnMP3S84AWCPmcTcHeg4lwGPvs6btexXBGdoz
+nkCyq7wdH5Nngm7jUbl88LtaLZPAQkuqXphBVTnrF9Ofbnb4iRZ2Op4xpx9rGyvx
+mO6UEhL6V1i2YZFNkNMg/W8aoMiUgBdqbkxaxblT9L0aNdlFU9+LbWYolURVEadd
+Qjv0Z1gMA+tsuBbVszwsMfneZ5+B9Q==
 -----END AGE ENCRYPTED FILE-----

secrets/wireguard_preshared_key.age

@@ -0,0 +1,9 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
+MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
+SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
+c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
+Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
+b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
+wDVB1LwC+Q==
+-----END AGE ENCRYPTED FILE-----

secrets/wireguard_private_key.age

@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
+WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
+K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
+Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
+d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
+ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
+VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
+02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
+YB/F0dxSqgnq
+-----END AGE ENCRYPTED FILE-----

users/ai-worker.nix

@@ -4,11 +4,202 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    extraGroups = [ "docker" ];
+    # SECURITY: ai-worker is NOT in the docker group.
+    # Docker access is restricted via sudo whitelist — only specific subcommands allowed.
+    # extraGroups = [ "docker" ]; — REMOVED: docker group gives unrestricted docker daemon access
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main
     ];
+    # No password login - SSH key only
+    hashedPassword = "!";
   };
   users.groups.ai-worker = {};
+
+  # Enable restricted AI worker SSH access for ollama benchmarking
+  # SECURITY: ai-worker can only:
+  #   - SSH into host from Hermes container
+  #   - Run docker commands via sudo (whitelist below — no exec/cp/commit)
+  #   - Run specific security audit commands
+  #   - NO access to infra repo (no bind mount)
+  #   - NO nix/nixos-rebuild/nh commands
+  # WORKFLOW: SSH from Hermes container, run docker commands via sudo, return and save results
+  services.aiWorkerAccess = true;
+
+  # Restricted sudo for ai-worker
+  # IMPORTANT: ai-worker is NOT in docker group. All docker access goes through sudo.
+  # Only the subcommands listed below are allowed — everything else is denied.
+  # This prevents: docker exec, docker cp, docker commit, and other file-modifying operations.
+  security.sudo.extraRules = [
+    {
+      users = [ "ai-worker" ];
+      commands = [
+        # === Docker commands: lifecycle management (NO file modification) ===
+        # ps/inspect/logs — read-only status checks
+        {
+          command = "/run/current-system/sw/bin/docker ps";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker inspect *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker logs *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker images";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker info";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker version";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker stats *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # start/stop/restart — container lifecycle
+        {
+          command = "/run/current-system/sw/bin/docker start *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker stop *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker restart *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker rm *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker rmi *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker wait *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # pull/build/run — image management and container creation
+        {
+          command = "/run/current-system/sw/bin/docker pull *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker build *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker run *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # compose — orchestration
+        {
+          command = "/run/current-system/sw/bin/docker compose *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # system — disk cleanup
+        {
+          command = "/run/current-system/sw/bin/docker system *";
+          options = [ "NOPASSWD" ];
+        }
+
+        # network — list only (create/modify not needed)
+        {
+          command = "/run/current-system/sw/bin/docker network ls";
+          options = [ "NOPASSWD" ];
+        }
+
+        # volume — list only (create/modify not needed)
+        {
+          command = "/run/current-system/sw/bin/docker volume ls";
+          options = [ "NOPASSWD" ];
+        }
+
+        # === EXPLICITLY DENIED docker commands (not in whitelist — sudo rejects them) ===
+        # docker exec     — executes arbitrary commands inside running containers (FILE MODIFICATION)
+        # docker cp       — copies files between containers and host (FILE ACCESS)
+        # docker commit   — creates images from running containers (DATA EXFIL)
+        # docker diff     — inspects filesystem changes (INFO LEAK)
+        # docker export   — exports container filesystem (DATA EXFIL)
+        # docker import   — imports filesystem archives
+        # docker load     — loads docker images
+        # docker save     — saves docker images to tar (DATA EXFIL)
+        # docker attach   — attaches to running containers (INTERACTIVE ACCESS)
+        # docker push     — pushes images to registries (DATA EXFIL)
+        # docker tag      — renames images
+        # docker create   — creates containers (use 'docker run' instead)
+        # docker plugin   — manages plugins
+        # docker network create/rm — network management
+        # docker volume create/rm  — volume management
+
+        # === Firewall checks ===
+        {
+          command = "/run/wrappers/bin/sudo iptables -L -n -v";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/wrappers/bin/sudo iptables -S";
+          options = [ "NOPASSWD" ];
+        }
+
+        # === Fail2ban status ===
+        {
+          command = "/run/current-system/sw/bin/fail2ban-client status";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/fail2ban-client status *";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
+          options = [ "NOPASSWD" ];
+        }
+
+        # === Log inspection ===
+        {
+          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
+          options = [ "NOPASSWD" ];
+        }
+
+        # === SSH config verification ===
+        {
+          command = "/run/current-system/sw/bin/sshd -T";
+          options = [ "NOPASSWD" ];
+        }
+
+        # === Network diagnostics ===
+        {
+          command = "/run/current-system/sw/bin/ss -tlnp";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/cat /proc/net/tcp";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
 }