Empty initrd for display, add rp1_dsi module

ALL RP1 hardware (gpio, clocks, dsi) sits behind the RP1 PCIe
southbridge, which isn't ready until ~12s. Loading any display
module in initrd (~3s) crashes the system. Nothing in initrd now:
- boot.initrd.kernelModules: empty (nothing touches RP1 early)
- boot.kernelModules: vc4, panel_cwu50, rp1_dsi (stage-2)

flake.nix

@@ -2,20 +2,34 @@
   description = "Gortium infra flake";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    nixpkgs.url = "github:nixos/nixpkgs?ref=25.11";
     agenix = {
       url = "github:ryantm/agenix";
       inputs.darwin.follows = "";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    disko = {
+      url = "github:nix-community/disko";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     lix = {
       url = "git+https://git.lix.systems/lix-project/lix?ref=main";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    self.submodules = true;
+    nixpkgs-uconsole = {
+      url = "github:nixos/nixpkgs/54170c54449ea4d6725efd30d719c5e505f1c10e";
+    };
+    nixos-uconsole = {
+      url = "github:nixos-uconsole/nixos-uconsole/v1.1.0";
+      inputs.nixpkgs.follows = "nixpkgs-uconsole";
+    };
+    nixos-raspberrypi = {
+      url = "github:nvmd/nixos-raspberrypi/v1.20260317.0";
+      inputs.nixpkgs.follows = "nixos-uconsole/nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
+  outputs = { self, nixpkgs, agenix, disko, lix, nixos-uconsole, nixos-raspberrypi, ... }@inputs:
     let
       system = "x86_64-linux";
       keys = import ./lib/keys.nix;
@@ -26,7 +40,7 @@
           "/etc/ssh/ssh_host_ed25519_key"
           "/root/.age/bootstrap.key" ];
       };
-      overlays = [ agenix.overlays.default ];
+      overlays = [ agenix.overlays.default (import ./overlays/reticulum.nix) ];
       pkgs = import nixpkgs {
         inherit system overlays;
         config.allowUnfree = true;
@@ -80,6 +94,24 @@
               ./hosts/cyt-pi/hardware-configuration.nix
             ];
           };
+
+          uConsole = nixos-uconsole.lib.mkUConsoleSystem {
+            variant = "cm5";
+            specialArgs = { inherit self keys paths inputs nixos-raspberrypi; };
+            modules = [
+              {
+                nixpkgs.overlays = overlays;
+                nixpkgs.config.allowUnfree = true;
+                nixpkgs.config.permittedInsecurePackages = [
+                  "openclaw-2026.3.12"
+                ];
+              }
+              disko.nixosModules.disko
+              ./hosts/uConsole/configuration.nix
+              ./hosts/uConsole/hardware-configuration.nix
+              ./hosts/uConsole/disko-config.nix
+            ];
+          };
         };
         devShells.${system}.default = devShell;
       };

hosts/lazyworkhorse/configuration.nix

@@ -11,6 +11,10 @@
   # Flakesss
   nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
   nix.settings.trusted-users = [ "root" "gortium" ];
+  nix.settings.extra-platforms = [ "aarch64-linux" ];
+
+  # QEMU binfmt for cross-building aarch64 NixOS targets
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
   # Garbage collection
   nix.gc = {

hosts/uConsole/configuration.nix

@@ -0,0 +1,286 @@
+{ config, lib, pkgs, paths, self, keys, ... }:
+
+let
+  # Backlight fallback for CM5 display quirk
+  # The kernel driver usually handles this, but some boots need a kick
+  backlightFixScript = pkgs.writeShellScript "backlight-fix" ''
+    # Try sysfs backlight control
+    for bl in /sys/class/backlight/*/brightness; do
+      if [ -f "$bl" ]; then
+        max=$(cat "$(dirname "$bl")/max_brightness" 2>/dev/null || echo 100)
+        echo "$max" > "$bl" 2>/dev/null || true
+      fi
+    done
+  '';
+in
+
+{
+  # Basic Host Info
+  networking.hostName = "uConsole";
+  time.timeZone = "America/Montreal";
+  i18n.defaultLocale = "en_CA.UTF-8";
+
+  # System State
+  system.stateVersion = "25.11";
+
+  # Boot & Hardware (migrated to kernel bootloader per nixos-raspberrypi deprecation notice)
+  boot.loader.raspberry-pi.bootloader = "kernel";
+  # kernel managed by nixos-raspberrypi module — don't override, patches are version-specific
+  # boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # Kernel parameters matching nixos-uconsole CM5 module
+  # console=tty1 is critical — without it, console output goes to ttyAMA0 not fb0
+  boot.kernelParams = [
+    "8250.nr_uarts=1"
+    "console=tty1"
+  ];
+
+  # Enable Mesa GPU drivers — REQUIRED for VC4 display pipeline to initialize
+  hardware.graphics.enable = true;
+
+  # Console font sized for the 5" 720x1280 display (from nixos-uconsole base module)
+  console = {
+    earlySetup = true;
+    font = "ter-v24n";
+    packages = with pkgs; [ terminus_font ];
+  };
+
+  # Networking
+  networking.networkmanager.enable = true;
+  services.openssh = {
+    enable = true;
+    # TODO: lock down after first deployment
+    settings.PermitRootLogin = lib.mkForce "yes";
+    settings.PasswordAuthentication = lib.mkForce true;
+  };
+
+  # User
+  users.users.gortium = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" "networkmanager" "video" "dialout" "kismet" ];
+    openssh.authorizedKeys.keys = [
+      keys.users.gortium.main
+      keys.users.gortium.gitea
+    ];
+  };
+  security.sudo.extraRules = [
+    {
+      users = [ "gortium" ];
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  # ============================================================
+  # Package groups
+  # ============================================================
+
+  environment.systemPackages = with pkgs; [
+    # ===== Base =====
+    emacs-pgtk
+    git
+    ripgrep
+    fd
+    htop
+    tmux
+    neovim
+    libgpiod                    # GPIO control (for internal USB hub, AIO modules)
+
+    # ===== HAM Radio =====
+    js8call
+    wsjtx
+    fldigi
+    pat                        # Winlink client
+    direwolf                   # AX.25 packet modem
+    chirp                      # Radio programming tool
+    hamlib                     # Ham radio control libraries
+    trustedqsl                 # Logbook of the World (LoTW)
+
+    # ===== SDR / RF =====
+    sdrpp                      # SDR++ spectrum analyzer
+    gqrx                       # SDR receiver GUI
+    rtl-sdr                    # RTL-SDR drivers & utilities
+    inspectrum                # Offline signal analysis
+    soapysdr-with-plugins      # SoapySDR + hardware support plugins
+
+    # ===== Mesh / LoRa =====
+    # meshtastic not available in nixpkgs 25.11 stable; install manually:
+    # nix shell nixpkgs#meshtastic -c meshtastic
+    reticulumStack             # Reticulum Network Stack (rnsd, rnsh, rncp, rnx, rnpath, etc.)
+    lxmf                       # LXMF messaging protocol
+    nomadnet                   # Nomad Network client
+
+    # ===== Security =====
+    nmap
+    aircrack-ng
+    kismet                     # Wi-Fi monitor / IDS
+    bettercap                  # MITM/network attack framework
+    wireshark                  # Packet analyzer
+    hashcat                    # GPU password cracker
+    john                       # John the Ripper
+    sqlmap                     # SQL injection tool
+
+    # ===== GPS / Maps =====
+    foxtrotgps
+    viking                     # GPS map editor
+    gpsbabel                   # GPS data conversion
+  ];
+
+  # Packages noted but not in unstable nixpkgs:
+  #   - metasploit: unfree; install manually via Git clone
+  #   - burpsuite: unfree Java app (Community Edition available for download)
+  #   - sidechannel: not a distinct PyPI package; functionality covered by
+  #     the Reticulum stack. For LXMF GUI client, install Sideband manually
+  #     from github.com/markqvist/Sideband
+
+  # ============================================================
+  # Reticulum Service (rnsd)
+  # ============================================================
+  systemd.services.rnsd = {
+    description = "Reticulum Network Stack Daemon";
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "gortium";
+      Group = "gortium";
+      ExecStart = "${pkgs.reticulumStack}/bin/rnsd";
+      Restart = "always";
+      RestartSec = "10s";
+      LimitNOFILE = 65536;
+    };
+  };
+
+  # ============================================================
+  # Kismet Service (Wi-Fi monitoring / mesh node)
+  # ============================================================
+  systemd.services.kismet = {
+    description = "Kismet Wi-Fi Monitor & IDS";
+    wants = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "gortium";
+      Group = "kismet";
+      ExecStart = "${pkgs.kismet}/bin/kismet -c wlan0 --log-base=/home/gortium/kismet_logs --no-nc-ui";
+      Restart = "always";
+      RestartSec = "10s";
+    };
+  };
+
+  # ============================================================
+  # Kernel modules for SDR, radio, and WiFi
+  # ============================================================
+  boot.kernelModules = [
+    "mt7921u"         # MediaTek MT7921 USB WiFi (uConsole AC1200)
+    "88x2bu"          # Realtek 8812/8821BU USB WiFi (common adapter)
+    "rtl8xxxu"        # RTL8188/8192/8723 USB WiFi
+    "rtl2832_sdr"     # RTL-SDR kernel module
+    "dvb_usb_rtl28xxu" # RTL-SDR DVB-T
+    # Display drivers — loaded AFTER RP1 PCIe southbridge init (~12s)
+    # NOTHING in initrd — ALL RP1 hardware is behind PCIe
+    "panel_cwu50"     # uConsole DSI panel driver
+    "vc4"             # VideoCore 4 KMS GPU driver
+    "rp1_dsi"         # RP1 DSI bridge driver
+  ];
+
+  boot.blacklistedKernelModules = [ ];
+
+  # Rien dans initrd pour le display — tout RP1 est derrière PCIe
+  boot.initrd.kernelModules = lib.mkForce [ ];
+
+  # ============================================================
+  # Extra udev rules for SDR and HAM radio devices
+  # ============================================================
+  services.udev.packages = with pkgs; [ rtl-sdr ];
+
+
+
+  # ============================================================
+  # Enable IPv6 for Reticulum mesh
+  # ============================================================
+  networking.enableIPv6 = true;
+
+  # ============================================================
+  # Firewall: open ports for Reticulum (optional)
+  # ============================================================
+  networking.firewall.allowedTCPPorts = [ 22 ]; # SSH only
+  networking.firewall.allowedUDPPorts = [ ];
+  # Reticulum uses its own encryption and doesn't need open ports
+  # for basic mesh operations (peer-to-peer discovery).
+  # For TCP interfaces, open additional ports as needed.
+
+  # ============================================================
+  # Hyprland Wayland compositor (manual start)
+  # No SDDM — boot to console, user starts Hyprland with command
+  # Display modules (vc4/panel_cwu50) load late after RP1 PCIe init
+  # ============================================================
+  programs.hyprland = {
+    enable = true;
+    xwayland.enable = true;
+  };
+  # SDDM disabled — was blocking boot when display isn't ready
+  # services.displayManager.sddm = {
+  #   enable = true;
+  #   wayland.enable = true;
+  # };
+
+  # ============================================================
+  # CM5 Config.txt Fix: use [pi5] section (not [cm5])
+  # Rex's images use [pi5], the CM5 firmware may not detect [cm5]
+  # ============================================================
+  # Merge nixos-uconsole GPIO config with our [pi5] overrides
+  # GPIO 10/11 are from nixos-uconsole configtxt.nix (audio amplifier)
+  # [pi5] section fixes the CM5 detection issue — firmware matches [pi5] not [cm5]
+  hardware.raspberry-pi.extra-config = ''
+    [all]
+    gpio=10=ip,np
+    gpio=11=op,dh
+
+    [pi5]
+    dtparam=pciex1=off
+    dtoverlay=clockworkpi-uconsole-cm5
+    dtoverlay=dwc2,dr_mode=host
+    dtoverlay=vc4-kms-v3d-pi5,cma-384
+    dtparam=nohdmi1=off
+  '';
+
+  # ============================================================
+  # CM5 Display Backlight Fix
+  # The kernel driver initializes backlight, but some boots fail.
+  # This service kicks it after boot as a reliable fallback.
+  # ============================================================
+  systemd.services.cm5-backlight-fix = {
+    description = "CM5 Display Backlight Fix";
+    after = [ "multi-user.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${backlightFixScript}";
+    };
+  };
+
+  # ============================================================
+  # Internal USB Hub Enable (GPIO 23) — DISABLED
+  # This service freeze the CM5 because gpioset 0 23=1 writes
+  # to the wrong GPIO chip (BCM2712 native, not RP1).
+  # Enable manually after boot once the correct chip is confirmed:
+  #   gpioset 0 23=1   # on chip 0 (BCM2712, CORE_VOLT or critical)
+  #   gpioset 512 23=1 # on chip 512 (RP1, likely correct)
+  # ============================================================
+  # systemd.services.enable-gpio23-usb-hub = {
+  #   description = "Enable Internal USB Hub (GPIO 23)";
+  #   before = [ "network.target" ];
+  #   wantedBy = [ "multi-user.target" ];
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     RemainAfterExit = true;
+  #     ExecStart = "${pkgs.libgpiod}/bin/gpioset 0 23=1";
+  #     ExecStop = "${pkgs.libgpiod}/bin/gpioset 0 23=0";
+  #   };
+  # };
+}

hosts/uConsole/disko-config.nix

@@ -0,0 +1,46 @@
+{ lib, ... }:
+{
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/mmcblk0";
+    content = {
+      type = "gpt";
+      partitions = {
+        boot = {
+          name = "FIRMWARE";
+          size = "1G";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/firmware";
+            mountOptions = [
+              "fmask=0022"
+              "dmask=0022"
+            ];
+          };
+        };
+        root = {
+          name = "NIXOS_UCM5";
+          size = "30G";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/";
+            mountOptions = [ "noatime" ];
+          };
+        };
+        home = {
+          name = "NIXOS_HOME";
+          size = "100%";
+          content = {
+            type = "filesystem";
+            format = "ext4";
+            mountpoint = "/home";
+            mountOptions = [ "noatime" ];
+          };
+        };
+      };
+    };
+  };
+}

hosts/uConsole/hardware-configuration.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
+  boot.initrd.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Filesystems for NixOS install.
+  # mkForce overrides disko's auto-generated paths so we can use
+  # filesystem labels (by-label) which work with loop device installs.
+  # Disko will set its own paths when nixos-anywhere is used.
+  fileSystems."/" = lib.mkForce {
+    device = "/dev/disk/by-label/NIXOS_UCM5";
+    fsType = "ext4";
+    options = [ "noatime" ];
+  };
+
+  fileSystems."/boot/firmware" = lib.mkForce {
+    device = "/dev/disk/by-label/FIRMWARE";
+    fsType = "vfat";
+    options = [ "fmask=0022" "dmask=0022" ];
+  };
+
+  fileSystems."/home" = lib.mkForce {
+    device = "/dev/disk/by-label/NIXOS_HOME";
+    fsType = "ext4";
+    options = [ "noatime" ];
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+  hardware.enableRedistributableFirmware = true;
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

modules/nixos/security/README-ai-worker.md

@@ -1,74 +1,64 @@
 # AI Worker Restricted Access
 
-This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host with restrictions.
+This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
 
 ## Security Model
 
-### Overview
+The `ai-worker` user has:
-
-The `ai-worker` user is a member of the `docker` group, but the `docker` binary is wrapped with a script that **blocks dangerous subcommands** while allowing safe operations.
-
-### Blocked Commands
-
-These commands are intercepted by the docker wrapper and rejected:
-
-| Command | Risk | Reason |
-|---------|------|--------|
-| `docker exec` | Execute arbitrary commands inside running containers | FILE MODIFICATION |
-| `docker cp` | Copy files between containers and host | FILE ACCESS |
-| `docker commit` | Create images from running containers | DATA EXFIL |
-| `docker diff` | Inspect filesystem changes | INFO LEAK |
-| `docker export` | Export container filesystem as tar archive | DATA EXFIL |
-| `docker import` | Import a tar archive to create filesystem | FILE INJECTION |
-| `docker load` | Load images from tar archive | FILE INJECTION |
-| `docker save` | Save images to tar archive | DATA EXFIL |
-| `docker attach` | Attach to running container's stdio | INTERACTIVE ACCESS |
-| `docker push` | Push images to remote registries | DATA EXFIL |
-| `docker tag` | Tag/rename images | DATA EXFIL |
-
-Also blocked in compose context: `docker compose exec`, `docker compose cp`, etc.
-
-### Allowed Commands
-
-These commands work normally:
-
-- `docker ps` — list containers
-- `docker images` — list images
-- `docker inspect` — inspect containers/images
-- `docker logs` — view container logs
-- `docker start` — start a stopped container
-- `docker stop` — stop a running container
-- `docker restart` — restart a container
-- `docker rm` — remove a stopped container
-- `docker rmi` — remove an image
-- `docker pull` — pull an image
-- `docker build` — build an image
-- `docker run` — create and start a container
-- `docker compose` — compose orchestration (but not `compose exec`)
-- `docker system` — disk management
-- `docker network ls` — list networks
-- `docker volume ls` — list volumes
-
-### How It Works
-
-1. A wrapper script intercepts `docker` calls in the user's PATH
-2. It parses the first non-flag argument to determine the subcommand
-3. If the subcommand is in the blocklist, it prints an error and exits
-4. Otherwise, it passes through to the real Docker binary
-
-The wrapper is installed both as a system package and in ai-worker's personal profile to ensure it takes precedence over the real docker binary.
-
-### Why Not Use Docker Authorization Plugins?
-
-Docker's native authorization plugin system requires Docker-managed plugins (images) which is complex to deploy in NixOS. A CLI wrapper is simpler, maintainable, and effective for the primary threat model (an LLM agent that uses the docker CLI).
-
-Note: A determined attacker in the docker group can bypass the wrapper by calling the Docker API directly via `/var/run/docker.sock`. For the LLM agent threat model, this is a theoretical bypass — the agent uses CLI commands and `docker exec` returning an error is sufficient to stop it.
 
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
 - **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
 - **Cannot access**: Any files outside standard system paths
 
+### Sudo Access
+- **NONE**: ai-worker has no sudo privileges
+- Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
+
+### Docker Access
+- Member of `docker` group - can run `docker` and `docker exec` commands
+- Primary use: `docker exec ollama ollama ...` for benchmarking
+- Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
+
+## Workflow: SSH + Docker Benchmarking
+
+The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
+
+### Example Workflow
+
+```bash
+# From Hermes container, SSH to host
+ssh -i /path/to/ssh/key ai-worker@host.docker.internal
+
+# On host, run ollama benchmarks via docker
+docker exec ollama ollama pull devstral-small-2:24b
+
+# Create test modelfile
+docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
+FROM devstral-small-2:24b
+PARAMETER num_ctx 65536
+PARAMETER num_gpu 99
+PARAMETER flash_attn true
+EOF'
+
+# Create and test model
+docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
+docker exec ollama ollama run test-model "Write a Python async function"
+
+# Check VRAM usage
+docker exec --privileged ollama rocm-smi --showmeminfo vram
+
+# Cleanup
+docker exec ollama ollama rm test-model
+
+# Exit SSH, return to Hermes container
+exit
+
+# Save results in Hermes container
+# /opt/data/ai-optimizer/state.json
+# /opt/data/ai-optimizer/results.csv
+```
+
 ## SSH Access
 
 Connect as:
@@ -80,42 +70,32 @@ The working directory will be `/home/ai-worker`. No infra repo access.
 
 ## Verification
 
+Check ai-worker permissions:
 ```bash
-# Verify wrapper is in PATH
+# On the host, as root or gortium:
-sudo -u ai-worker which docker
+sudo -u ai-worker sudo -l
-# Should show: /home/ai-worker/.nix-profile/bin/docker (wrapped version)
+# Should show: no sudo access
 
-# Test blocked command (should fail)
+# Check docker group membership
-sudo -u ai-worker docker exec ollama ollama list
-# Expected: ERROR: docker 'exec' is blocked by security policy
-
-# Test allowed command (should work)
-sudo -u ai-worker docker ps
-# Expected: CONTAINER ID   IMAGE   ...
-
-# Verify docker group membership
 groups ai-worker
 # Should show: ai-worker docker
 ```
 
 ## Troubleshooting
 
-If docker commands fail unexpectedly:
+If ai-worker cannot run docker commands:
-
 ```bash
-# Check which docker binary is being used
+# Check docker group membership
-which docker
+groups ai-worker
-# If this shows /run/current-system/sw/bin/docker, the wrapper is not in PATH
 
-# Check if the wrapper is installed
+# Verify ollama container is running
-ls -la $(which docker)
+docker ps | grep ollama
 
-# Verify you're running as the right user
+# Test docker access
-whoami
+sudo -u ai-worker docker exec ollama ollama list
 ```
 
 If SSH connection fails:
-
 ```bash
 # Check SSH key is authorized
 cat /home/ai-worker/.ssh/authorized_keys

modules/nixos/security/ai-worker-restricted.nix

@@ -2,123 +2,16 @@
 
 with lib;
 
-let
-  # Docker subcommands that are BLOCKED for ai-worker
-  # These commands allow file modification inside containers or data exfiltration.
-  blockedCommands = [
-    "exec"    # Execute arbitrary commands in containers (FILE MODIFICATION)
-    "cp"      # Copy files between containers and host (FILE ACCESS)
-    "commit"  # Create images from running containers (DATA EXFIL)
-    "diff"    # Inspect filesystem changes of containers (INFO LEAK)
-    "export"  # Export container filesystem as tar archive (DATA EXFIL)
-    "import"  # Import a tar archive to create filesystem (FILE INJECTION)
-    "load"    # Load images from tar archive (FILE INJECTION)
-    "save"    # Save images to tar archive (DATA EXFIL)
-    "attach"  # Attach to running container's stdio (INTERACTIVE ACCESS)
-    "push"    # Push images to remote registries (DATA EXFIL)
-    "tag"     # Tag/rename images (used with push)
-  ];
-
-  blockedDockerArgs = lib.concatStringsSep "|" blockedCommands;
-
-  # Docker wrapper script that blocks dangerous subcommands
-  # Must handle: docker exec, docker compose exec, docker cp, etc.
-  restrictedDockerScript = pkgs.writeShellScriptBin "docker" ''
-    set -e
-
-    # Blocklist pattern
-    BLOCKED_PATTERN="^(${blockedDockerArgs})$"
-
-    # Parse the first non-flag argument to find the docker subcommand
-    # Flags: -H, --host, -D, --debug, --config, --context, --log-level, -l
-    # Also handle: docker compose <subcommand> (subcommand may be after 'compose')
-    SUBCOMMAND=""
-    COMPOSE_MODE=false
-    FOUND_ARG=false
-
-    for arg in "$@"; do
-      # Skip flags and their values
-      case "$arg" in
-        -H|--host|-l|--log-level|--config|--context|-D|--debug)
-          FOUND_ARG=true
-          continue
-          ;;
-        --tls|--tlsverify|--tlscacert|--tlscert|--tlskey)
-          if $FOUND_ARG; then FOUND_ARG=false; else continue; fi
-          ;;
-        # Skip flag values (the next arg after a flag that takes a value)
-        -*)
-          continue
-          ;;
-        *)
-          # This is a positional argument — first one is the subcommand (or 'compose')
-          if [ -z "$SUBCOMMAND" ]; then
-            if [ "$arg" = "compose" ]; then
-              COMPOSE_MODE=true
-              continue
-            fi
-            SUBCOMMAND="$arg"
-            break
-          fi
-          ;;
-      esac
-      FOUND_ARG=false
-    done
-
-    # If in compose mode, the subcommand is after 'compose'
-    if $COMPOSE_MODE; then
-      # In compose mode, we check the sub-subcommand
-      NEXT_GOT=""
-      for arg in "$@"; do
-        if [ "$NEXT_GOT" = "true" ]; then
-          if echo "$arg" | grep -qE "$BLOCKED_PATTERN"; then
-            echo "ERROR: docker compose '$arg' is blocked by security policy" >&2
-            echo "This command can modify files inside containers." >&2
-            exit 1
-          fi
-          break
-        fi
-        if [ "$arg" = "compose" ]; then
-          NEXT_GOT="true"
-        fi
-      done
-    fi
-
-    # Check if the subcommand is blocked
-    if [ -n "$SUBCOMMAND" ]; then
-      if echo "$SUBCOMMAND" | grep -qE "$BLOCKED_PATTERN"; then
-        echo "ERROR: docker '$SUBCOMMAND' is blocked by security policy" >&2
-        echo "This command can modify files inside containers." >&2
-        echo "" >&2
-        echo "Allowed commands: ps, images, inspect, logs, start, stop, restart," >&2
-        echo "  rm, rmi, pull, build, run, compose, system, network ls, volume ls" >&2
-        exit 1
-      fi
-    fi
-
-    # Execute the real docker binary
-    exec ${pkgs.docker}/bin/docker "$@"
-  '';
-in
 {
   options.services.aiWorkerAccess = mkOption {
     type = types.bool;
     default = false;
-    description = "Enable AI worker SSH access with restricted docker commands";
+    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
   };
 
   config = mkIf config.services.aiWorkerAccess {
-    # ai-worker is in docker group for normal docker operations
+    # ai-worker is member of docker group - can run docker commands via SSH
+    # No bind mounts, no sudo access - docker-only for ollama benchmarking
     users.groups.docker.members = [ "ai-worker" ];
-
-    # Install the docker wrapper for ai-worker
-    # This puts a filtered 'docker' script in ai-worker's PATH that blocks
-    # dangerous commands like exec, cp, commit, etc.
-    # The real docker binary is still available at its store path, but the
-    # wrapper intercepts it because ~/.nix-profile/bin/ comes before /run/.../sw/bin/ in PATH.
-    users.users.ai-worker.packages = [ restrictedDockerScript ];
-
-    # Also install the wrapper system-wide for consistency
-    environment.systemPackages = [ restrictedDockerScript ];
   };
 }

overlays/reticulum.nix

@@ -0,0 +1,92 @@
+final: prev: let
+  python3 = final.python3;
+  pyPkgs = python3.pkgs;
+in
+  {
+    reticulumStack = python3.pkgs.buildPythonApplication rec {
+      pname = "reticulum";
+      version = "1.2.9";
+      format = "setuptools";
+      src = pyPkgs.fetchPypi {
+        pname = "rns";
+        inherit version;
+        sha256 = "554814231c237b9caacf8df669312e57dd7d3f84b6d4810125087d1a79a75d75";
+      };
+      patchPhase = ''
+        # Fix license_files syntax: ("LICENSE") is a string not tuple
+        # Newer setuptools iterates over it char by char, fails on 'S'
+        substituteInPlace setup.py \
+          --replace-fail 'license_files = ("LICENSE")' 'license_files = ("LICENSE",)'
+      '';
+      propagatedBuildInputs = with pyPkgs; [ cryptography pyserial ];
+      doCheck = false;
+      pythonImportsCheck = [ "RNS" ];
+      meta = with final.lib; {
+        description = "Self-configuring, encrypted and resilient mesh networking stack";
+        homepage = "https://reticulum.network/";
+        license = licenses.mit;
+        platforms = platforms.linux;
+      };
+    };
+
+    lxmf = python3.pkgs.buildPythonApplication rec {
+      pname = "lxmf";
+      version = "0.9.8";
+      format = "setuptools";
+      src = pyPkgs.fetchPypi {
+        inherit pname version;
+        sha256 = "30f39f3a975a049c12ee2cfceb3261d24cb5adec881c6821f7354464b3f3650c";
+      };
+      propagatedBuildInputs = [ final.reticulumStack ];
+      doCheck = false;
+      pythonImportsCheck = [ "LXMF" ];
+      meta = with final.lib; {
+        description = "Lightweight Extensible Message Format for Reticulum";
+        homepage = "https://github.com/markqvist/lxmf";
+        license = licenses.mit;
+        platforms = platforms.linux;
+      };
+    };
+
+    nomadnet = python3.pkgs.buildPythonApplication rec {
+      pname = "nomadnet";
+      version = "1.1.1";
+      format = "setuptools";
+      src = pyPkgs.fetchPypi {
+        inherit pname version;
+        sha256 = "fa13b64a10e75b705a58024815ab72451700aa726af96d415ba99dec28dfc40a";
+      };
+      propagatedBuildInputs = with pyPkgs; [ final.reticulumStack final.lxmf urwid qrcode ];
+      doCheck = false;
+      pythonImportsCheck = [ "nomadnet" ];
+      meta = with final.lib; {
+        description = "Nomad Network — resilient mesh communications platform";
+        homepage = "https://github.com/markqvist/NomadNet";
+        license = licenses.mit;
+        platforms = platforms.linux;
+      };
+    };
+
+    rnsh = python3.pkgs.buildPythonApplication rec {
+      pname = "rnsh";
+      version = "0.1.7";
+      format = "setuptools";
+      src = pyPkgs.fetchPypi {
+        inherit pname version;
+        sha256 = "9cb72f25abb1c6d300f8014b264184ff78f592fe88e36094938012990b797c93";
+      };
+      propagatedBuildInputs = [ final.reticulumStack ];
+      doCheck = false;
+      pythonImportsCheck = [ "rnsh" ];
+      meta = with final.lib; {
+        description = "Remote shell over Reticulum";
+        homepage = "https://github.com/acehoss/rnsh";
+        license = licenses.mit;
+        platforms = platforms.linux;
+      };
+    };
+  }
+  # meshtastic may not exist in all nixpkgs versions (e.g. not in 25.11)
+  // prev.lib.optionalAttrs (prev ? meshtastic) {
+    inherit (prev) meshtastic;
+  }

users/ai-worker.nix

@@ -4,8 +4,6 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    # ai-worker stays in docker group for normal docker operations (ps, start, stop, compose, ...)
-    # Dangerous commands (exec, cp, commit) are blocked by a wrapper script.
     extraGroups = [ "docker" ];
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
@@ -16,14 +14,17 @@
   };
   users.groups.ai-worker = {};
 
-  # Enable restricted AI worker SSH access
+  # Enable restricted AI worker SSH access for ollama benchmarking
-  # SECURITY: ai-worker is in docker group but docker commands are filtered:
+  # SECURITY: ai-worker can only:
-  #   ALLOWED: ps, images, logs, start, stop, restart, rm, rmi, pull, build, run, compose
+  #   - SSH into host from Hermes container
-  #   BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push
+  #   - Run docker commands (docker exec ollama ...) via docker group
-  # The filtering is done by a docker wrapper in ai-worker's PATH.
+  #   - Run specific security audit commands
+  #   - NO access to infra repo (no bind mount)
+  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
+  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
   services.aiWorkerAccess = true;
-
+  
-  # Restricted sudo for ai-worker - security checks only (not for docker)
+  # Restricted sudo for ai-worker - security checks only
   security.sudo.extraRules = [
     {
       users = [ "ai-worker" ];
@@ -68,6 +69,15 @@
           command = "/run/current-system/sw/bin/sshd -T";
           options = [ "NOPASSWD" ];
         }
+        # Docker service checks
+        {
+          command = "/run/current-system/sw/bin/docker ps";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker inspect *";
+          options = [ "NOPASSWD" ];
+        }
         # Network diagnostics
         {
           command = "/run/current-system/sw/bin/ss -tlnp";