Removed double file

Added access to the secret to version control
The key changed apparently? it works with that one anyway
2026-05-13 10:04:57 -04:00 · 2026-05-13 10:03:14 -04:00 · 2026-05-13 10:01:58 -04:00 · 2026-05-10 22:23:29 -04:00 · 2026-05-10 22:15:53 -04:00 · 2026-05-10 22:15:02 -04:00
8 changed files with 154 additions and 344 deletions
--- a/.gitea/workflows/build-nixos.yml
+++ b/.gitea/workflows/build-nixos.yml
@@ -0,0 +1,33 @@
 name: Build NixOS config
 on:
  pull_request:
    branches: [ master ]
    paths:
      - '**.nix'
      - 'flake.lock'
      - 'secrets/**'
      - 'hosts/**'
      - 'modules/**'
  push:
    branches: [ master ]
    paths:
      - '**.nix'
      - 'flake.lock'
      - 'secrets/**'
      - 'hosts/**'
      - 'modules/**'
 jobs:
  build:
    runs-on: nixos-builder
    steps:
      - name: Checkout
        run: |
          git clone -b "${{ github.head_ref || github.ref_name }}" \
            https://gitea:${{ secrets.GITHUB_TOKEN }}@code.lazyworkhorse.net/gortium/infra.git .
          git log --oneline -3
      - name: Build NixOS config (lazyworkhorse)
        run: |
          nix --version
          nh os build .#lazyworkhorse 2>&1
--- a/assets/compose
+++ b/assets/compose
--- a/assets/ollama/Dockerfile
+++ b/assets/ollama/Dockerfile
@@ -1,106 +0,0 @@
 # ollama-gfx906/Dockerfile
 #
 # Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
 # The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
 # This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
 #
 # Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
 FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
 # Build dependencies (CMake, Ninja, Go)
 ARG CMAKEVERSION=3.31.2
 ARG NINJAVERSION=1.12.1
 ARG GOLANG_VERSION=1.22.0
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    curl git ccache build-essential pkg-config unzip \
    && rm -rf /var/lib/apt/lists/*
 # Install CMake from official binaries
 RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
    | tar xz -C /usr/local --strip-components 1
 # Install Ninja
 RUN curl -fsSL -o /tmp/ninja.zip \
    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
 # Install Go
 RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
    | tar xz -C /usr/local
 ENV PATH=/usr/local/go/bin:$PATH
 ARG OLLAMA_VERSION=v0.23.2
 RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
 WORKDIR /build
 # ROCm paths
 ENV HIP_PATH=/opt/rocm
 ENV ROCM_PATH=/opt/rocm
 ENV CMAKE_GENERATOR=Ninja
 ENV LDFLAGS=-s
 # Step 1: Build CPU backends with GCC (no ROCm preset)
 # Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
 # finding a HIP compiler (it searches /opt/rocm even without PATH).
 # Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
 RUN mkdir -p build-cpu && \
    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_HIP_COMPILER="" \
      -DCMAKE_INSTALL_PREFIX=/build/dist && \
    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
    cmake --install build-cpu --component CPU --strip && \
    echo "=== CPU install ===" && \
    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
 # Step 2: Build HIP backend with ROCm preset + gfx906 target only
 # The ROCm 6 preset enables HIP language detection (enable_language(HIP))
 # which ensures GPU kernels are properly compiled for gfx906.
 # OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
 # Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
 # at /opt/rocm/lib/cmake/hip/hip-config.cmake.
 RUN mkdir -p build-hip && \
    cmake -B build-hip \
      --preset 'ROCm 6' \
      -DAMDGPU_TARGETS="gfx906:xnack-" \
      -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
    cmake --install build-hip --component HIP --strip && \
    echo "=== HIP install ===" && \
    find /build/dist/lib/ollama -type f -o -type l | head -20
 # Step 3: Build Go binary (GCC for CGo linking)
 ENV CGO_ENABLED=1
 RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
 # ---------- Runtime image ----------
 FROM ubuntu:24.04
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
    && rm -rf /var/lib/apt/lists/*
 # Copy ROCm 6.1 runtime libraries
 # These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
 COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
 COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
 # Copy ollama binary + all backends (CPU + HIP)
 # CPU install:  /build/dist/lib/ollama/libggml-*.so
 # HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
 COPY --from=builder /build/dist/ollama /usr/bin/ollama
 COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
 RUN ldconfig
 ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
 ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
 ENV HCC_AMDGPU_TARGET=gfx906
 ENV HSA_ENABLE_SDMA=0
 EXPOSE 11434
 ENTRYPOINT ["/bin/ollama"]
 CMD ["serve"]
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -191,6 +191,7 @@
  services.dockerStacks = {
    versioncontrol = {
      path = self + "/assets/compose/versioncontrol";
      envFile = config.age.secrets.containers_env.path;
      ports = [ 2222 ];
    };
@@ -207,7 +208,6 @@
    ai = {
      path = self + "/assets/compose/ai";
      envFile = config.age.secrets.containers_env.path;
      ports = [ 22000 ];  # Syncthing TCP sync
    };
    cloudstorage = {
@@ -475,7 +475,7 @@
  services.openssh.settings = {
    PermitRootLogin = "no";
    MaxAuthTries = 3;
-    MaxSessions = 20;
+    MaxSessions = 10;
    LoginGraceTime = 30;
    ClientAliveInterval = 300;
    ClientAliveCountMax = 2;
--- a/modules/nixos/security/README-ai-worker.md
+++ b/modules/nixos/security/README-ai-worker.md
@@ -1,74 +1,64 @@
 # AI Worker Restricted Access
-This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host with restrictions.
+This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
 ## Security Model
-### Overview
+The `ai-worker` user has:
 The `ai-worker` user is a member of the `docker` group, but the `docker` binary is wrapped with a script that **blocks dangerous subcommands** while allowing safe operations.
 ### Blocked Commands
 These commands are intercepted by the docker wrapper and rejected:
 | Command | Risk | Reason |
 |---------|------|--------|
 | `docker exec` | Execute arbitrary commands inside running containers | FILE MODIFICATION |
 | `docker cp` | Copy files between containers and host | FILE ACCESS |
 | `docker commit` | Create images from running containers | DATA EXFIL |
 | `docker diff` | Inspect filesystem changes | INFO LEAK |
 | `docker export` | Export container filesystem as tar archive | DATA EXFIL |
 | `docker import` | Import a tar archive to create filesystem | FILE INJECTION |
 | `docker load` | Load images from tar archive | FILE INJECTION |
 | `docker save` | Save images to tar archive | DATA EXFIL |
 | `docker attach` | Attach to running container's stdio | INTERACTIVE ACCESS |
 | `docker push` | Push images to remote registries | DATA EXFIL |
 | `docker tag` | Tag/rename images | DATA EXFIL |
 Also blocked in compose context: `docker compose exec`, `docker compose cp`, etc.
 ### Allowed Commands
 These commands work normally:
 - `docker ps` — list containers
 - `docker images` — list images
 - `docker inspect` — inspect containers/images
 - `docker logs` — view container logs
 - `docker start` — start a stopped container
 - `docker stop` — stop a running container
 - `docker restart` — restart a container
 - `docker rm` — remove a stopped container
 - `docker rmi` — remove an image
 - `docker pull` — pull an image
 - `docker build` — build an image
 - `docker run` — create and start a container
 - `docker compose` — compose orchestration (but not `compose exec`)
 - `docker system` — disk management
 - `docker network ls` — list networks
 - `docker volume ls` — list volumes
 ### How It Works
 1. A wrapper script intercepts `docker` calls in the user's PATH
 2. It parses the first non-flag argument to determine the subcommand
 3. If the subcommand is in the blocklist, it prints an error and exits
 4. Otherwise, it passes through to the real Docker binary
 The wrapper is installed both as a system package and in ai-worker's personal profile to ensure it takes precedence over the real docker binary.
 ### Why Not Use Docker Authorization Plugins?
 Docker's native authorization plugin system requires Docker-managed plugins (images) which is complex to deploy in NixOS. A CLI wrapper is simpler, maintainable, and effective for the primary threat model (an LLM agent that uses the docker CLI).
 Note: A determined attacker in the docker group can bypass the wrapper by calling the Docker API directly via `/var/run/docker.sock`. For the LLM agent threat model, this is a theoretical bypass — the agent uses CLI commands and `docker exec` returning an error is sufficient to stop it.
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
 - **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
 - **Cannot access**: Any files outside standard system paths
 ### Sudo Access
 - **NONE**: ai-worker has no sudo privileges
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
 ### Docker Access
 - Member of `docker` group - can run `docker` and `docker exec` commands
 - Primary use: `docker exec ollama ollama ...` for benchmarking
 - Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
 ## Workflow: SSH + Docker Benchmarking
 The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
 ### Example Workflow
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
 # On host, run ollama benchmarks via docker
 docker exec ollama ollama pull devstral-small-2:24b
 # Create test modelfile
 docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
 FROM devstral-small-2:24b
 PARAMETER num_ctx 65536
 PARAMETER num_gpu 99
 PARAMETER flash_attn true
 EOF'
 # Create and test model
 docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
 docker exec ollama ollama run test-model "Write a Python async function"
 # Check VRAM usage
 docker exec --privileged ollama rocm-smi --showmeminfo vram
 # Cleanup
 docker exec ollama ollama rm test-model
 # Exit SSH, return to Hermes container
 exit
 # Save results in Hermes container
 # /opt/data/ai-optimizer/state.json
 # /opt/data/ai-optimizer/results.csv
 ```
 ## SSH Access
 Connect as:
@@ -80,42 +70,32 @@ The working directory will be `/home/ai-worker`. No infra repo access.
 ## Verification
 Check ai-worker permissions:
 ```bash
-# Verify wrapper is in PATH
+# On the host, as root or gortium:
-sudo -u ai-worker which docker
+sudo -u ai-worker sudo -l
-# Should show: /home/ai-worker/.nix-profile/bin/docker (wrapped version)
+# Should show: no sudo access
-# Test blocked command (should fail)
+# Check docker group membership
 sudo -u ai-worker docker exec ollama ollama list
 # Expected: ERROR: docker 'exec' is blocked by security policy
 # Test allowed command (should work)
 sudo -u ai-worker docker ps
 # Expected: CONTAINER ID   IMAGE   ...
 # Verify docker group membership
 groups ai-worker
 # Should show: ai-worker docker
 ```
 ## Troubleshooting
-If docker commands fail unexpectedly:
+If ai-worker cannot run docker commands:
 ```bash
-# Check which docker binary is being used
+# Check docker group membership
-which docker
+groups ai-worker
 # If this shows /run/current-system/sw/bin/docker, the wrapper is not in PATH
-# Check if the wrapper is installed
+# Verify ollama container is running
-ls -la $(which docker)
+docker ps | grep ollama
-# Verify you're running as the right user
+# Test docker access
-whoami
+sudo -u ai-worker docker exec ollama ollama list
 ```
 If SSH connection fails:
 ```bash
 # Check SSH key is authorized
 cat /home/ai-worker/.ssh/authorized_keys
--- a/modules/nixos/security/ai-worker-restricted.nix
+++ b/modules/nixos/security/ai-worker-restricted.nix
@@ -2,123 +2,16 @@
 with lib;
 let
  # Docker subcommands that are BLOCKED for ai-worker
  # These commands allow file modification inside containers or data exfiltration.
  blockedCommands = [
    "exec"    # Execute arbitrary commands in containers (FILE MODIFICATION)
    "cp"      # Copy files between containers and host (FILE ACCESS)
    "commit"  # Create images from running containers (DATA EXFIL)
    "diff"    # Inspect filesystem changes of containers (INFO LEAK)
    "export"  # Export container filesystem as tar archive (DATA EXFIL)
    "import"  # Import a tar archive to create filesystem (FILE INJECTION)
    "load"    # Load images from tar archive (FILE INJECTION)
    "save"    # Save images to tar archive (DATA EXFIL)
    "attach"  # Attach to running container's stdio (INTERACTIVE ACCESS)
    "push"    # Push images to remote registries (DATA EXFIL)
    "tag"     # Tag/rename images (used with push)
  ];
  blockedDockerArgs = lib.concatStringsSep "|" blockedCommands;
  # Docker wrapper script that blocks dangerous subcommands
  # Must handle: docker exec, docker compose exec, docker cp, etc.
  restrictedDockerScript = pkgs.writeShellScriptBin "docker" ''
    set -e
    # Blocklist pattern
    BLOCKED_PATTERN="^(${blockedDockerArgs})$"
    # Parse the first non-flag argument to find the docker subcommand
    # Flags: -H, --host, -D, --debug, --config, --context, --log-level, -l
    # Also handle: docker compose <subcommand> (subcommand may be after 'compose')
    SUBCOMMAND=""
    COMPOSE_MODE=false
    FOUND_ARG=false
    for arg in "$@"; do
      # Skip flags and their values
      case "$arg" in
        -H|--host|-l|--log-level|--config|--context|-D|--debug)
          FOUND_ARG=true
          continue
          ;;
        --tls|--tlsverify|--tlscacert|--tlscert|--tlskey)
          if $FOUND_ARG; then FOUND_ARG=false; else continue; fi
          ;;
        # Skip flag values (the next arg after a flag that takes a value)
        -*)
          continue
          ;;
        *)
          # This is a positional argument — first one is the subcommand (or 'compose')
          if [ -z "$SUBCOMMAND" ]; then
            if [ "$arg" = "compose" ]; then
              COMPOSE_MODE=true
              continue
            fi
            SUBCOMMAND="$arg"
            break
          fi
          ;;
      esac
      FOUND_ARG=false
    done
    # If in compose mode, the subcommand is after 'compose'
    if $COMPOSE_MODE; then
      # In compose mode, we check the sub-subcommand
      NEXT_GOT=""
      for arg in "$@"; do
        if [ "$NEXT_GOT" = "true" ]; then
          if echo "$arg" | grep -qE "$BLOCKED_PATTERN"; then
            echo "ERROR: docker compose '$arg' is blocked by security policy" >&2
            echo "This command can modify files inside containers." >&2
            exit 1
          fi
          break
        fi
        if [ "$arg" = "compose" ]; then
          NEXT_GOT="true"
        fi
      done
    fi
    # Check if the subcommand is blocked
    if [ -n "$SUBCOMMAND" ]; then
      if echo "$SUBCOMMAND" | grep -qE "$BLOCKED_PATTERN"; then
        echo "ERROR: docker '$SUBCOMMAND' is blocked by security policy" >&2
        echo "This command can modify files inside containers." >&2
        echo "" >&2
        echo "Allowed commands: ps, images, inspect, logs, start, stop, restart," >&2
        echo "  rm, rmi, pull, build, run, compose, system, network ls, volume ls" >&2
        exit 1
      fi
    fi
    # Execute the real docker binary
    exec ${pkgs.docker}/bin/docker "$@"
  '';
 in
 {
  options.services.aiWorkerAccess = mkOption {
    type = types.bool;
    default = false;
-    description = "Enable AI worker SSH access with restricted docker commands";
+    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
  };
  config = mkIf config.services.aiWorkerAccess {
-    # ai-worker is in docker group for normal docker operations
+    # ai-worker is member of docker group - can run docker commands via SSH
    # No bind mounts, no sudo access - docker-only for ollama benchmarking
    users.groups.docker.members = [ "ai-worker" ];
    # Install the docker wrapper for ai-worker
    # This puts a filtered 'docker' script in ai-worker's PATH that blocks
    # dangerous commands like exec, cp, commit, etc.
    # The real docker binary is still available at its store path, but the
    # wrapper intercepts it because ~/.nix-profile/bin/ comes before /run/.../sw/bin/ in PATH.
    users.users.ai-worker.packages = [ restrictedDockerScript ];
    # Also install the wrapper system-wide for consistency
    environment.systemPackages = [ restrictedDockerScript ];
  };
 }
--- a/secrets/containers.env.age
+++ b/secrets/containers.env.age
@@ -1,36 +1,36 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBWNEpt
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSBMcVY2
-cGFNeVBBaDRqb3pLSEZGQW0wb3VmVnBoZCswUFkzbnBLUnJ0QTNrClRqVkk4RUVO
+eWRnb05sMEZVZUpicGVYN2ZSUm1mUmVsdUsrSHR4c2I2SXVRWDF3CnlhUkxoeEx5
-d29KYjd5YUcwankvaTFmVHUxQVpDT2ZYWHRaY3JXTUtQMU0KLT4gKXBtQ3UsXi1n
+M1NNcGR3bmx6ZW5RaHU3L2l4WEowdWYzQk0xa3E4ZUtwNkkKLT4gIi1ncmVhc2Ug
-cmVhc2UgNnwxYCBXVyA/KCQmIHt9NAo3OTZVUHR2UXkvaEFwY0ZBdEJsaFpsbHJ0
+SllwSzlIIEdAKltUKSBjSWpmCnljSXlZTXZBL2xuMEtma1NUNjdCM0dMNHJuVjFS
-cklKcDVHcEdWMEdPSkpnN0FiRU43RW5hUWFMdjR3WFRRSFBLSGlmClM3cTNJWlNM
+enV5LzF1NlYzbFNURW1rTlI2aUxCRFFxK2ZJdktsTTU1ZSsKNUZiZmVQWQotLS0g
-TExkdHdXUHJISkNIaE1TTUxUc1NUWkV1a09HeFU3bVZwQXMKLS0tIGhOcXFTUElS
+bTVrZEdWMHFWK0Q5RzZUc09PYmlEQjNweXRxU2FETWNWTXRUVEFKUUFpdwqtUbmM
-azJJNnEreUhMWTJBaVZGSTJPRUFqQkVYS01KRENUVVpZSDgK8+8onFejroBo7MeO
+kbnj4Q+9QlnJHuWBVu+BcWPl5HuiPUjrrxnWAuN6rFYd79H7qk9MagDB/2BAEk82
-dW+so4lOsq4zJKn3f0cxmCFg1f0X8zt6h4Uc3A5Cvr1uU+6yw1FWmJ7xa3jJz3lO
+iuQeqS0r8wAmp9bTzhbiMQEbtN96huSGA2aO9I/RoPU1jv1Upi8bNy+KX0jSsfV9
-EEaKQJXYC+xIIKGcA7qILa0SFp4a/4OuYjcg27HrlPhg7u5wDhQrd0LdVEe1Xngp
+cGFm0JsBZ4o5acq4isanC+3YkNq+IHxyDqUdwWMIHiEkR26pwndyMAaJTCBAgTN
-ZivX7P7HwIna3X8C+TL+K2v/AG2N/z86cdKfRvxyMKNbHhYw+CfHEnWgh8tJ++4h
+kmdWMK4PxR36ElY+8J0tiOv6VmGS73rVS4R/2Rdc5ICx6QO6oQQqETKYxqcmr8eD
-G9evNniuNqte6cQaRe7jODfPNW4FuY/Sb7barlJ/M9iAQdYAdyLAzU1LABeHeUfD
+8dgkZVpmBF/iuw7BYZ2U/p2PZSzgEVTVqfT3VO8WQ9ii2a4dw+2QEORgISbhxzoy
-wtHjxy9DUZ55Vg8bB8M2JJU9MkoRT4ewiVd9LeC1GWeVmKsm93wsmrov714i7U2j
+WGB0q4X33QWEYSp0FNyAG4Kc9yTphUq+hMHfNOtz3XmTZLltcVfA6XQbKwB/nDbq
-wHtDkjqEF2MmzuQc18sjNaAHiwz8j6o5xU2L/Q4+Q707yISWG7RGZYh389Cr1rnw
+G1gAfDwdEZ5OpN2IT0S6Zc2rKKeovqdFYWgqmDWiaBfqncl9qLH37KkpKqmUSQSe
-siUq/Vunqw2wk13+J/4vu9nqt5mMktBaCtp+QiWIurjwB5LUAyChrSm+dg5lb0Mt
+zyriQt8nZCzVrh4EKohjeLogVBsn0tPTYqiFnV+ZFK/kOWIYWduWDJcM3zwRVjx7
-UhSc0lq1+E3vxAXM2Hmk+vP86VD+6WJvAU82VFApF1s6zG2FU1/AcOVVf54nan/q
+Mr5l81gFv4WRHbnQB9eynGJLZYs1lI4/X9tKRUgUj0mN20Bt80NXGNPaJ3TAkrCO
-f+rgSFfASHQCYSblUJHyEtwLNsWEmTGmOEn1buUKD/H0zatPQnc0rYpjlx2V0Sjd
+rX0tgjsX/Sc59JTHaMOT419+ob9UtDoS7mGlxswKfyhvjzluu+EdHd0GRJ5PUsSq
-6yB5+wPrZ0AkN1pjcsPKOv8Kaog2DzqIjib+SaSTaRxWHQEb9uzvaReAcYI5HOpE
+8YlKYjRonBqhC0Ju9CRuZS0pk2bh72bG9z1Gb4LcJ0pLJ6lMfmF1j4zzfzsABe5G
-gkC040HN33BItATbo4+hz70Im8Ni/VXD+g6yzM6Hj1hJL+PinTKeg5keQRFIZjMx
+0bJF3ikzNxo6Wzsf3rk45/FvMhKjkI5O3Btnfp+Vkw+iRqDMh7wiD6cczNSp+Skd
-grzievB2wVBBgLgN3qMdTFmpplaL7iL702JjXZUTTK9Izp+9wiCsV1fTa53FWDht
+Et43NIobiLa6O95y2YEjqSkT5T0ug1nbLkygmxwffVn6RTWgScZSfBPvOKTINAVo
-ylFL5SWElqXjK+QBXxAe+Jk6VQov5HI21YDXL67S554ABeRok23wxrQ31TCI4xq9
+J/MU2c0DaBm4glLfm4IWaJNcEmZn8+FWG6m42WEWTMEfSeAo5XXaEb0FsK0Yqd3+
-PQV7VtNRjyVud7S29m3OwpWOsgTZhn+JclHj2v4bNJzJkJnZRTmcvGPktzRI5+R4
+RlE/b6a/DdoNEAQOlEPSASsoQhTVvsiEwH4Pq5G0STHtSBBIT/xJow4pa/GOiQnn
-e5vxVhGnJDzI71txaHl8+xS1lu9VzCQUrxX6TXyTRV4KjIOz0g06JOBgmBRBvJca
+yAFva9F7KFYWA7bjbRbv+B21bvss0T+BK9HRF+bklSzjxBNfDEWXW0GhwIiahwXW
-7MZbC65xpisl/gyLRbgkVga3t94dPV+dpZsn8eq6427IyRbKslJefatggR9//c6I
+Fxi3BUMZcfgoLg2NkhMb3irwJUoGqQFqn68e2jTJVyUATyVgGV5mzfjDBB8thcDt
-5N5fl0fR3gJQMB+HRbipBH2YsdbdWJyb4Nn6STZxIfrqoG/xC6C1raF0xK7hUx6i
+ehuIL/Y1bUVGWZteU/JAF7z+Fb1yBO2FJqpCKIcfd+JgkWVtQKaqYGjcuzbI7ce4
-4DUDSPohM8fOIswQPfE+FH3eygfzu/Ln5+ghsgHTEhgFvmgMvyxaAt6kHIzIUhMX
+fcrRDNCse2pBO1unE7HS160rK+dMWavlrsHHZKezsvNv7TwMj1SKjCKSVr8up7TC
-M3dASr4VPDpIXuXsRWwYLEifhzxsuvwVxfwtsnCaR6XKijsYECWGDdYOWHdleeqx
+NLW0I6uXGEcUBj+RNqF6frdpw/Ve1WTAkIbznMV6kZ8cTfAGhOzJ0wxHMBSQka8X
-wDPhxEesfFVhKxhrKY9Ir8k9/FFBKQU/3GjW4+SMAg5Al1YEzxshP9vKuVcsei7W
+uMatPuGywu+dvjrJXTwD0gJD/Jrd88K685ahu86nSt/DYnxIYfQhwo/oZMR7E6kN
-JDwAwotNXaCm6NBckiyZJE53ou6+gckPY7V9cOfnuH74Z9ywkFzB3HW3ZlonaGyM
+4NgGtYjRU0asmio6sF8D1uA2YgmxNPRw2GwTqpS2XyYaEh3B6yjqa4pJ1vfo6t/g
-oGmLGcccavFtyhg5s/As4i6X8ARIpDiwe59Pn3GNXMctySqIrrr2ogUoXgrfFCie
+aPLhMuT4qt/eKMvSiR+sTaOMNkcLWmCpY762aYk4XUZFTYAAY5XsNSAU+Hs7o/Eu
-6GOTdeMW7GeOSdJUxCofghlspS/nq01Og77VI/beWYrIwLubSka6Zaltww9zgObk
+9NSMrIrpqLAcgzr/nZZTLqswbsYtdVl5WUd9uqdQe+AhTbrkcvHibUrVgW/XU+oq
-/FGEMgFkEpq7iyCvYSPA8F46pJKvnMP3S84AWCPmcTcHeg4lwGPvs6btexXBGdoz
+QdHXUyfn/IByp2uE7WZpfRVhwjXg/LQJh/ogksbzrh4/anOivku+n1ouciAAgnQn
-nkCyq7wdH5Nngm7jUbl88LtaLZPAQkuqXphBVTnrF9Ofbnb4iRZ2Op4xpx9rGyvx
+04i6taBu+393ysMC/sp7wZkp//yAZj2SNPOTzbakG8xWoVGzbqxLCIOIE7I97KBv
-mO6UEhL6V1i2YZFNkNMg/W8aoMiUgBdqbkxaxblT9L0aNdlFU9+LbWYolURVEadd
+G49jiEOS42vZZXSGLxQND+N0aOqosZfQ1WKpI9XjirB8qVOt/sr6uqEIx311V+BJ
-Qjv0Z1gMA+tsuBbVszwsMfneZ5+B9Q==
+wrdoMa9hWmDFzf3+ThqfUuHOtxxJXReL7vC4J7K8iU6nCVIGJN7axifk
 -----END AGE ENCRYPTED FILE-----
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -4,8 +4,6 @@
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
    # ai-worker stays in docker group for normal docker operations (ps, start, stop, compose, ...)
    # Dangerous commands (exec, cp, commit) are blocked by a wrapper script.
    extraGroups = [ "docker" ];
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
@@ -16,14 +14,17 @@
  };
  users.groups.ai-worker = {};
-  # Enable restricted AI worker SSH access
+  # Enable restricted AI worker SSH access for ollama benchmarking
-  # SECURITY: ai-worker is in docker group but docker commands are filtered:
+  # SECURITY: ai-worker can only:
-  #   ALLOWED: ps, images, logs, start, stop, restart, rm, rmi, pull, build, run, compose
+  #   - SSH into host from Hermes container
-  #   BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push
+  #   - Run docker commands (docker exec ollama ...) via docker group
-  # The filtering is done by a docker wrapper in ai-worker's PATH.
+  #   - Run specific security audit commands
  #   - NO access to infra repo (no bind mount)
  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
  services.aiWorkerAccess = true;
-  # Restricted sudo for ai-worker - security checks only (not for docker)
+  # Restricted sudo for ai-worker - security checks only
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
@@ -68,6 +69,15 @@
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
        # Docker service checks
        {
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";
Author	SHA1	Message	Date
Robert	ef7f06166b	Removed double file Some checks failed Build NixOS config / build (pull_request) Failing after 1s Details	2026-05-13 10:04:57 -04:00
Robert	e70516e78b	Added access to the secret to version control	2026-05-13 10:03:14 -04:00
Robert	ce3a327ff7	The key changed apparently? it works with that one anyway	2026-05-13 10:01:58 -04:00
Robert	af38655170	Adding the runner key Some checks failed Build NixOS config / build (pull_request) Failing after 55s Details	2026-05-10 22:23:29 -04:00
Hermes	dcf5ac6b5e	fix: use nixos-builder label for NixOS CI	2026-05-10 22:15:53 -04:00
Hermes	d78de94f94	feat: add NixOS build CI for infra PRs	2026-05-10 22:15:02 -04:00