feat: update compose submodule for ollama-gfx906 (v0.23.2) + add Dockerfile

flake.lock

@@ -70,11 +70,11 @@
         "pre-commit-hooks": "pre-commit-hooks"
       },
       "locked": {
-        "lastModified": 1774721317,
-        "narHash": "sha256-KS0ElyhZKdUFcfaxfwid3yi2Id3EP9i+dGL16/wx1T8=",
+        "lastModified": 1777373577,
+        "narHash": "sha256-K0sXr8tRA9L1FGE8Khl42NR+DmZOY9gNYCP8ljX7TAo=",
         "ref": "main",
-        "rev": "d0190cff6f2314cc1c727ff113aea20e086f4bcc",
-        "revCount": 19103,
+        "rev": "faaa14a303dabc6309a52cc8e5eba86f9e29ccaf",
+        "revCount": 19152,
         "type": "git",
         "url": "https://git.lix.systems/lix-project/lix"
       },
@@ -178,11 +178,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1774386573,
-        "narHash": "sha256-4hAV26quOxdC6iyG7kYaZcM3VOskcPUrdCQd/nx8obc=",
+        "lastModified": 1777268161,
+        "narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "46db2e09e1d3f113a13c0d7b81e2f221c63b8ce9",
+        "rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
         "type": "github"
       },
       "original": {

hosts/lazyworkhorse/configuration.nix

@@ -207,7 +207,6 @@
     ai = {
       path = self + "/assets/compose/ai";
       envFile = config.age.secrets.containers_env.path;
-      ports = [ 22000 ];  # Syncthing TCP sync
     };
 
     cloudstorage = {
@@ -475,7 +474,7 @@
   services.openssh.settings = {
     PermitRootLogin = "no";
     MaxAuthTries = 3;
-    MaxSessions = 20;
+    MaxSessions = 10;
     LoginGraceTime = 30;
     ClientAliveInterval = 300;
     ClientAliveCountMax = 2;

modules/nixos/security/README-ai-worker.md

@@ -1,44 +1,10 @@
 # AI Worker Restricted Access
 
-This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
+This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
 
 ## Security Model
 
-### Overview
-
-The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
-
-- **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
-- **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
-- **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
-- **Disk cleanup**: `docker system`
-- **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
-
-### EXPLICITLY BLOCKED (not in sudo whitelist)
-
-| Command | Risk | Result |
-|---------|------|--------|
-| `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
-| `docker cp` | Copy files between containers and host | Blocked by sudo |
-| `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
-| `docker diff` | Inspect filesystem changes | Blocked by sudo |
-| `docker export` | Export container filesystem | Blocked by sudo |
-| `docker import` | Import filesystem archives | Blocked by sudo |
-| `docker load` | Load docker images | Blocked by sudo |
-| `docker save` | Save docker images to tar | Blocked by sudo |
-| `docker attach` | Interactive access to containers | Blocked by sudo |
-| `docker push` | Push images to registries | Blocked by sudo |
-| `docker tag` | Rename images | Blocked by sudo |
-
-### Why This Approach?
-
-Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
-
-- `docker exec -it container bash` — full shell access to any container
-- `docker cp /host/file container:/path` — file modification inside containers
-- `docker run -v /:/host alpine` — full host filesystem access
-
-By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
+The `ai-worker` user has:
 
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
@@ -46,33 +12,51 @@ By removing the `docker` group and using a sudo whitelist instead, we enforce th
 - **Cannot access**: Any files outside standard system paths
 
 ### Sudo Access
-- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
+- **NONE**: ai-worker has no sudo privileges
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
 
-## Workflow: SSH + Restricted Docker
+### Docker Access
+- Member of `docker` group - can run `docker` and `docker exec` commands
+- Primary use: `docker exec ollama ollama ...` for benchmarking
+- Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
 
-All docker commands must be prefixed with `sudo`:
+## Workflow: SSH + Docker Benchmarking
+
+The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
+
+### Example Workflow
 
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
 
-# Check container status (works)
-sudo docker ps
+# On host, run ollama benchmarks via docker
+docker exec ollama ollama pull devstral-small-2:24b
 
-# Restart a container (works)
-sudo docker restart ollama
+# Create test modelfile
+docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
+FROM devstral-small-2:24b
+PARAMETER num_ctx 65536
+PARAMETER num_gpu 99
+PARAMETER flash_attn true
+EOF'
 
-# Run benchmark (works - docker run is allowed)
-sudo docker run --rm alpine echo "test"
+# Create and test model
+docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
+docker exec ollama ollama run test-model "Write a Python async function"
 
-# ANY of these will FAIL (not in whitelist):
-sudo docker exec ollama ollama list          # FAILS - docker exec blocked
-sudo docker cp file.txt container:/path/     # FAILS - docker cp blocked
-sudo docker commit container new-image       # FAILS - docker commit blocked
+# Check VRAM usage
+docker exec --privileged ollama rocm-smi --showmeminfo vram
 
-# For ollama operations, use the HTTP API instead of docker exec:
-curl http://ollama:11434/api/tags
+# Cleanup
+docker exec ollama ollama rm test-model
+
+# Exit SSH, return to Hermes container
+exit
+
+# Save results in Hermes container
+# /opt/data/ai-optimizer/state.json
+# /opt/data/ai-optimizer/results.csv
 ```
 
 ## SSH Access
@@ -90,30 +74,25 @@ Check ai-worker permissions:
 ```bash
 # On the host, as root or gortium:
 sudo -u ai-worker sudo -l
-# Should show the whitelisted commands only (no docker exec/cp/commit)
+# Should show: no sudo access
 
-# Verify NOT in docker group
+# Check docker group membership
 groups ai-worker
-# Should show: ai-worker (NO docker group)
+# Should show: ai-worker docker
 ```
 
 ## Troubleshooting
 
-If docker commands fail:
-
+If ai-worker cannot run docker commands:
 ```bash
-# Check sudo permissions
-sudo -u ai-worker sudo -l | grep docker
-
-# Verify group membership
+# Check docker group membership
 groups ai-worker
 
-# Test allowed command
-sudo -u ai-worker sudo docker ps
+# Verify ollama container is running
+docker ps | grep ollama
 
-# Test blocked command (should fail)
-sudo -u ai-worker sudo docker exec ollama ollama list
-# Expected: "Sorry, user ai-worker is not allowed to execute"
+# Test docker access
+sudo -u ai-worker docker exec ollama ollama list
 ```
 
 If SSH connection fails:

modules/nixos/security/ai-worker-restricted.nix

@@ -6,19 +6,12 @@ with lib;
   options.services.aiWorkerAccess = mkOption {
     type = types.bool;
     default = false;
-    description = "Enable AI worker SSH access with restricted sudo docker commands";
+    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
   };
 
   config = mkIf config.services.aiWorkerAccess {
-    # SECURITY: ai-worker is NOT added to docker group.
-    # Docker access is granted via sudo whitelist in users/ai-worker.nix.
-    # This prevents unrestricted docker daemon access (docker exec, cp, commit, etc.)
-    # Only specific docker subcommands are allowed via sudo NOPASSWD rules.
-    
-    # The old approach (docker group membership) has been removed because:
-    # - Docker group gives UNRESTRICTED access to the docker daemon socket
-    # - No way to limit which docker subcommands a docker group member can run
-    # - Allowed: docker exec, docker cp, docker run -v /:/host, etc.
-    # users.groups.docker.members = [ "ai-worker" ];  // REMOVED
+    # ai-worker is member of docker group - can run docker commands via SSH
+    # No bind mounts, no sudo access - docker-only for ollama benchmarking
+    users.groups.docker.members = [ "ai-worker" ];
   };
 }

modules/nixos/services/ollama_init_custom_models.nix

@@ -1,87 +1,67 @@
 { pkgs, ... }: {
   systemd.services.init-ollama-model = {
     description = "Initialize LLM models with extra context in Ollama Docker";
-    
-    # On s'assure que Docker tourne avant de lancer ce script
-    after = [ "docker.service" ];
+    after = [ "docker-ollama.service" ];
     wantedBy = [ "multi-user.target" ];
-    
     script = ''
-      # Fonction de création asynchrone pour ne pas bloquer le démarrage
-      (
-        echo "Starting asynchronous Ollama initialization..."
-        
-        # Attente d'Ollama (maximum 120 secondes pour éviter une boucle infinie)
-        TIMEOUT=60
-        COUNT=0
-        while ! ${pkgs.curl}/bin/curl -s -f http://127.0.0.1:11434/api/tags > /dev/null; do
-          if [ $COUNT -ge $TIMEOUT ]; then
-            echo "Ollama did not become ready in time. Exiting."
-            exit 1
-          fi
-          echo "Waiting for Ollama API to be reachable..."
-          sleep 5
-          COUNT=$((COUNT + 5))
-        done
+      # Wait for Ollama
+      while ! ${pkgs.curl}/bin/curl -s http://localhost:11434/api/tags > /dev/null; do
+        sleep 2
+      done
 
-        create_model_if_missing() {
-          local model_name=$1
-          local base_model=$2
+      create_model_if_missing() {
+        local model_name=$1
+        local base_model=$2
+        if ! ${pkgs.docker}/bin/docker exec ollama ollama list | grep -q "$model_name"; then
+          echo "$model_name not found, creating from $base_model..."
           
-          # Vérification robuste via l'API HTTP d'Ollama plutôt que docker exec (évite les conflits de tty)
-          if ! ${pkgs.curl}/bin/curl -s http://127.0.0.1:11434/api/tags | ${pkgs.jq}/bin/jq -e ".models[] | select(.name == \"$model_name\")" > /dev/null; then
-            echo "$model_name not found, creating from $base_model..."
-            
-            # Utilisation d'un fichier temporaire sur l'hôte pour l'injecter proprement dans Docker
-            TMP_FILE=$(mktemp)
-            cat <<EOF > "$TMP_FILE"
+          # We use a custom TEMPLATE block to strip the 'currentDate' function 
+          # which is unsupported in Ollama 0.5.7 but present in Devstral's default manifest.
+          ${pkgs.docker}/bin/docker exec ollama sh -c "cat <<EOF > /root/.ollama/$model_name.modelfile
 FROM $base_model
-TEMPLATE """{{- if .System }}
+TEMPLATE \"\"\"{{- if .System }}
 [SYSTEM_PROMPT]
 {{ .System }}
 [/SYSTEM_PROMPT]
 {{- end }}
 {{- range .Messages }}
-{{- if eq .Role "user" }}
+{{- if eq .Role \"user\" }}
 [INST]
 {{ .Content }}
 [/INST]
-{{- else if eq .Role "assistant" }}
+{{- else if eq .Role \"assistant\" }}
 {{ .Content }}
 {{- end }}
-{{- end }}"""
+{{- end }}\"\"\"
 PARAMETER num_ctx 131072
 PARAMETER num_predict 4096
 PARAMETER num_keep 1024
 PARAMETER repeat_penalty 1.1
 PARAMETER top_k 40
-PARAMETER stop "[INST]"
-PARAMETER stop "[/INST]"
-PARAMETER stop "</s>"
-EOF
+PARAMETER stop \"[INST]\"
+PARAMETER stop \"[/INST]\"
+PARAMETER stop \"</s>\"
+EOF"
+          ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f "/root/.ollama/$model_name.modelfile"
+          ${pkgs.docker}/bin/docker exec ollama rm "/root/.ollama/$model_name.modelfile"
+        else
+          echo "$model_name already exists, skipping."
+        fi
+      }
 
-            # Copie et création dans le conteneur
-            ${pkgs.docker}/bin/docker cp "$TMP_FILE" ollama:/tmp/model.modelfile
-            ${pkgs.docker}/bin/docker exec ollama ollama create "$model_name" -f /tmp/model.modelfile
-            ${pkgs.docker}/bin/docker exec ollama rm /tmp/model.modelfile
-            rm -f "$TMP_FILE"
-          else
-            echo "$model_name already exists, skipping."
-          fi
-        }
-
-        # Create Nemotron
-        create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
-        
-        # Create Devstral
-        create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
-        
-      ) &
+      # Create Nemotron
+      create_model_if_missing "nemotron-3-nano:30b-128k" "nemotron-3-nano:30b"
+      
+      # Create Devstral
+      create_model_if_missing "devstral-small-2:24b-128k" "devstral-small-2:24b" 
+      
+      # create_model_if_missing "qwen2.5-coder:32b-128k" "qwen2.5-coder:32b"
+      
+      # create_model_if_missing "mistral-large-planner:123b" "mistral-large:123b-instruct-v2407-q4_K_S"
     '';
-
     serviceConfig = {
-      Type = "forking"; # Permet à systemd de savoir que le script passe en arrière-plan via '&'
-      User = "root";
+      Type = "oneshot";
+      RemainAfterExit = true;
     };
   };
 }

secrets/wireguard_preshared_key.age

@@ -1,9 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA3VG9Z
-MVFPVFc2VVJ3d0h0dmtBUnI3WHl2SzUxTkRZbjFCaGloWmV3dnd3ClcxdnVPeGd6
-SU4zR0Q0K1dtVjRRVHd0VW5XSFI0dVFpTjZnYk1DNjRxTVEKLT4gQzlgRy1ncmVh
-c2UKeUozOWgyUytSTVF0NjY2STBEb2VadwotLS0gblI3bmJCUWxxU3QrYTEyVFBI
-Snc4NC9rTkh0NnZYbUtxUE9hRWRkelpmMAq58fmH6cK13GeD7wGLxKmx10hmJeW4
-b7KqnCD1ZP7uG85s32xzVRwRG8RrG4xZo5nR9Mrtg1CoTSFfUGeFnf5xveN+Ej0X
-wDVB1LwC+Q==
------END AGE ENCRYPTED FILE-----

secrets/wireguard_private_key.age

@@ -1,11 +0,0 @@
------BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA5dzVG
-WUNvT3NlRmcrWS81bzJqSWlTekVYaDFFTE10SkI2dEgzaGpxcUI4Cmk5Y0FGYTRZ
-K0NGYzY3VUp4aS9ZZGRmWTgybDJFUURva2pZNmVOS3QxdEUKLT4gPnVRTCtldGMt
-Z3JlYXNlCk04OTJZeFRNeDI5aGpMVTk1ZTE0Y2FMMnFEMjlJalJpMHRlaTE4ZWIx
-d2lCRGQ5RHVjcktOMGJCb1VERlNWcTYKaSt0L1Z6dVJ0QWIyZkhsYzFEVjZSQWUr
-ZWpwVlo1TmhoUFJZdkEvR0gxNlVhcXF2ZTRnCi0tLSBLcmM2MThNVkdWclpHUXRr
-VTF6QVk2WUZlTXpZMVNLMlpBOFc3M1o5WjZzCs9xbPlIX+u5vRSQ/z9utu+I9S2c
-02DOsIb1kzxzb1OK91b8Kh4JucQSq3qkyEvRucsNn5QW8hIHDnRuND6EbPyN7p4S
-YB/F0dxSqgnq
------END AGE ENCRYPTED FILE-----

users/ai-worker.nix

@@ -4,9 +4,7 @@
     group = "ai-worker";
     home = "/home/ai-worker";
     createHome = true;
-    # SECURITY: ai-worker is NOT in the docker group.
-    # Docker access is restricted via sudo whitelist — only specific subcommands allowed.
-    # extraGroups = [ "docker" ]; — REMOVED: docker group gives unrestricted docker daemon access
+    extraGroups = [ "docker" ];
     shell = pkgs.bashInteractive;
     openssh.authorizedKeys.keys = [
       keys.users.ai-worker.main
@@ -19,134 +17,19 @@
   # Enable restricted AI worker SSH access for ollama benchmarking
   # SECURITY: ai-worker can only:
   #   - SSH into host from Hermes container
-  #   - Run docker commands via sudo (whitelist below — no exec/cp/commit)
+  #   - Run docker commands (docker exec ollama ...) via docker group
   #   - Run specific security audit commands
   #   - NO access to infra repo (no bind mount)
-  #   - NO nix/nixos-rebuild/nh commands
-  # WORKFLOW: SSH from Hermes container, run docker commands via sudo, return and save results
+  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
+  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
   services.aiWorkerAccess = true;
-
-  # Restricted sudo for ai-worker
-  # IMPORTANT: ai-worker is NOT in docker group. All docker access goes through sudo.
-  # Only the subcommands listed below are allowed — everything else is denied.
-  # This prevents: docker exec, docker cp, docker commit, and other file-modifying operations.
+  
+  # Restricted sudo for ai-worker - security checks only
   security.sudo.extraRules = [
     {
       users = [ "ai-worker" ];
       commands = [
-        # === Docker commands: lifecycle management (NO file modification) ===
-        # ps/inspect/logs — read-only status checks
-        {
-          command = "/run/current-system/sw/bin/docker ps";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker inspect *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker logs *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker images";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker info";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker version";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker stats *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # start/stop/restart — container lifecycle
-        {
-          command = "/run/current-system/sw/bin/docker start *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker stop *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker restart *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker rm *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker rmi *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker wait *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # pull/build/run — image management and container creation
-        {
-          command = "/run/current-system/sw/bin/docker pull *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker build *";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/docker run *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # compose — orchestration
-        {
-          command = "/run/current-system/sw/bin/docker compose *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # system — disk cleanup
-        {
-          command = "/run/current-system/sw/bin/docker system *";
-          options = [ "NOPASSWD" ];
-        }
-
-        # network — list only (create/modify not needed)
-        {
-          command = "/run/current-system/sw/bin/docker network ls";
-          options = [ "NOPASSWD" ];
-        }
-
-        # volume — list only (create/modify not needed)
-        {
-          command = "/run/current-system/sw/bin/docker volume ls";
-          options = [ "NOPASSWD" ];
-        }
-
-        # === EXPLICITLY DENIED docker commands (not in whitelist — sudo rejects them) ===
-        # docker exec     — executes arbitrary commands inside running containers (FILE MODIFICATION)
-        # docker cp       — copies files between containers and host (FILE ACCESS)
-        # docker commit   — creates images from running containers (DATA EXFIL)
-        # docker diff     — inspects filesystem changes (INFO LEAK)
-        # docker export   — exports container filesystem (DATA EXFIL)
-        # docker import   — imports filesystem archives
-        # docker load     — loads docker images
-        # docker save     — saves docker images to tar (DATA EXFIL)
-        # docker attach   — attaches to running containers (INTERACTIVE ACCESS)
-        # docker push     — pushes images to registries (DATA EXFIL)
-        # docker tag      — renames images
-        # docker create   — creates containers (use 'docker run' instead)
-        # docker plugin   — manages plugins
-        # docker network create/rm — network management
-        # docker volume create/rm  — volume management
-
-        # === Firewall checks ===
+        # Firewall checks
         {
           command = "/run/wrappers/bin/sudo iptables -L -n -v";
           options = [ "NOPASSWD" ];
@@ -155,8 +38,7 @@
           command = "/run/wrappers/bin/sudo iptables -S";
           options = [ "NOPASSWD" ];
         }
-
-        # === Fail2ban status ===
+        # Fail2ban status
         {
           command = "/run/current-system/sw/bin/fail2ban-client status";
           options = [ "NOPASSWD" ];
@@ -169,8 +51,7 @@
           command = "/run/current-system/sw/bin/fail2ban-client get * banned";
           options = [ "NOPASSWD" ];
         }
-
-        # === Log inspection ===
+        # Log inspection
         {
           command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
           options = [ "NOPASSWD" ];
@@ -183,14 +64,21 @@
           command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
           options = [ "NOPASSWD" ];
         }
-
-        # === SSH config verification ===
+        # SSH config verification
         {
           command = "/run/current-system/sw/bin/sshd -T";
           options = [ "NOPASSWD" ];
         }
-
-        # === Network diagnostics ===
+        # Docker service checks
+        {
+          command = "/run/current-system/sw/bin/docker ps";
+          options = [ "NOPASSWD" ];
+        }
+        {
+          command = "/run/current-system/sw/bin/docker inspect *";
+          options = [ "NOPASSWD" ];
+        }
+        # Network diagnostics
         {
           command = "/run/current-system/sw/bin/ss -tlnp";
           options = [ "NOPASSWD" ];