feat: integrate rollback sentinel as NixOS module

Add rollback-sentinel NixOS module that: - Deploys sentinel-check.sh (inline) and nixos-rollback.sh (from file) as system packages - Runs a boot-time systemd oneshot service after multi-user.target with configurable delay — checks Tier-1 services, triggers rollback on failure - Runs a post-rebuild service via activation script after every nixos-rebuild switch - Exposes options for tier1Services, tier2Services, tier3InfoServices, bootDelay, rollbackMode (set-default/rollback-now/dry-run), and enablePostRebuild Module wired into flake.nix for lazyworkhorse and enabled in configuration.nix with standard Tier-1/2 service lists and 120s delay.
2026-05-25 00:09:20 -04:00
7 changed files with 683 additions and 208 deletions
--- a/flake.nix
+++ b/flake.nix
@@ -61,6 +61,7 @@
              ./modules/nixos/services/open_code_server.nix
              ./modules/nixos/services/ollama_init_custom_models.nix
              ./modules/nixos/services/openclaw_node.nix
              ./modules/nixos/services/rollback-sentinel.nix
              ./modules/nixos/security/ai-worker-restricted.nix
              ./users/gortium.nix
              ./users/ai-worker.nix
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -321,11 +321,41 @@
  environment.etc."ssh/ssh_host_ed25519_key.pub".text =
    "${keys.hosts.lazyworkhorse.main}";
  # ── Boot sentinel: auto-rollback on critical service failure ───────────────
  services.rollbackSentinel.enable = true;
  # Tier-1: failure triggers rollback
  services.rollbackSentinel.tier1Services = [
    "sshd" "docker" "traefik" "authelia"
  ];
  # Tier-2: warn only
  services.rollbackSentinel.tier2Services = [
    "gitea" "hermes" "ollama" "synapse" "nextcloud"
    "vaultwarden" "wireguard" "homeassistant" "fail2ban"
  ];
  # Wait 2 minutes after boot before checking (lets services initialize)
  services.rollbackSentinel.bootDelay = "120";
  # Change boot default only (not --rollback-now) for safety
  services.rollbackSentinel.rollbackMode = "set-default";
  services.fstrim.enable = true;
  services.zfs.autoSnapshot.enable = true;
  services.zfs.autoScrub.enable = true;
  # Ensure com.sun:auto-snapshot is set on ZFS datasets so auto-snapshots actually run
  systemd.services."zfs-set-auto-snapshot" = {
    description = "Set com.sun:auto-snapshot=true on ZFS datasets";
    after = [ "zfs-import.target" ];
    wants = [ "zfs-import.target" ];
    wantedBy = [ "multi-user.target" ];
    path = with pkgs; [ zfs ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.zfs}/bin/zfs set -r com.sun:auto-snapshot=true rpool";
    };
  };
  # Mi50 config
  hardware.graphics = {
    enable = true;
--- a/modules/nixos/security/README-ai-worker.md
+++ b/modules/nixos/security/README-ai-worker.md
@@ -1,44 +1,10 @@
 # AI Worker Restricted Access
-This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
+This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
 ## Security Model
-### Overview
+The `ai-worker` user has:
 The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
 - **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
 - **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
 - **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
 - **Disk cleanup**: `docker system`
 - **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
 ### EXPLICITLY BLOCKED (not in sudo whitelist)
 | Command | Risk | Result |
 |---------|------|--------|
 | `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
 | `docker cp` | Copy files between containers and host | Blocked by sudo |
 | `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
 | `docker diff` | Inspect filesystem changes | Blocked by sudo |
 | `docker export` | Export container filesystem | Blocked by sudo |
 | `docker import` | Import filesystem archives | Blocked by sudo |
 | `docker load` | Load docker images | Blocked by sudo |
 | `docker save` | Save docker images to tar | Blocked by sudo |
 | `docker attach` | Interactive access to containers | Blocked by sudo |
 | `docker push` | Push images to registries | Blocked by sudo |
 | `docker tag` | Rename images | Blocked by sudo |
 ### Why This Approach?
 Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
 - `docker exec -it container bash` — full shell access to any container
 - `docker cp /host/file container:/path` — file modification inside containers
 - `docker run -v /:/host alpine` — full host filesystem access
 By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
@@ -46,33 +12,51 @@ By removing the `docker` group and using a sudo whitelist instead, we enforce th
 - **Cannot access**: Any files outside standard system paths
 ### Sudo Access
- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
+- **NONE**: ai-worker has no sudo privileges
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
-## Workflow: SSH + Restricted Docker
+### Docker Access
 - Member of `docker` group - can run `docker` and `docker exec` commands
 - Primary use: `docker exec ollama ollama ...` for benchmarking
 - Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
-All docker commands must be prefixed with `sudo`:
+## Workflow: SSH + Docker Benchmarking
 The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
 ### Example Workflow
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
-# Check container status (works)
+# On host, run ollama benchmarks via docker
-sudo docker ps
+docker exec ollama ollama pull devstral-small-2:24b
-# Restart a container (works)
+# Create test modelfile
-sudo docker restart ollama
+docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
 FROM devstral-small-2:24b
 PARAMETER num_ctx 65536
 PARAMETER num_gpu 99
 PARAMETER flash_attn true
 EOF'
-# Run benchmark (works - docker run is allowed)
+# Create and test model
-sudo docker run --rm alpine echo "test"
+docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
 docker exec ollama ollama run test-model "Write a Python async function"
-# ANY of these will FAIL (not in whitelist):
+# Check VRAM usage
-sudo docker exec ollama ollama list          # FAILS - docker exec blocked
+docker exec --privileged ollama rocm-smi --showmeminfo vram
 sudo docker cp file.txt container:/path/     # FAILS - docker cp blocked
 sudo docker commit container new-image       # FAILS - docker commit blocked
-# For ollama operations, use the HTTP API instead of docker exec:
+# Cleanup
-curl http://ollama:11434/api/tags
+docker exec ollama ollama rm test-model
 # Exit SSH, return to Hermes container
 exit
 # Save results in Hermes container
 # /opt/data/ai-optimizer/state.json
 # /opt/data/ai-optimizer/results.csv
 ```
 ## SSH Access
@@ -90,30 +74,25 @@ Check ai-worker permissions:
 ```bash
 # On the host, as root or gortium:
 sudo -u ai-worker sudo -l
-# Should show the whitelisted commands only (no docker exec/cp/commit)
+# Should show: no sudo access
-# Verify NOT in docker group
+# Check docker group membership
 groups ai-worker
-# Should show: ai-worker (NO docker group)
+# Should show: ai-worker docker
 ```
 ## Troubleshooting
-If docker commands fail:
+If ai-worker cannot run docker commands:
 ```bash
-# Check sudo permissions
+# Check docker group membership
 sudo -u ai-worker sudo -l | grep docker
 # Verify group membership
 groups ai-worker
-# Test allowed command
+# Verify ollama container is running
-sudo -u ai-worker sudo docker ps
+docker ps | grep ollama
-# Test blocked command (should fail)
+# Test docker access
-sudo -u ai-worker sudo docker exec ollama ollama list
+sudo -u ai-worker docker exec ollama ollama list
 # Expected: "Sorry, user ai-worker is not allowed to execute"
 ```
 If SSH connection fails:
--- a/modules/nixos/security/ai-worker-restricted.nix
+++ b/modules/nixos/security/ai-worker-restricted.nix
@@ -6,19 +6,12 @@ with lib;
  options.services.aiWorkerAccess = mkOption {
    type = types.bool;
    default = false;
-    description = "Enable AI worker SSH access with restricted sudo docker commands";
+    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
  };
  config = mkIf config.services.aiWorkerAccess {
-    # SECURITY: ai-worker is NOT added to docker group.
+    # ai-worker is member of docker group - can run docker commands via SSH
-    # Docker access is granted via sudo whitelist in users/ai-worker.nix.
+    # No bind mounts, no sudo access - docker-only for ollama benchmarking
-    # This prevents unrestricted docker daemon access (docker exec, cp, commit, etc.)
+    users.groups.docker.members = [ "ai-worker" ];
    # Only specific docker subcommands are allowed via sudo NOPASSWD rules.
    # The old approach (docker group membership) has been removed because:
    # - Docker group gives UNRESTRICTED access to the docker daemon socket
    # - No way to limit which docker subcommands a docker group member can run
    # - Allowed: docker exec, docker cp, docker run -v /:/host, etc.
    # users.groups.docker.members = [ "ai-worker" ];  // REMOVED
  };
 }
--- a/modules/nixos/services/nixos-rollback.sh
+++ b/modules/nixos/services/nixos-rollback.sh
@@ -0,0 +1,400 @@
 #!/usr/bin/env bash
 # =============================================================================
 # nixos-rollback.sh — NixOS systemd-boot Rollback Script
 #
 # Detects a failed NixOS generation (critical services not starting) and sets
 # the previous generation as the default boot option for systemd-boot.
 # Logs all actions to syslog/journald and a local logfile. Fails safely when
 # no previous generation exists or required files are missing.
 #
 # Integration with the boot sentinel:
 #   sentinel-check.sh  →  detects Tier-1 service failures (sshd, docker,
 #                          traefik, authelia) after a boot
 #   nixos-rollback.sh  ←  called when sentinel exits nonzero; sets previous
 #                          generation as default for next boot
 #
 # Usage:
 #   nixos-rollback.sh                        # auto-detect & set previous gen
 #   nixos-rollback.sh --dry-run              # show what would be done
 #   nixos-rollback.sh --rollback-now         # also run nixos-rebuild switch
 #                                            #   --rollback for immediate fix
 #   nixos-rollback.sh --help                 # full help text
 #
 # Exit codes:
 #   0 — rollback applied (or dry-run would apply)
 #   1 — preflight failure (missing files, permissions)
 #   2 — no previous generation available
 #   3 — nixos-rebuild --rollback failed (only with --rollback-now)
 #
 # Installation on NixOS:
 #   Place in /usr/local/bin/nixos-rollback.sh and make executable.
 #   Add a systemd oneshot service to run it after sentinel-check detects
 #   failures, or invoke directly from a sentinel timer.
 # =============================================================================
 set -euo pipefail
 # ── Configuration ────────────────────────────────────────────────────────────
 # These can be overridden via environment variables for testing.
 LOADER_CONF="${NIXOS_ROLLBACK_LOADER_CONF:-/boot/loader/loader.conf}"
 ENTRIES_DIR="${NIXOS_ROLLBACK_ENTRIES_DIR:-/boot/loader/entries}"
 LOGFILE="${NIXOS_ROLLBACK_LOGFILE:-/var/log/nixos-rollback.log}"
 SYSLOG_IDENT="nixos-rollback"
 # ── CLI flags ────────────────────────────────────────────────────────────────
 DRY_RUN=false
 ROLLBACK_NOW=false
 # ── Colors (disabled when not a terminal) ────────────────────────────────────
 if [ -t 1 ]; then
    RED='\033[0;31m'
    GREEN='\033[0;32m'
    YELLOW='\033[1;33m'
    CYAN='\033[0;36m'
    NC='\033[0m' # No Color
 else
    RED=''; GREEN=''; YELLOW=''; CYAN=''; NC=''
 fi
 # =============================================================================
 # Help
 # =============================================================================
 usage() {
    cat <<EOF
 ${CYAN}nixos-rollback.sh${NC} — Set the previous NixOS generation as systemd-boot default
 ${CYAN}USAGE${NC}
    nixos-rollback.sh [OPTIONS]
 ${CYAN}OPTIONS${NC}
    --dry-run           Show what would be done without making changes
    --rollback-now      Also run 'nixos-rebuild switch --rollback' for
                        immediate fix of the running system (requires
                        nixos-rebuild on PATH)
    -h, --help          Show this help text
 ${CYAN}DESCRIPTION${NC}
    Reads the current default boot entry from ${LOADER_CONF},
    determines the previous generation number, and writes it as the
    new default.  The script only modifies systemd-boot config —
    it does NOT touch the Nix store or system profile unless
    --rollback-now is passed.
    Designed as the rollback half of a boot sentinel:
      1. System boots into generation N
      2. sentinel-check.sh detects Tier-1 service failures
      3. nixos-rollback.sh sets default to generation N-1
      4. Next reboot uses the working generation
 ${CYAN}EXIT CODES${NC}
    0   Rollback applied (or dry-run would apply)
    1   Preflight failure (missing files, permissions)
    2   No previous generation available (only one generation)
    3   nixos-rebuild --rollback failed (with --rollback-now)
 ${CYAN}FILES${NC}
    ${LOADER_CONF}      systemd-boot loader configuration
    ${ENTRIES_DIR}/     generation entry .conf files
    ${LOGFILE}          action log (append-only)
 EOF
 }
 # =============================================================================
 # Logging
 # =============================================================================
 log() {
    local level="$1"; shift
    local msg="$*"
    local timestamp
    timestamp="$(date '+%Y-%m-%d %H:%M:%S')"
    echo "${timestamp} [${level}] ${msg}" >> "${LOGFILE}"
    logger -t "${SYSLOG_IDENT}" -p "user.${level}" "${msg}"
    # Also print to stderr for ERROR/WARN, stdout for INFO
    case "${level}" in
        ERROR) echo >&2 "${RED}[ERROR]${NC} ${msg}" ;;
        WARN)  echo >&2 "${YELLOW}[WARN]${NC}  ${msg}" ;;
        INFO)  echo " ${GREEN}[INFO]${NC}  ${msg}" ;;
    esac
 }
 info()  { log "INFO" "$@"; }
 warn()  { log "WARN" "$@"; }
 error() { log "ERROR" "$@"; }
 # =============================================================================
 # Preflight checks
 # =============================================================================
 preflight() {
    # Must run as root (need to write to /boot), unless overridden for testing
    if [ -z "${NIXOS_ROLLBACK_SKIP_ROOT_CHECK:-}" ] && [ "$(id -u)" -ne 0 ]; then
        error "This script must be run as root (needs write access to /boot/loader)"
        error "Set NIXOS_ROLLBACK_SKIP_ROOT_CHECK=1 for testing against mock paths."
        exit 1
    fi
    # Directories and files
    if [ ! -d "${ENTRIES_DIR}" ]; then
        error "Boot entries directory not found: ${ENTRIES_DIR}"
        exit 1
    fi
    if [ ! -f "${LOADER_CONF}" ]; then
        error "Loader config not found: ${LOADER_CONF}"
        exit 1
    fi
    if [ ! -r "${LOADER_CONF}" ]; then
        error "Cannot read loader config: ${LOADER_CONF}"
        exit 1
    fi
    # Check write access to /boot/loader (parent of loader.conf)
    local loader_dir
    loader_dir="$(dirname "${LOADER_CONF}")"
    if [ ! -w "${loader_dir}" ]; then
        error "Cannot write to ${loader_dir} (insufficient permissions)"
        exit 1
    fi
    # Logfile directory must exist
    local log_dir
    log_dir="$(dirname "${LOGFILE}")"
    if [ ! -d "${log_dir}" ]; then
        warn "Log directory ${log_dir} does not exist, creating it"
        mkdir -p "${log_dir}" 2>/dev/null || {
            error "Cannot create log directory ${log_dir}"
            exit 1
        }
    fi
    # Check --rollback-now dependencies
    if [ "${ROLLBACK_NOW}" = true ]; then
        if ! command -v nixos-rebuild &>/dev/null; then
            error "nixos-rebuild not found on PATH (required for --rollback-now)"
            exit 1
        fi
    fi
 }
 # =============================================================================
 # Generation helpers
 # =============================================================================
 # get_current_default: reads the current default entry from loader.conf
 # Returns: "nixos-generation-N.conf" or empty string
 get_current_default() {
    grep -E '^default\s+' "${LOADER_CONF}" 2>/dev/null \
        | awk '{print $2}' \
        || true
 }
 # extract_gen_number: extracts the numeric generation from a conf filename
 # Input:  "nixos-generation-367.conf"
 # Output: 367
 extract_gen_number() {
    echo "$1" | sed 's/nixos-generation-//;s/\.conf//'
 }
 # get_all_gen_numbers: returns sorted list of generation numbers from entries dir
 get_all_gen_numbers() {
    local -a gens=()
    local f n
    for f in "${ENTRIES_DIR}"/nixos-generation-*.conf; do
        [ -f "${f}" ] || continue
        n="$(basename "${f}" | sed 's/nixos-generation-//;s/\.conf//')"
        gens+=("${n}")
    done
    if [ "${#gens[@]}" -eq 0 ]; then
        return 1
    fi
    # Sort numerically and output
    printf '%s\n' "${gens[@]}" | sort -n
 }
 # get_previous_gen: given current generation number, find the previous one
 # from the list of all available generations
 get_previous_gen() {
    local current="$1"
    shift
    local -a gens=("$@")
    local prev=""
    local g
    for g in "${gens[@]}"; do
        if [ "${g}" -lt "${current}" ]; then
            prev="${g}"
        fi
    done
    if [ -z "${prev}" ]; then
        return 1
    fi
    echo "${prev}"
 }
 # =============================================================================
 # Main rollback logic
 # =============================================================================
 do_rollback() {
    # Step 1: Read current default
    local current_entry
    current_entry="$(get_current_default)"
    if [ -z "${current_entry}" ]; then
        error "No 'default' entry found in ${LOADER_CONF}"
        error "Cannot determine current generation — aborting"
        exit 1
    fi
    info "Current default boot entry: ${current_entry}"
    # Step 2: Build sorted list of all available generations
    local -a all_gens=()
    local line
    while IFS= read -r line; do
        all_gens+=("${line}")
    done < <(get_all_gen_numbers || true)
    if [ "${#all_gens[@]}" -eq 0 ]; then
        error "No NixOS generation .conf files found in ${ENTRIES_DIR}"
        exit 1
    fi
    info "Available generations: ${all_gens[*]}"
    # Step 3: Find current generation number
    local current_gen
    current_gen="$(extract_gen_number "${current_entry}")"
    # Verify current_gen is a valid number
    if ! [[ "${current_gen}" =~ ^[0-9]+$ ]]; then
        error "Could not parse generation number from '${current_entry}'"
        exit 1
    fi
    # Step 4: Find the previous generation
    local prev_gen
    prev_gen="$(get_previous_gen "${current_gen}" "${all_gens[@]}")" || {
        error "No previous generation found before generation ${current_gen}"
        error "This is the oldest available generation — cannot roll back further"
        exit 2
    }
    local prev_entry="nixos-generation-${prev_gen}.conf"
    local prev_conf_path="${ENTRIES_DIR}/${prev_entry}"
    if [ ! -f "${prev_conf_path}" ]; then
        error "Previous generation entry not found: ${prev_conf_path}"
        error "The .conf file for generation ${prev_gen} is missing — cannot roll back"
        exit 1
    fi
    info "Target rollback generation: ${prev_gen} → ${prev_entry}"
    # Step 5: Apply the rollback
    if [ "${DRY_RUN}" = true ]; then
        echo ""
        echo " ${CYAN}[DRY RUN]${NC} Would change ${LOADER_CONF}:"
        echo "   ${YELLOW}-${NC} default ${current_entry}"
        echo "   ${GREEN}+${NC} default ${prev_entry}"
        echo ""
        info "DRY RUN — no changes made"
        exit 0
    fi
    # Write new default
    # Use sed with a backup (.bak)
    sed -i.bak "s/^default\s\+${current_entry}/default ${prev_entry}/" "${LOADER_CONF}"
    # Verify the change was applied
    local new_default
    new_default="$(get_current_default)"
    if [ "${new_default}" != "${prev_entry}" ]; then
        error "Failed to set default boot entry to ${prev_entry}"
        error "Current default is still: ${new_default}"
        # Attempt to restore backup
        if [ -f "${LOADER_CONF}.bak" ]; then
            cp "${LOADER_CONF}.bak" "${LOADER_CONF}"
            info "Restored backup from ${LOADER_CONF}.bak"
        fi
        exit 1
    fi
    info "Successfully set default boot entry to ${prev_entry} (generation ${prev_gen})"
    info "Backup of previous config saved to ${LOADER_CONF}.bak"
    # Step 6: Optionally run nixos-rebuild switch --rollback
    if [ "${ROLLBACK_NOW}" = true ]; then
        echo ""
        info "Running nixos-rebuild switch --rollback for immediate effect..."
        if nixos-rebuild switch --rollback 2>&1 | while IFS= read -r line; do
            logger -t "${SYSLOG_IDENT}" "nixos-rebuild: ${line}"
            echo "    ${line}"
        done; then
            info "nixos-rebuild switch --rollback completed successfully"
        else
            local rc=$?
            error "nixos-rebuild switch --rollback failed with exit code ${rc}"
            error "The boot default has been changed but the current system was NOT rolled back"
            error "Reboot to apply the rollback"
            exit 3
        fi
    fi
    info "Rollback complete. Next boot will use generation ${prev_gen}."
    if [ "${ROLLBACK_NOW}" = false ]; then
        echo ""
        echo " ${YELLOW}NOTE:${NC} The current running system is unchanged."
        echo "       Reboot to boot into generation ${prev_gen}."
        echo "       Or re-run with --rollback-now for immediate effect."
    fi
 }
 # =============================================================================
 # Main
 # =============================================================================
 main() {
    # Parse arguments
    while [ $# -gt 0 ]; do
        case "$1" in
            --dry-run)
                DRY_RUN=true
                shift
                ;;
            --rollback-now)
                ROLLBACK_NOW=true
                shift
                ;;
            -h|--help)
                usage
                exit 0
                ;;
            *)
                echo >&2 "Unknown option: $1"
                echo >&2 "Use --help for usage information."
                exit 1
                ;;
        esac
    done
    echo ""
    echo " ${CYAN}═══ NixOS systemd-boot Rollback ═══${NC}"
    echo ""
    preflight
    if [ "${DRY_RUN}" = true ]; then
        info "DRY RUN mode — no changes will be made"
    fi
    if [ "${ROLLBACK_NOW}" = true ]; then
        info "ROLLBACK NOW mode — will also run nixos-rebuild switch --rollback"
    fi
    echo ""
    do_rollback
 }
 main "$@"
--- a/modules/nixos/services/rollback-sentinel.nix
+++ b/modules/nixos/services/rollback-sentinel.nix
@@ -0,0 +1,184 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.rollbackSentinel;
  # ── Scripts ────────────────────────────────────────────────────────────────
  # Sentinel check — verifies Tier-1 services are active after boot.
  # Exits nonzero when any Tier-1 service is down, which triggers the rollback.
  sentinelCheck = pkgs.writeShellScriptBin "sentinel-check.sh" ''
    #!/usr/bin/env bash
    set -euo pipefail
    SYSLOG_IDENT="nixos-sentinel"
    LOGFILE="/var/log/nixos-sentinel.log"
    echo "=== NixOS Sentinel Check ==="
    echo "Tier-1 services: ${builtins.toString cfg.tier1Services}"
    echo "Tier-2 services: ${builtins.toString cfg.tier2Services}"
    FAILED=0
    # Check Tier-1 services — any failure means rollback
    for svc in ${builtins.toString cfg.tier1Services}; do
      if systemctl is-active --quiet "$svc" 2>/dev/null; then
        echo "  [OK]  Tier-1: $svc"
      else
        echo "  [FAIL] Tier-1: $svc is NOT active"
        logger -t "$SYSLOG_IDENT" -p user.err "Tier-1 FAILURE: $svc is not active"
        FAILED=1
      fi
    done
    # Check Tier-2 services — warn only
    for svc in ${builtins.toString cfg.tier2Services}; do
      if systemctl is-active --quiet "$svc" 2>/dev/null; then
        echo "  [OK]  Tier-2: $svc"
      else
        echo "  [WARN] Tier-2: $svc is NOT active"
        logger -t "$SYSLOG_IDENT" -p user.warn "Tier-2 WARNING: $svc is not active"
      fi
    done
    echo "=== Sentinel result: $([ "$FAILED" -eq 0 ] && echo 'PASS' || echo 'FAIL') ==="
    echo "$(date '+%Y-%m-%d %H:%M:%S') [INFO] sentinel $([ "$FAILED" -eq 0 ] && echo 'PASS' || echo 'FAIL')" >> "$LOGFILE"
    exit $FAILED
  '';
  # Rollback script — package the companion shell script from this directory.
  # Uses builtins.readFile to embed the content at evaluation time.
  rollbackScript = pkgs.writeShellScriptBin "nixos-rollback.sh" (builtins.readFile ./nixos-rollback.sh);
  # Resolve rollback flags from config
  rollbackFlags =
    if cfg.rollbackMode == "dry-run" then "--dry-run"
    else if cfg.rollbackMode == "rollback-now" then "--rollback-now"
    else "";
 in {
  options.services.rollbackSentinel = {
    enable = mkEnableOption "NixOS Rollback Sentinel — auto-rollback on critical service failure";
    tier1Services = mkOption {
      type = types.listOf types.str;
      default = [ "sshd" "docker" "traefik" "authelia" ];
      description = ''
        Tier-1 services whose failure triggers an automatic systemd-boot rollback.
        On boot, the sentinel waits ${cfg.bootDelay} seconds, then checks each
        service. If ANY service in this list is inactive, it runs the rollback
        script which sets the previous NixOS generation as the default boot entry.
      '';
    };
    tier2Services = mkOption {
      type = types.listOf types.str;
      default = [
        "gitea" "hermes" "ollama" "synapse" "nextcloud"
        "vaultwarden" "wireguard" "homeassistant" "fail2ban"
      ];
      description = ''
        Tier-2 services whose failure is logged as a warning but does NOT trigger
        an automatic rollback. Useful for detecting non-critical service issues.
      '';
    };
    tier3InfoServices = mkOption {
      type = types.listOf types.str;
      default = [
        "act_runner" "syncthing" "restic" "fava"
        "homer" "cups" "fstrim"
      ];
      description = ''
        Tier-3 informational checks (log-only, no warning). These are services
        that the sentinel will note the status of for diagnostics.
      '';
    };
    bootDelay = mkOption {
      type = types.str;
      default = "120";
      description = ''
        Seconds to wait after multi-user.target before running the boot-time
        sentinel check. This gives Tier-1 services time to start before
        the sentinel decides they've failed.
      '';
    };
    rollbackMode = mkOption {
      type = types.enum [ "set-default" "rollback-now" "dry-run" ];
      default = "set-default";
      description = ''
        Rollback strategy when Tier-1 failures are detected:
        - set-default: Write the previous generation to loader.conf (next reboot).
        - rollback-now: Also run nixos-rebuild switch --rollback for immediate fix.
        - dry-run: Log what would happen but take no action (testing).
      '';
    };
    enablePostRebuild = mkOption {
      type = types.bool;
      default = true;
      description = ''
        When enabled, the sentinel check runs after every nixos-rebuild switch
        activation. If a newly deployed generation has Tier-1 failures, it
        triggers rollback immediately.
      '';
    };
  };
  config = mkIf cfg.enable {
    # ── Deploy scripts to PATH ───────────────────────────────────────────────
    environment.systemPackages = [ sentinelCheck rollbackScript ];
    # Ensure log directory exists
    systemd.tmpfiles.rules = [
      "d /var/log/nixos-sentinel 0755 root root -"
    ];
    # ── Boot-time sentinel service ───────────────────────────────────────────
    # Runs after multi-user.target with a configurable delay, checks Tier-1
    # services, and triggers rollback if any are down.
    systemd.services.nixos-sentinel = {
      description = "NixOS Boot Sentinel — check critical services, roll back on failure";
      after = [ "network.target" "multi-user.target" ];
      wants = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      path = with pkgs; [ coreutils gawk gnused systemd ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        ExecStartPre = "${pkgs.coreutils}/bin/sleep ${cfg.bootDelay}";
        ExecStart = "${sentinelCheck}/bin/sentinel-check.sh";
        ExecStartPost = "${rollbackScript}/bin/nixos-rollback.sh ${rollbackFlags}";
      };
    };
    # ── Post-rebuild sentinel service (triggered by activation script) ──────
    systemd.services.nixos-sentinel-rebuild = mkIf cfg.enablePostRebuild {
      description = "NixOS Post-Rebuild Sentinel — check services after nixos-rebuild";
      after = [ "network.target" ];
      path = with pkgs; [ coreutils gawk gnused systemd ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${sentinelCheck}/bin/sentinel-check.sh";
        ExecStartPost = "${rollbackScript}/bin/nixos-rollback.sh ${rollbackFlags}";
      };
    };
    # Activation script — fires after every nixos-rebuild switch
    system.activationScripts.rollback-sentinel = mkIf cfg.enablePostRebuild ''
      # Start the post-rebuild sentinel in the background.
      # This runs on every activation (boot + nixos-rebuild). On boot the
      # boot-time service handles it, so this is primarily for nixos-rebuild,
      # but running twice is safe (idempotent rollback).
      systemctl start nixos-sentinel-rebuild.service --no-block 2>/dev/null || true
    '';
  };
 }
--- a/users/ai-worker.nix
+++ b/users/ai-worker.nix
@@ -4,9 +4,7 @@
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
-    # SECURITY: ai-worker is NOT in the docker group.
+    extraGroups = [ "docker" ];
    # Docker access is restricted via sudo whitelist — only specific subcommands allowed.
    # extraGroups = [ "docker" ]; — REMOVED: docker group gives unrestricted docker daemon access
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
      keys.users.ai-worker.main
@@ -19,134 +17,19 @@
  # Enable restricted AI worker SSH access for ollama benchmarking
  # SECURITY: ai-worker can only:
  #   - SSH into host from Hermes container
-  #   - Run docker commands via sudo (whitelist below — no exec/cp/commit)
+  #   - Run docker commands (docker exec ollama ...) via docker group
  #   - Run specific security audit commands
  #   - NO access to infra repo (no bind mount)
-  #   - NO nix/nixos-rebuild/nh commands
+  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
-  # WORKFLOW: SSH from Hermes container, run docker commands via sudo, return and save results
+  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
  services.aiWorkerAccess = true;
-  # Restricted sudo for ai-worker
+  # Restricted sudo for ai-worker - security checks only
  # IMPORTANT: ai-worker is NOT in docker group. All docker access goes through sudo.
  # Only the subcommands listed below are allowed — everything else is denied.
  # This prevents: docker exec, docker cp, docker commit, and other file-modifying operations.
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
      commands = [
-        # === Docker commands: lifecycle management (NO file modification) ===
+        # Firewall checks
        # ps/inspect/logs — read-only status checks
        {
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker logs *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker images";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker info";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker version";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker stats *";
          options = [ "NOPASSWD" ];
        }
        # start/stop/restart — container lifecycle
        {
          command = "/run/current-system/sw/bin/docker start *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker stop *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker restart *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker rm *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker rmi *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker wait *";
          options = [ "NOPASSWD" ];
        }
        # pull/build/run — image management and container creation
        {
          command = "/run/current-system/sw/bin/docker pull *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker build *";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker run *";
          options = [ "NOPASSWD" ];
        }
        # compose — orchestration
        {
          command = "/run/current-system/sw/bin/docker compose *";
          options = [ "NOPASSWD" ];
        }
        # system — disk cleanup
        {
          command = "/run/current-system/sw/bin/docker system *";
          options = [ "NOPASSWD" ];
        }
        # network — list only (create/modify not needed)
        {
          command = "/run/current-system/sw/bin/docker network ls";
          options = [ "NOPASSWD" ];
        }
        # volume — list only (create/modify not needed)
        {
          command = "/run/current-system/sw/bin/docker volume ls";
          options = [ "NOPASSWD" ];
        }
        # === EXPLICITLY DENIED docker commands (not in whitelist — sudo rejects them) ===
        # docker exec     — executes arbitrary commands inside running containers (FILE MODIFICATION)
        # docker cp       — copies files between containers and host (FILE ACCESS)
        # docker commit   — creates images from running containers (DATA EXFIL)
        # docker diff     — inspects filesystem changes (INFO LEAK)
        # docker export   — exports container filesystem (DATA EXFIL)
        # docker import   — imports filesystem archives
        # docker load     — loads docker images
        # docker save     — saves docker images to tar (DATA EXFIL)
        # docker attach   — attaches to running containers (INTERACTIVE ACCESS)
        # docker push     — pushes images to registries (DATA EXFIL)
        # docker tag      — renames images
        # docker create   — creates containers (use 'docker run' instead)
        # docker plugin   — manages plugins
        # docker network create/rm — network management
        # docker volume create/rm  — volume management
        # === Firewall checks ===
        {
          command = "/run/wrappers/bin/sudo iptables -L -n -v";
          options = [ "NOPASSWD" ];
@@ -155,8 +38,7 @@
          command = "/run/wrappers/bin/sudo iptables -S";
          options = [ "NOPASSWD" ];
        }
-
+        # Fail2ban status
        # === Fail2ban status ===
        {
          command = "/run/current-system/sw/bin/fail2ban-client status";
          options = [ "NOPASSWD" ];
@@ -169,8 +51,7 @@
          command = "/run/current-system/sw/bin/fail2ban-client get * banned";
          options = [ "NOPASSWD" ];
        }
-
+        # Log inspection
        # === Log inspection ===
        {
          command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
          options = [ "NOPASSWD" ];
@@ -183,14 +64,21 @@
          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
          options = [ "NOPASSWD" ];
        }
-
+        # SSH config verification
        # === SSH config verification ===
        {
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
-
+        # Docker service checks
-        # === Network diagnostics ===
+        {
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";
          options = [ "NOPASSWD" ];