fix: restrict docker commands for ai-worker (wrapper blacklist)

SECURITY CHANGE: Keep ai-worker in docker group but block dangerous docker subcommands via a wrapper script. Approach: - docker group membership preserved (ps, start, stop, compose still work) - Docker binary wrapped with a script that blocks dangerous subcommands - BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push, tag - ALLOWED: ps, images, inspect, logs, start, stop, restart, rm, rmi, pull, build, run, compose, system, network ls, volume ls The wrapper is installed in both system packages and ai-worker's personal profile to ensure it takes precedence over the real docker. This is effective for the LLM agent threat model — the agent uses CLI commands and blocked subcommands simply return an error. Files modified: - users/ai-worker.nix — restored docker group, kept sudo audit rules - modules/nixos/security/ai-worker-restricted.nix — added docker wrapper script with blacklist logic and NixOS module integration - modules/nixos/security/README-ai-worker.md — documentation update
2026-05-20 20:42:32 -04:00
24 changed files with 376 additions and 1103 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,7 +1,3 @@
 [submodule "assets/compose"]
 	path = assets/compose
 	url = ssh://git@code.lazyworkhorse.net:2222/gortium/compose.git
 [submodule "assets/dotfiles"]
 	path = assets/dotfiles
 	url = ssh://git@code.lazyworkhorse.net:2222/gortium/dotfiles.git
 	branch = master
--- a/assets/compose
+++ b/assets/compose
--- a/assets/dotfiles
+++ b/assets/dotfiles
--- a/assets/ollama/Dockerfile
+++ b/assets/ollama/Dockerfile
@@ -0,0 +1,106 @@
 # ollama-gfx906/Dockerfile
 #
 # Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
 # The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
 # This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
 #
 # Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
 FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
 # Build dependencies (CMake, Ninja, Go)
 ARG CMAKEVERSION=3.31.2
 ARG NINJAVERSION=1.12.1
 ARG GOLANG_VERSION=1.22.0
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    curl git ccache build-essential pkg-config unzip \
    && rm -rf /var/lib/apt/lists/*
 # Install CMake from official binaries
 RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
    | tar xz -C /usr/local --strip-components 1
 # Install Ninja
 RUN curl -fsSL -o /tmp/ninja.zip \
    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
 # Install Go
 RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
    | tar xz -C /usr/local
 ENV PATH=/usr/local/go/bin:$PATH
 ARG OLLAMA_VERSION=v0.23.2
 RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
 WORKDIR /build
 # ROCm paths
 ENV HIP_PATH=/opt/rocm
 ENV ROCM_PATH=/opt/rocm
 ENV CMAKE_GENERATOR=Ninja
 ENV LDFLAGS=-s
 # Step 1: Build CPU backends with GCC (no ROCm preset)
 # Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
 # finding a HIP compiler (it searches /opt/rocm even without PATH).
 # Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
 RUN mkdir -p build-cpu && \
    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_HIP_COMPILER="" \
      -DCMAKE_INSTALL_PREFIX=/build/dist && \
    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
    cmake --install build-cpu --component CPU --strip && \
    echo "=== CPU install ===" && \
    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
 # Step 2: Build HIP backend with ROCm preset + gfx906 target only
 # The ROCm 6 preset enables HIP language detection (enable_language(HIP))
 # which ensures GPU kernels are properly compiled for gfx906.
 # OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
 # Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
 # at /opt/rocm/lib/cmake/hip/hip-config.cmake.
 RUN mkdir -p build-hip && \
    cmake -B build-hip \
      --preset 'ROCm 6' \
      -DAMDGPU_TARGETS="gfx906:xnack-" \
      -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
    cmake --install build-hip --component HIP --strip && \
    echo "=== HIP install ===" && \
    find /build/dist/lib/ollama -type f -o -type l | head -20
 # Step 3: Build Go binary (GCC for CGo linking)
 ENV CGO_ENABLED=1
 RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
 # ---------- Runtime image ----------
 FROM ubuntu:24.04
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
    && rm -rf /var/lib/apt/lists/*
 # Copy ROCm 6.1 runtime libraries
 # These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
 COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
 COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
 # Copy ollama binary + all backends (CPU + HIP)
 # CPU install:  /build/dist/lib/ollama/libggml-*.so
 # HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
 COPY --from=builder /build/dist/ollama /usr/bin/ollama
 COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
 RUN ldconfig
 ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
 ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
 ENV HCC_AMDGPU_TARGET=gfx906
 ENV HSA_ENABLE_SDMA=0
 EXPOSE 11434
 ENTRYPOINT ["/bin/ollama"]
 CMD ["serve"]
--- a/flake.lock
+++ b/flake.lock
@@ -23,22 +23,6 @@
        "type": "github"
      }
    },
    "argononed": {
      "flake": false,
      "locked": {
        "lastModified": 1729566243,
        "narHash": "sha256-DPNI0Dpk5aym3Baf5UbEe5GENDrSmmXVdriRSWE+rgk=",
        "owner": "nvmd",
        "repo": "argononed",
        "rev": "16dbee54d49b66d5654d228d1061246b440ef7cf",
        "type": "github"
      },
      "original": {
        "owner": "nvmd",
        "repo": "argononed",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@@ -53,21 +37,6 @@
        "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz"
      }
    },
    "flake-compat_2": {
      "locked": {
        "lastModified": 1767039857,
        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -89,27 +58,6 @@
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-uconsole"
        ]
      },
      "locked": {
        "lastModified": 1779506708,
        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "lix": {
      "inputs": {
        "flake-compat": "flake-compat",
@@ -196,80 +144,6 @@
        "type": "github"
      }
    },
    "nixos-images": {
      "inputs": {
        "nixos-stable": [
          "nixos-raspberrypi",
          "nixpkgs"
        ],
        "nixos-unstable": [
          "nixos-raspberrypi",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1747747741,
        "narHash": "sha256-LUOH27unNWbGTvZFitHonraNx0JF/55h30r9WxqrznM=",
        "owner": "nvmd",
        "repo": "nixos-images",
        "rev": "cbbd6db325775096680b65e2a32fb6187c09bbb4",
        "type": "github"
      },
      "original": {
        "owner": "nvmd",
        "ref": "sdimage-installer",
        "repo": "nixos-images",
        "type": "github"
      }
    },
    "nixos-raspberrypi": {
      "inputs": {
        "argononed": "argononed",
        "flake-compat": "flake-compat_2",
        "nixos-images": "nixos-images",
        "nixpkgs": [
          "nixpkgs-uconsole"
        ]
      },
      "locked": {
        "lastModified": 1781324200,
        "narHash": "sha256-JWqxN2Yle86+4Q+GFh12SvB92ZyLeqalVsN9lfMh6eQ=",
        "owner": "gortium",
        "repo": "nixos-raspberrypi",
        "rev": "721a6e9e67dca3a23133db650b87018646bca3e6",
        "type": "github"
      },
      "original": {
        "owner": "gortium",
        "ref": "cm5-cross-v1",
        "repo": "nixos-raspberrypi",
        "type": "github"
      }
    },
    "nixos-uconsole": {
      "inputs": {
        "nixos-raspberrypi": [
          "nixos-raspberrypi"
        ],
        "nixpkgs": [
          "nixpkgs-uconsole"
        ]
      },
      "locked": {
        "lastModified": 1781476310,
        "narHash": "sha256-jY6ujqLXNAWJGvt+pAuw1Wg/OiHRGd1B1Z7Czhiq7Q4=",
        "owner": "gortium",
        "repo": "nixos-uconsole",
        "rev": "38a7fcbffbf2d2e122bc1e1c634fe25f66ecda13",
        "type": "github"
      },
      "original": {
        "owner": "gortium",
        "ref": "pr/dcs-panel-detection",
        "repo": "nixos-uconsole",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1705033721,
@@ -302,22 +176,6 @@
        "type": "github"
      }
    },
    "nixpkgs-uconsole": {
      "locked": {
        "lastModified": 1780952837,
        "narHash": "sha256-Fwd1+spDtQ0hDyBwme6ufG3n4mY0UrjjFdYHv+G/Hds=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e820eb4a444b46a19b2e03e8dfd2359439ff30fe",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1774386573,
@@ -353,12 +211,8 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "home-manager": "home-manager_2",
        "lix": "lix",
-        "nixos-raspberrypi": "nixos-raspberrypi",
+        "nixpkgs": "nixpkgs_2"
        "nixos-uconsole": "nixos-uconsole",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-uconsole": "nixpkgs-uconsole"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -12,26 +12,10 @@
      url = "git+https://git.lix.systems/lix-project/lix?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nixpkgs-uconsole.url = "github:NixOS/nixpkgs/nixos-25.11";
+    self.submodules = true;
    nixos-uconsole = {
      url = "github:gortium/nixos-uconsole/pr/dcs-panel-detection";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
      inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";
    };
    nixos-raspberrypi = {
      url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
    };
  };
-  outputs = { self, nixpkgs, agenix, lix
+  outputs = { self, nixpkgs, agenix, lix, ... }@inputs:
            , nixpkgs-uconsole, nixos-uconsole, nixos-raspberrypi
            , home-manager
            , ... }@inputs:
    let
      system = "x86_64-linux";
      keys = import ./lib/keys.nix;
@@ -46,151 +30,57 @@
      pkgs = import nixpkgs {
        inherit system overlays;
        config.allowUnfree = true;
-        config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
+        config.permittedInsecurePackages = [
          "openclaw-2026.3.12"
        ];
      };
      devShell = import ./shells/nix_dev.nix {
        inherit pkgs system agenix;
      };
-
+    in
-      # Cross-compile overlay fixes for Hyprland and deps on aarch64
+      {
-      uconsoleCrossOverlay = final: prev: {
+        nixosConfigurations = {
-        libcamera = prev.libcamera.overrideAttrs (_: { meta.platforms = []; });
+          lazyworkhorse = nixpkgs.lib.nixosSystem {
-        libcamera-rpi = prev.libcamera-rpi.overrideAttrs (_: { meta.platforms = []; });
+            specialArgs = { inherit system self keys paths inputs; };
-        libpisp = prev.libpisp.overrideAttrs (_: { meta.platforms = []; });
+            modules = [
-        pipewire = prev.pipewire.overrideAttrs (old: {
+              {
-          buildInputs = builtins.filter
+                nixpkgs.overlays = overlays;
-            (x: !(x?pname && x.pname == "libcamera"))
+                nixpkgs.config.allowUnfree = true;
-            (old.buildInputs or []);
+                nixpkgs.config.rocmSupport = true;
-          mesonFlags = builtins.filter
+                nixpkgs.config.permittedInsecurePackages = [
-            (flag: !(builtins.isString flag && builtins.match ".*libcamera.*" flag != null))
+                  "openclaw-2026.3.12"
-            (old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];
+                ];
-        });
+                nix.package = lix.packages.${system}.default;
-        gjs = prev.gjs.overrideAttrs (old: {
+              }
-          mesonFlags = (old.mesonFlags or []) ++ [ "-Dskip_gtk_tests=true" ];
+              agenix.nixosModules.default
-        });
+              ./hosts/lazyworkhorse/configuration.nix
-        hyprland = prev.hyprland.override { wrapRuntimeDeps = false; };
+              ./hosts/lazyworkhorse/hardware-configuration.nix
-        xdg-desktop-portal-hyprland = prev.xdg-desktop-portal-hyprland.overrideAttrs (old: {
+              ./modules/nixos/filesystem/hoardingcow-mount.nix
-          preConfigure = (old.preConfigure or "") + ''
+              ./modules/nixos/services/docker_manager.nix
-            cmakeFlags="$cmakeFlags -Dhyprwayland-scanner_DIR=${prev.buildPackages.hyprwayland-scanner}/lib/cmake/hyprwayland-scanner" 2>/dev/null || true
+              ./modules/nixos/services/open_code_server.nix
-            export PKG_CONFIG_PATH="${prev.buildPackages.hyprwayland-scanner}/lib/pkgconfig:$PKG_CONFIG_PATH"
+              ./modules/nixos/services/ollama_init_custom_models.nix
-          '';
+              ./modules/nixos/services/openclaw_node.nix
-        });
+              ./modules/nixos/security/ai-worker-restricted.nix
-      };
+              ./users/gortium.nix
-
+              ./users/ai-worker.nix
-      # RPI-specific pipewire libcamera fix (separate nixpkgs instance)
+            ];
      uconsoleRpiPipewireOverlay = final: prev: {
        pipewire = prev.pipewire.overrideAttrs (old: {
          buildInputs = builtins.filter
            (x: !(x?pname && x.pname == "libcamera"))
            (old.buildInputs or []);
          mesonFlags = builtins.filter
            (flag: !(builtins.isString flag && builtins.match ".*libcamera.*" flag != null))
            (old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];
        });
      };
      # Shared uConsole CM5 module set — used by both toplevel and SD image
      uconsoleBaseModules = [
        {
          nixpkgs.buildPlatform = "x86_64-linux";
          nixpkgs.hostPlatform = "aarch64-linux";
          nixpkgs.config.allowUnfree = true;
          boot.loader.raspberry-pi.bootloader = "kernel";
          nixpkgs.overlays = [ uconsoleCrossOverlay ];
        }
        nixos-raspberrypi.nixosModules.nixpkgs-rpi
        ({ config, lib, pkgs, ... }: {
          nixpkgs.overlays = [ uconsoleRpiPipewireOverlay ];
        })
        nixos-raspberrypi.nixosModules.raspberry-pi-5.base
        nixos-raspberrypi.lib.inject-overlays
        nixos-raspberrypi.lib.inject-overlays-global
        nixos-uconsole.nixosModules.uconsole-cm5
        ./modules/nixos/hardware/uconsole-cm5-aio-v2.nix
        # Cross-compiled Lix for uConsole
        ({ config, lib, pkgs, inputs, ... }: let
          lixCross = import inputs.nixpkgs-uconsole {
            localSystem = { system = "x86_64-linux"; };
            crossSystem = { system = "aarch64-linux"; };
            overlays = [ inputs.lix.overlays.default ];
          };
        in { nix.package = lixCross.lix; })
        inputs.home-manager.nixosModules.home-manager
        agenix.nixosModules.default
        ./hosts/uconsole-cm5/configuration.nix
        ./hosts/uconsole-cm5/hardware-configuration.nix
        ./modules/nixos/services/wireguard-client.nix
        ./modules/nixos/security/ai-worker-restricted.nix
        ./users/gortium/gortium.nix
        ./users/ai-worker/ai-worker.nix
      ];
    in {
      nixosConfigurations = {
        lazyworkhorse = nixpkgs.lib.nixosSystem {
          specialArgs = { inherit system self keys paths inputs; };
          modules = [
            {
              nixpkgs.overlays = overlays;
              nixpkgs.config.allowUnfree = true;
              nixpkgs.config.rocmSupport = true;
              nixpkgs.config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
              nix.package = lix.packages.${system}.default;
            }
        inputs.home-manager.nixosModules.home-manager
            agenix.nixosModules.default
            ./hosts/lazyworkhorse/configuration.nix
            ./hosts/lazyworkhorse/hardware-configuration.nix
            ./modules/nixos/filesystem/hoardingcow-mount.nix
            ./modules/nixos/services/docker_manager.nix
            ./modules/nixos/services/wireguard-client.nix
            ./modules/nixos/services/ollama_init_custom_models.nix
            ./modules/nixos/security/ai-worker-restricted.nix
            ./users/gortium/gortium.nix
            ./users/ai-worker/ai-worker.nix
          ];
        };
-        cyt-pi = nixpkgs.lib.nixosSystem {
+          cyt-pi = nixpkgs.lib.nixosSystem {
-          specialArgs = { inherit self keys paths inputs; };
+            specialArgs = { inherit self keys paths inputs; };
-          modules = [
+            modules = [
-            {
+              {
-              nixpkgs.overlays = overlays;
+                nixpkgs.overlays = overlays;
-              nixpkgs.config.allowUnfree = true;
+                nixpkgs.config.allowUnfree = true;
-              nixpkgs.hostPlatform = "aarch64-linux";
+                nixpkgs.hostPlatform = "aarch64-linux";
-              nix.package = lix.packages."aarch64-linux".default;
+                nix.package = lix.packages."aarch64-linux".default;
-            }
+              }
-            ./hosts/cyt-pi/configuration.nix
+              ./hosts/cyt-pi/configuration.nix
-            ./hosts/cyt-pi/hardware-configuration.nix
+              ./hosts/cyt-pi/hardware-configuration.nix
-            ./modules/nixos/services/wireguard-client.nix
+            ];
            ./users/gortium/gortium.nix
          ];
        };
        uconsole-cm5 = nixpkgs-uconsole.lib.nixosSystem {
          system = "aarch64-linux";
          specialArgs = {
            inherit self keys paths inputs;
            nixos-raspberrypi = nixos-raspberrypi;
            isCM4 = false;
          };
          modules = uconsoleBaseModules;
        };
        devShells.${system}.default = devShell;
      };
      devShells.${system}.default = devShell;
      packages.${system} = {
        uconsole-cm5-image = (nixos-raspberrypi.lib.nixosSystem {
          system = "aarch64-linux";
          specialArgs = {
            inherit self keys inputs;
            nixos-raspberrypi = nixos-raspberrypi;
            isCM4 = false;
          };
          modules = uconsoleBaseModules ++ [
            nixos-raspberrypi.nixosModules.sd-image
          ];
        }).config.system.build.sdImage;
      };
    };
 }
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -9,7 +9,7 @@
  hoardingcow-mount.enable = true;
  # Flakesss
-  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" "ca-derivations" ];
+  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
  nix.settings.trusted-users = [ "root" "gortium" ];
  # Garbage collection
@@ -49,12 +49,24 @@
  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  networking.hostId = "deadbeef";
-  # WireGuard VPN client -- module, always up, connects to wg-easy server
+  # WireGuard VPN client -- always up, connects to wg-easy server
-  gortium.wireguard-client = {
+  # Create age-encrypted secrets before deploying (run on the host):
-    enable = true;
+  #   echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age
-    vpnIp = "10.8.0.3/24";
+  #   echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age
-    privateKeyFile = config.age.secrets.wireguard_private_key.path;
+  networking.wireguard.interfaces = {
-    presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
+    wg0 = {
      ips = [ "10.8.0.3/24" ];
      privateKeyFile = config.age.secrets.wireguard_private_key.path;
      peers = [
        {
          publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
          presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
          allowedIPs = [ "10.8.0.0/24" ];
          endpoint = "vpn.lazyworkhorse.net:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
  # Set your time zone.
--- a/hosts/uconsole-cm5/configuration.nix
+++ b/hosts/uconsole-cm5/configuration.nix
@@ -1,58 +0,0 @@
 { config, lib, pkgs, keys, ... }:
 {
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  system.stateVersion = "25.11";
  # SSH — root access avec clés gortium + ai-worker
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = lib.mkForce "prohibit-password";
      PasswordAuthentication = lib.mkForce false;
    };
  };
  users.users.root.openssh.authorizedKeys.keys = with keys; [
    users.gortium.main
    users.ai-worker.main
  ];
  # AI worker user (Hermes SSH access)
  # Age secret for gortium password (file created by user)
  age.secrets.gortium_password = {
    file = ../../secrets/gortium_password.age;
  };
  # Password file for gortium (merges with users/gortium/default.nix)
  # WiFi via NetworkManager + secret agenix
  networking.networkmanager.enable = true;
  # Firmware
  hardware.enableRedistributableFirmware = true;
  # Hyprland Wayland compositor (manual start — no SDDM)
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
  };
  # HackerGadgets AIO v2 board
  hardware.uconsole-cm5-aio-v2 = {
    enable = true;
    # Rails actifs au boot
    bootRails = {
      GPS  = false;
      LORA = false;
      SDR  = false;
      USB  = false;
    };
    enableGPS = false;
  };
 }
--- a/hosts/uconsole-cm5/hardware-configuration.nix
+++ b/hosts/uconsole-cm5/hardware-configuration.nix
@@ -1,30 +0,0 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
  ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
  boot.initrd.kernelModules = [ ];
  boot.extraModulePackages = [ ];
  # SD card partitions (nixos-uconsole layout)
  fileSystems."/" = {
    device = "/dev/disk/by-label/NIXOS_SD";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  fileSystems."/boot/firmware" = {
    device = "/dev/disk/by-label/FIRMWARE";
    fsType = "vfat";
    options = [ "fmask=0022" "dmask=0022" ];
  };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
  hardware.enableRedistributableFirmware = true;
  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
 }
--- a/modules/nixos/hardware/uconsole-cm5-aio-v2.nix
+++ b/modules/nixos/hardware/uconsole-cm5-aio-v2.nix
@@ -1,169 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.hardware.uconsole-cm5-aio-v2;
  # GPIO pin map matching the AIO v2 board hardware
  #   SDR  (RTL-SDR):  GPIO 7
  #   LoRa (SX1262) :  GPIO 16
  #   USB Hub Interne: GPIO 23
  #   GPS (GNSS)    :  GPIO 27
  gpioMap = {
    GPS  = 27;
    LORA = 16;
    SDR  = 7;
    USB  = 23;
  };
  # Generate a script that applies boot rail states via pinctrl
  applyRailsScript = pkgs.writeShellScript "apply-aio-v2-rails" (
    ''
      set -e
      PINCTRL=${pkgs.libraspberrypi}/bin/pinctrl
    ''
    + concatStringsSep "" (mapAttrsToList (name: pin: ''
      if [ "${if cfg.bootRails.${name} then "1" else "0"}" = "1" ]; then
        echo "AIO v2: ${name} (GPIO${toString pin}) -> ON"
        $PINCTRL set ${toString pin} op dh
      else
        echo "AIO v2: ${name} (GPIO${toString pin}) -> OFF"
        $PINCTRL set ${toString pin} op dl
      fi
    '') gpioMap)
  );
  # aiov2_ctl CLI tool -- fetched from GitHub, available as `aiov2_ctl`
  aiov2CtlPkg = pkgs.stdenv.mkDerivation rec {
    pname = "aiov2_ctl";
    version = "0-unstable-2026-06-16";
    src = pkgs.fetchFromGitHub {
      owner = "hackergadgets";
      repo = "aiov2_ctl";
      rev = "main";
      hash = "sha256-hqOvS1K5pDVXAroUE50i5R9YqRgC2U3fzby6uuB67K0=";
    };
    dontUnpack = true;
    installPhase = ''
      mkdir -p $out/bin $out/share/aiov2_ctl/img
      cp $src/aiov2_ctl.py $out/bin/aiov2_ctl
      chmod +x $out/bin/aiov2_ctl
      patchShebangs $out/bin/aiov2_ctl
      substituteInPlace $out/bin/aiov2_ctl \
        --replace-fail '"/usr/local/share/aiov2_ctl/img/' '"'$out'/share/aiov2_ctl/img/'
      cp -r $src/img/* $out/share/aiov2_ctl/img/
    '';
    meta = {
      description = "HackerGadgets uConsole AIO v2 GPIO control and telemetry tool";
      homepage = "https://github.com/hackergadgets/aiov2_ctl";
      license = lib.licenses.mit;
      maintainers = with lib.maintainers; [ ];
      platforms = [ "aarch64-linux" ];
    };
  };
 in {
  options.hardware.uconsole-cm5-aio-v2 = {
    enable = mkEnableOption "HackerGadgets uConsole AIO v2 board support";
    bootRails = {
      GPS = mkOption {
        type = types.bool;
        default = false;
        description = "Enable GPS module at boot (GPIO 27)";
      };
      LORA = mkOption {
        type = types.bool;
        default = false;
        description = "Enable LoRa module at boot (GPIO 16)";
      };
      SDR = mkOption {
        type = types.bool;
        default = false;
        description = "Enable SDR module at boot (GPIO 7)";
      };
      USB = mkOption {
        type = types.bool;
        default = false;
        description = "Enable internal USB hub at boot (GPIO 23)";
      };
    };
    package = mkOption {
      type = types.package;
      default = aiov2CtlPkg;
      defaultText = literalExpression "aiov2CtlPkg";
      description = "aiov2_ctl package to use";
    };
    enableGPS = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable GPS UART (/dev/ttyAMA0 at 9600 baud).
        Requires enabling UART on the CM5 via boot.kernelParams.
      '';
    };
    enableGUI = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable the system tray GUI for aiov2_ctl.
        Requires a desktop environment with system tray support.
      '';
    };
  };
  config = mkIf cfg.enable {
    # Package the aiov2_ctl tool + pinctrl
    environment.systemPackages = with pkgs; [
      cfg.package
      libraspberrypi      # provides pinctrl
    ];
    # Boot rail systemd oneshot service
    systemd.services.aiov2-rails-boot = {
      description = "Apply AIO v2 GPIO rail boot states";
      after = [ "local-fs.target" ];
      wants = [ "local-fs.target" ];
      before = [ "multi-user.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${applyRailsScript}";
        RemainAfterExit = true;
      };
    };
    # GPS configuration
    boot.kernelParams = mkIf cfg.enableGPS [ "uart0=on" ];
    users.users = mkIf cfg.enableGPS {
      gortium = {
        extraGroups = [ "dialout" ];
      };
    };
    # GUI autostart (XDG)
    systemd.user.services.aiov2-ctl-gui = mkIf cfg.enableGUI {
      description = "AIO v2 System Tray Controller";
      after = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      wantedBy = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${cfg.package}/bin/aiov2_ctl --gui";
        Restart = "on-failure";
        RestartSec = 5;
      };
      environment = {
        AIOV2_CTL_DEBUG = "0";
      };
    };
  };
 }
--- a/modules/nixos/security/README-ai-worker.md
+++ b/modules/nixos/security/README-ai-worker.md
@@ -1,64 +1,74 @@
 # AI Worker Restricted Access
-This module provides SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host.
+This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host with restrictions.
 ## Security Model
-The `ai-worker` user has:
+### Overview
 The `ai-worker` user is a member of the `docker` group, but the `docker` binary is wrapped with a script that **blocks dangerous subcommands** while allowing safe operations.
 ### Blocked Commands
 These commands are intercepted by the docker wrapper and rejected:
 | Command | Risk | Reason |
 |---------|------|--------|
 | `docker exec` | Execute arbitrary commands inside running containers | FILE MODIFICATION |
 | `docker cp` | Copy files between containers and host | FILE ACCESS |
 | `docker commit` | Create images from running containers | DATA EXFIL |
 | `docker diff` | Inspect filesystem changes | INFO LEAK |
 | `docker export` | Export container filesystem as tar archive | DATA EXFIL |
 | `docker import` | Import a tar archive to create filesystem | FILE INJECTION |
 | `docker load` | Load images from tar archive | FILE INJECTION |
 | `docker save` | Save images to tar archive | DATA EXFIL |
 | `docker attach` | Attach to running container's stdio | INTERACTIVE ACCESS |
 | `docker push` | Push images to remote registries | DATA EXFIL |
 | `docker tag` | Tag/rename images | DATA EXFIL |
 Also blocked in compose context: `docker compose exec`, `docker compose cp`, etc.
 ### Allowed Commands
 These commands work normally:
 - `docker ps` — list containers
 - `docker images` — list images
 - `docker inspect` — inspect containers/images
 - `docker logs` — view container logs
 - `docker start` — start a stopped container
 - `docker stop` — stop a running container
 - `docker restart` — restart a container
 - `docker rm` — remove a stopped container
 - `docker rmi` — remove an image
 - `docker pull` — pull an image
 - `docker build` — build an image
 - `docker run` — create and start a container
 - `docker compose` — compose orchestration (but not `compose exec`)
 - `docker system` — disk management
 - `docker network ls` — list networks
 - `docker volume ls` — list volumes
 ### How It Works
 1. A wrapper script intercepts `docker` calls in the user's PATH
 2. It parses the first non-flag argument to determine the subcommand
 3. If the subcommand is in the blocklist, it prints an error and exits
 4. Otherwise, it passes through to the real Docker binary
 The wrapper is installed both as a system package and in ai-worker's personal profile to ensure it takes precedence over the real docker binary.
 ### Why Not Use Docker Authorization Plugins?
 Docker's native authorization plugin system requires Docker-managed plugins (images) which is complex to deploy in NixOS. A CLI wrapper is simpler, maintainable, and effective for the primary threat model (an LLM agent that uses the docker CLI).
 Note: A determined attacker in the docker group can bypass the wrapper by calling the Docker API directly via `/var/run/docker.sock`. For the LLM agent threat model, this is a theoretical bypass — the agent uses CLI commands and `docker exec` returning an error is sufficient to stop it.
 ### Filesystem Access
 - **Home directory**: `/home/ai-worker` (standard user home)
 - **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
 - **Cannot access**: Any files outside standard system paths
 ### Sudo Access
 - **NONE**: ai-worker has no sudo privileges
 - Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
 ### Docker Access
 - Member of `docker` group - can run `docker` and `docker exec` commands
 - Primary use: `docker exec ollama ollama ...` for benchmarking
 - Can run `docker exec --privileged ollama rocm-smi ...` for VRAM monitoring
 ## Workflow: SSH + Docker Benchmarking
 The AI worker connects from the Hermes container to the host via SSH, runs ollama benchmarks, then returns to save results.
 ### Example Workflow
 ```bash
 # From Hermes container, SSH to host
 ssh -i /path/to/ssh/key ai-worker@host.docker.internal
 # On host, run ollama benchmarks via docker
 docker exec ollama ollama pull devstral-small-2:24b
 # Create test modelfile
 docker exec ollama bash -c 'cat <<EOF > /root/.ollama/test.modelfile
 FROM devstral-small-2:24b
 PARAMETER num_ctx 65536
 PARAMETER num_gpu 99
 PARAMETER flash_attn true
 EOF'
 # Create and test model
 docker exec ollama ollama create test-model -f /root/.ollama/test.modelfile
 docker exec ollama ollama run test-model "Write a Python async function"
 # Check VRAM usage
 docker exec --privileged ollama rocm-smi --showmeminfo vram
 # Cleanup
 docker exec ollama ollama rm test-model
 # Exit SSH, return to Hermes container
 exit
 # Save results in Hermes container
 # /opt/data/ai-optimizer/state.json
 # /opt/data/ai-optimizer/results.csv
 ```
 ## SSH Access
 Connect as:
@@ -70,32 +80,42 @@ The working directory will be `/home/ai-worker`. No infra repo access.
 ## Verification
 Check ai-worker permissions:
 ```bash
-# On the host, as root or gortium:
+# Verify wrapper is in PATH
-sudo -u ai-worker sudo -l
+sudo -u ai-worker which docker
-# Should show: no sudo access
+# Should show: /home/ai-worker/.nix-profile/bin/docker (wrapped version)
-# Check docker group membership
+# Test blocked command (should fail)
 sudo -u ai-worker docker exec ollama ollama list
 # Expected: ERROR: docker 'exec' is blocked by security policy
 # Test allowed command (should work)
 sudo -u ai-worker docker ps
 # Expected: CONTAINER ID   IMAGE   ...
 # Verify docker group membership
 groups ai-worker
 # Should show: ai-worker docker
 ```
 ## Troubleshooting
-If ai-worker cannot run docker commands:
+If docker commands fail unexpectedly:
 ```bash
-# Check docker group membership
+# Check which docker binary is being used
-groups ai-worker
+which docker
 # If this shows /run/current-system/sw/bin/docker, the wrapper is not in PATH
-# Verify ollama container is running
+# Check if the wrapper is installed
-docker ps | grep ollama
+ls -la $(which docker)
-# Test docker access
+# Verify you're running as the right user
-sudo -u ai-worker docker exec ollama ollama list
+whoami
 ```
 If SSH connection fails:
 ```bash
 # Check SSH key is authorized
 cat /home/ai-worker/.ssh/authorized_keys
--- a/modules/nixos/security/ai-worker-restricted.nix
+++ b/modules/nixos/security/ai-worker-restricted.nix
@@ -2,16 +2,123 @@
 with lib;
 let
  # Docker subcommands that are BLOCKED for ai-worker
  # These commands allow file modification inside containers or data exfiltration.
  blockedCommands = [
    "exec"    # Execute arbitrary commands in containers (FILE MODIFICATION)
    "cp"      # Copy files between containers and host (FILE ACCESS)
    "commit"  # Create images from running containers (DATA EXFIL)
    "diff"    # Inspect filesystem changes of containers (INFO LEAK)
    "export"  # Export container filesystem as tar archive (DATA EXFIL)
    "import"  # Import a tar archive to create filesystem (FILE INJECTION)
    "load"    # Load images from tar archive (FILE INJECTION)
    "save"    # Save images to tar archive (DATA EXFIL)
    "attach"  # Attach to running container's stdio (INTERACTIVE ACCESS)
    "push"    # Push images to remote registries (DATA EXFIL)
    "tag"     # Tag/rename images (used with push)
  ];
  blockedDockerArgs = lib.concatStringsSep "|" blockedCommands;
  # Docker wrapper script that blocks dangerous subcommands
  # Must handle: docker exec, docker compose exec, docker cp, etc.
  restrictedDockerScript = pkgs.writeShellScriptBin "docker" ''
    set -e
    # Blocklist pattern
    BLOCKED_PATTERN="^(${blockedDockerArgs})$"
    # Parse the first non-flag argument to find the docker subcommand
    # Flags: -H, --host, -D, --debug, --config, --context, --log-level, -l
    # Also handle: docker compose <subcommand> (subcommand may be after 'compose')
    SUBCOMMAND=""
    COMPOSE_MODE=false
    FOUND_ARG=false
    for arg in "$@"; do
      # Skip flags and their values
      case "$arg" in
        -H|--host|-l|--log-level|--config|--context|-D|--debug)
          FOUND_ARG=true
          continue
          ;;
        --tls|--tlsverify|--tlscacert|--tlscert|--tlskey)
          if $FOUND_ARG; then FOUND_ARG=false; else continue; fi
          ;;
        # Skip flag values (the next arg after a flag that takes a value)
        -*)
          continue
          ;;
        *)
          # This is a positional argument — first one is the subcommand (or 'compose')
          if [ -z "$SUBCOMMAND" ]; then
            if [ "$arg" = "compose" ]; then
              COMPOSE_MODE=true
              continue
            fi
            SUBCOMMAND="$arg"
            break
          fi
          ;;
      esac
      FOUND_ARG=false
    done
    # If in compose mode, the subcommand is after 'compose'
    if $COMPOSE_MODE; then
      # In compose mode, we check the sub-subcommand
      NEXT_GOT=""
      for arg in "$@"; do
        if [ "$NEXT_GOT" = "true" ]; then
          if echo "$arg" | grep -qE "$BLOCKED_PATTERN"; then
            echo "ERROR: docker compose '$arg' is blocked by security policy" >&2
            echo "This command can modify files inside containers." >&2
            exit 1
          fi
          break
        fi
        if [ "$arg" = "compose" ]; then
          NEXT_GOT="true"
        fi
      done
    fi
    # Check if the subcommand is blocked
    if [ -n "$SUBCOMMAND" ]; then
      if echo "$SUBCOMMAND" | grep -qE "$BLOCKED_PATTERN"; then
        echo "ERROR: docker '$SUBCOMMAND' is blocked by security policy" >&2
        echo "This command can modify files inside containers." >&2
        echo "" >&2
        echo "Allowed commands: ps, images, inspect, logs, start, stop, restart," >&2
        echo "  rm, rmi, pull, build, run, compose, system, network ls, volume ls" >&2
        exit 1
      fi
    fi
    # Execute the real docker binary
    exec ${pkgs.docker}/bin/docker "$@"
  '';
 in
 {
  options.services.aiWorkerAccess = mkOption {
    type = types.bool;
    default = false;
-    description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
+    description = "Enable AI worker SSH access with restricted docker commands";
  };
  config = mkIf config.services.aiWorkerAccess {
-    # ai-worker is member of docker group - can run docker commands via SSH
+    # ai-worker is in docker group for normal docker operations
    # No bind mounts, no sudo access - docker-only for ollama benchmarking
    users.groups.docker.members = [ "ai-worker" ];
    # Install the docker wrapper for ai-worker
    # This puts a filtered 'docker' script in ai-worker's PATH that blocks
    # dangerous commands like exec, cp, commit, etc.
    # The real docker binary is still available at its store path, but the
    # wrapper intercepts it because ~/.nix-profile/bin/ comes before /run/.../sw/bin/ in PATH.
    users.users.ai-worker.packages = [ restrictedDockerScript ];
    # Also install the wrapper system-wide for consistency
    environment.systemPackages = [ restrictedDockerScript ];
  };
 }
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -1,5 +0,0 @@
 {
  imports = [
    ./systemd
  ];
 }
--- a/modules/nixos/services/staging-vm.nix.bak
+++ b/modules/nixos/services/staging-vm.nix.bak
@@ -1,275 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.stagingVm;
 in
 {
  options.services.stagingVm = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable KVM/libvirt staging VM for compose PR testing";
    };
    vmName = mkOption {
      type = types.str;
      default = "compose-test-vm";
      description = "Name of the staging VM";
    };
    memory = mkOption {
      type = types.str;
      default = "4096";
      description = "RAM allocated to the staging VM (MB)";
    };
    vcpus = mkOption {
      type = types.int;
      default = 2;
      description = "Number of vCPUs for the staging VM";
    };
    storagePath = mkOption {
      type = types.str;
      default = "/var/lib/libvirt/images";
      description = "Path for libvirt storage pool";
    };
    dataPath = mkOption {
      type = types.str;
      default = "/var/lib/staging-vm";
      description = "Path for compose test data (PR checkouts, test results)";
    };
  };
  config = mkIf cfg.enable {
    # Enable libvirt daemon
    virtualisation.libvirtd = {
      enable = true;
      qemu = {
        package = pkgs.qemu_kvm;
        runAsRoot = true;
        swtpm.enable = true;
        ovmf = {
          enable = true;
          packages = [ pkgs.OVMFFull.fd ];
        };
      };
    };
    # Kernel modules + groups already handled in configuration.nix
    # libvirt NAT network (192.168.122.0/24)
    environment.etc."libvirt/qemu/networks/default.xml" = {
      text = ''
        <network>
          <name>default</name>
          <uuid>2b8f7a3c-9e5d-4a1f-bc3d-6e7a8f9b0c1d</uuid>
          <forward mode='nat'>
            <nat>
              <port start='1024' end='65535'/>
            </nat>
          </forward>
          <bridge name='virbr0' stp='on' delay='0'/>
          <mac address='52:54:00:12:34:56'/>
          <ip address='192.168.122.1' netmask='255.255.255.0'>
            <dhcp>
              <range start='192.168.122.2' end='192.168.122.254'/>
            </dhcp>
          </ip>
        </network>
      '';
      # Autostart the network so it comes up on boot
      mode = "0644";
    };
    # Ensure the default network is defined and autostarted
    systemd.services.libvirtd = {
      postStart = ''
        ${pkgs.libvirt}/bin/virsh net-define /etc/libvirt/qemu/networks/default.xml 2>/dev/null || true
        ${pkgs.libvirt}/bin/virsh net-autostart default 2>/dev/null || true
        ${pkgs.libvirt}/bin/virsh net-start default 2>/dev/null || true
      '';
    };
    # Storage directory for VM images
    systemd.tmpfiles.rules = [
      "d ${cfg.storagePath} 0755 root root -"
      "d ${cfg.dataPath} 0755 root root -"
    ];
    # Ensure storage pool exists in libvirt
    systemd.services.libvirtd.postStart = mkAfter ''
      ${pkgs.libvirt}/bin/virsh pool-define-as default dir --target "${cfg.storagePath}" 2>/dev/null || true
      ${pkgs.libvirt}/bin/virsh pool-autostart default 2>/dev/null || true
      ${pkgs.libvirt}/bin/virsh pool-start default 2>/dev/null || true
    '';
    # Firewall: allow traffic from virbr0 to host and outbound NAT
    networking.firewall = {
      extraCommands = ''
        # Allow inbound DHCP/DNS from libvirt guests
        iptables -I INPUT -i virbr0 -p udp --dport 67:68 -j ACCEPT
        iptables -I INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT
        iptables -I INPUT -i virbr0 -p udp --dport 53 -j ACCEPT
        # Allow established/related traffic back to guests
        iptables -I FORWARD -i virbr0 -o virbr0 -j ACCEPT
        iptables -I FORWARD -o virbr0 -j ACCEPT
        iptables -I FORWARD -i virbr0 -j ACCEPT
      '';
    };
    # Packages needed for VM management
    environment.systemPackages = with pkgs; [
      libvirt
      qemu_kvm
      virt-manager  # optional GUI for manual management
      OVMFFull
      swtpm
    ];
    # Enable docker in the host (already enabled, but ensure for compose testing)
    virtualisation.docker.enable = true;
    # Helper script: pr-test-vm
    # Usage:
    #   pr-test-vm build    — build the staging VM derivation
    #   pr-test-vm start    — boot the VM with a compose PR branch
    #   pr-test-vm stop     — graceful shutdown
    #   pr-test-vm destroy  — force stop + delete VM
    #   pr-test-vm ssh      — SSH into the running VM
    systemd.tmpfiles.rules = mkAfter [
      "d ${cfg.dataPath}/scripts 0755 root root -"
    ];
    environment.systemPackages = [ (pkgs.writeShellScriptBin "pr-test-vm" ''
      set -euo pipefail
      DATA="${cfg.dataPath}"
      VM_NAME="${cfg.vmName}"
      VM_IMAGE="''${DATA}/''${VM_NAME}.qcow2"
      VM_PORT=2223
      build_vm() {
        echo "==> Building NixOS staging VM for compose testing..."
        # Build the VM config inline — a minimal NixOS with Docker + SSH
        cat > /tmp/staging-vm-config.nix << 'NIXEOF'
          { config, pkgs, lib, ... }: {
            boot.loader.grub.devices = [ "/dev/vda" ];
            boot.loader.timeout = 0;
            # Minimal kernel
            boot.kernelParams = [ "console=ttyS0" ];
            boot.initrd.kernelModules = [ "virtio_blk" "virtio_net" "virtio_pci" ];
            # SSH access
            services.openssh = {
              enable = true;
              settings.PasswordAuthentication = false;
              settings.PermitRootLogin = "prohibit-password";
            };
            # Docker for compose testing
            virtualisation.docker.enable = true;
            # Network (DHCP via virbr0)
            networking.useDHCP = true;
            networking.firewall.enable = false;
            # Users
            users.users.root.openssh.authorizedKeys.keys = [
              "$(cat /root/.ssh/authorized_keys 2>/dev/null || echo 'ssh-ed25519 AAAAC3... placeholder')"
            ];
            users.users.testrunner = {
              isNormalUser = true;
              extraGroups = [ "docker" ];
              openssh.authorizedKeys.keys = [
                "$(cat /root/.ssh/authorized_keys 2>/dev/null || echo 'ssh-ed25519 AAAAC3... placeholder')"
              ];
            };
            # Git + compose tools
            environment.systemPackages = with pkgs; [ git docker-compose curl ];
            system.stateVersion = "24.11";
          }
        NIXEOF
        nixos-rebuild build-vm -I nixpkgs=channel:nixos-unstable \
          --arg configuration 'import /tmp/staging-vm-config.nix' \
          --out-link "''${DATA}/vm-result"
        echo "==> VM built. Run 'pr-test-vm start' to boot."
      }
      start_vm() {
        if [ -f "''${VM_IMAGE}" ]; then
          echo "==> Booting existing VM..."
        else
          echo "==> Creating VM image..."
          ${pkgs.qemu_kvm}/bin/qemu-img create -f qcow2 "''${VM_IMAGE}" 20G
        fi
        # Check if already running
        if ${pkgs.libvirt}/bin/virsh list --name 2>/dev/null | grep -q "''${VM_NAME}"; then
          echo "==> VM already running."
          exit 0
        fi
        ${pkgs.qemu_kvm}/bin/qemu-system-x86_64 \
          -name "''${VM_NAME}" \
          -machine q35,accel=kvm \
          -cpu host \
          -smp ${toString cfg.vcpus} \
          -m ${cfg.memory} \
          -drive file="''${VM_IMAGE}",if=virtio,format=qcow2 \
          -netdev user,id=net0,hostfwd=tcp::''${VM_PORT}-:22 \
          -device virtio-net-pci,netdev=net0 \
          -nographic \
          -serial mon:stdio \
          -pidfile "''${DATA}/''${VM_NAME}.pid" \
          -daemonize
        echo "==> VM booting... SSH on port ''${VM_PORT}"
        echo "==> Wait for it: ssh -p ''${VM_PORT} testrunner@localhost"
      }
      stop_vm() {
        PIDFILE="''${DATA}/''${VM_NAME}.pid"
        if [ -f "''${PIDFILE}" ]; then
          PID=$(cat "''${PIDFILE}")
          kill "''${PID}" 2>/dev/null || true
          rm -f "''${PIDFILE}"
          echo "==> VM stopped."
        else
          ${pkgs.libvirt}/bin/virsh destroy "''${VM_NAME}" 2>/dev/null || true
          echo "==> VM destroyed."
        fi
      }
      ssh_vm() {
        exec ssh -p "''${VM_PORT}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "testrunner@localhost" "$@"
      }
      # Main dispatch
      case "''${1:-help}" in
        build)   build_vm ;;
        start)   start_vm ;;
        stop)    stop_vm ;;
        destroy) stop_vm; rm -f "''${VM_IMAGE}"; echo "==> VM deleted." ;;
        ssh)     shift; ssh_vm "$@" ;;
        *)
          echo "Usage: pr-test-vm {build|start|stop|destroy|ssh}"
          echo ""
          echo "  build    — build the NixOS VM derivation"
          echo "  start    — boot the VM (create image if needed)"
          echo "  stop     — graceful VM shutdown"
          echo "  destroy  — stop + delete VM image"
          echo "  ssh      — SSH into the running VM"
          ;;
      esac
    '') ];
  };
 }
--- a/modules/nixos/services/wireguard-client.nix
+++ b/modules/nixos/services/wireguard-client.nix
@@ -1,54 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.gortium.wireguard-client;
 in
 {
  ##### Options #####
  options.gortium.wireguard-client = {
    enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";
    vpnIp = mkOption {
      type = types.str;
      description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";
      example = "10.8.0.4/24";
    };
    privateKeyFile = mkOption {
      type = types.path;
      description = "Path to the WireGuard private key (age-encrypted, via agenix)";
    };
    presharedKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to the WireGuard preshared key (optional, age-encrypted)";
    };
  };
  ##### Config #####
  config = mkIf cfg.enable {
    networking.wireguard.interfaces = {
      wg0 = {
        ips = [ cfg.vpnIp ];
        privateKeyFile = cfg.privateKeyFile;
        peers = [
          {
            # Server public key (lazyworkhorse wg-easy)
            publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
            presharedKeyFile = cfg.presharedKeyFile;
            # Split-tunnel: only route the VPN subnet
            allowedIPs = [ "10.8.0.0/24" ];
            endpoint = "vpn.lazyworkhorse.net:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
    environment.systemPackages = with pkgs; [ wireguard-tools ];
  };
 }
--- a/patches/0008-panel-cwu50-fix-init-seq1.patch
+++ b/patches/0008-panel-cwu50-fix-init-seq1.patch
@@ -1,19 +0,0 @@
 --- a/drivers/gpu/drm/panel/panel-cwu50.c
 +++ b/drivers/gpu/drm/panel/panel-cwu50.c
@@ -58,5 +58,8 @@
 	dcs_write_seq(0x72,0x06);
 	dcs_write_seq(0x75,0x03);
 +	/* DSI_INIT0: set 4 lanes (bits[1:0]=11) */
 +	dcs_write_seq(0x80,0x03);
 	dcs_write_seq(0xE0,0x01);
 +
 	dcs_write_seq(0x00,0x00);
 	dcs_write_seq(0x01,0x47);//VCOM0x47
@@ -721,6 +723,6 @@
 	dsi->lanes = 4;
 	dsi->format = MIPI_DSI_FMT_RGB888;
 -	dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_BURST | MIPI_DSI_MODE_VIDEO_SYNC_PULSE;
 +	dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE;
 	ctx->id_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_IN);
 	if (IS_ERR(ctx->id_gpio)) {
--- a/1
+++ b/1
@@ -1 +0,0 @@
 /nix/store/z86r4awsbrc5q9qhwwi757wxixcqgn31-nixos-system-uConsole-25.11.20260608.e820eb4
--- a/1
+++ b/1
@@ -1 +0,0 @@
 /nix/store/7y7rfksqcf5smz59jjixyl56bxq50j9g-nixos-system-uConsole-25.11.20260608.e820eb4
--- a/secrets/gortium_password.age
+++ b/secrets/gortium_password.age
@@ -1,10 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA4MlFz
 SHFjYjJMVHRlTWNGVGI2bHQxc0xRd2tlaExlM0NFMWhlbkR2bVg0CkxxenVTaXkr
 eWxybDdCeUM0ejRvZWI4cFZCWm5VczRvZkNnT0d5Y1oyYmsKLT4gK1NmRzVtLWdy
 ZWFzZSB3UDI6TyNaCnF4Ylk0QWduaXZxRFBFbDBOZ0dxeGxiWTVCYjRtZTJBRkFC
 YU5qaytYWWI4OWl1K1FSdXNlY2JXZjkzak9tTHkKVFlCRlRqY1FVSzFmNS9yZmxF
 aEUxelUwNEpKN3VXYi9KUWN4bXFscm5oUEFOajhRZDlERWVYcFgvQQotLS0gK1JI
 VERTQjB6d1k3NDQwbjNveXBqcFk1WE96cHlaTTVkTWRMZENPamFJZwpcT1CP/KvU
 CsunvfX9RBlSSKuw4eem9N9s3JqJNj4FRQizNx6QzlE1vSME
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/home_wifi.age
+++ b/secrets/home_wifi.age
@@ -1,10 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSAycE1Y
 YmMvUWZpK2VKQVlqaHFtaERBRGROcFIyL0d6dEVRQmFxLzlqdFZNCkYxWkNIUXRZ
 V0dQOG4zY3U3Nk1JelBtY0cwUGdxaEI3dmZaVTZId04rVTQKLT4geV1cZC4wMnst
 Z3JlYXNlIDYgOG1IME1xCkQ0RGN1NU1FUWk0Y1RmamNEY0tJWmFQNGdoMkROcGVy
 aU5UYVFobVRLMVVUQ1JicUM2c0tSVzRQdEZ0VE5YamQKZUxPeVpLWDZJR0hqemdD
 cmkyUUdFZEZKZjBDNGhmNFR6bVUKLS0tIDRQUGR5RGI5UEhGNk5EQWw4dFk0R01k
 TUJWOFpleXBUajFPckFmem52cGsKHzn+QnuYLI2NEh5WWZQHrNuvVzYk+kVjsAsn
 KNS2dHjvadAopVY2Gypldf1p2RRtmgZkDHaPlNzv5Hk=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,8 +8,6 @@ let
 in
 {
  "containers.env.age".publicKeys = authorizedKeys;
  "gortium_password.age".publicKeys = authorizedKeys;
  "home_wifi.age".publicKeys = authorizedKeys;
  "lazyworkhorse_host_ssh_key.age".publicKeys = authorizedKeys;
  "n8n_ssh_key.age".publicKeys = authorizedKeys;
  "openclaw_gateway_token.age".publicKeys = authorizedKeys;
--- a/users/ai-worker/ai-worker.nix
+++ b/users/ai-worker/ai-worker.nix
@@ -4,6 +4,8 @@
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
    # ai-worker stays in docker group for normal docker operations (ps, start, stop, compose, ...)
    # Dangerous commands (exec, cp, commit) are blocked by a wrapper script.
    extraGroups = [ "docker" ];
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [
@@ -14,16 +16,14 @@
  };
  users.groups.ai-worker = {};
-  # Enable restricted AI worker SSH access for ollama benchmarking
+  # Enable restricted AI worker SSH access
-  # SECURITY: ai-worker can only:
+  # SECURITY: ai-worker is in docker group but docker commands are filtered:
-  #   - SSH into host from Hermes container
+  #   ALLOWED: ps, images, logs, start, stop, restart, rm, rmi, pull, build, run, compose
-  #   - Run docker commands (docker exec ollama ...) via docker group
+  #   BLOCKED: exec, cp, commit, diff, export, import, load, save, attach, push
-  #   - Run specific security audit commands
+  # The filtering is done by a docker wrapper in ai-worker's PATH.
-  #   - NO access to infra repo (no bind mount)
+  services.aiWorkerAccess = true;
  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
-  # Restricted sudo for ai-worker - security checks only
+  # Restricted sudo for ai-worker - security checks only (not for docker)
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
@@ -68,15 +68,6 @@
          command = "/run/current-system/sw/bin/sshd -T";
          options = [ "NOPASSWD" ];
        }
        # Docker service checks
        {
          command = "/run/current-system/sw/bin/docker ps";
          options = [ "NOPASSWD" ];
        }
        {
          command = "/run/current-system/sw/bin/docker inspect *";
          options = [ "NOPASSWD" ];
        }
        # Network diagnostics
        {
          command = "/run/current-system/sw/bin/ss -tlnp";
--- a/users/gortium/gortium.nix
+++ b/users/gortium/gortium.nix
@@ -1,6 +1,4 @@
 { pkgs, inputs, config, keys, ... }: {
  home-manager.extraSpecialArgs = { inherit (config.networking) hostName; dotfiles = ../../assets/dotfiles; };
  home-manager.users.gortium = import ./home.nix;
  users.users.gortium = {
    isNormalUser = true;
    extraGroups = [ "wheel" "docker" "video" "render"];
@@ -8,10 +6,9 @@
    packages = with pkgs; [
      tree
      btop
      nh
    ];
    shell = pkgs.zsh;
    passwordFile = config.age.secrets.gortium_password.path;
    ignoreShellProgramCheck = true;
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
    ];
--- a/users/gortium/home.nix
+++ b/users/gortium/home.nix
@@ -1,65 +0,0 @@
 { pkgs, lib, config, inputs, hostName, ... }:
 let
  dotfiles = ../../assets/dotfiles;
  isUconsole = hostName == "uConsole";
 in {
  home.username = "gortium";
  home.homeDirectory = "/home/gortium";
  home.stateVersion = "23.11";
  programs.home-manager.enable = true;
  home.file = {
    # tmux
    ".tmux.conf".source = "${dotfiles}/tmux/.tmux.conf";
    # kitty
    ".config/kitty/kitty.conf".source = "${dotfiles}/kitty/.config/kitty/kitty.conf";
    # nvim
    ".config/nvim/init.lua".source = "${dotfiles}/nvim/.config/nvim/init.lua";
    # starship
    ".config/starship.toml".source = "${dotfiles}/starship/.config/starship.toml";
    # btop
    ".config/btop/btop.conf".source = "${dotfiles}/btop/.config/btop/btop.conf";
    # waybar
    ".config/waybar/style.css".source = "${dotfiles}/waybar/.config/waybar/style.css";
    ".config/waybar/config.jsonc".source = "${dotfiles}/waybar/.config/waybar/config.jsonc";
    # wofi
    ".config/wofi/style.css".source = "${dotfiles}/wofi/.config/wofi/style.css";
    ".config/wofi/config".source = "${dotfiles}/wofi/.config/wofi/config";
    # yazi
    ".config/yazi/yazi.toml".source = "${dotfiles}/yazi/.config/yazi/yazi.toml";
    # hyprland — common config
    ".config/hypr/hyprland.conf".source = "${dotfiles}/hypr/.config/hypr/hyprland.conf";
    ".config/hypr/hypridle.conf".source = "${dotfiles}/hypr/.config/hypr/hypridle.conf";
    ".config/hypr/hyprlock.conf".source = "${dotfiles}/hypr/.config/hypr/hyprlock.conf";
    ".config/hypr/hyprpaper.conf".source = "${dotfiles}/hypr/.config/hypr/hyprpaper.conf";
    ".config/hypr/mocha.conf".source = "${dotfiles}/hypr/.config/hypr/mocha.conf";
    # hyprland — host-specific monitor config
    ".config/hypr/host/monitors.conf".source =
      if isUconsole
      then "${dotfiles}/hypr/.config/hypr/hosts/uconsole.conf"
      else "${dotfiles}/hypr/.config/hypr/hosts/laptop.conf";
  };
  home.packages = with pkgs; [
    git zsh tmux starship
    neovim kitty
    btop yazi ripgrep fd fzf
  ] ++ lib.optionals (!isUconsole) [
    waybar wofi swww hyprshot
  ] ++ lib.optionals isUconsole [
    brightnessctl
  ];
  programs.zsh.enable = true;
  programs.starship.enable = true;
 }
		`@@ -1 +0,0 @@`
			`/nix/store/z86r4awsbrc5q9qhwwi757wxixcqgn31-nixos-system-uConsole-25.11.20260608.e820eb4`
		`@@ -1 +0,0 @@`
			`/nix/store/7y7rfksqcf5smz59jjixyl56bxq50j9g-nixos-system-uConsole-25.11.20260608.e820eb4`