Add restricted AI worker access with deployment capabilities #1

Merged
gortium merged 10 commits from ai-worker-restricted-access into master 2026-05-11 00:48:30 +00:00

Summary

This PR adds restricted SSH access for the AI worker (hermes-agent) to run ollama benchmarks on the host via docker commands.

Security Model

The ai-worker user now has:

Filesystem Access

  • Home directory: /home/ai-worker (standard user home)
  • NO bind mount: Cannot access /home/gortium/infra or other host files
  • Cannot access: Any files outside standard system paths

Sudo Access

  • NONE: ai-worker has no sudo privileges
  • Cannot run nh, nixos-rebuild, nixpkgs-fmt, or nix

Docker Access

  • Member of docker group - can run docker and docker exec commands
  • Primary use: docker exec ollama ollama ... for benchmarking
  • Can run docker exec --privileged ollama rocm-smi ... for VRAM monitoring

Workflow: SSH + Docker Benchmarking

```
Hermes container (cron triggers)
    --> SSH (as ai-worker)
Host (ai-worker user)
    --> docker exec ollama ... (run benchmarks)
Host (ollama container runs tests)
    --> SSH session ends
Hermes container
    --> save results in skill state
```

Changes

  • modules/nixos/security/ai-worker-restricted.nix - New module: creates ai-worker user with docker group, no sudo
  • modules/nixos/security/README-ai-worker.md - Documentation for docker-only workflow
  • users/ai-worker.nix - User definition for ai-worker
  • flake.nix - Imports the security module

Testing

After merge, verify with:

```bash
# Check ai-worker has no sudo access
sudo -u ai-worker sudo -l

# Check docker group membership
groups ai-worker

# Test docker access
sudo -u ai-worker docker exec ollama ollama list
```

Known Issues

  • SSH key access from Hermes container (see issue #32): The ai-worker SSH private key is encrypted via age with recipients that aren't available in the Hermes container. Need to add the Hermes Gitea SSH key as a recipient in secrets.nix to allow decryption from the container.

Related

  • Issue: https://code.lazyworkhorse.net/gortium/infra/issues/26 (Merge Plan)
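As an added post-merge check (example code, not part of the PR or the infra repo), the script below turns the security model and the verification steps from the description into assertions: no sudo, docker group present, password locked, no infra bind mount, docker exec works. Each check takes the captured output of the named command so it can be exercised against recorded output; the group name `wheel` and the commands `sudo -l -U`, `id -nG`, `passwd -S` and `findmnt` are this example's assumptions about the host.

```bash
#!/usr/bin/env bash
# Added verification script for the ai-worker security model; not part of the PR.
# Each check takes captured command output, so the policy can be asserted against
# recorded output as well as against the live host (audit_live, below).

# No sudoers entry: `sudo -l -U ai-worker` (as root) must report "not allowed".
check_no_sudo() {
  case "$1" in
    *"is not allowed to run sudo"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Groups from `id -nG ai-worker`: docker is required (the benchmark path); wheel, the
# NixOS sudo group, must be absent. Docker group membership is itself root-equivalent.
check_groups() {
  local g in_docker=1 in_wheel=1
  for g in $1; do
    [ "$g" = docker ] && in_docker=0
    [ "$g" = wheel ] && in_wheel=0
  done
  [ "$in_docker" -eq 0 ] && [ "$in_wheel" -eq 1 ]
}

# Password locked: status field of `passwd -S ai-worker` is L (shadow) or LK
# (RHEL-style passwd), so the account is reachable by SSH key only.
check_password_locked() {
  set -- $1
  [ "${2:-}" = L ] || [ "${2:-}" = LK ]
}

# No infra bind mount: `findmnt -rn -o TARGET,SOURCE` must show nothing under
# /home/ai-worker whose source is the gortium/infra checkout.
check_no_infra_mount() {
  printf '%s\n' "$1" | while read -r target src; do
    case "$target" in
      /home/ai-worker|/home/ai-worker/*) case "$src" in *gortium/infra*) exit 1 ;; esac ;;
    esac
  done
}
# Run on the host as root after the deploy; stops at the first failed check.
audit_live() {
  check_no_sudo "$(sudo -l -U ai-worker 2>&1)" || { echo "FAIL: sudo"; return 1; }
  check_groups "$(id -nG ai-worker)" || { echo "FAIL: groups"; return 1; }
  check_password_locked "$(passwd -S ai-worker)" || { echo "FAIL: password"; return 1; }
  check_no_infra_mount "$(findmnt -rn -o TARGET,SOURCE)" || { echo "FAIL: mount"; return 1; }
  sudo -u ai-worker docker exec ollama ollama list >/dev/null || { echo "FAIL: docker"; return 1; }
  echo "ai-worker security model verified"
}
if [ "${AI_WORKER_AUDIT:-}" = live ]; then audit_live; fi
```

Run it on the host with `AI_WORKER_AUDIT=live bash verify-ai-worker.sh` as root; without that variable it only defines the checks, so they can be sourced and fed recorded output.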
Hermes added 1 commit 2026-04-28 15:49:35 +00:00
- New module: modules/nixos/security/ai-worker-restricted.nix
  - Bind mount for infra repo access (RW)
  - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
  - Audit logging for infra changes
  - Documentation in README-ai-worker.md

- Updated users/ai-worker.nix:
  - Enable services.aiWorkerAccess
  - Lock password (SSH key only)
  - Security documentation comments

- Updated flake.nix:
  - Include new security module

SECURITY: AI must ask for user confirmation before running nh os switch
Hermes added 1 commit 2026-04-29 19:55:37 +00:00
Remove infra repo bind mount and sudo access from ai-worker user.
Now ai-worker can only:
- SSH into host from Hermes container
- Run docker commands via docker group membership
- Execute ollama benchmarks via docker exec

Results saved to /opt/data/ai-optimizer/ in Hermes container.
gortium self-assigned this 2026-04-29 23:43:38 +00:00
gortium added 1 commit 2026-05-03 09:31:14 +00:00
Hermes added 1 commit 2026-05-09 20:13:15 +00:00
Hermes added 1 commit 2026-05-09 20:19:34 +00:00
Hermes added 1 commit 2026-05-10 14:12:43 +00:00
gortium added 4 commits 2026-05-10 22:26:58 +00:00
gortium merged commit 28ab52209c into master 2026-05-11 00:48:30 +00:00
gortium deleted branch ai-worker-restricted-access 2026-05-11 00:48:30 +00:00
Reference: gortium/infra#1