users/ai-worker.nix

@@ -12,20 +12,12 @@
   };
   users.groups.ai-worker = {};
   
-  # Restricted sudo for ai-worker - security checks and deployment only
+  # Restricted sudo for ai-worker - security checks only
   security.sudo.extraRules = [
     {
       users = [ "ai-worker" ];
       commands = [
-        {
-          command = "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse";
-          options = [ "NOPASSWD" ];
-        }
-        {
-          command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse";
-          options = [ "NOPASSWD" ];
-        }
-        # Security audit commands
+        # Firewall checks
         {
           command = "/run/wrappers/bin/sudo iptables -L -n -v";
           options = [ "NOPASSWD" ];
@@ -34,6 +26,7 @@
           command = "/run/wrappers/bin/sudo iptables -S";
           options = [ "NOPASSWD" ];
         }
+        # Fail2ban status
         {
           command = "/run/current-system/sw/bin/fail2ban-client status";
           options = [ "NOPASSWD" ];
@@ -46,6 +39,7 @@
           command = "/run/current-system/sw/bin/fail2ban-client get * banned";
           options = [ "NOPASSWD" ];
         }
+        # Log inspection
         {
           command = "/run/current-system/sw/bin/journalctl -t kernel -n 100";
           options = [ "NOPASSWD" ];
@@ -54,11 +48,16 @@
           command = "/run/current-system/sw/bin/journalctl -u fail2ban -n 50";
           options = [ "NOPASSWD" ];
         }
+        {
+          command = "/run/current-system/sw/bin/journalctl -u firewall -n 50";
+          options = [ "NOPASSWD" ];
+        }
+        # SSH config verification
         {
           command = "/run/current-system/sw/bin/sshd -T";
           options = [ "NOPASSWD" ];
         }
-        # Docker commands for service checks
+        # Docker service checks
         {
           command = "/run/current-system/sw/bin/docker ps";
           options = [ "NOPASSWD" ];