gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity

fix: update compose submodule for wg-easy iptables-nft fix #40

Closed
Hermes wants to merge 7 commits from fix/wg-easy-iptables-nft into master
pull from: fix/wg-easy-iptables-nft
merge into: gortium:master
Conversation 0 Commits 7 Files Changed 7 +249 -8
Hermes commented 2026-05-12 18:53:24 +00:00
Collaborator
Copy Link

Updates the compose submodule to point to the fix/wg-easy-iptables-nft branch which adds a custom Dockerfile that installs iptables-nft (nftables-backed iptables) into wg-easy.

Fixes the wg-easy container crash-loop on kernels without legacy iptable_nat module. Merge compose PR #24 first, then this one.

Updates the compose submodule to point to the fix/wg-easy-iptables-nft branch which adds a custom Dockerfile that installs iptables-nft (nftables-backed iptables) into wg-easy. Fixes the wg-easy container crash-loop on kernels without legacy iptable_nat module. Merge compose PR #24 first, then this one.
Hermes added 7 commits 2026-05-12 18:53:25 +00:00
Add restricted AI worker access with deployment capabilities 18df45819d 
- New module: modules/nixos/security/ai-worker-restricted.nix
  - Bind mount for infra repo access (RW)
  - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
  - Audit logging for infra changes
  - Documentation in README-ai-worker.md

- Updated users/ai-worker.nix:
  - Enable services.aiWorkerAccess
  - Lock password (SSH key only)
  - Security documentation comments

- Updated flake.nix:
  - Include new security module

SECURITY: AI must ask for user confirmation before running nh os switch
fix: ai-worker docker-only access for ollama benchmarking f0e21d95e4 
Remove infra repo bind mount and sudo access from ai-worker user.
Now ai-worker can only:
- SSH into host from Hermes container
- Run docker commands via docker group membership
- Execute ollama benchmarks via docker exec

Results saved to /opt/data/ai-optimizer/ in Hermes container.
Merge branch 'master' into ai-worker-restricted-access 7d3d072961
chore: update flake.lock and fix merge conflict ceb58bcf76
Merge remote-tracking branch 'origin/master' into ai-worker-restricted-access 878cfc1d99
feat: update compose submodule for ollama-gfx906 (v0.23.2) + add Dockerfile 6b2e7a626f
fix: update compose submodule for wg-easy iptables-nft fix 07805b867d 
Updates the compose submodule to point to fix/wg-easy-iptables-nft
which adds a custom Dockerfile installing iptables-nft for nftables
backend compatibility.

Fixes the wg-easy container crash-loop:
  iptables v1.8.3 (legacy): can't initialize iptables table 'nat'
  Table does not exist (do you need to insmod?)
Hermes closed this pull request 2026-05-12 20:30:04 +00:00
Hermes deleted branch fix/wg-easy-iptables-nft 2026-05-12 20:30:05 +00:00

Pull request closed

Please reopen this pull request to perform a merge.
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Hermes gortium
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: gortium/infra#40
No description provided.
Delete Branch "fix/wg-easy-iptables-nft"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?