{ pkgs, inputs, config, keys, ... }:
let
  # One sudoers command entry that may be run without a password prompt.
  passwordless = cmd: { command = cmd; options = [ "NOPASSWD" ]; };

  # Deployment: switch this host to the worker's own flake checkout.
  # NOTE(review): /home/ai-worker is created for and owned by this account
  # (createHome = true below), so the account controls the flake it is
  # allowed to switch the system to; these two rules are therefore
  # root-equivalent in practice. A root-owned checkout or a reviewed
  # deployment path would make the "restricted" intent hold.
  deployCommands = map passwordless [
    "/run/current-system/sw/bin/nh os switch --flake /home/ai-worker/infra#lazyworkhorse"
    "/run/current-system/sw/bin/nixos-rebuild switch --flake /home/ai-worker/infra#lazyworkhorse"
  ];

  # Security audit: read-only views of the firewall, fail2ban, kernel-tagged
  # journal entries and the effective sshd configuration.
  # NOTE(review): the two iptables entries authorise
  # `sudo /run/wrappers/bin/sudo iptables ...` (sudo nested in sudo); a plain
  # `sudo iptables -L -n -v` resolves to a different binary and will not
  # match this rule. Presumably the iptables binary itself was intended —
  # confirm with the worker's scripts before changing.
  # sudoers matches arguments as one space-separated string, so a `*` here
  # also matches several arguments (extra flags), not just one jail name.
  auditCommands = map passwordless [
    "/run/wrappers/bin/sudo iptables -L -n -v"
    "/run/wrappers/bin/sudo iptables -S"
    "/run/current-system/sw/bin/fail2ban-client status"
    "/run/current-system/sw/bin/fail2ban-client status *"
    "/run/current-system/sw/bin/fail2ban-client get * banned"
    "/run/current-system/sw/bin/journalctl -t kernel -n 100"
    "/run/current-system/sw/bin/journalctl -u fail2ban -n 50"
    "/run/current-system/sw/bin/sshd -T"
  ];

  # Docker: container state checks.
  # NOTE(review): the account is also in the docker group (see extraGroups),
  # which already gives it unrestricted access to the daemon; these sudo
  # entries add nothing while that membership stands, and the `*` in
  # `docker inspect *` matches any trailing arguments.
  dockerCommands = map passwordless [
    "/run/current-system/sw/bin/docker ps"
    "/run/current-system/sw/bin/docker inspect *"
  ];

  # Network diagnostics: listening TCP sockets with owning processes, and the
  # raw kernel TCP table.
  networkCommands = map passwordless [
    "/run/current-system/sw/bin/ss -tlnp"
    "/run/current-system/sw/bin/cat /proc/net/tcp"
  ];
in
{
  # Service account for the AI worker; login is by SSH key only.
  users.users.ai-worker = {
    isSystemUser = true;
    group = "ai-worker";
    home = "/home/ai-worker";
    createHome = true;
    # NOTE(review): membership in "docker" is root-equivalent on a host with
    # the default (rootful) daemon — the daemon runs as root and anyone who
    # can talk to its socket acts with its privileges. If the worker only
    # needs to inspect containers, drop this and rely on the sudo rules;
    # otherwise treat the account as fully privileged in the threat model.
    extraGroups = [ "docker" ];
    shell = pkgs.bashInteractive;
    openssh.authorizedKeys.keys = [ keys.users.ai-worker.main ];
  };
  users.groups.ai-worker = { };

  # Passwordless sudo for ai-worker, limited to the fixed command lines
  # above: deployment plus read-only security checks.
  security.sudo.extraRules = [
    {
      users = [ "ai-worker" ];
      commands = deployCommands ++ auditCommands ++ dockerCommands ++ networkCommands;
    }
  ];
}