infra/modules/nixos/security/README-ai-worker.md
Hermes Agent 18df45819d Add restricted AI worker access with deployment capabilities
- New module: modules/nixos/security/ai-worker-restricted.nix
  - Bind mount for infra repo access (RW)
  - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
  - Audit logging for infra changes
  - Documentation in README-ai-worker.md

- Updated users/ai-worker.nix:
  - Enable services.aiWorkerAccess
  - Lock password (SSH key only)
  - Security documentation comments

- Updated flake.nix:
  - Include new security module

SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00

# AI Worker Restricted Access

This module provides restricted access for the AI worker (`hermes-agent`) to manage the infra repository.

## Security Model

The ai-worker user has:

### Filesystem Access

- Bind mount: `/home/ai-worker/infra` -> `/home/gortium/infra` (read-write)
- Cannot access: any other files outside the bind mount and standard system paths

### Sudo Access (Whitelist Only)

The following commands are allowed via sudo without a password:

- `/run/current-system/sw/bin/nh` - NixOS home manager
- `/run/current-system/sw/bin/nixos-rebuild` - System rebuild
- `/run/current-system/sw/bin/nixpkgs-fmt` - Nix formatter
- `/run/current-system/sw/bin/nix` - Nix package manager

### Docker Access

- Member of the `docker` group - can manage containers
- Cannot modify host system directly

### Audit Logging

- All changes to `/home/gortium/infra` are logged via the Linux audit subsystem
- Audit rule: `-w /home/gortium/infra -p wa -k infra_changes`

## Workflow: Ask First, Always

CRITICAL: Before running any deployment command (`nh os switch` or `nixos-rebuild`), the AI MUST:

1. Show the planned changes to the user
2. Explain the impact of the changes
3. Wait for explicit confirmation before executing

### Example Workflow

```bash
# AI prepares changes
cd /home/ai-worker/infra
# ... edits files ...
nixpkgs-fmt .

# AI shows diff to user
git diff

# AI asks: "Ready to deploy? This will restart the ai_stack service."
# User responds: "Yes, proceed"

# Only then does AI run:
sudo nh os switch --flake .#lazyworkhorse
```

## SSH Access

Connect as:

```bash
ssh ai-worker@lazyworkhorse
```

The working directory will be `/home/ai-worker`, with the infra repo accessible at `/home/ai-worker/infra`.

## Verification

Check ai-worker permissions:

```bash
# On the host, as root or gortium:
sudo -u ai-worker sudo -l
```

The expected output should show only the whitelisted commands.
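As an added example (not code from this module or from hermes-agent), the following script automates the check above: it reads a `sudo -l` listing for ai-worker on stdin and flags any granted command whose path is not one of the four whitelisted binaries. The file name `check-ai-worker-sudo.sh` and the `sudo -l -U ai-worker` invocation are assumptions.

```shell
#!/bin/sh
# Added example, not part of the module or of hermes-agent: compare a
# "sudo -l" listing for ai-worker against the four commands documented above.
# Assumed usage on the host:  sudo -l -U ai-worker | sh check-ai-worker-sudo.sh
# Run with --demo to check a constructed sample instead of stdin.

# The whitelist exactly as documented in this README.
WHITELIST='/run/current-system/sw/bin/nh
/run/current-system/sw/bin/nixos-rebuild
/run/current-system/sw/bin/nixpkgs-fmt
/run/current-system/sw/bin/nix'

# Read "sudo -l" output on stdin; print one line per granted command whose
# path is not on the whitelist (arguments after the path are ignored, so a
# narrower rule such as "nh os switch" still passes). Returns 0 when the
# listing contains only whitelisted commands, 1 otherwise.
check_sudo_whitelist() {
  found=0
  # Privilege lines look like "    (root) NOPASSWD: /path/a, /path/b".
  # Drop the "(runas)" part and any TAG: prefixes, then split on commas.
  while IFS= read -r entry; do
    entry=$(printf '%s' "$entry" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
    [ -n "$entry" ] || continue
    cmd=${entry%% *}
    if ! printf '%s\n' "$WHITELIST" | grep -qxF -- "$cmd"; then
      printf 'unexpected sudo entry: %s\n' "$entry"
      found=1
    fi
  done <<EOF
$(grep -E '^[[:space:]]*\(' | sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*([A-Z_]+:[[:space:]]*)*//' | tr ',' '\n')
EOF
  return $found
}

# Constructed sample: the documented whitelist plus one rule that should
# never appear for ai-worker ("(ALL : ALL) ALL" grants unrestricted root).
SAMPLE_BAD='User ai-worker may run the following commands on lazyworkhorse:
    (root) NOPASSWD: /run/current-system/sw/bin/nh, /run/current-system/sw/bin/nixos-rebuild
    (root) NOPASSWD: /run/current-system/sw/bin/nixpkgs-fmt, /run/current-system/sw/bin/nix
    (ALL : ALL) ALL'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_BAD" | check_sudo_whitelist   # prints: unexpected sudo entry: ALL
fi
```

A non-zero exit status means the sudoers rules on the host have drifted from what this README documents and should be reviewed before the AI worker is used.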

## Troubleshooting

If ai-worker cannot access infra:

```bash
# Check bind mount
mount | grep ai-worker/infra

# Check permissions
ls -la /home/gortium/infra
ls -la /home/ai-worker/infra
```

If sudo commands fail:

```bash
# Check sudo rules
sudo cat /etc/sudoers.d/* | grep ai-worker

# Check audit logs
sudo ausearch -k infra_changes
```