infra/modules/nixos/security/README-ai-worker.md
Hermes Agent 18df45819d Add restricted AI worker access with deployment capabilities
- New module: modules/nixos/security/ai-worker-restricted.nix
  - Bind mount for infra repo access (RW)
  - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix
  - Audit logging for infra changes
  - Documentation in README-ai-worker.md

- Updated users/ai-worker.nix:
  - Enable services.aiWorkerAccess
  - Lock password (SSH key only)
  - Security documentation comments

- Updated flake.nix:
  - Include new security module

SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00


# AI Worker Restricted Access
This module provides restricted access for the AI worker (hermes-agent) to manage the infra repository.
## Security Model
The `ai-worker` user has:
### Filesystem Access
- **Bind mount**: `/home/ai-worker/infra` -> `/home/gortium/infra` (read-write)
- **Cannot access**: Any other files outside the bind mount and standard system paths
### Sudo Access (Whitelist Only)
The following commands are allowed via sudo without password:
- `/run/current-system/sw/bin/nh` - NixOS home manager
- `/run/current-system/sw/bin/nixos-rebuild` - System rebuild
- `/run/current-system/sw/bin/nixpkgs-fmt` - Nix formatter
- `/run/current-system/sw/bin/nix` - Nix package manager
### Docker Access
- Member of `docker` group - can manage containers
- Cannot modify host system directly
### Audit Logging
- All changes to `/home/gortium/infra` are logged via Linux audit subsystem
- Audit rule: `-w /home/gortium/infra -p wa -k infra_changes`
## Workflow: Ask First, Always
**CRITICAL**: Before running any deployment command (`nh os switch` or `nixos-rebuild`), the AI MUST:
1. **Show the planned changes** to the user
2. **Explain the impact** of the changes
3. **Wait for explicit confirmation** before executing
### Example Workflow
```bash
# AI prepares changes
cd /home/ai-worker/infra
# ... edits files ...
nixpkgs-fmt .
# AI shows diff to user
git diff
# AI asks: "Ready to deploy? This will restart the ai_stack service."
# User responds: "Yes, proceed"
# Only then does AI run:
sudo nh os switch --flake .#lazyworkhorse
```
## SSH Access
Connect as:
```bash
ssh ai-worker@lazyworkhorse
```
The working directory will be `/home/ai-worker`, with the infra repo accessible at `/home/ai-worker/infra`.
## Verification
Check ai-worker permissions:
```bash
# On the host, as root or gortium:
sudo -u ai-worker sudo -l
```
Expected output should show only the whitelisted commands.
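To turn that expectation into a repeatable check, here is an added script that is not part of the module: it parses `sudo -l` output on stdin and reports any granted command that is not in the documented whitelist (or any whitelisted command that is missing). The sample output it ships with is constructed; for a real check run `sudo -u ai-worker sudo -l | check_sudo_whitelist`.

```shell
# Added example, not part of the ai-worker module: check the output of
# `sudo -u ai-worker sudo -l` against the whitelist documented above.
# Pipe real output into check_sudo_whitelist; the sample below is constructed.

ALLOWED='/run/current-system/sw/bin/nh
/run/current-system/sw/bin/nixos-rebuild
/run/current-system/sw/bin/nixpkgs-fmt
/run/current-system/sw/bin/nix'

# Print one granted command per line from `sudo -l` output on stdin.
# Rule lines look like "    (root) NOPASSWD: /path/a, /path/b"; the runas
# part and any TAG: prefixes are stripped and comma-separated commands split.
sudo_l_commands() {
  sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\([A-Z]*:[[:space:]]*\)*//p' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    grep -v '^$' |
    sort -u
}

# Report commands granted but not whitelisted (drift, including ALL or
# wildcards) and whitelisted commands that are missing. Exit 0 only when
# the granted set equals the whitelist. Paths are assumed to contain no spaces.
check_sudo_whitelist() {
  actual=$(sudo_l_commands)
  status=0
  for cmd in $actual; do
    printf '%s\n' "$ALLOWED" | grep -Fxq -- "$cmd" ||
      { echo "NOT WHITELISTED: $cmd"; status=1; }
  done
  for cmd in $ALLOWED; do
    printf '%s\n' "$actual" | grep -Fxq -- "$cmd" ||
      { echo "MISSING: $cmd"; status=1; }
  done
  return $status
}

# Constructed sample of `sudo -l` output; SAMPLE_DRIFT adds one extra rule.
SAMPLE_OK='Matching Defaults entries for ai-worker on lazyworkhorse:
    env_reset, mail_badpass

User ai-worker may run the following commands on lazyworkhorse:
    (root) NOPASSWD: /run/current-system/sw/bin/nh, /run/current-system/sw/bin/nixos-rebuild
    (root) NOPASSWD: /run/current-system/sw/bin/nixpkgs-fmt, /run/current-system/sw/bin/nix'
SAMPLE_DRIFT="$SAMPLE_OK
    (root) NOPASSWD: /run/current-system/sw/bin/docker"

printf '%s\n' "$SAMPLE_OK" | check_sudo_whitelist && echo "OK: whitelist matches"
printf '%s\n' "$SAMPLE_DRIFT" | check_sudo_whitelist || echo "drift detected"
```

A non-zero exit from `check_sudo_whitelist` is the signal to treat the host's sudoers as having drifted from this README, whether by a forgotten rule or an extra one.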
## Troubleshooting
If ai-worker cannot access infra:
```bash
# Check bind mount
mount | grep ai-worker/infra
# Check permissions
ls -la /home/gortium/infra
ls -la /home/ai-worker/infra
```
If sudo commands fail:
```bash
# Check sudo rules
sudo cat /etc/sudoers.d/* | grep ai-worker
# Check audit logs
sudo ausearch -k infra_changes
```