Hermes Agent
f0e21d95e4
Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
18 lines
499 B
Nix
18 lines
499 B
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
options.services.aiWorkerAccess = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = "Enable AI worker SSH access with docker group membership for ollama benchmarking";
|
|
};
|
|
|
|
config = mkIf config.services.aiWorkerAccess {
|
|
# ai-worker is member of docker group - can run docker commands via SSH
|
|
# No bind mounts, no sudo access - docker-only for ollama benchmarking
|
|
users.groups.docker.members = [ "ai-worker" ];
|
|
};
|
|
}
|