Security Model
Nurvus is designed with the principle of least privilege. Demi can only do what she needs to, nothing more.
Scoped Sudo
The NixOS module grants passwordless sudo for the nurvus group, but only for specific commands:
| Command | Purpose |
|---|---|
| `nix` | Flake operations |
| `nixos-rebuild` | Apply configuration changes |
| `nix-env` | List system generations |
| `tee /etc/nixos/*` | Write NixOS configuration files |
| `mkdir` | Create volume directories for containers |
| `cat /srv/*` | Read container data files |
| `tee /srv/*` | Write container data files |
| `ls /srv/*` | List container data directories |
| `rm -rf /srv/*` | Remove container data volumes |
| `mv /srv/* /srv/*` | Move/rename container data |
| `cp -r /srv/* /srv/*` | Copy container data |
| `podman` | Manage containers |
| `systemctl restart/stop/start/show podman-*` | Control container services |
| `systemctl reboot` | Reboot the system |
| `systemctl start nurvus-*` | Run scheduled tasks |
| `systemd-run` | Schedule one-off tasks |
| `chmod 600 /etc/nixos/*` | Secure credentials files |
Demi cannot run arbitrary commands. File operations are scoped to /srv/ (container volumes) and /etc/nixos/ (system config).
Plan-Confirm-Execute
All destructive operations require explicit user confirmation:
- Deploying or removing containers
- Modifying NixOS configuration
- Running nixos-rebuild
- Rebooting the system
Demi will always show you what she plans to do before doing it.
Agent Safety
Demi follows security best practices by default:
- Warns about insecure configurations (default passwords, exposed databases, disabled firewalls)
- Suggests safe alternatives for risky requests
- Prefers binding services to localhost unless public access is explicitly requested
- Flags common attack-target ports (22, 3306, 5432, 6379, 27017) when exposed publicly
- Suggests strong passwords and notes when credentials should be rotated
Container Networking
All containers run on an isolated Podman network (nurvus). They can reach each other by name but are not exposed to the host network unless ports are explicitly mapped.
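The localhost-binding preference and flagged-port check from Agent Safety, applied to the explicit port mappings described here, as an added example (not Nurvus's own code). It parses Podman-style publish strings and reports which are bound beyond loopback and which of those touch the listed ports; the function names and sample mappings are assumptions, and checking the container-side port as well as the host port is this example's choice.

```python
import ipaddress
import re

# Ports the page lists as common attack targets.
FLAGGED_PORTS = {22, 3306, 5432, 6379, 27017}

# Podman publish syntax: [[ip:][hostPort]:]containerPort[/proto]
_SPEC = re.compile(
    r"^(?:(?:(?P<ip>\[[0-9a-fA-F:]+\]|[0-9.]+):)?(?P<host>[0-9-]*):)?"
    r"(?P<ctr>[0-9-]+)(?:/(?P<proto>tcp|udp|sctp))?$"
)


def _ports(text):
    """Expand '5432' or '8000-8010' into a set of ints."""
    if not text:
        return set()
    lo, _, hi = text.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def audit_mapping(spec):
    """Return (is_public, flagged_ports) for one publish spec."""
    m = _SPEC.match(spec.strip())
    if m is None:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    ip = (m.group("ip") or "").strip("[]")
    # No IP given means the port is bound on every host interface.
    is_public = not ip or not ipaddress.ip_address(ip).is_loopback
    # Check both sides: a database remapped to another host port is still exposed.
    exposed = _ports(m.group("host")) | _ports(m.group("ctr"))
    flagged = sorted(exposed & FLAGGED_PORTS) if is_public else []
    return is_public, flagged


def audit(mappings):
    """Return {spec: flagged_ports} for every publicly bound mapping."""
    report = {}
    for spec in mappings:
        is_public, flagged = audit_mapping(spec)
        if is_public:
            report[spec] = flagged
    return report


# Constructed sample mappings, not taken from a real deployment.
SAMPLE = ["127.0.0.1:8080:80", "5432:5432", "[::1]:6379:6379", "0.0.0.0:2222:22"]
```

An empty list in the report means the mapping is public but touches none of the listed ports; loopback-only mappings are omitted.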