Merge pull request #176 from naturallaw777/copilot/add-scoped-sudo-rules

[WIP] Add scoped sudo rules for sovran-support user

modules/core/tech-support.nix

@@ -11,6 +11,8 @@
 #     (u:sovran-support:---) by the Hub API as soon as a session is started.
 #   • The Hub web UI lets the user grant time-limited access to wallet files
 #     and view a full audit log of every session event.
+#   • Scoped sudo rules allow support staff to edit custom.nix, trigger rebuilds,
+#     restart services, and read logs — without full root or wallet access.
 #
 # The `acl` package provides the `setfacl` / `getfacl` utilities required by
 # the Hub's _apply_wallet_acls() and _revoke_wallet_acls() helpers.
@@ -39,4 +41,20 @@
     "d /var/lib/sovran-support      0700 sovran-support sovran-support -"
     "d /var/lib/sovran-support/.ssh 0700 sovran-support sovran-support -"
   ];
+
+  # ── Scoped sudo rules for support staff ───────────────────────────────────
+  # Grants only the minimum privileges needed for a support session.
+  # Support staff cannot stop/disable/mask services or access wallet files.
+  security.sudo.extraRules = [
+    {
+      users = [ "sovran-support" ];
+      commands = [
+        { command = "/run/current-system/sw/bin/nano /etc/nixos/custom.nix";        options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/nano /etc/nixos/configuration.nix"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/nixos-rebuild switch --flake /etc/nixos"; options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/systemctl restart *";               options = [ "NOPASSWD" ]; }
+        { command = "/run/current-system/sw/bin/journalctl *";                      options = [ "NOPASSWD" ]; }
+      ];
+    }
+  ];
 }