systems/ful/openclaw.nix

{ config, pkgs, ... }:
{
  users.users.openclaw = {
    isSystemUser = true;
    group = "openclaw";
    extraGroups = [ "openclaw-shared" ]; # Access to shared data
    home = "/var/lib/openclaw";
    createHome = true;
    shell = pkgs.bash;
    packages = [
      pkgs.llm-agents.openclaw
      pkgs.chromium
      pkgs.xorg.xvfb
      pkgs.xorg.xauth
      pkgs.xorg.xkbcomp
    ];
  };

  users.groups.openclaw = { };
  users.groups.openclaw-shared = { };

  systemd.services.openclaw = {
    description = "OpenClaw Gateway Service";
    after = [
      "network.target"
      "xvfb.service"
    ];
    wantedBy = [ "multi-user.target" ];
    wants = [ "xvfb.service" ];

    path = config.users.users.openclaw.packages;

    serviceConfig = {
      User = "openclaw";
      Group = "openclaw";
      StateDirectory = "openclaw";
      WorkingDirectory = "/var/lib/openclaw";

      ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
        exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
      '';
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectClock = true;
      ProtectControlGroups = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      ProcSubset = "pid";
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      LockPersonality = true;
      UMask = "0077";

      PrivateDevices = true;
      DeviceAllow = [
        "/dev/null rw"
        "/dev/zero rw"
        "/dev/random r"
        "/dev/urandom r"
      ];
      SystemCallFilter = [
        "@system-service"
        "~@mount"
        "@cpu-emulation"
        "@debug"
        "@keyring"
        "@module"
        "@obsolete"
        "@raw-io"
        "@reboot"
        "@swap"
      ];
      SystemCallArchitectures = "native";

      ProtectSystem = "strict";
      ReadWritePaths = [
        "/var/lib/openclaw"
      ];
      NoNewPrivileges = true;
      PrivateTmp = true;
      Restart = "always";
    };

    environment = {
      OPENCLAW_HOME = "/var/lib/openclaw";
      DISPLAY = ":99";
      # tell OpenClaw where Chrome is
      PUPPETEER_EXECUTABLE_PATH = "${pkgs.chromium}/bin/chromium";
    };
  };

  systemd.services.xvfb = {
    description = "X Virtual Framebuffer";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "openclaw";
      Group = "openclaw";
      ExecStart = "${pkgs.xorg.xvfb}/bin/Xvfb :99 -screen 0 1920x1080x24 +extension GLX +render -noreset";
      Environment = "DISPLAY=:99";
    };
  };
}
openclaw 2026-02-15 22:13:26 +01:00			`{ config, pkgs, ... }:`
			`{`
			`users.users.openclaw = {`
			`isSystemUser = true;`
			`group = "openclaw";`
			`extraGroups = [ "openclaw-shared" ]; # Access to shared data`
			`home = "/var/lib/openclaw";`
			`createHome = true;`
			`shell = pkgs.bash;`
			`packages = [`
			`pkgs.llm-agents.openclaw`
			`pkgs.chromium`
			`pkgs.xorg.xvfb`
			`pkgs.xorg.xauth`
			`pkgs.xorg.xkbcomp`
			`];`
			`};`

			`users.groups.openclaw = { };`
			`users.groups.openclaw-shared = { };`

			`systemd.services.openclaw = {`
			`description = "OpenClaw Gateway Service";`
			`after = [`
			`"network.target"`
			`"xvfb.service"`
			`];`
			`wantedBy = [ "multi-user.target" ];`
			`wants = [ "xvfb.service" ];`

			`path = config.users.users.openclaw.packages;`

			`serviceConfig = {`
			`User = "openclaw";`
			`Group = "openclaw";`
			`StateDirectory = "openclaw";`
			`WorkingDirectory = "/var/lib/openclaw";`

			`ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''`
			`exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway`
			`'';`
			`ProtectHome = true;`
			`ProtectKernelTunables = true;`
			`ProtectKernelModules = true;`
			`ProtectKernelLogs = true;`
			`ProtectClock = true;`
			`ProtectControlGroups = true;`
			`ProtectHostname = true;`
			`ProtectProc = "invisible";`
			`ProcSubset = "pid";`
			`RemoveIPC = true;`
			`RestrictSUIDSGID = true;`
			`RestrictNamespaces = true;`
			`RestrictRealtime = true;`
			`LockPersonality = true;`
			`UMask = "0077";`

			`PrivateDevices = true;`
			`DeviceAllow = [`
			`"/dev/null rw"`
			`"/dev/zero rw"`
			`"/dev/random r"`
			`"/dev/urandom r"`
			`];`
			`SystemCallFilter = [`
			`"@system-service"`
			`"~@mount"`
			`"@cpu-emulation"`
			`"@debug"`
			`"@keyring"`
			`"@module"`
			`"@obsolete"`
			`"@raw-io"`
			`"@reboot"`
			`"@swap"`
			`];`
			`SystemCallArchitectures = "native";`

			`ProtectSystem = "strict";`
			`ReadWritePaths = [`
			`"/var/lib/openclaw"`
			`];`
			`NoNewPrivileges = true;`
			`PrivateTmp = true;`
			`Restart = "always";`
			`};`

			`environment = {`
			`OPENCLAW_HOME = "/var/lib/openclaw";`
			`DISPLAY = ":99";`
			`# tell OpenClaw where Chrome is`
			`PUPPETEER_EXECUTABLE_PATH = "${pkgs.chromium}/bin/chromium";`
			`};`
			`};`

			`systemd.services.xvfb = {`
			`description = "X Virtual Framebuffer";`
			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`User = "openclaw";`
			`Group = "openclaw";`
			`ExecStart = "${pkgs.xorg.xvfb}/bin/Xvfb :99 -screen 0 1920x1080x24 +extension GLX +render -noreset";`
			`Environment = "DISPLAY=:99";`
			`};`
			`};`
			`}`