2026-02-15 22:13:26 +01:00
parent fb86f8c7f7
commit a94dacb64c
5 changed files with 228 additions and 13 deletions

117
flake.lock generated

@@ -113,6 +113,28 @@
"type": "github"
}
},
"blueprint": {
"inputs": {
"nixpkgs": [
"llm-agents",
"nixpkgs"
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1769353768,
"narHash": "sha256-zI+7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0=",
"owner": "numtide",
"repo": "blueprint",
"rev": "c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "blueprint",
"type": "github"
}
},
"buildbot-nix": {
"inputs": {
"flake-parts": "flake-parts_3",
@@ -121,7 +143,7 @@
"stockholm",
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_2"
"treefmt-nix": "treefmt-nix_3"
},
"locked": {
"lastModified": 1768927382,
@@ -376,6 +398,26 @@
"type": "github"
}
},
"llm-agents": {
"inputs": {
"blueprint": "blueprint",
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1771167156,
"narHash": "sha256-hvlg7rTzAmfX2HW0GgrVGvbXoNioTK0bidbRv42QEhY=",
"owner": "numtide",
"repo": "llm-agents.nix",
"rev": "bbd22c02ac546b7ba07147eb14194128b44ff209",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "llm-agents.nix",
"type": "github"
}
},
"menstruation-backend": {
"inputs": {
"fenix": [
@@ -450,7 +492,7 @@
"nixpkgs": [
"nixpkgs-unstable"
],
"treefmt-nix": "treefmt-nix",
"treefmt-nix": "treefmt-nix_2",
"wrappers": "wrappers"
},
"locked": {
@@ -547,16 +589,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1769598131,
"narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
"lastModified": 1770843696,
"narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
"rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -608,6 +650,22 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1769598131,
"narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"inputs": {
"flake-parts": "flake-parts_2",
@@ -675,6 +733,7 @@
"autorenkalender": "autorenkalender",
"fenix": "fenix",
"home-manager": "home-manager",
"llm-agents": "llm-agents",
"menstruation-backend": "menstruation-backend",
"menstruation-telegram": "menstruation-telegram",
"naersk": "naersk",
@@ -682,7 +741,7 @@
"nix-index-database": "nix-index-database",
"nix-topology": "nix-topology",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-old": "nixpkgs-old",
"nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",
@@ -692,7 +751,7 @@
"stylix": "stylix",
"telebots": "telebots",
"tinc-graph": "tinc-graph",
"treefmt-nix": "treefmt-nix_3",
"treefmt-nix": "treefmt-nix_4",
"voidrice": "voidrice",
"wallpapers": "wallpapers",
"wetter": "wetter",
@@ -777,7 +836,7 @@
"nixpkgs"
],
"nur": "nur_2",
"systems": "systems_2",
"systems": "systems_3",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@@ -829,6 +888,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"telebots": {
"inputs": {
"nixpkgs": [
@@ -957,6 +1031,27 @@
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"llm-agents",
"nixpkgs"
]
},
"locked": {
"lastModified": 1770228511,
"narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "337a4fe074be1042a35086f15481d763b8ddc0e7",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"niphas",
@@ -977,7 +1072,7 @@
"type": "github"
}
},
"treefmt-nix_2": {
"treefmt-nix_3": {
"inputs": {
"nixpkgs": [
"stockholm",
@@ -999,7 +1094,7 @@
"type": "github"
}
},
"treefmt-nix_3": {
"treefmt-nix_4": {
"inputs": {
"nixpkgs": [
"nixpkgs"


@@ -26,6 +26,7 @@
nix-topology.url = "github:oddlama/nix-topology";
wetter.url = "github:4z3/wetter";
wrappers.url = "github:lassulus/wrappers";
llm-agents.url = "github:numtide/llm-agents.nix";
voidrice.flake = false;
wallpapers.flake = false;
@@ -78,6 +79,7 @@
scripts,
tinc-graph,
nix-topology,
llm-agents,
nixpkgs-unstable,
nixos-hardware,
niphas,
@@ -433,7 +435,12 @@
self.nixosModules.go-webring
stockholm.nixosModules.reaktor2
nur.modules.nixos.default
{ nixpkgs.overlays = [ stockholm.overlays.default ]; }
{
nixpkgs.overlays = [
stockholm.overlays.default
llm-agents.overlays.default
];
}
];
};
zaatar = nixpkgs.lib.nixosSystem {
@@ -621,4 +628,9 @@
}
);
};
nixConfig = {
extra-substituters = [ "https://cache.numtide.com" ];
extra-trusted-public-keys = [ "niks3.numtide.com-1:DTx8wZduET09hRmMtKdQDxNNthLQETkc/yaX7M4qK0g=" ];
};
}
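Review bot: The `nixConfig` block at the end adds `https://cache.numtide.com` and its signing key to the trusted set without a comment on what that trust means: a key in `extra-trusted-public-keys` is honoured for any store path the substituter offers, not only for the `llm-agents` packages this commit pulls from it, so whoever controls that key can supply binaries for the whole system. Nix also applies flake-level `nixConfig` only when the invoking user accepts it (`accept-flake-config`, and for trust-related settings only as a trusted user) or the entries already exist in `nix.conf`, so on other machines it may prompt or be silently ignored. I would add, above the block: `# Binary cache for llm-agents; trusting this key lets cache.numtide.com substitute any store path, and it only takes effect once accept-flake-config (or nix.conf) allows it.` The new `llm-agents` input declared in the first hunk also carries its own `nixpkgs` (the lock now pins a separate nixpkgs-unstable for it); whether a `follows` on it is viable depends on what the package needs, so I only note it here.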

Submodule secrets updated: 83d9103f20...55417d0835


@@ -16,6 +16,7 @@
./gemini.nix
./wallabag.nix
./nethack.nix
./openclaw.nix
];
niveum.passport = {

107
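--- /dev/null
+++ b/systems/ful/openclaw.nix
@@ -0,0 +1,107 @@
+{ config, pkgs, ... }:
+{
+users.users.openclaw = {
+isSystemUser = true;
+group = "openclaw";
+extraGroups = [ "openclaw-shared" ]; # Access to shared data
+home = "/var/lib/openclaw";
+createHome = true;
+shell = pkgs.bash;
+packages = [
+pkgs.llm-agents.openclaw
+pkgs.chromium
+pkgs.xorg.xvfb
+pkgs.xorg.xauth
+pkgs.xorg.xkbcomp
+];
+};
+users.groups.openclaw = { };
+users.groups.openclaw-shared = { };
+systemd.services.openclaw = {
+description = "OpenClaw Gateway Service";
+after = [
+"network.target"
+"xvfb.service"
+];
+wantedBy = [ "multi-user.target" ];
+wants = [ "xvfb.service" ];
+path = config.users.users.openclaw.packages;
+serviceConfig = {
+User = "openclaw";
+Group = "openclaw";
+StateDirectory = "openclaw";
+WorkingDirectory = "/var/lib/openclaw";
+ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
+exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
+'';
+ProtectHome = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectKernelLogs = true;
+ProtectClock = true;
+ProtectControlGroups = true;
+ProtectHostname = true;
+ProtectProc = "invisible";
+ProcSubset = "pid";
+RemoveIPC = true;
+RestrictSUIDSGID = true;
+RestrictNamespaces = true;
+RestrictRealtime = true;
+LockPersonality = true;
+UMask = "0077";
+PrivateDevices = true;
+DeviceAllow = [
+"/dev/null rw"
+"/dev/zero rw"
+"/dev/random r"
+"/dev/urandom r"
+];
+SystemCallFilter = [
+"@system-service"
+"~@mount"
+"@cpu-emulation"
+"@debug"
+"@keyring"
+"@module"
+"@obsolete"
+"@raw-io"
+"@reboot"
+"@swap"
+];
+SystemCallArchitectures = "native";
+ProtectSystem = "strict";
+ReadWritePaths = [
+"/var/lib/openclaw"
+];
+NoNewPrivileges = true;
+PrivateTmp = true;
+Restart = "always";
+};
+environment = {
+OPENCLAW_HOME = "/var/lib/openclaw";
+DISPLAY = ":99";
+# tell OpenClaw where Chrome is
+PUPPETEER_EXECUTABLE_PATH = "${pkgs.chromium}/bin/chromium";
+};
+};
+systemd.services.xvfb = {
+description = "X Virtual Framebuffer";
+after = [ "network.target" ];
+wantedBy = [ "multi-user.target" ];
+serviceConfig = {
+User = "openclaw";
+Group = "openclaw";
+ExecStart = "${pkgs.xorg.xvfb}/bin/Xvfb :99 -screen 0 1920x1080x24 +extension GLX +render -noreset";
+Environment = "DISPLAY=:99";
+};
+};
+}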
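Review bot: The `SystemCallFilter` list in the openclaw unit only denies `@mount`; the groups that follow it (`@cpu-emulation`, `@debug`, `@keyring`, `@module`, `@obsolete`, `@raw-io`, `@reboot`, `@swap`) lack the `~` prefix, so with `@system-service` as the first entry they are added to the allow-list rather than removed from it, the opposite of what a hardening list intends. Most of those groups are not part of `@system-service`, so the unit is less restricted than it reads; the unprivileged `User` still stops the privileged calls at the kernel's permission check, but the seccomp layer should deny them as well, which is a `~` on every entry after `@system-service`, as below. The companion `xvfb` unit carries none of this hardening and no `Restart=`, and `RestrictAddressFamilies` is absent from both units, which may be worth aligning in a follow-up.
```nix
SystemCallFilter = [
  # … unchanged: "@system-service" "~@mount" …
  "~@cpu-emulation"
  "~@debug"
  "~@keyring"
  "~@module"
  "~@obsolete"
  "~@raw-io"
  "~@reboot"
  "~@swap"
];
# … unchanged: remaining serviceConfig entries …
```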