From a94dacb64ca6f50b10ff0284d584a377fd2aa811 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?= Date: Sun, 15 Feb 2026 22:13:26 +0100 Subject: [PATCH] openclaw --- flake.lock | 117 ++++++++++++++++++++++++++++++---- flake.nix | 14 +++- secrets | 2 +- systems/ful/configuration.nix | 1 + systems/ful/openclaw.nix | 107 +++++++++++++++++++++++++++++++ 5 files changed, 228 insertions(+), 13 deletions(-) create mode 100644 systems/ful/openclaw.nix diff --git a/flake.lock b/flake.lock index 03d1a79..6f74347 100644 --- a/flake.lock +++ b/flake.lock @@ -113,6 +113,28 @@ "type": "github" } }, + "blueprint": { + "inputs": { + "nixpkgs": [ + "llm-agents", + "nixpkgs" + ], + "systems": "systems_2" + }, + "locked": { + "lastModified": 1769353768, + "narHash": "sha256-zI+7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0=", + "owner": "numtide", + "repo": "blueprint", + "rev": "c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "blueprint", + "type": "github" + } + }, "buildbot-nix": { "inputs": { "flake-parts": "flake-parts_3", @@ -121,7 +143,7 @@ "stockholm", "nixpkgs" ], - "treefmt-nix": "treefmt-nix_2" + "treefmt-nix": "treefmt-nix_3" }, "locked": { "lastModified": 1768927382, @@ -376,6 +398,26 @@ "type": "github" } }, + "llm-agents": { + "inputs": { + "blueprint": "blueprint", + "nixpkgs": "nixpkgs", + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1771167156, + "narHash": "sha256-hvlg7rTzAmfX2HW0GgrVGvbXoNioTK0bidbRv42QEhY=", + "owner": "numtide", + "repo": "llm-agents.nix", + "rev": "bbd22c02ac546b7ba07147eb14194128b44ff209", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "llm-agents.nix", + "type": "github" + } + }, "menstruation-backend": { "inputs": { "fenix": [ @@ -450,7 +492,7 @@ "nixpkgs": [ "nixpkgs-unstable" ], - "treefmt-nix": "treefmt-nix", + "treefmt-nix": "treefmt-nix_2", "wrappers": "wrappers" }, "locked": { 
@@ -547,16 +589,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1769598131, - "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "lastModified": 1770843696, + "narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-25.11", + "ref": "nixpkgs-unstable", "repo": "nixpkgs", "type": "github" } @@ -608,6 +650,22 @@ "type": "github" } }, + "nixpkgs_2": { + "locked": { + "lastModified": 1769598131, + "narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.11", + "repo": "nixpkgs", + "type": "github" + } + }, "nur": { "inputs": { "flake-parts": "flake-parts_2", @@ -675,6 +733,7 @@ "autorenkalender": "autorenkalender", "fenix": "fenix", "home-manager": "home-manager", + "llm-agents": "llm-agents", "menstruation-backend": "menstruation-backend", "menstruation-telegram": "menstruation-telegram", "naersk": "naersk", @@ -682,7 +741,7 @@ "nix-index-database": "nix-index-database", "nix-topology": "nix-topology", "nixos-hardware": "nixos-hardware", - "nixpkgs": "nixpkgs", + "nixpkgs": "nixpkgs_2", "nixpkgs-old": "nixpkgs-old", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", @@ -692,7 +751,7 @@ "stylix": "stylix", "telebots": "telebots", "tinc-graph": "tinc-graph", - "treefmt-nix": "treefmt-nix_3", + "treefmt-nix": "treefmt-nix_4", "voidrice": "voidrice", "wallpapers": "wallpapers", "wetter": "wetter", @@ -777,7 +836,7 @@ "nixpkgs" ], "nur": "nur_2", - "systems": "systems_2", + "systems": "systems_3", "tinted-foot": "tinted-foot", "tinted-kitty": "tinted-kitty", "tinted-schemes": "tinted-schemes", 
@@ -829,6 +888,21 @@ "type": "github" } }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, "telebots": { "inputs": { "nixpkgs": [ @@ -957,6 +1031,27 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "llm-agents", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1770228511, + "narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "337a4fe074be1042a35086f15481d763b8ddc0e7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "niphas", @@ -977,7 +1072,7 @@ "type": "github" } }, - "treefmt-nix_2": { + "treefmt-nix_3": { "inputs": { "nixpkgs": [ "stockholm", @@ -999,7 +1094,7 @@ "type": "github" } }, - "treefmt-nix_3": { + "treefmt-nix_4": { "inputs": { "nixpkgs": [ "nixpkgs" diff --git a/flake.nix b/flake.nix index 34bb469..71517ec 100644 --- a/flake.nix +++ b/flake.nix @@ -26,6 +26,7 @@ nix-topology.url = "github:oddlama/nix-topology"; wetter.url = "github:4z3/wetter"; wrappers.url = "github:lassulus/wrappers"; + llm-agents.url = "github:numtide/llm-agents.nix"; voidrice.flake = false; wallpapers.flake = false; @@ -78,6 +79,7 @@ scripts, tinc-graph, nix-topology, + llm-agents, nixpkgs-unstable, nixos-hardware, niphas, @@ -433,7 +435,12 @@ self.nixosModules.go-webring stockholm.nixosModules.reaktor2 nur.modules.nixos.default - { nixpkgs.overlays = [ stockholm.overlays.default ]; } + { + nixpkgs.overlays = [ + stockholm.overlays.default + llm-agents.overlays.default + ]; + } ]; }; zaatar = nixpkgs.lib.nixosSystem { 
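Review bot: `llm-agents.overlays.default` is applied to this host's whole nixpkgs next to `stockholm.overlays.default`, so every future bump of the `llm-agents` input can replace any package attribute the system evaluates, not merely add `pkgs.llm-agents.*`; the `nixosSystem` this module list belongs to starts outside the hunk. If the only consumer is the openclaw package, a narrower overlay such as `(final: prev: { llm-agents = llm-agents.packages.${prev.stdenv.hostPlatform.system}; })` keeps a third-party flake from shadowing anything else while still providing `pkgs.llm-agents.openclaw` — worth checking against that flake's own overlay definition before switching. A short comment above the overlay naming what it is there for (`# provides pkgs.llm-agents.openclaw for systems/ful/openclaw.nix`) would also help the next reader.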
@@ -621,4 +628,9 @@
       }
     );
   };
+
+  nixConfig = {
+    extra-substituters = [ "https://cache.numtide.com" ];
+    extra-trusted-public-keys = [ "niks3.numtide.com-1:DTx8wZduET09hRmMtKdQDxNNthLQETkc/yaX7M4qK0g=" ];
+  };
 }
diff --git a/secrets b/secrets
index 83d9103..55417d0 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit 83d9103f2081f2fd19e49da06c9277f7b5cd810f
+Subproject commit 55417d08355b571316d98c181c1ed2be3bcc1dc1
diff --git a/systems/ful/configuration.nix b/systems/ful/configuration.nix
index 6e610fa..5f1cb30 100644
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -16,6 +16,7 @@
     ./gemini.nix
     ./wallabag.nix
     ./nethack.nix
+    ./openclaw.nix
   ];
 
   niveum.passport = {
diff --git a/systems/ful/openclaw.nix b/systems/ful/openclaw.nix
new file mode 100644
index 0000000..c862df6
--- /dev/null
+++ b/systems/ful/openclaw.nix
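Review bot: The new `nixConfig` block lists the numtide cache key under `extra-trusted-public-keys`, and a trusted public key is trusted for every store path, not just the llm-agents closure — whoever controls that signing key can serve substitutes for any derivation this flake evaluates, so this widens the binary-trust root from cache.nixos.org to a second party. Nix only honours a flake's `nixConfig` when the invoking user accepts it (`--accept-flake-config`, or `accept-flake-config` / `trusted-users` in the daemon's nix.conf), so the block deserves a comment saying what it is for and where the key was verified, e.g. `# binary cache for llm-agents.nix; key checked against the upstream flake, applied only with --accept-flake-config`. If the cache is wanted only for the openclaw package, building it locally on the host and dropping the extra key is the smaller trust surface.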
@@ -0,0 +1,107 @@
+{ config, pkgs, ... }:
+{
+  users.users.openclaw = {
+    isSystemUser = true;
+    group = "openclaw";
+    extraGroups = [ "openclaw-shared" ]; # Access to shared data
+    home = "/var/lib/openclaw";
+    createHome = true;
+    shell = pkgs.bash;
+    packages = [
+      pkgs.llm-agents.openclaw
+      pkgs.chromium
+      pkgs.xorg.xvfb
+      pkgs.xorg.xauth
+      pkgs.xorg.xkbcomp
+    ];
+  };
+
+  users.groups.openclaw = { };
+  users.groups.openclaw-shared = { };
+
+  systemd.services.openclaw = {
+    description = "OpenClaw Gateway Service";
+    after = [
+      "network.target"
+      "xvfb.service"
+    ];
+    wantedBy = [ "multi-user.target" ];
+    wants = [ "xvfb.service" ];
+
+    path = config.users.users.openclaw.packages;
+
+    serviceConfig = {
+      User = "openclaw";
+      Group = "openclaw";
+      StateDirectory = "openclaw";
+      WorkingDirectory = "/var/lib/openclaw";
+
+      ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
+        exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
+      '';
+      ProtectHome = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectKernelLogs = true;
+      ProtectClock = true;
+      ProtectControlGroups = true;
+      ProtectHostname = true;
+      ProtectProc = "invisible";
+      ProcSubset = "pid";
+      RemoveIPC = true;
+      RestrictSUIDSGID = true;
+      RestrictNamespaces = true;
+      RestrictRealtime = true;
+      LockPersonality = true;
+      UMask = "0077";
+
+      PrivateDevices = true;
+      DeviceAllow = [
+        "/dev/null rw"
+        "/dev/zero rw"
+        "/dev/random r"
+        "/dev/urandom r"
+      ];
+      SystemCallFilter = [
+        "@system-service"
+        "~@mount"
+        "@cpu-emulation"
+        "@debug"
+        "@keyring"
+        "@module"
+        "@obsolete"
+        "@raw-io"
+        "@reboot"
+        "@swap"
+      ];
+      SystemCallArchitectures = "native";
+
+      ProtectSystem = "strict";
+      ReadWritePaths = [
+        "/var/lib/openclaw"
+      ];
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      Restart = "always";
+    };
+
+    environment = {
+      OPENCLAW_HOME = "/var/lib/openclaw";
+      DISPLAY = ":99";
+      # tell OpenClaw where Chrome is
+      PUPPETEER_EXECUTABLE_PATH = "${pkgs.chromium}/bin/chromium";
+    };
+  };
+
+  systemd.services.xvfb = {
+    description = "X Virtual Framebuffer";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      User = "openclaw";
+      Group = "openclaw";
+      ExecStart = "${pkgs.xorg.xvfb}/bin/Xvfb :99 -screen 0 1920x1080x24 +extension GLX +render -noreset";
+      Environment = "DISPLAY=:99";
+    };
+  };
+}
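Review bot: The `SystemCallFilter` list in the openclaw `serviceConfig` only denies `@mount`: that is the sole entry carrying the `~` prefix, so `@cpu-emulation`, `@debug`, `@keyring`, `@module`, `@obsolete`, `@raw-io`, `@reboot` and `@swap` are parsed as further allow-list entries and end up added to `@system-service` rather than removed from it, the opposite of the evident intent (NixOS emits one `SystemCallFilter=` line per list element, and systemd treats an element without `~` as an addition to an existing allow-list). Prefix every denied group with `~` (or collapse them into one `~`-prefixed string), and while there consider `~@privileged ~@resources`, an explicit `RestrictAddressFamilies`, and an empty `CapabilityBoundingSet`/`AmbientCapabilities`, since a `NoNewPrivileges` service running as an unprivileged user has no use for capabilities. Separately, `RestrictNamespaces = true` refuses the user/PID namespaces Chromium's own sandbox relies on, so if openclaw/puppeteer ends up launching the browser with `--no-sandbox`, pages visited on behalf of the agent render unsandboxed — verify how the browser is invoked before keeping that setting, and note that `PrivateTmp = true` hides `/tmp/.X11-unix/X99`, leaving only the abstract socket for reaching the display. The sibling `xvfb` unit has no hardening at all and its command line passes neither `-nolisten tcp` nor `-auth`; making `-nolisten tcp` explicit keeps the display off the network regardless of the Xvfb build default.

```nix
# … unchanged: User/Group/StateDirectory/WorkingDirectory/ExecStart and the Protect*/Restrict* lines …
CapabilityBoundingSet = "";
AmbientCapabilities = "";
# AF_NETLINK is presumably needed by Chromium's network-change notifier — confirm
RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
SystemCallFilter = [
  "@system-service"
  # every group below is denied; without the leading ~ they would be *added* to the allow-list
  "~@mount @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap @privileged @resources"
];
SystemCallArchitectures = "native";
# … unchanged: ProtectSystem/ReadWritePaths/NoNewPrivileges/PrivateTmp/Restart …
```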