openclaw: rip

wip: fix makanek deploy
opencrow
2026-03-16 10:11:08 +01:00 · 2026-02-18 18:19:20 +01:00 · 2026-02-18 18:18:08 +01:00 · 2026-02-18 18:17:45 +01:00
9 changed files with 80 additions and 136 deletions
--- a/configs/bots/default.nix
+++ b/configs/bots/default.nix
@@ -69,7 +69,7 @@ in
    wantedBy = [ "multi-user.target" ];
    description = "Telegram reverse bot";
    path = [ pkgs.ffmpeg ];
-    enable = true;
+    enable = false;
    script = ''
      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-reverse
    '';
@@ -81,7 +81,7 @@ in
  systemd.services.telegram-streaming-link = {
    wantedBy = [ "multi-user.target" ];
    description = "Telegram bot converting YouTube Music <-> Spotify";
-    enable = true;
+    enable = false;
    script = ''
      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-streaming-link
    '';
@@ -92,7 +92,7 @@ in
  systemd.services.telegram-betacode = {
    wantedBy = [ "multi-user.target" ];
    description = "Telegram beta code bot";
-    enable = true;
+    enable = false;
    script = ''
      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-betacode
    '';
@@ -103,7 +103,7 @@ in
  systemd.services.telegram-proverb = {
    wantedBy = [ "multi-user.target" ];
    description = "Telegram proverb bot";
-    enable = true;
+    enable = false;
    script = ''
      TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-proverb
    '';
--- a/flake.lock
+++ b/flake.lock
@@ -712,6 +712,29 @@
        "type": "github"
      }
    },
+    "opencrow": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1771337567,
+        "narHash": "sha256-DiH3hGzC7z6qv39zuFCrMrKDTKdtsN+z/OorsbBdJaQ=",
+        "owner": "pinpox",
+        "repo": "opencrow",
+        "rev": "8da71c7d1d04e27ffb5aade99f67e591d52c30c4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "pinpox",
+        "repo": "opencrow",
+        "type": "github"
+      }
+    },
    "retiolum": {
      "locked": {
        "lastModified": 1756302470,
@@ -745,6 +768,7 @@
        "nixpkgs-old": "nixpkgs-old",
        "nixpkgs-unstable": "nixpkgs-unstable",
        "nur": "nur",
+        "opencrow": "opencrow",
        "retiolum": "retiolum",
        "scripts": "scripts",
        "stockholm": "stockholm",
--- a/flake.nix
+++ b/flake.nix
@@ -46,6 +46,8 @@

    agenix.inputs.home-manager.follows = "home-manager";

+    opencrow.inputs.treefmt-nix.follows = "treefmt-nix";
+
    agenix.inputs.nixpkgs.follows = "nixpkgs";
    autorenkalender.inputs.nixpkgs.follows = "nixpkgs";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
@@ -284,6 +286,7 @@
        };

        # packaged from inputs
+        opencrow = opencrow.packages.${prev.stdenv.hostPlatform.system}.opencrow;
        wetter = wetter.packages.${prev.stdenv.hostPlatform.system}.wetter;
        agenix = agenix.packages.${prev.stdenv.hostPlatform.system}.default;
        pun-sort-api = scripts.packages.${prev.stdenv.hostPlatform.system}.pun-sort-api;
--- a/packages/pi.nix
+++ b/packages/pi.nix
@@ -18,7 +18,7 @@ let
        ];
        outputHashMode = "recursive";
        outputHashAlgo = "sha256";
-        outputHash = "sha256-hfYl0Slxg3nuN6KTtvpWW0QUxtg3JRE0n9N7rIXBTOc=";
+        outputHash = "sha256-ruCukrbH89/uZHhxYSmrcs5NUi2ZG8nuwTEuJKHP2rw=";
        impureEnvVars = [
          "http_proxy"
          "https_proxy"
--- a/2
+++ b/2
--- a/systems/ful/configuration.nix
+++ b/systems/ful/configuration.nix
@@ -16,7 +16,6 @@
    ./gemini.nix
    ./wallabag.nix
    ./nethack.nix
-    ./openclaw.nix
    ./opencrow.nix
  ];

--- a/systems/ful/openclaw.nix
+++ b/systems/ful/openclaw.nix
@@ -1,117 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  users.users.openclaw = {
-    isSystemUser = true;
-    group = "openclaw";
-    extraGroups = [ "openclaw-shared" ]; # Access to shared data
-    home = "/var/lib/openclaw";
-    createHome = true;
-    shell = pkgs.bash;
-    packages = [
-      pkgs.llm-agents.openclaw
-    ];
-  };
-
-  users.groups.openclaw = { };
-  users.groups.openclaw-shared = { };
-
-  systemd.services.openclaw = {
-    description = "OpenClaw Gateway Service";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    path = config.users.users.openclaw.packages;
-
-    serviceConfig = {
-      User = "openclaw";
-      Group = "openclaw";
-      StateDirectory = "openclaw";
-      WorkingDirectory = "/var/lib/openclaw";
-
-      ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
-        exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
-      '';
-      ProtectHome = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectClock = true;
-      ProtectControlGroups = true;
-      ProtectHostname = true;
-      ProcSubset = "pid";
-      RemoveIPC = true;
-      AmbientCapabilities = ["CAP_NET_RAW"]; # access chromium websockets
-      RestrictSUIDSGID = true;
-      RestrictNamespaces = false; # might be used by websocket library
-      RestrictRealtime = true;
-      LockPersonality = true;
-      UMask = "0077";
-
-      PrivateDevices = true;
-      DeviceAllow = [
-        "/dev/null rw"
-        "/dev/zero rw"
-        "/dev/random r"
-        "/dev/urandom r"
-      ];
-      SystemCallFilter = [
-        "@system-service"
-        "~@mount"
-        "@cpu-emulation"
-        "@debug"
-        "@keyring"
-        "@module"
-        "@obsolete"
-        "@raw-io"
-        "@reboot"
-        "@swap"
-      ];
-      SystemCallArchitectures = "native";
-
-      ProtectSystem = "strict";
-      ReadWritePaths = [
-        "/var/lib/openclaw"
-      ];
-      NoNewPrivileges = true;
-      PrivateTmp = true;
-      Restart = "always";
-    };
-
-    environment = {
-      OPENCLAW_HOME = "/var/lib/openclaw";
-    };
-  };
-
-  services.restic.backups.niveum.paths = [
-    config.users.users.openclaw.home
-  ];
-
-  systemd.services.openclaw-browser = {
-    description = "OpenClaw Browser (unrestricted)";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    serviceConfig = {
-      User = "openclaw";
-      Group = "openclaw";
-      WorkingDirectory = "/var/lib/openclaw";
-      # NO hardening here - let Chrome do its thing
-      ExecStart = "${lib.getExe pkgs.chromium} ${
-        lib.escapeShellArgs [
-          "--headless"
-          "--no-sandbox"
-          "--disable-setuid-sandbox"
-          "--disable-dev-shm-usage"
-          "--remote-debugging-port=9222"
-          "--remote-debugging-address=127.0.0.1"
-        ]
-      }";
-      Restart = "always";
-    };
-  };
-}
--- a/systems/ful/opencrow.nix
+++ b/systems/ful/opencrow.nix
@@ -11,37 +11,72 @@
    opencrow-soul = {
      file = ../../secrets/opencrow-soul.age;
    };
+    opencrow-gemini-key = {
+      file = ../../secrets/opencrow-gemini-key.age;
+    };
+    opencrow-openrouter-key = {
+      file = ../../secrets/opencrow-openrouter-key.age;
+    };
  };

+  environment.systemPackages = [
+    pkgs.pi
+  ];
+
  services.opencrow = {
    enable = true;

-    extraPackages = [ pkgs.pi pkgs.nix ];
+    package = pkgs.opencrow;
+
+    extraPackages = [
+      pkgs.pi
+      pkgs.nix
+    ];

    environmentFiles = [
      config.age.secrets.opencrow-matrix-token.path
+      config.age.secrets.opencrow-openrouter-key.path
+      config.age.secrets.opencrow-gemini-key.path
    ];

-    extraBindMounts."/run/secrets/opencrow-soul" = {
+    extraBindMounts."/run/opencrow/SOUL.md" = {
      hostPath = config.age.secrets.opencrow-soul.path;
      isReadOnly = true;
    };

-    extraBindMounts."/nix/var/nix/daemon-socket" = {
-      hostPath = "/nix/var/nix/daemon-socket";
-      isReadOnly = false;
-     };
-
    environment = {
-      PI_PERMISSION_LEVEL= "high";
+      NIX_REMOTE = "daemon";
+
+      PI_PERMISSION_LEVEL = "high";
      OPENCROW_MATRIX_HOMESERVER = "https://matrix.4d2.org";
      OPENCROW_MATRIX_USER_ID = "@fable:4d2.org";
-      OPENCROW_PI_PROVIDER = "github-copilot";
-      OPENCROW_PI_MODEL = "gemini-3-flash-preview";
-      OPENCROW_SOUL_FILE = "/run/secrets/opencrow-soul";
+      OPENCROW_SOUL_FILE = "/run/opencrow/SOUL.md";
+      OPENCROW_HEARTBEAT_INTERVAL = "2h";
+
+      # end of the month
+      OPENCROW_PI_PROVIDER = "openrouter";
+      OPENCROW_PI_MODEL = "stepfun/step-3.5-flash:free";
+      # OPENCROW_PI_PROVIDER = "google";
+      # OPENCROW_PI_MODEL = "gemini-2.0-flash";
+
+      # beginning of the month
+      # OPENCROW_PI_PROVIDER = "github-copilot";
+      # OPENCROW_PI_MODEL = "claude-opus-4.6";
    };
  };

+  containers.opencrow.config = {
+    nix.settings.experimental-features = [
+      "flakes"
+      "nix-command"
+    ];
+  };
+
+  nix.settings.experimental-features = [
+    "flakes"
+    "nix-command"
+  ];
+
  services.restic.backups.niveum.paths = [
    "/var/lib/opencrow"
  ];
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -9,7 +9,7 @@
    ./gitea.nix
    ./hardware-configuration.nix
    ./hedgedoc.nix
-    ./menstruation.nix
+    # ./menstruation.nix
    ./moinbot.nix
    ./monitoring
    # ./names.nix
Author	SHA1	Message	Date
Kierán Meinhardt	3216cd19f5	openclaw: rip	2026-02-18 18:19:20 +01:00
Kierán Meinhardt	14494ca1f7	wip: fix makanek deploy	2026-02-18 18:18:08 +01:00
Kierán Meinhardt	201e9e5f60	opencrow	2026-02-18 18:17:45 +01:00