kfm/niveum
1
0
Fork 0
mirror of https://github.com/kmein/niveum synced 2026-03-22 21:01:07 +01:00
Code Releases Activity

Compare commits

base: kfm:2b59d2a68eae623afcba218bcc7d6c145618e7b9
Branches Tags
kfm:master kfm:update_flake_lock_action kfm:nethack kfm:wayland kfm:feature/hass-prometheus kfm:feature/itools kfm:feature/specus kfm:hass-nix-2 kfm:hass-nix kfm:grimm kfm:mympd kfm:tahina kfm:new-krops kfm:flakes kfm:flakes-2 kfm:20.09 kfm:mail
...
compare: kfm:3216cd19f55dae4e54be4918121aee3424e71eb2
Branches Tags
kfm:master kfm:update_flake_lock_action kfm:nethack kfm:wayland kfm:feature/hass-prometheus kfm:feature/itools kfm:feature/specus kfm:hass-nix-2 kfm:hass-nix kfm:grimm kfm:mympd kfm:tahina kfm:new-krops kfm:flakes kfm:flakes-2 kfm:20.09 kfm:mail

3 Commits
2b59d2a68e ... 3216cd19f5

Author SHA1 Message Date
Kierán Meinhardt
3216cd19f5 openclaw: rip 2026-02-18 18:19:20 +01:00
Kierán Meinhardt
14494ca1f7 wip: fix makanek deploy 2026-02-18 18:18:08 +01:00
Kierán Meinhardt
201e9e5f60 opencrow 2026-02-18 18:17:45 +01:00
9 changed files with 80 additions and 136 deletions
Expand all files Collapse all files

8
configs/bots/default.nix
View File

@@ -69,7 +69,7 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Telegram reverse bot"; description = "Telegram reverse bot";
path = [ pkgs.ffmpeg ]; path = [ pkgs.ffmpeg ];
enable = true; enable = false;
script = '' script = ''
TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-reverse TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-reverse
''; '';
@@ -81,7 +81,7 @@ in
systemd.services.telegram-streaming-link = { systemd.services.telegram-streaming-link = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Telegram bot converting YouTube Music <-> Spotify"; description = "Telegram bot converting YouTube Music <-> Spotify";
enable = true; enable = false;
script = '' script = ''
TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-streaming-link TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-streaming-link
''; '';
@@ -92,7 +92,7 @@ in
systemd.services.telegram-betacode = { systemd.services.telegram-betacode = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Telegram beta code bot"; description = "Telegram beta code bot";
enable = true; enable = false;
script = '' script = ''
TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-betacode TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-betacode
''; '';
@@ -103,7 +103,7 @@ in
systemd.services.telegram-proverb = { systemd.services.telegram-proverb = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
description = "Telegram proverb bot"; description = "Telegram proverb bot";
enable = true; enable = false;
script = '' script = ''
TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-proverb TELEGRAM_BOT_TOKEN="$(cat "$CREDENTIALS_DIRECTORY/token")" ${pkgs.telebots}/bin/telegram-proverb
''; '';

24
flake.lock generated
View File

@@ -712,6 +712,29 @@
"type": "github" "type": "github"
} }
}, },
"opencrow": {
"inputs": {
"nixpkgs": [
"nixpkgs"
],
"treefmt-nix": [
"treefmt-nix"
]
},
"locked": {
"lastModified": 1771337567,
"narHash": "sha256-DiH3hGzC7z6qv39zuFCrMrKDTKdtsN+z/OorsbBdJaQ=",
"owner": "pinpox",
"repo": "opencrow",
"rev": "8da71c7d1d04e27ffb5aade99f67e591d52c30c4",
"type": "github"
},
"original": {
"owner": "pinpox",
"repo": "opencrow",
"type": "github"
}
},
"retiolum": { "retiolum": {
"locked": { "locked": {
"lastModified": 1756302470, "lastModified": 1756302470,
@@ -745,6 +768,7 @@
"nixpkgs-old": "nixpkgs-old", "nixpkgs-old": "nixpkgs-old",
"nixpkgs-unstable": "nixpkgs-unstable", "nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur", "nur": "nur",
"opencrow": "opencrow",
"retiolum": "retiolum", "retiolum": "retiolum",
"scripts": "scripts", "scripts": "scripts",
"stockholm": "stockholm", "stockholm": "stockholm",

3
flake.nix
View File

@@ -46,6 +46,8 @@
agenix.inputs.home-manager.follows = "home-manager"; agenix.inputs.home-manager.follows = "home-manager";
opencrow.inputs.treefmt-nix.follows = "treefmt-nix";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";
autorenkalender.inputs.nixpkgs.follows = "nixpkgs"; autorenkalender.inputs.nixpkgs.follows = "nixpkgs";
home-manager.inputs.nixpkgs.follows = "nixpkgs"; home-manager.inputs.nixpkgs.follows = "nixpkgs";
@@ -284,6 +286,7 @@
}; };
# packaged from inputs # packaged from inputs
opencrow = opencrow.packages.${prev.stdenv.hostPlatform.system}.opencrow;
wetter = wetter.packages.${prev.stdenv.hostPlatform.system}.wetter; wetter = wetter.packages.${prev.stdenv.hostPlatform.system}.wetter;
agenix = agenix.packages.${prev.stdenv.hostPlatform.system}.default; agenix = agenix.packages.${prev.stdenv.hostPlatform.system}.default;
pun-sort-api = scripts.packages.${prev.stdenv.hostPlatform.system}.pun-sort-api; pun-sort-api = scripts.packages.${prev.stdenv.hostPlatform.system}.pun-sort-api;

2
packages/pi.nix
View File

@@ -18,7 +18,7 @@ let
]; ];
outputHashMode = "recursive"; outputHashMode = "recursive";
outputHashAlgo = "sha256"; outputHashAlgo = "sha256";
outputHash = "sha256-hfYl0Slxg3nuN6KTtvpWW0QUxtg3JRE0n9N7rIXBTOc="; outputHash = "sha256-ruCukrbH89/uZHhxYSmrcs5NUi2ZG8nuwTEuJKHP2rw=";
impureEnvVars = [ impureEnvVars = [
"http_proxy" "http_proxy"
"https_proxy" "https_proxy"

2
secrets

Submodule secrets updated: 2309c34eb6...94998bbbe0

1
systems/ful/configuration.nix
View File

@@ -16,7 +16,6 @@
./gemini.nix ./gemini.nix
./wallabag.nix ./wallabag.nix
./nethack.nix ./nethack.nix
./openclaw.nix
./opencrow.nix ./opencrow.nix
]; ];

117
systems/ful/openclaw.nix
View File

@@ -1,117 +0,0 @@
{
config,
lib,
pkgs,
...
}:
{
users.users.openclaw = {
isSystemUser = true;
group = "openclaw";
extraGroups = [ "openclaw-shared" ]; # Access to shared data
home = "/var/lib/openclaw";
createHome = true;
shell = pkgs.bash;
packages = [
pkgs.llm-agents.openclaw
];
};
users.groups.openclaw = { };
users.groups.openclaw-shared = { };
systemd.services.openclaw = {
description = "OpenClaw Gateway Service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = config.users.users.openclaw.packages;
serviceConfig = {
User = "openclaw";
Group = "openclaw";
StateDirectory = "openclaw";
WorkingDirectory = "/var/lib/openclaw";
ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
'';
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProcSubset = "pid";
RemoveIPC = true;
AmbientCapabilities = ["CAP_NET_RAW"]; # access chromium websockets
RestrictSUIDSGID = true;
RestrictNamespaces = false; # might be used by websocket library
RestrictRealtime = true;
LockPersonality = true;
UMask = "0077";
PrivateDevices = true;
DeviceAllow = [
"/dev/null rw"
"/dev/zero rw"
"/dev/random r"
"/dev/urandom r"
];
SystemCallFilter = [
"@system-service"
"~@mount"
"@cpu-emulation"
"@debug"
"@keyring"
"@module"
"@obsolete"
"@raw-io"
"@reboot"
"@swap"
];
SystemCallArchitectures = "native";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/openclaw"
];
NoNewPrivileges = true;
PrivateTmp = true;
Restart = "always";
};
environment = {
OPENCLAW_HOME = "/var/lib/openclaw";
};
};
services.restic.backups.niveum.paths = [
config.users.users.openclaw.home
];
systemd.services.openclaw-browser = {
description = "OpenClaw Browser (unrestricted)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "openclaw";
Group = "openclaw";
WorkingDirectory = "/var/lib/openclaw";
# NO hardening here - let Chrome do its thing
ExecStart = "${lib.getExe pkgs.chromium} ${
lib.escapeShellArgs [
"--headless"
"--no-sandbox"
"--disable-setuid-sandbox"
"--disable-dev-shm-usage"
"--remote-debugging-port=9222"
"--remote-debugging-address=127.0.0.1"
]
}";
Restart = "always";
};
};
}

57
systems/ful/opencrow.nix
View File

@@ -11,37 +11,72 @@
opencrow-soul = { opencrow-soul = {
file = ../../secrets/opencrow-soul.age; file = ../../secrets/opencrow-soul.age;
}; };
opencrow-gemini-key = {
file = ../../secrets/opencrow-gemini-key.age;
};
opencrow-openrouter-key = {
file = ../../secrets/opencrow-openrouter-key.age;
};
}; };
environment.systemPackages = [
pkgs.pi
];
services.opencrow = { services.opencrow = {
enable = true; enable = true;
extraPackages = [ pkgs.pi pkgs.nix ]; package = pkgs.opencrow;
extraPackages = [
pkgs.pi
pkgs.nix
];
environmentFiles = [ environmentFiles = [
config.age.secrets.opencrow-matrix-token.path config.age.secrets.opencrow-matrix-token.path
config.age.secrets.opencrow-openrouter-key.path
config.age.secrets.opencrow-gemini-key.path
]; ];
extraBindMounts."/run/secrets/opencrow-soul" = { extraBindMounts."/run/opencrow/SOUL.md" = {
hostPath = config.age.secrets.opencrow-soul.path; hostPath = config.age.secrets.opencrow-soul.path;
isReadOnly = true; isReadOnly = true;
}; };
extraBindMounts."/nix/var/nix/daemon-socket" = {
hostPath = "/nix/var/nix/daemon-socket";
isReadOnly = false;
};
environment = { environment = {
PI_PERMISSION_LEVEL= "high"; NIX_REMOTE = "daemon";
PI_PERMISSION_LEVEL = "high";
OPENCROW_MATRIX_HOMESERVER = "https://matrix.4d2.org"; OPENCROW_MATRIX_HOMESERVER = "https://matrix.4d2.org";
OPENCROW_MATRIX_USER_ID = "@fable:4d2.org"; OPENCROW_MATRIX_USER_ID = "@fable:4d2.org";
OPENCROW_PI_PROVIDER = "github-copilot"; OPENCROW_SOUL_FILE = "/run/opencrow/SOUL.md";
OPENCROW_PI_MODEL = "gemini-3-flash-preview"; OPENCROW_HEARTBEAT_INTERVAL = "2h";
OPENCROW_SOUL_FILE = "/run/secrets/opencrow-soul";
# end of the month
OPENCROW_PI_PROVIDER = "openrouter";
OPENCROW_PI_MODEL = "stepfun/step-3.5-flash:free";
# OPENCROW_PI_PROVIDER = "google";
# OPENCROW_PI_MODEL = "gemini-2.0-flash";
# beginning of the month
# OPENCROW_PI_PROVIDER = "github-copilot";
# OPENCROW_PI_MODEL = "claude-opus-4.6";
}; };
}; };
containers.opencrow.config = {
nix.settings.experimental-features = [
"flakes"
"nix-command"
];
};
nix.settings.experimental-features = [
"flakes"
"nix-command"
];
services.restic.backups.niveum.paths = [ services.restic.backups.niveum.paths = [
"/var/lib/opencrow" "/var/lib/opencrow"
]; ];

2
systems/makanek/configuration.nix
View File

@@ -9,7 +9,7 @@
./gitea.nix ./gitea.nix
./hardware-configuration.nix ./hardware-configuration.nix
./hedgedoc.nix ./hedgedoc.nix
./menstruation.nix # ./menstruation.nix
./moinbot.nix ./moinbot.nix
./monitoring ./monitoring
# ./names.nix # ./names.nix