
4 Commits

Author SHA1 Message Date
21029d3bbc openclaw: add backups 2026-02-15 22:39:47 +01:00
d8bad81090 openclaw: give it a browser to play with 2026-02-15 22:36:29 +01:00
f12beaa69e picoclaw 2026-02-15 22:14:20 +01:00
a94dacb64c openclaw 2026-02-15 22:13:26 +01:00
6 changed files with 274 additions and 13 deletions

117
flake.lock generated

@@ -113,6 +113,28 @@
"type": "github"
}
},
"blueprint": {
"inputs": {
"nixpkgs": [
"llm-agents",
"nixpkgs"
],
"systems": "systems_2"
},
"locked": {
"lastModified": 1769353768,
"narHash": "sha256-zI+7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0=",
"owner": "numtide",
"repo": "blueprint",
"rev": "c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "blueprint",
"type": "github"
}
},
"buildbot-nix": {
"inputs": {
"flake-parts": "flake-parts_3",
@@ -121,7 +143,7 @@
"stockholm",
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_2"
"treefmt-nix": "treefmt-nix_3"
},
"locked": {
"lastModified": 1768927382,
@@ -376,6 +398,26 @@
"type": "github"
}
},
"llm-agents": {
"inputs": {
"blueprint": "blueprint",
"nixpkgs": "nixpkgs",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1771167156,
"narHash": "sha256-hvlg7rTzAmfX2HW0GgrVGvbXoNioTK0bidbRv42QEhY=",
"owner": "numtide",
"repo": "llm-agents.nix",
"rev": "bbd22c02ac546b7ba07147eb14194128b44ff209",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "llm-agents.nix",
"type": "github"
}
},
"menstruation-backend": {
"inputs": {
"fenix": [
@@ -450,7 +492,7 @@
"nixpkgs": [
"nixpkgs-unstable"
],
"treefmt-nix": "treefmt-nix",
"treefmt-nix": "treefmt-nix_2",
"wrappers": "wrappers"
},
"locked": {
@@ -547,16 +589,16 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1769598131,
"narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
"lastModified": 1770843696,
"narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
"rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -608,6 +650,22 @@
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1769598131,
"narHash": "sha256-e7VO/kGLgRMbWtpBqdWl0uFg8Y2XWFMdz0uUJvlML8o=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fa83fd837f3098e3e678e6cf017b2b36102c7211",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": {
"inputs": {
"flake-parts": "flake-parts_2",
@@ -675,6 +733,7 @@
"autorenkalender": "autorenkalender",
"fenix": "fenix",
"home-manager": "home-manager",
"llm-agents": "llm-agents",
"menstruation-backend": "menstruation-backend",
"menstruation-telegram": "menstruation-telegram",
"naersk": "naersk",
@@ -682,7 +741,7 @@
"nix-index-database": "nix-index-database",
"nix-topology": "nix-topology",
"nixos-hardware": "nixos-hardware",
"nixpkgs": "nixpkgs",
"nixpkgs": "nixpkgs_2",
"nixpkgs-old": "nixpkgs-old",
"nixpkgs-unstable": "nixpkgs-unstable",
"nur": "nur",
@@ -692,7 +751,7 @@
"stylix": "stylix",
"telebots": "telebots",
"tinc-graph": "tinc-graph",
"treefmt-nix": "treefmt-nix_3",
"treefmt-nix": "treefmt-nix_4",
"voidrice": "voidrice",
"wallpapers": "wallpapers",
"wetter": "wetter",
@@ -777,7 +836,7 @@
"nixpkgs"
],
"nur": "nur_2",
"systems": "systems_2",
"systems": "systems_3",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@@ -829,6 +888,21 @@
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"telebots": {
"inputs": {
"nixpkgs": [
@@ -957,6 +1031,27 @@
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"llm-agents",
"nixpkgs"
]
},
"locked": {
"lastModified": 1770228511,
"narHash": "sha256-wQ6NJSuFqAEmIg2VMnLdCnUc0b7vslUohqqGGD+Fyxk=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "337a4fe074be1042a35086f15481d763b8ddc0e7",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_2": {
"inputs": {
"nixpkgs": [
"niphas",
@@ -977,7 +1072,7 @@
"type": "github"
}
},
"treefmt-nix_2": {
"treefmt-nix_3": {
"inputs": {
"nixpkgs": [
"stockholm",
@@ -999,7 +1094,7 @@
"type": "github"
}
},
"treefmt-nix_3": {
"treefmt-nix_4": {
"inputs": {
"nixpkgs": [
"nixpkgs"


@@ -26,6 +26,7 @@
nix-topology.url = "github:oddlama/nix-topology";
wetter.url = "github:4z3/wetter";
wrappers.url = "github:lassulus/wrappers";
llm-agents.url = "github:numtide/llm-agents.nix";
voidrice.flake = false;
wallpapers.flake = false;
@@ -78,6 +79,7 @@
scripts,
tinc-graph,
nix-topology,
llm-agents,
nixpkgs-unstable,
nixos-hardware,
niphas,
@@ -249,6 +251,7 @@
morris = prev.callPackage packages/morris.nix { };
cro = prev.callPackage packages/cro.nix { };
exodus = prev.callPackage packages/exodus.nix { };
picoclaw = prev.callPackage packages/picoclaw.nix { };
dmenu = prev.writers.writeDashBin "dmenu" ''exec ${final.rofi}/bin/rofi -dmenu "$@"'';
weechatScripts = prev.weechatScripts // {
hotlist2extern = prev.callPackage packages/weechatScripts/hotlist2extern.nix { }; # TODO upstream
@@ -433,7 +436,12 @@
self.nixosModules.go-webring
stockholm.nixosModules.reaktor2
nur.modules.nixos.default
{ nixpkgs.overlays = [ stockholm.overlays.default ]; }
{
nixpkgs.overlays = [
stockholm.overlays.default
llm-agents.overlays.default
];
}
];
};
zaatar = nixpkgs.lib.nixosSystem {
@@ -590,6 +598,7 @@
notemenu
obsidian-vim
opustags
picoclaw
pls
polyglot
q
@@ -621,4 +630,9 @@
}
);
};
nixConfig = {
extra-substituters = [ "https://cache.numtide.com" ];
extra-trusted-public-keys = [ "niks3.numtide.com-1:DTx8wZduET09hRmMtKdQDxNNthLQETkc/yaX7M4qK0g=" ];
};
}
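Review bot: The new `nixConfig` block at the end of the file adds cache.numtide.com and its signing key as a trusted substituter without recording why; anything signed by that key is substituted instead of built, so the reason (presumably the new llm-agents input) and where the key was obtained from belong in a comment above it, e.g. `# binary cache for the llm-agents input; key taken from <source, to confirm>`. Note that these `extra-*` settings only apply when the evaluating user accepts the flake's config (`accept-flake-config`); otherwise the input is built from source. The `picoclaw` overlay entry and the `llm-agents.overlays.default` addition look fine.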

34
packages/picoclaw.nix Normal file

@@ -0,0 +1,34 @@
{ lib, buildGoModule, fetchFromGitHub }:
buildGoModule (finalAttrs: {
pname = "picoclaw";
version = "0.1.1";
src = fetchFromGitHub {
owner = "sipeed";
repo = "picoclaw";
rev = "v${finalAttrs.version}";
hash = "sha256-nx/D8ir4/l0pTnMNORby2FNtU+ouKT0DUjP2vpJLmPk=";
};
postPatch = ''
substituteInPlace go.mod --replace "go 1.25.7" "go 1.25.5"
'';
proxyVendor = true;
# Set to lib.fakeHash or empty initially, then update with the actual hash Nix reports.
vendorHash = "sha256-XKwYmbMyf4yg/E4Yv0uMS9v0oAuMZJwvoaAPCL/1AAY=";
subPackages = [ "cmd/picoclaw" ];
ldflags = [
"-s" "-w"
"-X main.version=${finalAttrs.version}"
];
meta = with lib; {
description = "Ultra-efficient AI Assistant in Go for $10 hardware";
homepage = "https://github.com/sipeed/picoclaw";
license = licenses.mit; # Verify license in the repo
maintainers = [];
};
})
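Review bot: The `postPatch` rewrite of go.mod uses `--replace`, which silently does nothing when the pattern is absent, so the next version bump that changes the `go` directive will leave the build failing somewhere less obvious; `substituteInPlace go.mod --replace-fail "go 1.25.7" "go 1.25.5"` makes the mismatch visible at patch time. The downgrade itself overrides upstream's declared minimum toolchain and deserves a why-comment (`# nixpkgs Go is 1.25.5; upstream declares 1.25.7 but appears to build — TODO revisit on toolchain bump`) so it gets removed once it is no longer needed. The scaffolding comments `# Set to lib.fakeHash or empty initially ...` and `# Verify license in the repo` read as unfinished: the first should be dropped now that `vendorHash` is filled in, and the second resolved against the repository's LICENSE file before merge.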

Submodule secrets updated: 83d9103f20...55417d0835


@@ -16,6 +16,7 @@
./gemini.nix
./wallabag.nix
./nethack.nix
./openclaw.nix
];
niveum.passport = {

117
systems/ful/openclaw.nix Normal file

@@ -0,0 +1,117 @@
{
config,
lib,
pkgs,
...
}:
{
users.users.openclaw = {
isSystemUser = true;
group = "openclaw";
extraGroups = [ "openclaw-shared" ]; # Access to shared data
home = "/var/lib/openclaw";
createHome = true;
shell = pkgs.bash;
packages = [
pkgs.llm-agents.openclaw
];
};
users.groups.openclaw = { };
users.groups.openclaw-shared = { };
systemd.services.openclaw = {
description = "OpenClaw Gateway Service";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
path = config.users.users.openclaw.packages;
serviceConfig = {
User = "openclaw";
Group = "openclaw";
StateDirectory = "openclaw";
WorkingDirectory = "/var/lib/openclaw";
ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
'';
ProtectHome = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHostname = true;
ProtectProc = "invisible";
ProcSubset = "pid";
RemoveIPC = true;
RestrictSUIDSGID = true;
RestrictNamespaces = true;
RestrictRealtime = true;
LockPersonality = true;
UMask = "0077";
PrivateDevices = true;
DeviceAllow = [
"/dev/null rw"
"/dev/zero rw"
"/dev/random r"
"/dev/urandom r"
];
SystemCallFilter = [
"@system-service"
"~@mount"
"@cpu-emulation"
"@debug"
"@keyring"
"@module"
"@obsolete"
"@raw-io"
"@reboot"
"@swap"
];
SystemCallArchitectures = "native";
ProtectSystem = "strict";
ReadWritePaths = [
"/var/lib/openclaw"
];
NoNewPrivileges = true;
PrivateTmp = true;
Restart = "always";
};
environment = {
OPENCLAW_HOME = "/var/lib/openclaw";
};
};
services.restic.backups.niveum.paths = [
config.users.users.openclaw.home
];
systemd.services.openclaw-browser = {
description = "OpenClaw Browser (unrestricted)";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
User = "openclaw";
Group = "openclaw";
WorkingDirectory = "/var/lib/openclaw";
# NO hardening here - let Chrome do its thing
ExecStart = "${lib.getExe pkgs.chromium} ${
lib.escapeShellArgs [
"--headless"
"--no-sandbox"
"--disable-setuid-sandbox"
"--disable-dev-shm-usage"
"--remote-debugging-port=9222"
"--remote-debugging-address=127.0.0.1"
]
}";
Restart = "always";
};
};
}
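Review bot: The `SystemCallFilter` list in the gateway's serviceConfig allow-lists the eight groups after `"~@mount"` instead of denying them: NixOS emits one `SystemCallFilter=` line per list element, and systemd only inverts a line that itself starts with `~`, so `"@cpu-emulation"`, `"@debug"`, `"@keyring"` and the rest are added to the `@system-service` allow set. If the intent is to deny them, collapse them into one negated element, `"~@mount @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap"`, or prefix each element with `~`. Separately, `openclaw-browser` runs with no hardening as the same user and in the same `/var/lib/openclaw` directory as the gateway, so the gateway's `ProtectSystem`/`ReadWritePaths` restrictions do not bound anything that reaches the browser, and the DevTools port on 127.0.0.1:9222 is unauthenticated and reachable by every local process; a dedicated user for the browser, or at least a comment next to `# NO hardening here` stating that this trade-off is accepted, would make the trust boundary explicit.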