mirror of
https://github.com/kmein/niveum
synced 2026-03-16 18:21:07 +01:00
118 lines
2.7 KiB
Nix
118 lines
2.7 KiB
Nix
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
...
|
|
}:
|
|
{
|
|
users.users.openclaw = {
|
|
isSystemUser = true;
|
|
group = "openclaw";
|
|
extraGroups = [ "openclaw-shared" ]; # Access to shared data
|
|
home = "/var/lib/openclaw";
|
|
createHome = true;
|
|
shell = pkgs.bash;
|
|
packages = [
|
|
pkgs.llm-agents.openclaw
|
|
];
|
|
};
|
|
|
|
users.groups.openclaw = { };
|
|
users.groups.openclaw-shared = { };
|
|
|
|
systemd.services.openclaw = {
|
|
description = "OpenClaw Gateway Service";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
path = config.users.users.openclaw.packages;
|
|
|
|
serviceConfig = {
|
|
User = "openclaw";
|
|
Group = "openclaw";
|
|
StateDirectory = "openclaw";
|
|
WorkingDirectory = "/var/lib/openclaw";
|
|
|
|
ExecStart = pkgs.writeShellScript "openclaw-wrapper" ''
|
|
exec ${pkgs.llm-agents.openclaw}/bin/openclaw gateway
|
|
'';
|
|
ProtectHome = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHostname = true;
|
|
ProtectProc = "invisible";
|
|
ProcSubset = "pid";
|
|
RemoveIPC = true;
|
|
RestrictSUIDSGID = true;
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
LockPersonality = true;
|
|
UMask = "0077";
|
|
|
|
PrivateDevices = true;
|
|
DeviceAllow = [
|
|
"/dev/null rw"
|
|
"/dev/zero rw"
|
|
"/dev/random r"
|
|
"/dev/urandom r"
|
|
];
|
|
SystemCallFilter = [
|
|
"@system-service"
|
|
"~@mount"
|
|
"@cpu-emulation"
|
|
"@debug"
|
|
"@keyring"
|
|
"@module"
|
|
"@obsolete"
|
|
"@raw-io"
|
|
"@reboot"
|
|
"@swap"
|
|
];
|
|
SystemCallArchitectures = "native";
|
|
|
|
ProtectSystem = "strict";
|
|
ReadWritePaths = [
|
|
"/var/lib/openclaw"
|
|
];
|
|
NoNewPrivileges = true;
|
|
PrivateTmp = true;
|
|
Restart = "always";
|
|
};
|
|
|
|
environment = {
|
|
OPENCLAW_HOME = "/var/lib/openclaw";
|
|
};
|
|
};
|
|
|
|
services.restic.backups.niveum.paths = [
|
|
config.users.users.openclaw.home
|
|
];
|
|
|
|
systemd.services.openclaw-browser = {
|
|
description = "OpenClaw Browser (unrestricted)";
|
|
after = [ "network.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
User = "openclaw";
|
|
Group = "openclaw";
|
|
WorkingDirectory = "/var/lib/openclaw";
|
|
# NO hardening here - let Chrome do its thing
|
|
ExecStart = "${lib.getExe pkgs.chromium} ${
|
|
lib.escapeShellArgs [
|
|
"--headless"
|
|
"--no-sandbox"
|
|
"--disable-setuid-sandbox"
|
|
"--disable-dev-shm-usage"
|
|
"--remote-debugging-port=9222"
|
|
"--remote-debugging-address=127.0.0.1"
|
|
]
|
|
}";
|
|
Restart = "always";
|
|
};
|
|
};
|
|
}
|