From 6b886eeea80aeb8bdb378f4a4035c1cf8619a8ac Mon Sep 17 00:00:00 2001
From: Kris
Date: Thu, 19 Mar 2026 17:39:44 +0200
Subject: [PATCH] tailscale
---
 flake.nix | 7 ++-
 hosts/server/configuration.nix | 3 ++
 hosts/server/modules/vaultwarden.nix | 12 ++--
 hosts/server/slop/brave-shim.nix | 2 +-
 hosts/server/slop/openclaw.nix | 75 ++++++++++++++++++++--------
 modules/force.nix | 3 ++
 modules/nixos/network.nix | 13 +++--
 modules/openclaw-fs.nix | 32 +++---------
 modules/openclaw-user.nix | 12 -----
 9 files changed, 89 insertions(+), 70 deletions(-)
diff --git a/flake.nix b/flake.nix
index d14e7f0..96d8b9b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -82,12 +82,17 @@
 inputs.tangled.nixosModules.spindle
 inputs.vscode-server.nixosModules.default
- inputs.openclaw.nixosModules.openclaw-gateway
 inputs.chaotic.nixosModules.nyx-cache
 inputs.chaotic.nixosModules.nyx-overlay
 inputs.chaotic.nixosModules.nyx-registry
+ ./modules/openclaw-user.nix
+ ./modules/openclaw-sudo.nix
+ ./modules/openclaw-fs.nix
+ ./modules/openclaw-docker.nix
+ ./modules/openclaw-docker-env.nix
+ ./modules/openclaw-watchdog.nix
 ./hosts/server/configuration.nix
 ./hosts/server/hardware-configuration.nix
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index ca8da57..865b843 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -23,6 +23,9 @@
 services.vscode-server.enable = true;
+ # Avoid clobber failures in Home Manager activations (e.g., openclaw user).
+ home-manager.backupFileExtension = "hmbackup";
+
 systemd.services.ocbwoy3-start-pm2 = {
 enable = true;
 description = "Start PM2";
diff --git a/hosts/server/modules/vaultwarden.nix b/hosts/server/modules/vaultwarden.nix
index 572be8e..e21413f 100644
--- a/hosts/server/modules/vaultwarden.nix
+++ b/hosts/server/modules/vaultwarden.nix
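Review bot: `./modules/openclaw-user.nix` is added to the module list here, but the same commit empties that file (its `users.users.openclaw` block moves to hosts/server/slop/openclaw.nix), so the import is dead; either drop this line or delete the now-empty module. The other new entries (`openclaw-sudo.nix`, `openclaw-docker.nix`, `openclaw-docker-env.nix`, `openclaw-watchdog.nix`) are not part of this patch, so evaluation presumably relies on them already existing in the tree; that is worth a sentence in the commit message. The surrounding module list starts and ends outside the hunk.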
@@ -25,16 +25,16 @@
 };
 };
- # Allow vaultwarden to write under /private/vaultwarden and ensure the directory exists.
+ # Allow vaultwarden to write under /private/vaultwarden and ensure the directories exist.
 systemd.services.vaultwarden.serviceConfig = {
 ReadWritePaths = [ "/private/vaultwarden" ];
 };
- systemd.tmpfiles.settings."10-vaultwarden-private"."/private/vaultwarden/data".d = {
- user = "vaultwarden";
- group = "vaultwarden";
- mode = "0750";
- };
+ # Create parent/data directories with proper ownership before startup.
+ systemd.tmpfiles.rules = [
+ "d /private/vaultwarden 0750 vaultwarden vaultwarden -"
+ "d /private/vaultwarden/data 0750 vaultwarden vaultwarden -"
+ ];
 # cloudflared!!
 # networking.firewall.allowedTCPPorts = [
diff --git a/hosts/server/slop/brave-shim.nix b/hosts/server/slop/brave-shim.nix
index 6c206d7..14decaf 100644
--- a/hosts/server/slop/brave-shim.nix
+++ b/hosts/server/slop/brave-shim.nix
@@ -27,7 +27,7 @@ ssl:
 verify_ssl: true
 logging:
- file_path: "/home/ocbwoy3/.local/state/brave-shim/brave_shim.log"
+ file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"
 level: "INFO"
 bot_protection:
diff --git a/hosts/server/slop/openclaw.nix b/hosts/server/slop/openclaw.nix
index 9ab8f63..e8a69be 100644
--- a/hosts/server/slop/openclaw.nix
+++ b/hosts/server/slop/openclaw.nix
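Review bot: The ownership these two `d` lines give `/private/vaultwarden` is contradicted elsewhere in the same commit: modules/openclaw-fs.nix adds `z /private/vaultwarden 0700 root root -` and `d /private 0750 root root -`. Depending on how systemd-tmpfiles resolves the duplicate path, the directory ends up either `vaultwarden:vaultwarden 0750` or `root:root 0700`, and a `0750 root:root` parent denies traversal to the `vaultwarden` service user that the `ReadWritePaths` grant in the context above assumes, so the data directory becomes unreachable. Keep one authoritative set of rules: drop the `z /private/vaultwarden` line from openclaw-fs.nix and grant traversal narrowly, e.g. add `"a+ /private - - - - u:vaultwarden:--x"` to that file rather than widening `/private` for everyone.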
@@ -6,30 +6,37 @@ let
 openclawPatched = inputs.openclaw.packages.${pkgs.system}.openclaw-gateway.overrideAttrs (old: {
- installPhase = old.installPhase + "\n" + ''
- # Point Brave web-search endpoint to local shim.
- # NOTE: upstream installPhase script does not run postInstall hooks,
- # so patch directly at the end of installPhase.
- if [ -d "$out/lib/openclaw/dist" ]; then
- # Web-search tool hardcodes Brave endpoint in bundled JS.
- # No runtime config option exists for Brave base URL in this OpenClaw version.
- grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
- substituteInPlace "$f" \
- --replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
- --replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
- --replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
- --replace "https://api.search.brave.com" "http://127.0.0.1:8000"
- done
- fi
- '';
+ installPhase =
+ old.installPhase
+ + "\n"
+ + ''
+ # Point Brave web-search endpoint to local shim.
+ # NOTE: upstream installPhase script does not run postInstall hooks,
+ # so patch directly at the end of installPhase.
+ if [ -d "$out/lib/openclaw/dist" ]; then
+ # Web-search tool hardcodes Brave endpoint in bundled JS.
+ # No runtime config option exists for Brave base URL in this OpenClaw version.
+ grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
+ substituteInPlace "$f" \
+ --replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
+ --replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
+ --replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
+ --replace "https://api.search.brave.com" "http://127.0.0.1:8000"
+ done
+ fi
+ '';
 });
 in
 {
- home-manager.sharedModules = [
- inputs.openclaw.homeManagerModules.openclaw
- ];
-
- users.users.ocbwoy3 = {
+ users.users.openclaw = {
+ isSystemUser = false;
+ isNormalUser = true;
+ home = "/home/openclaw";
+ createHome = true;
+ group = "openclaw";
+ extraGroups = [ "docker" ];
+ shell = pkgs.bash;
+ description = "OpenClaw agent sandboxed user";
 packages = [
 openclawPatched
 (pkgs.callPackage ./gogcli.nix { })
@@ -38,4 +45,30 @@ in
 pkgs.python3
 ];
 };
+
+ users.groups.openclaw = { };
+
+ # Keep the openclaw user's systemd --user instance running so the gateway stays up.
+ # Using activation script because services.logind.lingerUsers isn't available in this release.
+ system.activationScripts.enableOpenclawLinger.text = ''
+ ${pkgs.systemd}/bin/loginctl enable-linger openclaw || true
+ '';
+
+ # Run OpenClaw gateway only under the dedicated openclaw user (user systemd service).
+ home-manager.users.openclaw = { pkgs, ... }: {
+ imports = [ inputs.openclaw.homeManagerModules.openclaw ];
+
+ home.stateVersion = "24.11";
+ programs.openclaw = {
+ enable = true;
+ package = openclawPatched;
+ instances.default = {
+ enable = true;
+ # Linux user service only; prevent accidental launchd usage.
+ launchd.enable = false;
+ systemd.enable = true;
+ };
+ };
+ };
+ }
diff --git a/modules/force.nix b/modules/force.nix
index b5e71a2..107b677 100644
--- a/modules/force.nix
+++ b/modules/force.nix
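Review bot: `extraGroups = [ "docker" ];` on an account described as `"OpenClaw agent sandboxed user"` is not a sandbox: membership in the docker group gives control of the Docker socket, which is equivalent to root on the host, so the agent's confinement is only as strong as whatever the unseen openclaw-docker*.nix modules do with it. Either document that trust decision in a comment next to the field or put the agent's container access behind a narrower mechanism such as a rootless daemon. Separately, the `grep … | while read -r f` loop is a silent no-op if upstream moves the Brave endpoint string, leaving the gateway talking to `api.search.brave.com` directly; consider failing the build before the loop with `grep -RIlq "https://api.search.brave.com" "$out/lib/openclaw/dist" || { echo "brave endpoint not found"; exit 1; }`. The `users.users.openclaw` attribute set continues into the next hunk.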
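Review bot: The `system.activationScripts.enableOpenclawLinger` block runs `loginctl enable-linger openclaw || true`, so a failure (for example logind not answering during activation) is swallowed and the gateway simply never starts, with nothing in the activation output to say why. NixOS exposes this declaratively as `users.users.openclaw.linger = true;` in recent releases, which would remove the activation script along with the comment's reference to `services.logind.lingerUsers`, an option I cannot find in NixOS. If the script must stay, at least log the failure instead of discarding it with `|| true`.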
@@ -13,6 +13,8 @@
 ./stuff/zsh.nix
 ];
+ services.tailscale.enable = true;
+
 environment.systemPackages = with pkgs; [
 tmux
 gh
@@ -21,6 +23,7 @@
 openssl
 nss
 glibc
+ kitty
 nixfmt-rfc-style
 killall
 deno
diff --git a/modules/nixos/network.nix b/modules/nixos/network.nix
index 93ac9b0..679814a 100644
--- a/modules/nixos/network.nix
+++ b/modules/nixos/network.nix
@@ -2,11 +2,14 @@
 {
- #! Disable default nameservers to prevent ISP espionage
- networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
+ #! Disable default nameservers to prevent ISP espionage
+ networking.nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
- networking.hostName = "ralsei-pc";
- networking.networkmanager.enable = true;
- networking.resolvconf.enable = false;
+ networking.hostName = "kris-server";
+ networking.networkmanager.enable = true;
+ networking.resolvconf.enable = false;
 }
diff --git a/modules/openclaw-fs.nix b/modules/openclaw-fs.nix
index 5573390..c6d50e5 100644
--- a/modules/openclaw-fs.nix
+++ b/modules/openclaw-fs.nix
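Review bot: `services.tailscale.enable = true;` brings up a new interface on every host that imports modules/force.nix but records no firewall intent for it: tailnet peers stay subject to the normal NixOS firewall, which is the safer default, yet nothing here says that is deliberate. Add a comment such as `# Tailnet peers stay behind the normal firewall; do not add tailscale0 to networking.firewall.trustedInterfaces without review.` so a later convenience edit does not silently expose every listening service. Whether force.nix is shared beyond this server is not visible from the hunk, and the `kitty` addition in the second hunk is unrelated to the tailscale subject and would be easier to track as its own commit.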
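Review bot: The comment `#! Disable default nameservers to prevent ISP espionage` overstates what these lines achieve: queries to `1.1.1.1`/`1.0.0.1` still leave the machine as plain port-53 DNS that the access network can read, so only the resolver operator changes, not the visibility. Reword it to the actual effect, e.g. `# Use Cloudflare resolvers instead of the ISP's; queries are still unencrypted unless DoT/DoH is configured.`, or configure an encrypted resolver (systemd-resolved with its DNS-over-TLS setting) if the stated goal matters. The hostname change to `"kris-server"` is the only substantive edit in this hunk; the remaining `-`/`+` pairs are re-indentation.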
@@ -1,29 +1,13 @@
 { ... }:
 {
- fileSystems =
- let
- bindRO = src: {
- device = src;
- fsType = "none";
- options = [ "bind" "ro" ];
- };
- bindHide = src: {
- device = "tmpfs";
- fsType = "tmpfs";
- options = [ "size=0" "mode=000" ];
- };
- in
- {
- "/home/openclaw/private/AT Protocol" = bindHide "/private/AT Protocol";
- "/home/openclaw/private/cloudflared" = bindHide "/private/cloudflared";
- "/home/openclaw/private/vaultwarden" = bindHide "/private/vaultwarden";
- "/home/openclaw/protected" = bindHide "/protected";
- };
 systemd.tmpfiles.rules = [
- "d /home/openclaw/private 0750 openclaw openclaw -"
- "d /home/openclaw/protected 0000 root root -"
- "f /home/openclaw/private/tangled.env 0000 root root -"
- "f /home/openclaw/private/cloudflared.pem 0000 root root -"
+ "d /private 0750 root root -"
+ "z /private/AT\x20Protocol 0700 root root -"
+ "z /private/cloudflared 0700 root root -"
+ "z /private/cloudflared.pem 0600 root root -"
+ "z /private/wafrn 0700 root root -"
+ "z /private/tangled.env 0600 root root -"
+ "z /private/vaultwarden 0700 root root -"
+ "z /protected 0700 root root -"
 ];
 }
diff --git a/modules/openclaw-user.nix b/modules/openclaw-user.nix
index 1473b9d..6e5b8c3 100644
--- a/modules/openclaw-user.nix
+++ b/modules/openclaw-user.nix
@@ -1,15 +1,3 @@
 { pkgs, ... }:
 {
- users.users.openclaw = {
- isSystemUser = false;
- isNormalUser = true;
- home = "/home/openclaw";
- createHome = true;
- group = "openclaw";
- extraGroups = [ "docker" ];
- shell = pkgs.bash;
- description = "OpenClaw agent sandboxed user";
- };
-
- users.groups.openclaw = { };
 }
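Review bot: `"z /private/AT\x20Protocol 0700 root root -"` does not reach the intended path: in a Nix double-quoted string an unrecognised escape drops the backslash, so the rule is emitted as `z /private/ATx20Protocol …`, and because `z` only adjusts paths that already exist, the directory with the space keeps whatever mode it had while nothing fails. Escape the backslash for Nix, `"z /private/AT\\x20Protocol 0700 root root -"`, so systemd-tmpfiles sees `\x20`. The same silent-no-op property of `z` means a typo in any of these paths leaves a secret world-readable without an error, so a periodic check of the effective modes under `/private` is worth considering. Note also that `d /private 0750 root root -` and `z /private/vaultwarden 0700 root root -` conflict with the `vaultwarden:vaultwarden` ownership hosts/server/modules/vaultwarden.nix sets in this same commit (raised on that hunk).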