tailscale

hosts/server/slop/brave-shim.nix

@@ -27,7 +27,7 @@ ssl:
   verify_ssl: true
 
 logging:
-  file_path: "/home/ocbwoy3/.local/state/brave-shim/brave_shim.log"
+  file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"
   level: "INFO"
 
 bot_protection:

hosts/server/slop/openclaw.nix

@@ -6,30 +6,37 @@
 
 let
   openclawPatched = inputs.openclaw.packages.${pkgs.system}.openclaw-gateway.overrideAttrs (old: {
-    installPhase = old.installPhase + "\n" + ''
-      # Point Brave web-search endpoint to local shim.
-      # NOTE: upstream installPhase script does not run postInstall hooks,
-      # so patch directly at the end of installPhase.
-      if [ -d "$out/lib/openclaw/dist" ]; then
-        # Web-search tool hardcodes Brave endpoint in bundled JS.
-        # No runtime config option exists for Brave base URL in this OpenClaw version.
-        grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
-          substituteInPlace "$f" \
-            --replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
-            --replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
-            --replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
-            --replace "https://api.search.brave.com" "http://127.0.0.1:8000"
-        done
-      fi
-    '';
+    installPhase =
+      old.installPhase
+      + "\n"
+      + ''
+        # Point Brave web-search endpoint to local shim.
+        # NOTE: upstream installPhase script does not run postInstall hooks,
+        # so patch directly at the end of installPhase.
+        if [ -d "$out/lib/openclaw/dist" ]; then
+          # Web-search tool hardcodes Brave endpoint in bundled JS.
+          # No runtime config option exists for Brave base URL in this OpenClaw version.
+          grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
+            substituteInPlace "$f" \
+              --replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
+              --replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
+              --replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
+              --replace "https://api.search.brave.com" "http://127.0.0.1:8000"
+          done
+        fi
+      '';
   });
 in
 {
-  home-manager.sharedModules = [
-    inputs.openclaw.homeManagerModules.openclaw
-  ];
-
-  users.users.ocbwoy3 = {
+  users.users.openclaw = {
+    isSystemUser = false;
+    isNormalUser = true;
+    home = "/home/openclaw";
+    createHome = true;
+    group = "openclaw";
+    extraGroups = [ "docker" ];
+    shell = pkgs.bash;
+    description = "OpenClaw agent sandboxed user";
     packages = [
       openclawPatched
       (pkgs.callPackage ./gogcli.nix { })
@@ -38,4 +45,30 @@ in
       pkgs.python3
     ];
   };
+
+  users.groups.openclaw = { };
+
+  # Keep the openclaw user's systemd --user instance running so the gateway stays up.
+  # Using activation script because services.logind.lingerUsers isn't available in this release.
+  system.activationScripts.enableOpenclawLinger.text = ''
+    ${pkgs.systemd}/bin/loginctl enable-linger openclaw || true
+  '';
+
+  # Run OpenClaw gateway only under the dedicated openclaw user (user systemd service).
+  home-manager.users.openclaw = { pkgs, ... }: {
+    imports = [ inputs.openclaw.homeManagerModules.openclaw ];
+
+    home.stateVersion = "24.11";
+    programs.openclaw = {
+      enable = true;
+      package = openclawPatched;
+      instances.default = {
+        enable = true;
+        # Linux user service only; prevent accidental launchd usage.
+        launchd.enable = false;
+        systemd.enable = true;
+      };
+    };
+  };
+
 }