tailscale

flake.nix

@@ -82,12 +82,17 @@
 
           inputs.tangled.nixosModules.spindle
           inputs.vscode-server.nixosModules.default
-          inputs.openclaw.nixosModules.openclaw-gateway
 
           inputs.chaotic.nixosModules.nyx-cache
           inputs.chaotic.nixosModules.nyx-overlay
           inputs.chaotic.nixosModules.nyx-registry
 
+          ./modules/openclaw-user.nix
+          ./modules/openclaw-sudo.nix
+          ./modules/openclaw-fs.nix
+          ./modules/openclaw-docker.nix
+          ./modules/openclaw-docker-env.nix
+          ./modules/openclaw-watchdog.nix
           ./hosts/server/configuration.nix
           ./hosts/server/hardware-configuration.nix
 

hosts/server/configuration.nix

@@ -23,6 +23,9 @@
 
   services.vscode-server.enable = true;
 
+  # Avoid clobber failures in Home Manager activations (e.g., openclaw user).
+  home-manager.backupFileExtension = "hmbackup";
+
   systemd.services.ocbwoy3-start-pm2 = {
     enable = true;
     description = "Start PM2";

hosts/server/modules/vaultwarden.nix

@@ -25,16 +25,16 @@
     };
   };
 
-  # Allow vaultwarden to write under /private/vaultwarden and ensure the directory exists.
+  # Allow vaultwarden to write under /private/vaultwarden and ensure the directories exist.
   systemd.services.vaultwarden.serviceConfig = {
     ReadWritePaths = [ "/private/vaultwarden" ];
   };
 
-  systemd.tmpfiles.settings."10-vaultwarden-private"."/private/vaultwarden/data".d = {
+  # Create parent/data directories with proper ownership before startup.
-    user = "vaultwarden";
+  systemd.tmpfiles.rules = [
-    group = "vaultwarden";
+    "d /private/vaultwarden 0750 vaultwarden vaultwarden -"
-    mode = "0750";
+    "d /private/vaultwarden/data 0750 vaultwarden vaultwarden -"
-  };
+  ];
 
   # cloudflared!!
   # networking.firewall.allowedTCPPorts = [

hosts/server/slop/brave-shim.nix

@@ -27,7 +27,7 @@ ssl:
   verify_ssl: true
 
 logging:
-  file_path: "/home/ocbwoy3/.local/state/brave-shim/brave_shim.log"
+  file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"
   level: "INFO"
 
 bot_protection:

hosts/server/slop/openclaw.nix

@@ -6,30 +6,37 @@
 
 let
   openclawPatched = inputs.openclaw.packages.${pkgs.system}.openclaw-gateway.overrideAttrs (old: {
-    installPhase = old.installPhase + "\n" + ''
+    installPhase =
-      # Point Brave web-search endpoint to local shim.
+      old.installPhase
-      # NOTE: upstream installPhase script does not run postInstall hooks,
+      + "\n"
-      # so patch directly at the end of installPhase.
+      + ''
-      if [ -d "$out/lib/openclaw/dist" ]; then
+        # Point Brave web-search endpoint to local shim.
-        # Web-search tool hardcodes Brave endpoint in bundled JS.
+        # NOTE: upstream installPhase script does not run postInstall hooks,
-        # No runtime config option exists for Brave base URL in this OpenClaw version.
+        # so patch directly at the end of installPhase.
-        grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
+        if [ -d "$out/lib/openclaw/dist" ]; then
-          substituteInPlace "$f" \
+          # Web-search tool hardcodes Brave endpoint in bundled JS.
-            --replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
+          # No runtime config option exists for Brave base URL in this OpenClaw version.
-            --replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
+          grep -RIl "https://api.search.brave.com" "$out/lib/openclaw/dist" | while read -r f; do
-            --replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
+            substituteInPlace "$f" \
-            --replace "https://api.search.brave.com" "http://127.0.0.1:8000"
+              --replace "https://api.search.brave.com/res/v1/web/search" "http://127.0.0.1:8000/res/v1/web/search" \
-        done
+              --replace "https://api.search.brave.com/res/v1/" "http://127.0.0.1:8000/res/v1/" \
-      fi
+              --replace "https://api.search.brave.com/" "http://127.0.0.1:8000/" \
-    '';
+              --replace "https://api.search.brave.com" "http://127.0.0.1:8000"
+          done
+        fi
+      '';
   });
 in
 {
-  home-manager.sharedModules = [
+  users.users.openclaw = {
-    inputs.openclaw.homeManagerModules.openclaw
+    isSystemUser = false;
-  ];
+    isNormalUser = true;
-
+    home = "/home/openclaw";
-  users.users.ocbwoy3 = {
+    createHome = true;
+    group = "openclaw";
+    extraGroups = [ "docker" ];
+    shell = pkgs.bash;
+    description = "OpenClaw agent sandboxed user";
     packages = [
       openclawPatched
       (pkgs.callPackage ./gogcli.nix { })
@@ -38,4 +45,30 @@ in
       pkgs.python3
     ];
   };
+
+  users.groups.openclaw = { };
+
+  # Keep the openclaw user's systemd --user instance running so the gateway stays up.
+  # Using activation script because services.logind.lingerUsers isn't available in this release.
+  system.activationScripts.enableOpenclawLinger.text = ''
+    ${pkgs.systemd}/bin/loginctl enable-linger openclaw || true
+  '';
+
+  # Run OpenClaw gateway only under the dedicated openclaw user (user systemd service).
+  home-manager.users.openclaw = { pkgs, ... }: {
+    imports = [ inputs.openclaw.homeManagerModules.openclaw ];
+
+    home.stateVersion = "24.11";
+    programs.openclaw = {
+      enable = true;
+      package = openclawPatched;
+      instances.default = {
+        enable = true;
+        # Linux user service only; prevent accidental launchd usage.
+        launchd.enable = false;
+        systemd.enable = true;
+      };
+    };
+  };
+
 }

modules/force.nix

@@ -13,6 +13,8 @@
     ./stuff/zsh.nix
   ];
 
+  services.tailscale.enable = true;
+
   environment.systemPackages = with pkgs; [
     tmux
     gh
@@ -21,6 +23,7 @@
     openssl
     nss
     glibc
+    kitty
     nixfmt-rfc-style
     killall
     deno

modules/nixos/network.nix

@@ -2,11 +2,14 @@
 
 {
 
-	#! Disable default nameservers to prevent ISP espionage
+  #! Disable default nameservers to prevent ISP espionage
-	networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
+  networking.nameservers = [
+    "1.1.1.1"
+    "1.0.0.1"
+  ];
 
-	networking.hostName = "ralsei-pc";
+  networking.hostName = "kris-server";
-	networking.networkmanager.enable = true;
+  networking.networkmanager.enable = true;
-	networking.resolvconf.enable = false;
+  networking.resolvconf.enable = false;
 
 }

modules/openclaw-fs.nix

@@ -1,29 +1,13 @@
 { ... }:
 {
-  fileSystems =
-    let
-      bindRO = src: {
-        device = src;
-        fsType = "none";
-        options = [ "bind" "ro" ];
-      };
-      bindHide = src: {
-        device = "tmpfs";
-        fsType = "tmpfs";
-        options = [ "size=0" "mode=000" ];
-      };
-    in
-    {
-      "/home/openclaw/private/AT Protocol" = bindHide "/private/AT Protocol";
-      "/home/openclaw/private/cloudflared" = bindHide "/private/cloudflared";
-      "/home/openclaw/private/vaultwarden" = bindHide "/private/vaultwarden";
-      "/home/openclaw/protected" = bindHide "/protected";
-    };
-
   systemd.tmpfiles.rules = [
-    "d /home/openclaw/private 0750 openclaw openclaw -"
+    "d /private 0750 root root -"
-    "d /home/openclaw/protected 0000 root root -"
+    "z /private/AT\x20Protocol 0700 root root -"
-    "f /home/openclaw/private/tangled.env 0000 root root -"
+    "z /private/cloudflared 0700 root root -"
-    "f /home/openclaw/private/cloudflared.pem 0000 root root -"
+    "z /private/cloudflared.pem 0600 root root -"
+    "z /private/wafrn 0700 root root -"
+    "z /private/tangled.env 0600 root root -"
+    "z /private/vaultwarden 0700 root root -"
+    "z /protected 0700 root root -"
   ];
 }

modules/openclaw-user.nix

@@ -1,15 +1,3 @@
 { pkgs, ... }:
 {
-  users.users.openclaw = {
-    isSystemUser = false;
-    isNormalUser = true;
-    home = "/home/openclaw";
-    createHome = true;
-    group = "openclaw";
-    extraGroups = [ "docker" ];
-    shell = pkgs.bash;
-    description = "OpenClaw agent sandboxed user";
-  };
-
-  users.groups.openclaw = { };
 }