kris/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tailscale

Browse Source
This commit is contained in:
Kris
2026-03-19 17:39:44 +02:00
parent eebf3f6159
commit 6b886eeea8
9 changed files with 89 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
flake.nix
View File

@@ -82,12 +82,17 @@
inputs.tangled.nixosModules.spindle
inputs.vscode-server.nixosModules.default
inputs.openclaw.nixosModules.openclaw-gateway
inputs.chaotic.nixosModules.nyx-cache
inputs.chaotic.nixosModules.nyx-overlay
inputs.chaotic.nixosModules.nyx-registry
./modules/openclaw-user.nix
./modules/openclaw-sudo.nix
./modules/openclaw-fs.nix
./modules/openclaw-docker.nix
./modules/openclaw-docker-env.nix
./modules/openclaw-watchdog.nix
./hosts/server/configuration.nix
./hosts/server/hardware-configuration.nix

3
hosts/server/configuration.nix
View File

@@ -23,6 +23,9 @@
services.vscode-server.enable = true;
# Avoid clobber failures in Home Manager activations (e.g., openclaw user).
home-manager.backupFileExtension = "hmbackup";
systemd.services.ocbwoy3-start-pm2 = {
enable = true;
description = "Start PM2";

12
hosts/server/modules/vaultwarden.nix
View File

@@ -25,16 +25,16 @@
};
};
# Allow vaultwarden to write under /private/vaultwarden and ensure the directory exists.
# Allow vaultwarden to write under /private/vaultwarden and ensure the directories exist.
systemd.services.vaultwarden.serviceConfig = {
ReadWritePaths = [ "/private/vaultwarden" ];
};
systemd.tmpfiles.settings."10-vaultwarden-private"."/private/vaultwarden/data".d = {
user = "vaultwarden";
group = "vaultwarden";
mode = "0750";
};
# Create parent/data directories with proper ownership before startup.
systemd.tmpfiles.rules = [
"d /private/vaultwarden 0750 vaultwarden vaultwarden -"
"d /private/vaultwarden/data 0750 vaultwarden vaultwarden -"
];
# cloudflared!!
# networking.firewall.allowedTCPPorts = [

2
hosts/server/slop/brave-shim.nix
View File

@@ -27,7 +27,7 @@ ssl:
verify_ssl: true
logging:
file_path: "/home/ocbwoy3/.local/state/brave-shim/brave_shim.log"
file_path: "/home/openclaw/.local/state/brave-shim/brave_shim.log"
level: "INFO"
bot_protection:

45
hosts/server/slop/openclaw.nix
View File

@@ -6,7 +6,10 @@
let
openclawPatched = inputs.openclaw.packages.${pkgs.system}.openclaw-gateway.overrideAttrs (old: {
installPhase = old.installPhase + "\n" + ''
installPhase =
old.installPhase
+ "\n"
+ ''
# Point Brave web-search endpoint to local shim.
# NOTE: upstream installPhase script does not run postInstall hooks,
# so patch directly at the end of installPhase.
@@ -25,11 +28,15 @@ let
});
in
{
home-manager.sharedModules = [
inputs.openclaw.homeManagerModules.openclaw
];
users.users.ocbwoy3 = {
users.users.openclaw = {
isSystemUser = false;
isNormalUser = true;
home = "/home/openclaw";
createHome = true;
group = "openclaw";
extraGroups = [ "docker" ];
shell = pkgs.bash;
description = "OpenClaw agent sandboxed user";
packages = [
openclawPatched
(pkgs.callPackage ./gogcli.nix { })
@@ -38,4 +45,30 @@ in
pkgs.python3
];
};
users.groups.openclaw = { };
# Keep the openclaw user's systemd --user instance running so the gateway stays up.
# Using activation script because services.logind.lingerUsers isn't available in this release.
system.activationScripts.enableOpenclawLinger.text = ''
${pkgs.systemd}/bin/loginctl enable-linger openclaw || true
'';
# Run OpenClaw gateway only under the dedicated openclaw user (user systemd service).
home-manager.users.openclaw = { pkgs, ... }: {
imports = [ inputs.openclaw.homeManagerModules.openclaw ];
home.stateVersion = "24.11";
programs.openclaw = {
enable = true;
package = openclawPatched;
instances.default = {
enable = true;
# Linux user service only; prevent accidental launchd usage.
launchd.enable = false;
systemd.enable = true;
};
};
};
}

3
modules/force.nix
View File

@@ -13,6 +13,8 @@
./stuff/zsh.nix
];
services.tailscale.enable = true;
environment.systemPackages = with pkgs; [
tmux
gh
@@ -21,6 +23,7 @@
openssl
nss
glibc
kitty
nixfmt-rfc-style
killall
deno

7
modules/nixos/network.nix
View File

@@ -3,9 +3,12 @@
{
#! Disable default nameservers to prevent ISP espionage
networking.nameservers = [ "1.1.1.1" "1.0.0.1" ];
networking.nameservers = [
"1.1.1.1"
"1.0.0.1"
];
networking.hostName = "ralsei-pc";
networking.hostName = "kris-server";
networking.networkmanager.enable = true;
networking.resolvconf.enable = false;

32
modules/openclaw-fs.nix
View File

@@ -1,29 +1,13 @@
{ ... }:
{
fileSystems =
let
bindRO = src: {
device = src;
fsType = "none";
options = [ "bind" "ro" ];
};
bindHide = src: {
device = "tmpfs";
fsType = "tmpfs";
options = [ "size=0" "mode=000" ];
};
in
{
"/home/openclaw/private/AT Protocol" = bindHide "/private/AT Protocol";
"/home/openclaw/private/cloudflared" = bindHide "/private/cloudflared";
"/home/openclaw/private/vaultwarden" = bindHide "/private/vaultwarden";
"/home/openclaw/protected" = bindHide "/protected";
};
systemd.tmpfiles.rules = [
"d /home/openclaw/private 0750 openclaw openclaw -"
"d /home/openclaw/protected 0000 root root -"
"f /home/openclaw/private/tangled.env 0000 root root -"
"f /home/openclaw/private/cloudflared.pem 0000 root root -"
"d /private 0750 root root -"
"z /private/AT\x20Protocol 0700 root root -"
"z /private/cloudflared 0700 root root -"
"z /private/cloudflared.pem 0600 root root -"
"z /private/wafrn 0700 root root -"
"z /private/tangled.env 0600 root root -"
"z /private/vaultwarden 0700 root root -"
"z /protected 0700 root root -"
];
}

12
modules/openclaw-user.nix
View File

@@ -1,15 +1,3 @@
{ pkgs, ... }:
{
users.users.openclaw = {
isSystemUser = false;
isNormalUser = true;
home = "/home/openclaw";
createHome = true;
group = "openclaw";
extraGroups = [ "docker" ];
shell = pkgs.bash;
description = "OpenClaw agent sandboxed user";
};
users.groups.openclaw = { };
}