diff --git a/.gitignore b/.gitignore index d68418c..34b25fd 100644 --- a/.gitignore +++ b/.gitignore @@ -11,9 +11,3 @@ env/ # Installer ISO live WiFi (SSID/PSK); see docs/server-installer-usb.md nixos/installer-wifi.nix - -# OpenClaw: Telegram user ID(s), not in public repo -nixos/home/danny/openclaw-allow-from.nix - -# OpenClaw: documents live in private repo; local clone optional -openclaw-documents-repo/ diff --git a/AGENTS.md b/AGENTS.md index 2c8bb6f..ba41641 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -51,7 +51,3 @@ ssh -i ~/.ssh/id_ed25519_sunken_ship danny@sunken-ship 'hostname; ip addr' Rebuild on the server (flake is in `nixos/`): `ssh ... 'cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#sunken-ship'`. The server has WiFi (see [docs/sunken-ship-wifi.md](docs/sunken-ship-wifi.md)); it remains reachable when ethernet is unplugged. -## OpenClaw (macOS) - -OpenClaw (AI assistant gateway, Telegram) is integrated in the dotfiles flake. Config: [nixos/home/danny/openclaw.nix](nixos/home/danny/openclaw.nix). Documents (SOUL.md, TOOLS.md, etc.) come from a separate repo via the flake input `openclaw-documents` in [nixos/flake.nix](nixos/flake.nix)—override with e.g. `openclaw-documents.url = "github:you/openclaw-documents";`. See [docs/openclaw-documents.md](docs/openclaw-documents.md). Secrets (bot token, gateway token, Telegram user ID) live in the config or `~/.secrets/`. One apply: `darwin-rebuild switch --flake .` from `nixos/`. - diff --git a/CLAUDE.md b/CLAUDE.md index 44c8248..c7544c0 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
@@ -26,7 +26,7 @@ cd ~/dotfiles/nixos && nix build .#installer-iso ## Flake architecture - **Flake:** `nixos/flake.nix` — single flake for all hosts -- **Inputs:** nixpkgs-unstable, nix-darwin, home-manager, nixos-wsl, disko, zen-browser, nix-openclaw, openclaw-documents +- **Inputs:** nixpkgs-unstable, nix-darwin, home-manager, nixos-wsl, disko, zen-browser - **Host configs** in `nixos/hosts/`: - `macos.nix` — Apple Silicon MacBook Air (aarch64-darwin, nix-darwin) - `sunken-ship.nix` — NixOS home server (x86_64-linux) @@ -50,10 +50,6 @@ cd ~/dotfiles/nixos && nix build .#installer-iso - Auto-rebuild timer: `dotfiles-rebuild` — only active after flake config switch. Check with `systemctl is-active dotfiles-rebuild.timer`. - Server has WiFi; stays reachable when ethernet is unplugged. -## OpenClaw - -AI assistant gateway (Telegram), integrated in the flake. Config: `nixos/home/danny/openclaw.nix`. Documents (SOUL.md, TOOLS.md) come from a separate local repo via the `openclaw-documents` flake input (path: `/Users/danny/dotfiles/openclaw-documents-repo`). Secrets (bot token, gateway token, Telegram user ID) live in `~/.secrets/` or the config. One apply: `darwin-rebuild switch --flake .`. - ## Ollama Custom nix-darwin module at `nixos/ollama.nix` (upstream PR not yet merged). Enabled on macOS via `nixos/hosts/macos.nix`. Runs as a launchd user agent with `ollama serve`. diff --git a/TODO.md b/TODO.md index e850514..67d900a 100644 --- a/TODO.md +++ b/TODO.md 
@@ -1,11 +1,7 @@ # TODO -1. **OpenClaw:** Remove the activation-backup + force overrides in `nixos/home/danny/openclaw.nix`. They work around "file is in the way" / "would be clobbered" when home-manager manages `~/.openclaw/`. Prefer fixing upstream (nix-openclaw) or a cleaner approach (e.g. deploy to a different path, or let the module handle existing files). - -2. Create a setup/boot USB that: installs NixOS on the server with encryption and WiFi configured from the start; only required input is the server's name (e.g. sunken-ship). +1. Create a setup/boot USB that: installs NixOS on the server with encryption and WiFi configured from the start; only required input is the server's name (e.g. sunken-ship). * I have a set wifi SSID/PSK, assume servers will start up and be able to reach this wifi. * I don't know how to go about the rest of this. -3. Encrypt sunken-ship (LUKS); update hardware/config for encrypted root and boot. - -4. Host telegram bot once again (for what purpose?) +2. Encrypt sunken-ship (LUKS); update hardware/config for encrypted root and boot. diff --git a/docs/openclaw-documents.md b/docs/openclaw-documents.md deleted file mode 100644 index 0496c1d..0000000 --- a/docs/openclaw-documents.md +++ /dev/null 
@@ -1,21 +0,0 @@ -# OpenClaw documents (separate repo) - -SOUL.md, TOOLS.md, and any other markdown files used by OpenClaw are supplied via the flake input `openclaw-documents` in `nixos/flake.nix`. The input points at the **local clone** `path:/Users/danny/dotfiles/openclaw-documents-repo` so `sudo darwin-rebuild` doesn’t need SSH to GitHub. (Change the path in `flake.nix` if your clone lives elsewhere.) - -## Repo contents - -The repo (or local clone) must have at least: -- `SOUL.md` – who the assistant is, personality and boundaries -- `TOOLS.md` – what the assistant can use and how -- `AGENTS.md` – instructions for the AI when acting on your behalf - (The nix-openclaw module asserts these exist.) -- A minimal `flake.nix` so the repo can be used as a flake input: - ```nix - { outputs = { ... }: { source = ./.; }; } - ``` - -## Local clone - -The flake uses the local clone at `~/dotfiles/openclaw-documents-repo/` (path input, gitignored). Edit SOUL/TOOLS there; the next rebuild uses the current directory contents (no `nix flake update` needed). Push/pull to sync with the private GitHub repo when you like. - -To use the remote repo instead (e.g. on another machine), set `openclaw-documents.url = "git+ssh://git@github.com/DannyDannyDanny/openclaw-documents"` in `nixos/flake.nix` and ensure your SSH key is loaded when running the rebuild. diff --git a/nixos/flake.lock b/nixos/flake.lock index 4348541..75d6555 100644 --- a/nixos/flake.lock +++ b/nixos/flake.lock 
@@ -40,24 +40,6 @@ "inputs": { "systems": "systems" }, - "locked": { - "lastModified": 1731533236, - "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "inputs": { - "systems": "systems_2" - }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -93,27 +75,6 @@ } }, "home-manager_2": { - "inputs": { - "nixpkgs": [ - "nix-openclaw", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1767909183, - "narHash": "sha256-u/bcU0xePi5bgNoRsiqSIwaGBwDilKKFTz3g0hqOBAo=", - "owner": "nix-community", - "repo": "home-manager", - "rev": "cd6e96d56ed4b2a779ac73a1227e0bb1519b3509", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "home-manager", - "type": "github" - } - }, - "home-manager_3": { "inputs": { "nixpkgs": [ "zen-browser", 
@@ -155,49 +116,10 @@ "type": "github" } }, - "nix-openclaw": { - "inputs": { - "flake-utils": "flake-utils", - "home-manager": "home-manager_2", - "nix-steipete-tools": "nix-steipete-tools", - "nixpkgs": "nixpkgs_2" - }, - "locked": { - "lastModified": 1773837347, - "narHash": "sha256-PvJTsgowv03pfpEx7+u6Qd8If3HhgkFGpn3IJI22wE4=", - "owner": "openclaw", - "repo": "nix-openclaw", - "rev": "632bb133f694a540e961e613d66224643429d80f", - "type": "github" - }, - "original": { - "owner": "openclaw", - "repo": "nix-openclaw", - "type": "github" - } - }, - "nix-steipete-tools": { - "inputs": { - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1773561580, - "narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=", - "owner": "openclaw", - "repo": "nix-steipete-tools", - "rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f", - "type": "github" - }, - "original": { - "owner": "openclaw", - "repo": "nix-steipete-tools", - "type": "github" - } - }, "nixos-wsl": { "inputs": { "flake-compat": "flake-compat", - "nixpkgs": "nixpkgs_3" + "nixpkgs": "nixpkgs" }, "locked": { "lastModified": 1773603777, @@ -215,38 +137,6 @@ } }, "nixpkgs": { - "locked": { - "lastModified": 1767364772, - "narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1767767207, - "narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "5912c1772a44e31bf1c63c0390b90501e5026886", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1773282481, "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", 
@@ -262,7 +152,7 @@ "type": "github" } }, - "nixpkgs_4": { + "nixpkgs_2": { "locked": { "lastModified": 1773628058, "narHash": "sha256-hpXH0z3K9xv0fHaje136KY872VT2T5uwxtezlAskQgY=", @@ -278,7 +168,7 @@ "type": "github" } }, - "nixpkgs_5": { + "nixpkgs_3": { "locked": { "lastModified": 1682134069, "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", @@ -292,27 +182,13 @@ "type": "indirect" } }, - "openclaw-documents": { - "locked": { - "lastModified": 1773840501, - "narHash": "sha256-Dpb4erTKZqAKolD7UjXMuIBUEax21q2jNvT+1fiIFA4=", - "path": "/Users/danny/dotfiles/openclaw-documents-repo", - "type": "path" - }, - "original": { - "path": "/Users/danny/dotfiles/openclaw-documents-repo", - "type": "path" - } - }, "root": { "inputs": { "disko": "disko", "home-manager": "home-manager", "nix-darwin": "nix-darwin", - "nix-openclaw": "nix-openclaw", "nixos-wsl": "nixos-wsl", - "nixpkgs": "nixpkgs_4", - "openclaw-documents": "openclaw-documents", + "nixpkgs": "nixpkgs_2", "vscode-server": "vscode-server", "zen-browser": "zen-browser" } @@ -332,25 +208,10 @@ "type": "github" } }, - "systems_2": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "vscode-server": { "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_5" + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs_3" }, "locked": { "lastModified": 1770124655, @@ -368,7 +229,7 @@ }, "zen-browser": { "inputs": { - "home-manager": "home-manager_3", + "home-manager": "home-manager_2", "nixpkgs": [ "nixpkgs" ] diff --git a/nixos/flake.nix b/nixos/flake.nix index 4ce2c37..6563f56 100644 --- a/nixos/flake.nix +++ b/nixos/flake.nix 
@@ -18,10 +18,6 @@ disko.url = "github:nix-community/disko"; disko.inputs.nixpkgs.follows = "nixpkgs"; - - nix-openclaw.url = "github:openclaw/nix-openclaw"; - # OpenClaw SOUL/TOOLS and other docs. Absolute path to local clone (no SSH under sudo). - openclaw-documents.url = "path:/Users/danny/dotfiles/openclaw-documents-repo"; }; outputs = { @@ -33,8 +29,6 @@ home-manager, zen-browser, disko, - nix-openclaw, - openclaw-documents, ... }: { nixosConfigurations = { @@ -69,7 +63,22 @@ sunken-ship = nixpkgs.lib.nixosSystem { system = "x86_64-linux"; - modules = [ ./hosts/sunken-ship.nix ]; + modules = [ + ./hosts/sunken-ship.nix + + # Home Manager on NixOS + home-manager.nixosModules.home-manager + ({ lib, ... }: { + home-manager.useGlobalPkgs = true; + home-manager.useUserPackages = true; + home-manager.backupFileExtension = "backup"; + home-manager.users.danny = { ... }: { + home.username = "danny"; + home.homeDirectory = lib.mkForce "/home/danny"; + home.stateVersion = "25.11"; + }; + }) + ]; }; # For disko-install: LUKS + WiFi; hostname/WiFi via --system-config. 
@@ -95,25 +104,20 @@ # macOS (nix-darwin) configuration darwinConfigurations."Daniel-Macbook-Air" = nix-darwin.lib.darwinSystem { - specialArgs = { inherit zen-browser nix-openclaw openclaw-documents; }; + specialArgs = { inherit zen-browser; }; modules = [ ./hosts/macos.nix ./fish.nix - # OpenClaw overlay so pkgs.openclaw etc. are available - ({ nix-openclaw, ... }: { - nixpkgs.overlays = [ nix-openclaw.overlays.default ]; - }) - # Home Manager on macOS home-manager.darwinModules.home-manager - ({ lib, zen-browser, nix-openclaw, openclaw-documents, ... }: { + ({ lib, zen-browser, ... }: { home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; # Automatically backup files before home-manager overwrites them home-manager.backupFileExtension = "backup"; # Pass flake inputs to home-manager modules (e.g. home.nix) - home-manager.extraSpecialArgs = { inherit zen-browser openclaw-documents; }; + home-manager.extraSpecialArgs = { inherit zen-browser; }; home-manager.users.danny = { ... }: { # Force an absolute path even if another module sets a bad value. @@ -121,8 +125,6 @@ home.homeDirectory = lib.mkForce "/Users/danny"; imports = [ ./home/danny/home.nix - nix-openclaw.homeManagerModules.openclaw - ./home/danny/openclaw.nix ]; }; }) diff --git a/nixos/home/danny/openclaw-allow-from.nix.example b/nixos/home/danny/openclaw-allow-from.nix.example deleted file mode 100644 index 2794718..0000000 --- a/nixos/home/danny/openclaw-allow-from.nix.example +++ /dev/null @@ -1,3 +0,0 @@ -# Copy to openclaw-allow-from.nix (gitignored) and put your Telegram user ID(s) from @userinfobot. -# Example: -[ 00000000 ] diff --git a/nixos/home/danny/openclaw-gateway-wrapper.sh b/nixos/home/danny/openclaw-gateway-wrapper.sh deleted file mode 100644 index 94086e7..0000000 --- a/nixos/home/danny/openclaw-gateway-wrapper.sh +++ /dev/null 
@@ -1,9 +0,0 @@ -#!/usr/bin/env bash -# Load OPENCLAW_GATEWAY_TOKEN from a file and exec the real gateway. -# Install: token in ~/.secrets/openclaw-gateway-token (one line, no newline). -set -euo pipefail -TOKEN_FILE="${OPENCLAW_GATEWAY_TOKEN_FILE:-$HOME/.secrets/openclaw-gateway-token}" -if [ -f "$TOKEN_FILE" ]; then - export OPENCLAW_GATEWAY_TOKEN=$(cat "$TOKEN_FILE") -fi -exec "$@" diff --git a/nixos/home/danny/openclaw.nix b/nixos/home/danny/openclaw.nix deleted file mode 100644 index 1d943be..0000000 --- a/nixos/home/danny/openclaw.nix +++ /dev/null 
@@ -1,76 +0,0 @@ -# OpenClaw (AI assistant gateway) – Telegram, launchd, documents. -# Documents (SOUL.md, TOOLS.md, etc.) come from a separate repo via the flake input -# openclaw-documents (see flake.nix; override with e.g. github:you/openclaw-documents). -# Secrets (not in repo): -# ~/.secrets/telegram-bot-token -# ~/.secrets/openclaw-gateway-token (one line, gateway auth token) -# nixos/home/danny/openclaw-allow-from.nix (gitignored; copy from .example) -# After editing, run: darwin-rebuild switch --flake . (from ~/dotfiles/nixos) - -{ config, lib, pkgs, openclaw-documents, ... }: - -let - # Telegram user IDs from gitignored file so we don't commit them - allowFromPath = ./. + "/openclaw-allow-from.nix"; - allowFrom = if builtins.pathExists allowFromPath then import allowFromPath else [ ]; -in -{ - programs.openclaw = { - enable = true; - # Flake input: use .source (in-repo and separate-repo flakes expose source = ./.) - documents = openclaw-documents.source or openclaw-documents.outPath or openclaw-documents; - - config = { }; - - instances.default = { - enable = true; - config = { - gateway = { - mode = "local"; - auth.token = ""; # loaded from ~/.secrets/openclaw-gateway-token via wrapper - }; - channels.telegram = { - tokenFile = "/Users/danny/.secrets/telegram-bot-token"; - allowFrom = allowFrom; - groups."*" = { requireMention = true; }; - }; - }; - plugins = [ - # e.g. { source = "github:openclaw/nix-steipete-tools?dir=tools/summarize"; } - ]; - }; - }; - - # Wrapper loads gateway token from file and execs the real gateway (keeps token out of store) - home.file.".local/bin/openclaw-gateway-wrapper" = { - source = ./openclaw-gateway-wrapper.sh; - executable = true; - }; - - # TODO: Remove this bloat (see dotfiles TODO.md). Back up as target user so HM can overwrite. 
- home.activation.backupOpenclawBeforeSwitch = lib.hm.dag.entryBefore [ "linkGeneration" ] '' - OPENCLAW="${config.home.homeDirectory}/.openclaw" - USER="${config.home.username}" - if [ -d "$OPENCLAW" ]; then - for f in "$OPENCLAW"/workspace/*.md "$OPENCLAW"/openclaw.json; do - [ -e "$f" ] && [ ! -L "$f" ] && (sudo -u "$USER" mv -n "$f" "$f.backup" 2>/dev/null || true) - done - fi - ''; - home.file.".openclaw/openclaw.json".force = true; - - # Override launchd agent to run wrapper so OPENCLAW_GATEWAY_TOKEN is set from file at runtime. - # Do not reference config.launchd.agents."..." here (causes infinite recursion). - launchd.agents."com.steipete.openclaw.gateway" = lib.mkForce { - enable = true; - config = { - ProgramArguments = [ - (config.home.homeDirectory + "/.local/bin/openclaw-gateway-wrapper") - "${pkgs.openclaw}/bin/openclaw" - "gateway" - ]; - RunAtLoad = true; - KeepAlive = true; - }; - }; -} diff --git a/openclaw-todo.md b/openclaw-todo.md deleted file mode 100644 index c01ab3b..0000000 --- a/openclaw-todo.md +++ /dev/null 
@@ -1,48 +0,0 @@ -# OpenClaw Setup TODO - -## Current state - -OpenClaw is **already fully wired** into the macOS (Daniel-Macbook-Air) darwin config: - -- **Keep:** `nix-openclaw` flake input, overlay, home-manager module import — all correct -- **Keep:** `nixos/home/danny/openclaw.nix` — working config with launchd agent, wrapper, documents integration -- **Keep:** `openclaw-gateway-wrapper.sh` — loads gateway token from `~/.secrets/` at runtime -- **Keep:** `openclaw-allow-from.nix` (gitignored) — Telegram user ID allowlist -- **Scrap/fix:** `home.activation.backupOpenclawBeforeSwitch` — marked as bloat in a TODO; remove once confirmed unnecessary -- **Not wired:** `sunken-ship` and `macbookair` NixOS configs have zero OpenClaw references - -## Phase 1: Get OpenClaw running on macOS (Daniel-Macbook-Air) - -- [ ] Ensure `openclaw-documents-repo` exists at `~/dotfiles/openclaw-documents-repo` (or clone it) -- [ ] Create secrets: - - `~/.secrets/telegram-bot-token` (from @BotFather) - - `~/.secrets/openclaw-gateway-token` (gateway auth token) -- [ ] Copy `openclaw-allow-from.nix.example` → `openclaw-allow-from.nix`, fill in Telegram user ID(s) -- [ ] Rebuild: `cd ~/dotfiles/nixos && darwin-rebuild switch --flake .` -- [ ] Verify launchd agent: `launchctl list | grep openclaw` -- [ ] Test: message bot on Telegram -- [ ] Verify Ollama integration: `ollama list` (already enabled via `macos.nix` → `ollama.nix`) - -## Phase 2: Move to dedicated server (sunken-ship or new host) - -- [ ] **Decide:** run OpenClaw on sunken-ship (existing) or a new host (phantom-ship)? 
-- [ ] Add `nix-openclaw` + `openclaw-documents` to the NixOS config's `specialArgs` (currently only passed to darwinConfigurations) -- [ ] Port `openclaw.nix` from home-manager launchd agent → systemd user service (or system service) - - Replace `launchd.agents` block with `systemd.user.services` equivalent - - Update wrapper to use systemd `EnvironmentFile=` instead of bash wrapper -- [ ] Handle secrets on server: - - `scp` token files to server `~/.secrets/` (don't commit) - - Or use `agenix`/`sops-nix` for encrypted secrets in repo -- [ ] Decide on documents: clone `openclaw-documents-repo` on server, or use GitHub flake input instead of local path -- [ ] If Ollama needed on server: port `ollama.nix` (launchd → systemd) or use nixpkgs `services.ollama` (available in NixOS, not nix-darwin) -- [ ] Rebuild on server: `sudo nixos-rebuild switch --flake .#sunken-ship` - -## Packaging decisions - -| Decision | Current | Options | -|---|---|---| -| OpenClaw binary | `nix-openclaw` flake input | **Keep** — gives overlay + HM module | -| Documents | Local path flake input | Local path for dev, switch to `github:` for server | -| Ollama on macOS | Custom `ollama.nix` (PR #972) | **Keep** until nix-darwin merges upstream | -| Ollama on NixOS | Not configured | Use `services.ollama` from nixpkgs (built-in on NixOS) | -| Secrets | Files in `~/.secrets/` | Fine for now; consider `sops-nix` if adding more |
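Review bot: dropping the ignore rules for `nixos/home/danny/openclaw-allow-from.nix` and `openclaw-documents-repo/` in the `.gitignore` hunk is only safe if both paths are gone from every checkout. The allow-list file holds Telegram user IDs and the local clone holds the private documents, and neither is deleted by this patch (only the `.example` file and the Nix module are). On a working tree that still has them, the next `git add -A` would stage them into the public repo. Either confirm they are removed locally (`git status --ignored` before the change, `git status` after) or keep the two rules until the private files are verifiably gone.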
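Review bot: the `nixos/flake.lock` hunks renumber nodes by hand (`nixpkgs_4` to `nixpkgs_2`, `home-manager_3` to `home-manager_2`, `flake-utils_2` folded into `flake-utils`, `systems_2` dropped); if this was not produced by `nix flake lock` after removing the inputs from `flake.nix`, it should be regenerated so node names and `narHash` values are guaranteed consistent. One spot worth checking in the merged `flake-utils` node: it keeps `"inputs": { "systems": "systems" }` from the old first node but the `locked` block (`lastModified: 1681202837`) from the old `flake-utils_2`, which is only correct if `systems` and `systems_2` resolved to the same revision. A `nix flake metadata` or `nix flake check` run before merge would confirm the lock is coherent.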
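Review bot: the `sunken-ship` hunk in `nixos/flake.nix` adds Home Manager for `danny` on the server (`home-manager.nixosModules.home-manager`, `home.stateVersion = "25.11"`), which is unrelated to removing OpenClaw and is not reflected in AGENTS.md or CLAUDE.md; it deserves its own commit, or at least a line in the docs hunks that this patch already edits. Two details in the block: `home.stateVersion` is meant to stay at the value first used for this home and not be bumped on later upgrades, so pick `"25.11"` deliberately and add a comment saying so; and `home.homeDirectory = lib.mkForce "/home/danny"` copies the macOS block's override without the comment that justifies it there ("Force an absolute path even if another module sets a bad value."), so either carry the comment over or drop `mkForce` if nothing on the NixOS side sets the path.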
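Review bot: the `darwinConfigurations` hunk removes the overlay that provided `pkgs.openclaw` and the `nix-openclaw`/`openclaw-documents` specialArgs, but the patch does not touch `nixos/hosts/macos.nix` or `nixos/home/danny/home.nix`; any remaining reference to `pkgs.openclaw`, `nix-openclaw` or `openclaw-documents` in those files would now fail at evaluation rather than at runtime. A `grep -ri openclaw nixos/` plus a `darwin-rebuild build --flake .` from `nixos/` before merge would confirm nothing dangles.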
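Review bot: deleting `openclaw.nix` and `openclaw-gateway-wrapper.sh` removes the Nix definition of the `com.steipete.openclaw.gateway` launchd agent, but it does not decommission what that module put on the machine. Per the deleted module's own comments, still present on the Mac after the rebuild: the agent itself unless it was unloaded (check with `launchctl list | grep openclaw`, the command the deleted TODO already used), the `~/.openclaw/openclaw.json` and `~/.openclaw/workspace/*.md.backup` copies created by `backupOpenclawBeforeSwitch`, the `~/.local/bin/openclaw-gateway-wrapper` script, and the live credentials in `~/.secrets/telegram-bot-token` and `~/.secrets/openclaw-gateway-token`. If the gateway is being retired rather than moved, revoke the bot token at Telegram and delete the gateway token file so dormant credentials do not outlive the service; the TODO.md hunk would be the natural place to record that cleanup.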