chore: remove all OpenClaw integration from dotfiles 🔥

OpenClaw is no longer used. Removes flake inputs (nix-openclaw,
openclaw-documents), overlays, home-manager modules, config files,
docs, and related TODO/gitignore entries.
DannyDannyDanny 2026-03-22 11:55:06 +01:00
parent 494bc8a5f4
commit 18ccebc109
11 changed files with 29 additions and 341 deletions

6
.gitignore vendored

@ -11,9 +11,3 @@ env/
# Installer ISO live WiFi (SSID/PSK); see docs/server-installer-usb.md # Installer ISO live WiFi (SSID/PSK); see docs/server-installer-usb.md
nixos/installer-wifi.nix nixos/installer-wifi.nix
# OpenClaw: Telegram user ID(s), not in public repo
nixos/home/danny/openclaw-allow-from.nix
# OpenClaw: documents live in private repo; local clone optional
openclaw-documents-repo/
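Review bot: Dropping the ignore rules for `nixos/home/danny/openclaw-allow-from.nix` and `openclaw-documents-repo/` makes both paths eligible for `git add` again in any working copy where they still exist. The removed comments say the first holds Telegram user IDs that are "not in public repo" and the second is a local clone of a private repo, so either delete those local files as part of this cleanup or keep the two ignore lines until every checkout has been cleaned.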


@ -51,7 +51,3 @@ ssh -i ~/.ssh/id_ed25519_sunken_ship danny@sunken-ship 'hostname; ip addr'
Rebuild on the server (flake is in `nixos/`): `ssh ... 'cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#sunken-ship'`. The server has WiFi (see [docs/sunken-ship-wifi.md](docs/sunken-ship-wifi.md)); it remains reachable when ethernet is unplugged. Rebuild on the server (flake is in `nixos/`): `ssh ... 'cd /etc/dotfiles/nixos && sudo nixos-rebuild switch --flake .#sunken-ship'`. The server has WiFi (see [docs/sunken-ship-wifi.md](docs/sunken-ship-wifi.md)); it remains reachable when ethernet is unplugged.
## OpenClaw (macOS)
OpenClaw (AI assistant gateway, Telegram) is integrated in the dotfiles flake. Config: [nixos/home/danny/openclaw.nix](nixos/home/danny/openclaw.nix). Documents (SOUL.md, TOOLS.md, etc.) come from a separate repo via the flake input `openclaw-documents` in [nixos/flake.nix](nixos/flake.nix)—override with e.g. `openclaw-documents.url = "github:you/openclaw-documents";`. See [docs/openclaw-documents.md](docs/openclaw-documents.md). Secrets (bot token, gateway token, Telegram user ID) live in the config or `~/.secrets/`. One apply: `darwin-rebuild switch --flake .` from `nixos/`.


@ -26,7 +26,7 @@ cd ~/dotfiles/nixos && nix build .#installer-iso
## Flake architecture ## Flake architecture
- **Flake:** `nixos/flake.nix` — single flake for all hosts - **Flake:** `nixos/flake.nix` — single flake for all hosts
- **Inputs:** nixpkgs-unstable, nix-darwin, home-manager, nixos-wsl, disko, zen-browser, nix-openclaw, openclaw-documents - **Inputs:** nixpkgs-unstable, nix-darwin, home-manager, nixos-wsl, disko, zen-browser
- **Host configs** in `nixos/hosts/`: - **Host configs** in `nixos/hosts/`:
- `macos.nix` — Apple Silicon MacBook Air (aarch64-darwin, nix-darwin) - `macos.nix` — Apple Silicon MacBook Air (aarch64-darwin, nix-darwin)
- `sunken-ship.nix` — NixOS home server (x86_64-linux) - `sunken-ship.nix` — NixOS home server (x86_64-linux)
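Review bot: The edited **Inputs** line still does not match the lock file: `vscode-server` is listed under the root inputs in `nixos/flake.lock` in this same commit but is missing here. Since the line is being touched anyway, add it so the documented list is the full set of third-party sources the flake pulls in.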
@ -50,10 +50,6 @@ cd ~/dotfiles/nixos && nix build .#installer-iso
- Auto-rebuild timer: `dotfiles-rebuild` — only active after flake config switch. Check with `systemctl is-active dotfiles-rebuild.timer`. - Auto-rebuild timer: `dotfiles-rebuild` — only active after flake config switch. Check with `systemctl is-active dotfiles-rebuild.timer`.
- Server has WiFi; stays reachable when ethernet is unplugged. - Server has WiFi; stays reachable when ethernet is unplugged.
## OpenClaw
AI assistant gateway (Telegram), integrated in the flake. Config: `nixos/home/danny/openclaw.nix`. Documents (SOUL.md, TOOLS.md) come from a separate local repo via the `openclaw-documents` flake input (path: `/Users/danny/dotfiles/openclaw-documents-repo`). Secrets (bot token, gateway token, Telegram user ID) live in `~/.secrets/` or the config. One apply: `darwin-rebuild switch --flake .`.
## Ollama ## Ollama
Custom nix-darwin module at `nixos/ollama.nix` (upstream PR not yet merged). Enabled on macOS via `nixos/hosts/macos.nix`. Runs as a launchd user agent with `ollama serve`. Custom nix-darwin module at `nixos/ollama.nix` (upstream PR not yet merged). Enabled on macOS via `nixos/hosts/macos.nix`. Runs as a launchd user agent with `ollama serve`.


@ -1,11 +1,7 @@
# TODO # TODO
1. **OpenClaw:** Remove the activation-backup + force overrides in `nixos/home/danny/openclaw.nix`. They work around "file is in the way" / "would be clobbered" when home-manager manages `~/.openclaw/`. Prefer fixing upstream (nix-openclaw) or a cleaner approach (e.g. deploy to a different path, or let the module handle existing files). 1. Create a setup/boot USB that: installs NixOS on the server with encryption and WiFi configured from the start; only required input is the server's name (e.g. sunken-ship).
2. Create a setup/boot USB that: installs NixOS on the server with encryption and WiFi configured from the start; only required input is the server's name (e.g. sunken-ship).
* I have a set wifi SSID/PSK, assume servers will start up and be able to reach this wifi. * I have a set wifi SSID/PSK, assume servers will start up and be able to reach this wifi.
* I don't know how to go about the rest of this. * I don't know how to go about the rest of this.
3. Encrypt sunken-ship (LUKS); update hardware/config for encrypted root and boot. 2. Encrypt sunken-ship (LUKS); update hardware/config for encrypted root and boot.
4. Host telegram bot once again (for what purpose?)


@ -1,21 +0,0 @@
# OpenClaw documents (separate repo)
SOUL.md, TOOLS.md, and any other markdown files used by OpenClaw are supplied via the flake input `openclaw-documents` in `nixos/flake.nix`. The input points at the **local clone** `path:/Users/danny/dotfiles/openclaw-documents-repo` so `sudo darwin-rebuild` doesnt need SSH to GitHub. (Change the path in `flake.nix` if your clone lives elsewhere.)
## Repo contents
The repo (or local clone) must have at least:
- `SOUL.md` who the assistant is, personality and boundaries
- `TOOLS.md` what the assistant can use and how
- `AGENTS.md` instructions for the AI when acting on your behalf
(The nix-openclaw module asserts these exist.)
- A minimal `flake.nix` so the repo can be used as a flake input:
```nix
{ outputs = { ... }: { source = ./.; }; }
```
## Local clone
The flake uses the local clone at `~/dotfiles/openclaw-documents-repo/` (path input, gitignored). Edit SOUL/TOOLS there; the next rebuild uses the current directory contents (no `nix flake update` needed). Push/pull to sync with the private GitHub repo when you like.
To use the remote repo instead (e.g. on another machine), set `openclaw-documents.url = "git+ssh://git@github.com/DannyDannyDanny/openclaw-documents"` in `nixos/flake.nix` and ensure your SSH key is loaded when running the rebuild.

153
nixos/flake.lock generated

@ -40,24 +40,6 @@
"inputs": { "inputs": {
"systems": "systems" "systems": "systems"
}, },
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": { "locked": {
"lastModified": 1681202837, "lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
@ -93,27 +75,6 @@
} }
}, },
"home-manager_2": { "home-manager_2": {
"inputs": {
"nixpkgs": [
"nix-openclaw",
"nixpkgs"
]
},
"locked": {
"lastModified": 1767909183,
"narHash": "sha256-u/bcU0xePi5bgNoRsiqSIwaGBwDilKKFTz3g0hqOBAo=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "cd6e96d56ed4b2a779ac73a1227e0bb1519b3509",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"home-manager_3": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
"zen-browser", "zen-browser",
@ -155,49 +116,10 @@
"type": "github" "type": "github"
} }
}, },
"nix-openclaw": {
"inputs": {
"flake-utils": "flake-utils",
"home-manager": "home-manager_2",
"nix-steipete-tools": "nix-steipete-tools",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1773837347,
"narHash": "sha256-PvJTsgowv03pfpEx7+u6Qd8If3HhgkFGpn3IJI22wE4=",
"owner": "openclaw",
"repo": "nix-openclaw",
"rev": "632bb133f694a540e961e613d66224643429d80f",
"type": "github"
},
"original": {
"owner": "openclaw",
"repo": "nix-openclaw",
"type": "github"
}
},
"nix-steipete-tools": {
"inputs": {
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1773561580,
"narHash": "sha256-wT0bKTp45YnMkc4yXQvk943Zz/rksYiIjEXGdWzxnic=",
"owner": "openclaw",
"repo": "nix-steipete-tools",
"rev": "cd4c429ff3b3aaef9f92e59812cf2baf5704b86f",
"type": "github"
},
"original": {
"owner": "openclaw",
"repo": "nix-steipete-tools",
"type": "github"
}
},
"nixos-wsl": { "nixos-wsl": {
"inputs": { "inputs": {
"flake-compat": "flake-compat", "flake-compat": "flake-compat",
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs"
}, },
"locked": { "locked": {
"lastModified": 1773603777, "lastModified": 1773603777,
@ -215,38 +137,6 @@
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": {
"lastModified": 1767364772,
"narHash": "sha256-fFUnEYMla8b7UKjijLnMe+oVFOz6HjijGGNS1l7dYaQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "16c7794d0a28b5a37904d55bcca36003b9109aaa",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1767767207,
"narHash": "sha256-Mj3d3PfwltLmukFal5i3fFt27L6NiKXdBezC1EBuZs4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5912c1772a44e31bf1c63c0390b90501e5026886",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1773282481, "lastModified": 1773282481,
"narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=", "narHash": "sha256-b/GV2ysM8mKHhinse2wz+uP37epUrSE+sAKXy/xvBY4=",
@ -262,7 +152,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_4": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1773628058, "lastModified": 1773628058,
"narHash": "sha256-hpXH0z3K9xv0fHaje136KY872VT2T5uwxtezlAskQgY=", "narHash": "sha256-hpXH0z3K9xv0fHaje136KY872VT2T5uwxtezlAskQgY=",
@ -278,7 +168,7 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_5": { "nixpkgs_3": {
"locked": { "locked": {
"lastModified": 1682134069, "lastModified": 1682134069,
"narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=", "narHash": "sha256-TnI/ZXSmRxQDt2sjRYK/8j8iha4B4zP2cnQCZZ3vp7k=",
@ -292,27 +182,13 @@
"type": "indirect" "type": "indirect"
} }
}, },
"openclaw-documents": {
"locked": {
"lastModified": 1773840501,
"narHash": "sha256-Dpb4erTKZqAKolD7UjXMuIBUEax21q2jNvT+1fiIFA4=",
"path": "/Users/danny/dotfiles/openclaw-documents-repo",
"type": "path"
},
"original": {
"path": "/Users/danny/dotfiles/openclaw-documents-repo",
"type": "path"
}
},
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko", "disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"nix-darwin": "nix-darwin", "nix-darwin": "nix-darwin",
"nix-openclaw": "nix-openclaw",
"nixos-wsl": "nixos-wsl", "nixos-wsl": "nixos-wsl",
"nixpkgs": "nixpkgs_4", "nixpkgs": "nixpkgs_2",
"openclaw-documents": "openclaw-documents",
"vscode-server": "vscode-server", "vscode-server": "vscode-server",
"zen-browser": "zen-browser" "zen-browser": "zen-browser"
} }
@ -332,25 +208,10 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"vscode-server": { "vscode-server": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils",
"nixpkgs": "nixpkgs_5" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1770124655, "lastModified": 1770124655,
@ -368,7 +229,7 @@
}, },
"zen-browser": { "zen-browser": {
"inputs": { "inputs": {
"home-manager": "home-manager_3", "home-manager": "home-manager_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
] ]


@ -18,10 +18,6 @@
disko.url = "github:nix-community/disko"; disko.url = "github:nix-community/disko";
disko.inputs.nixpkgs.follows = "nixpkgs"; disko.inputs.nixpkgs.follows = "nixpkgs";
nix-openclaw.url = "github:openclaw/nix-openclaw";
# OpenClaw SOUL/TOOLS and other docs. Absolute path to local clone (no SSH under sudo).
openclaw-documents.url = "path:/Users/danny/dotfiles/openclaw-documents-repo";
}; };
outputs = { outputs = {
@ -33,8 +29,6 @@
home-manager, home-manager,
zen-browser, zen-browser,
disko, disko,
nix-openclaw,
openclaw-documents,
... ...
}: { }: {
nixosConfigurations = { nixosConfigurations = {
@ -69,7 +63,22 @@
sunken-ship = nixpkgs.lib.nixosSystem { sunken-ship = nixpkgs.lib.nixosSystem {
system = "x86_64-linux"; system = "x86_64-linux";
modules = [ ./hosts/sunken-ship.nix ]; modules = [
./hosts/sunken-ship.nix
# Home Manager on NixOS
home-manager.nixosModules.home-manager
({ lib, ... }: {
home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true;
home-manager.backupFileExtension = "backup";
home-manager.users.danny = { ... }: {
home.username = "danny";
home.homeDirectory = lib.mkForce "/home/danny";
home.stateVersion = "25.11";
};
})
];
}; };
# For disko-install: LUKS + WiFi; hostname/WiFi via --system-config. # For disko-install: LUKS + WiFi; hostname/WiFi via --system-config.
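Review bot: The `sunken-ship` module list gains `home-manager.nixosModules.home-manager` and a `home-manager.users.danny` block, which is new behaviour on the server and unrelated to removing OpenClaw; the commit message does not mention it. Split it into its own commit so it can be reviewed and reverted separately, particularly because the docs touched in this commit describe a `dotfiles-rebuild` auto-rebuild timer on that host that can apply it without a manual step. The new `home-manager.users.danny` also imports nothing, unlike the macOS block that imports `./home/danny/home.nix`; if that is intentional, say so in a comment.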
@ -95,25 +104,20 @@
# macOS (nix-darwin) configuration # macOS (nix-darwin) configuration
darwinConfigurations."Daniel-Macbook-Air" = nix-darwin.lib.darwinSystem { darwinConfigurations."Daniel-Macbook-Air" = nix-darwin.lib.darwinSystem {
specialArgs = { inherit zen-browser nix-openclaw openclaw-documents; }; specialArgs = { inherit zen-browser; };
modules = [ modules = [
./hosts/macos.nix ./hosts/macos.nix
./fish.nix ./fish.nix
# OpenClaw overlay so pkgs.openclaw etc. are available
({ nix-openclaw, ... }: {
nixpkgs.overlays = [ nix-openclaw.overlays.default ];
})
# Home Manager on macOS # Home Manager on macOS
home-manager.darwinModules.home-manager home-manager.darwinModules.home-manager
({ lib, zen-browser, nix-openclaw, openclaw-documents, ... }: { ({ lib, zen-browser, ... }: {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;
home-manager.useUserPackages = true; home-manager.useUserPackages = true;
# Automatically backup files before home-manager overwrites them # Automatically backup files before home-manager overwrites them
home-manager.backupFileExtension = "backup"; home-manager.backupFileExtension = "backup";
# Pass flake inputs to home-manager modules (e.g. home.nix) # Pass flake inputs to home-manager modules (e.g. home.nix)
home-manager.extraSpecialArgs = { inherit zen-browser openclaw-documents; }; home-manager.extraSpecialArgs = { inherit zen-browser; };
home-manager.users.danny = { ... }: { home-manager.users.danny = { ... }: {
# Force an absolute path even if another module sets a bad value. # Force an absolute path even if another module sets a bad value.
@ -121,8 +125,6 @@
home.homeDirectory = lib.mkForce "/Users/danny"; home.homeDirectory = lib.mkForce "/Users/danny";
imports = [ imports = [
./home/danny/home.nix ./home/danny/home.nix
nix-openclaw.homeManagerModules.openclaw
./home/danny/openclaw.nix
]; ];
}; };
}) })


@ -1,3 +0,0 @@
# Copy to openclaw-allow-from.nix (gitignored) and put your Telegram user ID(s) from @userinfobot.
# Example:
[ 00000000 ]


@ -1,9 +0,0 @@
#!/usr/bin/env bash
# Load OPENCLAW_GATEWAY_TOKEN from a file and exec the real gateway.
# Install: token in ~/.secrets/openclaw-gateway-token (one line, no newline).
set -euo pipefail
TOKEN_FILE="${OPENCLAW_GATEWAY_TOKEN_FILE:-$HOME/.secrets/openclaw-gateway-token}"
if [ -f "$TOKEN_FILE" ]; then
export OPENCLAW_GATEWAY_TOKEN=$(cat "$TOKEN_FILE")
fi
exec "$@"


@ -1,76 +0,0 @@
# OpenClaw (AI assistant gateway) Telegram, launchd, documents.
# Documents (SOUL.md, TOOLS.md, etc.) come from a separate repo via the flake input
# openclaw-documents (see flake.nix; override with e.g. github:you/openclaw-documents).
# Secrets (not in repo):
# ~/.secrets/telegram-bot-token
# ~/.secrets/openclaw-gateway-token (one line, gateway auth token)
# nixos/home/danny/openclaw-allow-from.nix (gitignored; copy from .example)
# After editing, run: darwin-rebuild switch --flake . (from ~/dotfiles/nixos)
{ config, lib, pkgs, openclaw-documents, ... }:
let
# Telegram user IDs from gitignored file so we don't commit them
allowFromPath = ./. + "/openclaw-allow-from.nix";
allowFrom = if builtins.pathExists allowFromPath then import allowFromPath else [ ];
in
{
programs.openclaw = {
enable = true;
# Flake input: use .source (in-repo and separate-repo flakes expose source = ./.)
documents = openclaw-documents.source or openclaw-documents.outPath or openclaw-documents;
config = { };
instances.default = {
enable = true;
config = {
gateway = {
mode = "local";
auth.token = ""; # loaded from ~/.secrets/openclaw-gateway-token via wrapper
};
channels.telegram = {
tokenFile = "/Users/danny/.secrets/telegram-bot-token";
allowFrom = allowFrom;
groups."*" = { requireMention = true; };
};
};
plugins = [
# e.g. { source = "github:openclaw/nix-steipete-tools?dir=tools/summarize"; }
];
};
};
# Wrapper loads gateway token from file and execs the real gateway (keeps token out of store)
home.file.".local/bin/openclaw-gateway-wrapper" = {
source = ./openclaw-gateway-wrapper.sh;
executable = true;
};
# TODO: Remove this bloat (see dotfiles TODO.md). Back up as target user so HM can overwrite.
home.activation.backupOpenclawBeforeSwitch = lib.hm.dag.entryBefore [ "linkGeneration" ] ''
OPENCLAW="${config.home.homeDirectory}/.openclaw"
USER="${config.home.username}"
if [ -d "$OPENCLAW" ]; then
for f in "$OPENCLAW"/workspace/*.md "$OPENCLAW"/openclaw.json; do
[ -e "$f" ] && [ ! -L "$f" ] && (sudo -u "$USER" mv -n "$f" "$f.backup" 2>/dev/null || true)
done
fi
'';
home.file.".openclaw/openclaw.json".force = true;
# Override launchd agent to run wrapper so OPENCLAW_GATEWAY_TOKEN is set from file at runtime.
# Do not reference config.launchd.agents."..." here (causes infinite recursion).
launchd.agents."com.steipete.openclaw.gateway" = lib.mkForce {
enable = true;
config = {
ProgramArguments = [
(config.home.homeDirectory + "/.local/bin/openclaw-gateway-wrapper")
"${pkgs.openclaw}/bin/openclaw"
"gateway"
];
RunAtLoad = true;
KeepAlive = true;
};
};
}
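Review bot: Deleting this module removes every reference to `~/.secrets/telegram-bot-token` and `~/.secrets/openclaw-gateway-token`, but those files live outside the repo and nothing in the commit covers them. Add a cleanup step to the commit message or docs: revoke the Telegram bot token, delete both token files, and after the next rebuild confirm the `com.steipete.openclaw.gateway` agent is gone with `launchctl list | grep openclaw`. Also check for leftovers the module created at runtime, namely `~/.local/bin/openclaw-gateway-wrapper`, `~/.openclaw/` and the `*.backup` files written by `backupOpenclawBeforeSwitch`.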


@ -1,48 +0,0 @@
# OpenClaw Setup TODO
## Current state
OpenClaw is **already fully wired** into the macOS (Daniel-Macbook-Air) darwin config:
- **Keep:** `nix-openclaw` flake input, overlay, home-manager module import — all correct
- **Keep:** `nixos/home/danny/openclaw.nix` — working config with launchd agent, wrapper, documents integration
- **Keep:** `openclaw-gateway-wrapper.sh` — loads gateway token from `~/.secrets/` at runtime
- **Keep:** `openclaw-allow-from.nix` (gitignored) — Telegram user ID allowlist
- **Scrap/fix:** `home.activation.backupOpenclawBeforeSwitch` — marked as bloat in a TODO; remove once confirmed unnecessary
- **Not wired:** `sunken-ship` and `macbookair` NixOS configs have zero OpenClaw references
## Phase 1: Get OpenClaw running on macOS (Daniel-Macbook-Air)
- [ ] Ensure `openclaw-documents-repo` exists at `~/dotfiles/openclaw-documents-repo` (or clone it)
- [ ] Create secrets:
- `~/.secrets/telegram-bot-token` (from @BotFather)
- `~/.secrets/openclaw-gateway-token` (gateway auth token)
- [ ] Copy `openclaw-allow-from.nix.example``openclaw-allow-from.nix`, fill in Telegram user ID(s)
- [ ] Rebuild: `cd ~/dotfiles/nixos && darwin-rebuild switch --flake .`
- [ ] Verify launchd agent: `launchctl list | grep openclaw`
- [ ] Test: message bot on Telegram
- [ ] Verify Ollama integration: `ollama list` (already enabled via `macos.nix``ollama.nix`)
## Phase 2: Move to dedicated server (sunken-ship or new host)
- [ ] **Decide:** run OpenClaw on sunken-ship (existing) or a new host (phantom-ship)?
- [ ] Add `nix-openclaw` + `openclaw-documents` to the NixOS config's `specialArgs` (currently only passed to darwinConfigurations)
- [ ] Port `openclaw.nix` from home-manager launchd agent → systemd user service (or system service)
- Replace `launchd.agents` block with `systemd.user.services` equivalent
- Update wrapper to use systemd `EnvironmentFile=` instead of bash wrapper
- [ ] Handle secrets on server:
- `scp` token files to server `~/.secrets/` (don't commit)
- Or use `agenix`/`sops-nix` for encrypted secrets in repo
- [ ] Decide on documents: clone `openclaw-documents-repo` on server, or use GitHub flake input instead of local path
- [ ] If Ollama needed on server: port `ollama.nix` (launchd → systemd) or use nixpkgs `services.ollama` (available in NixOS, not nix-darwin)
- [ ] Rebuild on server: `sudo nixos-rebuild switch --flake .#sunken-ship`
## Packaging decisions
| Decision | Current | Options |
|---|---|---|
| OpenClaw binary | `nix-openclaw` flake input | **Keep** — gives overlay + HM module |
| Documents | Local path flake input | Local path for dev, switch to `github:` for server |
| Ollama on macOS | Custom `ollama.nix` (PR #972) | **Keep** until nix-darwin merges upstream |
| Ollama on NixOS | Not configured | Use `services.ollama` from nixpkgs (built-in on NixOS) |
| Secrets | Files in `~/.secrets/` | Fine for now; consider `sops-nix` if adding more |