From 52649f500ad42d6efee0c029bf0589291f8b2d76 Mon Sep 17 00:00:00 2001 From: DannyDannyDanny Date: Sat, 4 Apr 2026 12:06:08 +0200 Subject: [PATCH] =?UTF-8?q?feat:=20add=20git/nodejs=20to=20openclaw,=20con?= =?UTF-8?q?figure=20GitHub=20PAT=20credential=20helper=20=F0=9F=94=91?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds git and nodejs to openclaw-gateway service PATH. Configures a git credential helper that reads a fine-grained PAT from /etc/openclaw/github-token. Creates /var/lib/openclaw/repos for repo clones. --- nixos/hosts/phantom-ship.nix | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix index 966d365..ffa28d5 100644 --- a/nixos/hosts/phantom-ship.nix +++ b/nixos/hosts/phantom-ship.nix @@ -87,6 +87,7 @@ in services.openclaw-gateway = { enable = true; environmentFiles = [ "/etc/openclaw/env" ]; + servicePath = [ pkgs.git pkgs.nodejs ]; config = { gateway.mode = "local"; channels.telegram = { 
@@ -96,12 +97,29 @@ in }; }; - # OpenClaw gateway needs write access to its config dir for runtime state. + # OpenClaw gateway needs write access to its config dir and repo clones. systemd.tmpfiles.rules = [ "d /etc/openclaw 0775 root openclaw - -" + "d /var/lib/openclaw/repos 0750 openclaw openclaw - -" ]; + # Git config for the openclaw user: credential helper reads PAT from file. + # PAT (not in repo): /etc/openclaw/github-token (fine-grained, scoped to specific repos) + environment.etc."openclaw/gitconfig" = { + text = '' + [user] + name = OpenClaw Bot + email = noreply@openclaw.local + [credential "https://github.com"] + helper = "!f() { echo username=x-access-token; echo password=$(cat /etc/openclaw/github-token); }; f" + [safe] + directory = /var/lib/openclaw/repos + ''; + mode = "0644"; + }; + # Harden the openclaw-gateway systemd service. + systemd.services.openclaw-gateway.environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig"; systemd.services.openclaw-gateway.serviceConfig = { ProtectHome = "read-only"; ProtectSystem = "strict";
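Review bot: The PAT file /etc/openclaw/github-token that the new credential helper reads gets no managed ownership or mode here, so whatever umask it was copied in with (often 0644) decides who can read it; since only the service user needs it, pin it next to the new repos rule with `"z /etc/openclaw/github-token 0640 root openclaw - -"`. The helper also depends on an external `cat` and echoes the token unquoted; a builtin-only form such as `helper = "!f() { echo username=x-access-token; IFS= read -r t < /etc/openclaw/github-token; echo \"password=$t\"; }; f"` avoids relying on coreutils being on the service PATH that the commit now sets explicitly. `safe.directory = /var/lib/openclaw/repos` matches only that exact path, not the clones beneath it, and is unnecessary if git runs as the `openclaw` user that owns them — presumably the case given the tmpfiles ownership, but confirm. The serviceConfig block with ProtectSystem = "strict" continues past the hunk; unless a ReadWritePaths or StateDirectory entry there covers /var/lib/openclaw/repos, clones into it will fail at runtime.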