OpenClaw: integrate in dotfiles flake, secrets from files

- Add nix-openclaw to flake; OpenClaw config in home/danny/openclaw.nix - Gateway token from ~/.secrets/openclaw-gateway-token via wrapper script - Telegram allowFrom from gitignored openclaw-allow-from.nix (example committed) - openclaw-documents (AGENTS.md, SOUL.md, TOOLS.md) for workspace - AGENTS.md: note OpenClaw config location and apply command Made-with: Cursor
2026-03-14 10:51:52 +01:00 · 2026-03-14 10:51:52 +01:00 · 703720da96
commit 703720da96
parent 9519804cc6
10 changed files with 244 additions and 10 deletions
--- a/nixos/home/danny/openclaw-allow-from.nix.example
+++ b/nixos/home/danny/openclaw-allow-from.nix.example
@ -0,0 +1,3 @@
+# Copy to openclaw-allow-from.nix (gitignored) and put your Telegram user ID(s) from @userinfobot.
+# Example:
+[ 00000000 ]
--- a/nixos/home/danny/openclaw-documents/AGENTS.md
+++ b/nixos/home/danny/openclaw-documents/AGENTS.md
@ -0,0 +1,7 @@
+# Agent instructions
+
+Instructions for the AI assistant (OpenClaw) when acting on your behalf.
+
+- Prefer terminal and scripting for automation; use GUI only when necessary.
+- Prefer tools and skills provided by enabled plugins; suggest enabling a plugin if a task needs it.
+- Do not store secrets or tokens in the repo; use ~/.secrets/ or environment.
--- a/nixos/home/danny/openclaw-documents/SOUL.md
+++ b/nixos/home/danny/openclaw-documents/SOUL.md
@ -0,0 +1,7 @@
+# Soul
+
+Who the assistant is, its personality and boundaries.
+
+- Helpful and concise.
+- Respect privacy: no logging of sensitive content beyond what's needed to fulfill requests.
+- Prefer safe defaults; ask before destructive or irreversible actions.
--- a/nixos/home/danny/openclaw-documents/TOOLS.md
+++ b/nixos/home/danny/openclaw-documents/TOOLS.md
@ -0,0 +1,6 @@
+# Tools
+
+What the assistant can use and how.
+
+- CLI tools and skills come from enabled plugins (see `nixos/home/danny/openclaw.nix` → `programs.openclaw.instances.default.plugins`).
+- Add plugins there and run `darwin-rebuild switch --flake .` from ~/dotfiles/nixos to install new tools and skills.
--- a/nixos/home/danny/openclaw-gateway-wrapper.sh
+++ b/nixos/home/danny/openclaw-gateway-wrapper.sh
@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# Load OPENCLAW_GATEWAY_TOKEN from a file and exec the real gateway.
+# Install: token in ~/.secrets/openclaw-gateway-token (one line, no newline).
+set -euo pipefail
+TOKEN_FILE="${OPENCLAW_GATEWAY_TOKEN_FILE:-$HOME/.secrets/openclaw-gateway-token}"
+if [ -f "$TOKEN_FILE" ]; then
+  export OPENCLAW_GATEWAY_TOKEN=$(cat "$TOKEN_FILE")
+fi
+exec "$@"
--- a/nixos/home/danny/openclaw.nix
+++ b/nixos/home/danny/openclaw.nix
@ -0,0 +1,57 @@
+# OpenClaw (AI assistant gateway) – Telegram, launchd, documents.
+# Secrets (not in repo):
+#   ~/.secrets/telegram-bot-token
+#   ~/.secrets/openclaw-gateway-token   (one line, gateway auth token)
+#   nixos/home/danny/openclaw-allow-from.nix  (gitignored; copy from .example)
+# After editing, run: darwin-rebuild switch --flake . (from ~/dotfiles/nixos)
+
+{ config, lib, ... }:
+
+let
+  # Telegram user IDs from gitignored file so we don't commit them
+  allowFromPath = ./. + "/openclaw-allow-from.nix";
+  allowFrom = if builtins.pathExists allowFromPath then import allowFromPath else [ ];
+in
+{
+  programs.openclaw = {
+    enable = true;
+    documents = ./openclaw-documents;
+
+    config = { };
+
+    instances.default = {
+      enable = true;
+      config = {
+        gateway = {
+          mode = "local";
+          auth.token = "";  # loaded from ~/.secrets/openclaw-gateway-token via wrapper
+        };
+        channels.telegram = {
+          tokenFile = "/Users/danny/.secrets/telegram-bot-token";
+          allowFrom = allowFrom;
+          groups."*" = { requireMention = true; };
+        };
+      };
+      plugins = [
+        # e.g. { source = "github:openclaw/nix-steipete-tools?dir=tools/summarize"; }
+      ];
+    };
+  };
+
+  # Wrapper loads gateway token from file and execs the real gateway (keeps token out of store)
+  home.file.".local/bin/openclaw-gateway-wrapper" = {
+    source = ./openclaw-gateway-wrapper.sh;
+    executable = true;
+  };
+
+  # Prepend wrapper to launchd so OPENCLAW_GATEWAY_TOKEN is set from file at runtime
+  launchd.agents."com.steipete.openclaw.gateway" = lib.mkForce (
+    (config.launchd.agents."com.steipete.openclaw.gateway" or { }) // {
+      config = (config.launchd.agents."com.steipete.openclaw.gateway".config or { }) // {
+        ProgramArguments = [
+          (config.home.homeDirectory + "/.local/bin/openclaw-gateway-wrapper")
+        ] ++ (config.launchd.agents."com.steipete.openclaw.gateway".config.ProgramArguments or [ ]);
+      };
+    }
+  );
+}