OpenClaw: integrate in dotfiles flake, secrets from files

- Add nix-openclaw to flake; OpenClaw config in home/danny/openclaw.nix - Gateway token from ~/.secrets/openclaw-gateway-token via wrapper script - Telegram allowFrom from gitignored openclaw-allow-from.nix (example committed) - openclaw-documents (AGENTS.md, SOUL.md, TOOLS.md) for workspace - AGENTS.md: note OpenClaw config location and apply command Made-with: Cursor
2026-03-14 10:51:52 +01:00 · 2026-03-14 10:51:52 +01:00 · 703720da96
commit 703720da96
parent 9519804cc6
10 changed files with 244 additions and 10 deletions
--- a/nixos/home/danny/openclaw.nix
+++ b/nixos/home/danny/openclaw.nix
@ -0,0 +1,57 @@
+# OpenClaw (AI assistant gateway) – Telegram, launchd, documents.
+# Secrets (not in repo):
+#   ~/.secrets/telegram-bot-token
+#   ~/.secrets/openclaw-gateway-token   (one line, gateway auth token)
+#   nixos/home/danny/openclaw-allow-from.nix  (gitignored; copy from .example)
+# After editing, run: darwin-rebuild switch --flake . (from ~/dotfiles/nixos)
+
+{ config, lib, ... }:
+
+let
+  # Telegram user IDs from gitignored file so we don't commit them
+  allowFromPath = ./. + "/openclaw-allow-from.nix";
+  allowFrom = if builtins.pathExists allowFromPath then import allowFromPath else [ ];
+in
+{
+  programs.openclaw = {
+    enable = true;
+    documents = ./openclaw-documents;
+
+    config = { };
+
+    instances.default = {
+      enable = true;
+      config = {
+        gateway = {
+          mode = "local";
+          auth.token = "";  # loaded from ~/.secrets/openclaw-gateway-token via wrapper
+        };
+        channels.telegram = {
+          tokenFile = "/Users/danny/.secrets/telegram-bot-token";
+          allowFrom = allowFrom;
+          groups."*" = { requireMention = true; };
+        };
+      };
+      plugins = [
+        # e.g. { source = "github:openclaw/nix-steipete-tools?dir=tools/summarize"; }
+      ];
+    };
+  };
+
+  # Wrapper loads gateway token from file and execs the real gateway (keeps token out of store)
+  home.file.".local/bin/openclaw-gateway-wrapper" = {
+    source = ./openclaw-gateway-wrapper.sh;
+    executable = true;
+  };
+
+  # Prepend wrapper to launchd so OPENCLAW_GATEWAY_TOKEN is set from file at runtime
+  launchd.agents."com.steipete.openclaw.gateway" = lib.mkForce (
+    (config.launchd.agents."com.steipete.openclaw.gateway" or { }) // {
+      config = (config.launchd.agents."com.steipete.openclaw.gateway".config or { }) // {
+        ProgramArguments = [
+          (config.home.homeDirectory + "/.local/bin/openclaw-gateway-wrapper")
+        ] ++ (config.launchd.agents."com.steipete.openclaw.gateway".config.ProgramArguments or [ ]);
+      };
+    }
+  );
+}