feat: add OpenClaw gateway to phantom-ship 🤖

Telegram bot via nix-openclaw NixOS module. Secrets (API key, bot token) loaded from /etc/openclaw/ at runtime. Telegram user ID read from gitignored openclaw-allow-from.nix.
2026-04-03 12:02:02 +02:00 · 2026-04-03 12:02:02 +02:00 · b04b53f9c4
commit b04b53f9c4
parent d1ab7d9a69
4 changed files with 146 additions and 9 deletions
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@ -1,10 +1,14 @@
-# NixOS server: bare config with SSH, auto-rebuild, Ethernet.
-# Services (OpenClaw, etc.) to be added later.
+# NixOS server: SSH, auto-rebuild, NAT for rusty-anchor, OpenClaw gateway.
 { config, lib, pkgs, ... }:

 let
  dotfilesDir = "/etc/dotfiles";
  flakeRef = "${dotfilesDir}/nixos#phantom-ship";
+
+  # Telegram user ID(s) — gitignored, not committed to public repo.
+  # Create openclaw-allow-from.nix with e.g.: [ 12345678 ]
+  allowFromPath = ./openclaw-allow-from.nix;
+  openclawAllowFrom = if builtins.pathExists allowFromPath then import allowFromPath else [ ];
 in
 {
  imports = [ ./phantom-ship-hardware.nix ];
@ -77,6 +81,19 @@ in
    git  # clone/bootstrap and dotfiles-rebuild timer
  ];

+  # OpenClaw AI gateway — Telegram bot, Anthropic API.
+  # Secrets (not in repo): /etc/openclaw/telegram-bot-token, /etc/openclaw/env (ANTHROPIC_API_KEY)
+  services.openclaw-gateway = {
+    enable = true;
+    environmentFiles = [ "/etc/openclaw/env" ];
+    config = {
+      channels.telegram = {
+        tokenFile = "/etc/openclaw/telegram-bot-token";
+        allowFrom = openclawAllowFrom;
+      };
+    };
+  };
+
  # Pull dotfiles and rebuild if the repo has new commits.
  systemd.services.dotfiles-rebuild = {
    description = "Pull dotfiles and run nixos-rebuild if repo changed";