feat: git

Author: theorderingmachine

machines/tom/configuration.nix

@@ -297,12 +297,18 @@
         owner = "slacks";
         group = "slacks";
       };
-      "openclaw" = {
+      "openclaw/env" = {
         format = "dotenv";
         owner = "openclaw";
         group = "openclaw";
         sopsFile = ./services/openclaw-gateway/vault.env;
       };
+      "openclaw/ssh/private" = {
+        owner = "openclaw";
+        group = "openclaw";
+        key = "tom/ssh/private";
+        path = "/var/lib/openclaw/.ssh/id_ed25519";
+      };
       "restic/git" = {
         owner = "git";
         group = "git";
@@ -432,6 +438,11 @@
         isSystemUser = true;
         group = "git";
       };
+      openclaw = {
+        isSystemUser = true;
+        group = "openclaw";
+        home = "/var/lib/openclaw";
+      };
       quintus = {
         isSystemUser = true;
         group = "quintus";
@@ -463,6 +474,7 @@
       endpoints = { };
       etime = { };
       git = { };
+      openclaw = { };
       quintus = { };
       slacks = { };
       snaek = { };

machines/tom/secrets/vault.yaml

@@ -56,7 +56,7 @@ sops:
             ZkxZVFpHMXpPaUhTTFRQZExXZXlrckkKgF4x8xxm1WeRHWmMItTkWUelYnHd0d0v
             rXpwaQ/l79BzAsGy3YmENr/w0/pOTYXTNXSR1dam46qnJuFflqxhhg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-06T01:13:42Z"
-    mac: ENC[AES256_GCM,data:ydWWt/2RdvgYY76euU18JO1rgdnl3BO5NVBFHvcEz3lJYbLewi4ztG8Yor5IEFX3l/GpUkOugsfeacFO7afoJGm1S4P3Z6Qbb+WTr7zZKxCbuEKhrNCuumSQy+VwK0HHY6+pSw5JEG8bfvS1zw22S3jieUn9K2jQAgdC+J5LxwE=,iv:p+nbK7xRE4SsV5QPeZmtz4kUOXjNw2s/r95a9L9joMA=,tag:ImSAUH31OdavSnbbL4ihOQ==,type:str]
+    lastmodified: "2026-04-06T02:48:13Z"
+    mac: ENC[AES256_GCM,data:qImApZnJe3DEx0ke5+ZjpaKH4ZwYHGXexLID/i5w1wLv+6eqVnVj5MD5Kxea13lPGvmrMqykxkcpylKKlZpZi17dIaj9aJhajAqxvLP/qJb21RFj9kSXs/C4iOgxZ8rYmyBlP8mMPsm3mV42FcXx3at9vDEkwHmWOMqpj4Hg56o=,iv:NyPBukffrqy+xzib1Je9EDxDmmQSqZ0XeUJQfi5kook=,tag:Rph8z8u+N/7KemvhoOl5vA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.12.2

machines/tom/services/openclaw-gateway/default.nix

@@ -192,14 +192,25 @@
       NODE_ENV = "production";
       OPENCLAW_CONFIG_PATH = "/var/lib/openclaw/openclaw.json";
     };
-    environmentFiles = [ config.sops.secrets."openclaw".path ];
+    environmentFiles = [ config.sops.secrets."openclaw/env".path ];
     execStartPre = [
       "${pkgs.coreutils}/bin/cp /etc/openclaw/openclaw.json /var/lib/openclaw/openclaw.json"
     ];
     group = "openclaw";
+    servicePath = [
+      pkgs.curl # https://github.com/curl/curl
+      pkgs.fd # https://github.com/sharkdp/fd
+      pkgs.gh # https://github.com/cli/cli
+      pkgs.git # https://github.com/git/git
+      pkgs.jq # https://github.com/jqlang/jq
+      pkgs.ripgrep # https://github.com/BurntSushi/ripgrep
+    ];
     logPath = "/var/lib/openclaw/gateway.log";
     port = 18789;
     stateDir = "/var/lib/openclaw";
     user = "openclaw";
   };
+  systemd.tmpfiles.rules = [
+    "L+ /var/lib/openclaw/.gitconfig - - - - ${./gitconfig}"
+  ];
 }

machines/tom/services/openclaw-gateway/gitconfig

@@ -0,0 +1,10 @@
+[commit]
+  gpgsign = true
+[gpg]
+  format = ssh
+[gpg "ssh"]
+  allowedSignersFile = ~/.ssh/allowed_signers
+[user]
+  email = tom@deorr.co
+  name = @theorderingmachine
+  signingkey = ~/.ssh/id_ed25519

machines/tom/services/openclaw-gateway/vault.env

@@ -1,11 +1,12 @@
 ANTHROPIC_API_KEY=ENC[AES256_GCM,data:75h2+MUR1gYpD8ClLnB66f09vE1sHKQkP3iLTH29GSedSqvE8WEpRTrVQA5dRoWIdUnhefk9F53lIAZ5Oj/tLeJMLo8Znx3TqnZS+UiShw8J83BMe7n1G14Vx8u0BE6tpeZwi51Sw+bZPyaC,iv:MUsimkmo28xq38DyeUXwDWOvguME2sv1Nm6SPPzGFAc=,tag:KyUWUz/ghFVDz3kB+CswmA==,type:str]
 BRAVE_API_KEY=ENC[AES256_GCM,data:f03Ye+g6RWh1uM2mDVeu8AVB6LcUMLzfLljzbJNrxw==,iv:aTnCPtquR8E8iMsv25m3Wnxww41Ue/3RsHIqdd+5jac=,tag:mejFrh3qG1hROa7/c9Mblg==,type:str]
+GH_TOKEN=ENC[AES256_GCM,data:JPqhc5hWFn1/D/6YTpd1SSkODbNjx6oRQJtCQf1BxotDWq2GKWkVoA==,iv:uUKhMlZgT20ildN/eyJZsS/lHbE0pKYizITJGodGbgU=,tag:2o+iURYV2IFgKjk0CLTgDQ==,type:str]
 OPENAI_API_KEY=ENC[AES256_GCM,data:FzYiZyVMQj++n5PwQpjvy8pd5LXMV/7pIk5RgwYj+3K/HvUXdi0WktBpGRk/vAo+TDuO4H7kM5nsmilAkD4G4pADb0qLW9z6uPwMMP6uSs+7wWu0ADMhAeAtFWWyO3onJzsvcAsAx0X3T9MhcGU/L8+0nMXKMat+PO/hkPvzuDET/b0lNDjofC0H0+M5ZEEY7UkF+h65XYPpWXTqzBQl/a3bh1c=,iv:0+EOZcZbfSZncl2dF7KhUigpMDJqHS4JS91MDL1HPz8=,tag:SaIVxsBAWLMSr/X+WCeVjQ==,type:str]
 SLACK_BOT_TOKEN=ENC[AES256_GCM,data:Gn0bWENh5T8JaVo5J44XnemAj5xRw8yyAv3QG5+kJChIiRV5l/Uf/Y5TEjcgUdh/BaT0a7rjb+7/2g==,iv:zRPuA64S9cA0p14/yF5FlhR7UonNa/JQTxz/U80OoOU=,tag:VH7G6T5PI9U11UbdZpUIvA==,type:str]
 SLACK_SIGNING_SECRET=ENC[AES256_GCM,data:VMVcKRGXSjbiH3XAWgH1j8PwwsppxTNeeZxR7NGDwt4=,iv:MIknV9uio6uUrpmqunT7MKFbNmy+yL9pMlZMPOww8nQ=,tag:nq1vxzfrXhzn9GgIZ+/dLw==,type:str]
 sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaC9LR25NRStJc2RSV2xi\nWmdMN1ZzYXhKUXZyczZLTkhML3E0bjZUOFNZCmtTd0JnVXJHK0VSNGowbFg0L25x\nT2tuek1Xd0FPR3YzRERBY3c5Sko1NVUKLS0tIERGbkdFYVY4TnV3Y0R4andYYTJh\ndFM4SDNVdjVwTmhjeFh4MStkL1FXUVkKvP1cGmZhKk3NNSHr1fFyt0aWYtVqab+y\n7q+ypOSot0v6O3JJL4KPz9LS2XieBCZRNGHmBI/ICEfbz5TnYzI6kw==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1dujf55uzev2nnpq6c2drn0e8pmpxay22qqfsavwaxqakwn9se5hsputgx4
-sops_lastmodified=2026-04-05T22:53:38Z
-sops_mac=ENC[AES256_GCM,data:7kFrfLRnqo5CUl33GWmp4vPIgC9PE1aeLouS60VdYCPKjXTs3NMPOPebEaY4N1WFAX5Yfmn2AtxnpnlsmRlqrZzAVumWsKvq8bvNJm8Nsfl3oVlEUW1gFNXV1UmJah8rokg0GkxXA0ifhG3ulP3hiZ116657BTU+mBmdeSiTwuc=,iv:v1tOI2bNZoiwCSk4EBOiXXh6GGCeorx+5zT3CSNZ38A=,tag:jdK1NNLSBx8oFCfZH9saww==,type:str]
+sops_lastmodified=2026-04-06T02:43:47Z
+sops_mac=ENC[AES256_GCM,data:IJ2oq6aargCH7Gq/St1Bdh1pF0YvlDUZ27uc6L/FnYEhuvybHXAmhHuZRmPtxarcgzY2SDLTKuWaf+nmb8ldQSkJGhDD4ddQxWzkJC1o1aEBhhYICIaIcLNf4zZd8/eBGOO7nxYotPy9+c7UFc1eweUK0M5sOjuy/7c+klk6LGs=,iv:d/DDiGsP2USOkyaTiR6AgrMcKzCOP5gwj8ugI3+2RAo=,tag:0H0oJA7u7MKEP7eodNkixA==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.12.2