openclaw: bring tom to slack in persistent http connection kept (#82)

Co-authored-by: @theorderingmachine <tom@deorr.co>

Author: zimeg

CHANGELOG.md

@@ -6,6 +6,7 @@ versioning is done in a continuous fashion without worries of breaking changes.
 
 ## patches
 
+- `openclaw`: bring tom to slack in persistent http connection kept 2026-04-05
 - `systemd`: protect against services finding another other process 2026-04-04
 - `nix`: import language servers and formatted linter from upstream 2026-04-04
 - `vhs`: record terminal demos with tapes that share in caring gifs 2026-03-30

cloud/backup.tf

@@ -2,6 +2,7 @@ module "backup" {
   for_each = {
     git       = "tom.git"
     minecraft = "tom.25565"
+    openclaw  = "tom.openclaw"
   }
 
   source = "./modules/backup"
@@ -32,3 +33,15 @@ output "backup_minecraft_secret_access_key" {
   value     = module.backup["minecraft"].secret_access_key
   sensitive = true
 }
+
+# https://opentofu.org/docs/language/values/outputs/
+output "backup_openclaw_access_key_id" {
+  value     = module.backup["openclaw"].access_key_id
+  sensitive = true
+}
+
+# https://opentofu.org/docs/language/values/outputs/
+output "backup_openclaw_secret_access_key" {
+  value     = module.backup["openclaw"].secret_access_key
+  sensitive = true
+}

cloud/configuration.nix

@@ -66,6 +66,10 @@
                 email = "zim@o526.net";
                 group = "nginx";
               };
+              "tom.o526.net" = {
+                email = "zim@o526.net";
+                group = "nginx";
+              };
               "o526.net" = {
                 email = "zim@o526.net";
                 group = "nginx";
@@ -124,6 +128,17 @@
                   proxyWebsockets = true;
                 };
               };
+              "tom.o526.net" = {
+                enableACME = true;
+                forceSSL = true;
+                locations."/slack/events" = {
+                  proxyPass = "http://10.100.0.2:18789";
+                  proxyWebsockets = false;
+                  extraConfig = ''
+                    proxy_set_header x-forwarded-user "slack";
+                  '';
+                };
+              };
               "o526.net" = {
                 enableACME = true;
                 forceSSL = true;

flake.lock

@@ -20,6 +20,10 @@
       url = "github:LnL7/nix-darwin";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    nix-openclaw = {
+      url = "github:openclaw/nix-openclaw";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     nixos-generators = {
       url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -166,6 +170,7 @@
             ./machines/tom/configuration.nix
             inputs.home-manager.nixosModules.home-manager
             inputs.impermanence.nixosModules.impermanence
+            inputs.nix-openclaw.nixosModules.openclaw-gateway
             inputs.sops-nix.nixosModules.sops
             {
               home-manager = {

flake.nix

@@ -13,6 +13,11 @@
     };
   };
   nixpkgs.config = {
+    allowInsecurePredicate =
+      pkg:
+      builtins.elem (pkgs.lib.getName pkg) [
+        "openclaw"
+      ];
     allowUnfreePredicate =
       pkg:
       builtins.elem (pkgs.lib.getName pkg) [
@@ -60,6 +65,7 @@
     ./services/interception-tools
     ./services/minecraft-server
     ./services/ollama
+    ./services/openclaw-gateway
     ./services/openssh
     ./services/pipewire
     ./services/plasma6
@@ -93,6 +99,7 @@
       "/etc/ollama/models"
       "/srv/minecraft/world"
       "/var/lib/nixos"
+      "/var/lib/openclaw"
       "/var/lib/slack"
       "/var/lib/soft-serve"
       "/var/lib/systemd/coredump"
@@ -159,6 +166,7 @@
         5000 # Quintus
         8082 # Todo's Guide
         8083 # Endpoints
+        18789 # OpenClaw
         23231 # Soft Serve
         25565 # Minecraft
       ];
@@ -219,6 +227,12 @@
         group = "minecraft";
         sopsFile = ./services/restic/vault.minecraft.env;
       };
+      "aws/iam/openclaw" = {
+        format = "dotenv";
+        owner = "openclaw";
+        group = "openclaw";
+        sopsFile = ./services/restic/vault.openclaw.env;
+      };
       "github/oauth" = {
         owner = config.users.users.default.name;
         group = "wheel";
@@ -283,6 +297,18 @@
         owner = "slacks";
         group = "slacks";
       };
+      "openclaw/env" = {
+        format = "dotenv";
+        owner = "openclaw";
+        group = "openclaw";
+        sopsFile = ./services/openclaw-gateway/vault.env;
+      };
+      "openclaw/ssh/private" = {
+        owner = "openclaw";
+        group = "openclaw";
+        key = "tom/ssh/private";
+        path = "/var/lib/openclaw/.ssh/id_ed25519";
+      };
       "restic/git" = {
         owner = "git";
         group = "git";
@@ -291,6 +317,10 @@
         owner = "minecraft";
         group = "minecraft";
       };
+      "restic/openclaw" = {
+        owner = "openclaw";
+        group = "openclaw";
+      };
       "slack/snaek" = {
         format = "dotenv";
         owner = "snaek";
@@ -408,6 +438,11 @@
         isSystemUser = true;
         group = "git";
       };
+      openclaw = {
+        isSystemUser = true;
+        group = "openclaw";
+        home = "/var/lib/openclaw";
+      };
       quintus = {
         isSystemUser = true;
         group = "quintus";
@@ -439,6 +474,7 @@
       endpoints = { };
       etime = { };
       git = { };
+      openclaw = { };
       quintus = { };
       slacks = { };
       snaek = { };

machines/tom/configuration.nix

@@ -24,6 +24,7 @@ github:
 restic:
     git: ENC[AES256_GCM,data:HiSNgy2BByydX5OpVCno0jIE2tt+XsOc/SqXvmpf2th1OAFauvF+FOrGywM=,iv:DgBnpVXapP39J4eRzy4/DRWHfOc0dk51pMi32XWHlrQ=,tag:7T2kqGV/l6mKRNna7S9bJQ==,type:str]
     minecraft: ENC[AES256_GCM,data:tk4jvTaCTGDK1RGa/uW6RWyjtUKl,iv:EJLhXDhGBnnWmDaKuhDPl4/daoVnnAN8v0mIalS1ODw=,tag:saefTwBI1pDIZEZ10t/ePw==,type:str]
+    openclaw: ENC[AES256_GCM,data:u1XfiniFMqWS+x7xh8/NbPKjWLk1MbOZIHv3BtftL3zcwV0eezfbraLOBl8=,iv:xJfIl1T6L+xmVLF5cEYq2e58DMLUQGd9OoCFwpffbIo=,tag:Emx/SllzPoes7WQpNE6Vug==,type:str]
 tailscale:
     auth: ENC[AES256_GCM,data:6LWj2Cx8DLXpxPH0MnttV0exwkQe7bsxB84aKMGUupws0GAsL0YMFC/yF4ffz5u9109mcMsMY3HatzLpuw4=,iv:hFW8p2fZbprUS1TIl5VR8nwfwey7zwkKN9YPKADzw1s=,tag:DweIRvZNHOUXdoKJr1CDtg==,type:str]
 tom:
@@ -55,7 +56,7 @@ sops:
             ZkxZVFpHMXpPaUhTTFRQZExXZXlrckkKgF4x8xxm1WeRHWmMItTkWUelYnHd0d0v
             rXpwaQ/l79BzAsGy3YmENr/w0/pOTYXTNXSR1dam46qnJuFflqxhhg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-07T21:27:42Z"
-    mac: ENC[AES256_GCM,data:ZANJKMW8EuRdi3dywpodG4i/9b66w/iYMjcF0kzLcB5Qvk3669zrlH3G55WaeUTJjd7MA7l5CB4aM8jH5KvIpYA5W7wDApAE3DC8HTXVXPWZdrr1ldZXVzg08lYnucIWXzfJLiQ2qmX7oo0uzP2UTZ6H60Nj5WUkEmNqDfxywo0=,iv:uiF9sjwpatspbhC7tMD3mB3wM+ElbqPtD06V09uhAgc=,tag:s7L8sKAVIK1JZMkFx5+5VA==,type:str]
+    lastmodified: "2026-04-06T02:48:13Z"
+    mac: ENC[AES256_GCM,data:qImApZnJe3DEx0ke5+ZjpaKH4ZwYHGXexLID/i5w1wLv+6eqVnVj5MD5Kxea13lPGvmrMqykxkcpylKKlZpZi17dIaj9aJhajAqxvLP/qJb21RFj9kSXs/C4iOgxZ8rYmyBlP8mMPsm3mV42FcXx3at9vDEkwHmWOMqpj4Hg56o=,iv:NyPBukffrqy+xzib1Je9EDxDmmQSqZ0XeUJQfi5kook=,tag:Rph8z8u+N/7KemvhoOl5vA==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.12.1
+    version: 3.12.2

machines/tom/secrets/vault.yaml

@@ -0,0 +1,7 @@
+keys:
+  - &tom age1dujf55uzev2nnpq6c2drn0e8pmpxay22qqfsavwaxqakwn9se5hsputgx4
+creation_rules:
+  - path_regex: \.env$
+    key_groups:
+      - age:
+          - *tom