feat: openclaw!

modules/hosts/krembo.nix

@@ -6,5 +6,6 @@
 
   flake.modules.homeManager.krembo.imports = with config.flake.modules.homeManager; [
     base
+    server
   ];
 }

modules/server/openclaw.nix

@@ -0,0 +1,53 @@
+{
+  inputs,
+  config,
+  ...
+}: let
+  flk = config.flake;
+in {
+  flake.modules.nixos.server = {
+    pkgs,
+    config,
+    ...
+  }: {
+    nixpkgs.overlays = [inputs.nix-openclaw.overlays.default];
+
+    sops.secrets."openclaw/telegram_token" = {
+      owner = flk.meta.user.name;
+    };
+    sops.secrets."openclaw/env" = {
+      owner = flk.meta.user.name;
+    };
+  };
+
+  flake.modules.homeManager.server = {
+    imports = [inputs.nix-openclaw.homeManagerModules.openclaw];
+
+    programs.openclaw = {
+      enable = true;
+      config = {
+        channels.telegram = {
+          tokenFile = "/run/secrets/openclaw/telegram_token";
+          allowFrom = [
+            flk.meta.telegram.userId
+          ];
+        };
+
+        gateway = {
+          mode = "local";
+        };
+      };
+    };
+
+    # Pass the ANTHROPIC_API_KEY (and any other env vars) to the gateway service.
+    # The env file at /run/secrets/openclaw/env should contain lines like:
+    #   ANTHROPIC_API_KEY=sk-ant-...
+    #
+    # NOTE (issue #35): gateway.auth.token does not serialize from Nix config into
+    # the on-disk JSON that the gateway reads.  After first activation, run:
+    #   openclaw config set gateway.auth.token <your-token>
+    systemd.user.services.openclaw-gateway = {
+      serviceConfig.EnvironmentFile = "/run/secrets/openclaw/env";
+    };
+  };
+}

modules/settings.nix

@@ -25,4 +25,6 @@
 
   flake.meta.location = "/home/${flake.meta.user.name}/dotfiles";
   flake.meta.stateVersion = "25.11";
+
+  flake.meta.telegram.userId = 8561191706;
 }