feat: fw add matrix token generation for openclaw

2026-04-14 23:41:49 +02:00 · 2026-04-14 23:41:49 +02:00 · 12b77a3960
commit 12b77a3960
parent 358f2296ce
2 changed files with 32 additions and 0 deletions
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@ -109,6 +109,8 @@ in
          matrix-authentication-service # mas-cli for migration
        ];

+        security.sudo.enable = true;
+
        networking.hostName = hostname;

        services.openssh = {
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@ -571,6 +571,36 @@ in {
    '';
  };

+  # Provision an OpenClaw bot user in MAS and issue a long-lived compatibility
+  # access token.  Runs once; the token is persisted in /var/lib/mas/.
+  systemd.services.matrix-bot-provision = {
+    description = "Provision Matrix bot user for OpenClaw";
+    after = [ "matrix-authentication-service.service" ];
+    before = [ "podman-openclaw.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    path = [ "/run/wrappers" ];
+    script = ''
+      TOKEN_FILE="/persist/openclaw-token"
+      if [ ! -f "$TOKEN_FILE" ]; then
+        sudo -u mas ${masPackage}/bin/mas-cli manage register-user \
+          --config /run/mas/config.yaml \
+          --username openclaw \
+          --display-name "OpenClaw Bot" \
+          --yes 2>/dev/null || true
+        TOKEN=$(sudo -u mas ${masPackage}/bin/mas-cli manage issue-compatibility-token \
+          --config /run/mas/config.yaml \
+          openclaw OPENCLAW 2>&1 \
+          | ${pkgs.gnugrep}/bin/grep -oP 'token issued: \K\S+')
+        echo "$TOKEN" > "$TOKEN_FILE"
+        chmod 0444 "$TOKEN_FILE"
+      fi
+    '';
+  };
+
  # Mattermost bridge (bridgev2 — attrs replace entirely, so include all needed fields)
  services.mautrix-mattermost = {
    enable = true;