feat: change openclaw to a vm and give read access to a db

2026-02-09 03:06:46 +01:00 · 2026-02-09 03:06:46 +01:00 · f3ef4ff11c
commit f3ef4ff11c
parent 5847c04acd
10 changed files with 372 additions and 75 deletions
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@ -40,7 +40,8 @@
    # otherwise the build will fail
    ./modules/sa-core.nix
    ./modules/scana11y.nix
-    
+
+    ./modules/wireguard.nix
  ];

  nixpkgs.overlays = [
--- a/hosts/web-arm/modules/mysql.nix
+++ b/hosts/web-arm/modules/mysql.nix
@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, config, ... }:

 let
  mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" ''
@ -71,10 +71,39 @@ in {
        max_allowed_packet = "64M";
        transaction_isolation = "READ-COMMITTED";
        binlog_format = "ROW";
+        bind-address = "127.0.0.1,10.42.98.10";
      };
    };
  };

+  # Allow MySQL access from WireGuard peers
+  networking.firewall.interfaces."wg_cloonar".allowedTCPPorts = [ 3306 ];
+
+  # Read-only MySQL user for openclaw-vm (via WireGuard)
+  sops.secrets.openclaw-mysql-password = {};
+
+  systemd.services.openclaw-mysql-init = {
+    description = "Create openclaw MySQL user with read-only access to support_cloonar_dev";
+    after = [ "mysql.service" ];
+    requires = [ "mysql.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      password=$(cat ${config.sops.secrets.openclaw-mysql-password.path})
+      ${config.services.mysql.package}/bin/mysql -e \
+        "CREATE USER IF NOT EXISTS 'openclaw'@'10.42.98.%' IDENTIFIED BY '$password';"
+      ${config.services.mysql.package}/bin/mysql -e \
+        "ALTER USER 'openclaw'@'10.42.98.%' IDENTIFIED BY '$password';"
+      ${config.services.mysql.package}/bin/mysql -e \
+        "GRANT SELECT ON support_cloonar_dev.* TO 'openclaw'@'10.42.98.%';"
+      ${config.services.mysql.package}/bin/mysql -e \
+        "FLUSH PRIVILEGES;"
+    '';
+  };
+
  services.mysqlBackup.enable = true;
  services.mysqlBackup.databases = [ "mysql" ];
 }
--- a/hosts/web-arm/modules/wireguard.nix
+++ b/hosts/web-arm/modules/wireguard.nix
@ -0,0 +1,14 @@
+{ config, ... }: {
+  sops.secrets.wg_cloonar_key = {};
+
+  networking.wireguard.interfaces.wg_cloonar = {
+    ips = [ "10.42.98.10/24" ];
+    privateKeyFile = config.sops.secrets.wg_cloonar_key.path;
+    peers = [{
+      endpoint = "vpn.cloonar.com:51820";
+      publicKey = "TKQVDmBnf9av46kQxLQSBDhAeaK8r1zh8zpU64zuc1Q=";
+      allowedIPs = [ "10.42.0.0/16" ];
+      persistentKeepalive = 25; # web-arm is behind NAT, keep tunnel alive
+    }];
+  };
+}
--- a/hosts/web-arm/secrets.yaml
+++ b/hosts/web-arm/secrets.yaml