feat(users/rus07tam): enable openclaw gateway via systemd

chore: apply nix fmt
2026-04-01 09:56:24 +03:00 · 2026-04-01 09:54:15 +03:00
48 changed files with 275 additions and 187 deletions
--- a/hosts/velarion/machine.nix
+++ b/hosts/velarion/machine.nix
@ -1,11 +1,13 @@
-{dns, ...}: let
+{ dns, ... }:
+let
  domain = "ruject.fun";
  database = {
    host = "127.0.0.1";
    port = 5432;
  };
  ipv4 = "94.156.112.0";
-in {
+in
+{
  services.nginx.enable = true;
  machine = {
    gateway = "10.0.0.1";
@ -29,7 +31,7 @@ in {
            "ns2"
          ];

-          A = [ipv4];
+          A = [ ipv4 ];

          subdomains = rec {
            ns1 = host ipv4 null;
@ -52,10 +54,10 @@ in {
          };

          TXT = [
-            (with spf; strict ["a:mail.ruject.fun"])
+            (with spf; strict [ "a:mail.ruject.fun" ])
          ];

-          MX = with mx; [(mx 10 "mail.ruject.fun.")];
+          MX = with mx; [ (mx 10 "mail.ruject.fun.") ];

          DMARC = [
            {
--- a/services/bind/firewall.nix
+++ b/services/bind/firewall.nix
@ -6,7 +6,8 @@
 let
  cfg = config.machine.bind;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  networking.firewall = {
    allowedTCPPorts = [ cfg.port ];
    allowedUDPPorts = [ cfg.port ];
--- a/services/bind/service.nix
+++ b/services/bind/service.nix
@ -7,7 +7,8 @@
 let
  cfg = config.machine.bind;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  services.bind = {
    enable = cfg.enable;
    listenOnPort = cfg.port;
--- a/services/code-server/nginx.nix
+++ b/services/code-server/nginx.nix
@ -6,7 +6,8 @@
 let
  cfg = config.machine.code-server;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  services.nginx.virtualHosts = mkIf (cfg.domain != null) {
    ${cfg.domain} = {
      enableACME = true;
--- a/services/code-server/options.nix
+++ b/services/code-server/options.nix
@ -6,7 +6,8 @@
 let
  cfg = config.machine.code-server;
 in
-with lib; {
+with lib;
+{
  options.machine.code-server = {
    enable = mkEnableOption "code-server";
    port = mkOption {
--- a/services/code-server/service.nix
+++ b/services/code-server/service.nix
@ -7,7 +7,8 @@
 let
  cfg = config.machine.code-server;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  services.code-server = {
    enable = cfg.enable;
    port = cfg.port;
--- a/services/coturn/firewall.nix
+++ b/services/coturn/firewall.nix
@ -6,7 +6,8 @@
 let
  cfg = config.machine.coturn;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  networking.firewall = {
    interfaces.enp2s0 =
      let
--- a/services/coturn/service.nix
+++ b/services/coturn/service.nix
@ -12,7 +12,8 @@ let
    realm
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.coturn = rec {
    inherit realm enable;
    no-cli = true;
--- a/services/forgejo/mail.nix
+++ b/services/forgejo/mail.nix
@ -9,7 +9,8 @@ let
  inherit (config.machine.forgejo) domain;
  address = "noreply@${domain}";
 in
-with lib; mkIf config.machine.mail.enable {
+with lib;
+mkIf config.machine.mail.enable {
  services.forgejo = {
    secrets = {
      mailer.PASSWD = sec."mail/servicePassword".path;
--- a/services/forgejo/network.nix
+++ b/services/forgejo/network.nix
@ -10,19 +10,22 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  networking.firewall = {
    allowedTCPPorts = [ port ];
  };

-  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://[::1]:${toString port}";
-        proxyWebsockets = true;
+  services.nginx.virtualHosts =
+    with lib;
+    mkIf (domain != null) {
+      "${domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:${toString port}";
+          proxyWebsockets = true;
+        };
      };
    };
-  };
 }
--- a/services/forgejo/runners.nix
+++ b/services/forgejo/runners.nix
@ -9,7 +9,8 @@ let
  url = config.services.forgejo.settings.server.ROOT_URL;
  cfg = config.machine.forgejo;
 in
-with lib; mkIf cfg.enableRunner {
+with lib;
+mkIf cfg.enableRunner {
  sops.secrets = {
    "forgejo/runnerToken" = {
      sopsFile = ./../../secrets/common.yaml;
--- a/services/forgejo/tmpfiles.nix
+++ b/services/forgejo/tmpfiles.nix
@ -7,7 +7,8 @@ let
  cfg = config.machine.forgejo;
  customDir = config.services.forgejo.customDir;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  systemd.tmpfiles.rules = [
    "d '${customDir}/templates' - forgejo forgejo - -"
    "d '${customDir}/public' - forgejo forgejo - -"
--- a/services/mail/rspamd.nix
+++ b/services/mail/rspamd.nix
@ -6,7 +6,8 @@
 let
  inherit (config.machine.mail) enable;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.rspamd = {
    enable = true;
    overrides = {
--- a/services/mail/tmpfiles.nix
+++ b/services/mail/tmpfiles.nix
@ -7,7 +7,8 @@
 let
  inherit (config.machine.mail) enable;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  systemd.tmpfiles.rules = [
    "C /var/dkim/default.private 0600 root root - - ${sec.dkim_default_private.path}"
  ];
--- a/services/minecraft-server/firewall.nix
+++ b/services/minecraft-server/firewall.nix
@ -9,7 +9,8 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  networking.firewall.allowedTCPPorts = [
    port
  ];
--- a/services/minecraft-server/service.nix
+++ b/services/minecraft-server/service.nix
@ -10,7 +10,8 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.minecraft-server = {
    inherit enable;
    dataDir = "/var/lib/minecraft";
--- a/services/mysql/firewall.nix
+++ b/services/mysql/firewall.nix
@ -6,7 +6,8 @@
 let
  cfg = config.machine.mysql;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  networking.firewall = {
    allowedTCPPorts = [ cfg.port ];
  };
--- a/services/mysql/service.nix
+++ b/services/mysql/service.nix
@ -10,7 +10,8 @@ let
    enable
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.mysql = {
    inherit enable;
    package = pkgs.mysql84;
--- a/services/navidrome/service.nix
+++ b/services/navidrome/service.nix
@ -11,17 +11,20 @@ let
    folder
    ;
 in
-with lib; mkIf enable {
-  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://[::1]:${toString port}";
-        proxyWebsockets = true;
+with lib;
+mkIf enable {
+  services.nginx.virtualHosts =
+    with lib;
+    mkIf (domain != null) {
+      "${domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://[::1]:${toString port}";
+          proxyWebsockets = true;
+        };
      };
    };
-  };

  services.navidrome = {
    inherit enable;
--- a/services/networking/service.nix
+++ b/services/networking/service.nix
@ -1,8 +1,14 @@
-{ config, lib, hostname, ... }:
+{
+  config,
+  lib,
+  hostname,
+  ...
+}:
 let
  inherit (config.machine) ipv4 gateway;
 in
-with lib; {
+with lib;
+{
  networking = {
    hostName = hostname;
    networkmanager.enable = mkDefault true;
--- a/services/nextcloud/database.nix
+++ b/services/nextcloud/database.nix
@ -7,7 +7,8 @@ let
  pgsqlEnable = config.machine.postgresql.enable;
  cfg = config.machine.nextcloud;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  services.nextcloud.config =
    if pgsqlEnable then
      {
@ -20,13 +21,15 @@ with lib; mkIf cfg.enable {
        dbhost = "localhost";
      };

-  services.postgresql = with lib; mkIf pgsqlEnable {
-    ensureDatabases = [ "nextcloud" ];
-    ensureUsers = [
-      {
-        name = "nextcloud";
-        ensureDBOwnership = true;
-      }
-    ];
-  };
+  services.postgresql =
+    with lib;
+    mkIf pgsqlEnable {
+      ensureDatabases = [ "nextcloud" ];
+      ensureUsers = [
+        {
+          name = "nextcloud";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
 }
--- a/services/nextcloud/mail.nix
+++ b/services/nextcloud/mail.nix
@ -11,7 +11,8 @@ let
    ;
  address = "noreply@${host}";
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.nextcloud = {
    settings = {
      mail_smtpmode = "smtp";
--- a/services/nextcloud/service.nix
+++ b/services/nextcloud/service.nix
@ -8,7 +8,8 @@
 let
  cfg = config.machine.nextcloud;
 in
-with lib; mkIf cfg.enable {
+with lib;
+mkIf cfg.enable {
  services.nextcloud = {
    enable = cfg.enable;
    appstoreEnable = false;
--- a/services/nginx/acme.nix
+++ b/services/nginx/acme.nix
@ -1,5 +1,6 @@
 { lib, config, ... }:
-with lib; mkIf (config.services.nginx.enable) {
+with lib;
+mkIf (config.services.nginx.enable) {
  security.acme = {
    acceptTerms = true;
    defaults = {
--- a/services/nginx/firewall.nix
+++ b/services/nginx/firewall.nix
@ -6,7 +6,8 @@
 let
  inherit (config.services.nginx) enable;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  networking.firewall.allowedTCPPorts = [
    80
    443
--- a/services/postgresql/service.nix
+++ b/services/postgresql/service.nix
@ -10,7 +10,8 @@ let
    enable
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.postgresql = {
    inherit enable;
    settings = {
--- a/services/prometheus/service.nix
+++ b/services/prometheus/service.nix
@ -9,7 +9,8 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.prometheus = {
    inherit enable port;
  };
--- a/services/prosody/firewall.nix
+++ b/services/prosody/firewall.nix
@ -8,7 +8,8 @@ let
    enable
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  networking.firewall = {
    allowedTCPPorts = [
      # HTTP filer
--- a/services/prosody/nginx.nix
+++ b/services/prosody/nginx.nix
@ -11,7 +11,8 @@ let

  localhost = "http://localhost:5280";
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  security.acme.certs."${domain}".extraDomainNames = [
    "conference.${domain}"
    "upload.${domain}"
@ -19,36 +20,38 @@ with lib; mkIf enable {
  users.groups.acme.members = [
    "prosody"
  ];
-  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
-    "${domain}".locations = {
-      "= /xmpp-websocket" = {
-        proxyPass = localhost;
-        proxyWebsockets = true;
+  services.nginx.virtualHosts =
+    with lib;
+    mkIf (domain != null) {
+      "${domain}".locations = {
+        "= /xmpp-websocket" = {
+          proxyPass = localhost;
+          proxyWebsockets = true;
+        };
+        "= /http-bind".proxyPass = localhost;
+        "/push".proxyPass = localhost;
+        "= /.well-known/host-meta".proxyPass = localhost;
+        "= /.well-known/host-meta.json".proxyPass = localhost;
+      };
+      "conference.${domain}" = {
+        http3 = true;
+        quic = true;
+        forceSSL = true;
+        kTLS = true;
+        useACMEHost = domain;
+        sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+        sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+        locations."/".proxyPass = localhost;
+      };
+      "upload.${domain}" = {
+        http3 = true;
+        quic = true;
+        forceSSL = true;
+        kTLS = true;
+        useACMEHost = domain;
+        sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
+        sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
+        locations."/".proxyPass = localhost;
      };
-      "= /http-bind".proxyPass = localhost;
-      "/push".proxyPass = localhost;
-      "= /.well-known/host-meta".proxyPass = localhost;
-      "= /.well-known/host-meta.json".proxyPass = localhost;
    };
-    "conference.${domain}" = {
-      http3 = true;
-      quic = true;
-      forceSSL = true;
-      kTLS = true;
-      useACMEHost = domain;
-      sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
-      sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
-      locations."/".proxyPass = localhost;
-    };
-    "upload.${domain}" = {
-      http3 = true;
-      quic = true;
-      forceSSL = true;
-      kTLS = true;
-      useACMEHost = domain;
-      sslCertificate = "${config.security.acme.certs.${domain}.directory}/fullchain.pem";
-      sslCertificateKey = "${config.security.acme.certs.${domain}.directory}/key.pem";
-      locations."/".proxyPass = localhost;
-    };
-  };
 }
--- a/services/prosody/service.nix
+++ b/services/prosody/service.nix
@ -12,7 +12,8 @@ let

  sslCertDir = config.security.acme.certs."${domain}".directory;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.prosody = {
    inherit enable;

--- a/services/redis/service.nix
+++ b/services/redis/service.nix
@ -10,7 +10,8 @@ let
    enable
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  sops.secrets = {
    "redis/password" = { };
  };
--- a/services/roundcube/service.nix
+++ b/services/roundcube/service.nix
@ -10,7 +10,8 @@ let
    domain
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.roundcube = {
    inherit enable;
    dicts = with pkgs.aspellDicts; [
--- a/services/synapse/database.nix
+++ b/services/synapse/database.nix
@ -7,20 +7,25 @@ let
  pgsqlEnable = config.machine.postgresql.enable;
  inherit (config.machine.synapse) enable;
 in
-with lib; mkIf enable {
-  services.postgresql = with lib; mkIf pgsqlEnable {
-    ensureUsers = [
-      {
-        name = "matrix-synapse";
-        ensureDBOwnership = true;
-      }
-    ];
-    ensureDatabases = [ "matrix-synapse" ];
-  };
+with lib;
+mkIf enable {
+  services.postgresql =
+    with lib;
+    mkIf pgsqlEnable {
+      ensureUsers = [
+        {
+          name = "matrix-synapse";
+          ensureDBOwnership = true;
+        }
+      ];
+      ensureDatabases = [ "matrix-synapse" ];
+    };
  services.matrix-synapse.settings.database = {
    name = if pgsqlEnable then "psycopg2" else "sqlite3";
-    args = with lib; mkIf pgsqlEnable {
-      host = "/run/postgresql";
-    };
+    args =
+      with lib;
+      mkIf pgsqlEnable {
+        host = "/run/postgresql";
+      };
  };
 }
--- a/services/synapse/element.nix
+++ b/services/synapse/element.nix
@ -52,7 +52,8 @@ let
    };
  };
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
--- a/services/synapse/mail.nix
+++ b/services/synapse/mail.nix
@ -11,7 +11,8 @@ let
    ;
  address = "noreply@${domain}";
 in
-with lib; mkIf (enable && config.machine.mail.enable) {
+with lib;
+mkIf (enable && config.machine.mail.enable) {
  services.matrix-synapse = {
    settings = {
      admin_contact = address;
--- a/services/synapse/redis.nix
+++ b/services/synapse/redis.nix
@ -7,7 +7,8 @@ let
  redisEnable = config.machine.redis.enable;
  inherit (config.machine.synapse) enable;
 in
-with lib; mkIf (redisEnable && enable) {
+with lib;
+mkIf (redisEnable && enable) {
  services.redis.servers.matrix-synapse = {
    enable = true;
  };
--- a/services/synapse/secrets.nix
+++ b/services/synapse/secrets.nix
@ -8,7 +8,8 @@ let
    enable
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  sops.secrets = {
    "matrix/registrationSharedSecret" = {
      sopsFile = ./../../secrets/common.yaml;
@ -40,7 +41,9 @@ with lib; mkIf enable {
        smtp_pass: ${config.sops.placeholder."mail/servicePassword"}
    '';
  };
-  services.matrix-synapse.extraConfigFiles = with lib; mkIf config.machine.synapse.enable [
-    config.sops.templates.matrix-synapse-config.path
-  ];
+  services.matrix-synapse.extraConfigFiles =
+    with lib;
+    mkIf config.machine.synapse.enable [
+      config.sops.templates.matrix-synapse-config.path
+    ];
 }
--- a/services/synapse/synapse.nix
+++ b/services/synapse/synapse.nix
@ -12,7 +12,8 @@ let
    metrics
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.matrix-synapse = {
    inherit enable;
    enableRegistrationScript = true;
--- a/services/synapse/turn.nix
+++ b/services/synapse/turn.nix
@ -6,7 +6,8 @@
 let
  inherit (config.machine.coturn) enable;
 in
-with lib; mkIf (enable && config.machine.coturn.enable) {
+with lib;
+mkIf (enable && config.machine.coturn.enable) {
  services.matrix-synapse.settings = with config.services.coturn; {
    turn_uris = [
      "turn:${realm}:3478?transport=udp"
--- a/services/uptime-kuma/service.nix
+++ b/services/uptime-kuma/service.nix
@ -10,7 +10,8 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  services.uptime-kuma = {
    inherit enable;
    settings = {
@ -18,16 +19,18 @@ with lib; mkIf enable {
    };
  };

-  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
-        proxyWebsockets = true;
+  services.nginx.virtualHosts =
+    with lib;
+    mkIf (domain != null) {
+      "${domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString port}";
+          proxyWebsockets = true;
+        };
      };
    };
-  };

  networking.firewall = {
    allowedTCPPorts = [ port ];
--- a/services/vaultwarden/service.nix
+++ b/services/vaultwarden/service.nix
@ -10,34 +10,37 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  networking.firewall = {
    allowedTCPPorts = [ port ];
  };

-  services.nginx.virtualHosts = with lib; mkIf (domain != null) {
-    "${domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
-        proxyWebsockets = true;
+  services.nginx.virtualHosts =
+    with lib;
+    mkIf (domain != null) {
+      "${domain}" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString port}";
+          proxyWebsockets = true;
+          extraConfig = ''
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $host;
+          '';
+        };
+
        extraConfig = ''
-          proxy_set_header X-Real-IP $remote_addr;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_set_header X-Forwarded-Host $host;
+          add_header X-Frame-Options DENY;
+          add_header X-Content-Type-Options nosniff;
+          add_header Referrer-Policy same-origin;
+          add_header X-XSS-Protection "1; mode=block";
        '';
      };
-
-      extraConfig = ''
-        add_header X-Frame-Options DENY;
-        add_header X-Content-Type-Options nosniff;
-        add_header Referrer-Policy same-origin;
-        add_header X-XSS-Protection "1; mode=block";
-      '';
    };
-  };

  services.vaultwarden = {
    inherit enable;
--- a/services/xray-3x-ui/firewall.nix
+++ b/services/xray-3x-ui/firewall.nix
@ -9,7 +9,8 @@ let
    port
    ;
 in
-with lib; mkIf enable {
+with lib;
+mkIf enable {
  networking.firewall.allowedTCPPorts = [
    # Web panel
    port
--- a/services/xray-3x-ui/nginx.nix
+++ b/services/xray-3x-ui/nginx.nix
@ -2,43 +2,50 @@
  lib,
  config,
  ...
-}: let
-  inherit
-    (config.machine.xray-3x-ui)
+}:
+let
+  inherit (config.machine.xray-3x-ui)
    enable
    port
    domain
    subscriptions
    ;
-in {
-  services.nginx.virtualHosts = with lib; mkIf enable {
-    ${domain} = with lib; mkIf (domain != null) {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
-        proxyWebsockets = true;
-        extraConfig = ''
-          proxy_set_header X-Real-IP         $remote_addr;
-          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_redirect off;
-        '';
-      };
+in
+{
+  services.nginx.virtualHosts =
+    with lib;
+    mkIf enable {
+      ${domain} =
+        with lib;
+        mkIf (domain != null) {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:${toString port}";
+            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_set_header X-Real-IP         $remote_addr;
+              proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_redirect off;
+            '';
+          };
+        };
+      ${subscriptions.domain} =
+        with lib;
+        mkIf (subscriptions.domain != null) {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:2096";
+            proxyWebsockets = true;
+            extraConfig = ''
+              proxy_set_header X-Real-IP         $remote_addr;
+              proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_redirect off;
+            '';
+          };
+        };
    };
-    ${subscriptions.domain} = with lib; mkIf (subscriptions.domain != null) {
-      enableACME = true;
-      forceSSL = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:2096";
-        proxyWebsockets = true;
-        extraConfig = ''
-          proxy_set_header X-Real-IP         $remote_addr;
-          proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
-          proxy_set_header X-Forwarded-Proto $scheme;
-          proxy_redirect off;
-        '';
-      };
-    };
-  };
 }
--- a/services/xray-3x-ui/service.nix
+++ b/services/xray-3x-ui/service.nix
@ -1,6 +1,11 @@
 # See https://github.com/sunmeplz/xray-3x-ui

-{ config, lib, pkgs, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 with lib;

@ -11,8 +16,7 @@ let
  minGoVersion = "1.26.0";

  xray-3x-ui =
-    assert assertMsg
-      (versionAtLeast pkgs.go.version minGoVersion)
+    assert assertMsg (versionAtLeast pkgs.go.version minGoVersion)
      "3x-ui requires Go >= ${minGoVersion}, but ${pkgs.go.version} is available";

    pkgs.buildGoModule rec {
@ -28,7 +32,10 @@ let

      vendorHash = "sha256-M8YQTMfF/xZut4hxUcAfF2xGK625vwJNp4JS/zoXUCQ=";

-      ldflags = [ "-s" "-w" ];
+      ldflags = [
+        "-s"
+        "-w"
+      ];

      meta = with lib; {
        description = "Xray panel supporting multi-protocol multi-user";
@ -39,7 +46,8 @@ let
      };
    };

-in {
+in
+{
  # Service implementation
  config = mkIf cfg.enable {
    # User and group configuration
@ -85,8 +93,14 @@ in {
        Group = "xray-3x-ui";
        StateDirectory = "3x-ui 3x-ui/bin 3x-ui/logs";
        StateDirectoryMode = "0755";
-        AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
-        CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_NET_ADMIN" ];
+        AmbientCapabilities = [
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_ADMIN"
+        ];
+        CapabilityBoundingSet = [
+          "CAP_NET_BIND_SERVICE"
+          "CAP_NET_ADMIN"
+        ];
      };
    };

--- a/users/rus07tam/modules/openclaw/service.nix
+++ b/users/rus07tam/modules/openclaw/service.nix
@ -7,6 +7,7 @@
  programs.openclaw = {
    enable = true;
    installApp = false;
+    systemd.enable = true;

    bundledPlugins = {
      summarize.enable = true;
Author	SHA1	Message	Date
Rustam Efimov	793eeb3161	feat(users/rus07tam): enable openclaw gateway via systemd Some checks failed Nix CI / build (push) Failing after 3m36s Details	2026-04-01 09:56:24 +03:00
Rustam Efimov	e2bd4444d2	chore: apply nix fmt	2026-04-01 09:54:15 +03:00