From 369e96cbd7d0552b1f6c15b06a4585257d6d958a Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sat, 4 Apr 2026 11:27:05 +0200
Subject: [PATCH] =?UTF-8?q?security:=20harden=20openclaw-gateway=20systemd?= =?UTF-8?q?=20service=20=F0=9F=9B=A1=EF=B8=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, NoNewPrivileges. Only /var/lib/openclaw and /etc/openclaw are writable.
---
 nixos/hosts/phantom-ship.nix | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index 6370681..966d365 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -101,6 +101,15 @@ in
 "d /etc/openclaw 0775 root openclaw - -"
 ];
 
+ # Harden the openclaw-gateway systemd service.
+ systemd.services.openclaw-gateway.serviceConfig = {
+ ProtectHome = "read-only";
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
+ };
+
 # Pull dotfiles and rebuild if the repo has new commits.
 systemd.services.dotfiles-rebuild = {
 description = "Pull dotfiles and run nixos-rebuild if repo changed";
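Review bot: `ProtectHome = "read-only"` still leaves every home directory readable to the gateway — `~/.ssh`, tokens in dotfiles — so unless openclaw actually reads a file under /home, `ProtectHome = true;` is the setting to use, and listing `/etc/openclaw` in `ReadWritePaths` lets the process rewrite its own configuration, which is worth dropping if the gateway only reads it (confirm against what it writes at runtime; the tmpfiles rule above already makes the directory group-writable). The block also stops short of the usual companion directives — device, kernel-tunable, cgroup, SUID/SGID, namespace and syscall restrictions and an empty capability bounding set — which cost nothing for an unprivileged daemon; `MemoryDenyWriteExecute` and `RestrictAddressFamilies` are left out below because they need knowledge of the runtime (a JIT-based runtime breaks under the former), and `CapabilityBoundingSet = ""` must be relaxed to `"CAP_NET_BIND_SERVICE"` if the unit binds a port below 1024. Nothing in the hunk shows a `User=`; if the unit still runs as root, every directive here is a much thinner barrier than it looks, and `systemd-analyze security openclaw-gateway` after the rebuild is the quick way to see what remains exposed. The attribute set this sits in (`in { … }`) opens and closes outside the hunk.

```nix
systemd.services.openclaw-gateway.serviceConfig = {
  ProtectHome = true;  # was "read-only"; nothing under /home should be needed — TODO confirm
  ProtectSystem = "strict";
  PrivateTmp = true;
  NoNewPrivileges = true;
  PrivateDevices = true;
  ProtectKernelTunables = true;
  ProtectKernelModules = true;
  ProtectKernelLogs = true;
  ProtectControlGroups = true;
  ProtectClock = true;
  RestrictSUIDSGID = true;
  RestrictRealtime = true;
  RestrictNamespaces = true;
  LockPersonality = true;
  CapabilityBoundingSet = "";  # relax to "CAP_NET_BIND_SERVICE" only if a port < 1024 is bound
  SystemCallArchitectures = "native";
  SystemCallFilter = [ "@system-service" "~@privileged" ];
  ReadWritePaths = [ "/var/lib/openclaw" ];  # re-add /etc/openclaw only if the gateway writes there
};
```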