security: harden openclaw-gateway systemd service 🛡️

ProtectSystem=strict, ProtectHome=read-only, PrivateTmp,
NoNewPrivileges. Only /var/lib/openclaw and /etc/openclaw
are writable.
DannyDannyDanny 2026-04-04 11:27:05 +02:00
parent 4544635ad6
commit 369e96cbd7


@ -101,6 +101,15 @@ in
"d /etc/openclaw 0775 root openclaw - -" "d /etc/openclaw 0775 root openclaw - -"
]; ];
# Harden the openclaw-gateway systemd service.
systemd.services.openclaw-gateway.serviceConfig = {
ProtectHome = "read-only";
ProtectSystem = "strict";
PrivateTmp = true;
NoNewPrivileges = true;
ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
};
# Pull dotfiles and rebuild if the repo has new commits. # Pull dotfiles and rebuild if the repo has new commits.
systemd.services.dotfiles-rebuild = { systemd.services.dotfiles-rebuild = {
description = "Pull dotfiles and run nixos-rebuild if repo changed"; description = "Pull dotfiles and run nixos-rebuild if repo changed";
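Review bot: Listing `/etc/openclaw` in ReadWritePaths (together with the 0775 root:openclaw tmpfiles rule just above) lets the gateway process rewrite its own configuration, so a compromised service can persist by editing what it loads on the next start; if the service only reads that directory, drop it so ProtectSystem=strict keeps it read-only, i.e. `ReadWritePaths = [ "/var/lib/openclaw" ];`, and keep mutable state under /var/lib/openclaw. The new set also omits the usual companions that close the rest of the surface: `ProtectKernelTunables = true; ProtectControlGroups = true; PrivateDevices = true; RestrictSUIDSGID = true;` plus a `RestrictAddressFamilies` list and a `SystemCallFilter` such as `"@system-service"` if the gateway tolerates them. I cannot see from this hunk whether the unit already sets `User =` or `DynamicUser = true`; if it still runs as root, NoNewPrivileges buys little and a dedicated account is the larger win. `systemd-analyze security openclaw-gateway` on the rebuilt host reports the exposure score and which directives remain unset, so running it before and after is a cheap regression check for this change. The surrounding module attribute set continues outside the hunk.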