From 6500ad39bff165a9d1233c96a046af4def19febc Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sat, 18 Apr 2026 22:28:32 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20gate=20openclaw-gateway=20hardening=20on?=
 =?UTF-8?q?=20enable=20flag=20=F0=9F=94=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 nixos/hosts/phantom-ship.nix | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index 605d222..3137532 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -151,14 +151,16 @@ in
 mode = "0644";
 };
 
- # Harden the openclaw-gateway systemd service.
- systemd.services.openclaw-gateway.environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig";
- systemd.services.openclaw-gateway.serviceConfig = {
- ProtectHome = "read-only";
- ProtectSystem = "strict";
- PrivateTmp = true;
- NoNewPrivileges = true;
- ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
+ # Harden the openclaw-gateway systemd service (only when enabled).
+ systemd.services.openclaw-gateway = lib.mkIf config.services.openclaw-gateway.enable {
+ environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig";
+ serviceConfig = {
+ ProtectHome = "read-only";
+ ProtectSystem = "strict";
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
+ };
 };
 
 # Auto-rebuild service/timer + safe.directory provided by the
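Review bot: `ProtectHome = "read-only"` in the new `serviceConfig` block still leaves every user's home directory readable by the gateway process, so keys, tokens and dotfiles stored there remain within reach of a compromised service; unless the gateway genuinely reads from a home directory, `ProtectHome = true;` is the stronger setting. The block also stops short of the usual systemd sandbox set — no `PrivateDevices`, `ProtectKernelTunables`/`ProtectKernelModules`/`ProtectControlGroups`, `RestrictSUIDSGID`, `RestrictNamespaces` or `CapabilityBoundingSet` — which `systemd-analyze security openclaw-gateway` will report as exposure. Note too that `/etc/openclaw` is listed in `ReadWritePaths` while `GIT_CONFIG_GLOBAL` points into that same directory, so the pinned git configuration is writable by the very service it is meant to constrain; if the gitconfig only needs to be read, consider keeping writable state in `/var/lib/openclaw` alone, or at least documenting in the comment why the directory must be writable. `lib` and `config` are presumed to come from the module's argument set, which lies outside the hunk. Suggested additions below (`CapabilityBoundingSet = ""` assumes the gateway does not need to bind a privileged port; otherwise grant `CAP_NET_BIND_SERVICE` only).
```nix
    serviceConfig = {
      ProtectHome = true;  # "read-only" still exposes home directories for reading
      ProtectSystem = "strict";
      PrivateTmp = true;
      NoNewPrivileges = true;
      # … unchanged: ReadWritePaths …
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      RestrictNamespaces = true;
      LockPersonality = true;
      CapabilityBoundingSet = "";
    };
```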