fix: gate openclaw-gateway hardening on enable flag 🔧

DannyDannyDanny 2026-04-18 22:28:32 +02:00
parent 40627405f7
commit 6500ad39bf


@ -151,14 +151,16 @@ in
mode = "0644";
};
# Harden the openclaw-gateway systemd service.
systemd.services.openclaw-gateway.environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig";
systemd.services.openclaw-gateway.serviceConfig = {
ProtectHome = "read-only";
ProtectSystem = "strict";
PrivateTmp = true;
NoNewPrivileges = true;
ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
# Harden the openclaw-gateway systemd service (only when enabled).
systemd.services.openclaw-gateway = lib.mkIf config.services.openclaw-gateway.enable {
environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig";
serviceConfig = {
ProtectHome = "read-only";
ProtectSystem = "strict";
PrivateTmp = true;
NoNewPrivileges = true;
ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
};
};
# Auto-rebuild service/timer + safe.directory provided by the