fix: gate openclaw-gateway hardening on enable flag 🔧

DannyDannyDanny 2026-04-18 22:28:32 +02:00
parent 40627405f7
commit 6500ad39bf


@ -151,14 +151,16 @@ in
mode = "0644"; mode = "0644";
}; };
# Harden the openclaw-gateway systemd service. # Harden the openclaw-gateway systemd service (only when enabled).
systemd.services.openclaw-gateway.environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig"; systemd.services.openclaw-gateway = lib.mkIf config.services.openclaw-gateway.enable {
systemd.services.openclaw-gateway.serviceConfig = { environment.GIT_CONFIG_GLOBAL = "/etc/openclaw/gitconfig";
ProtectHome = "read-only"; serviceConfig = {
ProtectSystem = "strict"; ProtectHome = "read-only";
PrivateTmp = true; ProtectSystem = "strict";
NoNewPrivileges = true; PrivateTmp = true;
ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ]; NoNewPrivileges = true;
ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
};
}; };
# Auto-rebuild service/timer + safe.directory provided by the # Auto-rebuild service/timer + safe.directory provided by the