From e8d4bbf24b4b8710ff5a3a3be0d1c57fbee3e545 Mon Sep 17 00:00:00 2001
From: Hara
Date: Fri, 24 Apr 2026 10:37:53 +0200
Subject: [PATCH 1/2] Add danny to openclaw group for secret file access
---
 nixos/hosts/phantom-ship.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index 60668e7..6a6c6e9 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -61,7 +61,7 @@ in
 users.users.danny = {
 isNormalUser = true;
- extraGroups = [ "wheel" ];
+ extraGroups = [ "wheel" "openclaw" ];
 # Password is locked (key-only SSH). Use NixOS installer or recovery to reset if needed.
 };
From 6ef7112ae0f862fc7a471265af32dcfffcfbc17b Mon Sep 17 00:00:00 2001
From: Hara
Date: Fri, 24 Apr 2026 11:24:27 +0200
Subject: [PATCH 2/2] revert: remove danny from openclaw group
Widened access unnecessarily - use sudo -n instead for one-off secret reads.
Co-Authored-By: Claude Sonnet 4.6
---
 nixos/hosts/phantom-ship.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index 6a6c6e9..60668e7 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -61,7 +61,7 @@ in
 users.users.danny = {
 isNormalUser = true;
- extraGroups = [ "wheel" "openclaw" ];
+ extraGroups = [ "wheel" ];
 # Password is locked (key-only SSH). Use NixOS installer or recovery to reset if needed.
 };
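Review bot: After 2/2 the `extraGroups = [ "wheel" ];` line in `users.users.danny` carries no record of why "openclaw" is deliberately absent, so the reasoning lives only in the revert message and the group could easily be re-added later. I would add a comment above that line such as `# Deliberately not in "openclaw": read service secrets with sudo -n, not via standing group membership.` The existing comment says the password is locked, so `sudo -n` presumably relies on a passwordless sudo rule for wheel that is not visible in this hunk; if that rule is blanket, a rule scoped to the specific read would be narrower than either version of this line. The index lines show 2/2 restoring blob 60668e7 exactly, so the series is a net no-op for this file and could be dropped in favour of the comment alone.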