Summary
The current module only supports home-manager (user-level systemd service). This means the gateway runs with full access to the user's personal files, SSH keys, credentials, etc.
Upstream issue: openclaw/openclaw#2341
Proposal
Add a NixOS module (nixosModules.clawdbot) that:
- Creates a dedicated
clawdbot system user with minimal privileges
- Runs the gateway as a system-level systemd service
- Applies systemd hardening options:
DynamicUser=true or dedicated userProtectHome=truePrivateTmp=trueNoNewPrivileges=trueProtectSystem=strict- etc.
- Manages credentials in the isolated user's home
Use Case
Security-conscious users who want to run clawdbot on a server without exposing their personal files to the LLM.
Notes
- Claude OAuth credentials would need to be set up separately for the clawdbot user
- Could coexist with the home-manager module for different use cases
Summary
The current module only supports home-manager (user-level systemd service). This means the gateway runs with full access to the user's personal files, SSH keys, credentials, etc.
Upstream issue: openclaw/openclaw#2341
Proposal
Add a NixOS module (
nixosModules.clawdbot) that:clawdbotsystem user with minimal privilegesDynamicUser=trueor dedicated userProtectHome=truePrivateTmp=trueNoNewPrivileges=trueProtectSystem=strictUse Case
Security-conscious users who want to run clawdbot on a server without exposing their personal files to the LLM.
Notes