Field guide — hardening NemoClaw for single-VPS production deployment #3257
AdnanSattar started this conversation in General
Hey folks, sharing a hands-on write-up on running NemoClaw in a
zero-trust configuration on a single VPS. Aimed at infra engineers
deploying always-on agents without DGX hardware.
Part 1: VPS substrate: rootless user, Tailscale mesh, UFW, no public
attack surface. https://medium.com/@adnansattar09/nemoclaw-for-the-enterprise-a-zero-trust-setup-for-openclaw-part-1-201cce688948
Part 2: Installing NemoClaw and bootstrapping the four-layer stack
(Docker → k3s → sandbox pod → agent). https://medium.com/@adnansattar09/nemoclaw-for-the-enterprise-installing-nemoclaw-and-bootstrapping-the-sandbox-part-2-31c24c181734
Real gotchas covered:
nemoclaw onboard is destructive on rerun and there's no protective prompt — wiped my state once before I learned
the dashboard doesn't pick it up automatically. Recovery is a 4-layer
exec command (Docker → k3s → pod → file).
onboard is almost always a timing race condition, not a real failure
Three more parts coming: Matrix E2EE control channel, policy engineering,
skills and plugins.
If anyone from the NVIDIA team spots something I got wrong about
NemoClaw internals especially in the onboarding section - happy
to fold corrections in.