Skip to content

[Feature] Add NixOS module for running gateway as isolated system user #22

New issue
New issue
Open
#24
Open
[Feature] Add NixOS module for running gateway as isolated system user#22
#24
@jeanlucthumm

Description

@jeanlucthumm
jeanlucthumm
opened on Jan 26, 2026

Summary

The current module only supports home-manager (user-level systemd service). This means the gateway runs with full access to the user's personal files, SSH keys, credentials, etc.

Upstream issue: moltbot/moltbot#2341

Proposal

Add a NixOS module (nixosModules.clawdbot) that:

  1. Creates a dedicated clawdbot system user with minimal privileges
  2. Runs the gateway as a system-level systemd service
  3. Applies systemd hardening options:
    • DynamicUser=true or dedicated user
    • ProtectHome=true
    • PrivateTmp=true
    • NoNewPrivileges=true
    • ProtectSystem=strict
    • etc.
  4. Manages credentials in the isolated user's home

Use Case

Security-conscious users who want to run clawdbot on a server without exposing their personal files to the LLM.

Notes

  • Claude OAuth credentials would need to be set up separately for the clawdbot user
  • Could coexist with the home-manager module for different use cases

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions