๐ openclaw-nix
One flake. Fully hardened. Your agents, secured.
A NixOS module for deploying OpenClaw with security defaults that actually make sense. Because 15,200 exposed control panels on the public internet is not a configuration choice โ it's a crisis.
Built for the NixOS community
The Problem
OpenClaw has 180K+ GitHub stars. It's the most popular agent infrastructure platform in the world. It's also, according to CrowdStrike and SecurityScorecard reports, one of the most commonly misconfigured:
- 15,200+ exposed admin panels on the public internet
- Default installs bind to
0.0.0.0with no auth - Tool execution in
fullmode = unrestricted shell access - No TLS, no firewall rules, no sandboxing out of the box
Most of these aren't malicious deployments. They're people who followed the quickstart, got it working, and moved on. The defaults failed them.
The Solution
services.openclaw.enable = true;
services.openclaw.domain = "agents.example.com";
That's it. Two lines. You get:
| Security Layer | What It Does |
|---|---|
| Gateway auth | Auto-generated token, required for all connections |
| Localhost binding | Gateway never touches the public internet directly |
| Caddy reverse proxy | Automatic TLS via Let's Encrypt, security headers |
| Tool allowlists | Only safe tools enabled โ no exec, no full mode |
| systemd hardening | NoNewPrivileges, PrivateTmp, ProtectSystem=strict, capability dropping |
| Firewall | Only ports 443 (HTTPS) and 22 (SSH) open |
| Fail2ban | SSH brute-force protection with incremental bans |
| Dedicated user | Runs as openclaw user, not root, not your account |