feat: add openclaw sandboxed user, sudo policy, fs restrictions, docker proxy, watchdog

2026-03-14 17:02:37 +02:00
parent 2a16184fba
commit eebf3f6159
6 changed files with 181 additions and 0 deletions
--- a/modules/openclaw-docker.nix
+++ b/modules/openclaw-docker.nix
@@ -0,0 +1,32 @@
+{ pkgs, ... }:
+{
+  virtualisation.oci-containers.containers.docker-socket-proxy = {
+    image = "tecnativa/docker-socket-proxy:latest";
+    autoStart = true;
+    volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
+    environment = {
+      CONTAINERS = "1";
+      IMAGES = "1";
+      NETWORKS = "1";
+      VOLUMES = "1";
+      INFO = "1";
+      POST = "1";
+      BUILD = "1";
+      COMMIT = "0";
+      CONFIGS = "0";
+      DISTRIBUTION = "0";
+      EXEC = "0";
+      GRPC = "0";
+      PLUGINS = "0";
+      SECRETS = "0";
+      SERVICES = "0";
+      SESSION = "0";
+      SWARM = "0";
+      SYSTEM = "0";
+      TASKS = "0";
+      AUTH = "0";
+      ALLOW_RESTARTS = "1";
+    };
+    ports = [ "127.0.0.1:2375:2375" ];
+  };
+}