feat: add openclaw sandboxed user, sudo policy, fs restrictions, docker proxy, watchdog

modules/openclaw-fs.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  fileSystems =
+    let
+      bindRO = src: {
+        device = src;
+        fsType = "none";
+        options = [ "bind" "ro" ];
+      };
+      bindHide = src: {
+        device = "tmpfs";
+        fsType = "tmpfs";
+        options = [ "size=0" "mode=000" ];
+      };
+    in
+    {
+      "/home/openclaw/private/AT Protocol" = bindHide "/private/AT Protocol";
+      "/home/openclaw/private/cloudflared" = bindHide "/private/cloudflared";
+      "/home/openclaw/private/vaultwarden" = bindHide "/private/vaultwarden";
+      "/home/openclaw/protected" = bindHide "/protected";
+    };
+
+  systemd.tmpfiles.rules = [
+    "d /home/openclaw/private 0750 openclaw openclaw -"
+    "d /home/openclaw/protected 0000 root root -"
+    "f /home/openclaw/private/tangled.env 0000 root root -"
+    "f /home/openclaw/private/cloudflared.pem 0000 root root -"
+  ];
+}