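# NixOS module: masks selected paths under /home/openclaw by mounting an
# empty, mode-000 tmpfs over each one, and declares root-owned placeholders
# through systemd-tmpfiles.
#
# NOTE(review): a tmpfs mask only covers the path it is mounted on. The paths
# passed as the second argument (/private/..., /protected) are not touched by
# this module; if the openclaw user can reach them under those names they
# need their own permissions or sandboxing. Confirm against the rest of the
# configuration.
{ ... }:

{
  fileSystems =
    let
      # Builds the mount definition for an empty tmpfs used as a mask.
      # `_src` is not used by the mount; it only records, at the call site,
      # which path the mask stands in for.
      bindHide = _src: {
        device = "tmpfs";
        fsType = "tmpfs";
        options = [
          # tmpfs treats size=0 as "no block limit", not "zero bytes", so an
          # explicit small cap is set instead.
          "size=4k"
          # No permission bits on the mount root: unprivileged users can
          # neither list nor enter it.
          "mode=000"
          # The mask is never meant to hold data, so it is read-only and
          # cannot carry setuid binaries, device nodes or executables.
          "ro"
          "nosuid"
          "nodev"
          "noexec"
        ];
      };
    in
    {
      "/home/openclaw/private/AT Protocol" = bindHide "/private/AT Protocol";
      "/home/openclaw/private/cloudflared" = bindHide "/private/cloudflared";
      "/home/openclaw/private/vaultwarden" = bindHide "/private/vaultwarden";
      "/home/openclaw/protected" = bindHide "/protected";
    };

  systemd.tmpfiles.rules = [
    # Parent directory, owned and writable by openclaw.
    # NOTE(review): because openclaw owns this directory, it can unlink or
    # rename the root-owned 0000 files declared below and create its own in
    # their place; only the mount points are protected from that. If the
    # placeholders are meant to block those names, a root-owned parent or a
    # mount-based mask is needed. Confirm intent.
    "d /home/openclaw/private 0750 openclaw openclaw -"
    # Also masked by a tmpfs above; this rule sets owner and mode on whatever
    # is visible at the path when tmpfiles runs.
    "d /home/openclaw/protected 0000 root root -"
    # Root-owned files with no permission bits.
    "f /home/openclaw/private/tangled.env 0000 root root -"
    "f /home/openclaw/private/cloudflared.pem 0000 root root -"
  ];
}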