docs: update claude setup

refactor: Move some things to roles
refactor: fix some linting

roles/openclaw/tasks/security.yml

@@ -0,0 +1,49 @@
+---
+# ---------------------------------------------------------------------------
+# UFW firewall — defense-in-depth behind OPNsense perimeter
+# Allows SSH and the OpenClaw gateway port; blocks everything else inbound
+# ---------------------------------------------------------------------------
+- name: Install UFW
+  ansible.builtin.apt:
+    name: ufw
+    state: present
+    update_cache: true
+
+- name: Set UFW default policies
+  community.general.ufw:
+    direction: "{{ item.direction }}"
+    policy: "{{ item.policy }}"
+  loop:
+    - { direction: incoming, policy: deny }
+    - { direction: outgoing, policy: allow }
+    - { direction: routed,   policy: deny }
+
+- name: Allow SSH
+  community.general.ufw:
+    rule: allow
+    port: "{{ openclaw_ssh_port | string }}"
+    proto: tcp
+
+- name: Allow OpenClaw gateway port
+  community.general.ufw:
+    rule: allow
+    port: "{{ openclaw_gateway_port | string }}"
+    proto: tcp
+
+- name: Enable UFW
+  community.general.ufw:
+    state: enabled
+
+# ---------------------------------------------------------------------------
+# Rootless Podman — used exclusively for agent sandbox isolation
+# Runs as the openclaw user; no root daemon, no exposed sockets
+# podman-docker provides a docker-compatible CLI shim for OpenClaw tooling
+# ---------------------------------------------------------------------------
+- name: Install Podman and dependencies
+  ansible.builtin.apt:
+    name:
+      - podman
+      - podman-docker
+      - uidmap
+    state: present
+    update_cache: true