docs: update claude setup

refactor: Move some things to roles
refactor: fix some linting

roles/openclaw/templates/openclaw-config.yaml.j2

@@ -0,0 +1,24 @@
+# OpenClaw configuration — managed by Ansible, do not edit manually
+# Ref: https://docs.openclaw.ai
+
+gateway:
+  port: 18789
+  # Gateway binds localhost only; Tailscale is the remote access path
+
+providers:
+  - type: {{ openclaw_model_provider }}
+    apiKey: "{{ openclaw_api_key }}"
+
+{% if openclaw_signal_enabled | bool %}
+channels:
+  signal:
+    account: "{{ openclaw_signal_account }}"
+    cliPath: "{{ openclaw_signal_cli_path }}"
+    dmPolicy: {{ openclaw_signal_dm_policy }}
+{% if openclaw_signal_allow_from | length > 0 %}
+    allowFrom:
+{% for number in openclaw_signal_allow_from %}
+      - "{{ number }}"
+{% endfor %}
+{% endif %}
+{% endif %}

roles/openclaw/templates/openclaw.service.j2

@@ -0,0 +1,29 @@
+[Unit]
+Description=OpenClaw AI Gateway
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User={{ openclaw_user }}
+Group={{ openclaw_group }}
+WorkingDirectory={{ openclaw_home }}
+
+Environment=OPENCLAW_STATE_DIR={{ openclaw_state_dir }}
+Environment=OPENCLAW_CONFIG_PATH={{ openclaw_state_dir }}/config.yaml
+Environment=DOCKER_HOST=unix:/run/user/{{ __openclaw_uid }}/podman/podman.sock
+Environment=XDG_RUNTIME_DIR=/run/user/{{ __openclaw_uid }}
+
+ExecStart=/usr/bin/openclaw gateway run
+Restart=on-failure
+RestartSec=5
+
+# Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ReadWritePaths={{ openclaw_state_dir }} {{ openclaw_home }}
+ProtectHome=read-only
+
+[Install]
+WantedBy=multi-user.target