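# systemd system unit template for the OpenClaw gateway; the double-brace
# placeholders are filled in when the template is rendered.
# The gateway runs as the account named by openclaw_user and reaches that
# account's per-user Podman API socket through DOCKER_HOST.
[Unit]
Description=OpenClaw AI Gateway
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User={{ openclaw_user }}
Group={{ openclaw_group }}
WorkingDirectory={{ openclaw_home }}
Environment=OPENCLAW_STATE_DIR={{ openclaw_state_dir }}
Environment=OPENCLAW_CONFIG_PATH={{ openclaw_state_dir }}/config.yaml
# Container API endpoint: the per-user Podman socket under /run/user/<uid>.
# Containers requested over this socket are created by the Podman service,
# not by this unit, so the sandboxing below does not apply to them.
# NOTE(review): /run/user/<uid> exists only while that user has a session or
# lingering enabled, and nothing here orders this unit after the socket;
# confirm provisioning covers both.
# NOTE(review): many Docker-compatible clients accept only the unix:// form
# (unix:///run/user/...); confirm the client openclaw uses parses unix:/path.
Environment=DOCKER_HOST=unix:/run/user/{{ __openclaw_uid }}/podman/podman.sock
Environment=XDG_RUNTIME_DIR=/run/user/{{ __openclaw_uid }}
ExecStart=/usr/bin/openclaw gateway run
Restart=on-failure
RestartSec=5

# Hardening
# Block privilege gain through setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
# Private /tmp and /var/tmp, invisible to other services.
PrivateTmp=yes
# Whole file system hierarchy read-only except /dev, /proc and /sys;
# writable locations are re-opened by ReadWritePaths below.
ProtectSystem=strict
# Whitespace-separated list. Both paths must exist when the unit starts (no
# "-" prefix is used), and a rendered path containing a space would be split
# into two entries.
# NOTE(review): this makes all of openclaw_home writable, including any
# shell or SSH configuration kept there; narrow it if the gateway only
# needs specific subdirectories.
ReadWritePaths={{ openclaw_state_dir }} {{ openclaw_home }}
# Also applies to /root and /run/user, so XDG_RUNTIME_DIR is read-only for
# this service: it can connect to the existing socket but cannot create
# files there.
ProtectHome=read-only
# Kernel-surface restrictions: the gateway delegates container work to the
# Podman socket, so the unit itself needs none of these interfaces.
# Older systemd releases log a warning for settings they do not know and
# ignore them.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
# Refuse creation of setuid/setgid files inside the writable paths.
RestrictSUIDSGID=yes
# Pin the execution domain so personality(2) cannot be used to change it.
LockPersonality=yes

[Install]
WantedBy=multi-user.target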