diff --git a/modules/openclaw.nix b/modules/openclaw.nix
index 412ea58..4b24b0f 100644
--- a/modules/openclaw.nix
+++ b/modules/openclaw.nix
@@ -91,8 +91,8 @@ in
           ];
 
           ExecStartPre = [
-            "${pkgs.coreutils}/bin/mkdir -p ${configDir} ${dataDir} ${workspaceDir}"
-            "${pkgs.bash}/bin/bash -c 'cp -n /etc/openclaw/openclaw.json ${configDir}/ || true'"
+            "${pkgs.coreutils}/bin/mkdir -p ${configDir} ${dataDir} ${workspaceDir} /var/lib/openclaw/.openclaw"
+            "${pkgs.bash}/bin/bash -c 'cp -n /etc/openclaw/openclaw.json /var/lib/openclaw/.openclaw/openclaw.json || true'"
           ];
 
           ExecStart = "${pkgs.nodejs_22}/bin/npx openclaw gateway --port ${toString cfg.port} --allow-unconfigured";
@@ -103,7 +103,7 @@ in
           # Security
           PrivateTmp = true;
           ProtectSystem = "strict";
-          ReadWritePaths = [ "/var/lib/openclaw" configDir dataDir workspaceDir ];
+          ReadWritePaths = [ "/var/lib/openclaw" "/var/lib/openclaw/.openclaw" configDir dataDir workspaceDir ];
           NoNewPrivileges = true;
         }
         (lib.mkIf (cfg.environmentFile != null) {