From 9092d6ec58da9f7779e400a1cd88af82606910a8 Mon Sep 17 00:00:00 2001
From: Franz Kafka
Date: Thu, 19 Mar 2026 15:09:05 +0000
Subject: [PATCH] fix(openclaw): remove --network=host, use bridge network
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Drops --network=host from OpenClaw container
- Container now runs on Podman's default bridge network
- Gateway port already mapped via ports config (127.0.0.1:18789:8080)
- Container retains outbound internet access for Discord API, model providers, etc.
- Cannot reach other host services (Forgejo, Vaultwarden, etc.) — principle of least privilege

Note: If OpenClaw needs to reach local services in the future, add explicit extraOptions like --network=bridge or create a shared Podman network.
---
 modules/openclaw-podman.nix | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/modules/openclaw-podman.nix b/modules/openclaw-podman.nix
index ee4c952..080ef0d 100644
--- a/modules/openclaw-podman.nix
+++ b/modules/openclaw-podman.nix
@@ -1,5 +1,5 @@
 # OpenClaw Podman Module
-# Provides: AI Agent with Discord integration running in a container
+# Provides: AI Agent with Discord integration running in an isolated container
 #
 # Usage:
 # myModules.openclaw-podman = {
@@ -39,7 +39,7 @@ in
 # Enable podman
 myModules.podman.enable = true;
 
- # OpenClaw container
+ # OpenClaw container (bridge network — isolated from host services)
 virtualisation.oci-containers.containers."openclaw" = {
 image = "ghcr.io/openclaw/openclaw:latest";
 ports = [ "127.0.0.1:${toString cfg.port}:8080" ];
@@ -50,9 +50,6 @@ in
 "${./openclaw-config.json}:/home/node/.openclaw/openclaw.json:ro"
 "openclaw-data:/home/node/.openclaw"
 ];
- extraOptions = [
- "--network=host"
- ];
 };
 };
 }
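Review bot: The new comment in the @@ -39 hunk, `# OpenClaw container (bridge network — isolated from host services)`, overstates what removing `extraOptions = [ "--network=host" ]` in the @@ -50 hunk achieves: a container on Podman's default bridge typically can still reach host services that listen on the host's non-loopback addresses (the bridge gateway address or the LAN IP), so only the shared network namespace — and with it services bound to 127.0.0.1 — is actually out of reach. Reword the comment to state what the code guarantees, e.g. `# OpenClaw container (default bridge network; does not share the host network namespace)`, and if the goal is to keep it away from Forgejo/Vaultwarden, confirm those services bind to loopback only or add firewall rules on the Podman bridge interface. It is also worth verifying, as the commit message does not mention it, that under host networking the `ports` mapping was presumably discarded by Podman, so this change is the point at which the `127.0.0.1:${toString cfg.port}:8080` binding first takes effect and the container must actually be listening on 8080 inside its own namespace. The enclosing attribute set starts outside the hunk.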