fix: added support for the OPENCLAW_GATEWAY_TOKEN secret

[nicholasburr]

After provisioning a new virtual machine, openclaw.service fails to start; Refusing to bind gateway to lan without auth

░ The job identifier is 319.
Jun 09 19:46:44 tank-os podman[4082]: 2026-06-09 19:46:44.303626954 +0000 UTC m=+0.304739138 image pull 1160102b0fd49878de024aeb39e245deb5640413169188702d261f5167965714>
Jun 09 19:46:44 tank-os podman[4082]: 2026-06-09 19:46:44.348292665 +0000 UTC m=+0.349404849 container create cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf59>
Jun 09 19:46:44 tank-os podman[4082]: 2026-06-09 19:46:44.451160859 +0000 UTC m=+0.452273083 container init cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf5958>
Jun 09 19:46:44 tank-os podman[4082]: 2026-06-09 19:46:44.452752801 +0000 UTC m=+0.453864985 container start cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf595>
Jun 09 19:46:44 tank-os systemd[1081]: Started openclaw.service - OpenClaw gateway (rootless Podman).
░░ Subject: A start job for unit UNIT has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit UNIT has finished successfully.
░░ 
░░ The job identifier is 319.
Jun 09 19:46:44 tank-os openclaw[4082]: cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf59586929
Jun 09 19:46:45 tank-os openclaw[4092]: 2026-06-09T19:46:45.119+00:00 [gateway] loading configuration…
Jun 09 19:46:45 tank-os openclaw[4092]: 2026-06-09T19:46:45.202+00:00 [gateway] resolving authentication…
Jun 09 19:46:45 tank-os openclaw[4092]: 2026-06-09T19:46:45.209+00:00 Refusing to bind gateway to lan without auth.
Jun 09 19:46:45 tank-os openclaw[4092]: Container environment detected — the gateway defaults to bind=auto (0.0.0.0) for port-forwarding compatibility.
Jun 09 19:46:45 tank-os openclaw[4092]: Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD, or pass --token/--password *** start with auth.
Jun 09 19:46:45 tank-os podman[4126]: 2026-06-09 19:46:45.237836841 +0000 UTC m=+0.010384867 container died cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf5958>
Jun 09 19:46:45 tank-os podman[4126]: 2026-06-09 19:46:45.43496086 +0000 UTC m=+0.207508886 container remove cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf595>
Jun 09 19:46:45 tank-os systemd[1081]: openclaw.service: Main process exited, code=exited, status=78/CONFIG
░░ Subject: Unit process exited

I have updated bootc/rootfs/usr/libexec/tank-os/sync-podman-secrets to provision OPENCLAW_GATEWAY_TOKEN using podman secrets as described here - https://github.com/nicholasburr/tank-os/blob/main/docs/provisioning.md#podman-secrets

After the secret is applied the gateway continues startup as expected.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 80c33b9a-38d6-4832-b54a-d546763c4790

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sallyom]

@nicholasburr thanks for the PR! I'm testing it & will get the fix in asap

[nicholasburr]

Hey @sallyom I got pulled into a side quest on this but, the bit in the python script isn’t required. I can clean this up tonight + update the docs.

[sallyom]

Hey @sallyom I got pulled into a side quest on this but, the bit in the python script isn’t required. I can clean this up tonight + update the docs.

SGTM, that's what I found, too. Also if you can add this to the docs:

docs/provisioning.md → Podman Secrets, alongside the existing provider-token examples:

  sudo -iu openclaw
  printf '%s' "$OPENCLAW_GATEWAY_TOKEN" | podman secret create openclaw_gateway_token -
  tank-openclaw-secrets
  systemctl --user restart openclaw.service

  I’d also add a sentence:

  The `openclaw_gateway_token` Podman secret is injected into the OpenClaw container as `OPENCLAW_GATEWAY_TOKEN`, which satisfies gateway token auth without storing the token
  in `openclaw.json`.

No worries if you don't get to it til we're back from weekend, I'll check in then too - thanks, again for your help - I need to keep up with this much better :)

[nicholasburr]

I got the docs updated, but my lack of git skills is showing. I might need to fix my repo then reopen the PR.