fix: Add support for OPENCLAW_GATEWAY_TOKEN #16

Open
nicholasburr wants to merge 2 commits into LobsterTrap:main from nicholasburr:openclaw_gateway_token
nicholasburr commented Jun 14, 2026

After provisioning a new virtual machine, openclaw.service fails to start: Refusing to bind gateway to lan without auth

Jun 09 19:46:44 tank-os openclaw[4082]: cd7a204083bf66b6eed18af3ddab20d3f2ba110f3a4b9499ea3332cf59586929
Jun 09 19:46:45 tank-os openclaw[4092]: 2026-06-09T19:46:45.119+00:00 [gateway] loading configuration…
Jun 09 19:46:45 tank-os openclaw[4092]: 2026-06-09T19:46:45.202+00:00 [gateway] resolving authentication…
Jun 09 19:46:45 tank-os openclaw[4092]: 2026-06-09T19:46:45.209+00:00 Refusing to bind gateway to lan without auth.
Jun 09 19:46:45 tank-os openclaw[4092]: Container environment detected — the gateway defaults to bind=auto (0.0.0.0) for port-forwarding compatibility.
Jun 09 19:46:45 tank-os openclaw[4092]: Set OPENCLAW_GATEWAY_TOKEN or OPENCLAW_GATEWAY_PASSWORD, or pass --token/--password *** start with auth.

Updated bootc/rootfs/usr/libexec/tank-os/sync-podman-secrets to provision OPENCLAW_GATEWAY_TOKEN using podman secrets as described here - https://github.com/nicholasburr/tank-os/blob/main/docs/provisioning.md#podman-secrets

After the secret is applied the gateway continues startup as expected.

Summary by CodeRabbit

  • New Features

    • Added support for syncing the OpenClaw Gateway token as a Podman secret.
  • Documentation

    • Enhanced provisioning guide with step-by-step instructions for configuring the Gateway token, Anthropic API key, and OpenAI API key.
    • Added post-boot connection and secret synchronization guidance.

coderabbitai Bot commented Jun 14, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c5b3a6b-98fa-4ade-814b-331fb264cf98

📥 Commits

Reviewing files that changed from the base of the PR and between 08edc35 and 3e7c5b2.

📒 Files selected for processing (2)
  • bootc/rootfs/usr/libexec/tank-os/sync-podman-secrets
  • docs/provisioning.md

📝 Walkthrough

The sync-podman-secrets script gains one line registering the openclaw_gateway_token Podman secret as an environment-based secret target (OPENCLAW_GATEWAY_TOKEN) in the OpenClaw quadlet drop-in. docs/provisioning.md adds a post-boot SSH step and expands the Podman Secrets section with Gateway token creation, API key setup, and an Applying Secrets subsection.

Changes

Gateway Token Secret Support

| Layer / File(s) | Summary |
| --- | --- |
| Register gateway token in sync-podman-secrets (bootc/rootfs/usr/libexec/tank-os/sync-podman-secrets) | Adds openclaw_gateway_token to the secret registration list so it is conditionally appended to the OpenClaw quadlet drop-in as Secret=<name>,type=env,target=OPENCLAW_GATEWAY_TOKEN. |
| Provisioning docs: Gateway token setup and Applying Secrets (docs/provisioning.md) | Adds a post-boot SSH instruction for Gateway token configuration; reworks the Podman Secrets section with structured subsections for Gateway token creation (with service restart), API key creation, and an Applying Secrets step for syncing Quadlet drop-ins and OpenClaw SecretRefs. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A token hops in, sleek and sly,
Slipped into the drop-in on the fly.
The docs now guide with gentle care,
SSH in, configure—secrets are there!
🐇✨ The gateway swings open wide.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'fix: Add support for OPENCLAW_GATEWAY_TOKEN' directly and specifically describes the main change: adding gateway token support to the secret syncing script, which resolves the documented service startup failure. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@nicholasburr

Author

@sallyom I broke the last one, here is a clean PR.
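
The conditional drop-in generation described in the walkthrough above, as an added example that is not the PR's sync-podman-secrets code and is not part of anyone's comment. The function names, the NAME:TARGET argument format and the `[Container]` section (assuming a .container Quadlet unit) are assumptions; only the secret name, the env target and the `Secret=` line format come from the page.

```shell
#!/bin/sh
# Added illustration; NOT the project's sync-podman-secrets script.
# Renders a Quadlet drop-in that injects Podman secrets as environment
# variables, but only for secrets that actually exist on the host.
LC_ALL=C; export LC_ALL   # make the character ranges below byte-exact

# Existence probe (hypothetical helper). Uses the real Podman CLI;
# redefine this function to test without Podman installed.
secret_exists() {
    podman secret exists "$1"
}

# render_dropin NAME:TARGET...
# Prints a [Container] drop-in with one Secret= line per existing secret.
# Returns 1 if a name or target contains characters (comma, newline,
# space, '=') that could smuggle extra options or keys into the unit file.
render_dropin() {
    lines=""
    for pair in "$@"; do
        name=${pair%%:*}
        target=${pair#*:}
        case $name in ''|*[!a-z0-9_]*) return 1 ;; esac
        case $target in ''|[0-9]*|*[!A-Z0-9_]*) return 1 ;; esac
        if secret_exists "$name"; then
            lines="${lines}Secret=${name},type=env,target=${target}
"
        fi
    done
    # No secrets present: emit nothing rather than an empty section.
    [ -n "$lines" ] || return 0
    printf '[Container]\n%s' "$lines"
}

# has_gateway_auth DROPIN_TEXT
# True when the rendered drop-in supplies OPENCLAW_GATEWAY_TOKEN, i.e. the
# gateway will not hit "Refusing to bind gateway to lan without auth".
has_gateway_auth() {
    printf '%s\n' "$1" |
        grep -q '^Secret=[^,]*,type=env,target=OPENCLAW_GATEWAY_TOKEN$'
}

# Example call (requires Podman):
#   render_dropin openclaw_gateway_token:OPENCLAW_GATEWAY_TOKEN
```

Running `has_gateway_auth` on the rendered text before restarting the service catches the missing-token case that produced the log lines in the PR description.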
