feat: unsandbox my clawd

modules/server/openclaw.nix

@@ -18,6 +18,10 @@ in {
     sops.secrets."openclaw/env" = {
       owner = flk.meta.user.name;
     };
+
+    environment.systemPackages = with pkgs; [
+      whisper-cpp
+    ];
   };
 
   flake.modules.homeManager.server = {
@@ -37,17 +41,19 @@ in {
           mode = "local";
         };
       };
+      bundledPlugins = {
+        summarize.enable = true; # Summarize web pages, PDFs, videos
+        sag.enable = false; # Text-to-speech
+        gogcli.enable = false; # Google Calendar
+        goplaces.enable = true; # Google Places API
+        bird.enable = false; # Twitter/X
+      };
     };
 
-    # Pass the ANTHROPIC_API_KEY (and any other env vars) to the gateway service.
-    # The env file at /run/secrets/openclaw/env should contain lines like:
-    #   ANTHROPIC_API_KEY=sk-ant-...
-    #
-    # NOTE (issue #35): gateway.auth.token does not serialize from Nix config into
-    # the on-disk JSON that the gateway reads.  After first activation, run:
-    #   openclaw config set gateway.auth.token <your-token>
     systemd.user.services.openclaw-gateway = {
-      serviceConfig.EnvironmentFile = "/run/secrets/openclaw/env";
+      Service.Environment = [
+        ''PATH="$PATH:/run/current-system/sw/bin/"''
+      ];
     };
   };
 }