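# Wires the nix-openclaw gateway into the "server" NixOS and home-manager
# modules: the overlay and the sops secrets on the system side, the openclaw
# program settings and the gateway's environment file on the user side.
#
# The line structure is restored here: with the file collapsed onto one line,
# the first `#` turned the systemd service definition and every closing brace
# into comment text.
{ inputs, config, ... }:
let
  # Flake-level config. It is bound here because the NixOS module below takes
  # its own `config` argument, which shadows the outer one inside its body.
  flk = config.flake;

  # Each secret name is written once, so the sops declaration and the path
  # handed to the consumer cannot drift apart.
  telegramTokenSecret = "openclaw/telegram_token";
  envSecret = "openclaw/env";

  # Same literal paths as before (/run/secrets/<name>), which is where sops-nix
  # places a secret by default.
  # NOTE(review): if `sops.secrets.<name>.path` is overridden anywhere, these
  # strings silently point at the wrong file - keep them in sync.
  secretPath = name: "/run/secrets/${name}";
in
{
  flake.modules.nixos.server = { pkgs, config, ... }: {
    nixpkgs.overlays = [ inputs.nix-openclaw.overlays.default ];

    # Both secrets are owned by the account named in flk.meta.user.name,
    # presumably so the user-level gateway service can read them.
    # NOTE(review): no `mode` or `group` is set, so access is whatever the
    # sops-nix defaults give - confirm nothing else widens it.
    sops.secrets = {
      ${telegramTokenSecret} = { owner = flk.meta.user.name; };
      ${envSecret} = { owner = flk.meta.user.name; };
    };
  };

  flake.modules.homeManager.server = {
    imports = [ inputs.nix-openclaw.homeManagerModules.openclaw ];

    programs.openclaw = {
      enable = true;
      config = {
        channels.telegram = {
          # The bot token is passed by file path, so the value itself does not
          # appear in this Nix expression.
          tokenFile = secretPath telegramTokenSecret;
          # Single-entry list taken from flake metadata.
          # NOTE(review): presumably an allowlist of Telegram user ids that
          # may talk to the bot - confirm against the nix-openclaw options.
          allowFrom = [ flk.meta.telegram.userId ];
        };
        gateway = {
          mode = "local";
        };
      };
    };

    # Pass the ANTHROPIC_API_KEY (and any other env vars) to the gateway service.
    # The env file at /run/secrets/openclaw/env should contain lines like:
    #   ANTHROPIC_API_KEY=sk-ant-...
    # Everything in that file ends up in the gateway's process environment and
    # is inherited by whatever the gateway spawns, so keep it to what the
    # service needs.
    #
    # NOTE (issue #35): gateway.auth.token does not serialize from Nix config into
    # the on-disk JSON that the gateway reads. After first activation, run:
    #   openclaw config set gateway.auth.token <TOKEN>
    # (<TOKEN> is a placeholder; the value is missing from the original note.)
    # Supply it in a way that does not leave it in shell history.
    # NOTE(review): until that step is done the token is absent from the
    # on-disk config - confirm the gateway refuses requests in that state
    # rather than running without authentication.
    systemd.user.services.openclaw-gateway = {
      serviceConfig.EnvironmentFile = secretPath envSecret;
    };
  };
}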