feat: add openclaw node service and migrate to lix

- Add headless openclaw node systemd service for host execution
- Migrate from nix to lix package manager
- Permit openclaw-2026.3.12 (insecure package warning)
- Use ai-worker user for node service

hosts/lazyworkhorse/configuration.nix

@@ -209,6 +209,7 @@
 
     coms = {
       path = self + "/assets/compose/coms";
+      envFile = config.age.secrets.containers_env.path;
     };
 
     finance = {
@@ -255,9 +256,26 @@
       #   mode = "0600";
       #   path = "/home/n8n-worker/.ssh/n8n_ssh_key";
       # };
+      openclaw_gateway_token = {
+        file = ../../secrets/openclaw_gateway_token.age;
+        owner = "root";
+        group = "openclaw-node";
+        mode = "0440";
+        path = "/run/secrets/openclaw_gateway_token";
+      };
     };
   };
 
+  # OpenClaw Node service (host-side execution for Docker gateway)
+  services.openclaw-node = {
+    enable = true;
+    user = "ai-worker";
+    gatewayHost = "127.0.0.1";
+    gatewayPort = 18789;
+    gatewayTokenFile = "/run/secrets/openclaw_gateway_token";
+    displayName = "lazyworkhorse-host";
+  };
+
   # Public host ssh key (kept in sync with the private one)
   environment.etc."ssh/ssh_host_ed25519_key.pub".text =
     "${keys.hosts.lazyworkhorse.main}";