{"id":44651502,"url":"https://github.com/openclaw/openclaw-ansible","last_synced_at":"2026-02-14T21:01:00.840Z","repository":{"id":331524364,"uuid":"1130539840","full_name":"openclaw/openclaw-ansible","owner":"openclaw","description":"Automated, hardened Clawdbot installation with Tailscale VPN, UFW firewall, and Docker isolation","archived":false,"fork":false,"pushed_at":"2026-02-05T15:58:36.000Z","size":75,"stargazers_count":215,"open_issues_count":9,"forks_count":107,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-02-06T01:56:15.885Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/openclaw.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["moltbot"]}},"created_at":"2026-01-08T16:44:56.000Z","updated_at":"2026-02-06T01:16:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/openclaw/openclaw-ansible","commit_stats":null,"previous_names":["clawdbot/clawdbot-ansible","moltbot/clawdbot-ansible","openclaw/clawdbot-ansible","openclaw/openclaw-ansible"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/openclaw/openclaw-ansible","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fopenclaw-ansible","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fopenclaw-ansible/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fopenclaw-ansible/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fopenclaw-ansible/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/openclaw","download_url":"https://codeload.github.com/openclaw/openclaw-ansible/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/openclaw%2Fopenclaw-ansible/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29455594,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-14T15:52:44.973Z","status":"ssl_error","status_checked_at":"2026-02-14T15:52:11.208Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-14T21:00:21.166Z","updated_at":"2026-02-14T21:01:00.833Z","avatar_url":"https://github.com/openclaw.png","language":"Shell","funding_links":["https://github.com/sponsors/moltbot"],"categories":["Skills \u0026 Plugins","Self-Hosting","Deployment und Betrieb","🦞 OpenClaw Ecosystem","🚀 Deployment \u0026 Operations"],"sub_categories":["Third-Party Platforms","Docker \u0026 Kubernetes","Self-Hosted Deployment und Infrastruktur","Other Cloud Provider Credits"],"readme":"# OpenClaw Ansible Installer\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Lint](https://github.com/openclaw/openclaw-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/openclaw/openclaw-ansible/actions/workflows/lint.yml)\n[![Ansible](https://img.shields.io/badge/Ansible-2.14+-blue.svg)](https://www.ansible.com/)\n[![Multi-OS](https://img.shields.io/badge/OS-Debian%20%7C%20Ubuntu-orange.svg)](https://www.debian.org/)\n\nAutomated, hardened installation of [OpenClaw](https://github.com/openclaw/openclaw) with Docker and Tailscale VPN support for Debian/Ubuntu Linux.\n\n## ⚠️ macOS Support: Deprecated \u0026 Disabled\n\n**Effective 2026-02-06, support for bare-metal macOS installations has been removed from this playbook.**\n\n### Why?\nThe underlying project currently requires system-level permissions and configurations that introduce significant security risks when executed on a primary host OS. To protect user data and system integrity, we have disabled bare-metal execution.\n\n### What does this mean?\n* The playbook will now explicitly fail if run on a `Darwin` (macOS) system.\n* We strongly discourage manual workarounds to bypass this check.\n* **Future Support:** We are evaluating a virtualization-first strategy (using Vagrant or Docker) to provide a sandboxed environment for this project in the future.\n\n## Features\n\n- 🔒 **Firewall-first**: UFW firewall + Docker isolation\n- 🛡️ **Fail2ban**: SSH brute-force protection out of the box\n- 🔄 **Auto-updates**: Automatic security patches via unattended-upgrades\n- 🔐 **Tailscale VPN**: Secure remote access without exposing services\n- 🐳 **Docker**: Docker CE with security hardening\n- 🚀 **One-command install**: Complete setup in minutes\n- 🔧 **Auto-configuration**: DBus, systemd, environment setup\n- 📦 **pnpm installation**: Uses `pnpm install -g openclaw@latest`\n\n## Quick Start\n\n### Release Mode (Recommended)\n\nInstall the latest stable version from npm:\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bash\n```\n\n### Development Mode\n\nInstall from source for development or testing:\n\n```bash\n# Clone the installer\ngit clone https://github.com/openclaw/openclaw-ansible.git\ncd openclaw-ansible\n\n# Install in development mode\nansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development\n```\n\n## What Gets Installed\n\n- Tailscale (mesh VPN)\n- UFW firewall (SSH + Tailscale ports only)\n- Docker CE + Compose V2 (for sandboxes)\n- Node.js 22.x + pnpm\n- OpenClaw on host (not containerized)\n- Systemd service (auto-start)\n\n## Post-Install\n\nAfter installation completes, switch to the openclaw user:\n\n```bash\nsudo su - openclaw\n```\n\nThen run the quick-start onboarding wizard:\n\n```bash\nopenclaw onboard --install-daemon\n```\n\nThis will:\n- Guide you through the setup wizard\n- Configure your messaging provider (WhatsApp/Telegram/Signal)\n- Install and start the daemon service\n\n### Alternative Manual Setup\n\n```bash\n# Configure manually\nopenclaw configure\n\n# Login to provider\nopenclaw providers login\n\n# Test gateway\nopenclaw gateway\n\n# Install as daemon\nopenclaw daemon install\nopenclaw daemon start\n\n# Check status\nopenclaw status\nopenclaw logs\n```\n\n## Installation Modes\n\n### Release Mode (Default)\n- Installs via `pnpm install -g openclaw@latest`\n- Gets latest stable version from npm registry\n- Automatic updates via `pnpm install -g openclaw@latest`\n- **Recommended for production**\n\n### Development Mode\n- Clones from `https://github.com/openclaw/openclaw.git`\n- Builds from source with `pnpm build`\n- Symlinks binary to `~/.local/bin/openclaw`\n- Adds helpful aliases:\n  - `openclaw-rebuild` - Rebuild after code changes\n  - `openclaw-dev` - Navigate to repo directory\n  - `openclaw-pull` - Pull, install deps, and rebuild\n- **Recommended for development and testing**\n\nEnable with: `-e openclaw_install_mode=development`\n\n## Security\n\n- **Public ports**: SSH (22), Tailscale (41641/udp) only\n- **Fail2ban**: SSH brute-force protection (5 attempts → 1 hour ban)\n- **Automatic updates**: Security patches via unattended-upgrades\n- **Docker isolation**: Containers can't expose ports externally (DOCKER-USER chain)\n- **Non-root**: OpenClaw runs as unprivileged user\n- **Scoped sudo**: Limited to service management (not full root)\n- **Systemd hardening**: NoNewPrivileges, PrivateTmp, ProtectSystem\n\nVerify: `nmap -p- YOUR_SERVER_IP` should show only port 22 open.\n\n### Security Note\n\nFor high-security environments, audit before running:\n\n```bash\ngit clone https://github.com/openclaw/openclaw-ansible.git\ncd openclaw-ansible\n# Review playbook.yml and roles/\nansible-playbook playbook.yml --check --diff  # Dry run\nansible-playbook playbook.yml --ask-become-pass\n```\n\n## Documentation\n\n- [Configuration Guide](docs/configuration.md) - All configuration options\n- [Development Mode](docs/development-mode.md) - Build from source\n- [Security Architecture](docs/security.md) - Security details\n- [Technical Details](docs/architecture.md) - Architecture overview\n- [Troubleshooting](docs/troubleshooting.md) - Common issues\n- [Agent Guidelines](AGENTS.md) - AI agent instructions\n\n## Requirements\n\n- Debian 11+ or Ubuntu 20.04+\n- Root/sudo access\n- Internet connection\n\n## What Gets Installed\n\n- Tailscale (mesh VPN)\n- UFW firewall (SSH + Tailscale ports only)\n- Docker CE + Compose V2 (for sandboxes)\n- Node.js 22.x + pnpm\n- OpenClaw on host (not containerized)\n- Systemd service (auto-start)\n\n## Manual Installation\n\n### Release Mode (Default)\n\n```bash\n# Install dependencies\nsudo apt update \u0026\u0026 sudo apt install -y ansible git\n\n# Clone repository\ngit clone https://github.com/openclaw/openclaw-ansible.git\ncd openclaw-ansible\n\n# Install Ansible collections\nansible-galaxy collection install -r requirements.yml\n\n# Run installation\n./run-playbook.sh\n```\n\n### Development Mode\n\nBuild from source for development:\n\n```bash\n# Same as above, but with development mode flag\n./run-playbook.sh -e openclaw_install_mode=development\n\n# Or directly:\nansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development\n```\n\nThis will:\n- Clone openclaw repo to `~/code/openclaw`\n- Run `pnpm install` and `pnpm build`\n- Symlink binary to `~/.local/bin/openclaw`\n- Add development aliases to `.bashrc`\n\n## Configuration Options\n\nAll configuration variables can be found in [`roles/openclaw/defaults/main.yml`](roles/openclaw/defaults/main.yml).\n\nYou can override them in three ways:\n\n### 1. Via Command Line\n\n```bash\nansible-playbook playbook.yml --ask-become-pass \\\n  -e openclaw_install_mode=development \\\n  -e \"openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']\"\n```\n\n### 2. Via Variables File\n\n```bash\n# Create vars.yml\ncat \u003e vars.yml \u003c\u003c EOF\nopenclaw_install_mode: development\nopenclaw_ssh_keys:\n  - \"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx user@host\"\n  - \"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... user@host\"\nopenclaw_repo_url: \"https://github.com/YOUR_USERNAME/openclaw.git\"\nopenclaw_repo_branch: \"feature-branch\"\ntailscale_authkey: \"tskey-auth-xxxxxxxxxxxxx\"\nEOF\n\n# Use it\nansible-playbook playbook.yml --ask-become-pass -e @vars.yml\n```\n\n### 3. Edit Defaults Directly\n\nEdit `roles/openclaw/defaults/main.yml` before running the playbook.\n\n### Available Variables\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `openclaw_user` | `openclaw` | System user name |\n| `openclaw_home` | `/home/openclaw` | User home directory |\n| `openclaw_install_mode` | `release` | `release` or `development` |\n| `openclaw_ssh_keys` | `[]` | List of SSH public keys |\n| `openclaw_repo_url` | `https://github.com/openclaw/openclaw.git` | Git repository (dev mode) |\n| `openclaw_repo_branch` | `main` | Git branch (dev mode) |\n| `tailscale_authkey` | `\"\"` | Tailscale auth key for auto-connect |\n| `nodejs_version` | `22.x` | Node.js version to install |\n\nSee [`roles/openclaw/defaults/main.yml`](roles/openclaw/defaults/main.yml) for the complete list.\n\n### Common Configuration Examples\n\n#### SSH Keys for Remote Access\n\n```bash\nansible-playbook playbook.yml --ask-become-pass \\\n  -e \"openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']\"\n```\n\n#### Development Mode with Custom Repository\n\n```bash\nansible-playbook playbook.yml --ask-become-pass \\\n  -e openclaw_install_mode=development \\\n  -e openclaw_repo_url=https://github.com/YOUR_USERNAME/openclaw.git \\\n  -e openclaw_repo_branch=feature-branch\n```\n\n#### Tailscale Auto-Connect\n\n```bash\nansible-playbook playbook.yml --ask-become-pass \\\n  -e tailscale_authkey=tskey-auth-xxxxxxxxxxxxx\n```\n\n## License\n\nMIT - see [LICENSE](LICENSE)\n\n## Support\n\n- OpenClaw: https://github.com/openclaw/openclaw\n- This installer: https://github.com/openclaw/openclaw-ansible/issues\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenclaw%2Fopenclaw-ansible","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopenclaw%2Fopenclaw-ansible","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopenclaw%2Fopenclaw-ansible/lists"}