diff --git a/.gitignore b/.gitignore index 8cb8bac..de86135 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,14 @@ *.log .ansible/ .vault_pass + +# Secrets and credentials +*.env +.env* +secrets.yml +vault.yml +*.pem +*.key +id_rsa* +host_vars/ +group_vars/ diff --git a/AGENTS.md b/AGENTS.md index 8ae7d25..d59ba2a 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -2,7 +2,7 @@ ## Project Overview -Ansible playbook for automated, hardened Clawdbot installation on Debian/Ubuntu systems. +Ansible playbook for automated, hardened OpenClaw installation on Debian/Ubuntu systems. ## Key Principles @@ -16,14 +16,14 @@ Ansible playbook for automated, hardened Clawdbot installation on Debian/Ubuntu ### Task Order Docker must be installed **before** firewall configuration. -Task order in `roles/clawdbot/tasks/main.yml`: +Task order in `roles/openclaw/tasks/main.yml`: ```yaml - tailscale.yml # VPN setup - user.yml # Create system user - docker.yml # Install Docker (creates /etc/docker) - firewall.yml # Configure UFW + daemon.json (needs /etc/docker to exist) - nodejs.yml # Node.js + pnpm -- clawdbot.yml # Container setup +- openclaw.yml # Container setup ``` Reason: `firewall.yml` writes `/etc/docker/daemon.json` and restarts Docker service. @@ -110,16 +110,16 @@ Keep docs concise. No progress logs, no refactoring summaries. ### Host System ``` -/opt/clawdbot/ # Installation files -/home/clawdbot/.clawdbot/ # Config and data -/etc/systemd/system/clawdbot.service +/opt/openclaw/ # Installation files +/home/openclaw/.openclaw/ # Config and data +/etc/systemd/system/openclaw.service /etc/docker/daemon.json /etc/ufw/after.rules ``` ### Repository ``` -roles/clawdbot/ +roles/openclaw/ ├── tasks/ # Ansible tasks (order matters!) ├── templates/ # Jinja2 configs ├── defaults/ # Variables 
@@ -141,7 +141,7 @@ SSH is exposed to the internet. Fail2ban automatically bans IPs after 5 failed a Security patches should be applied promptly. Automatic security-only updates reduce vulnerability windows. ### Why Scoped Sudo? -The clawdbot user only needs to manage its own service and Tailscale. Full root access would be dangerous if the app is compromised. +The openclaw user only needs to manage its own service and Tailscale. Full root access would be dangerous if the app is compromised. ### Why Localhost Binding? Defense in depth. If DOCKER-USER fails, localhost binding prevents external access. @@ -160,7 +160,7 @@ Clean lifecycle, auto-start, logging integration. ## Making Changes ### Adding a New Task -1. Add to appropriate file in `roles/clawdbot/tasks/` +1. Add to appropriate file in `roles/openclaw/tasks/` 2. Update main.yml if new task file 3. Test with `--check` first 4. Verify idempotency (can run multiple times safely) @@ -185,5 +185,5 @@ Clean lifecycle, auto-start, logging integration. ## Support Channels -- Clawdbot issues: https://github.com/clawdbot/clawdbot -- This installer: https://github.com/pasogott/clawdbot-ansible +- OpenClaw issues: https://github.com/openclaw/openclaw +- This installer: https://github.com/openclaw/openclaw-ansible diff --git a/CHANGELOG.md b/CHANGELOG.md index cf2ac9b..0f4b5de 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -11,15 +11,15 @@ - **Automatic OS detection** with proper fallback #### Installation Modes -- **Release Mode** (default): Install via `pnpm install -g clawdbot@latest` +- **Release Mode** (default): Install via `pnpm install -g openclaw@latest` - **Development Mode**: Clone repo, build from source, symlink binary -- Switch modes with `-e clawdbot_install_mode=development` -- Development aliases: `clawdbot-rebuild`, `clawdbot-dev`, `clawdbot-pull` +- Switch modes with `-e openclaw_install_mode=development` +- Development aliases: `openclaw-rebuild`, `openclaw-dev`, `openclaw-pull` #### System Improvements - **apt update & upgrade** runs automatically at start (Debian/Ubuntu) - **Homebrew integrated** in PATH for all users -- **pnpm package manager** used for Clawdbot installation +- **pnpm package manager** used for OpenClaw installation ### 🐛 Bug Fixes 
@@ -31,34 +31,34 @@ - **No more manual** `eval $(dbus-launch --sh-syntax)` needed! 2. **User Switching Command** ✅ - - Fixed: Changed from `sudo -i -u clawdbot` to `sudo su - clawdbot` + - Fixed: Changed from `sudo -i -u openclaw` to `sudo su - openclaw` - Ensures proper login shell with .bashrc loading - - Alternative documented: `sudo -u clawdbot -i` + - Alternative documented: `sudo -u openclaw -i` -3. **Clawdbot Installation** ✅ - - Changed: `pnpm add -g` → `pnpm install -g clawdbot@latest` +3. **OpenClaw Installation** ✅ + - Changed: `pnpm add -g` → `pnpm install -g openclaw@latest` - Added installation verification - Added version display 4. **Configuration Management** ✅ - Removed automatic config.yml creation - Removed automatic systemd service installation - - Let `clawdbot onboard --install-daemon` handle setup + - Let `openclaw onboard --install-daemon` handle setup - Only create directory structure ### 📦 New Files Created #### OS-Specific Task Files ``` -roles/clawdbot/tasks/ +roles/openclaw/tasks/ ├── system-tools-linux.yml # apt-based tool installation ├── system-tools-macos.yml # brew-based tool installation ├── docker-linux.yml # Docker CE installation ├── docker-macos.yml # Docker Desktop installation ├── firewall-linux.yml # UFW configuration ├── firewall-macos.yml # Application Firewall config -├── clawdbot-release.yml # Release mode installation -└── clawdbot-development.yml # Development mode installation +├── openclaw-release.yml # Release mode installation +└── openclaw-development.yml # Development mode installation ``` #### Documentation @@ -73,7 +73,7 @@ roles/clawdbot/tasks/ - Added OS detection (is_macos, is_debian, is_linux, is_redhat) - Added apt update/upgrade at start - Added Homebrew installation - - Enhanced welcome message with `clawdbot onboard --install-daemon` + - Enhanced welcome message with `openclaw onboard --install-daemon` - Removed automatic config.yml creation - **install.sh** 
@@ -89,40 +89,40 @@ roles/clawdbot/tasks/ - **README.md** - Updated for multi-OS support - Added OS-specific requirements - - Updated quick-start with `clawdbot onboard --install-daemon` + - Updated quick-start with `openclaw onboard --install-daemon` - Added Homebrew to feature list #### Role Files -- **roles/clawdbot/defaults/main.yml** +- **roles/openclaw/defaults/main.yml** - Added OS-specific variables (homebrew_prefix, package_manager) -- **roles/clawdbot/tasks/main.yml** +- **roles/openclaw/tasks/main.yml** - No changes (orchestrator) -- **roles/clawdbot/tasks/system-tools.yml** +- **roles/openclaw/tasks/system-tools.yml** - Refactored to delegate to OS-specific files - Added fail-safe for unsupported OS -- **roles/clawdbot/tasks/docker.yml** +- **roles/openclaw/tasks/docker.yml** - Refactored to delegate to OS-specific files -- **roles/clawdbot/tasks/firewall.yml** +- **roles/openclaw/tasks/firewall.yml** - Refactored to delegate to OS-specific files -- **roles/clawdbot/tasks/user.yml** +- **roles/openclaw/tasks/user.yml** - Added loginctl enable-linger - Added XDG_RUNTIME_DIR configuration - Added DBUS_SESSION_BUS_ADDRESS setup - Fixed systemd user service support -- **roles/clawdbot/tasks/clawdbot.yml** - - Changed to `pnpm install -g clawdbot@latest` +- **roles/openclaw/tasks/openclaw.yml** + - Changed to `pnpm install -g openclaw@latest` - Added installation verification - Removed config.yml template generation - Removed systemd service installation - Only creates directory structure -- **roles/clawdbot/templates/clawdbot-host.service.j2** +- **roles/openclaw/templates/openclaw-host.service.j2** - Added XDG_RUNTIME_DIR environment - Added DBUS_SESSION_BUS_ADDRESS - Added Homebrew to PATH 
@@ -134,9 +134,9 @@ roles/clawdbot/tasks/ ```bash # Installation curl -fsSL https://.../install.sh | bash -sudo -i -u clawdbot # ❌ Wrong command -nano ~/.clawdbot/config.yml # Manual config -clawdbot login # Manual setup +sudo -i -u openclaw # ❌ Wrong command +nano ~/.openclaw/config.yml # Manual config +openclaw login # Manual setup # Missing DBus setup # ❌ Errors ``` @@ -144,8 +144,8 @@ clawdbot login # Manual setup ```bash # Installation curl -fsSL https://.../install.sh | bash -sudo su - clawdbot # ✅ Correct command -clawdbot onboard --install-daemon # ✅ One command setup! +sudo su - openclaw # ✅ Correct command +openclaw onboard --install-daemon # ✅ One command setup! # DBus auto-configured # ✅ Works # Service auto-installed # ✅ Works ``` @@ -153,27 +153,27 @@ clawdbot onboard --install-daemon # ✅ One command setup! #### New Workflow - Development Mode ```bash # Installation with development mode -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible -./run-playbook.sh -e clawdbot_install_mode=development +git clone https://github.com/openclaw/openclaw-ansible.git +cd openclaw-ansible +./run-playbook.sh -e openclaw_install_mode=development -# Switch to clawdbot user -sudo su - clawdbot +# Switch to openclaw user +sudo su - openclaw # Make changes -clawdbot-dev # cd ~/code/clawdbot +openclaw-dev # cd ~/code/openclaw vim src/some-file.ts # Edit code -clawdbot-rebuild # pnpm build +openclaw-rebuild # pnpm build # Test immediately -clawdbot doctor # Uses new build +openclaw doctor # Uses new build ``` ### 🎯 User Experience Improvements #### Welcome Message -- Shows environment status (XDG_RUNTIME_DIR, DBUS, Homebrew, Clawdbot version) -- Recommends `clawdbot onboard --install-daemon` as primary command +- Shows environment status (XDG_RUNTIME_DIR, DBUS, Homebrew, OpenClaw version) +- Recommends `openclaw onboard --install-daemon` as primary command - Provides manual setup steps as alternative - Lists useful commands for troubleshooting 
@@ -186,12 +186,12 @@ clawdbot doctor # Uses new build #### Directory Structure Ansible creates only structure, no config files: ``` -~/.clawdbot/ +~/.openclaw/ ├── sessions/ # Created (empty) ├── credentials/ # Created (secure: 0700) ├── data/ # Created (empty) └── logs/ # Created (empty) -# clawdbot.json # NOT created - user's clawdbot creates it +# openclaw.json # NOT created - user's openclaw creates it # config.yml # NOT created - deprecated ``` @@ -200,11 +200,11 @@ Ansible creates only structure, no config files: #### Systemd Service Hardening - `ProtectSystem=strict` - System directories read-only - `ProtectHome=read-only` - Limited home access -- `ReadWritePaths=~/.clawdbot` - Only config writable +- `ReadWritePaths=~/.openclaw` - Only config writable - `NoNewPrivileges=true` - No privilege escalation #### User Isolation -- Dedicated clawdbot system user +- Dedicated openclaw system user - lingering enabled for systemd user services - Proper DBus session isolation - XDG_RUNTIME_DIR per-user @@ -219,23 +219,23 @@ Ansible creates only structure, no config files: | Firewall | UFW | Application FW | Working | | systemd | ✅ | ❌ | Linux only | | DBus Setup | ✅ | N/A | Linux only | -| pnpm + Clawdbot | ✅ | ✅ | Working | +| pnpm + OpenClaw | ✅ | ✅ | Working | ### ⚠️ Breaking Changes 1. **User Switch Command Changed** - - Old: `sudo -i -u clawdbot` - - New: `sudo su - clawdbot` + - Old: `sudo -i -u openclaw` + - New: `sudo su - openclaw` - Impact: Update documentation, scripts 2. **No Auto-Configuration** - Old: config.yml auto-created - - New: User runs `clawdbot onboard` + - New: User runs `openclaw onboard` - Impact: Users must run onboard command 3. **No Auto-Service Install** - Old: systemd service auto-installed - - New: `clawdbot onboard --install-daemon` + - New: `openclaw onboard --install-daemon` - Impact: Service not running after ansible ### 🔄 Migration Guide 
@@ -249,7 +249,7 @@ Just run the new installer - everything works out of the box! echo 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' >> ~/.bashrc # 2. Enable lingering -sudo loginctl enable-linger clawdbot +sudo loginctl enable-linger openclaw # 3. Add Homebrew (Linux) echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc @@ -257,8 +257,8 @@ echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc # 4. Reload source ~/.bashrc -# 5. Reinstall clawdbot -pnpm install -g clawdbot@latest +# 5. Reinstall openclaw +pnpm install -g openclaw@latest ``` ### 📚 Documentation Updates @@ -285,7 +285,7 @@ pnpm install -g clawdbot@latest ### 🙏 Credits -Based on user feedback and real-world usage patterns from the clawdbot community. +Based on user feedback and real-world usage patterns from the openclaw community. Special thanks to early testers who identified the DBus and user switching issues! diff --git a/LICENSE b/LICENSE index 45f95f3..e160905 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2025 Clawdbot Contributors +Copyright (c) 2025 OpenClaw Contributors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index d3603e0..8bf4903 100644 --- a/README.md +++ b/README.md 
@@ -1,24 +1,34 @@ -# Clawdbot Ansible Installer +# OpenClaw Ansible Installer [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) -[![Lint](https://github.com/pasogott/clawdbot-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/pasogott/clawdbot-ansible/actions/workflows/lint.yml) +[![Lint](https://github.com/openclaw/openclaw-ansible/actions/workflows/lint.yml/badge.svg)](https://github.com/openclaw/openclaw-ansible/actions/workflows/lint.yml) [![Ansible](https://img.shields.io/badge/Ansible-2.14+-blue.svg)](https://www.ansible.com/) -[![Multi-OS](https://img.shields.io/badge/OS-Debian%20%7C%20Ubuntu%20%7C%20macOS-orange.svg)](https://www.debian.org/) +[![Multi-OS](https://img.shields.io/badge/OS-Debian%20%7C%20Ubuntu-orange.svg)](https://www.debian.org/) -Automated, hardened installation of [Clawdbot](https://github.com/clawdbot/clawdbot) with Docker, Homebrew, and Tailscale VPN support for Linux and macOS. +Automated, hardened installation of [OpenClaw](https://github.com/openclaw/openclaw) with Docker and Tailscale VPN support for Debian/Ubuntu Linux. + +## ⚠️ macOS Support: Deprecated & Disabled + +**Effective 2026-02-06, support for bare-metal macOS installations has been removed from this playbook.** + +### Why? +The underlying project currently requires system-level permissions and configurations that introduce significant security risks when executed on a primary host OS. To protect user data and system integrity, we have disabled bare-metal execution. + +### What does this mean? +* The playbook will now explicitly fail if run on a `Darwin` (macOS) system. +* We strongly discourage manual workarounds to bypass this check. +* **Future Support:** We are evaluating a virtualization-first strategy (using Vagrant or Docker) to provide a sandboxed environment for this project in the future. 
## Features -- 🔒 **Firewall-first**: UFW (Linux) + Application Firewall (macOS) + Docker isolation +- 🔒 **Firewall-first**: UFW firewall + Docker isolation - 🛡️ **Fail2ban**: SSH brute-force protection out of the box - 🔄 **Auto-updates**: Automatic security patches via unattended-upgrades - 🔐 **Tailscale VPN**: Secure remote access without exposing services -- 🍺 **Homebrew**: Package manager for both Linux and macOS -- 🐳 **Docker**: Docker CE (Linux) / Docker Desktop (macOS) -- 🌐 **Multi-OS Support**: Debian, Ubuntu, and macOS +- 🐳 **Docker**: Docker CE with security hardening - 🚀 **One-command install**: Complete setup in minutes - 🔧 **Auto-configuration**: DBus, systemd, environment setup -- 📦 **pnpm installation**: Uses `pnpm install -g clawdbot@latest` +- 📦 **pnpm installation**: Uses `pnpm install -g openclaw@latest` ## Quick Start @@ -27,7 +37,7 @@ Automated, hardened installation of [Clawdbot](https://github.com/clawdbot/clawd Install the latest stable version from npm: ```bash -curl -fsSL https://raw.githubusercontent.com/pasogott/clawdbot-ansible/main/install.sh | bash +curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bash ``` ### Development Mode @@ -36,11 +46,11 @@ Install from source for development or testing: ```bash # Clone the installer -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/openclaw/openclaw-ansible.git +cd openclaw-ansible # Install in development mode -ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=development +ansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development ``` ## What Gets Installed 
@@ -49,21 +59,21 @@ ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=develop - UFW firewall (SSH + Tailscale ports only) - Docker CE + Compose V2 (for sandboxes) - Node.js 22.x + pnpm -- Clawdbot on host (not containerized) +- OpenClaw on host (not containerized) - Systemd service (auto-start) ## Post-Install -After installation completes, switch to the clawdbot user: +After installation completes, switch to the openclaw user: ```bash -sudo su - clawdbot +sudo su - openclaw ``` Then run the quick-start onboarding wizard: ```bash -clawdbot onboard --install-daemon +openclaw onboard --install-daemon ``` This will: 
@@ -75,42 +85,42 @@ This will: ```bash # Configure manually -clawdbot configure +openclaw configure # Login to provider -clawdbot providers login +openclaw providers login # Test gateway -clawdbot gateway +openclaw gateway # Install as daemon -clawdbot daemon install -clawdbot daemon start +openclaw daemon install +openclaw daemon start # Check status -clawdbot status -clawdbot logs +openclaw status +openclaw logs ``` ## Installation Modes ### Release Mode (Default) -- Installs via `pnpm install -g clawdbot@latest` +- Installs via `pnpm install -g openclaw@latest` - Gets latest stable version from npm registry -- Automatic updates via `pnpm install -g clawdbot@latest` +- Automatic updates via `pnpm install -g openclaw@latest` - **Recommended for production** ### Development Mode -- Clones from `https://github.com/clawdbot/clawdbot.git` +- Clones from `https://github.com/openclaw/openclaw.git` - Builds from source with `pnpm build` -- Symlinks binary to `~/.local/bin/clawdbot` +- Symlinks binary to `~/.local/bin/openclaw` - Adds helpful aliases: - - `clawdbot-rebuild` - Rebuild after code changes - - `clawdbot-dev` - Navigate to repo directory - - `clawdbot-pull` - Pull, install deps, and rebuild + - `openclaw-rebuild` - Rebuild after code changes + - `openclaw-dev` - Navigate to repo directory + - `openclaw-pull` - Pull, install deps, and rebuild - **Recommended for development and testing** -Enable with: `-e clawdbot_install_mode=development` +Enable with: `-e openclaw_install_mode=development` ## Security 
@@ -118,7 +128,7 @@ Enable with: `-e clawdbot_install_mode=development` - **Fail2ban**: SSH brute-force protection (5 attempts → 1 hour ban) - **Automatic updates**: Security patches via unattended-upgrades - **Docker isolation**: Containers can't expose ports externally (DOCKER-USER chain) -- **Non-root**: Clawdbot runs as unprivileged user +- **Non-root**: OpenClaw runs as unprivileged user - **Scoped sudo**: Limited to service management (not full root) - **Systemd hardening**: NoNewPrivileges, PrivateTmp, ProtectSystem @@ -129,8 +139,8 @@ Verify: `nmap -p- YOUR_SERVER_IP` should show only port 22 open. For high-security environments, audit before running: ```bash -git clone https://github.com/openclaw/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/openclaw/openclaw-ansible.git +cd openclaw-ansible # Review playbook.yml and roles/ ansible-playbook playbook.yml --check --diff # Dry run ansible-playbook playbook.yml --ask-become-pass @@ -147,36 +157,18 @@ ansible-playbook playbook.yml --ask-become-pass ## Requirements -### Linux (Debian/Ubuntu) - Debian 11+ or Ubuntu 20.04+ - Root/sudo access - Internet connection -### macOS -- macOS 11 (Big Sur) or later -- Homebrew will be installed automatically -- Admin/sudo access -- Internet connection - ## What Gets Installed -### Common (All OS) -- Homebrew package manager +- Tailscale (mesh VPN) +- UFW firewall (SSH + Tailscale ports only) +- Docker CE + Compose V2 (for sandboxes) - Node.js 22.x + pnpm -- Clawdbot via `pnpm install -g clawdbot@latest` -- Essential development tools -- Git, zsh, oh-my-zsh - -### Linux-Specific -- Docker CE + Compose V2 -- UFW firewall (configured) -- Tailscale VPN -- systemd service - -### macOS-Specific -- Docker Desktop (via Homebrew Cask) -- Application Firewall -- Tailscale app +- OpenClaw on host (not containerized) +- Systemd service (auto-start) ## Manual Installation 
@@ -187,8 +179,8 @@ ansible-playbook playbook.yml --ask-become-pass sudo apt update && sudo apt install -y ansible git # Clone repository -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/openclaw/openclaw-ansible.git +cd openclaw-ansible # Install Ansible collections ansible-galaxy collection install -r requirements.yml @@ -203,21 +195,21 @@ Build from source for development: ```bash # Same as above, but with development mode flag -./run-playbook.sh -e clawdbot_install_mode=development +./run-playbook.sh -e openclaw_install_mode=development # Or directly: -ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=development +ansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development ``` This will: -- Clone clawdbot repo to `~/code/clawdbot` +- Clone openclaw repo to `~/code/openclaw` - Run `pnpm install` and `pnpm build` -- Symlink binary to `~/.local/bin/clawdbot` +- Symlink binary to `~/.local/bin/openclaw` - Add development aliases to `.bashrc` ## Configuration Options -All configuration variables can be found in [`roles/clawdbot/defaults/main.yml`](roles/clawdbot/defaults/main.yml). +All configuration variables can be found in [`roles/openclaw/defaults/main.yml`](roles/openclaw/defaults/main.yml). You can override them in three ways: @@ -225,8 +217,8 @@ You can override them in three ways: ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e clawdbot_install_mode=development \ - -e "clawdbot_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" + -e openclaw_install_mode=development \ + -e "openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" ``` ### 2. Via Variables File 
@@ -234,12 +226,12 @@ ansible-playbook playbook.yml --ask-become-pass \ ```bash # Create vars.yml cat > vars.yml << EOF -clawdbot_install_mode: development -clawdbot_ssh_keys: +openclaw_install_mode: development +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx user@host" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... user@host" -clawdbot_repo_url: "https://github.com/YOUR_USERNAME/clawdbot.git" -clawdbot_repo_branch: "feature-branch" +openclaw_repo_url: "https://github.com/YOUR_USERNAME/openclaw.git" +openclaw_repo_branch: "feature-branch" tailscale_authkey: "tskey-auth-xxxxxxxxxxxxx" EOF 
@@ -249,22 +241,22 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars.yml ### 3. Edit Defaults Directly -Edit `roles/clawdbot/defaults/main.yml` before running the playbook. +Edit `roles/openclaw/defaults/main.yml` before running the playbook. ### Available Variables | Variable | Default | Description | |----------|---------|-------------| -| `clawdbot_user` | `clawdbot` | System user name | -| `clawdbot_home` | `/home/clawdbot` | User home directory | -| `clawdbot_install_mode` | `release` | `release` or `development` | -| `clawdbot_ssh_keys` | `[]` | List of SSH public keys | -| `clawdbot_repo_url` | `https://github.com/clawdbot/clawdbot.git` | Git repository (dev mode) | -| `clawdbot_repo_branch` | `main` | Git branch (dev mode) | +| `openclaw_user` | `openclaw` | System user name | +| `openclaw_home` | `/home/openclaw` | User home directory | +| `openclaw_install_mode` | `release` | `release` or `development` | +| `openclaw_ssh_keys` | `[]` | List of SSH public keys | +| `openclaw_repo_url` | `https://github.com/openclaw/openclaw.git` | Git repository (dev mode) | +| `openclaw_repo_branch` | `main` | Git branch (dev mode) | | `tailscale_authkey` | `""` | Tailscale auth key for auto-connect | | `nodejs_version` | `22.x` | Node.js version to install | -See [`roles/clawdbot/defaults/main.yml`](roles/clawdbot/defaults/main.yml) for the complete list. +See [`roles/openclaw/defaults/main.yml`](roles/openclaw/defaults/main.yml) for the complete list. ### Common Configuration Examples 
@@ -272,16 +264,16 @@ See [`roles/clawdbot/defaults/main.yml`](roles/clawdbot/defaults/main.yml) for t ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e "clawdbot_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" + -e "openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" ``` #### Development Mode with Custom Repository ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e clawdbot_install_mode=development \ - -e clawdbot_repo_url=https://github.com/YOUR_USERNAME/clawdbot.git \ - -e clawdbot_repo_branch=feature-branch + -e openclaw_install_mode=development \ + -e openclaw_repo_url=https://github.com/YOUR_USERNAME/openclaw.git \ + -e openclaw_repo_branch=feature-branch ``` #### Tailscale Auto-Connect @@ -297,5 +289,5 @@ MIT - see [LICENSE](LICENSE) ## Support -- Clawdbot: https://github.com/clawdbot/clawdbot -- This installer: https://github.com/pasogott/clawdbot-ansible/issues +- OpenClaw: https://github.com/openclaw/openclaw +- This installer: https://github.com/openclaw/openclaw-ansible/issues diff --git a/RELEASE_NOTES_v2.0.0.md b/RELEASE_NOTES_v2.0.0.md index 7125278..1466bab 100644 --- a/RELEASE_NOTES_v2.0.0.md +++ b/RELEASE_NOTES_v2.0.0.md @@ -13,10 +13,10 @@ This release adds **multi-OS support** (macOS + Linux), **development mode**, an - ✅ Automatic OS detection with proper fallback #### Installation Modes -- ✅ **Release Mode** (default): `pnpm install -g clawdbot@latest` +- ✅ **Release Mode** (default): `pnpm install -g openclaw@latest` - ✅ **Development Mode**: Clone repo, build from source, symlink binary -- ✅ Switch with `-e clawdbot_install_mode=development` -- ✅ Development aliases: `clawdbot-rebuild`, `clawdbot-dev`, `clawdbot-pull` +- ✅ Switch with `-e openclaw_install_mode=development` +- ✅ Development aliases: `openclaw-rebuild`, `openclaw-dev`, `openclaw-pull` ### 🐛 Critical Bug Fixes 
@@ -29,7 +29,7 @@ All issues from user feedback resolved: - No more manual `eval $(dbus-launch --sh-syntax)` needed! 2. ✅ **User Switch Command** - - Fixed from `sudo -i -u clawdbot` to `sudo su - clawdbot` + - Fixed from `sudo -i -u openclaw` to `sudo su - openclaw` - Ensures proper login shell with environment 3. ✅ **Homebrew Integration** @@ -48,8 +48,8 @@ All issues from user feedback resolved: ### 🔧 Improvements -- ✅ **Better onboarding**: Recommends `clawdbot onboard --install-daemon` -- ✅ **No auto-config**: Config files created by clawdbot itself +- ✅ **Better onboarding**: Recommends `openclaw onboard --install-daemon` +- ✅ **No auto-config**: Config files created by openclaw itself - ✅ **Enhanced security**: systemd service hardening - ✅ **Linting**: yamllint & ansible-lint production profile passed @@ -57,14 +57,14 @@ All issues from user feedback resolved: #### Quick Start (Release Mode) ```bash -curl -fsSL https://raw.githubusercontent.com/clawdbot/clawdbot-ansible/main/install.sh | bash +curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bash ``` #### Development Mode ```bash -git clone https://github.com/clawdbot/clawdbot-ansible.git -cd clawdbot-ansible -./run-playbook.sh -e clawdbot_install_mode=development +git clone https://github.com/openclaw/openclaw-ansible.git +cd openclaw-ansible +./run-playbook.sh -e openclaw_install_mode=development ``` ### 📚 Documentation @@ -76,8 +76,8 @@ cd clawdbot-ansible ### ⚠️ Breaking Changes -1. **User switch command changed**: Use `sudo su - clawdbot` instead of `sudo -i -u clawdbot` -2. **No auto-configuration**: Config files no longer auto-generated, use `clawdbot onboard` +1. **User switch command changed**: Use `sudo su - openclaw` instead of `sudo -i -u openclaw` +2. **No auto-configuration**: Config files no longer auto-generated, use `openclaw onboard` 3. **No auto-service**: systemd service not auto-installed, use `--install-daemon` flag ### 🔄 Migration 
@@ -89,7 +89,7 @@ echo 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' >> ~/.bashrc echo 'export PNPM_HOME="$HOME/.local/share/pnpm"' >> ~/.bashrc # Enable lingering -sudo loginctl enable-linger clawdbot +sudo loginctl enable-linger openclaw # Add Homebrew (Linux) echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc @@ -97,8 +97,8 @@ echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc # Reload source ~/.bashrc -# Reinstall clawdbot -pnpm install -g clawdbot@latest +# Reinstall openclaw +pnpm install -g openclaw@latest ``` ### 📊 Testing @@ -115,4 +115,4 @@ Special thanks to early adopters who provided feedback on the DBus and user swit --- -**Full Changelog**: https://github.com/clawdbot/clawdbot-ansible/blob/main/CHANGELOG.md +**Full Changelog**: https://github.com/openclaw/openclaw-ansible/blob/main/CHANGELOG.md diff --git a/UPGRADE_NOTES.md b/UPGRADE_NOTES.md index d3d35e6..85ac932 100644 --- a/UPGRADE_NOTES.md +++ b/UPGRADE_NOTES.md 
@@ -3,23 +3,23 @@ ## ✅ Completed Changes ### 1. Installation Modes (Release vs Development) -- **File**: `roles/clawdbot/defaults/main.yml` -- Added `clawdbot_install_mode` variable (release | development) -- Release mode: Install via `pnpm install -g clawdbot@latest` (default) +- **File**: `roles/openclaw/defaults/main.yml` +- Added `openclaw_install_mode` variable (release | development) +- Release mode: Install via `pnpm install -g openclaw@latest` (default) - Development mode: Clone repo, build, symlink binary - Development settings: repo URL, branch, code directory **Files Created**: -- `roles/clawdbot/tasks/clawdbot-release.yml` - npm installation -- `roles/clawdbot/tasks/clawdbot-development.yml` - git clone + build +- `roles/openclaw/tasks/openclaw-release.yml` - npm installation +- `roles/openclaw/tasks/openclaw-development.yml` - git clone + build - `docs/development-mode.md` - comprehensive guide **Development Mode Features**: -- Clones to `~/code/clawdbot` +- Clones to `~/code/openclaw` - Runs `pnpm install` and `pnpm build` -- Symlinks `bin/clawdbot.js` to `~/.local/bin/clawdbot` -- Adds aliases: `clawdbot-rebuild`, `clawdbot-dev`, `clawdbot-pull` -- Sets `CLAWDBOT_DEV_DIR` environment variable +- Symlinks `bin/openclaw.js` to `~/.local/bin/openclaw` +- Adds aliases: `openclaw-rebuild`, `openclaw-dev`, `openclaw-pull` +- Sets `OPENCLAW_DEV_DIR` environment variable **Usage**: ```bash 
@@ -27,13 +27,13 @@ ./run-playbook.sh # Development mode -./run-playbook.sh -e clawdbot_install_mode=development +./run-playbook.sh -e openclaw_install_mode=development # With custom repo ansible-playbook playbook.yml --ask-become-pass \ - -e clawdbot_install_mode=development \ - -e clawdbot_repo_url=https://github.com/YOUR_USERNAME/clawdbot.git \ - -e clawdbot_repo_branch=feature-branch + -e openclaw_install_mode=development \ + -e openclaw_repo_url=https://github.com/YOUR_USERNAME/openclaw.git \ + -e openclaw_repo_branch=feature-branch ``` ### 2. OS Detection & apt update/upgrade 
@@ -51,57 +51,57 @@ ansible-playbook playbook.yml --ask-become-pass \ ### 3. OS-Specific System Tools - **Files**: - - `roles/clawdbot/tasks/system-tools.yml` (orchestrator) - - `roles/clawdbot/tasks/system-tools-linux.yml` (apt-based) - - `roles/clawdbot/tasks/system-tools-macos.yml` (brew-based) + - `roles/openclaw/tasks/system-tools.yml` (orchestrator) + - `roles/openclaw/tasks/system-tools-linux.yml` (apt-based) + - `roles/openclaw/tasks/system-tools-macos.yml` (brew-based) - Tools installed via appropriate package manager per OS - Homebrew shellenv integrated into .zshrc ### 4. OS-Specific Docker Installation - **Files**: - - `roles/clawdbot/tasks/docker.yml` (orchestrator) - - `roles/clawdbot/tasks/docker-linux.yml` (Docker CE) - - `roles/clawdbot/tasks/docker-macos.yml` (Docker Desktop) + - `roles/openclaw/tasks/docker.yml` (orchestrator) + - `roles/openclaw/tasks/docker-linux.yml` (Docker CE) + - `roles/openclaw/tasks/docker-macos.yml` (Docker Desktop) - Linux: Docker CE via apt - macOS: Docker Desktop via Homebrew Cask ### 5. OS-Specific Firewall Configuration - **Files**: - - `roles/clawdbot/tasks/firewall.yml` (orchestrator) - - `roles/clawdbot/tasks/firewall-linux.yml` (UFW) - - `roles/clawdbot/tasks/firewall-macos.yml` (Application Firewall) + - `roles/openclaw/tasks/firewall.yml` (orchestrator) + - `roles/openclaw/tasks/firewall-linux.yml` (UFW) + - `roles/openclaw/tasks/firewall-macos.yml` (Application Firewall) - Linux: UFW with Docker isolation - macOS: Application Firewall configuration ### 6. DBus & systemd User Service Fixes -- **File**: `roles/clawdbot/tasks/user.yml` -- Fixed: `loginctl enable-linger` for clawdbot user +- **File**: `roles/openclaw/tasks/user.yml` +- Fixed: `loginctl enable-linger` for openclaw user - Fixed: XDG_RUNTIME_DIR set to `/run/user/$(id -u)` - Fixed: DBUS_SESSION_BUS_ADDRESS configuration in .bashrc - No more manual `eval $(dbus-launch --sh-syntax)` needed! ### 7. 
Systemd Service Template Enhancement -- **File**: `roles/clawdbot/templates/clawdbot-host.service.j2` +- **File**: `roles/openclaw/templates/openclaw-host.service.j2` - Added XDG_RUNTIME_DIR environment variable - Added DBUS_SESSION_BUS_ADDRESS - Added Homebrew to PATH - Enhanced security with ProtectSystem and ProtectHome -### 8. Clawdbot Installation via pnpm -- **File**: `roles/clawdbot/tasks/clawdbot.yml` -- Changed from `pnpm add -g` to `pnpm install -g clawdbot@latest` +### 8. OpenClaw Installation via pnpm +- **File**: `roles/openclaw/tasks/openclaw.yml` +- Changed from `pnpm add -g` to `pnpm install -g openclaw@latest` - Added verification step - Added version display ### 9. Correct User Switching Command - **File**: `run-playbook.sh` -- Changed from `sudo -i -u clawdbot` to `sudo su - clawdbot` -- Alternative: `sudo -u clawdbot -i` +- Changed from `sudo -i -u openclaw` to `sudo su - openclaw` +- Alternative: `sudo -u openclaw -i` - Ensures proper login shell with .bashrc loaded ### 10. Enhanced Welcome Message - **File**: `playbook.yml` (post_tasks) -- Recommends: `clawdbot onboard --install-daemon` as first command +- Recommends: `openclaw onboard --install-daemon` as first command - Shows environment status (XDG_RUNTIME_DIR, DBUS, Homebrew) - Provides both quick-start and manual setup paths - More helpful command examples 
@@ -117,16 +117,16 @@ ansible-playbook playbook.yml --ask-become-pass \ - Multi-OS badge (Debian | Ubuntu | macOS) - Updated features list - Added OS-specific requirements -- Added post-install instructions with `clawdbot onboard --install-daemon` +- Added post-install instructions with `openclaw onboard --install-daemon` ## 🎯 Key Improvements ### Fixed Issues from User History 1. ✅ **DBus errors**: Automatically configured, no manual setup needed -2. ✅ **User switching**: Correct command (`sudo su - clawdbot`) +2. ✅ **User switching**: Correct command (`sudo su - openclaw`) 3. ✅ **Environment**: XDG_RUNTIME_DIR and DBUS properly set 4. ✅ **Homebrew**: Integrated and in PATH -5. ✅ **pnpm**: Uses `pnpm install -g clawdbot@latest` +5. ✅ **pnpm**: Uses `pnpm install -g openclaw@latest` ### OS Detection Framework - Clean separation between Linux and macOS tasks @@ -135,7 +135,7 @@ ansible-playbook playbook.yml --ask-become-pass \ ### Better User Experience - Clear next steps after installation -- Recommends `clawdbot onboard --install-daemon` +- Recommends `openclaw onboard --install-daemon` - Helpful welcome message with environment status - Proper shell initialization @@ -149,7 +149,7 @@ If you have an existing installation, you may need to: echo 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' >> ~/.bashrc # 2. Enable lingering -sudo loginctl enable-linger clawdbot +sudo loginctl enable-linger openclaw # 3. Add Homebrew to PATH (if using Linux) echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc @@ -157,8 +157,8 @@ echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"' >> ~/.bashrc # 4. Reload shell source ~/.bashrc -# 5. Reinstall clawdbot -pnpm install -g clawdbot@latest +# 5. Reinstall openclaw +pnpm install -g openclaw@latest ``` ## 📝 TODO - Future macOS Enhancements 
@@ -186,10 +186,10 @@ ansible-playbook playbook.yml --ask-become-pass --tags=never -vv # Test full installation ./run-playbook.sh -# Verify clawdbot -sudo su - clawdbot -clawdbot --version -clawdbot onboard --install-daemon +# Verify openclaw +sudo su - openclaw +openclaw --version +openclaw onboard --install-daemon ``` ### macOS (Future) @@ -203,7 +203,7 @@ clawdbot onboard --install-daemon ### Enhanced systemd Security - `ProtectSystem=strict`: Read-only system directories - `ProtectHome=read-only`: Limited home access -- `ReadWritePaths`: Only ~/.clawdbot writable +- `ReadWritePaths`: Only ~/.openclaw writable - `NoNewPrivileges`: Prevents privilege escalation ### DBus Session Security @@ -218,17 +218,17 @@ clawdbot onboard --install-daemon - `install.sh` - Multi-OS detection - `run-playbook.sh` - Correct user switch command - `README.md` - Multi-OS documentation -- `roles/clawdbot/defaults/main.yml` - OS-specific variables -- `roles/clawdbot/tasks/*.yml` - OS-aware task orchestration -- `roles/clawdbot/templates/clawdbot-host.service.j2` - Enhanced service +- `roles/openclaw/defaults/main.yml` - OS-specific variables +- `roles/openclaw/tasks/*.yml` - OS-aware task orchestration +- `roles/openclaw/templates/openclaw-host.service.j2` - Enhanced service ### New Files Created -- `roles/clawdbot/tasks/system-tools-linux.yml` -- `roles/clawdbot/tasks/system-tools-macos.yml` -- `roles/clawdbot/tasks/docker-linux.yml` -- `roles/clawdbot/tasks/docker-macos.yml` -- `roles/clawdbot/tasks/firewall-linux.yml` -- `roles/clawdbot/tasks/firewall-macos.yml` +- `roles/openclaw/tasks/system-tools-linux.yml` +- `roles/openclaw/tasks/system-tools-macos.yml` +- `roles/openclaw/tasks/docker-linux.yml` +- `roles/openclaw/tasks/docker-macos.yml` +- `roles/openclaw/tasks/firewall-linux.yml` +- `roles/openclaw/tasks/firewall-macos.yml` - `UPGRADE_NOTES.md` (this file) --- diff --git a/docs/architecture.md b/docs/architecture.md index fe87e1f..1034660 100644 --- a/docs/architecture.md 
+++ b/docs/architecture.md @@ -24,8 +24,8 @@ description: Technical implementation details └──────────────┬──────────────────────────┘ │ ┌──────────────┴──────────────────────────┐ -│ Clawdbot Container │ -│ User: clawdbot │ +│ OpenClaw Container │ +│ User: openclaw │ │ Port: 127.0.0.1:3000 │ └──────────────────────────────────────────┘ ``` @@ -33,17 +33,17 @@ description: Technical implementation details ## File Structure ``` -/opt/clawdbot/ +/opt/openclaw/ ├── Dockerfile ├── docker-compose.yml -/home/clawdbot/.clawdbot/ +/home/openclaw/.openclaw/ ├── config.yml ├── sessions/ └── credentials/ /etc/systemd/system/ -└── clawdbot.service +└── openclaw.service /etc/docker/ └── daemon.json @@ -54,11 +54,11 @@ description: Technical implementation details ## Service Management -Clawdbot runs as a systemd service that manages the Docker container: +OpenClaw runs as a systemd service that manages the Docker container: ```bash # Systemd controls Docker Compose -systemd → docker compose → clawdbot container +systemd → docker compose → openclaw container ``` ## Installation Flow @@ -69,7 +69,7 @@ systemd → docker compose → clawdbot container - Display connection instructions 2. **User Creation** (`user.yml`) - - Create `clawdbot` system user + - Create `openclaw` system user 3. **Docker Installation** (`docker.yml`) - Install Docker CE + Compose V2 @@ -87,7 +87,7 @@ systemd → docker compose → clawdbot container - Install Node.js 22.x - Install pnpm globally -6. **Clawdbot Setup** (`clawdbot.yml`) +6. **OpenClaw Setup** (`openclaw.yml`) - Create directories - Generate configs from templates - Build Docker image 
@@ -120,11 +120,11 @@ Principle of least privilege. If container is compromised, attacker has limited ``` main.yml ├── tailscale.yml (VPN setup) -├── user.yml (create clawdbot user) +├── user.yml (create openclaw user) ├── docker.yml (install Docker, create /etc/docker) ├── firewall.yml (configure UFW + Docker daemon) ├── nodejs.yml (Node.js + pnpm) -└── clawdbot.yml (container setup) +└── openclaw.yml (container setup) ``` Order matters: Docker must be installed before firewall configuration because: diff --git a/docs/configuration.md b/docs/configuration.md index 0fb862a..2bcdd15 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -1,11 +1,11 @@ # Configuration Guide -This guide explains all available configuration options for the Clawdbot Ansible installer. +This guide explains all available configuration options for the OpenClaw Ansible installer. ## Configuration File All default variables are defined in: -**[`roles/clawdbot/defaults/main.yml`](../roles/clawdbot/defaults/main.yml)** +**[`roles/openclaw/defaults/main.yml`](../roles/openclaw/defaults/main.yml)** ## How to Configure @@ -15,8 +15,8 @@ Pass variables directly via `-e` flag: ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e clawdbot_install_mode=development \ - -e "clawdbot_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" + -e openclaw_install_mode=development \ + -e "openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" ``` ### Method 2: Variables File 
@@ -25,12 +25,12 @@ Create a `vars.yml` file: ```yaml # vars.yml -clawdbot_install_mode: development -clawdbot_ssh_keys: +openclaw_install_mode: development +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx user@host" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... admin@laptop" -clawdbot_repo_url: "https://github.com/YOUR_USERNAME/clawdbot.git" -clawdbot_repo_branch: "main" +openclaw_repo_url: "https://github.com/YOUR_USERNAME/openclaw.git" +openclaw_repo_branch: "main" tailscale_authkey: "tskey-auth-xxxxxxxxxxxxx" nodejs_version: "22.x" ``` @@ -43,7 +43,7 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars.yml ### Method 3: Edit Defaults -Directly edit `roles/clawdbot/defaults/main.yml` before running the playbook. +Directly edit `roles/openclaw/defaults/main.yml` before running the playbook. **Note**: This is not recommended for version control, use variables files instead. 
@@ -51,109 +51,109 @@ Directly edit `roles/clawdbot/defaults/main.yml` before running the playbook. ### User Configuration -#### `clawdbot_user` +#### `openclaw_user` - **Type**: String -- **Default**: `clawdbot` -- **Description**: System user name for running Clawdbot +- **Default**: `openclaw` +- **Description**: System user name for running OpenClaw - **Example**: ```bash - -e clawdbot_user=myuser + -e openclaw_user=myuser ``` -#### `clawdbot_home` +#### `openclaw_home` - **Type**: String -- **Default**: `/home/clawdbot` -- **Description**: Home directory for the clawdbot user +- **Default**: `/home/openclaw` +- **Description**: Home directory for the openclaw user - **Example**: ```bash - -e clawdbot_home=/home/myuser + -e openclaw_home=/home/myuser ``` -#### `clawdbot_ssh_keys` +#### `openclaw_ssh_keys` - **Type**: List of strings - **Default**: `[]` (empty) -- **Description**: SSH public keys for accessing the clawdbot user account +- **Description**: SSH public keys for accessing the openclaw user account - **Example**: ```yaml - clawdbot_ssh_keys: + openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx user@host" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... admin@laptop" ``` ```bash - -e "clawdbot_ssh_keys=['ssh-ed25519 AAAAC3... user@host']" + -e "openclaw_ssh_keys=['ssh-ed25519 AAAAC3... 
user@host']" ``` ### Installation Mode -#### `clawdbot_install_mode` +#### `openclaw_install_mode` - **Type**: String (`release` or `development`) - **Default**: `release` - **Description**: Installation mode - - `release`: Install via npm (`pnpm install -g clawdbot@latest`) + - `release`: Install via npm (`pnpm install -g openclaw@latest`) - `development`: Clone repo, build from source, symlink binary - **Example**: ```bash - -e clawdbot_install_mode=development + -e openclaw_install_mode=development ``` ### Development Mode Settings -These variables only apply when `clawdbot_install_mode: development` +These variables only apply when `openclaw_install_mode: development` -#### `clawdbot_repo_url` +#### `openclaw_repo_url` - **Type**: String (Git URL) -- **Default**: `https://github.com/clawdbot/clawdbot.git` +- **Default**: `https://github.com/openclaw/openclaw.git` - **Description**: Git repository URL to clone - **Example**: ```bash - -e clawdbot_repo_url=https://github.com/YOUR_USERNAME/clawdbot.git + -e openclaw_repo_url=https://github.com/YOUR_USERNAME/openclaw.git ``` -#### `clawdbot_repo_branch` +#### `openclaw_repo_branch` - **Type**: String - **Default**: `main` - **Description**: Git branch to checkout - **Example**: ```bash - -e clawdbot_repo_branch=feature-branch + -e openclaw_repo_branch=feature-branch ``` -#### `clawdbot_code_dir` +#### `openclaw_code_dir` - **Type**: String (Path) -- **Default**: `{{ clawdbot_home }}/code` +- **Default**: `{{ openclaw_home }}/code` - **Description**: Directory where code repositories are stored - **Example**: ```bash - -e clawdbot_code_dir=/home/clawdbot/projects + -e openclaw_code_dir=/home/openclaw/projects ``` -#### `clawdbot_repo_dir` +#### `openclaw_repo_dir` - **Type**: String (Path) -- **Default**: `{{ clawdbot_code_dir }}/clawdbot` -- **Description**: Full path to clawdbot repository +- **Default**: `{{ openclaw_code_dir }}/openclaw` +- **Description**: Full path to openclaw repository - **Example**: ```bash 
- -e clawdbot_repo_dir=/home/clawdbot/projects/clawdbot + -e openclaw_repo_dir=/home/openclaw/projects/openclaw ``` -### Clawdbot Settings +### OpenClaw Settings -#### `clawdbot_port` +#### `openclaw_port` - **Type**: Integer - **Default**: `3000` -- **Description**: Port for Clawdbot gateway (currently informational) +- **Description**: Port for OpenClaw gateway (currently informational) - **Example**: ```bash - -e clawdbot_port=8080 + -e openclaw_port=8080 ``` -#### `clawdbot_config_dir` +#### `openclaw_config_dir` - **Type**: String (Path) -- **Default**: `{{ clawdbot_home }}/.clawdbot` -- **Description**: Clawdbot configuration directory +- **Default**: `{{ openclaw_home }}/.openclaw` +- **Description**: OpenClaw configuration directory - **Example**: ```bash - -e clawdbot_config_dir=/etc/clawdbot + -e openclaw_config_dir=/etc/openclaw ``` ### Node.js Configuration @@ -201,7 +201,7 @@ These are automatically set based on the detected OS: ```yaml # vars.yml -clawdbot_ssh_keys: +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx user@desktop" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHyyyyyyyy user@laptop" ``` @@ -214,10 +214,10 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars.yml ```yaml # vars-dev.yml -clawdbot_install_mode: development -clawdbot_repo_url: "https://github.com/myorg/clawdbot.git" -clawdbot_repo_branch: "develop" -clawdbot_ssh_keys: +openclaw_install_mode: development +openclaw_repo_url: "https://github.com/myorg/openclaw.git" +openclaw_repo_branch: "develop" +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx dev@workstation" ``` @@ -229,9 +229,9 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars-dev.yml ```yaml # vars-prod.yml -clawdbot_install_mode: release +openclaw_install_mode: release tailscale_authkey: "tskey-auth-k1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6" -clawdbot_ssh_keys: +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx admin@mgmt-server" nodejs_version: "22.x" ``` 
@@ -244,10 +244,10 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars-prod.yml ```yaml # vars-custom.yml -clawdbot_user: mybot -clawdbot_home: /opt/mybot -clawdbot_config_dir: /etc/mybot -clawdbot_code_dir: /opt/mybot/repositories +openclaw_user: mybot +openclaw_home: /opt/mybot +openclaw_config_dir: /etc/mybot +openclaw_code_dir: /opt/mybot/repositories ``` ```bash @@ -258,9 +258,9 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars-custom.yml ```yaml # vars-testing.yml -clawdbot_install_mode: development -clawdbot_repo_branch: "experimental-feature" -clawdbot_ssh_keys: +openclaw_install_mode: development +openclaw_repo_branch: "experimental-feature" +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx tester@qa" ``` @@ -274,10 +274,10 @@ ansible-playbook playbook.yml --ask-become-pass -e @vars-testing.yml ```yaml # environments/dev.yml -clawdbot_install_mode: development -clawdbot_repo_url: "https://github.com/clawdbot/clawdbot.git" -clawdbot_repo_branch: "main" -clawdbot_ssh_keys: +openclaw_install_mode: development +openclaw_repo_url: "https://github.com/openclaw/openclaw.git" +openclaw_repo_branch: "main" +openclaw_ssh_keys: - "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}" ``` @@ -285,9 +285,9 @@ clawdbot_ssh_keys: ```yaml # environments/staging.yml -clawdbot_install_mode: release +openclaw_install_mode: release tailscale_authkey: "{{ lookup('env', 'TAILSCALE_AUTHKEY_STAGING') }}" -clawdbot_ssh_keys: +openclaw_ssh_keys: - "{{ lookup('file', '~/.ssh/id_ed25519.pub') }}" ``` @@ -295,9 +295,9 @@ clawdbot_ssh_keys: ```yaml # environments/prod.yml -clawdbot_install_mode: release +openclaw_install_mode: release tailscale_authkey: "{{ lookup('env', 'TAILSCALE_AUTHKEY_PROD') }}" -clawdbot_ssh_keys: +openclaw_ssh_keys: - "ssh-ed25519 AAAAC3... ops@prod-mgmt" - "ssh-ed25519 AAAAC3... admin@backup-server" nodejs_version: "22.x" 
@@ -307,9 +307,9 @@ nodejs_version: "22.x" ### SSH Keys -1. **Use dedicated keys**: Create separate SSH keys for Clawdbot access +1. **Use dedicated keys**: Create separate SSH keys for OpenClaw access ```bash - ssh-keygen -t ed25519 -f ~/.ssh/clawdbot_ed25519 -C "clawdbot-access" + ssh-keygen -t ed25519 -f ~/.ssh/openclaw_ed25519 -C "openclaw-access" ``` 2. **Limit key permissions**: Use SSH key options to restrict access @@ -320,7 +320,7 @@ nodejs_version: "22.x" 3. **Rotate keys regularly**: Update SSH keys periodically ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e "clawdbot_ssh_keys=['$(cat ~/.ssh/new_key.pub)']" + -e "openclaw_ssh_keys=['$(cat ~/.ssh/new_key.pub)']" ``` ### Tailscale Auth Keys @@ -381,8 +381,8 @@ ansible-playbook playbook.yml --ask-become-pass \ Check file ownership and permissions: ```bash -sudo ls -la /home/clawdbot/.ssh/ -sudo cat /home/clawdbot/.ssh/authorized_keys +sudo ls -la /home/openclaw/.ssh/ +sudo cat /home/openclaw/.ssh/authorized_keys ``` ### Tailscale Not Connecting @@ -405,4 +405,4 @@ ansible-playbook playbook.yml --ask-become-pass \ - [Main README](../README.md) - [Development Mode Guide](development-mode.md) - [Upgrade Notes](../UPGRADE_NOTES.md) -- [Defaults File](../roles/clawdbot/defaults/main.yml) +- [Defaults File](../roles/openclaw/defaults/main.yml) diff --git a/docs/development-mode.md b/docs/development-mode.md index c1c8ce0..8830172 100644 --- a/docs/development-mode.md +++ b/docs/development-mode.md @@ -1,6 +1,6 @@ # Development Mode Installation -This guide explains how to install Clawdbot in **development mode**, where the application is built from source instead of installed from npm. +This guide explains how to install OpenClaw in **development mode**, where the application is built from source instead of installed from npm. ## Overview 
@@ -9,10 +9,10 @@ This guide explains how to install Clawdbot in **development mode**, where the a | Feature | Release Mode | Development Mode | |---------|-------------|------------------| | Source | npm registry | GitHub repository | -| Installation | `pnpm install -g clawdbot@latest` | `git clone` + `pnpm build` | -| Location | `~/.local/share/pnpm/global/...` | `~/code/clawdbot/` | -| Binary | Global pnpm package | Symlink to `bin/clawdbot.js` | -| Updates | `pnpm install -g clawdbot@latest` | `git pull` + `pnpm build` | +| Installation | `pnpm install -g openclaw@latest` | `git clone` + `pnpm build` | +| Location | `~/.local/share/pnpm/global/...` | `~/code/openclaw/` | +| Binary | Global pnpm package | Symlink to `bin/openclaw.js` | +| Updates | `pnpm install -g openclaw@latest` | `git pull` + `pnpm build` | | Use Case | Production, stable deployments | Development, testing, debugging | | Recommended For | End users | Developers, contributors | @@ -22,11 +22,11 @@ This guide explains how to install Clawdbot in **development mode**, where the a ```bash # Clone the ansible installer -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/pasogott/openclaw-ansible.git +cd openclaw-ansible # Run in development mode -./run-playbook.sh -e clawdbot_install_mode=development +./run-playbook.sh -e openclaw_install_mode=development ``` ### Manual Install 
@@ -36,14 +36,14 @@ cd clawdbot-ansible sudo apt update && sudo apt install -y ansible git # Clone repository -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/pasogott/openclaw-ansible.git +cd openclaw-ansible # Install collections ansible-galaxy collection install -r requirements.yml # Run playbook with development mode -ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=development +ansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development ``` ## What Gets Installed @@ -51,20 +51,20 @@ ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=develop ### Directory Structure ``` -/home/clawdbot/ -├── .clawdbot/ # Configuration directory +/home/openclaw/ +├── .openclaw/ # Configuration directory │ ├── sessions/ │ ├── credentials/ │ ├── data/ │ └── logs/ ├── .local/ │ ├── bin/ -│ │ └── clawdbot # Symlink -> ~/code/clawdbot/bin/clawdbot.js +│ │ └── openclaw # Symlink -> ~/code/openclaw/bin/openclaw.js │ └── share/pnpm/ └── code/ - └── clawdbot/ # Git repository + └── openclaw/ # Git repository ├── bin/ - │ └── clawdbot.js + │ └── openclaw.js ├── dist/ # Built files ├── src/ # Source code ├── package.json @@ -83,12 +83,12 @@ The Ansible playbook performs these steps: 2. **Clone repository** ```bash cd ~/code - git clone https://github.com/clawdbot/clawdbot.git + git clone https://github.com/openclaw/openclaw.git ``` 3. **Install dependencies** ```bash - cd clawdbot + cd openclaw pnpm install ``` 
@@ -99,15 +99,15 @@ The Ansible playbook performs these steps: 5. **Create symlink** ```bash - ln -sf ~/code/clawdbot/bin/clawdbot.js ~/.local/bin/clawdbot - chmod +x ~/code/clawdbot/bin/clawdbot.js + ln -sf ~/code/openclaw/bin/openclaw.js ~/.local/bin/openclaw + chmod +x ~/code/openclaw/bin/openclaw.js ``` 6. **Add development aliases** to `.bashrc`: ```bash - alias clawdbot-rebuild='cd ~/code/clawdbot && pnpm build' - alias clawdbot-dev='cd ~/code/clawdbot' - alias clawdbot-pull='cd ~/code/clawdbot && git pull && pnpm install && pnpm build' + alias openclaw-rebuild='cd ~/code/openclaw && pnpm build' + alias openclaw-dev='cd ~/code/openclaw' + alias openclaw-pull='cd ~/code/openclaw && git pull && pnpm install && pnpm build' ``` ## Development Workflow @@ -116,29 +116,29 @@ The Ansible playbook performs these steps: ```bash # 1. Navigate to repository -clawdbot-dev -# or: cd ~/code/clawdbot +openclaw-dev +# or: cd ~/code/openclaw # 2. Make your changes vim src/some-file.ts # 3. Rebuild -clawdbot-rebuild +openclaw-rebuild # or: pnpm build # 4. Test immediately -clawdbot --version -clawdbot doctor +openclaw --version +openclaw doctor ``` ### Pulling Updates ```bash # Pull latest changes and rebuild -clawdbot-pull +openclaw-pull # Or manually: -cd ~/code/clawdbot +cd ~/code/openclaw git pull pnpm install pnpm build @@ -147,18 +147,18 @@ pnpm build ### Testing Changes ```bash -# After rebuilding, the clawdbot command uses the new code immediately -clawdbot status -clawdbot gateway +# After rebuilding, the openclaw command uses the new code immediately +openclaw status +openclaw gateway # View daemon logs -clawdbot logs +openclaw logs ``` ### Switching Branches ```bash -cd ~/code/clawdbot +cd ~/code/openclaw # Switch to feature branch git checkout feature-branch 
@@ -177,14 +177,14 @@ The following aliases are added to `.bashrc`: | Alias | Command | Purpose | |-------|---------|---------| -| `clawdbot-dev` | `cd ~/code/clawdbot` | Navigate to repo | -| `clawdbot-rebuild` | `cd ~/code/clawdbot && pnpm build` | Rebuild after changes | -| `clawdbot-pull` | `cd ~/code/clawdbot && git pull && pnpm install && pnpm build` | Update and rebuild | +| `openclaw-dev` | `cd ~/code/openclaw` | Navigate to repo | +| `openclaw-rebuild` | `cd ~/code/openclaw && pnpm build` | Rebuild after changes | +| `openclaw-pull` | `cd ~/code/openclaw && git pull && pnpm install && pnpm build` | Update and rebuild | Plus an environment variable: ```bash -export CLAWDBOT_DEV_DIR="$HOME/code/clawdbot" +export OPENCLAW_DEV_DIR="$HOME/code/openclaw" ``` ## Configuration Variables 
@@ -193,28 +193,28 @@ You can customize the development installation: ```yaml # In playbook or command line -clawdbot_install_mode: "development" -clawdbot_repo_url: "https://github.com/clawdbot/clawdbot.git" -clawdbot_repo_branch: "main" -clawdbot_code_dir: "/home/clawdbot/code" -clawdbot_repo_dir: "/home/clawdbot/code/clawdbot" +openclaw_install_mode: "development" +openclaw_repo_url: "https://github.com/openclaw/openclaw.git" +openclaw_repo_branch: "main" +openclaw_code_dir: "/home/openclaw/code" +openclaw_repo_dir: "/home/openclaw/code/openclaw" ``` ### Using a Fork ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e clawdbot_install_mode=development \ - -e clawdbot_repo_url=https://github.com/YOUR_USERNAME/clawdbot.git \ - -e clawdbot_repo_branch=your-feature-branch + -e openclaw_install_mode=development \ + -e openclaw_repo_url=https://github.com/YOUR_USERNAME/openclaw.git \ + -e openclaw_repo_branch=your-feature-branch ``` ### Custom Location ```bash ansible-playbook playbook.yml --ask-become-pass \ - -e clawdbot_install_mode=development \ - -e clawdbot_code_dir=/home/clawdbot/projects + -e openclaw_install_mode=development \ + -e openclaw_code_dir=/home/openclaw/projects ``` ## Switching Between Modes @@ -223,23 +223,23 @@ ansible-playbook playbook.yml --ask-become-pass \ ```bash # Uninstall global package -pnpm uninstall -g clawdbot +pnpm uninstall -g openclaw # Run ansible in development mode -ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=development +ansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development ``` ### From Development to Release ```bash # Remove symlink -rm ~/.local/bin/clawdbot +rm ~/.local/bin/openclaw # Remove repository (optional) -rm -rf ~/code/clawdbot +rm -rf ~/code/openclaw # Install from npm -pnpm install -g clawdbot@latest +pnpm install -g openclaw@latest ``` ## Troubleshooting 
@@ -247,7 +247,7 @@ pnpm install -g clawdbot@latest ### Build Fails ```bash -cd ~/code/clawdbot +cd ~/code/openclaw # Check Node.js version (needs 22.x) node --version @@ -262,12 +262,12 @@ pnpm build ```bash # Check symlink -ls -la ~/.local/bin/clawdbot +ls -la ~/.local/bin/openclaw # Recreate symlink -rm ~/.local/bin/clawdbot -ln -sf ~/code/clawdbot/bin/clawdbot.js ~/.local/bin/clawdbot -chmod +x ~/code/clawdbot/bin/clawdbot.js +rm ~/.local/bin/openclaw +ln -sf ~/code/openclaw/bin/openclaw.js ~/.local/bin/openclaw +chmod +x ~/code/openclaw/bin/openclaw.js ``` ### Command Not Found @@ -281,7 +281,7 @@ source ~/.bashrc ### Git Issues ```bash -cd ~/code/clawdbot +cd ~/code/openclaw # Reset to clean state git reset --hard origin/main @@ -324,23 +324,23 @@ No difference in runtime memory usage between modes. ```bash # Test specific commit -cd ~/code/clawdbot +cd ~/code/openclaw git fetch origin pull/123/head:pr-123 git checkout pr-123 pnpm install pnpm build # Test it -clawdbot doctor +openclaw doctor ``` ### Automated Testing ```bash #!/bin/bash -# test-clawdbot.sh +# test-openclaw.sh -cd ~/code/clawdbot +cd ~/code/openclaw git pull pnpm install pnpm build @@ -349,7 +349,7 @@ pnpm build pnpm test # Integration test -clawdbot doctor +openclaw doctor ``` ## Best Practices @@ -358,12 +358,12 @@ clawdbot doctor 1. ✅ **Always rebuild after code changes** ```bash - clawdbot-rebuild + openclaw-rebuild ``` 2. ✅ **Test changes before committing** ```bash - pnpm build && clawdbot doctor + pnpm build && openclaw doctor ``` 3. ✅ **Keep dependencies updated** 
@@ -392,19 +392,19 @@ You can have multiple clones: ```bash # Main development -~/code/clawdbot/ # main branch +~/code/openclaw/ # main branch # Experimental features -~/code/clawdbot-test/ # testing branch +~/code/openclaw-test/ # testing branch # Switch binary symlink -ln -sf ~/code/clawdbot-test/bin/clawdbot.js ~/.local/bin/clawdbot +ln -sf ~/code/openclaw-test/bin/openclaw.js ~/.local/bin/openclaw ``` ### Custom Build Options ```bash -cd ~/code/clawdbot +cd ~/code/openclaw # Development build (faster, includes source maps) NODE_ENV=development pnpm build @@ -417,10 +417,10 @@ NODE_ENV=production pnpm build ```bash # Run with debug output -DEBUG=* clawdbot gateway +DEBUG=* openclaw gateway # Or specific namespaces -DEBUG=clawdbot:* clawdbot gateway +DEBUG=openclaw:* openclaw gateway ``` ## See Also @@ -428,4 +428,4 @@ DEBUG=clawdbot:* clawdbot gateway - [Main README](../README.md) - [Security Architecture](security.md) - [Troubleshooting Guide](troubleshooting.md) -- [Clawdbot Repository](https://github.com/clawdbot/clawdbot) +- [OpenClaw Repository](https://github.com/openclaw/openclaw) diff --git a/docs/installation.md b/docs/installation.md index dd2909e..1de448b 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -8,7 +8,7 @@ description: Detailed installation and configuration instructions ## Quick Install ```bash -curl -fsSL https://raw.githubusercontent.com/pasogott/clawdbot-ansible/main/install.sh | bash +curl -fsSL https://raw.githubusercontent.com/pasogott/openclaw-ansible/main/install.sh | bash ``` ## Manual Installation @@ -23,8 +23,8 @@ sudo apt install -y ansible git ### Clone and Run ```bash -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/pasogott/openclaw-ansible.git +cd openclaw-ansible # Install Ansible collections ansible-galaxy collection install -r requirements.yml 
@@ -50,11 +50,11 @@ sudo tailscale status Get auth keys from: https://login.tailscale.com/admin/settings/keys -### 2. Configure Clawdbot +### 2. Configure OpenClaw ```bash # Edit config -sudo nano /home/clawdbot/.clawdbot/config.yml +sudo nano /home/openclaw/.openclaw/config.yml # Key settings to configure: # - provider: whatsapp/telegram/signal @@ -67,10 +67,10 @@ sudo nano /home/clawdbot/.clawdbot/config.yml ```bash # Login (will prompt for QR code or phone verification) -sudo docker exec -it clawdbot clawdbot login +sudo docker exec -it openclaw openclaw login # Check connection -sudo docker logs -f clawdbot +sudo docker logs -f openclaw ``` ## Service Management @@ -79,33 +79,33 @@ sudo docker logs -f clawdbot ```bash # Start/stop/restart -sudo systemctl start clawdbot -sudo systemctl stop clawdbot -sudo systemctl restart clawdbot +sudo systemctl start openclaw +sudo systemctl stop openclaw +sudo systemctl restart openclaw # View status -sudo systemctl status clawdbot +sudo systemctl status openclaw # Enable/disable auto-start -sudo systemctl enable clawdbot -sudo systemctl disable clawdbot +sudo systemctl enable openclaw +sudo systemctl disable openclaw ``` ### Docker Commands ```bash # View logs -sudo docker logs clawdbot -sudo docker logs -f clawdbot # follow +sudo docker logs openclaw +sudo docker logs -f openclaw # follow # Shell access -sudo docker exec -it clawdbot bash +sudo docker exec -it openclaw bash # Restart container -sudo docker restart clawdbot +sudo docker restart openclaw # Check status -sudo docker compose -f /opt/clawdbot/docker-compose.yml ps +sudo docker compose -f /opt/openclaw/docker-compose.yml ps ``` ### Firewall Management @@ -122,9 +122,9 @@ sudo ufw reload sudo iptables -L DOCKER-USER -n -v ``` -## Accessing Clawdbot +## Accessing OpenClaw -Clawdbot's web interface runs on port 3000 (localhost only). +OpenClaw's web interface runs on port 3000 (localhost only). ### Via Tailscale (Recommended) 
@@ -186,22 +186,22 @@ sudo tailscale status ```bash # Stop services -sudo systemctl stop clawdbot -sudo systemctl disable clawdbot +sudo systemctl stop openclaw +sudo systemctl disable openclaw sudo tailscale down # Remove containers and data -sudo docker compose -f /opt/clawdbot/docker-compose.yml down -sudo rm -rf /opt/clawdbot -sudo rm -rf /home/clawdbot/.clawdbot -sudo rm /etc/systemd/system/clawdbot.service +sudo docker compose -f /opt/openclaw/docker-compose.yml down +sudo rm -rf /opt/openclaw +sudo rm -rf /home/openclaw/.openclaw +sudo rm /etc/systemd/system/openclaw.service sudo systemctl daemon-reload # Remove packages (optional) sudo apt remove --purge tailscale docker-ce docker-ce-cli containerd.io docker-compose-plugin nodejs # Remove user (optional) -sudo userdel -r clawdbot +sudo userdel -r openclaw # Reset firewall (optional) sudo ufw disable @@ -212,7 +212,7 @@ sudo ufw --force reset ### Custom Port -Edit `/opt/clawdbot/docker-compose.yml`: +Edit `/opt/openclaw/docker-compose.yml`: ```yaml ports: @@ -221,18 +221,18 @@ ports: Then restart: ```bash -sudo systemctl restart clawdbot +sudo systemctl restart openclaw ``` ### Environment Variables -Add to `/opt/clawdbot/docker-compose.yml`: +Add to `/opt/openclaw/docker-compose.yml`: ```yaml environment: - NODE_ENV=production - ANTHROPIC_API_KEY=sk-ant-xxx - - DEBUG=clawdbot:* + - DEBUG=openclaw:* ``` ### Volume Mounts @@ -241,7 +241,7 @@ Add additional volumes in docker-compose.yml: ```yaml volumes: - - /home/clawdbot/.clawdbot:/home/clawdbot/.clawdbot + - /home/openclaw/.openclaw:/home/openclaw/.openclaw - /path/to/custom:/custom ``` @@ -260,7 +260,7 @@ ansible-playbook playbook.yml \ ```yaml # Example GitHub Actions -- name: Deploy Clawdbot +- name: Deploy OpenClaw run: | ansible-playbook playbook.yml \ -e "tailscale_authkey=${{ secrets.TAILSCALE_KEY }}" \ diff --git a/docs/security.md b/docs/security.md index 7dce18d..1840b0f 100644 --- a/docs/security.md +++ b/docs/security.md 
@@ -7,7 +7,7 @@ description: Firewall configuration, Docker isolation, and security hardening de ## Overview -This playbook implements a multi-layer defense strategy to secure Clawdbot installations. +This playbook implements a multi-layer defense strategy to secure OpenClaw installations. ## Security Layers @@ -67,28 +67,28 @@ ports: ### Layer 5: Non-Root Container -Container processes run as unprivileged `clawdbot` user. +Container processes run as unprivileged `openclaw` user. ### Layer 6: Systemd Hardening -The clawdbot service runs with security restrictions: +The openclaw service runs with security restrictions: - `NoNewPrivileges=true` - Prevents privilege escalation - `PrivateTmp=true` - Isolated /tmp directory - `ProtectSystem=strict` - Read-only system directories - `ProtectHome=read-only` - Limited home directory access -- `ReadWritePaths` - Only ~/.clawdbot is writable +- `ReadWritePaths` - Only ~/.openclaw is writable ### Layer 7: Scoped Sudo Access -The clawdbot user has limited sudo permissions (not full root): +The openclaw user has limited sudo permissions (not full root): ```bash # Allowed commands only: -- systemctl start/stop/restart/status clawdbot +- systemctl start/stop/restart/status openclaw - systemctl daemon-reload - tailscale commands -- journalctl for clawdbot logs +- journalctl for openclaw logs ``` ### Layer 8: Automatic Security Updates @@ -138,7 +138,7 @@ sudo systemctl status unattended-upgrades ## Tailscale Access -Clawdbot's web interface (port 3000) is bound to localhost. Access it via: +OpenClaw's web interface (port 3000) is bound to localhost. Access it via: 1. **SSH tunnel**: ```bash 
@@ -192,5 +192,5 @@ After installation, verify: ## Reporting Security Issues If you discover a security vulnerability, please report it privately: -- Clawdbot: https://github.com/clawdbot/clawdbot/security -- This installer: https://github.com/openclaw/clawdbot-ansible/security +- OpenClaw: https://github.com/openclaw/openclaw/security +- This installer: https://github.com/openclaw/openclaw-ansible/security diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index 824ab56..f4ee2a2 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -7,12 +7,12 @@ description: Common issues and solutions ## Container Can't Reach Internet -**Symptom**: Clawdbot can't connect to WhatsApp/Telegram +**Symptom**: OpenClaw can't connect to WhatsApp/Telegram **Check**: ```bash # Test from container -sudo docker exec clawdbot ping -c 3 8.8.8.8 +sudo docker exec openclaw ping -c 3 8.8.8.8 # Check UFW allows outbound sudo ufw status verbose | grep OUT @@ -26,7 +26,7 @@ sudo iptables -L DOCKER-USER -n -v # Restart Docker + Firewall sudo systemctl restart docker sudo ufw reload -sudo systemctl restart clawdbot +sudo systemctl restart openclaw ``` ## Port Already in Use @@ -38,11 +38,11 @@ sudo systemctl restart clawdbot # Find what's using port 3000 sudo ss -tlnp | grep 3000 -# Change Clawdbot port -sudo nano /opt/clawdbot/docker-compose.yml +# Change OpenClaw port +sudo nano /opt/openclaw/docker-compose.yml # Change: "127.0.0.1:3001:3000" -sudo systemctl restart clawdbot +sudo systemctl restart openclaw ``` ## Firewall Lockout 
@@ -69,24 +69,24 @@ sudo ufw enable **Check logs**: ```bash # Systemd logs -sudo journalctl -u clawdbot -n 50 +sudo journalctl -u openclaw -n 50 # Docker logs -sudo docker logs clawdbot +sudo docker logs openclaw # Compose status -sudo docker compose -f /opt/clawdbot/docker-compose.yml ps +sudo docker compose -f /opt/openclaw/docker-compose.yml ps ``` **Common fixes**: ```bash # Rebuild image -cd /opt/clawdbot +cd /opt/openclaw sudo docker compose build --no-cache -sudo systemctl restart clawdbot +sudo systemctl restart openclaw # Check permissions -sudo chown -R clawdbot:clawdbot /home/clawdbot/.clawdbot +sudo chown -R openclaw:openclaw /home/openclaw/.openclaw ``` ## Verify Docker Isolation diff --git a/install.sh b/install.sh index 96020d9..fa4d3ed 100755 --- a/install.sh +++ b/install.sh @@ -1,8 +1,8 @@ #!/bin/bash set -e -# Clawdbot Ansible Installer -# This script installs Ansible if needed and runs the Clawdbot playbook +# OpenClaw Ansible Installer +# This script installs Ansible if needed and runs the OpenClaw playbook # Enable 256 colors export TERM=xterm-256color @@ -12,7 +12,7 @@ if [ -z "$COLORTERM" ]; then export COLORTERM=truecolor fi -REPO_URL="https://raw.githubusercontent.com/pasogott/clawdbot-ansible/main" +REPO_URL="https://raw.githubusercontent.com/openclaw/openclaw-ansible/main" PLAYBOOK_URL="${REPO_URL}/playbook.yml" TEMP_DIR=$(mktemp -d) 
@@ -26,20 +26,16 @@ CYAN='\033[0;36m' NC='\033[0m' # No Color echo -e "${GREEN}╔════════════════════════════════════════╗${NC}" -echo -e "${GREEN}║ Clawdbot Ansible Installer ║${NC}" +echo -e "${GREEN}║ OpenClaw Ansible Installer ║${NC}" echo -e "${GREEN}╚════════════════════════════════════════╝${NC}" echo "" # Detect operating system -if [[ "$OSTYPE" == "darwin"* ]]; then - OS_TYPE="macos" - echo -e "${GREEN}Detected: macOS${NC}" -elif command -v apt-get &> /dev/null; then - OS_TYPE="linux" - echo -e "${GREEN}Detected: Debian/Ubuntu Linux${NC}" +if command -v apt-get &> /dev/null; then + echo -e "${GREEN}✓ Detected: Debian/Ubuntu Linux${NC}" else - echo -e "${RED}Error: Unsupported operating system.${NC}" - echo -e "${RED}This installer supports: Debian/Ubuntu and macOS${NC}" + echo -e "${RED}✗ Error: Unsupported operating system${NC}" + echo -e "${RED} This installer supports: Debian/Ubuntu Linux only${NC}" exit 1 fi @@ -76,8 +72,8 @@ cd "$TEMP_DIR" # For simplicity, we'll clone the entire repo echo "Cloning repository..." -git clone https://github.com/pasogott/clawdbot-ansible.git -cd clawdbot-ansible +git clone https://github.com/openclaw/openclaw-ansible.git +cd openclaw-ansible echo -e "${GREEN}✓ Playbook downloaded${NC}" @@ -97,4 +93,4 @@ echo "" cd / rm -rf "$TEMP_DIR" -# run-playbook.sh will display instructions to switch to clawdbot user +# run-playbook.sh will display instructions to switch to openclaw user diff --git a/playbook.yml b/playbook.yml index 53459c5..17d9863 100644 --- a/playbook.yml +++ b/playbook.yml @@ -1,5 +1,5 @@ --- -- name: Install Clawdbot with Docker and UFW firewall +- name: Install OpenClaw with Docker and UFW firewall hosts: localhost connection: local become: true 
@@ -18,26 +18,30 @@ - name: Detect operating system ansible.builtin.set_fact: - is_macos: "{{ ansible_os_family == 'Darwin' }}" is_linux: "{{ ansible_os_family == 'Debian' }}" is_debian: "{{ ansible_distribution in ['Debian', 'Ubuntu'] }}" - is_redhat: "{{ ansible_os_family == 'RedHat' }}" + + - name: Fail on unsupported macOS + ansible.builtin.fail: + msg: >- + macOS bare-metal support has been deprecated and disabled. + Please use a Linux VM or container instead. + See README.md for details. + when: ansible_os_family == 'Darwin' - name: Display detected OS ansible.builtin.debug: msg: | Detected OS: {{ ansible_distribution }} {{ ansible_distribution_version }} OS Family: {{ ansible_os_family }} - macOS: {{ is_macos }} Linux (Debian/Ubuntu): {{ is_debian }} - Linux (RedHat/CentOS): {{ is_redhat }} - name: Update apt cache and upgrade all packages (Debian/Ubuntu) ansible.builtin.apt: update_cache: true upgrade: dist cache_valid_time: 3600 - when: is_debian + when: is_debian and not ci_test register: apt_upgrade_result - name: Display apt upgrade results 
@@ -70,42 +74,13 @@ run_once: true changed_when: false - - name: Check if Homebrew is installed - ansible.builtin.stat: - path: "{{ '/opt/homebrew/bin/brew' if is_macos else '/home/linuxbrew/.linuxbrew/bin/brew' }}" - register: homebrew_check - - - name: Install Homebrew (macOS and Linux) - ansible.builtin.shell: | - NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" - args: - creates: "{{ '/opt/homebrew/bin/brew' if is_macos else '/home/linuxbrew/.linuxbrew/bin/brew' }}" - when: not homebrew_check.stat.exists - register: homebrew_install - become: false - - - name: Add Homebrew to PATH for current session (Linux) - ansible.builtin.set_fact: - ansible_env: "{{ ansible_env | combine({'PATH': '/home/linuxbrew/.linuxbrew/bin:' + ansible_env.PATH}) }}" - when: is_linux and not is_macos - - - name: Add Homebrew to PATH for current session (macOS) - ansible.builtin.set_fact: - ansible_env: "{{ ansible_env | combine({'PATH': '/opt/homebrew/bin:' + ansible_env.PATH}) }}" - when: is_macos - - - name: Display Homebrew installation status - ansible.builtin.debug: - msg: "✅ Homebrew installed successfully" - when: homebrew_install is defined and homebrew_install.changed - roles: - - clawdbot + - openclaw post_tasks: - name: Copy ASCII art script - ansible.builtin.copy: - src: roles/clawdbot/files/show-lobster.sh + ansible.builtin.template: + src: roles/openclaw/templates/show-lobster.sh.j2 dest: /tmp/show-lobster.sh mode: '0755' 
@@ -113,16 +88,16 @@ ansible.builtin.command: /tmp/show-lobster.sh changed_when: false - - name: Create one-time welcome message for clawdbot user + - name: Create one-time welcome message for openclaw user ansible.builtin.copy: - dest: /home/clawdbot/.clawdbot-welcome - owner: clawdbot - group: clawdbot + dest: /home/openclaw/.openclaw-welcome + owner: openclaw + group: openclaw mode: '0644' content: | echo "" echo "╔════════════════════════════════════════════════════════╗" - echo "║ 📋 Clawdbot Setup - Next Steps ║" + echo "║ 📋 OpenClaw Setup - Next Steps ║" echo "╚════════════════════════════════════════════════════════╝" echo "" echo "You are: $(whoami)@$(hostname)" @@ -132,14 +107,13 @@ echo "Environment is configured:" echo " ✓ XDG_RUNTIME_DIR: ${XDG_RUNTIME_DIR:-not set}" echo " ✓ DBUS_SESSION_BUS_ADDRESS: ${DBUS_SESSION_BUS_ADDRESS:-not set}" - echo " ✓ Homebrew: $(which brew 2>/dev/null || echo 'not found')" - echo " ✓ Clawdbot: $(clawdbot --version 2>/dev/null || echo 'not found')" + echo " ✓ OpenClaw: $(openclaw --version 2>/dev/null || echo 'not found')" echo "" echo "────────────────────────────────────────────────────────" echo "🚀 Quick Start - Run This Command:" echo "────────────────────────────────────────────────────────" echo "" - echo " clawdbot onboard --install-daemon" + echo " openclaw onboard --install-daemon" echo "" echo "This will:" echo " • Guide you through the setup wizard" 
@@ -151,53 +125,54 @@ echo "────────────────────────────────────────────────────────" echo "" echo "1️⃣ Interactive onboarding (recommended):" - echo " clawdbot onboard --install-daemon" + echo " openclaw onboard --install-daemon" echo "" echo "2️⃣ Manual configuration:" - echo " clawdbot configure" - echo " nano ~/.clawdbot/clawdbot.json" + echo " openclaw configure" + echo " nano ~/.openclaw/openclaw.json" echo "" echo "3️⃣ Login to messaging provider:" - echo " clawdbot providers login" + echo " openclaw providers login" echo "" echo "4️⃣ Test the gateway:" - echo " clawdbot gateway" + echo " openclaw gateway" echo "" echo "5️⃣ Install as daemon (if not using onboard):" - echo " clawdbot daemon install" - echo " clawdbot daemon start" + echo " openclaw daemon install" + echo " openclaw daemon start" echo "" echo "────────────────────────────────────────────────────────" echo "🔧 Useful Commands:" echo "────────────────────────────────────────────────────────" echo "" - echo " • View logs: clawdbot logs" - echo " • Check status: clawdbot status" - echo " • Stop daemon: clawdbot daemon stop" - echo " • Restart daemon: clawdbot daemon restart" - echo " • Troubleshoot: clawdbot doctor" - echo " • List agents: clawdbot agents list" + echo " • View logs: openclaw logs" + echo " • Check status: openclaw status" + echo " • Stop daemon: openclaw daemon stop" + echo " • Restart daemon: openclaw daemon restart" + echo " • Troubleshoot: openclaw doctor" + echo " • List agents: openclaw agents list" echo "" - echo "────────────────────────────────────────────────────────" + {% if tailscale_enabled | default(false) %}echo "────────────────────────────────────────────────────────" echo "🌐 Connect Tailscale VPN (optional):" echo "────────────────────────────────────────────────────────" echo "" echo " exit" echo " sudo tailscale up" echo "" - echo "────────────────────────────────────────────────────────" + {% endif %}echo 
"────────────────────────────────────────────────────────" echo "" echo "Type 'exit' to return to your previous user" echo "" - rm -f ~/.clawdbot-welcome + # Remove welcome message (suppress errors if already deleted) + rm -f "$HOME/.openclaw-welcome" 2>/dev/null || true - name: Add welcome message to .bashrc ansible.builtin.lineinfile: - path: /home/clawdbot/.bashrc - line: '[ -f ~/.clawdbot-welcome ] && source ~/.clawdbot-welcome' + path: /home/openclaw/.bashrc + line: '[ -f ~/.openclaw-welcome ] && source ~/.openclaw-welcome' state: present insertafter: EOF - name: Notify that playbook is complete ansible.builtin.debug: - msg: "✅ Clawdbot installation complete!" + msg: "✅ OpenClaw installation complete!" diff --git a/requirements.yml b/requirements.yml index 90621cf..833acf2 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,3 +4,5 @@ collections: version: ">=3.4.0" - name: community.general version: ">=8.0.0" + - name: ansible.posix + version: ">=1.5.0" diff --git a/roles/clawdbot/defaults/main.yml b/roles/clawdbot/defaults/main.yml deleted file mode 100644 index a5aa8ed..0000000 --- a/roles/clawdbot/defaults/main.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -# Clawdbot default variables - -# Tailscale settings -tailscale_authkey: "" # Optional: set to auto-connect during installation - -# Node.js version -nodejs_version: "22.x" - -# Clawdbot settings -clawdbot_port: 3000 - -# Clawdbot config directory -clawdbot_config_dir: "{{ clawdbot_home }}/.clawdbot" - -# User settings (will be created as system user) -clawdbot_user: clawdbot -clawdbot_home: /home/clawdbot - -# OS-specific settings (set dynamically in tasks) -homebrew_prefix: "{{ '/opt/homebrew' if ansible_os_family == 'Darwin' else '/home/linuxbrew/.linuxbrew' }}" -package_manager: "{{ 'brew' if ansible_os_family == 'Darwin' else 'apt' }}" - -# Installation mode: 'release' or 'development' -# release: Install via pnpm install -g clawdbot@latest -# development: Clone repo, build from source, link globally -clawdbot_install_mode: "release" - -# Development mode settings (only used when clawdbot_install_mode: development) -clawdbot_repo_url: "https://github.com/clawdbot/clawdbot.git" -clawdbot_repo_branch: "main" -clawdbot_code_dir: "{{ clawdbot_home }}/code" -clawdbot_repo_dir: "{{ clawdbot_code_dir }}/clawdbot" - -# SSH keys for clawdbot user -# Add your public SSH keys here to allow SSH access as clawdbot user -# Example: -# clawdbot_ssh_keys: -# - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@host" -# - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxxxxxxxxxxxxxxxxxxxxxxx user@host" -clawdbot_ssh_keys: [] diff --git a/roles/clawdbot/tasks/clawdbot-development.yml b/roles/clawdbot/tasks/clawdbot-development.yml deleted file mode 100644 index 7e52b40..0000000 --- a/roles/clawdbot/tasks/clawdbot-development.yml +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -# Development mode installation - Clone repo, build from source, link globally - -- name: Create code directory - ansible.builtin.file: - path: "{{ clawdbot_code_dir }}" - state: directory - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: '0755' - -- name: Check if clawdbot repository already exists - ansible.builtin.stat: - path: "{{ clawdbot_repo_dir }}/.git" - register: clawdbot_repo_exists - -- name: Clone clawdbot repository - ansible.builtin.git: - repo: "{{ clawdbot_repo_url }}" - dest: "{{ clawdbot_repo_dir }}" - version: "{{ clawdbot_repo_branch }}" - update: true - become: true - become_user: "{{ clawdbot_user }}" - when: not clawdbot_repo_exists.stat.exists - -- name: Pull latest changes if repo exists - ansible.builtin.git: - repo: "{{ clawdbot_repo_url }}" - dest: "{{ clawdbot_repo_dir }}" - version: "{{ clawdbot_repo_branch }}" - update: true - become: true - become_user: "{{ clawdbot_user }}" - when: clawdbot_repo_exists.stat.exists - register: git_pull_result - -- name: Display git pull status - ansible.builtin.debug: - msg: "Git repository updated: {{ git_pull_result.changed | default(false) }}" - when: clawdbot_repo_exists.stat.exists - -- name: Install dependencies with pnpm - ansible.builtin.shell: - cmd: pnpm install - chdir: "{{ clawdbot_repo_dir }}" - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - environment: - PNPM_HOME: "{{ clawdbot_home }}/.local/share/pnpm" - PATH: "{{ clawdbot_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin" - HOME: "{{ clawdbot_home }}" - register: pnpm_install_result - changed_when: "'Already up to date' not in pnpm_install_result.stdout" - -- name: Build clawdbot from source - ansible.builtin.shell: - cmd: pnpm build - chdir: "{{ clawdbot_repo_dir }}" - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - environment: - PNPM_HOME: "{{ clawdbot_home }}/.local/share/pnpm" - 
PATH: "{{ clawdbot_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin" - HOME: "{{ clawdbot_home }}" - register: pnpm_build_result - changed_when: true # Build always changes dist/ directory - -- name: Display build output - ansible.builtin.debug: - msg: "Build completed successfully" - when: pnpm_build_result.rc == 0 - -- name: Check if dist directory exists - ansible.builtin.stat: - path: "{{ clawdbot_repo_dir }}/dist" - register: dist_dir - -- name: Fail if build didn't create dist directory - ansible.builtin.fail: - msg: "Build failed - dist directory not found" - when: not dist_dir.stat.exists - -- name: Remove existing global clawdbot symlink (if any) - ansible.builtin.file: - path: "{{ clawdbot_home }}/.local/bin/clawdbot" - state: absent - -- name: Create symlink to clawdbot binary - ansible.builtin.file: - src: "{{ clawdbot_repo_dir }}/bin/clawdbot.js" - dest: "{{ clawdbot_home }}/.local/bin/clawdbot" - state: link - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - force: true - -- name: Make clawdbot binary executable - ansible.builtin.file: - path: "{{ clawdbot_repo_dir }}/bin/clawdbot.js" - mode: '0755' - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - -- name: Verify clawdbot installation from development build - ansible.builtin.shell: - cmd: "{{ clawdbot_home }}/.local/bin/clawdbot --version" - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - environment: - PATH: "{{ clawdbot_home }}/.local/bin:/usr/local/bin:/usr/bin:/bin" - register: clawdbot_dev_version - changed_when: false - -- name: Display installed Clawdbot version (development build) - ansible.builtin.debug: - msg: | - ✅ Clawdbot installed from source: {{ clawdbot_dev_version.stdout }} - 📂 Repository: {{ clawdbot_repo_dir }} - 🔗 Binary: {{ clawdbot_home }}/.local/bin/clawdbot -> {{ clawdbot_repo_dir }}/bin/clawdbot.js - -- name: Add development mode info to .bashrc - 
ansible.builtin.blockinfile: - path: "{{ clawdbot_home }}/.bashrc" - marker: "# {mark} ANSIBLE MANAGED BLOCK - Clawdbot development" - block: | - # Clawdbot development mode - export CLAWDBOT_DEV_DIR="{{ clawdbot_repo_dir }}" - - # Aliases for development - alias clawdbot-rebuild='cd {{ clawdbot_repo_dir }} && pnpm build' - alias clawdbot-dev='cd {{ clawdbot_repo_dir }}' - alias clawdbot-pull='cd {{ clawdbot_repo_dir }} && git pull && pnpm install && pnpm build' - create: true - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: '0644' diff --git a/roles/clawdbot/tasks/clawdbot-release.yml b/roles/clawdbot/tasks/clawdbot-release.yml deleted file mode 100644 index 72d081c..0000000 --- a/roles/clawdbot/tasks/clawdbot-release.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# Release mode installation - Install via pnpm from npm registry - -- name: Install Clawdbot globally as clawdbot user (using pnpm) - ansible.builtin.shell: - cmd: pnpm install -g clawdbot@latest - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - environment: - PNPM_HOME: "{{ clawdbot_home }}/.local/share/pnpm" - PATH: "{{ clawdbot_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin" - HOME: "{{ clawdbot_home }}" - register: clawdbot_install - changed_when: "'Already up to date' not in clawdbot_install.stdout" - -- name: Verify clawdbot installation - ansible.builtin.shell: - cmd: "{{ clawdbot_home }}/.local/bin/clawdbot --version" - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - register: clawdbot_version - changed_when: false - -- name: Display installed Clawdbot version (release) - ansible.builtin.debug: - msg: "✅ Clawdbot installed from npm: {{ clawdbot_version.stdout }}" diff --git a/roles/clawdbot/tasks/clawdbot.yml b/roles/clawdbot/tasks/clawdbot.yml deleted file mode 100644 index 86f73b3..0000000 --- a/roles/clawdbot/tasks/clawdbot.yml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -- name: Create Clawdbot directories (structure only, no config files) - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: "{{ item.mode }}" - loop: - - { path: "{{ clawdbot_config_dir }}", mode: '0755' } - - { path: "{{ clawdbot_config_dir }}/sessions", mode: '0755' } - - { path: "{{ clawdbot_config_dir }}/credentials", mode: '0700' } - - { path: "{{ clawdbot_config_dir }}/data", mode: '0755' } - - { path: "{{ clawdbot_config_dir }}/logs", mode: '0755' } - -- name: Create pnpm directories - ansible.builtin.file: - path: "{{ item }}" - state: directory - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: '0755' - loop: - - "{{ clawdbot_home }}/.local/share/pnpm" - - "{{ clawdbot_home }}/.local/share/pnpm/store" - - "{{ clawdbot_home }}/.local/bin" - -- name: Ensure pnpm directories have correct ownership - ansible.builtin.file: - path: "{{ clawdbot_home }}/.local/share/pnpm" - state: directory - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - recurse: true - mode: '0755' - -- name: Configure pnpm for clawdbot user - ansible.builtin.shell: - cmd: | - pnpm config set global-dir {{ clawdbot_home }}/.local/share/pnpm - pnpm config set global-bin-dir {{ clawdbot_home }}/.local/bin - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - changed_when: true # Always consider changed as pnpm config may update - -- name: Display installation mode - ansible.builtin.debug: - msg: "📦 Installation mode: {{ clawdbot_install_mode }}" - -# Include appropriate installation method based on mode -- name: Include release installation (pnpm install -g) - ansible.builtin.include_tasks: clawdbot-release.yml - when: clawdbot_install_mode == "release" - -- name: Include development installation (git clone + build + link) - ansible.builtin.include_tasks: clawdbot-development.yml - when: clawdbot_install_mode == "development" - -- 
name: Configure .bashrc for clawdbot user (base config) - ansible.builtin.blockinfile: - path: "{{ clawdbot_home }}/.bashrc" - marker: "# {mark} ANSIBLE MANAGED BLOCK - Clawdbot pnpm" - block: | - # pnpm configuration - export PNPM_HOME="{{ clawdbot_home }}/.local/share/pnpm" - export PATH="{{ clawdbot_home }}/.local/bin:$PNPM_HOME:$PATH" - create: true - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: '0644' - insertafter: EOF - -# NOTE: We do NOT create config.yml here - clawdbot onboard/configure will do that -# We also do NOT install the systemd service - clawdbot onboard --install-daemon will do that -# The .clawdbot directory structure is created above, but config and daemon are user-initiated - -- name: Display configuration note - ansible.builtin.debug: - msg: | - ℹ️ Clawdbot is installed but NOT configured yet. - - Next steps (run as clawdbot user): - 1. Switch user: sudo su - clawdbot - 2. Run onboarding: clawdbot onboard --install-daemon - - This will: - • Create configuration files (~/.clawdbot/clawdbot.json) - • Guide you through provider setup - • Install and start the daemon service automatically diff --git a/roles/clawdbot/tasks/docker-macos.yml b/roles/clawdbot/tasks/docker-macos.yml deleted file mode 100644 index 83679b4..0000000 --- a/roles/clawdbot/tasks/docker-macos.yml +++ /dev/null 
@@ -1,40 +0,0 @@ ---- -# macOS-specific Docker installation (Docker Desktop) - -- name: Check if Docker Desktop is installed (macOS) - ansible.builtin.stat: - path: /Applications/Docker.app - register: docker_desktop - -- name: Install Docker Desktop via Homebrew Cask (macOS) - community.general.homebrew_cask: - name: docker - state: present - environment: - PATH: "/opt/homebrew/bin:{{ ansible_env.PATH }}" - when: not docker_desktop.stat.exists - -- name: Wait for Docker Desktop to be available (macOS) - ansible.builtin.wait_for: - path: /var/run/docker.sock - timeout: 120 - when: not docker_desktop.stat.exists - -- name: Display Docker Desktop installation note (macOS) - ansible.builtin.debug: - msg: | - ℹ️ Docker Desktop installed on macOS. - Please ensure Docker Desktop is running and has been configured. - You may need to start it manually from Applications. - when: not docker_desktop.stat.exists - -- name: Verify Docker is accessible - ansible.builtin.command: docker --version - register: docker_version - changed_when: false - failed_when: false - -- name: Display Docker version - ansible.builtin.debug: - msg: "Docker installed: {{ docker_version.stdout }}" - when: docker_version.rc == 0 diff --git a/roles/clawdbot/tasks/docker.yml b/roles/clawdbot/tasks/docker.yml deleted file mode 100644 index da00b9a..0000000 --- a/roles/clawdbot/tasks/docker.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# Main Docker orchestration - delegates to OS-specific tasks - -- name: Include Linux Docker installation - ansible.builtin.include_tasks: docker-linux.yml - when: ansible_os_family == 'Debian' - -- name: Include macOS Docker installation - ansible.builtin.include_tasks: docker-macos.yml - when: ansible_os_family == 'Darwin' diff --git a/roles/clawdbot/tasks/firewall-macos.yml b/roles/clawdbot/tasks/firewall-macos.yml deleted file mode 100644 index 08fba2b..0000000 --- a/roles/clawdbot/tasks/firewall-macos.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -# macOS-specific firewall configuration (pf) - -- name: Display macOS firewall information - ansible.builtin.debug: - msg: | - ℹ️ macOS uses built-in Application Firewall and pf. - Docker Desktop on macOS handles its own network isolation. - Consider configuring the Application Firewall via System Preferences. - -- name: Check macOS firewall status - ansible.builtin.command: /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate - register: macos_firewall_status - changed_when: false - become: true - -- name: Display firewall status - ansible.builtin.debug: - msg: "macOS Firewall Status: {{ macos_firewall_status.stdout }}" - -- name: Enable macOS Application Firewall (if disabled) - ansible.builtin.command: /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on - when: "'disabled' in macos_firewall_status.stdout.lower()" - become: true - changed_when: true - -- name: Allow Tailscale through firewall - ansible.builtin.command: /usr/libexec/ApplicationFirewall/socketfilterfw --add /Applications/Tailscale.app - failed_when: false - become: true - changed_when: false diff --git a/roles/clawdbot/tasks/firewall.yml b/roles/clawdbot/tasks/firewall.yml deleted file mode 100644 index d00bcf8..0000000 --- a/roles/clawdbot/tasks/firewall.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# Main firewall orchestration - delegates to OS-specific tasks - -- name: Include Linux firewall configuration - ansible.builtin.include_tasks: firewall-linux.yml - when: ansible_os_family == 'Debian' - -- name: Include macOS firewall configuration - ansible.builtin.include_tasks: firewall-macos.yml - when: ansible_os_family == 'Darwin' diff --git a/roles/clawdbot/tasks/system-tools-linux.yml b/roles/clawdbot/tasks/system-tools-linux.yml deleted file mode 100644 index a13c9ec..0000000 --- a/roles/clawdbot/tasks/system-tools-linux.yml +++ /dev/null 
@@ -1,118 +0,0 @@ ---- -# Linux-specific system tools installation (apt-based) - -- name: Install essential system tools (Linux - apt) - ansible.builtin.apt: - name: - # Shells - - zsh - # Editors - - vim - - nano - # Version control - - git - - git-lfs - # Network tools - - curl - - wget - - netcat-openbsd - - net-tools - - dnsutils - - iputils-ping - - traceroute - - tcpdump - - nmap - - socat - - telnet - # Debugging tools - - strace - - lsof - - gdb - - htop - - iotop - - iftop - - sysstat - - procps - # System utilities - - tmux - - tree - - jq - - unzip - - rsync - - less - # Build essentials for Homebrew on Linux - - build-essential - - file - state: present - update_cache: true - -- name: Set zsh as default shell for clawdbot user (Linux) - ansible.builtin.user: - name: "{{ clawdbot_user }}" - shell: /usr/bin/zsh - -- name: Deploy global vim configuration (Linux) - ansible.builtin.template: - src: vimrc.j2 - dest: /etc/vim/vimrc.local - owner: root - group: root - mode: '0644' - -- name: Configure .bashrc for clawdbot user (Linux) - ansible.builtin.blockinfile: - path: "{{ clawdbot_home }}/.bashrc" - marker: "# {mark} ANSIBLE MANAGED BLOCK - Clawdbot config" - block: | - # Enable 256 colors - export TERM=xterm-256color - export COLORTERM=truecolor - - # Add Homebrew to PATH (Linux) - eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" - - # Add pnpm to PATH - export PNPM_HOME="{{ clawdbot_home }}/.local/share/pnpm" - export PATH="{{ clawdbot_home }}/.local/bin:$PNPM_HOME:$PATH" - - # Color support for common tools - export CLICOLOR=1 - export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43' - - # Aliases - alias ls='ls --color=auto' - alias grep='grep --color=auto' - alias ll='ls -lah' - create: true - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: '0644' - -- name: Configure .zshrc for clawdbot user (Linux) - ansible.builtin.blockinfile: - path: "{{ clawdbot_home }}/.zshrc" - marker: "# 
{mark} ANSIBLE MANAGED BLOCK - Clawdbot config" - block: | - # Enable 256 colors - export TERM=xterm-256color - export COLORTERM=truecolor - - # Add Homebrew to PATH (Linux) - eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" - - # Add pnpm to PATH - export PNPM_HOME="{{ clawdbot_home }}/.local/share/pnpm" - export PATH="{{ clawdbot_home }}/.local/bin:$PNPM_HOME:$PATH" - - # Color support for common tools - export CLICOLOR=1 - export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43' - - # Aliases - alias ls='ls --color=auto' - alias grep='grep --color=auto' - alias ll='ls -lah' - create: true - owner: "{{ clawdbot_user }}" - group: "{{ clawdbot_user }}" - mode: '0644' diff --git a/roles/clawdbot/tasks/system-tools-macos.yml b/roles/clawdbot/tasks/system-tools-macos.yml deleted file mode 100644 index 0cbd47d..0000000 --- a/roles/clawdbot/tasks/system-tools-macos.yml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -# macOS-specific system tools installation (Homebrew-based) - -- name: Install essential system tools (macOS - Homebrew) - community.general.homebrew: - name: - # Shells - - zsh - # Editors - - vim - - nano - # Version control - - git - - git-lfs - # Network tools - - curl - - wget - - netcat - - nmap - - socat - - telnet - # Debugging tools - - htop - # System utilities - - tmux - - tree - - jq - - unzip - - rsync - state: present - environment: - PATH: "/opt/homebrew/bin:{{ ansible_env.PATH }}" - -- name: Get current user shell (macOS) - ansible.builtin.command: dscl . -read /Users/{{ clawdbot_user }} UserShell - register: current_shell - changed_when: false - failed_when: false - -- name: Set zsh as default shell for clawdbot user (macOS) - ansible.builtin.command: chsh -s /bin/zsh {{ clawdbot_user }} - when: "'/bin/zsh' not in current_shell.stdout" - changed_when: true - -- name: Configure .zshrc for clawdbot user (macOS) - ansible.builtin.blockinfile: - path: "{{ clawdbot_home }}/.zshrc" - marker: "# {mark} ANSIBLE MANAGED BLOCK - Clawdbot config" - block: | - # Enable 256 colors - export TERM=xterm-256color - export COLORTERM=truecolor - - # Add Homebrew to PATH (macOS) - eval "$(/opt/homebrew/bin/brew shellenv)" - - # Add pnpm to PATH - export PATH="{{ clawdbot_home }}/.local/bin:$PATH" - - # Color support for common tools - export CLICOLOR=1 - export LSCOLORS=ExFxCxDxBxegedabagacad - - # Aliases - alias ls='ls -G' - alias grep='grep --color=auto' - alias ll='ls -lah' - create: true - owner: "{{ clawdbot_user }}" - mode: '0644' diff --git a/roles/clawdbot/tasks/system-tools.yml b/roles/clawdbot/tasks/system-tools.yml deleted file mode 100644 index 365cc03..0000000 --- a/roles/clawdbot/tasks/system-tools.yml +++ /dev/null 
@@ -1,47 +0,0 @@ ---- -# Main system tools orchestration - delegates to OS-specific tasks - -- name: Include Linux system tools installation - ansible.builtin.include_tasks: system-tools-linux.yml - when: ansible_os_family == 'Debian' - -- name: Include macOS system tools installation - ansible.builtin.include_tasks: system-tools-macos.yml - when: ansible_os_family == 'Darwin' - -- name: Display unsupported OS warning - ansible.builtin.fail: - msg: "Unsupported OS family: {{ ansible_os_family }}. Only Debian/Ubuntu and macOS are supported." - when: ansible_os_family not in ['Debian', 'Darwin'] - -# Common tasks for all operating systems - -- name: Install oh-my-zsh for clawdbot user - ansible.builtin.shell: - cmd: | - sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended - creates: "{{ clawdbot_home }}/.oh-my-zsh" - executable: /bin/bash - become: true - become_user: "{{ clawdbot_user }}" - environment: - HOME: "{{ clawdbot_home }}" - USER: "{{ clawdbot_user }}" - -- name: Configure git globally - community.general.git_config: - name: "{{ item.name }}" - scope: global - value: "{{ item.value }}" - loop: - - { name: 'init.defaultBranch', value: 'main' } - - { name: 'pull.rebase', value: 'false' } - - { name: 'core.editor', value: 'vim' } - - { name: 'color.ui', value: 'auto' } - - { name: 'alias.st', value: 'status' } - - { name: 'alias.co', value: 'checkout' } - - { name: 'alias.br', value: 'branch' } - - { name: 'alias.ci', value: 'commit' } - - { name: 'alias.unstage', value: 'reset HEAD --' } - - { name: 'alias.last', value: 'log -1 HEAD' } - - { name: 'alias.lg', value: 'log --oneline --graph --decorate --all' } diff --git a/roles/clawdbot/tasks/tailscale-macos.yml b/roles/clawdbot/tasks/tailscale-macos.yml deleted file mode 100644 index 4ab0ce0..0000000 --- a/roles/clawdbot/tasks/tailscale-macos.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -# macOS-specific Tailscale installation (Homebrew Cask) - -- name: Check if Tailscale is already installed (macOS) - ansible.builtin.stat: - path: /Applications/Tailscale.app - register: tailscale_app_macos - -- name: Install Tailscale via Homebrew Cask (macOS) - community.general.homebrew_cask: - name: tailscale - state: present - environment: - PATH: "/opt/homebrew/bin:{{ ansible_env.PATH }}" - when: not tailscale_app_macos.stat.exists - -- name: Check if Tailscale is running (macOS) - ansible.builtin.command: /Applications/Tailscale.app/Contents/MacOS/Tailscale status --json - register: tailscale_status_macos - changed_when: false - failed_when: false - -- name: Display Tailscale setup instructions (macOS) - ansible.builtin.debug: - msg: - - "============================================" - - "Tailscale installed on macOS" - - "============================================" - - "" - - "To connect this Mac to your Tailnet:" - - "" - - "Option 1 - GUI:" - - " 1. Open Tailscale from Applications" - - " 2. Click 'Log in' and follow the web flow" - - "" - - "Option 2 - CLI:" - - " sudo /Applications/Tailscale.app/Contents/MacOS/Tailscale up" - - "" - - "With auth key:" - - " sudo /Applications/Tailscale.app/Contents/MacOS/Tailscale up --authkey tskey-auth-xxxxx" - - "" - - "Get auth key from: https://login.tailscale.com/admin/settings/keys" - when: tailscale_status_macos.rc != 0 diff --git a/roles/clawdbot/tasks/tailscale.yml b/roles/clawdbot/tasks/tailscale.yml deleted file mode 100644 index 6d76828..0000000 --- a/roles/clawdbot/tasks/tailscale.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# Main Tailscale orchestration - delegates to OS-specific tasks - -- name: Include Linux Tailscale installation - ansible.builtin.include_tasks: tailscale-linux.yml - when: ansible_os_family == 'Debian' - -- name: Include macOS Tailscale installation - ansible.builtin.include_tasks: tailscale-macos.yml - when: ansible_os_family == 'Darwin' 
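Review bot: deleting roles/clawdbot/tasks/system-tools.yml removes the only visible OS guard, the `ansible.builtin.fail` task with `when: ansible_os_family not in ['Debian', 'Darwin']`, and nothing replaces it. The new roles/openclaw/tasks/system-tools.yml in this patch includes system-tools-linux.yml unconditionally, so on a non-Debian host the run now gets as far as the first `ansible.builtin.apt` task before stopping, instead of failing up front with a clear message. Add an `ansible.builtin.assert` on `ansible_os_family == 'Debian'` at the top of roles/openclaw/tasks/main.yml. The "# Common tasks for all operating systems" comment carried into the new system-tools.yml should also be updated, since the file header now says "Linux only".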
diff --git a/roles/clawdbot/tasks/user.yml b/roles/clawdbot/tasks/user.yml deleted file mode 100644 index 95fe38a..0000000 --- a/roles/clawdbot/tasks/user.yml +++ /dev/null 
@@ -1,147 +0,0 @@ ---- -- name: Create clawdbot system user - ansible.builtin.user: - name: clawdbot - comment: "Clawdbot Service User" - system: true - shell: /bin/bash - create_home: true - home: /home/clawdbot - state: present - -- name: Add clawdbot user to sudoers with scoped NOPASSWD - ansible.builtin.copy: - dest: /etc/sudoers.d/clawdbot - mode: '0440' - owner: root - group: root - content: | - # Clawdbot sudo permissions (scoped for security) - # - # SECURITY NOTE: These permissions are intentionally limited. - # If clawdbot is compromised, attackers can only: - # - Manage the clawdbot service - # - Run basic tailscale diagnostics - # - View clawdbot logs - # - # To grant full tailscale control (e.g., for self-healing VPN): - # clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale * - # - # To grant full sudo (NOT RECOMMENDED): - # clawdbot ALL=(ALL) NOPASSWD: ALL - - # Service control - clawdbot service only - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl start clawdbot - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop clawdbot - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart clawdbot - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl status clawdbot - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable clawdbot - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl disable clawdbot - # daemon-reload affects all units (required after service file changes) - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/systemctl daemon-reload - - # Tailscale - diagnostics + connect/disconnect - # NOTE: 'up' allows flags like --advertise-exit-node. For tighter control, - # remove 'up' and 'down' lines - operator must then manage VPN manually. 
- clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale status - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale up * - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale down - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale ip * - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale version - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale ping * - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/tailscale whois * - - # Journal access - clawdbot logs only - clawdbot ALL=(ALL) NOPASSWD: /usr/bin/journalctl -u clawdbot * - validate: /usr/sbin/visudo -cf %s - -- name: Set clawdbot user as primary user for installation - ansible.builtin.set_fact: - clawdbot_user: clawdbot - clawdbot_home: /home/clawdbot - -# Fix DBus issues for systemd user services -- name: Get clawdbot user ID - ansible.builtin.command: id -u clawdbot - register: clawdbot_uid - changed_when: false - when: ansible_os_family == 'Debian' - -- name: Display clawdbot user ID - ansible.builtin.debug: - msg: "Clawdbot user ID: {{ clawdbot_uid.stdout }}" - when: ansible_os_family == 'Debian' - -- name: Enable lingering for clawdbot user (allows systemd user services without login) - ansible.builtin.command: loginctl enable-linger clawdbot - changed_when: false - when: ansible_os_family == 'Debian' - -- name: Create runtime directory for clawdbot user - ansible.builtin.file: - path: "/run/user/{{ clawdbot_uid.stdout }}" - state: directory - owner: clawdbot - group: clawdbot - mode: '0700' - when: ansible_os_family == 'Debian' - -- name: Store clawdbot UID as fact for later use - ansible.builtin.set_fact: - clawdbot_uid_value: "{{ clawdbot_uid.stdout }}" - when: ansible_os_family == 'Debian' - -# SSH key configuration -- name: Create .ssh directory for clawdbot user - ansible.builtin.file: - path: "{{ clawdbot_home }}/.ssh" - state: directory - owner: clawdbot - group: clawdbot - mode: '0700' - -- name: Add SSH authorized keys for clawdbot user - ansible.builtin.authorized_key: - user: clawdbot - state: present - key: "{{ item }}" - 
loop: "{{ clawdbot_ssh_keys }}" - when: clawdbot_ssh_keys | length > 0 - -- name: Display SSH key configuration status - ansible.builtin.debug: - msg: "✅ {{ clawdbot_ssh_keys | length }} SSH key(s) configured for clawdbot user" - when: clawdbot_ssh_keys | length > 0 - -- name: Display SSH key warning if none configured - ansible.builtin.debug: - msg: "⚠️ No SSH keys configured. Set 'clawdbot_ssh_keys' variable to allow SSH access." - when: clawdbot_ssh_keys | length == 0 - -- name: Set XDG_RUNTIME_DIR in .bashrc for clawdbot user - ansible.builtin.lineinfile: - path: /home/clawdbot/.bashrc - line: 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' - state: present - create: true - owner: clawdbot - group: clawdbot - mode: '0644' - when: ansible_os_family == 'Debian' - -- name: Set DBUS_SESSION_BUS_ADDRESS in .bashrc for clawdbot user - ansible.builtin.blockinfile: - path: /home/clawdbot/.bashrc - marker: "# {mark} ANSIBLE MANAGED BLOCK - DBus config" - block: | - # DBus session bus configuration - if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then - if [ -f "${XDG_RUNTIME_DIR}/bus" ]; then - export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus" - fi - fi - create: true - owner: clawdbot - group: clawdbot - mode: '0644' - when: ansible_os_family == 'Debian' diff --git a/roles/clawdbot/templates/clawdbot-host.service.j2 b/roles/clawdbot/templates/clawdbot-host.service.j2 deleted file mode 100644 index 109a333..0000000 --- a/roles/clawdbot/templates/clawdbot-host.service.j2 +++ /dev/null 
@@ -1,42 +0,0 @@ -[Unit] -Description=Clawdbot AI Gateway -After=network.target docker.service -Requires=docker.service - -[Service] -Type=simple -User={{ clawdbot_user }} -Group={{ clawdbot_user }} -WorkingDirectory={{ clawdbot_home }} - -# Environment variables -Environment="PATH={{ clawdbot_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/usr/local/bin:/usr/bin:/bin" -Environment="PNPM_HOME={{ clawdbot_home }}/.local/share/pnpm" -Environment="HOME={{ clawdbot_home }}" -Environment="XDG_RUNTIME_DIR=/run/user/{{ clawdbot_uid_value | default('1000') }}" - -# DBus session bus -Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/{{ clawdbot_uid_value | default('1000') }}/bus" - -# Start command -ExecStart={{ clawdbot_home }}/.local/bin/clawdbot gateway - -# Restart policy -Restart=always -RestartSec=10 - -# Security hardening -NoNewPrivileges=true -PrivateTmp=true -ProtectSystem=strict -ProtectHome=read-only -ReadWritePaths={{ clawdbot_home }}/.clawdbot -ReadWritePaths={{ clawdbot_home }}/.local - -# Logging -StandardOutput=journal -StandardError=journal -SyslogIdentifier=clawdbot - -[Install] -WantedBy=multi-user.target diff --git a/roles/openclaw/defaults/main.yml b/roles/openclaw/defaults/main.yml new file mode 100644 index 0000000..243cc6d --- /dev/null +++ b/roles/openclaw/defaults/main.yml 
@@ -0,0 +1,42 @@ +--- +# OpenClaw default variables + +# CI testing mode - skips tasks that require systemd, Docker-in-Docker, or kernel access +ci_test: false + +# Tailscale settings +# WARNING: Tasks using tailscale_authkey MUST set no_log: true to prevent credential exposure +tailscale_enabled: false # Set to true to install and configure Tailscale +tailscale_authkey: "" # Optional: set to auto-connect during installation + +# Node.js version +nodejs_version: "22.x" + +# OpenClaw settings +openclaw_port: 3000 + +# OpenClaw config directory +openclaw_config_dir: "{{ openclaw_home }}/.openclaw" + +# User settings (will be created as system user) +openclaw_user: openclaw +openclaw_home: /home/openclaw + +# Installation mode: 'release' or 'development' +# release: Install via pnpm install -g openclaw@latest +# development: Clone repo, build from source, link globally +openclaw_install_mode: "release" + +# Development mode settings (only used when openclaw_install_mode: development) +openclaw_repo_url: "https://github.com/openclaw/openclaw.git" +openclaw_repo_branch: "main" +openclaw_code_dir: "{{ openclaw_home }}/code" +openclaw_repo_dir: "{{ openclaw_code_dir }}/openclaw" + +# SSH keys for openclaw user +# Add your public SSH keys here to allow SSH access as openclaw user +# Example: +# openclaw_ssh_keys: +# - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@host" +# - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxxxxxxxxxxxxxxxxxxxxxxx user@host" +openclaw_ssh_keys: [] diff --git a/roles/clawdbot/files/clawdbot-setup.sh b/roles/openclaw/files/openclaw-setup.sh similarity index 73% rename from roles/clawdbot/files/clawdbot-setup.sh rename to roles/openclaw/files/openclaw-setup.sh index c2eadc2..0da2362 100644 --- a/roles/clawdbot/files/clawdbot-setup.sh +++ b/roles/openclaw/files/openclaw-setup.sh 
@@ -13,12 +13,12 @@ BLUE='\033[0;34m' CYAN='\033[0;36m' NC='\033[0m' # No Color -# Clawdbot ASCII Art Lobster +# OpenClaw ASCII Art Lobster cat << 'LOBSTER' [0;36m +====================================================+ | | - | [0;33mWelcome to Clawdbot! [0;31m🦞[0;36m | + | [0;33mWelcome to OpenClaw! [0;31m🦞[0;36m | | | |[0;31m ,.---._ [0;36m| |[0;31m ,,,, / `, [0;36m| @@ -45,19 +45,19 @@ echo " - UFW Firewall: ENABLED" echo " - Open Ports: SSH (22) + Tailscale (41641/udp)" echo " - Docker isolation: ACTIVE" echo "" -echo -e "📚 Documentation: ${GREEN}https://docs.clawd.bot${NC}" +echo -e "📚 Documentation: ${GREEN}https://docs.openclaw.ai${NC}" echo "" -# Switch to clawdbot user for setup -echo -e "${YELLOW}Switching to clawdbot user for setup...${NC}" +# Switch to openclaw user for setup +echo -e "${YELLOW}Switching to openclaw user for setup...${NC}" echo "" echo "DEBUG: About to create init script..." # Create init script that will be sourced on login -cat > /home/clawdbot/.clawdbot-init << 'INIT_EOF' +cat > /home/openclaw/.openclaw-init << 'INIT_EOF' # Display welcome message echo "============================================" -echo "📋 Clawdbot Setup - Next Steps" +echo "📋 OpenClaw Setup - Next Steps" echo "============================================" echo "" echo "You are now: $(whoami)@$(hostname)" 
@@ -65,19 +65,19 @@ echo "Home: $HOME" echo "" echo "🔧 Setup Commands:" echo "" -echo "1. Configure Clawdbot:" -echo " nano ~/.clawdbot/config.yml" +echo "1. Configure OpenClaw:" +echo " nano ~/.openclaw/config.yml" echo "" echo "2. Login to provider (WhatsApp/Telegram/Signal):" -echo " clawdbot login" +echo " openclaw login" echo "" echo "3. Test gateway:" -echo " clawdbot gateway" +echo " openclaw gateway" echo "" echo "4. Exit and manage as service:" echo " exit" -echo " sudo systemctl status clawdbot" -echo " sudo journalctl -u clawdbot -f" +echo " sudo systemctl status openclaw" +echo " sudo journalctl -u openclaw -f" echo "" echo "5. Connect Tailscale (as root):" echo " exit" @@ -89,18 +89,18 @@ echo "Type 'exit' to return to previous user" echo "" # Remove this init file after first login -rm -f ~/.clawdbot-init +rm -f ~/.openclaw-init INIT_EOF -chown clawdbot:clawdbot /home/clawdbot/.clawdbot-init +chown openclaw:openclaw /home/openclaw/.openclaw-init # Add one-time sourcing to .bashrc if not already there -grep -q '.clawdbot-init' /home/clawdbot/.bashrc 2>/dev/null || { - echo '' >> /home/clawdbot/.bashrc - echo '# One-time setup message' >> /home/clawdbot/.bashrc - echo '[ -f ~/.clawdbot-init ] && source ~/.clawdbot-init' >> /home/clawdbot/.bashrc +grep -q '.openclaw-init' /home/openclaw/.bashrc 2>/dev/null || { + echo '' >> /home/openclaw/.bashrc + echo '# One-time setup message' >> /home/openclaw/.bashrc + echo '[ -f ~/.openclaw-init ] && source ~/.openclaw-init' >> /home/openclaw/.bashrc } -# Switch to clawdbot user with explicit interactive shell +# Switch to openclaw user with explicit interactive shell # Using setsid to create new session + force pseudo-terminal allocation -exec sudo -i -u clawdbot /bin/bash --login +exec sudo -i -u openclaw /bin/bash --login 
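Review bot: the next-steps text in openclaw-setup.sh (hunk `@@ -65,19 +65,19 @@`) still tells the operator to edit `~/.openclaw/config.yml` and then check `sudo systemctl status openclaw`, but roles/openclaw/tasks/openclaw.yml in this same patch states that the role creates neither a config.yml nor the systemd service, and that `openclaw onboard --install-daemon` writes `~/.openclaw/openclaw.json`. Change step 1 to the onboarding command so the banner matches what the role actually leaves on the host. In the last hunk, `cat > /home/openclaw/.openclaw-init` followed by `chown openclaw:openclaw` means the script writes into the service account's home with elevated privileges and fixes ownership afterwards; writing the file as the target user (for example through `sudo -u openclaw tee`) avoids a privileged write to a path that account controls. The unchanged comment about setsid no longer describes the `exec sudo -i -u openclaw /bin/bash --login` line and can go.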
diff --git a/roles/clawdbot/files/show-lobster.sh b/roles/openclaw/files/show-lobster.sh similarity index 93% rename from roles/clawdbot/files/show-lobster.sh rename to roles/openclaw/files/show-lobster.sh index 7cee761..508cb3c 100755 --- a/roles/clawdbot/files/show-lobster.sh +++ b/roles/openclaw/files/show-lobster.sh @@ -3,7 +3,7 @@ cat << 'LOBSTER' [0;36m +====================================================+ | | - | [0;33mWelcome to Clawdbot! [0;31m🦞[0;36m | + | [0;33mWelcome to OpenClaw! [0;31m🦞[0;36m | | | |[0;31m ,.---._ [0;36m| |[0;31m ,,,, / `, [0;36m| @@ -30,5 +30,5 @@ echo " - UFW Firewall: ENABLED" echo " - Open Ports: SSH (22) + Tailscale (41641/udp)" echo " - Docker isolation: ACTIVE" echo "" -echo "📚 Documentation: https://docs.clawd.bot" +echo "📚 Documentation: https://docs.openclaw.ai" echo "" diff --git a/roles/clawdbot/handlers/main.yml b/roles/openclaw/handlers/main.yml similarity index 100% rename from roles/clawdbot/handlers/main.yml rename to roles/openclaw/handlers/main.yml diff --git a/roles/clawdbot/tasks/docker-linux.yml b/roles/openclaw/tasks/docker-linux.yml similarity index 98% rename from roles/clawdbot/tasks/docker-linux.yml rename to roles/openclaw/tasks/docker-linux.yml index 9e59853..b66a7a2 100644 --- a/roles/clawdbot/tasks/docker-linux.yml +++ b/roles/openclaw/tasks/docker-linux.yml @@ -61,7 +61,7 @@ - name: Add user to docker group ansible.builtin.user: - name: "{{ clawdbot_user }}" + name: "{{ openclaw_user }}" groups: docker append: true diff --git a/roles/clawdbot/tasks/firewall-linux.yml b/roles/openclaw/tasks/firewall-linux.yml similarity index 88% rename from roles/clawdbot/tasks/firewall-linux.yml rename to roles/openclaw/tasks/firewall-linux.yml index b33cc6e..068b4a5 100644 --- a/roles/clawdbot/tasks/firewall-linux.yml +++ b/roles/openclaw/tasks/firewall-linux.yml 
@@ -15,7 +15,7 @@ group: root mode: '0644' content: | - # Clawdbot security hardening - SSH protection + # OpenClaw security hardening - SSH protection [DEFAULT] bantime = 3600 findtime = 600 @@ -61,7 +61,7 @@ group: root mode: '0644' content: | - // Clawdbot security hardening - automatic security updates + // OpenClaw security hardening - automatic security updates Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; "${distro_id}ESMApps:${distro_codename}-apps-security"; @@ -103,6 +103,7 @@ port: '41641' proto: udp comment: 'Tailscale' + when: tailscale_enabled | bool - name: Get default network interface ansible.builtin.shell: @@ -113,6 +114,14 @@ register: default_interface changed_when: false +- name: Validate default network interface was detected + ansible.builtin.assert: + that: + - default_interface.stdout is defined + - default_interface.stdout | length > 0 + fail_msg: "Failed to detect default network interface. Cannot configure firewall rules safely." + success_msg: "Default network interface detected: {{ default_interface.stdout }}" + - name: Create UFW after.rules for Docker isolation ansible.builtin.blockinfile: path: /etc/ufw/after.rules diff --git a/roles/clawdbot/tasks/main.yml b/roles/openclaw/tasks/main.yml similarity index 56% rename from roles/clawdbot/tasks/main.yml rename to roles/openclaw/tasks/main.yml index 5e6aace..81a5dd9 100644 --- a/roles/clawdbot/tasks/main.yml +++ b/roles/openclaw/tasks/main.yml 
@@ -3,19 +3,22 @@ ansible.builtin.include_tasks: system-tools.yml - name: Include Tailscale installation tasks - ansible.builtin.include_tasks: tailscale.yml + ansible.builtin.include_tasks: tailscale-linux.yml + when: tailscale_enabled | bool - name: Include user creation tasks ansible.builtin.include_tasks: user.yml - name: Include Docker installation tasks - ansible.builtin.include_tasks: docker.yml + ansible.builtin.include_tasks: docker-linux.yml + when: not ci_test - name: Include firewall configuration tasks - ansible.builtin.include_tasks: firewall.yml + ansible.builtin.include_tasks: firewall-linux.yml + when: not ci_test - name: Include Node.js installation tasks ansible.builtin.include_tasks: nodejs.yml -- name: Include Clawdbot setup tasks - ansible.builtin.include_tasks: clawdbot.yml +- name: Include OpenClaw setup tasks + ansible.builtin.include_tasks: openclaw.yml diff --git a/roles/clawdbot/tasks/nodejs.yml b/roles/openclaw/tasks/nodejs.yml similarity index 90% rename from roles/clawdbot/tasks/nodejs.yml rename to roles/openclaw/tasks/nodejs.yml index f094d9a..8c1ecf4 100644 --- a/roles/clawdbot/tasks/nodejs.yml +++ b/roles/openclaw/tasks/nodejs.yml @@ -42,10 +42,15 @@ name: nodejs state: present +- name: Check if pnpm is already installed + ansible.builtin.command: pnpm --version + register: pnpm_check + failed_when: false + changed_when: false + - name: Install pnpm globally ansible.builtin.command: npm install -g pnpm - args: - creates: /usr/local/bin/pnpm + when: pnpm_check.rc != 0 - name: Verify Node.js installation ansible.builtin.command: node --version diff --git a/roles/openclaw/tasks/openclaw-development.yml b/roles/openclaw/tasks/openclaw-development.yml new file mode 100644 index 0000000..653c345 --- /dev/null +++ b/roles/openclaw/tasks/openclaw-development.yml 
@@ -0,0 +1,142 @@ +--- +# Development mode installation - Clone repo, build from source, link globally + +- name: Create code directory + ansible.builtin.file: + path: "{{ openclaw_code_dir }}" + state: directory + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0755' + +- name: Check if openclaw repository already exists + ansible.builtin.stat: + path: "{{ openclaw_repo_dir }}/.git" + register: openclaw_repo_exists + +- name: Clone openclaw repository + ansible.builtin.git: + repo: "{{ openclaw_repo_url }}" + dest: "{{ openclaw_repo_dir }}" + version: "{{ openclaw_repo_branch }}" + update: true + become: true + become_user: "{{ openclaw_user }}" + when: not openclaw_repo_exists.stat.exists + +- name: Pull latest changes if repo exists + ansible.builtin.git: + repo: "{{ openclaw_repo_url }}" + dest: "{{ openclaw_repo_dir }}" + version: "{{ openclaw_repo_branch }}" + update: true + become: true + become_user: "{{ openclaw_user }}" + when: openclaw_repo_exists.stat.exists + register: git_pull_result + +- name: Display git pull status + ansible.builtin.debug: + msg: "Git repository updated: {{ git_pull_result.changed | default(false) }}" + when: openclaw_repo_exists.stat.exists + +- name: Install dependencies with pnpm + ansible.builtin.shell: + cmd: pnpm install + chdir: "{{ openclaw_repo_dir }}" + executable: /bin/bash + become: true + become_user: "{{ openclaw_user }}" + environment: + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" + register: pnpm_install_result + changed_when: "'Already up to date' not in pnpm_install_result.stdout" + +- name: Build openclaw from source + ansible.builtin.shell: + cmd: pnpm build + chdir: "{{ openclaw_repo_dir }}" + executable: /bin/bash + become: true + become_user: "{{ openclaw_user }}" + environment: + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ 
openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" + register: pnpm_build_result + changed_when: true # Build always changes dist/ directory + +- name: Display build output + ansible.builtin.debug: + msg: "Build completed successfully" + when: pnpm_build_result.rc == 0 + +- name: Check if dist directory exists + ansible.builtin.stat: + path: "{{ openclaw_repo_dir }}/dist" + register: dist_dir + +- name: Fail if build didn't create dist directory + ansible.builtin.fail: + msg: "Build failed - dist directory not found" + when: not dist_dir.stat.exists + +- name: Remove existing global openclaw symlink (if any) + ansible.builtin.file: + path: "{{ openclaw_home }}/.local/bin/openclaw" + state: absent + +- name: Create symlink to openclaw binary + ansible.builtin.file: + src: "{{ openclaw_repo_dir }}/bin/openclaw.js" + dest: "{{ openclaw_home }}/.local/bin/openclaw" + state: link + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + force: true + +- name: Make openclaw binary executable + ansible.builtin.file: + path: "{{ openclaw_repo_dir }}/bin/openclaw.js" + mode: '0755' + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + +- name: Verify openclaw installation from development build + ansible.builtin.shell: + cmd: openclaw --version + executable: /bin/bash + become: true + become_user: "{{ openclaw_user }}" + environment: + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" + register: openclaw_dev_version + changed_when: false + +- name: Display installed OpenClaw version (development build) + ansible.builtin.debug: + msg: | + OpenClaw installed from source: {{ openclaw_dev_version.stdout }} + Repository: {{ openclaw_repo_dir }} + Binary: {{ openclaw_home }}/.local/bin/openclaw -> {{ openclaw_repo_dir }}/bin/openclaw.js + +- name: Add 
development mode info to .bashrc + ansible.builtin.blockinfile: + path: "{{ openclaw_home }}/.bashrc" + marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw development" + block: | + # OpenClaw development mode + export OPENCLAW_DEV_DIR="{{ openclaw_repo_dir }}" + + # Aliases for development + alias openclaw-rebuild='cd {{ openclaw_repo_dir }} && pnpm build' + alias openclaw-dev='cd {{ openclaw_repo_dir }}' + alias openclaw-pull='cd {{ openclaw_repo_dir }} && git pull && pnpm install && pnpm build' + create: true + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0644' diff --git a/roles/openclaw/tasks/openclaw-release.yml b/roles/openclaw/tasks/openclaw-release.yml new file mode 100644 index 0000000..76aaef8 --- /dev/null +++ b/roles/openclaw/tasks/openclaw-release.yml @@ -0,0 +1,32 @@ +--- +# Release mode installation - Install via pnpm from npm registry + +- name: Install OpenClaw globally as openclaw user (using pnpm) + ansible.builtin.shell: + cmd: pnpm install -g openclaw@latest + executable: /bin/bash + become: true + become_user: "{{ openclaw_user }}" + environment: + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" + register: openclaw_install + changed_when: "'Already up to date' not in openclaw_install.stdout" + +- name: Verify openclaw installation + ansible.builtin.shell: + cmd: openclaw --version + executable: /bin/bash + become: true + become_user: "{{ openclaw_user }}" + environment: + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" + register: openclaw_version + changed_when: false + +- name: Display installed OpenClaw version (release) + ansible.builtin.debug: + msg: "OpenClaw installed from npm: {{ openclaw_version.stdout }}" 
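Review bot: both install paths track a moving target, so two runs of the same playbook can put different code on a host that is meant to be hardened. openclaw-release.yml runs `pnpm install -g openclaw@latest`, and openclaw-development.yml checks out `openclaw_repo_branch` (default `main`) with `update: true`, then builds and links the result. Introduce a version variable for the release path and default the development path to a tag or commit, so the installed version is one that was reviewed and a re-run does not upgrade silently. Two smaller points in openclaw-development.yml: "Clone openclaw repository" and "Pull latest changes if repo exists" are the same `ansible.builtin.git` call split by a `stat` check and can be a single task, and "Remove existing global openclaw symlink (if any)" followed by a `state: link` task with `force: true` reports changed on every run, which defeats the idempotency check the project's AGENTS.md asks for; the `force: true` link task is enough on its own.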
diff --git a/roles/openclaw/tasks/openclaw.yml b/roles/openclaw/tasks/openclaw.yml new file mode 100644 index 0000000..7e51164 --- /dev/null +++ b/roles/openclaw/tasks/openclaw.yml 
@@ -0,0 +1,109 @@ +--- +- name: Validate openclaw_install_mode + ansible.builtin.assert: + that: + - openclaw_install_mode in ["release", "development"] + fail_msg: "Invalid openclaw_install_mode: '{{ openclaw_install_mode }}'. Must be 'release' or 'development'." + success_msg: "Valid install mode: {{ openclaw_install_mode }}" + +- name: Create OpenClaw directories (structure only, no config files) + ansible.builtin.file: + path: "{{ item.path }}" + state: directory + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: "{{ item.mode }}" + loop: + - { path: "{{ openclaw_config_dir }}", mode: '0755' } + - { path: "{{ openclaw_config_dir }}/sessions", mode: '0755' } + - { path: "{{ openclaw_config_dir }}/credentials", mode: '0700' } + - { path: "{{ openclaw_config_dir }}/data", mode: '0755' } + - { path: "{{ openclaw_config_dir }}/logs", mode: '0755' } + +- name: Create pnpm directories + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0755' + loop: + - "{{ openclaw_home }}/.local/share/pnpm" + - "{{ openclaw_home }}/.local/share/pnpm/store" + - "{{ openclaw_home }}/.local/bin" + +- name: Ensure pnpm directories have correct ownership + ansible.builtin.file: + path: "{{ openclaw_home }}/.local/share/pnpm" + state: directory + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + recurse: true + mode: '0755' + +- name: Configure pnpm for openclaw user + ansible.builtin.shell: + cmd: | + CURRENT_GLOBAL_DIR=$(pnpm config get global-dir 2>/dev/null || echo "") + CURRENT_BIN_DIR=$(pnpm config get global-bin-dir 2>/dev/null || echo "") + CHANGED=0 + if [ "$CURRENT_GLOBAL_DIR" != "{{ openclaw_home }}/.local/share/pnpm" ]; then + pnpm config set global-dir {{ openclaw_home }}/.local/share/pnpm + CHANGED=1 + fi + if [ "$CURRENT_BIN_DIR" != "{{ openclaw_home }}/.local/bin" ]; then + pnpm config set global-bin-dir {{ openclaw_home }}/.local/bin + CHANGED=1 + fi + exit 
$CHANGED + executable: /bin/bash + become: true + become_user: "{{ openclaw_user }}" + register: pnpm_config_result + changed_when: pnpm_config_result.rc == 1 + failed_when: pnpm_config_result.rc > 1 + +- name: Display installation mode + ansible.builtin.debug: + msg: "Installation mode: {{ openclaw_install_mode }}" + +# Include appropriate installation method based on mode +- name: Include release installation (pnpm install -g) + ansible.builtin.include_tasks: openclaw-release.yml + when: openclaw_install_mode == "release" + +- name: Include development installation (git clone + build + link) + ansible.builtin.include_tasks: openclaw-development.yml + when: openclaw_install_mode == "development" + +- name: Configure .bashrc for openclaw user (base config) + ansible.builtin.blockinfile: + path: "{{ openclaw_home }}/.bashrc" + marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw pnpm" + block: | + # pnpm configuration + export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm" + export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH" + create: true + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0644' + insertafter: EOF + +# NOTE: We do NOT create config.yml here - openclaw onboard/configure will do that +# We also do NOT install the systemd service - openclaw onboard --install-daemon will do that +# The .openclaw directory structure is created above, but config and daemon are user-initiated + +- name: Display configuration note + ansible.builtin.debug: + msg: | + OpenClaw is installed but NOT configured yet. + + Next steps (run as openclaw user): + 1. Switch user: sudo su - openclaw + 2. Run onboarding: openclaw onboard --install-daemon + + This will: + - Create configuration files (~/.openclaw/openclaw.json) + - Guide you through provider setup + - Install and start the daemon service automatically 
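Review bot: in the "Create OpenClaw directories" loop only `credentials` gets `0700`; `{{ openclaw_config_dir }}` itself and `sessions`, `data` and `logs` are `0755`, and user.yml sets the home directory to `0755` as well, so every local account can traverse these directories and read any file the gateway creates with default permissions. Unless something outside this role has to read them, set the config directory to `0700` (or `0750`) and let the subdirectories follow. In "Configure pnpm for openclaw user", exit code 1 doubles as the changed signal: the script has no `set -e`, so a failing `pnpm config set` is ignored and the task still ends with `exit $CHANGED`, which `changed_when: pnpm_config_result.rc == 1` reports as a successful change. Print a marker on stdout for the changed case, test that in `changed_when`, and let any non-zero exit fail the task. The templated paths passed to `pnpm config set` should also be quoted, for example with the `quote` filter.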
diff --git a/roles/openclaw/tasks/system-tools-linux.yml b/roles/openclaw/tasks/system-tools-linux.yml new file mode 100644 index 0000000..712952f --- /dev/null +++ b/roles/openclaw/tasks/system-tools-linux.yml @@ -0,0 +1,53 @@ +--- +# Linux-specific system tools installation (apt-based) + +- name: Install essential system tools (Linux - apt) + ansible.builtin.apt: + name: + # Editors + - vim + - nano + # Version control + - git + - git-lfs + # Network tools + - curl + - wget + - netcat-openbsd + - net-tools + - dnsutils + - iputils-ping + - traceroute + - tcpdump + - nmap + - socat + - telnet + # Debugging tools + - strace + - lsof + - gdb + - htop + - iotop + - iftop + - sysstat + - procps + # System utilities + - tmux + - tree + - jq + - unzip + - rsync + - less + # Build essentials for development + - build-essential + - file + state: present + update_cache: true + +- name: Deploy global vim configuration (Linux) + ansible.builtin.template: + src: vimrc.j2 + dest: /etc/vim/vimrc.local + owner: root + group: root + mode: '0644' diff --git a/roles/openclaw/tasks/system-tools.yml b/roles/openclaw/tasks/system-tools.yml new file mode 100644 index 0000000..d4e0695 --- /dev/null +++ b/roles/openclaw/tasks/system-tools.yml 
@@ -0,0 +1,25 @@ +--- +# Main system tools orchestration - Linux only + +- name: Include Linux system tools installation + ansible.builtin.include_tasks: system-tools-linux.yml + +# Common tasks for all operating systems + +- name: Configure git globally + community.general.git_config: + name: "{{ item.name }}" + scope: global + value: "{{ item.value }}" + loop: + - { name: 'init.defaultBranch', value: 'main' } + - { name: 'pull.rebase', value: 'false' } + - { name: 'core.editor', value: 'vim' } + - { name: 'color.ui', value: 'auto' } + - { name: 'alias.st', value: 'status' } + - { name: 'alias.co', value: 'checkout' } + - { name: 'alias.br', value: 'branch' } + - { name: 'alias.ci', value: 'commit' } + - { name: 'alias.unstage', value: 'reset HEAD --' } + - { name: 'alias.last', value: 'log -1 HEAD' } + - { name: 'alias.lg', value: 'log --oneline --graph --decorate --all' } diff --git a/roles/clawdbot/tasks/tailscale-linux.yml b/roles/openclaw/tasks/tailscale-linux.yml similarity index 100% rename from roles/clawdbot/tasks/tailscale-linux.yml rename to roles/openclaw/tasks/tailscale-linux.yml diff --git a/roles/openclaw/tasks/user.yml b/roles/openclaw/tasks/user.yml new file mode 100644 index 0000000..cf7135b --- /dev/null +++ b/roles/openclaw/tasks/user.yml 
@@ -0,0 +1,194 @@ +--- +- name: Create openclaw system user + ansible.builtin.user: + name: openclaw + comment: "OpenClaw Service User" + system: true + shell: /bin/bash + create_home: true + home: /home/openclaw + state: present + +- name: Ensure openclaw home directory has correct ownership + ansible.builtin.file: + path: "{{ openclaw_home }}" + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + state: directory + mode: '0755' + +- name: Configure .bashrc for openclaw user + ansible.builtin.blockinfile: + path: "{{ openclaw_home }}/.bashrc" + marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw config" + block: | + # Enable 256 colors + export TERM=xterm-256color + export COLORTERM=truecolor + + # Add pnpm to PATH + export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm" + export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH" + + # Color support for common tools + export CLICOLOR=1 + export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43' + + # Aliases + alias ls='ls --color=auto' + alias grep='grep --color=auto' + alias ll='ls -lah' + create: true + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0644' + +- name: Add openclaw user to sudoers with scoped NOPASSWD + ansible.builtin.copy: + dest: /etc/sudoers.d/openclaw + mode: '0440' + owner: root + group: root + content: | + # OpenClaw sudo permissions (scoped for security) + # + # SECURITY NOTE: These permissions are intentionally limited. 
+ # If openclaw is compromised, attackers can only: + # - Manage the openclaw service + # - Run basic tailscale diagnostics + # - View openclaw logs + # + # To grant full tailscale control (e.g., for self-healing VPN): + # openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale * + # + # To grant full sudo (NOT RECOMMENDED): + # openclaw ALL=(ALL) NOPASSWD: ALL + + # Service control - openclaw service only + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl start openclaw + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl stop openclaw + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart openclaw + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl status openclaw + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl enable openclaw + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl disable openclaw + # daemon-reload affects all units (required after service file changes) + openclaw ALL=(ALL) NOPASSWD: /usr/bin/systemctl daemon-reload + + # Tailscale - diagnostics + connect/disconnect + # NOTE: 'up' allows flags like --advertise-exit-node. For tighter control, + # remove 'up' and 'down' lines - operator must then manage VPN manually. 
+ openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale status + openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale up * + openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale down + openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale ip * + openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale version + openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale ping * + openclaw ALL=(ALL) NOPASSWD: /usr/bin/tailscale whois * + + # Journal access - openclaw logs only + openclaw ALL=(ALL) NOPASSWD: /usr/bin/journalctl -u openclaw * + validate: /usr/sbin/visudo -cf %s + +- name: Set openclaw user as primary user for installation + ansible.builtin.set_fact: + openclaw_user: openclaw + openclaw_home: /home/openclaw + +- name: Create .bash_profile to source .bashrc for login shells + ansible.builtin.copy: + dest: "{{ openclaw_home }}/.bash_profile" + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0644' + content: | + # .bash_profile - Executed for login shells + # Source .bashrc to ensure environment is loaded for login shells + if [ -f ~/.bashrc ]; then + . 
~/.bashrc + fi + +# Fix DBus issues for systemd user services +- name: Get openclaw user ID + ansible.builtin.command: id -u openclaw + register: openclaw_uid + changed_when: false + when: ansible_os_family == 'Debian' and not ci_test + +- name: Display openclaw user ID + ansible.builtin.debug: + msg: "OpenClaw user ID: {{ openclaw_uid.stdout }}" + when: ansible_os_family == 'Debian' and not ci_test + +- name: Enable lingering for openclaw user (allows systemd user services without login) + ansible.builtin.command: loginctl enable-linger openclaw + changed_when: false + when: ansible_os_family == 'Debian' and not ci_test + +- name: Create runtime directory for openclaw user + ansible.builtin.file: + path: "/run/user/{{ openclaw_uid.stdout }}" + state: directory + owner: openclaw + group: openclaw + mode: '0700' + when: ansible_os_family == 'Debian' and not ci_test + +- name: Store openclaw UID as fact for later use + ansible.builtin.set_fact: + openclaw_uid_value: "{{ openclaw_uid.stdout }}" + when: ansible_os_family == 'Debian' and not ci_test + +# SSH key configuration +- name: Create .ssh directory for openclaw user + ansible.builtin.file: + path: "{{ openclaw_home }}/.ssh" + state: directory + owner: openclaw + group: openclaw + mode: '0700' + +- name: Add SSH authorized keys for openclaw user + ansible.posix.authorized_key: + user: openclaw + state: present + key: "{{ item }}" + loop: "{{ openclaw_ssh_keys }}" + when: openclaw_ssh_keys | length > 0 + +- name: Display SSH key configuration status + ansible.builtin.debug: + msg: "{{ openclaw_ssh_keys | length }} SSH key(s) configured for openclaw user" + when: openclaw_ssh_keys | length > 0 + +- name: Display SSH key warning if none configured + ansible.builtin.debug: + msg: "No SSH keys configured. Set 'openclaw_ssh_keys' variable to allow SSH access." 
+ when: openclaw_ssh_keys | length == 0 + +- name: Set XDG_RUNTIME_DIR in .bashrc for openclaw user + ansible.builtin.lineinfile: + path: /home/openclaw/.bashrc + line: 'export XDG_RUNTIME_DIR=/run/user/$(id -u)' + state: present + create: true + owner: openclaw + group: openclaw + mode: '0644' + when: ansible_os_family == 'Debian' and not ci_test + +- name: Set DBUS_SESSION_BUS_ADDRESS in .bashrc for openclaw user + ansible.builtin.blockinfile: + path: /home/openclaw/.bashrc + marker: "# {mark} ANSIBLE MANAGED BLOCK - DBus config" + block: | + # DBus session bus configuration + if [ -z "$DBUS_SESSION_BUS_ADDRESS" ]; then + if [ -f "${XDG_RUNTIME_DIR}/bus" ]; then + export DBUS_SESSION_BUS_ADDRESS="unix:path=${XDG_RUNTIME_DIR}/bus" + fi + fi + create: true + owner: openclaw + group: openclaw + mode: '0644' + when: ansible_os_family == 'Debian' and not ci_test diff --git a/roles/clawdbot/templates/daemon.json.j2 b/roles/openclaw/templates/daemon.json.j2 similarity index 100% rename from roles/clawdbot/templates/daemon.json.j2 rename to roles/openclaw/templates/daemon.json.j2 diff --git a/roles/clawdbot/templates/clawdbot-config.yml.j2 b/roles/openclaw/templates/openclaw-config.yml.j2 similarity index 86% rename from roles/clawdbot/templates/clawdbot-config.yml.j2 rename to roles/openclaw/templates/openclaw-config.yml.j2 index 98cfd33..aad95c4 100644 --- a/roles/clawdbot/templates/clawdbot-config.yml.j2 +++ b/roles/openclaw/templates/openclaw-config.yml.j2 @@ -1,7 +1,7 @@ -# Clawdbot Configuration Template +# OpenClaw Configuration Template # Generated by Ansible on {{ ansible_date_time.iso8601 }} # -# For full documentation, visit: https://docs.clawd.bot/configuration +# For full documentation, visit: https://docs.openclaw.ai/configuration # Connection Provider # Options: whatsapp, telegram, signal 
@@ -11,12 +11,12 @@ provider: whatsapp whatsapp: # Phone number in international format (e.g., +4366412345678) phone: "" - + # Telegram Configuration (if using telegram provider) telegram: # Telegram bot token from @BotFather token: "" - + # Signal Configuration (if using signal provider) signal: # Signal phone number @@ -26,22 +26,22 @@ signal: ai: # Model provider: anthropic, openai provider: anthropic - + # API Keys (set as environment variables or here) # anthropic_api_key: "" # openai_api_key: "" - + # Model selection model: claude-3-5-sonnet-20241022 - + # Max tokens per response max_tokens: 4096 # Gateway Settings gateway: # Port for web interface - port: {{ clawdbot_port }} - + port: {{ openclaw_port }} + # Enable web UI web_ui: true @@ -49,16 +49,16 @@ gateway: logging: # Log level: debug, info, warn, error level: info - + # Log file location - file: {{ clawdbot_config_dir }}/clawdbot.log + file: {{ openclaw_config_dir }}/openclaw.log # Security security: # Allowed phone numbers (whitelist) # Leave empty to allow all allowed_numbers: [] - + # Rate limiting rate_limit: enabled: true @@ -68,9 +68,9 @@ security: advanced: # Session timeout in minutes session_timeout: 60 - + # Auto-reconnect on disconnect auto_reconnect: true - + # Keep-alive interval in seconds keep_alive_interval: 30 diff --git a/roles/openclaw/templates/openclaw-host.service.j2 b/roles/openclaw/templates/openclaw-host.service.j2 new file mode 100644 index 0000000..b2226b8 --- /dev/null +++ b/roles/openclaw/templates/openclaw-host.service.j2 
@@ -0,0 +1,42 @@ +[Unit] +Description=OpenClaw AI Gateway +After=network.target docker.service +Requires=docker.service + +[Service] +Type=simple +User={{ openclaw_user }} +Group={{ openclaw_user }} +WorkingDirectory={{ openclaw_home }} + +# Environment variables +Environment="PNPM_HOME={{ openclaw_home }}/.local/share/pnpm" +Environment="PATH={{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" +Environment="HOME={{ openclaw_home }}" +Environment="XDG_RUNTIME_DIR=/run/user/{{ openclaw_uid_value }}" + +# DBus session bus +Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/{{ openclaw_uid_value }}/bus" + +# Start command +ExecStart=openclaw gateway + +# Restart policy +Restart=always +RestartSec=10 + +# Security hardening +NoNewPrivileges=true +PrivateTmp=true +ProtectSystem=strict +ProtectHome=read-only +ReadWritePaths={{ openclaw_home }}/.openclaw +ReadWritePaths={{ openclaw_home }}/.local + +# Logging +StandardOutput=journal +StandardError=journal +SyslogIdentifier=openclaw + +[Install] +WantedBy=multi-user.target diff --git a/roles/openclaw/templates/show-lobster.sh.j2 b/roles/openclaw/templates/show-lobster.sh.j2 new file mode 100644 index 0000000..66456be --- /dev/null +++ b/roles/openclaw/templates/show-lobster.sh.j2 
@@ -0,0 +1,42 @@ +#jinja2: lstrip_blocks: True +{% raw %}#!/bin/bash +cat << 'LOBSTER' +[0;36m + +====================================================+ + | | + | [0;33mWelcome to OpenClaw! [0;31m🦞[0;36m | + | | + |[0;31m ,.---._ [0;36m| + |[0;31m ,,,, / `, [0;36m| + |[0;31m \\\ / '\_ ; [0;36m| + |[0;31m |||| /\/``-.__\;' [0;36m| + |[0;31m ::::/\/_ [0;36m| + |[0;31m {{`-.__.-'(`(^^(^^^(^ 9 `.=========' [0;36m| + |[0;31m{{{{{{ { ( ( ( ( (-----:= [0;36m| + |[0;31m {{.-'~~'-.(,(,,(,,,(__6_.'=========. [0;36m| + |[0;31m ::::\/\ [0;36m| + |[0;31m |||| \/\ ,-'/, [0;36m| + |[0;31m //// \ `` _/ ; [0;36m| + |[0;31m '''' \ ` .' [0;36m| + |[0;31m `---' [0;36m| + | | + | [0;32m✅ Installation Successful![0;36m | + | | + +====================================================+[0m +LOBSTER + +echo "" +echo "🔒 Security Status:" +echo " - UFW Firewall: ENABLED" +{% endraw %} +{% if tailscale_enabled | default(false) %} +echo " - Open Ports: SSH (22) + Tailscale (41641/udp)" +{% else %} +echo " - Open Ports: SSH (22)" +{% endif %} +{% raw %} +echo " - Docker isolation: ACTIVE" +echo "" +echo "📚 Documentation: https://github.com/openclaw/openclaw-ansible" +echo "" +{% endraw %} diff --git a/roles/clawdbot/templates/vimrc.j2 b/roles/openclaw/templates/vimrc.j2 similarity index 100% rename from roles/clawdbot/templates/vimrc.j2 rename to roles/openclaw/templates/vimrc.j2 diff --git a/run-playbook.sh b/run-playbook.sh index c83b84f..cafeb2f 100755 --- a/run-playbook.sh +++ b/run-playbook.sh 
@@ -17,22 +17,21 @@ if [ $PLAYBOOK_EXIT -eq 0 ]; then echo "✅ INSTALLATION COMPLETE!" echo "═══════════════════════════════════════════════════════════" echo "" - echo "🔄 SWITCH TO CLAWDBOT USER with:" + echo "🔄 SWITCH TO OPENCLAW USER with:" echo "" - echo " sudo su - clawdbot" + echo " sudo su - openclaw" echo "" echo " OR (alternative):" echo "" - echo " sudo -u clawdbot -i" + echo " sudo -u openclaw -i" echo "" - echo "This will switch you to the clawdbot user with a proper" + echo "This will switch you to the openclaw user with a proper" echo "login shell (loads .bashrc, sets environment correctly)." echo "" echo "After switching, you'll see the next setup steps:" - echo " • Configure Clawdbot (~/.clawdbot/config.yml)" + echo " • Configure OpenClaw (~/.openclaw/config.yml)" echo " • Login to messaging provider (WhatsApp/Telegram/Signal)" echo " • Test the gateway" - echo " • Connect Tailscale VPN" echo "" echo "═══════════════════════════════════════════════════════════" echo "" diff --git a/tests/Dockerfile.ubuntu2404 b/tests/Dockerfile.ubuntu2404 new file mode 100644 index 0000000..6ce1438 --- /dev/null +++ b/tests/Dockerfile.ubuntu2404 @@ -0,0 +1,29 @@ +FROM ubuntu:24.04 + +ENV DEBIAN_FRONTEND=noninteractive + +# Install Ansible and dependencies +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + ansible \ + python3 \ + python3-apt \ + sudo \ + systemd \ + git \ + curl \ + ca-certificates \ + acl \ + gpg \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Copy project into container +COPY . /opt/ansible +WORKDIR /opt/ansible + +# Install Ansible Galaxy collections +RUN ansible-galaxy collection install -r requirements.yml + +# Default: run the test entrypoint +ENTRYPOINT ["bash", "tests/entrypoint.sh"] diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 0000000..6345004 --- /dev/null +++ b/tests/README.md 
@@ -0,0 +1,68 @@ +# Docker CI Test Harness + +This directory contains a Docker-based CI test harness for the Ansible playbook. It validates convergence, correctness, and idempotency by running the playbook inside an Ubuntu 24.04 container. + +## Quick Start + +```bash +# Run all tests +bash tests/run-tests.sh + +# Or specify a distro (currently only ubuntu2404 available) +bash tests/run-tests.sh ubuntu2404 +``` + +## Test Structure + +The test harness runs three sequential tests: + +1. **Convergence**: Runs the playbook with `ci_test=true` to verify it completes without errors +2. **Verification**: Runs `verify.yml` to assert the system is in the expected state +3. **Idempotency**: Runs the playbook a second time and verifies `changed=0` + +## Files + +- `Dockerfile.ubuntu2404` - Ubuntu 24.04 container with Ansible pre-installed +- `entrypoint.sh` - Test execution script (convergence → verification → idempotency) +- `verify.yml` - Post-convergence assertions (user exists, packages installed, directories created, etc.) +- `run-tests.sh` - Local test runner script + +## CI Test Mode + +The `ci_test` variable skips tasks that require: +- Docker-in-Docker (Docker CE installation) +- Kernel access (UFW/iptables firewall) +- systemd services (loginctl, daemon installation) +- External package installation (openclaw app install) + +Everything else runs normally: package installation, user creation, Node.js/pnpm setup, directory structure, config file rendering, etc. + +## What Gets Tested + +| Component | Tested? 
| Notes | +|-----------|---------|-------| +| System packages (35+) | ✅ Yes | Full apt install | +| User creation + config | ✅ Yes | User, .bashrc, sudoers, SSH dir | +| Node.js + pnpm | ✅ Yes | Full install + version check | +| Directory structure | ✅ Yes | All .openclaw/* dirs with perms | +| Git global config | ✅ Yes | Aliases, default branch | +| Vim config | ✅ Yes | Template rendering | +| Docker CE install | ❌ No | Needs Docker-in-Docker | +| UFW / iptables | ❌ No | Needs kernel access | +| fail2ban / systemd | ❌ No | Needs running systemd | +| Tailscale | ❌ No | Disabled by default already | +| OpenClaw app install | ❌ No | External package | +| Idempotency | ✅ Yes | Second run must have 0 changes | + +## Exit Codes + +- `0` - All tests passed +- `1` - Test failure (convergence failed, verification failed, or idempotency check failed) + +## Development + +To add tests for additional distributions: +1. Create `Dockerfile.` (e.g., `Dockerfile.debian12`) +2. Run: `bash tests/run-tests.sh ` + +The test harness automatically builds the image and runs the test suite. diff --git a/tests/entrypoint.sh b/tests/entrypoint.sh new file mode 100755 index 0000000..daba430 --- /dev/null +++ b/tests/entrypoint.sh 
@@ -0,0 +1,30 @@ +#!/usr/bin/env bash +set -euo pipefail + +PLAYBOOK_ARGS=(-e ci_test=true -e ansible_become=false --connection=local) + +# --- Step 1: Convergence --- +echo "===> Step 1: Convergence test" +ansible-playbook playbook.yml "${PLAYBOOK_ARGS[@]}" +echo "===> Convergence: PASSED" + +# --- Step 2: Verification --- +echo "===> Step 2: Verification" +ansible-playbook tests/verify.yml "${PLAYBOOK_ARGS[@]}" +echo "===> Verification: PASSED" + +# --- Step 3: Idempotency --- +echo "===> Step 3: Idempotency test" +IDEMPOTENCY_OUT=$(ansible-playbook playbook.yml "${PLAYBOOK_ARGS[@]}" 2>&1) +echo "$IDEMPOTENCY_OUT" + +CHANGED=$(echo "$IDEMPOTENCY_OUT" | tail -n 5 | grep -oP 'changed=\K[0-9]+' | head -1) +if [ "${CHANGED:-1}" -eq 0 ]; then + echo "===> Idempotency: PASSED (0 changed)" +else + echo "===> Idempotency: FAILED (changed=$CHANGED)" + exit 1 +fi + +echo "" +echo "===> All tests passed" diff --git a/tests/run-tests.sh b/tests/run-tests.sh new file mode 100755 index 0000000..f4eedf9 --- /dev/null +++ b/tests/run-tests.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +set -euo pipefail + +DISTRO="${1:-ubuntu2404}" +IMAGE="openclaw-ansible-test:${DISTRO}" + +echo "Building test image (${DISTRO})..." +docker build -t "$IMAGE" -f "tests/Dockerfile.${DISTRO}" . + +echo "Running tests..." +docker run --rm "$IMAGE" diff --git a/tests/verify.yml b/tests/verify.yml new file mode 100644 index 0000000..9b032bb --- /dev/null +++ b/tests/verify.yml 
@@ -0,0 +1,70 @@ +--- +- name: Verify playbook results + hosts: localhost + connection: local + gather_facts: true + + vars: + openclaw_user: openclaw + openclaw_home: /home/openclaw + + tasks: + - name: Verify openclaw user exists + ansible.builtin.command: id openclaw + changed_when: false + + - name: Verify critical packages installed + ansible.builtin.command: "dpkg -s {{ item }}" + loop: [git, curl, vim, jq, tmux, tree, htop] + changed_when: false + + - name: Verify Node.js installed + ansible.builtin.command: node --version + changed_when: false + + - name: Verify pnpm installed + ansible.builtin.command: pnpm --version + changed_when: false + + - name: Verify openclaw directory structure + ansible.builtin.stat: + path: "{{ item.path }}" + loop: + - { path: "{{ openclaw_home }}/.openclaw", mode: "0755" } + - { path: "{{ openclaw_home }}/.openclaw/sessions" } + - { path: "{{ openclaw_home }}/.openclaw/credentials", mode: "0700" } + - { path: "{{ openclaw_home }}/.openclaw/data" } + - { path: "{{ openclaw_home }}/.openclaw/logs" } + - { path: "{{ openclaw_home }}/.ssh", mode: "0700" } + register: dir_checks + + - name: Assert directories exist + ansible.builtin.assert: + that: item.stat.exists and item.stat.isdir + fail_msg: "Directory missing: {{ item.item.path }}" + loop: "{{ dir_checks.results }}" + loop_control: + label: "{{ item.item.path }}" + + - name: Assert credentials dir has restricted permissions + ansible.builtin.assert: + that: dir_checks.results[2].stat.mode == '0700' + fail_msg: "credentials dir should be 0700" + + - name: Verify sudoers file exists and is valid + ansible.builtin.command: visudo -cf /etc/sudoers.d/openclaw + changed_when: false + + - name: Verify global vim config exists + ansible.builtin.stat: + path: /etc/vim/vimrc.local + register: vimrc + - ansible.builtin.assert: + that: vimrc.stat.exists + + - name: Verify git global config + ansible.builtin.command: git config --global init.defaultBranch + changed_when: false + register: 
git_branch + - ansible.builtin.assert: + that: git_branch.stdout == 'main'
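Review bot: in roles/openclaw/tasks/system-tools-linux.yml, the single apt task installs `nmap`, `tcpdump`, `socat`, `netcat-openbsd`, `telnet`, `gdb`, `strace` and `build-essential` unconditionally, on a host the project overview describes as hardened. These packages are useful for debugging, but they also leave a scanner, a packet sniffer, a relay tool and a compiler available to anyone who gets a shell as the service user. Suggest splitting the list into a baseline set (editors, git, curl, jq and similar) and an opt-in debugging set gated by a variable that defaults to off, and documenting the trade-off next to the variable.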
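Review bot: in roles/openclaw/tasks/system-tools.yml, the "Configure git globally" task uses `scope: global` with no `become_user`, so the settings land in the `~/.gitconfig` of whichever account runs the task, not necessarily the openclaw user's. If the aliases are meant for the openclaw user, add `become_user: "{{ openclaw_user }}"`. If they are meant for every account, use `scope: system`. The comment "Common tasks for all operating systems" also contradicts the file header "Linux only" and should be aligned with it.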
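Review bot: in roles/openclaw/tasks/user.yml, the sudoers content grants more than its SECURITY NOTE claims. Three points on the rules as written. First, `/usr/bin/journalctl -u openclaw *` ends in a wildcard, so any further journalctl options can be appended and the "openclaw logs only" statement does not hold. Second, `journalctl` and `systemctl status` start a pager when run on a terminal, and under sudo that pager runs as root, which is wider than "manage the openclaw service". Third, every rule uses `(ALL)` as the run-as target where `(root)` is all that is needed. Suggest replacing the wildcard rules with fixed argument forms that include `--no-pager`, dropping the sudo rule for `systemctl status` if unprivileged status output is sufficient, and narrowing the run-as spec. The in-file note about `tailscale up *` accepting flags such as `--advertise-exit-node` is accurate, but the same caveat belongs in the summary comment at the top of the file, because that is the text an operator will read when judging the blast radius.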
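Review bot: in roles/openclaw/templates/openclaw-host.service.j2, `ExecStart=openclaw gateway` uses a bare executable name. systemd resolves a non-absolute ExecStart against its own fixed search path, not against the `Environment="PATH=..."` line in the same unit, so a binary installed under `{{ openclaw_home }}/.local/share/pnpm` or `{{ openclaw_home }}/.local/bin` will not be found. Use the absolute path to the installed binary. Separately, `ReadWritePaths={{ openclaw_home }}/.local` makes the directory that sits first in the unit's PATH (and in the .bashrc PATH from user.yml) writable by the service itself, which undercuts `ProtectHome=read-only`. Consider limiting the writable paths to the data directories under `.openclaw` and keeping executables in a location the service cannot modify.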
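Review bot: in roles/openclaw/templates/show-lobster.sh.j2, the "Security Status" block prints `UFW Firewall: ENABLED` and `Docker isolation: ACTIVE` as fixed strings. Nothing in the script checks the firewall or the Docker configuration, so the banner reports a hardened state even when those tasks were skipped or failed (the test README in this same patch lists UFW and Docker as skipped under `ci_test`). Either derive the lines from real checks at run time, or template them from the same variables that gate the tasks, as is already done for the Tailscale port line.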
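Review bot: in tests/Dockerfile.ubuntu2404, `COPY . /opt/ansible` copies the entire build context into the image, and tests/run-tests.sh builds with `.` as the context. The patch adds secret patterns to .gitignore, but Docker does not read .gitignore, so a local `.vault_pass`, `.env` file or private key in the working tree ends up in an image layer. Add a `.dockerignore` that mirrors the secret patterns (and excludes `.git`), or copy only the paths the tests need. The base image is also referenced by the mutable tag `ubuntu:24.04`. Pin it by digest if reproducible CI runs matter.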
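Review bot: in tests/entrypoint.sh, Step 3 interacts badly with `set -euo pipefail`. If the second `ansible-playbook` run fails, the assignment `IDEMPOTENCY_OUT=$(...)` aborts the script before `echo "$IDEMPOTENCY_OUT"` runs, so the captured output that explains the failure is never printed. Likewise, if `grep -oP` finds no `changed=` match, the pipeline fails under pipefail and the script exits silently, which makes the `${CHANGED:-1}` fallback unreachable. Suggest capturing with `|| true` (or an explicit `if ! ...; then` branch) and printing the output before deciding, so both failure modes end in a clear "Idempotency: FAILED" message. Note also that `head -1` only inspects the first host line of the recap, which is fine for localhost but should be stated in a comment.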
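Review bot: in tests/verify.yml, the permission check is tied to list position: `dir_checks.results[2].stat.mode == '0700'` silently tests the wrong directory if the loop list is reordered or extended. The `mode` keys given for `.openclaw` (0755) and `.ssh` (0700) are never asserted at all. Fold the check into the existing "Assert directories exist" loop, comparing `item.stat.mode` with `item.item.mode` when a mode is defined. The sudoers task only runs `visudo -cf`, which proves the syntax is valid but not that the file is owned by root with mode 0440 or that it contains the scoped rules, so add a `stat` assertion for owner and mode at minimum. The two bare `- ansible.builtin.assert:` tasks should also get a `name:` so failures are identifiable in the output.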