fix: apply all missing bug fixes and improvements from PR #16

Complete functional parity with PR #16 while preserving openclaw naming. Initial fixes (7): - Add home directory ownership fix to prevent permission errors - Move .bashrc configuration from system-tools to user.yml - Add ci_test conditionals to all systemd-related tasks - Fix binary path resolution (use PATH instead of hardcoded paths) - Remove all Homebrew path references - Update pnpm installation to use idempotent check-first approach - Change apt upgrade to use ci_test conditional Additional fixes from comprehensive double-check (7): - Use ansible.builtin.authorized_key instead of ansible.posix - Remove ansible.posix collection dependency from requirements.yml - Remove "Connect Tailscale VPN" from completion message (now optional) - Add comprehensive security entries to .gitignore - Add network interface validation in firewall configuration - Improve pnpm config idempotency with proper change detection - Add install_mode validation with clear error messages Files modified: 12 - .gitignore: Added security-related ignore patterns - playbook.yml: Fixed apt upgrade conditional - requirements.yml: Removed ansible.posix dependency - run-playbook.sh: Removed optional Tailscale from completion - roles/openclaw/tasks/user.yml: Multiple critical fixes - roles/openclaw/tasks/system-tools-linux.yml: Removed .bashrc config - roles/openclaw/tasks/firewall-linux.yml: Added validation - roles/openclaw/tasks/nodejs.yml: Improved pnpm check - roles/openclaw/tasks/openclaw.yml: Added validation and idempotency - roles/openclaw/tasks/openclaw-release.yml: Fixed paths - roles/openclaw/tasks/openclaw-development.yml: Fixed paths - roles/openclaw/templates/openclaw-host.service.j2: Fixed PATH and ExecStart All functional changes from PR #16 are now incorporated with correct openclaw naming throughout. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-10 09:45:41 -06:00 · 2026-02-10 09:45:41 -06:00 · 1f552e482c
commit 1f552e482c
parent 42a882b87b
12 changed files with 107 additions and 54 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,14 @@
 *.log
 .ansible/
 .vault_pass
+
+# Secrets and credentials
+*.env
+.env*
+secrets.yml
+vault.yml
+*.pem
+*.key
+id_rsa*
+host_vars/
+group_vars/
--- a/playbook.yml
+++ b/playbook.yml
@ -41,9 +41,8 @@
        update_cache: true
        upgrade: dist
        cache_valid_time: 3600
-      when: is_debian
+      when: is_debian and not ci_test
      register: apt_upgrade_result
-      ignore_errors: true

    - name: Display apt upgrade results
      ansible.builtin.debug:
--- a/requirements.yml
+++ b/requirements.yml
@ -4,5 +4,3 @@ collections:
    version: ">=3.4.0"
  - name: community.general
    version: ">=8.0.0"
-  - name: ansible.posix
-    version: ">=1.5.0"
--- a/roles/openclaw/tasks/firewall-linux.yml
+++ b/roles/openclaw/tasks/firewall-linux.yml
@ -114,6 +114,14 @@
  register: default_interface
  changed_when: false

+- name: Validate default network interface was detected
+  ansible.builtin.assert:
+    that:
+      - default_interface.stdout is defined
+      - default_interface.stdout | length > 0
+    fail_msg: "Failed to detect default network interface. Cannot configure firewall rules safely."
+    success_msg: "Default network interface detected: {{ default_interface.stdout }}"
+
 - name: Create UFW after.rules for Docker isolation
  ansible.builtin.blockinfile:
    path: /etc/ufw/after.rules
--- a/roles/openclaw/tasks/nodejs.yml
+++ b/roles/openclaw/tasks/nodejs.yml
@ -42,10 +42,15 @@
    name: nodejs
    state: present

+- name: Check if pnpm is already installed
+  ansible.builtin.command: pnpm --version
+  register: pnpm_check
+  failed_when: false
+  changed_when: false
+
 - name: Install pnpm globally
  ansible.builtin.command: npm install -g pnpm
-  args:
-    creates: /usr/local/bin/pnpm
+  when: pnpm_check.rc != 0

 - name: Verify Node.js installation
  ansible.builtin.command: node --version
--- a/roles/openclaw/tasks/openclaw-development.yml
+++ b/roles/openclaw/tasks/openclaw-development.yml
@ -49,7 +49,7 @@
  become_user: "{{ openclaw_user }}"
  environment:
    PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm"
-    PATH: "{{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
+    PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin"
    HOME: "{{ openclaw_home }}"
  register: pnpm_install_result
  changed_when: "'Already up to date' not in pnpm_install_result.stdout"
@ -63,7 +63,7 @@
  become_user: "{{ openclaw_user }}"
  environment:
    PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm"
-    PATH: "{{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
+    PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin"
    HOME: "{{ openclaw_home }}"
  register: pnpm_build_result
  changed_when: true  # Build always changes dist/ directory
@ -106,12 +106,14 @@

 - name: Verify openclaw installation from development build
  ansible.builtin.shell:
-    cmd: "{{ openclaw_home }}/.local/bin/openclaw --version"
+    cmd: openclaw --version
    executable: /bin/bash
  become: true
  become_user: "{{ openclaw_user }}"
  environment:
-    PATH: "{{ openclaw_home }}/.local/bin:/usr/local/bin:/usr/bin:/bin"
+    PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm"
+    PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin"
+    HOME: "{{ openclaw_home }}"
  register: openclaw_dev_version
  changed_when: false

--- a/roles/openclaw/tasks/openclaw-release.yml
+++ b/roles/openclaw/tasks/openclaw-release.yml
@ -9,17 +9,21 @@
  become_user: "{{ openclaw_user }}"
  environment:
    PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm"
-    PATH: "{{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin"
+    PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin"
    HOME: "{{ openclaw_home }}"
  register: openclaw_install
  changed_when: "'Already up to date' not in openclaw_install.stdout"

 - name: Verify openclaw installation
  ansible.builtin.shell:
-    cmd: "{{ openclaw_home }}/.local/bin/openclaw --version"
+    cmd: openclaw --version
    executable: /bin/bash
  become: true
  become_user: "{{ openclaw_user }}"
+  environment:
+    PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm"
+    PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin"
+    HOME: "{{ openclaw_home }}"
  register: openclaw_version
  changed_when: false

--- a/roles/openclaw/tasks/openclaw.yml
+++ b/roles/openclaw/tasks/openclaw.yml
@ -1,4 +1,11 @@
 ---
+- name: Validate openclaw_install_mode
+  ansible.builtin.assert:
+    that:
+      - openclaw_install_mode in ["release", "development"]
+    fail_msg: "Invalid openclaw_install_mode: '{{ openclaw_install_mode }}'. Must be 'release' or 'development'."
+    success_msg: "Valid install mode: {{ openclaw_install_mode }}"
+
 - name: Create OpenClaw directories (structure only, no config files)
  ansible.builtin.file:
    path: "{{ item.path }}"
@ -37,12 +44,24 @@
 - name: Configure pnpm for openclaw user
  ansible.builtin.shell:
    cmd: |
-      pnpm config set global-dir {{ openclaw_home }}/.local/share/pnpm
-      pnpm config set global-bin-dir {{ openclaw_home }}/.local/bin
+      CURRENT_GLOBAL_DIR=$(pnpm config get global-dir 2>/dev/null || echo "")
+      CURRENT_BIN_DIR=$(pnpm config get global-bin-dir 2>/dev/null || echo "")
+      CHANGED=0
+      if [ "$CURRENT_GLOBAL_DIR" != "{{ openclaw_home }}/.local/share/pnpm" ]; then
+        pnpm config set global-dir {{ openclaw_home }}/.local/share/pnpm
+        CHANGED=1
+      fi
+      if [ "$CURRENT_BIN_DIR" != "{{ openclaw_home }}/.local/bin" ]; then
+        pnpm config set global-bin-dir {{ openclaw_home }}/.local/bin
+        CHANGED=1
+      fi
+      exit $CHANGED
    executable: /bin/bash
  become: true
  become_user: "{{ openclaw_user }}"
-  changed_when: true  # Always consider changed as pnpm config may update
+  register: pnpm_config_result
+  changed_when: pnpm_config_result.rc == 1
+  failed_when: pnpm_config_result.rc > 1

 - name: Display installation mode
  ansible.builtin.debug:
--- a/roles/openclaw/tasks/system-tools-linux.yml
+++ b/roles/openclaw/tasks/system-tools-linux.yml
@ -51,29 +51,3 @@
    owner: root
    group: root
    mode: '0644'
-
- name: Configure .bashrc for openclaw user (Linux)
-  ansible.builtin.blockinfile:
-    path: "{{ openclaw_home }}/.bashrc"
-    marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw config"
-    block: |
-      # Enable 256 colors
-      export TERM=xterm-256color
-      export COLORTERM=truecolor
-
-      # Add pnpm to PATH
-      export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm"
-      export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH"
-
-      # Color support for common tools
-      export CLICOLOR=1
-      export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43'
-
-      # Aliases
-      alias ls='ls --color=auto'
-      alias grep='grep --color=auto'
-      alias ll='ls -lah'
-    create: true
-    owner: "{{ openclaw_user }}"
-    group: "{{ openclaw_user }}"
-    mode: '0644'
--- a/roles/openclaw/tasks/user.yml
+++ b/roles/openclaw/tasks/user.yml
@ -9,6 +9,40 @@
    home: /home/openclaw
    state: present

+- name: Ensure openclaw home directory has correct ownership
+  ansible.builtin.file:
+    path: "{{ openclaw_home }}"
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    state: directory
+    mode: '0755'
+
+- name: Configure .bashrc for openclaw user
+  ansible.builtin.blockinfile:
+    path: "{{ openclaw_home }}/.bashrc"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw config"
+    block: |
+      # Enable 256 colors
+      export TERM=xterm-256color
+      export COLORTERM=truecolor
+
+      # Add pnpm to PATH
+      export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm"
+      export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH"
+
+      # Color support for common tools
+      export CLICOLOR=1
+      export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43'
+
+      # Aliases
+      alias ls='ls --color=auto'
+      alias grep='grep --color=auto'
+      alias ll='ls -lah'
+    create: true
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    mode: '0644'
+
 - name: Add openclaw user to sudoers with scoped NOPASSWD
  ansible.builtin.copy:
    dest: /etc/sudoers.d/openclaw
@ -78,17 +112,17 @@
  ansible.builtin.command: id -u openclaw
  register: openclaw_uid
  changed_when: false
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test

 - name: Display openclaw user ID
  ansible.builtin.debug:
    msg: "OpenClaw user ID: {{ openclaw_uid.stdout }}"
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test

 - name: Enable lingering for openclaw user (allows systemd user services without login)
  ansible.builtin.command: loginctl enable-linger openclaw
  changed_when: false
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test

 - name: Create runtime directory for openclaw user
  ansible.builtin.file:
@ -97,12 +131,12 @@
    owner: openclaw
    group: openclaw
    mode: '0700'
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test

 - name: Store openclaw UID as fact for later use
  ansible.builtin.set_fact:
    openclaw_uid_value: "{{ openclaw_uid.stdout }}"
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test

 # SSH key configuration
 - name: Create .ssh directory for openclaw user
@ -114,7 +148,7 @@
    mode: '0700'

 - name: Add SSH authorized keys for openclaw user
-  ansible.posix.authorized_key:
+  ansible.builtin.authorized_key:
    user: openclaw
    state: present
    key: "{{ item }}"
@ -140,7 +174,7 @@
    owner: openclaw
    group: openclaw
    mode: '0644'
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test

 - name: Set DBUS_SESSION_BUS_ADDRESS in .bashrc for openclaw user
  ansible.builtin.blockinfile:
@ -157,4 +191,4 @@
    owner: openclaw
    group: openclaw
    mode: '0644'
-  when: ansible_os_family == 'Debian'
+  when: ansible_os_family == 'Debian' and not ci_test
--- a/roles/openclaw/templates/openclaw-host.service.j2
+++ b/roles/openclaw/templates/openclaw-host.service.j2
@ -10,16 +10,16 @@ Group={{ openclaw_user }}
 WorkingDirectory={{ openclaw_home }}

 # Environment variables
-Environment="PATH={{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/usr/local/bin:/usr/bin:/bin"
 Environment="PNPM_HOME={{ openclaw_home }}/.local/share/pnpm"
+Environment="PATH={{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin"
 Environment="HOME={{ openclaw_home }}"
-Environment="XDG_RUNTIME_DIR=/run/user/{{ openclaw_uid_value | default('1000') }}"
+Environment="XDG_RUNTIME_DIR=/run/user/{{ openclaw_uid_value }}"

 # DBus session bus
-Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/{{ openclaw_uid_value | default('1000') }}/bus"
+Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/{{ openclaw_uid_value }}/bus"

 # Start command
-ExecStart={{ openclaw_home }}/.local/bin/openclaw gateway
+ExecStart=openclaw gateway

 # Restart policy
 Restart=always
--- a/run-playbook.sh
+++ b/run-playbook.sh
@ -32,7 +32,6 @@ if [ $PLAYBOOK_EXIT -eq 0 ]; then
    echo "  • Configure OpenClaw (~/.openclaw/config.yml)"
    echo "  • Login to messaging provider (WhatsApp/Telegram/Signal)"
    echo "  • Test the gateway"
-    echo "  • Connect Tailscale VPN"
    echo ""
    echo "═══════════════════════════════════════════════════════════"
    echo ""