diff --git a/.gitignore b/.gitignore index 8cb8bac..de86135 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,14 @@ *.log .ansible/ .vault_pass + +# Secrets and credentials +*.env +.env* +secrets.yml +vault.yml +*.pem +*.key +id_rsa* +host_vars/ +group_vars/ diff --git a/playbook.yml b/playbook.yml index ad1f408..17d9863 100644 --- a/playbook.yml +++ b/playbook.yml @@ -41,9 +41,8 @@ update_cache: true upgrade: dist cache_valid_time: 3600 - when: is_debian + when: is_debian and not ci_test register: apt_upgrade_result - ignore_errors: true - name: Display apt upgrade results ansible.builtin.debug: diff --git a/requirements.yml b/requirements.yml index 833acf2..90621cf 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,5 +4,3 @@ collections: version: ">=3.4.0" - name: community.general version: ">=8.0.0" - - name: ansible.posix - version: ">=1.5.0" diff --git a/roles/openclaw/tasks/firewall-linux.yml b/roles/openclaw/tasks/firewall-linux.yml index 7ed1570..068b4a5 100644 --- a/roles/openclaw/tasks/firewall-linux.yml +++ b/roles/openclaw/tasks/firewall-linux.yml @@ -114,6 +114,14 @@ register: default_interface changed_when: false +- name: Validate default network interface was detected + ansible.builtin.assert: + that: + - default_interface.stdout is defined + - default_interface.stdout | length > 0 + fail_msg: "Failed to detect default network interface. Cannot configure firewall rules safely." + success_msg: "Default network interface detected: {{ default_interface.stdout }}" + - name: Create UFW after.rules for Docker isolation ansible.builtin.blockinfile: path: /etc/ufw/after.rules diff --git a/roles/openclaw/tasks/nodejs.yml b/roles/openclaw/tasks/nodejs.yml index f094d9a..8c1ecf4 100644 --- a/roles/openclaw/tasks/nodejs.yml +++ b/roles/openclaw/tasks/nodejs.yml 
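Review bot: Ignoring `host_vars/` and `group_vars/` wholesale (the last two added lines) hides all inventory configuration, not just secrets, and a `.gitignore` entry does nothing for files that are already tracked or already in history. Keep those directories under version control and put the sensitive values in ansible-vault files — the existing `.vault_pass` entry suggests vault is already in use — e.g. an encrypted `group_vars/all/vault.yml` rather than an untracked directory. `.env*` is also broader than it looks and will swallow `.envrc` and similar tooling files; `*.env`, `.env` and `.env.*` is more precise. The control that actually stops a credential landing in the repo is a pre-commit secret scanner, not the ignore list.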
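Review bot: The new condition `when: is_debian and not ci_test` raises "'ci_test' is undefined" on any run that does not set the variable, so the default invocation now errors instead of upgrading. Guard the flag with a default, `when: is_debian and not (ci_test | default(false))`, or declare `ci_test: false` in the role defaults so the upgrade path is the one that runs when nothing is passed. Dropping `ignore_errors: true` is the right call — a failed dist-upgrade should stop the play rather than carry on onto a host in an unknown patch state. The apt task's `name:` and module lines are above the hunk.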
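Review bot: The new assert only checks that `default_interface.stdout` is non-empty; if that value is interpolated into the UFW `after.rules` block that the next task begins (its body is outside the hunk), command output should be constrained to a single well-formed interface name before it lands in iptables rules. Add `default_interface.stdout_lines | length == 1` so a host with two default routes does not produce a rule with an embedded newline, and `default_interface.stdout is match('^[A-Za-z0-9_.:-]+$')` so only an interface-shaped token is written. The command that registers `default_interface` is above the hunk, so I can't tell how it parses the route table. `success_msg` printing the name is fine, just noisy in CI logs.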
@@ -42,10 +42,15 @@ name: nodejs state: present +- name: Check if pnpm is already installed + ansible.builtin.command: pnpm --version + register: pnpm_check + failed_when: false + changed_when: false + - name: Install pnpm globally ansible.builtin.command: npm install -g pnpm - args: - creates: /usr/local/bin/pnpm + when: pnpm_check.rc != 0 - name: Verify Node.js installation ansible.builtin.command: node --version diff --git a/roles/openclaw/tasks/openclaw-development.yml b/roles/openclaw/tasks/openclaw-development.yml index a7b5c93..653c345 100644 --- a/roles/openclaw/tasks/openclaw-development.yml +++ b/roles/openclaw/tasks/openclaw-development.yml @@ -49,7 +49,7 @@ become_user: "{{ openclaw_user }}" environment: PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" - PATH: "{{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" HOME: "{{ openclaw_home }}" register: pnpm_install_result changed_when: "'Already up to date' not in pnpm_install_result.stdout" @@ -63,7 +63,7 @@ become_user: "{{ openclaw_user }}" environment: PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" - PATH: "{{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" HOME: "{{ openclaw_home }}" register: pnpm_build_result changed_when: true # Build always changes dist/ directory 
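Review bot: `npm install -g pnpm` still installs whatever the registry currently tags as latest, as root, with no version pin — and the new `pnpm --version` gate means that version is also never refreshed, so hosts provisioned weeks apart get different pnpm builds with no record of which. Pin it through a role variable, `ansible.builtin.command: npm install -g "pnpm@{{ pnpm_version }}"`, and compare `pnpm_check.stdout` against that version in the `when` so upgrades are explicit rather than impossible. If the installed Node supports it, Corepack (`corepack enable && corepack prepare pnpm@<ver> --activate`) ships with Node and verifies package integrity, which removes the unpinned global npm install entirely. The Node install task above the hunk is outside my view.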
@@ -106,12 +106,14 @@ - name: Verify openclaw installation from development build ansible.builtin.shell: - cmd: "{{ openclaw_home }}/.local/bin/openclaw --version" + cmd: openclaw --version executable: /bin/bash become: true become_user: "{{ openclaw_user }}" environment: - PATH: "{{ openclaw_home }}/.local/bin:/usr/local/bin:/usr/bin:/bin" + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" register: openclaw_dev_version changed_when: false diff --git a/roles/openclaw/tasks/openclaw-release.yml b/roles/openclaw/tasks/openclaw-release.yml index 8bdc0d7..76aaef8 100644 --- a/roles/openclaw/tasks/openclaw-release.yml +++ b/roles/openclaw/tasks/openclaw-release.yml @@ -9,17 +9,21 @@ become_user: "{{ openclaw_user }}" environment: PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" - PATH: "{{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" HOME: "{{ openclaw_home }}" register: openclaw_install changed_when: "'Already up to date' not in openclaw_install.stdout" - name: Verify openclaw installation ansible.builtin.shell: - cmd: "{{ openclaw_home }}/.local/bin/openclaw --version" + cmd: openclaw --version executable: /bin/bash become: true become_user: "{{ openclaw_user }}" + environment: + PNPM_HOME: "{{ openclaw_home }}/.local/share/pnpm" + PATH: "{{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" + HOME: "{{ openclaw_home }}" register: openclaw_version changed_when: false diff --git a/roles/openclaw/tasks/openclaw.yml b/roles/openclaw/tasks/openclaw.yml index 523feed..7e51164 100644 --- a/roles/openclaw/tasks/openclaw.yml +++ b/roles/openclaw/tasks/openclaw.yml 
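Review bot: Changing the verify command from `{{ openclaw_home }}/.local/bin/openclaw --version` to a bare `openclaw --version` weakens the check: it now succeeds for any `openclaw` found on the constructed PATH, including a stale copy in `/usr/local/bin`, so it no longer proves the development build landed where the service expects it. If the goal is to mirror the runtime environment, keep the absolute path, or add `command -v openclaw` to the shell and assert the result starts with `{{ openclaw_home }}`. The same change is applied to the release verification in this commit.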
@@ -1,4 +1,11 @@ --- +- name: Validate openclaw_install_mode + ansible.builtin.assert: + that: + - openclaw_install_mode in ["release", "development"] + fail_msg: "Invalid openclaw_install_mode: '{{ openclaw_install_mode }}'. Must be 'release' or 'development'." + success_msg: "Valid install mode: {{ openclaw_install_mode }}" + - name: Create OpenClaw directories (structure only, no config files) ansible.builtin.file: path: "{{ item.path }}" @@ -37,12 +44,24 @@ - name: Configure pnpm for openclaw user ansible.builtin.shell: cmd: | - pnpm config set global-dir {{ openclaw_home }}/.local/share/pnpm - pnpm config set global-bin-dir {{ openclaw_home }}/.local/bin + CURRENT_GLOBAL_DIR=$(pnpm config get global-dir 2>/dev/null || echo "") + CURRENT_BIN_DIR=$(pnpm config get global-bin-dir 2>/dev/null || echo "") + CHANGED=0 + if [ "$CURRENT_GLOBAL_DIR" != "{{ openclaw_home }}/.local/share/pnpm" ]; then + pnpm config set global-dir {{ openclaw_home }}/.local/share/pnpm + CHANGED=1 + fi + if [ "$CURRENT_BIN_DIR" != "{{ openclaw_home }}/.local/bin" ]; then + pnpm config set global-bin-dir {{ openclaw_home }}/.local/bin + CHANGED=1 + fi + exit $CHANGED executable: /bin/bash become: true become_user: "{{ openclaw_user }}" - changed_when: true # Always consider changed as pnpm config may update + register: pnpm_config_result + changed_when: pnpm_config_result.rc == 1 + failed_when: pnpm_config_result.rc > 1 - name: Display installation mode ansible.builtin.debug: diff --git a/roles/openclaw/tasks/system-tools-linux.yml b/roles/openclaw/tasks/system-tools-linux.yml index 6daa940..712952f 100644 --- a/roles/openclaw/tasks/system-tools-linux.yml +++ b/roles/openclaw/tasks/system-tools-linux.yml 
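Review bot: The new assert errors with a raw "'openclaw_install_mode' is undefined" instead of the friendly `fail_msg` when the variable is unset, because the `that` expression itself dereferences it. Write the test as `openclaw_install_mode | default('') in ["release", "development"]`, or add `openclaw_install_mode is defined` as the first `that` entry, so the failure message is the one you wrote. Worth confirming those two values are the exhaustive set the rest of the role branches on.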
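Review bot: In the rewritten shell block a failing `pnpm config set` is silently swallowed: the script keeps going, `exit $CHANGED` reports `changed` (rc 1) or `ok` (rc 0), and `failed_when: pnpm_config_result.rc > 1` never fires. Make each set fail the task explicitly, `pnpm config set global-dir "{{ openclaw_home }}/.local/share/pnpm" || exit 2` and the same for `global-bin-dir`, which also quotes the interpolated home path. Encoding "changed" in the exit status works but is unusual; registering the two `pnpm config get` values in a preceding task and using a plain `changed_when` comparison would read better. The task's `environment:` (if any) is outside the hunk, so I can't tell which PATH `pnpm` resolves from here.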
@@ -51,29 +51,3 @@ owner: root group: root mode: '0644' - -- name: Configure .bashrc for openclaw user (Linux) - ansible.builtin.blockinfile: - path: "{{ openclaw_home }}/.bashrc" - marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw config" - block: | - # Enable 256 colors - export TERM=xterm-256color - export COLORTERM=truecolor - - # Add pnpm to PATH - export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm" - export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH" - - # Color support for common tools - export CLICOLOR=1 - export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43' - - # Aliases - alias ls='ls --color=auto' - alias grep='grep --color=auto' - alias ll='ls -lah' - create: true - owner: "{{ openclaw_user }}" - group: "{{ openclaw_user }}" - mode: '0644' diff --git a/roles/openclaw/tasks/user.yml b/roles/openclaw/tasks/user.yml index e07ffd3..97d1df2 100644 --- a/roles/openclaw/tasks/user.yml +++ b/roles/openclaw/tasks/user.yml 
@@ -9,6 +9,40 @@ home: /home/openclaw state: present +- name: Ensure openclaw home directory has correct ownership + ansible.builtin.file: + path: "{{ openclaw_home }}" + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + state: directory + mode: '0755' + +- name: Configure .bashrc for openclaw user + ansible.builtin.blockinfile: + path: "{{ openclaw_home }}/.bashrc" + marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw config" + block: | + # Enable 256 colors + export TERM=xterm-256color + export COLORTERM=truecolor + + # Add pnpm to PATH + export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm" + export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH" + + # Color support for common tools + export CLICOLOR=1 + export LS_COLORS='di=34:ln=35:so=32:pi=33:ex=31:bd=34;46:cd=34;43:su=30;41:sg=30;46:tw=30;42:ow=30;43' + + # Aliases + alias ls='ls --color=auto' + alias grep='grep --color=auto' + alias ll='ls -lah' + create: true + owner: "{{ openclaw_user }}" + group: "{{ openclaw_user }}" + mode: '0644' + - name: Add openclaw user to sudoers with scoped NOPASSWD ansible.builtin.copy: dest: /etc/sudoers.d/openclaw @@ -78,17 +112,17 @@ ansible.builtin.command: id -u openclaw register: openclaw_uid changed_when: false - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test - name: Display openclaw user ID ansible.builtin.debug: msg: "OpenClaw user ID: {{ openclaw_uid.stdout }}" - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test - name: Enable lingering for openclaw user (allows systemd user services without login) ansible.builtin.command: loginctl enable-linger openclaw changed_when: false - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test - name: Create runtime directory for openclaw user ansible.builtin.file: 
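Review bot: The new ownership task sets the openclaw home directory to `mode: '0755'`, making it world-traversable, while the `.ssh` directory and — per this commit's `run-playbook.sh` text — the provider credentials in `~/.openclaw/config.yml` live under it. `mode: '0750'` keeps the service working and denies other local accounts a path into the directory, leaving per-file modes as a second layer rather than the only one. The `.bashrc` block is moved here from `system-tools-linux.yml` with its content unchanged, so nothing further on that part.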
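Review bot: `ansible_os_family == 'Debian' and not ci_test` is now repeated verbatim on every logind/systemd-related task in this file (three in this hunk, more below), and with `ci_test` undefined each one raises an undefined-variable error rather than skipping. Compute it once — `openclaw_manage_logind: "{{ ansible_os_family == 'Debian' and not (ci_test | default(false)) }}"` in `set_fact` or the role defaults — and wrap the tasks in a `block:` with a single `when: openclaw_manage_logind`. Separately, `loginctl enable-linger` is marked `changed_when: false` although it creates the linger file under `/var/lib/systemd/linger/`; that line is context here, so just flagging it.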
@@ -97,12 +131,12 @@ owner: openclaw group: openclaw mode: '0700' - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test - name: Store openclaw UID as fact for later use ansible.builtin.set_fact: openclaw_uid_value: "{{ openclaw_uid.stdout }}" - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test # SSH key configuration - name: Create .ssh directory for openclaw user @@ -114,7 +148,7 @@ mode: '0700' - name: Add SSH authorized keys for openclaw user - ansible.posix.authorized_key: + ansible.builtin.authorized_key: user: openclaw state: present key: "{{ item }}" @@ -140,7 +174,7 @@ owner: openclaw group: openclaw mode: '0644' - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test - name: Set DBUS_SESSION_BUS_ADDRESS in .bashrc for openclaw user ansible.builtin.blockinfile: @@ -157,4 +191,4 @@ owner: openclaw group: openclaw mode: '0644' - when: ansible_os_family == 'Debian' + when: ansible_os_family == 'Debian' and not ci_test diff --git a/roles/openclaw/templates/openclaw-host.service.j2 b/roles/openclaw/templates/openclaw-host.service.j2 index a39c182..b2226b8 100644 --- a/roles/openclaw/templates/openclaw-host.service.j2 +++ b/roles/openclaw/templates/openclaw-host.service.j2 
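Review bot: `openclaw_uid_value` is now set only when `not ci_test`, and this commit also removes the `| default('1000')` fallback from `openclaw-host.service.j2`, so any run that renders the unit with `ci_test` true fails on an undefined variable. Rather than shelling out to `id -u`, register the `ansible.builtin.user` task earlier in this file (`register: openclaw_user_result`) and set `openclaw_uid_value: "{{ openclaw_user_result.uid }}"` unconditionally — the module returns `uid` on every OS family, so the fact is always defined. Where the unit template is rendered is outside this diff, so the ordering is inferred.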
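Review bot: `ansible.builtin.authorized_key` is not a module that ships in ansible-core; as far as I know it is only a compatibility redirect to `ansible.posix.authorized_key`, and this commit simultaneously drops `ansible.posix` from `requirements.yml`. On a controller with bare ansible-core (no `ansible` community package) the task that installs the openclaw user's SSH keys will therefore fail to resolve — a loud failure, which is the better mode, but still a broken provisioning path. Either keep `ansible.posix` in `requirements.yml` with the explicit `ansible.posix.authorized_key` FQCN, or drop the collection dependency by writing `.ssh/authorized_keys` with `ansible.builtin.copy` (`mode: '0600'`, `content: "{{ openclaw_ssh_keys | join('\n') }}\n"`).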
@@ -10,16 +10,16 @@ Group={{ openclaw_user }} WorkingDirectory={{ openclaw_home }} # Environment variables -Environment="PATH={{ openclaw_home }}/.local/bin:/home/linuxbrew/.linuxbrew/bin:/usr/local/bin:/usr/bin:/bin" Environment="PNPM_HOME={{ openclaw_home }}/.local/share/pnpm" +Environment="PATH={{ openclaw_home }}/.local/bin:{{ openclaw_home }}/.local/share/pnpm:/usr/local/bin:/usr/bin:/bin" Environment="HOME={{ openclaw_home }}" -Environment="XDG_RUNTIME_DIR=/run/user/{{ openclaw_uid_value | default('1000') }}" +Environment="XDG_RUNTIME_DIR=/run/user/{{ openclaw_uid_value }}" # DBus session bus -Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/{{ openclaw_uid_value | default('1000') }}/bus" +Environment="DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/{{ openclaw_uid_value }}/bus" # Start command -ExecStart={{ openclaw_home }}/.local/bin/openclaw gateway +ExecStart=openclaw gateway # Restart policy Restart=always diff --git a/run-playbook.sh b/run-playbook.sh index b7869d4..cafeb2f 100755 --- a/run-playbook.sh +++ b/run-playbook.sh @@ -32,7 +32,6 @@ if [ $PLAYBOOK_EXIT -eq 0 ]; then echo " • Configure OpenClaw (~/.openclaw/config.yml)" echo " • Login to messaging provider (WhatsApp/Telegram/Signal)" echo " • Test the gateway" - echo " • Connect Tailscale VPN" echo "" echo "═══════════════════════════════════════════════════════════" echo ""
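Review bot: `ExecStart=openclaw gateway` will not start the service: systemd resolves a non-absolute `ExecStart` against a compiled-in search path (`/usr/local/bin`, `/usr/bin`, `/bin`, …), not the unit's own `Environment="PATH=…"`, and systemd older than 239 rejects a relative command outright. The binary lives under `{{ openclaw_home }}/.local/bin`, so keep `ExecStart={{ openclaw_home }}/.local/bin/openclaw gateway`. Dropping `| default('1000')` from `openclaw_uid_value` is right in spirit — a guessed uid is worse than a hard failure — but `user.yml` now sets that fact only on the Debian, non-CI path, so make sure it is defined wherever this template is rendered. As a long-running service under a dedicated user this unit is also a natural place for `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectSystem=full` if the gateway tolerates them; the rest of the `[Service]` section is outside the hunk, so I can't see what is already set.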