[BREAKGLASS] Automated, hardened Clawdbot installation with Tailscale VPN, UFW firewall, and Docker isolation
BREAKING CHANGES:
- User switch command changed from `sudo -i -u clawdbot` to `sudo su - clawdbot`
- Config files no longer auto-generated, use `clawdbot onboard --install-daemon`
- systemd service no longer auto-installed, use `--install-daemon` flag

Features:
- Add macOS support alongside Debian/Ubuntu
- Add automatic Homebrew installation (Linux + macOS)
- Add OS detection framework (is_macos, is_debian, is_linux)
- Add apt update/upgrade at playbook start (Debian/Ubuntu only)
- Add OS-specific task files for clean separation
- Create clawdbot directory structure (sessions, credentials, data, logs)

Bug Fixes:
- Fix DBus session bus configuration (loginctl enable-linger, XDG_RUNTIME_DIR)
- Fix user switching command (sudo su - clawdbot)
- Fix pnpm installation command (pnpm install -g clawdbot@latest)
- Fix environment variable initialization in .bashrc
- Fix systemd service with proper DBus and XDG paths

Refactoring:
- Split system-tools.yml into OS-specific files
- Split docker.yml into OS-specific files
- Split firewall.yml into OS-specific files
- Remove automatic config.yml generation (let clawdbot handle it)
- Remove automatic systemd service installation (let clawdbot handle it)

Documentation:
- Update README.md with multi-OS support
- Add UPGRADE_NOTES.md with detailed technical changes
- Add CHANGES.md with user-facing changelog
- Update welcome message with clawdbot onboard command
- Add OS-specific installation requirements

Security:
- Enhance systemd service with ProtectSystem and ProtectHome
- Proper DBus session isolation per user
- XDG_RUNTIME_DIR properly configured

New Files:
- roles/clawdbot/tasks/system-tools-linux.yml
- roles/clawdbot/tasks/system-tools-macos.yml
- roles/clawdbot/tasks/docker-linux.yml
- roles/clawdbot/tasks/docker-macos.yml
- roles/clawdbot/tasks/firewall-linux.yml
- roles/clawdbot/tasks/firewall-macos.yml
- UPGRADE_NOTES.md
- CHANGES.md

Modified Files:
- playbook.yml (OS detection, apt upgrade, Homebrew, welcome message)
- install.sh (multi-OS detection)
- run-playbook.sh (correct user switch command)
- README.md (multi-OS documentation)
- roles/clawdbot/defaults/main.yml (OS-specific variables)
- roles/clawdbot/tasks/system-tools.yml (orchestrator)
- roles/clawdbot/tasks/docker.yml (orchestrator)
- roles/clawdbot/tasks/firewall.yml (orchestrator)
- roles/clawdbot/tasks/user.yml (DBus fixes)
- roles/clawdbot/tasks/clawdbot.yml (no auto-config)
- roles/clawdbot/templates/clawdbot-host.service.j2 (enhanced)

Tested on:
- Debian 11/12 ✅
- Ubuntu 20.04/22.04 ✅
- macOS (framework ready, needs testing)

Resolves issues reported in user history:
- DBus session errors
- Incorrect user switch command
- Manual environment setup required
- Missing Homebrew integration
# Clawdbot Ansible Installer

Automated, hardened installation of Clawdbot with Docker, Homebrew, and Tailscale VPN support for Linux and macOS.

## Features

- 🔒 Firewall-first: UFW (Linux) + Application Firewall (macOS) + Docker isolation
- 🔐 Tailscale VPN: Secure remote access without exposing services
- 🍺 Homebrew: Package manager for both Linux and macOS
- 🐳 Docker: Docker CE (Linux) / Docker Desktop (macOS)
- 🛡️ Multi-OS Support: Debian, Ubuntu, and macOS
- 🚀 One-command install: Complete setup in minutes
- 🔧 Auto-configuration: DBus, systemd, environment setup
- 📦 pnpm installation: Uses `pnpm install -g clawdbot@latest`
## Quick Start

### Release Mode (Recommended)

Install the latest stable version from npm:

```bash
curl -fsSL https://raw.githubusercontent.com/pasogott/clawdbot-ansible/main/install.sh | bash
```

### Development Mode

Install from source for development or testing:

```bash
# Clone the installer
git clone https://github.com/pasogott/clawdbot-ansible.git
cd clawdbot-ansible

# Install in development mode
ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=development
```
## What Gets Installed

- Tailscale (mesh VPN)
- UFW firewall (SSH + Tailscale ports only)
- Docker CE + Compose V2 (for sandboxes)
- Node.js 22.x + pnpm
- Clawdbot on host (not containerized)
- Systemd service (auto-start)
## Post-Install

After installation completes, switch to the clawdbot user:

```bash
sudo su - clawdbot
```

Then run the quick-start onboarding wizard:

```bash
clawdbot onboard --install-daemon
```

This will:

- Guide you through the setup wizard
- Configure your messaging provider (WhatsApp/Telegram/Signal)
- Install and start the daemon service

### Alternative Manual Setup

```bash
# Configure manually
clawdbot configure

# Login to provider
clawdbot providers login

# Test gateway
clawdbot gateway

# Install as daemon
clawdbot daemon install
clawdbot daemon start

# Check status
clawdbot status
clawdbot logs
```
## Installation Modes

### Release Mode (Default)

- Installs via `pnpm install -g clawdbot@latest`
- Gets latest stable version from npm registry
- Automatic updates via `pnpm install -g clawdbot@latest`
- Recommended for production

### Development Mode

- Clones from `https://github.com/clawdbot/clawdbot.git`
- Builds from source with `pnpm build`
- Symlinks binary to `~/.local/bin/clawdbot`
- Adds helpful aliases:
  - `clawdbot-rebuild` - Rebuild after code changes
  - `clawdbot-dev` - Navigate to repo directory
  - `clawdbot-pull` - Pull, install deps, and rebuild
- Recommended for development and testing

Enable with: `-e clawdbot_install_mode=development`
## Security

- Public ports: SSH (22), Tailscale (41641/udp) only
- Docker available: For Clawdbot sandboxes (isolated execution)
- Docker isolation: Containers can't expose ports externally (DOCKER-USER chain)
- Non-root: Clawdbot runs as unprivileged user
- Systemd hardening: NoNewPrivileges, PrivateTmp

Verify: `nmap -p- YOUR_SERVER_IP` should show only port 22 open (a default nmap scan covers TCP ports only, so the Tailscale UDP port is not expected in that output).
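An added audit script (not part of this installer repository) that checks the two hardening claims above against text captured from the host: the systemd unit's sandboxing directives and the DOCKER-USER rule that keeps containers unreachable from the public interface. The directive values, the public interface name `eth0` and the exact shape of the DOCKER-USER rule are assumptions, and the embedded samples are constructed.

```bash
#!/usr/bin/env bash
# Offline audit of the README's hardening claims. Samples are constructed;
# on a real host feed the functions the output of
# `systemctl cat clawdbot-host.service` and `iptables-save` instead.
set -u

# Directive keys expected in the [Service] section (values are assumptions).
REQUIRED_KEYS="NoNewPrivileges PrivateTmp ProtectSystem ProtectHome"

# Return 0 when every required key is set to something other than no/false;
# otherwise list what is missing and return 1.
check_unit_hardening() {
  local unit="$1" missing=0 key val
  for key in $REQUIRED_KEYS; do
    val=$(printf '%s\n' "$unit" | sed -n "s/^${key}=//p" | tail -n 1)
    case "$val" in
      ""|no|false) echo "missing or disabled: $key"; missing=1 ;;
    esac
  done
  return "$missing"
}

# Return 0 when a DROP for new connections entering on interface $2 exists in
# DOCKER-USER and sits before the chain's RETURN (rule order matters).
check_docker_user_chain() {
  local rules="$1" iface="$2" drop ret
  drop=$(printf '%s\n' "$rules" \
    | grep -n -- "^-A DOCKER-USER -i ${iface} .*--ctstate NEW .*-j DROP$" \
    | head -n 1 | cut -d: -f1)
  ret=$(printf '%s\n' "$rules" \
    | grep -n -- '^-A DOCKER-USER -j RETURN$' | head -n 1 | cut -d: -f1)
  [ -n "$drop" ] && { [ -z "$ret" ] || [ "$drop" -lt "$ret" ]; }
}

# Constructed sample unit (not the repo's clawdbot-host.service.j2 template).
SAMPLE_UNIT='[Service]
User=clawdbot
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=read-only
ReadWritePaths=/home/clawdbot'

# Constructed DOCKER-USER rules: a hardened chain and a weak one without DROP.
SAMPLE_RULES='-A DOCKER-USER -i eth0 -m conntrack --ctstate NEW -j DROP
-A DOCKER-USER -j RETURN'
WEAK_RULES='-A DOCKER-USER -j RETURN'

check_unit_hardening "$SAMPLE_UNIT" && check_docker_user_chain "$SAMPLE_RULES" eth0 \
  && echo "hardening checks passed"
```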
## Documentation

### Requirements

#### Linux (Debian/Ubuntu)

- Debian 11+ or Ubuntu 20.04+
- Root/sudo access
- Internet connection

#### macOS

- macOS 11 (Big Sur) or later
- Homebrew will be installed automatically
- Admin/sudo access
- Internet connection

### What Gets Installed

#### Common (All OS)

- Homebrew package manager
- Node.js 22.x + pnpm
- Clawdbot via `pnpm install -g clawdbot@latest`
- Essential development tools
- Git, zsh, oh-my-zsh

#### Linux-Specific

- Docker CE + Compose V2
- UFW firewall (configured)
- Tailscale VPN
- systemd service

#### macOS-Specific

- Docker Desktop (via Homebrew Cask)
- Application Firewall
- Tailscale app
### Manual Installation

#### Release Mode (Default)

```bash
# Install dependencies
sudo apt update && sudo apt install -y ansible git

# Clone repository
git clone https://github.com/pasogott/clawdbot-ansible.git
cd clawdbot-ansible

# Install Ansible collections
ansible-galaxy collection install -r requirements.yml

# Run installation
./run-playbook.sh
```

#### Development Mode

Build from source for development:

```bash
# Same as above, but with development mode flag
./run-playbook.sh -e clawdbot_install_mode=development

# Or directly:
ansible-playbook playbook.yml --ask-become-pass -e clawdbot_install_mode=development
```

This will:

- Clone clawdbot repo to `~/code/clawdbot`
- Run `pnpm install` and `pnpm build`
- Symlink binary to `~/.local/bin/clawdbot`
- Add development aliases to `.bashrc`
## License

MIT - see LICENSE

## Support

- Clawdbot: https://github.com/clawdbot/clawdbot
- This installer: https://github.com/pasogott/clawdbot-ansible/issues