License: MIT Lint Ansible Multi-OS
Automated, hardened installation of OpenClaw with Docker and Tailscale VPN support for Debian/Ubuntu Linux.
Effective 2026年02月06日, support for bare-metal macOS installations has been removed from this playbook.
The underlying project currently requires system-level permissions and configurations that introduce significant security risks when executed on a primary host OS. To protect user data and system integrity, we have disabled bare-metal execution.
- The playbook will now explicitly fail if run on a
Darwin(macOS) system. - We strongly discourage manual workarounds to bypass this check.
- Future Support: We are evaluating a virtualization-first strategy (using Vagrant or Docker) to provide a sandboxed environment for this project in the future.
- 🔒 Firewall-first: UFW firewall + Docker isolation
- 🛡️ Fail2ban: SSH brute-force protection out of the box
- 🔄 Auto-updates: Automatic security patches via unattended-upgrades
- 🔐 Tailscale VPN: Secure remote access without exposing services
- 🐳 Docker: Docker CE with security hardening
- 🚀 One-command install: Complete setup in minutes
- 🔧 Auto-configuration: DBus, systemd, environment setup
- 📦 pnpm installation: Uses
pnpm install -g openclaw@latest
Install the latest stable version from npm:
curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bashInstall from source for development or testing:
# Clone the installer git clone https://github.com/openclaw/openclaw-ansible.git cd openclaw-ansible # Install in development mode ansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development
- Tailscale (mesh VPN)
- UFW firewall (SSH + Tailscale ports only)
- Docker CE + Compose V2 (for sandboxes)
- Node.js 22.x + pnpm
- OpenClaw on host (not containerized)
- Systemd service (auto-start)
After installation completes, switch to the openclaw user:
sudo su - openclaw
Then run the quick-start onboarding wizard:
openclaw onboard --install-daemon
This will:
- Guide you through the setup wizard
- Configure your messaging provider (WhatsApp/Telegram/Signal)
- Install and start the daemon service
# Configure manually openclaw configure # Login to provider openclaw providers login # Test gateway openclaw gateway # Install as daemon openclaw daemon install openclaw daemon start # Check status openclaw status openclaw logs
- Installs via
pnpm install -g openclaw@latest - Gets latest stable version from npm registry
- Automatic updates via
pnpm install -g openclaw@latest - Recommended for production
- Clones from
https://github.com/openclaw/openclaw.git - Builds from source with
pnpm build - Symlinks binary to
~/.local/bin/openclaw - Adds helpful aliases:
openclaw-rebuild- Rebuild after code changesopenclaw-dev- Navigate to repo directoryopenclaw-pull- Pull, install deps, and rebuild
- Recommended for development and testing
Enable with: -e openclaw_install_mode=development
- Public ports: SSH (22), Tailscale (41641/udp) only
- Fail2ban: SSH brute-force protection (5 attempts → 1 hour ban)
- Automatic updates: Security patches via unattended-upgrades
- Docker isolation: Containers can't expose ports externally (DOCKER-USER chain)
- Non-root: OpenClaw runs as unprivileged user
- Scoped sudo: Limited to service management (not full root)
- Systemd hardening: NoNewPrivileges, PrivateTmp, ProtectSystem
Verify: nmap -p- YOUR_SERVER_IP should show only port 22 open.
For high-security environments, audit before running:
git clone https://github.com/openclaw/openclaw-ansible.git cd openclaw-ansible # Review playbook.yml and roles/ ansible-playbook playbook.yml --check --diff # Dry run ansible-playbook playbook.yml --ask-become-pass
- Configuration Guide - All configuration options
- Development Mode - Build from source
- Security Architecture - Security details
- Technical Details - Architecture overview
- Troubleshooting - Common issues
- Agent Guidelines - AI agent instructions
- Debian 11+ or Ubuntu 20.04+
- Root/sudo access
- Internet connection
- Tailscale (mesh VPN)
- UFW firewall (SSH + Tailscale ports only)
- Docker CE + Compose V2 (for sandboxes)
- Node.js 22.x + pnpm
- OpenClaw on host (not containerized)
- Systemd service (auto-start)
# Install dependencies sudo apt update && sudo apt install -y ansible git # Clone repository git clone https://github.com/openclaw/openclaw-ansible.git cd openclaw-ansible # Install Ansible collections ansible-galaxy collection install -r requirements.yml # Run installation ./run-playbook.sh
Build from source for development:
# Same as above, but with development mode flag ./run-playbook.sh -e openclaw_install_mode=development # Or directly: ansible-playbook playbook.yml --ask-become-pass -e openclaw_install_mode=development
This will:
- Clone openclaw repo to
~/code/openclaw - Run
pnpm installandpnpm build - Symlink binary to
~/.local/bin/openclaw - Add development aliases to
.bashrc
All configuration variables can be found in roles/openclaw/defaults/main.yml.
You can override them in three ways:
ansible-playbook playbook.yml --ask-become-pass \
-e openclaw_install_mode=development \
-e "openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']"# Create vars.yml cat > vars.yml << EOF openclaw_install_mode: development openclaw_ssh_keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxxxxxxxx user@host" - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... user@host" openclaw_repo_url: "https://github.com/YOUR_USERNAME/openclaw.git" openclaw_repo_branch: "feature-branch" tailscale_authkey: "tskey-auth-xxxxxxxxxxxxx" EOF # Use it ansible-playbook playbook.yml --ask-become-pass -e @vars.yml
Edit roles/openclaw/defaults/main.yml before running the playbook.
| Variable | Default | Description |
|---|---|---|
openclaw_user |
openclaw |
System user name |
openclaw_home |
/home/openclaw |
User home directory |
openclaw_install_mode |
release |
release or development |
openclaw_ssh_keys |
[] |
List of SSH public keys |
openclaw_repo_url |
https://github.com/openclaw/openclaw.git |
Git repository (dev mode) |
openclaw_repo_branch |
main |
Git branch (dev mode) |
tailscale_authkey |
"" |
Tailscale auth key for auto-connect |
nodejs_version |
22.x |
Node.js version to install |
See roles/openclaw/defaults/main.yml for the complete list.
ansible-playbook playbook.yml --ask-become-pass \
-e "openclaw_ssh_keys=['ssh-ed25519 AAAAC3... user@host']"ansible-playbook playbook.yml --ask-become-pass \ -e openclaw_install_mode=development \ -e openclaw_repo_url=https://github.com/YOUR_USERNAME/openclaw.git \ -e openclaw_repo_branch=feature-branch
ansible-playbook playbook.yml --ask-become-pass \ -e tailscale_authkey=tskey-auth-xxxxxxxxxxxxx
MIT - see LICENSE
- OpenClaw: https://github.com/openclaw/openclaw
- This installer: https://github.com/openclaw/openclaw-ansible/issues