Ansible
Ansible Installation
Deploy OpenClaw to production servers with openclaw-ansible — an automated installer with security-first architecture.
Prerequisites
| Requirement | Details |
|---|---|
| OS | Debian 11+ or Ubuntu 20.04+ |
| Access | Root or sudo privileges |
| Network | Internet connection for package installation |
| Ansible | 2.14+ (installed automatically by the quick-start script) |
What You Get
- Firewall-first security — UFW + Docker isolation (only SSH + Tailscale accessible)
- Tailscale VPN — secure remote access without exposing services publicly
- Docker — isolated sandbox containers, localhost-only bindings
- Defense in depth — 4-layer security architecture
- Systemd integration — auto-start on boot with hardening
- One-command setup — complete deployment in minutes
Quick Start
One-command install:

```bash
curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bash
```

What Gets Installed
The Ansible playbook installs and configures:
- Tailscale — mesh VPN for secure remote access
- UFW firewall — SSH + Tailscale ports only
- Docker CE + Compose V2 — for agent sandboxes
- Node.js 24 + pnpm — runtime dependencies (Node 22 LTS, currently 22.14+, remains supported)
- OpenClaw — host-based, not containerized
- Systemd service — auto-start with security hardening
Post-Install Setup
Switch to the openclaw user

```bash
sudo -i -u openclaw
```

Run the onboarding wizard
The post-install script guides you through configuring OpenClaw settings.
Connect messaging providers
Log in to WhatsApp, Telegram, Discord, or Signal:

```bash
openclaw channels login
```

Verify the installation

```bash
sudo systemctl status openclaw
sudo journalctl -u openclaw -f
```

Connect to Tailscale
Join your VPN mesh for secure remote access.
Quick Commands
```bash
# Check service status
sudo systemctl status openclaw

# View live logs
sudo journalctl -u openclaw -f

# Restart gateway
sudo systemctl restart openclaw

# Provider login (run as openclaw user)
sudo -i -u openclaw
openclaw channels login
```

Security Architecture
The deployment uses a 4-layer defense model:
- Firewall (UFW) — only SSH (22) + Tailscale (41641/udp) exposed publicly
- VPN (Tailscale) — gateway accessible only via VPN mesh
- Docker isolation — DOCKER-USER iptables chain prevents external port exposure
- Systemd hardening — NoNewPrivileges, PrivateTmp, unprivileged user
To verify your external attack surface:

```bash
nmap -p- YOUR_SERVER_IP
```

Only port 22 (SSH) should be open. All other services (gateway, Docker) are locked down.
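The check above can be made repeatable by parsing nmap's grepable output and failing on any open port outside an allow-list. This is an added example, not part of openclaw-ansible; the function name `check_exposure`, the `ALLOWED_PORTS` variable and the sample scan are assumptions made for illustration. `nmap -p-` scans TCP by default, so the Tailscale UDP port (41641) is outside what this check covers.

```bash
# Added example (not from openclaw-ansible): pass/fail check on an external TCP scan.
# Real use, from a host outside the tailnet:
#   nmap -p- -oG - YOUR_SERVER_IP | check_exposure

# Assumption: the only TCP port that may be open externally is SSH, per the page.
ALLOWED_PORTS="22/tcp"

# Reads nmap grepable (-oG) output on stdin.
# Prints "host port/proto service" for every open port not in ALLOWED_PORTS.
# Exit status: 0 = only allowed ports open, 1 = unexpected exposure,
#              2 = no port data in the input (host down or scan failed).
check_exposure() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Host: / && /Ports: / {
      seen = 1
      host = $2
      sub(/^.*Ports: /, "")      # keep only the port list
      sub(/\t.*$/, "")           # drop the trailing "Ignored State" field
      m = split($0, entries, /, */)
      for (j = 1; j <= m; j++) {
        split(entries[j], f, "/")  # port/state/proto/owner/service/...
        key = f[1] "/" f[3]
        if (f[2] == "open" && !(key in ok)) { print host, key, f[5]; bad = 1 }
      }
    }
    END { if (!seen) exit 2; exit (bad ? 1 : 0) }
  '
}

# Constructed sample input (not a real scan): 8080/tcp is an unexpected exposure.
SAMPLE_SCAN=$(printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65532)')

printf '%s\n' "$SAMPLE_SCAN" | check_exposure || echo "check_exposure exit status: $?"
```

A non-zero exit status makes the function usable from cron or a CI job that scans the server after each playbook run.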
Docker is installed for agent sandboxes (isolated tool execution), not for running the gateway itself. See Multi-Agent Sandbox and Tools for sandbox configuration.
Manual Installation
If you prefer manual control over the automation:
Install prerequisites

```bash
sudo apt update && sudo apt install -y ansible git
```

Clone the repository

```bash
git clone https://github.com/openclaw/openclaw-ansible.git
cd openclaw-ansible
```

Install Ansible collections

```bash
ansible-galaxy collection install -r requirements.yml
```

Run the playbook

```bash
./run-playbook.sh
```

Alternatively, run the playbook directly and then manually execute the setup script afterward:

```bash
ansible-playbook playbook.yml --ask-become-pass
# Then run the setup script
/tmp/openclaw-setup.sh
```
Updating
The Ansible installer sets up OpenClaw for manual updates. See Updating for the standard update flow.
To re-run the Ansible playbook (for example, for configuration changes):

```bash
cd openclaw-ansible
./run-playbook.sh
```

This is idempotent and safe to run multiple times.
Troubleshooting
Firewall blocks my connection
- Ensure you can access via Tailscale VPN first
- SSH access (port 22) is always allowed
- The gateway is only accessible via Tailscale by design
Service will not start
```bash
# Check logs
sudo journalctl -u openclaw -n 100

# Verify permissions
sudo ls -la /opt/openclaw

# Test manual start
sudo -i -u openclaw
cd ~/openclaw
openclaw gateway run
```

Docker sandbox issues

```bash
# Verify Docker is running
sudo systemctl status docker

# Check sandbox image
sudo docker images | grep openclaw-sandbox

# Build sandbox image if missing
cd /opt/openclaw/openclaw
sudo -u openclaw ./scripts/sandbox-setup.sh
```

Provider login fails
Make sure you are running as the openclaw user:

```bash
sudo -i -u openclaw
openclaw channels login
```

Advanced Configuration
For detailed security architecture and troubleshooting, see the openclaw-ansible repo:
Related
- openclaw-ansible — full deployment guide
- Docker — containerized gateway setup
- Sandboxing — agent sandbox configuration
- Multi-Agent Sandbox and Tools — per-agent isolation