From openclaw-assist
Guide for deploying OpenClaw to production environments. Use when the user asks to "deploy OpenClaw", "run OpenClaw in Docker", "set up OpenClaw on a VPS", "deploy OpenClaw with Ansible", "install OpenClaw with Nix", "manage the OpenClaw service", "run OpenClaw in production", "configure OpenClaw systemd service", "set up OpenClaw on a server", "use Docker Compose with OpenClaw", "deploy OpenClaw to the cloud", "set up OpenClaw daemon", or needs help with container deployment, server hardening, service management, or distributed node architecture.
npx claudepluginhub jamesprial/prial-plugins --plugin openclaw-assist
This skill uses the workspace's default tool permissions.
Deploy OpenClaw to production across Docker, VPS/cloud, Ansible-managed servers, and Nix environments. This skill covers the deployment decision tree, container configuration, cloud provider options, automated provisioning, declarative builds, service management, and distributed node architecture.
Architecture note: The Gateway is the core process in every deployment. It is the single source of truth for configuration, routing, and state. Tools are optionally sandboxed in Docker containers, but the Gateway itself runs as a standalone Node.js process. Always back up ~/.openclaw/ -- it contains all configuration, credentials, and runtime state.
Select a deployment strategy based on the target environment and operational requirements.
| Scenario | Strategy | Tradeoff |
|---|---|---|
| Local development | openclaw onboard --install-daemon | Simplest path; no containers or infrastructure to manage |
| Isolated reproducible environment | Docker | Clean separation between host and runtime; good for sandboxing tools |
| Always-on remote access | VPS / cloud | Persistent endpoint accessible from any device |
| Production Debian/Ubuntu with hardening | Ansible | One-command provisioning with 4-layer defense (firewall + VPN + container isolation + systemd hardening) |
| Declarative reproducible builds | Nix | Pinned versions, deterministic behavior, instant rollback |
For local development only, run openclaw onboard --install-daemon and skip the rest of this document. For all other scenarios, continue to the relevant section below.
Run the Gateway and sandboxed tools inside Docker containers for isolation and reproducibility.
From the OpenClaw repository root:
git clone https://github.com/openclaw/openclaw.git
cd openclaw
./docker-setup.sh
The setup script builds the image, creates volumes, and starts the container with port 18789 mapped to the host.
A docker-compose.yml is available in the repository root for multi-container orchestration. Start with:
docker compose up -d
- node user (UID 1000) inside the container. All file operations run as this user.
- ~/.openclaw -- Configuration, credentials, and runtime state (mounted into the container).
- ~/openclaw/workspace -- Sandbox workspace for tool execution.

If the container reports permission errors on mounted volumes, align host directory ownership to UID 1000:
sudo chown -R 1000:1000 ~/.openclaw
Then restart the container.
Podman works as a drop-in replacement. Substitute podman for docker in all commands. Rootless Podman is supported.
For complete Docker configuration options, multi-stage build details, network modes, and Podman-specific adjustments, read ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/docker.md.
Automated provisioning for production Debian/Ubuntu servers with comprehensive security hardening.
curl -fsSL https://raw.githubusercontent.com/openclaw/openclaw-ansible/main/install.sh | bash
This downloads and runs the openclaw-ansible playbook, which handles the full provisioning lifecycle.
Note: macOS Ansible support was discontinued on February 6, 2026. Use a different deployment method for macOS targets.
The Ansible playbook implements defense in depth:
ProtectSystem, PrivateTmp, NoNewPrivileges, and capability bounding.
After the playbook completes:
sudo su - openclaw
openclaw onboard --install-daemon
sudo tailscale up
systemctl status openclaw
For the full Ansible playbook reference, variable overrides, inventory configuration, and hardening details, read ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/ansible.md.
Deploy to a remote server for always-on access from any device.
| Provider | Notes |
|---|---|
| Railway | One-click deploy from GitHub repo |
| Northflank | Browser-based setup and management |
| Oracle Cloud | Free tier eligible (ARM instances) |
| Fly.io | Edge deployment with global regions |
| Hetzner | Cost-effective European VPS |
| GCP | Compute Engine or Cloud Run |
| exe.dev | Developer-focused hosting |
| AWS | EC2 instances or Lightsail |
| DigitalOcean | Droplets with simple provisioning |
The Gateway binds to loopback (127.0.0.1) by default. This means it is not accessible from the network without explicit action. Two secure access patterns:
ssh -L 18789:127.0.0.1:18789 user@server
tailscale serve --bg 18789
Authentication is required when binding the gateway to a broader network interface (e.g., 0.0.0.0). Configure auth tokens in ~/.openclaw/config.yaml under gateway.auth before changing the bind address.
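A check for the bind behaviour described above, as an added example that is not part of the OpenClaw project: it parses `ss -ltn` output and reports any listener on port 18789 that is not on loopback. The function names and the sample `ss` lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not OpenClaw project code. Reads `ss -ltn` output on stdin and
# reports listeners on the Gateway port that are reachable beyond loopback.
GATEWAY_PORT=18789  # port used on this page

# Print each non-loopback local address listening on port $1.
exposed_listeners() {
  awk -v port="$1" '
    {
      s = 0
      for (i = 1; i <= NF; i++) if ($i == "LISTEN") { s = i; break }
      if (s == 0 || s + 3 > NF) next   # header or non-listening row
      la = $(s + 3)                    # "Local Address:Port" column
      n = split(la, parts, ":")
      if (parts[n] != port) next
      addr = substr(la, 1, length(la) - length(parts[n]) - 1)
      gsub(/^\[|\]$/, "", addr)        # [::1] -> ::1
      sub(/%.*$/, "", addr)            # drop interface scope such as %lo
      if (addr ~ /^127\./ || addr == "::1") next
      print addr
    }'
}

# Return 0 when the Gateway port is loopback-only, 1 when it is exposed.
gateway_is_loopback_only() {
  exposed=$(exposed_listeners "$GATEWAY_PORT")
  [ -z "$exposed" ] && return 0
  printf 'port %s listening on: %s\n' "$GATEWAY_PORT" \
    "$(printf '%s' "$exposed" | tr '\n' ' ')" >&2
  return 1
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_DEFAULT='LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
SAMPLE_REBOUND='LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

report() {  # $1 = label, stdin = ss output
  if gateway_is_loopback_only; then echo "$1: loopback only"
  else echo "$1: network-reachable, confirm gateway.auth is configured"; fi
}
printf '%s\n' "$SAMPLE_DEFAULT" | report default-bind
printf '%s\n' "$SAMPLE_REBOUND" | report wide-bind
# Live host: ss -ltn | report "$(hostname)"
```

Run it after any change to the bind address, and from a second host confirm that the port answers only over the SSH tunnel or Tailscale path.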
For provider-specific setup guides, pricing notes, and network configuration details, read ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/vps-cloud.md.
Declarative, reproducible deployment using the Nix package manager and Home Manager.
The nix-openclaw module provides a fully declarative OpenClaw installation.
Add to home.nix:
imports = [ nix-openclaw.homeManagerModules.default ];
services.openclaw = {
  enable = true;
};
Then rebuild:
home-manager switch
Set the environment variable to enforce deterministic mode:
export OPENCLAW_NIX_MODE=1
This disables auto-updates, pins all dependency resolution to the Nix store, and ensures builds are fully reproducible across machines.
| Variable | Purpose |
|---|---|
| OPENCLAW_HOME | Override the home directory (default: ~/.openclaw) |
| OPENCLAW_STATE_DIR | Override the state/runtime directory |
| OPENCLAW_CONFIG_PATH | Override the config file path |
| OPENCLAW_NIX_MODE | Set to 1 for deterministic behavior |
Roll back to the previous working configuration at any time:
home-manager switch --rollback
This restores the exact prior OpenClaw version and configuration atomically.
For complete Nix flake configuration, module options, overlay setup, and troubleshooting, read ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/nix.md.
Manage the OpenClaw Gateway as a background service on Linux (systemd) and macOS (launchd).
The onboarding wizard handles daemon registration automatically:
openclaw onboard --install-daemon
This auto-detects the platform and writes the appropriate service definition. The gateway starts immediately and is configured to launch on boot.
Control the service with standard systemctl commands:
systemctl start openclaw # Start the gateway
systemctl stop openclaw # Stop the gateway
systemctl restart openclaw # Restart after config changes
systemctl status openclaw # Check service health
journalctl -u openclaw -f # Stream live logs
The unit file is installed to ~/.config/systemd/user/openclaw.service (user-level) or /etc/systemd/system/openclaw.service (system-level, used by Ansible).
Control the service with launchctl:
launchctl start com.openclaw.gateway # Start the gateway
launchctl stop com.openclaw.gateway # Stop the gateway
launchctl list | grep openclaw # Check service status
The plist is installed to ~/Library/LaunchAgents/com.openclaw.gateway.plist.
If a version upgrade changes service metadata, reinstall the service definition without re-running the full onboarding wizard:
openclaw gateway install --force
This regenerates the systemd unit or launchd plist with current binary paths and configuration.
Both systemd and launchd configurations enable auto-start by default. The gateway launches when the user logs in (user-level service) or when the system boots (system-level service).
For complete service configuration options, log file locations, and platform-specific troubleshooting, read ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/systemd-launchd.md.
OpenClaw supports a distributed architecture where the Gateway runs in the cloud and lightweight nodes run on local devices.
Nodes connect outbound to the Gateway over a secure channel. No inbound ports need to be opened on the local device. This allows the Gateway to orchestrate tools that require physical device access without exposing those devices to the network.
Load these resources for expanded detail on each deployment method:
- ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/docker.md -- Complete Docker and Docker Compose configuration, multi-stage builds, volume management, network modes, health checks, and Podman compatibility.
- ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/ansible.md -- Full Ansible playbook reference, inventory configuration, variable overrides, 4-layer security model details, and post-provisioning checklist.
- ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/vps-cloud.md -- Provider-specific deployment guides, pricing considerations, network security configuration, SSH tunnel and Tailscale Serve setup, and auth token management.
- ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/nix.md -- Nix flake setup, Home Manager module options, overlay configuration, environment variable reference, deterministic mode details, and rollback procedures.
- ${CLAUDE_PLUGIN_ROOT}/skills/deployment/references/systemd-launchd.md -- systemd unit file and launchd plist specifications, log file locations, journal filtering, auto-restart policies, and platform-specific troubleshooting.