openclaw/scripts/docker-entrypoint-phala.sh
HashWarlock 3c4f74a337 chore: update docker-compose and entrypoint script for directory structure changes
- Changed CLAWDBOT_STATE_DIR and CLAWDBOT_WORKSPACE_DIR paths from /data to /home/node for improved organization.
- Updated GATEWAY_BIND default value from loopback to lan for broader accessibility.
- Adjusted volume mappings in docker-compose for consistency with new directory structure.
- Modified entrypoint script to reflect updated directory paths and ensure proper setup.
2026-01-26 22:26:08 -06:00

98 lines
3.7 KiB
Bash
Executable File

#!/bin/bash
# Phala Cloud CVM entrypoint - auto-configures Redpill provider on first boot
set -e
CONFIG_DIR="${CLAWDBOT_STATE_DIR:-/home/node/.clawdbot}"
CONFIG_FILE="$CONFIG_DIR/clawdbot.json"
# Create state directory if it doesn't exist
mkdir -p "$CONFIG_DIR"
# Build gateway auth arguments
GATEWAY_AUTH_ARGS=""
if [ "${GATEWAY_AUTH:-off}" = "token" ]; then
if [ -z "$GATEWAY_TOKEN" ]; then
# Generate a random token if not provided
GATEWAY_TOKEN=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 32)
echo "Generated gateway token: $GATEWAY_TOKEN"
fi
GATEWAY_AUTH_ARGS="--gateway-auth token --gateway-token $GATEWAY_TOKEN"
elif [ "${GATEWAY_AUTH:-off}" = "password" ]; then
if [ -z "$GATEWAY_PASSWORD" ]; then
echo "Error: GATEWAY_AUTH=password requires GATEWAY_PASSWORD to be set"
exit 1
fi
GATEWAY_AUTH_ARGS="--gateway-auth password --gateway-password $GATEWAY_PASSWORD"
else
GATEWAY_AUTH_ARGS="--gateway-auth off"
fi
# Check if we need to run initial setup
if [ ! -f "$CONFIG_FILE" ] && [ -n "$REDPILL_API_KEY" ]; then
echo "First boot detected with REDPILL_API_KEY - running auto-configuration..."
# shellcheck disable=SC2086
node dist/index.js onboard \
--non-interactive \
--accept-risk \
--mode local \
--auth-choice redpill-api-key \
--workspace "${CLAWDBOT_WORKSPACE_DIR:-/home/node/clawd}" \
--gateway-bind ${GATEWAY_BIND:-loopback} \
$GATEWAY_AUTH_ARGS \
--skip-daemon \
--skip-skills \
--skip-health \
--skip-ui
echo "Auto-configuration complete."
# Enable password/token-only auth for remote Control UI access
# This allows the web UI to connect without device pairing (Web Crypto API)
# which is required for HTTPS proxy deployments like Phala dstack
node dist/index.js config set gateway.controlUi.allowInsecureAuth true --json
echo "✓ Control UI configured for remote access"
# Configure channel allowlists if user IDs are provided
if [ -n "$TELEGRAM_ALLOWED_USERS" ] || [ -n "$DISCORD_ALLOWED_USERS" ]; then
echo "Configuring channel allowlists..."
if [ -n "$TELEGRAM_ALLOWED_USERS" ]; then
# Convert comma-separated list to JSON array
TELEGRAM_IDS=$(echo "$TELEGRAM_ALLOWED_USERS" | sed 's/,/", "/g' | sed 's/^/"/' | sed 's/$/"/')
node dist/index.js config set channels.telegram.dmPolicy allowlist || true
node dist/index.js config set "channels.telegram.allowFrom" "[$TELEGRAM_IDS]" --json || true
echo "✓ Telegram allowlist configured: $TELEGRAM_ALLOWED_USERS"
fi
if [ -n "$DISCORD_ALLOWED_USERS" ]; then
# Convert comma-separated list to JSON array
DISCORD_IDS=$(echo "$DISCORD_ALLOWED_USERS" | sed 's/,/", "/g' | sed 's/^/"/' | sed 's/$/"/')
node dist/index.js config set channels.discord.dm.policy allowlist || true
node dist/index.js config set "channels.discord.dm.allowFrom" "[$DISCORD_IDS]" --json || true
echo "✓ Discord allowlist configured: $DISCORD_ALLOWED_USERS"
fi
fi
echo "Starting gateway..."
fi
# Clean orphaned session locks from previous gateway restarts
# Gateway SIGUSR1 restart keeps PID=1 but clears in-memory lock state,
# leaving lock files that appear valid but are actually orphaned.
SESSIONS_DIR="$CONFIG_DIR/agents/main/sessions"
if [ -d "$SESSIONS_DIR" ]; then
LOCK_COUNT=$(find "$SESSIONS_DIR" -name "*.lock" -type f 2>/dev/null | wc -l)
if [ "$LOCK_COUNT" -gt 0 ]; then
echo "Cleaning $LOCK_COUNT orphaned session lock(s)..."
find "$SESSIONS_DIR" -name "*.lock" -type f -delete 2>/dev/null || true
fi
fi
# Start the gateway
exec node dist/index.js gateway \
--bind ${GATEWAY_BIND:-loopback} \
--port "${GATEWAY_PORT:-18789}" \
--allow-unconfigured