349 lines
8.6 KiB
Markdown
349 lines
8.6 KiB
Markdown
# Enterprise Deployment Guide
|
|
|
|
This guide covers deployment patterns for enterprise environments with multiple users, teams, and security requirements.
|
|
|
|
## Deployment Patterns
|
|
|
|
### Single-Tenant (Recommended for Teams)
|
|
|
|
A single gateway serves one team with shared configuration:
|
|
|
|
```
|
|
┌─────────────────────────────────────────┐
|
|
│ Gateway Host │
|
|
│ ┌─────────────────────────────────┐ │
|
|
│ │ Moltbot Gateway │ │
|
|
│ │ - All team channels │ │
|
|
│ │ - Shared agent config │ │
|
|
│ │ - Team-wide RBAC │ │
|
|
│ └─────────────────────────────────┘ │
|
|
└─────────────────────────────────────────┘
|
|
│ │ │
|
|
┌────┴───┐ ┌────┴───┐ ┌────┴───┐
|
|
│ User A │ │ User B │ │ User C │
|
|
└────────┘ └────────┘ └────────┘
|
|
```
|
|
|
|
**Configuration:**
|
|
|
|
```yaml
|
|
# config.yaml
|
|
gateway:
|
|
port: 18789
|
|
auth:
|
|
mode: token
|
|
token: ${GATEWAY_TOKEN}
|
|
|
|
rbac:
|
|
enabled: true
|
|
defaultRole: user
|
|
assignments:
|
|
"admin@company.com": admin
|
|
"dev@company.com": operator
|
|
```
|
|
|
|
### Multi-Tenant (Isolated Teams)
|
|
|
|
Separate gateway instances per team for full isolation:
|
|
|
|
```
|
|
┌──────────────────┐ ┌──────────────────┐
|
|
│ Team A Host │ │ Team B Host │
|
|
│ ┌──────────────┐ │ │ ┌──────────────┐ │
|
|
│ │ Gateway A │ │ │ │ Gateway B │ │
|
|
│ │ Port 18789 │ │ │ │ Port 18790 │ │
|
|
│ └──────────────┘ │ │ └──────────────┘ │
|
|
└──────────────────┘ └──────────────────┘
|
|
│ │
|
|
Team A Users Team B Users
|
|
```
|
|
|
|
**Benefits:**
|
|
- Complete data isolation between teams
|
|
- Independent configuration and credentials
|
|
- Separate audit logs per team
|
|
- Different RBAC policies per team
|
|
|
|
**Setup:**
|
|
|
|
```bash
|
|
# Team A gateway
|
|
clawdbot config set gateway.port 18789
|
|
clawdbot config set gateway.auth.token "team-a-token"
|
|
|
|
# Team B gateway (different host or port)
|
|
clawdbot config set gateway.port 18790
|
|
clawdbot config set gateway.auth.token "team-b-token"
|
|
```
|
|
|
|
### Multi-Agent Routing
|
|
|
|
Route different users to different agents based on channel or identity:
|
|
|
|
```yaml
|
|
# config.yaml
|
|
agents:
|
|
main:
|
|
model: claude-sonnet-4-20250514
|
|
system: "You are a general assistant."
|
|
|
|
devops:
|
|
model: claude-sonnet-4-20250514
|
|
system: "You are a DevOps specialist."
|
|
tools:
|
|
policy: elevated
|
|
|
|
support:
|
|
model: claude-sonnet-4-20250514
|
|
system: "You are a customer support agent."
|
|
tools:
|
|
policy: read-only
|
|
|
|
bindings:
|
|
- channel: slack
|
|
channelId: "devops-channel"
|
|
agentId: devops
|
|
|
|
- channel: telegram
|
|
senderId: "support-team"
|
|
agentId: support
|
|
```
|
|
|
|
### Per-User Agent Isolation
|
|
|
|
Give each user their own agent instance:
|
|
|
|
```yaml
|
|
# config.yaml
|
|
agents:
|
|
template:
|
|
model: claude-sonnet-4-20250514
|
|
session:
|
|
mode: persistent
|
|
dir: ~/.clawdbot/sessions/${senderId}
|
|
|
|
bindings:
|
|
- channel: "*"
|
|
agentId: template
|
|
sessionKey: "${channel}:${senderId}"
|
|
```
|
|
|
|
## Container Deployment
|
|
|
|
### Docker
|
|
|
|
```dockerfile
|
|
FROM node:22-alpine
|
|
RUN npm install -g clawdbot@latest
|
|
EXPOSE 18789
|
|
VOLUME /root/.clawdbot
|
|
CMD ["clawdbot", "gateway", "run", "--bind", "0.0.0.0"]
|
|
```
|
|
|
|
```yaml
|
|
# docker-compose.yaml
|
|
services:
|
|
clawdbot:
|
|
image: clawdbot:latest
|
|
ports:
|
|
- "18789:18789"
|
|
volumes:
|
|
- ./config:/root/.clawdbot
|
|
environment:
|
|
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
|
|
- GATEWAY_TOKEN=${GATEWAY_TOKEN}
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:18789/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
```
|
|
|
|
### Kubernetes
|
|
|
|
```yaml
|
|
# deployment.yaml
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: clawdbot-gateway
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app: clawdbot
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: clawdbot
|
|
spec:
|
|
containers:
|
|
- name: gateway
|
|
image: clawdbot:latest
|
|
ports:
|
|
- containerPort: 18789
|
|
env:
|
|
- name: ANTHROPIC_API_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: clawdbot-secrets
|
|
key: anthropic-api-key
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 18789
|
|
initialDelaySeconds: 10
|
|
periodSeconds: 30
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /ready
|
|
port: 18789
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 10
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /root/.clawdbot
|
|
volumes:
|
|
- name: config
|
|
configMap:
|
|
name: clawdbot-config
|
|
```
|
|
|
|
```yaml
|
|
# service.yaml
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: clawdbot
|
|
annotations:
|
|
prometheus.io/scrape: "true"
|
|
prometheus.io/port: "18789"
|
|
prometheus.io/path: "/metrics"
|
|
spec:
|
|
selector:
|
|
app: clawdbot
|
|
ports:
|
|
- port: 18789
|
|
targetPort: 18789
|
|
```
|
|
|
|
## High Availability
|
|
|
|
### Load Balancing Considerations
|
|
|
|
Moltbot gateway is stateful (WebSocket connections, session state). For HA:
|
|
|
|
1. **Sticky sessions** - Route users to the same instance
|
|
2. **Shared state** - Use external session storage (future feature)
|
|
3. **Active-passive** - Run standby instance for failover
|
|
|
|
### Health Endpoints
|
|
|
|
Configure your load balancer to use:
|
|
|
|
- **Liveness:** `GET /health` - Returns 200 if process is alive
|
|
- **Readiness:** `GET /ready` - Returns 200 if channels are connected
|
|
|
|
### Graceful Shutdown
|
|
|
|
The gateway handles SIGTERM gracefully:
|
|
1. Stops accepting new connections
|
|
2. Completes in-flight requests
|
|
3. Closes WebSocket connections cleanly
|
|
4. Flushes audit logs
|
|
|
|
## Network Configuration
|
|
|
|
### Firewall Rules
|
|
|
|
| Port | Direction | Purpose |
|
|
|------|-----------|---------|
|
|
| 18789 | Inbound | Gateway WebSocket/HTTP |
|
|
| 443 | Outbound | Anthropic API, channel APIs |
|
|
|
|
### Reverse Proxy
|
|
|
|
With nginx:
|
|
|
|
```nginx
|
|
upstream clawdbot {
|
|
server localhost:18789;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name gateway.company.com;
|
|
|
|
ssl_certificate /etc/ssl/certs/gateway.crt;
|
|
ssl_certificate_key /etc/ssl/private/gateway.key;
|
|
|
|
location / {
|
|
proxy_pass http://clawdbot;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 86400;
|
|
}
|
|
}
|
|
```
|
|
|
|
Configure trusted proxies in Moltbot:
|
|
|
|
```yaml
|
|
gateway:
|
|
trustedProxies:
|
|
- "10.0.0.0/8"
|
|
- "172.16.0.0/12"
|
|
- "192.168.0.0/16"
|
|
```
|
|
|
|
## Environment Variables
|
|
|
|
| Variable | Description |
|
|
|----------|-------------|
|
|
| `ANTHROPIC_API_KEY` | API key for Claude models |
|
|
| `GATEWAY_TOKEN` | Gateway authentication token |
|
|
| `CLAWDBOT_CONFIG_PATH` | Custom config file path |
|
|
| `CLAWDBOT_STATE_DIR` | State directory (sessions, logs) |
|
|
| `LOG_LEVEL` | Logging verbosity (debug, info, warn, error) |
|
|
|
|
## Backup and Recovery
|
|
|
|
### Critical Data
|
|
|
|
| Path | Description | Backup Priority |
|
|
|------|-------------|-----------------|
|
|
| `~/.clawdbot/config.yaml` | Configuration | High |
|
|
| `~/.clawdbot/credentials/` | Channel tokens, pairing | High |
|
|
| `~/.clawdbot/sessions/` | Session history | Medium |
|
|
| `~/.clawdbot/audit.jsonl` | Audit logs | High |
|
|
|
|
### Backup Script
|
|
|
|
```bash
|
|
#!/bin/bash
|
|
BACKUP_DIR="/backups/clawdbot/$(date +%Y%m%d)"
|
|
mkdir -p "$BACKUP_DIR"
|
|
|
|
# Config and credentials (encrypted)
|
|
tar -czf "$BACKUP_DIR/config.tar.gz" \
|
|
~/.clawdbot/config.yaml \
|
|
~/.clawdbot/credentials/
|
|
|
|
# Audit logs
|
|
cp ~/.clawdbot/audit*.jsonl "$BACKUP_DIR/"
|
|
|
|
# Retain 30 days
|
|
find /backups/clawdbot -mtime +30 -delete
|
|
```
|
|
|
|
## Next Steps
|
|
|
|
- [Security Hardening](/enterprise/security-hardening) - TLS, rate limiting, audit configuration
|
|
- [Observability](/enterprise/observability) - Metrics, tracing, dashboards
|
|
- [Gateway Configuration](/gateway/configuration) - Full configuration reference
|