Your own personal AI assistant. Any OS. Any Platform. The lobster way. 🦞
Go to file
2026-01-27 15:34:10 +00:00
.agent/workflows chore(repo): remove stray .DS_Store 2026-01-26 19:41:25 +00:00
.github fix: stabilize install smoke against clawdbot installer 2026-01-27 14:58:01 +00:00
apps refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
assets refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
docs refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
extensions refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
git-hooks fix: add git hook setup and stable config hash sorting 2026-01-19 02:02:17 +00:00
packages/clawdbot refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
patches fix: bundle mac model catalog 2026-01-21 19:58:19 +00:00
scripts fix: skip a2ui bundling when sources are excluded 2026-01-27 15:01:57 +00:00
skills refactor: align skills and loaders with moltbot rename 2026-01-27 12:21:02 +00:00
src chore: update a2ui bundle hash 2026-01-27 13:00:02 +00:00
Swabble fix: tui local shell consent UX (#1463) 2026-01-22 23:38:44 +00:00
test refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
ui refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
vendor/a2ui refactor(vendor): align a2ui renderer typings 2026-01-14 01:17:56 +00:00
.detect-secrets.cfg chore: stabilize prek hooks runner selection (#1720) (thanks @dguido) 2026-01-25 10:55:28 +00:00
.dockerignore Docker: add root-level setup 2026-01-02 13:53:06 +02:00
.env.example Add warelay CLI with Twilio webhook support 2025-11-24 11:23:15 +01:00
.gitattributes ci: enforce lf line endings 2026-01-08 02:29:20 +00:00
.gitignore Build: stop tracking bundled artifacts (#2455) (thanks @0oAstro) 2026-01-26 23:08:25 -05:00
.gitignore-clawdbot feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
.npmrc build: allow matrix crypto build scripts 2026-01-20 12:23:05 +00:00
.oxfmtrc.jsonc chore: migrate to oxlint and oxfmt 2026-01-14 15:02:19 +00:00
.oxlintrc.json Update oxlint config to put ignore pattern inside the oxlint config. 2026-01-17 03:19:42 +00:00
.pre-commit-config.yaml chore: stabilize prek hooks runner selection (#1720) (thanks @dguido) 2026-01-25 10:55:28 +00:00
.prettierignore fix: stabilize ci checks 2026-01-19 00:34:26 +00:00
.secrets.baseline chore: stabilize prek hooks runner selection (#1720) (thanks @dguido) 2026-01-25 10:55:28 +00:00
.shellcheckrc feat: add prek pre-commit hooks and dependabot (#1720) 2026-01-25 10:53:23 +00:00
.swiftformat feat: add prek pre-commit hooks and dependabot (#1720) 2026-01-25 10:53:23 +00:00
.swiftlint.yml chore(swift): narrow formatter/lint scope 2026-01-09 19:49:12 +00:00
AGENTS.md refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
appcast.xml refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
CHANGELOG.md refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
CLAUDE.md Document exclamation mark escaping workaround for Claude Code 2025-12-02 06:52:56 +00:00
CONTRIBUTING.md refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
DEPLOYMENT_SUMMARY.md feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
docker-compose.yml refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
docker-setup.sh refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
Dockerfile security: apply Agents Council recommendations 2026-01-26 13:39:14 +00:00
Dockerfile.sandbox feat: add per-session agent sandbox 2026-01-03 21:41:58 +01:00
Dockerfile.sandbox-browser refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
docs.acp.md refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
fix-docker-image.sh feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
fly.private.toml refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
fly.toml refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
install_and_harden.sh feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
INSTALLATION_REPORT.md feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
LICENSE Initial commit 2025-11-24 11:16:47 +01:00
package.json fix: include compat dist in npm package 2026-01-27 12:59:59 +00:00
pnpm-lock.yaml fix: sync pnpm lockfile for moltbot rename 2026-01-27 14:37:10 +00:00
pnpm-workspace.yaml chore: update molt.bot domains 2026-01-27 12:21:01 +00:00
QUICK_REFERENCE.md feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
README-header.png docs: add README header image 2025-11-25 14:29:21 +01:00
README.md feat(infra): add secure Ubuntu hardening and Clawdbot install script 2026-01-27 15:34:10 +00:00
render.yaml refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
SECURITY.md refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
tsconfig.json web: add heartbeat and bounded reconnect tuning 2025-11-26 02:34:43 +01:00
vitest.config.ts refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
vitest.e2e.config.ts refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
vitest.extensions.config.ts chore: speed up tests and update opencode models 2026-01-23 11:36:32 +00:00
vitest.gateway.config.ts chore: speed up tests and update opencode models 2026-01-23 11:36:32 +00:00
vitest.live.config.ts refactor: rename clawdbot to moltbot with legacy compat 2026-01-27 12:21:02 +00:00
vitest.unit.config.ts chore: speed up tests and update opencode models 2026-01-23 11:36:32 +00:00
zizmor.yml feat: add prek pre-commit hooks and dependabot (#1720) 2026-01-25 10:53:23 +00:00

Clawdbot Secure Installation Guide

This repository contains scripts to securely install and configure Clawdbot on Ubuntu 22.04 with comprehensive security hardening.

Features

  • Docker-based Clawdbot installation
  • Gateway binds to localhost only (127.0.0.1) - NOT publicly accessible
  • Password authentication with strong password requirements (16+ chars)
  • Tailscale integration for secure remote access
  • UFW firewall configured (SSH + Tailscale only, blocks everything else)
  • Fail2ban for SSH brute force protection
  • Unattended security updates enabled
  • Non-root user for running Clawdbot
  • Log rotation configured
  • DM policy set to pairing (not open)
  • Channel allowlist configured (not open)
  • Idempotent - safe to run multiple times
  • Reversible - complete uninstall instructions included

Quick Start (One-Line Command)

Required Environment Variables

export CLAWDBOT_PASSWORD="your-strong-password-min-16-chars"
export TAILSCALE_AUTH_KEY="tskey-auth-xxxxx"  # Optional but recommended

Installation

curl -fsSL https://raw.githubusercontent.com/yourusername/yourrepo/main/install_and_harden.sh | sudo -E bash

Or download and run locally:

wget https://raw.githubusercontent.com/yourusername/yourrepo/main/install_and_harden.sh
chmod +x install_and_harden.sh
export CLAWDBOT_PASSWORD="your-strong-password-min-16-chars"
export TAILSCALE_AUTH_KEY="tskey-auth-xxxxx"  # Optional
sudo -E ./install_and_harden.sh

Manual Installation Steps

1. Prepare Environment Variables

Create a secure password (minimum 16 characters):

export CLAWDBOT_PASSWORD="$(openssl rand -base64 24)"
echo "Your Clawdbot password: $CLAWDBOT_PASSWORD"
# SAVE THIS PASSWORD SECURELY!

Get a Tailscale auth key from: https://login.tailscale.com/admin/settings/keys

export TAILSCALE_AUTH_KEY="tskey-auth-xxxxx"

2. Run Installation Script

sudo -E ./install_and_harden.sh

The script will:

  • Update system packages
  • Install Docker, UFW, Fail2ban, Tailscale
  • Create a non-root clawdbot user
  • Configure firewall (SSH + Tailscale only)
  • Enable unattended security updates
  • Install and configure Clawdbot with secure defaults
  • Run a health check

3. Access Clawdbot

cd /home/clawdbot/clawdbot
sudo ./setup-tailscale-serve.sh

Access at: https://<hostname>.<tailnet>.ts.net

Option B: SSH Tunnel

From your local machine:

ssh -L 3000:127.0.0.1:3000 ubuntu@<server-ip>

Access at: http://localhost:3000

Login with your CLAWDBOT_PASSWORD.

Security Architecture

Network Security

  • Gateway Binding: Clawdbot gateway binds to 127.0.0.1:3000 only (not 0.0.0.0)
  • No Public Ports: Port 3000 is NOT exposed to the internet
  • UFW Firewall: Only SSH (22) and Tailscale (41641/udp) are allowed
  • Access Methods: Only via Tailscale Serve or SSH tunnel

Authentication & Authorization

  • Auth Mode: Password-based authentication (required)
  • Strong Password: Minimum 16 characters enforced
  • DM Policy: Set to pairing (not open)
  • Channel Allowlist: Configured (not open to all)

System Hardening

  • Non-Root User: Clawdbot runs as dedicated clawdbot user
  • Fail2ban: Protects SSH from brute force attacks (3 attempts, 2-hour ban)
  • Unattended Upgrades: Automatic security updates enabled
  • Log Rotation: Prevents disk space exhaustion
  • Docker Isolation: Clawdbot runs in isolated container

Management Commands

Check Status

sudo systemctl status clawdbot
docker ps

View Logs

docker logs clawdbot -f

Restart Service

sudo systemctl restart clawdbot

Stop Service

sudo systemctl stop clawdbot

Health Check

cd /home/clawdbot/clawdbot
./clawdbot-doctor.sh

Update Clawdbot

cd /home/clawdbot/clawdbot
docker-compose pull
sudo systemctl restart clawdbot

Configuration

Configuration file: /home/clawdbot/clawdbot/.env

Important: Never commit .env to git! It contains your password.

To change settings:

sudo nano /home/clawdbot/clawdbot/.env
sudo systemctl restart clawdbot

Troubleshooting

Clawdbot not starting

docker logs clawdbot
sudo systemctl status clawdbot

Can't access via Tailscale

sudo tailscale status
sudo tailscale up  # Re-authenticate if needed

Firewall blocking connections

sudo ufw status verbose

Check all security settings

cd /home/clawdbot/clawdbot
./clawdbot-doctor.sh

Uninstall / Rollback

See /home/clawdbot/clawdbot/UNINSTALL.md for complete removal instructions.

Quick Uninstall

sudo systemctl stop clawdbot
sudo systemctl disable clawdbot
cd /home/clawdbot/clawdbot
docker-compose down -v
sudo userdel -r clawdbot
sudo rm /etc/systemd/system/clawdbot.service
sudo systemctl daemon-reload

Files Included

  • install_and_harden.sh - Main installation script (idempotent)
  • docker-compose.yml - Docker Compose configuration (generated)
  • .env - Environment variables with secrets (generated, not in git)
  • README.md - This file
  • UNINSTALL.md - Removal instructions (generated)
  • clawdbot-doctor.sh - Health check script (generated)
  • setup-tailscale-serve.sh - Tailscale Serve setup (generated)

Security Best Practices

  1. Never commit secrets to git - .env file is excluded
  2. Use strong passwords - Minimum 16 characters enforced
  3. Keep system updated - Unattended upgrades enabled
  4. Monitor logs - Check docker logs clawdbot regularly
  5. Run health checks - Use clawdbot-doctor.sh periodically
  6. Limit access - Only use Tailscale or SSH tunnel, never expose publicly
  7. Review firewall rules - sudo ufw status verbose
  8. Check Fail2ban - sudo fail2ban-client status sshd

Requirements

  • Ubuntu 22.04 LTS (fresh installation recommended)
  • Root or sudo access
  • Internet connection
  • Tailscale account (optional but recommended)

License

This script is provided as-is for secure Clawdbot deployment.

Support

For issues with:

  • This script: Open an issue in this repository
  • Clawdbot: See official Clawdbot documentation
  • Tailscale: See https://tailscale.com/kb/

Changelog

  • v1.0.0 - Initial release with full security hardening