holive/openclaw-docker

openclaw-docker

Deploy-first OpenClaw packaging with secure defaults and a Hetzner-ready path.


OpenClaw users usually land here because they want a deployable setup, not just a local test harness. This repo is optimized for that: Hetzner-first infrastructure, image-first runtime, explicit state sync, and a repo-local deploy skill that can drive the operational flow while keeping the manual path documented.

Deploy OpenClaw

Recommended for Claude Code users:

Use $deploy-openclaw-hetzner to fresh-deploy OpenClaw on Hetzner.

The deploy skill currently supports:

  • fresh-deploy for preflight, tofu apply/resume, and readiness verification
  • state-sync for routine data/ / workspaces/ updates to an existing server

If you prefer the manual path, follow the full Hetzner runbook in infra/hetzner/README.md.

Start here for the full deployment guide and decision matrix:

For manual deployments from a customized local clone, the usual follow-up sync is:

make sync-state SERVER=root@<server-ip>

Why This Repo

  • Deploy-first - Hetzner + OpenTofu path with a repo-local deploy skill
  • Secure by default - Loopback binding, token auth, dropped capabilities, and sane container limits
  • Image-first runtime - Prebuilt image for reproducible bootstraps, explicit sync for personal state
  • Multi-workspace - Separate personalities and memory layouts under workspaces/
  • Extensible - Add packages, toolchains, and browser automation without forking the base flow

Local Usage

If you want to run OpenClaw locally for testing or development:

git clone https://github.com/holive/openclaw-docker
cd openclaw-docker
make quickstart

Useful local commands:

make quickstart   # first-time setup + start
make resume       # start (if needed) and chat
make info         # check workspace, provider, container status
make chat         # interactive TUI (requires running gateway)
make help         # show all commands

Provider setup:

  • Free (no API key): Kimi, MiniMax OAuth, or Qwen OAuth via make configure
  • Paid: set provider keys in .env
  • Via OpenRouter: use a single OpenRouter key for multiple providers

For details, see:

Security

Default hardening includes loopback binding, token authentication, cap_drop: ALL, no-new-privileges, a PID limit, and a tmpfs-backed /tmp.

Device pairing ensures only authorized browsers connect. Run make doctor to diagnose configuration issues.

See docs/SECURITY.md for the full security model and docs/REMOTE.md for remote access patterns.
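One way to verify those defaults on a running container is to audit its `docker inspect` output. This is an added example, not code from this repository; the container names, port 8080, and the sample JSON are constructed, and it assumes /tmp is declared through the `tmpfs` option. Token authentication and device pairing are application-level and do not appear in `docker inspect`, so they are not checked here.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/hardened",
   "HostConfig": {
     "CapDrop": ["ALL"],
     "SecurityOpt": ["no-new-privileges:true"],
     "PidsLimit": 256,
     "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"},
     "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
  {"Name": "/weak",
   "HostConfig": {
     "CapDrop": null,
     "SecurityOpt": null,
     "PidsLimit": null,
     "Tmpfs": null,
     "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}}}
]
""")

LOOPBACK = {"127.0.0.1", "::1"}
NNP = ("no-new-privileges", "no-new-privileges:true", "no-new-privileges=true")

def audit(container):
    """Return the hardening defaults listed above that this container lacks."""
    hc = container.get("HostConfig") or {}
    findings = []
    if "ALL" not in [c.upper() for c in hc.get("CapDrop") or []]:
        findings.append("cap_drop: ALL not set")
    if not any(o in NNP for o in hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    if (hc.get("PidsLimit") or 0) <= 0:  # null, 0 and -1 all mean unlimited
        findings.append("no PID limit")
    if "/tmp" not in (hc.get("Tmpfs") or {}):  # assumes the tmpfs option, not a mount
        findings.append("/tmp is not tmpfs")
    for port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp") not in LOOPBACK:  # "" or 0.0.0.0 = all interfaces
                findings.append(f"{port} published on non-loopback address")
    return findings

def audit_all(inspect_json):
    """Map container name to its list of findings (empty list = all checks pass)."""
    return {c["Name"].lstrip("/"): audit(c) for c in inspect_json}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

To run it against a live container, replace the sample with the parsed output of `docker inspect <container>`.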

Documentation

Pre-installed Skills

  • gh - GitHub CLI
  • mcporter - MCP server manager
  • @presto-ai/google-workspace-mcp - Gmail, Calendar, Drive
  • Chromium (optional, enable with OPENCLAW_BROWSER=true)

License

MIT
