Add Docker Compose configuration for OpenClaw gateway (#13)

Co-authored-by: Claude <noreply@anthropic.com>

Author: nsheaps

.github/workflows/arcane-deploy.yaml

@@ -4,7 +4,7 @@ on:
   push:
     branches: [main]
     paths:
-      - 'hosts/heapsnas/**'
+      - 'arcane/**'
       - '.github/workflows/arcane-deploy.yaml'
 
 concurrency:
@@ -20,6 +20,35 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Set Arcane global variables
+        env:
+          ARCANE_URL: ${{ secrets.ARCANE_URL }}
+          ARCANE_API_KEY: ${{ secrets.ARCANE_API_KEY }}
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          # Fetch existing global variables
+          existing=$(curl -sf --max-time 30 \
+            -H "X-Api-Key: ${ARCANE_API_KEY}" \
+            "${ARCANE_URL}/api/templates/variables")
+
+          # Merge OP_SERVICE_ACCOUNT_TOKEN into existing variables (upsert)
+          updated=$(echo "${existing}" | jq \
+            --arg key "OP_SERVICE_ACCOUNT_TOKEN" \
+            --arg val "${OP_SERVICE_ACCOUNT_TOKEN}" \
+            '.data | map(select(.key != $key)) + [{"key": $key, "value": $val}] | {"variables": .}')
+
+          # Update global variables
+          curl -sf --max-time 30 \
+            -X PUT \
+            -H "X-Api-Key: ${ARCANE_API_KEY}" \
+            -H "Content-Type: application/json" \
+            -d "${updated}" \
+            "${ARCANE_URL}/api/templates/variables" > /dev/null
+
+          echo "Global variables updated"
+
       - name: Deploy heapsnas stacks
         # TODO: Pin to commit SHA once nsheaps/github-actions has releases.
         #       See: https://github.com/nsheaps/iac/issues/3
@@ -28,7 +57,7 @@ jobs:
           arcane-url: ${{ secrets.ARCANE_URL }}
           arcane-api-key: ${{ secrets.ARCANE_API_KEY }}
           environment-id: ${{ secrets.ARCANE_ENVIRONMENT_ID }}
-          compose-dir: hosts/heapsnas
+          compose-dir: arcane/hosts/heapsnas
           sync-name-prefix: heapsnas
           auth-type: http
           git-token: ${{ secrets.GIT_TOKEN }}

arcane/hosts/heapsnas/openclaw/compose.yaml

@@ -0,0 +1,116 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json
+name: 'openclaw'
+
+# OP_SERVICE_ACCOUNT_TOKEN is set as an Arcane global variable by the
+# arcane-deploy workflow. It's available to all compose projects via
+# Arcane's .env.global mechanism.
+
+services:
+  init-secrets:
+    image: 1password/op:2
+    user: '0:0' # Run as root for putting in the secrets dir
+    environment:
+      - OP_SERVICE_ACCOUNT_TOKEN=${OP_SERVICE_ACCOUNT_TOKEN}
+    volumes:
+      - openclaw-secrets:/run/secrets:rw
+    command:
+      - /bin/bash
+      - -c
+      - |
+        set -euo pipefail
+        {
+          function fetch() {
+              local ref="$$1"
+              local dest="$$2"
+              op read --no-newline "$$ref" > "$$dest"
+              echo " got '$$ref' => '$$dest'"
+          }
+          echo "Fetching all secrets in parallel..."
+
+          fetch "op://heapsinfra/arcane--heapsnas--openclaw/gateway_token" "/run/secrets/openclaw_gateway_token" &
+
+          wait
+          chmod 444 /run/secrets/*
+        } || {
+          echo "Failed to fetch secrets, waiting 5 minutes before exiting"
+          sleep 300
+          exit 1
+        }
+
+  openclaw-gateway:
+    image: ghcr.io/openclaw/openclaw:latest
+    restart: unless-stopped
+    init: true
+    environment:
+      - HOME=/home/node
+      - TERM=xterm-256color
+    volumes:
+      - openclaw-config:/home/node/.openclaw
+      - openclaw-workspace:/home/node/.openclaw/workspace
+      - openclaw-secrets:/run/secrets:ro
+    ports:
+      - '${OPENCLAW_GATEWAY_PORT:-18789}:18789'
+    command:
+      - node
+      - dist/index.js
+      - gateway
+      - --bind
+      - lan
+      - --port
+      - '18789'
+      - --token-file
+      - /run/secrets/openclaw_gateway_token
+    healthcheck:
+      test:
+        - CMD
+        - node
+        - -e
+        - "fetch('http://127.0.0.1:18789/healthz').then((r)=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
+      interval: 30s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+    networks:
+      - cloudflared
+    depends_on:
+      init-secrets:
+        condition: service_completed_successfully
+
+  openclaw-cli:
+    image: ghcr.io/openclaw/openclaw:latest
+    restart: unless-stopped
+    init: true
+    network_mode: 'service:openclaw-gateway'
+    cap_drop:
+      - NET_RAW
+      - NET_ADMIN
+    security_opt:
+      - no-new-privileges:true
+    environment:
+      - HOME=/home/node
+      - TERM=xterm-256color
+      - BROWSER=echo
+    volumes:
+      - openclaw-config:/home/node/.openclaw
+      - openclaw-workspace:/home/node/.openclaw/workspace
+      - openclaw-secrets:/run/secrets:ro
+    stdin_open: true
+    tty: true
+    entrypoint: ['node', 'dist/index.js']
+    depends_on:
+      openclaw-gateway:
+        condition: service_healthy
+
+# https://docs.docker.com/engine/storage/drivers/
+volumes:
+  openclaw-secrets:
+    driver: local
+  openclaw-config:
+    driver: local
+  openclaw-workspace:
+    driver: local
+
+# https://docs.docker.com/engine/network/drivers/
+networks:
+  cloudflared:
+    external: true

package.json

@@ -9,7 +9,7 @@
     "check:fix": "nx run-many --target check:prettier:fix --target check:docker",
     "check:prettier": "nx exec -- prettier --check '**/*.{yaml,yml,md,json,json5}'",
     "check:prettier:fix": "nx exec -- prettier --write '**/*.{yaml,yml,md,json,json5}'",
-    "check:docker": "nx exec -- bin/check-docker-compose.sh hosts/*/*-compose.{yaml,yml}"
+    "check:docker": "nx exec -- bin/check-docker-compose.sh hosts/*/*-compose.{yaml,yml} arcane/hosts/*/*/compose.{yaml,yml}"
   },
   "author": "Nathan Heaps",
   "license": "MIT",