Automated Tier 3+ Security Hardening for OpenClaw AI Agents
This Ansible playbook implements and extends the security hardening measures described in the OpenClaw Security Guide, providing a fully automated deployment with additional defense-in-depth layers.
Deploys a hardened OpenClaw installation with:
- Rootless Podman containers: Strict isolation running as a non-privileged user.
- Network egress filtering: Squid proxy sidecar with a domain allowlist.
- HTTPS termination: Caddy reverse proxy with auto-generated self-signed certificates.
- LiteLLM credential brokering: OpenClaw never sees real API keys; LiteLLM spoofs models (e.g., Deepseek acting as Claude).
- Consolidated Configuration: Single `openclaw.json` master config for Gateway, Tools, and Agents.
- Automated Identity: EFF wordlist hostname generation and persistent SSH key management.
- Multi-OS support: Native tasks for Arch Linux and Debian/Ubuntu (AWS ready).
- Security Monitoring: Systemd-based weekly audits for prompt injections and blocked domains.
| Feature | Original Article (Tier 3) | This Ansible Implementation |
|---|---|---|
| Container Runtime | Docker | Podman (rootless) ⭐ |
| Network Filtering | Firewall only | Firewall + Squid egress allowlist ⭐ |
| HTTPS | Optional/Manual | Caddy reverse proxy (Terminated HTTPS) ⭐ |
| Identity Management | Manual setup | Automated EFF wordlist generation |
| OS Support | Ubuntu focus | Arch + Debian/Ubuntu auto-detection |
| Deployment Method | Manual | Fully automated interactive script |
| Monitoring | Manual cron | Systemd timers + audit script |
| LLM Providers | Anthropic focus | Ollama (Deepseek) / Anthropic / OpenAI |
| Secrets Management | Manual generation | Auto-gen with PERSISTENCE across runs ⭐ |
| Access Control | Token only | Token + Manual Device Pairing |
Local Machine (Controller):
- Ansible 2.10+
- OpenSSL (for cert generation)
- SSH Client (`ssh-keygen`)
- Python 3.8+
Target Machine:
- Arch Linux OR Debian/Ubuntu
- Initial root/sudo access (Password or AWS .pem key)
- 2GB+ RAM
```bash
cd openclaw-hardened-ansible
chmod +x deploy.sh update-allowlist.sh
```
Run the interactive script. It will prompt for your IP, provider, and keys.
```bash
./deploy.sh
```
AWS/Cloud Example:
```bash
./deploy.sh \
  --target 54.x.x.x \
  --ssh-user ubuntu \
  --ssh-key ~/my-aws-key.pem \
  --mgmt-cidr 192.168.20.0/24 \
  --provider ollama \
  --model "deepseek-r1:8b" \
  --url "http://10.100.1.25:11434"
```
Once finished, get your persistent token:
```bash
ssh -i ssh-keys/your-name.pem openclaw@IP "cat ~/openclaw-docker/.env | grep TOKEN"
```
Open https://IP:18789, click through the SSL warning, and paste the token in Settings.
Since device auth is enabled, you must approve your browser from the host CLI:
```bash
# Inside the OpenClaw host
podman exec openclaw-agent openclaw devices pending
podman exec openclaw-agent openclaw devices approve <YOUR_ID>
```
To update the domain allowlist:
- Edit `roles/tier3-setup/templates/allowlist.txt.j2`.
- Run `./update-allowlist.sh -t IP --ssh-user USER --ask-pass`.
A systemd timer runs monitor-openclaw.sh weekly. To run manually:
```bash
sudo /home/openclaw/openclaw-docker/monitor-openclaw.sh
```
Check the reports at `~/openclaw-docker/security-audit-YYYYMMDD.log`.
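The weekly audit covers blocked domains; the function below is an added example (not the project's `monitor-openclaw.sh`) showing one way to summarize egress that the Squid sidecar denied. It assumes Squid's default native `access.log` format; the log path in the usage comment and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: summarize egress requests that Squid denied.
# Assumes Squid's default native access.log field order:
#   time elapsed client code/status bytes method URL user hierarchy type

# Constructed sample log lines (not real traffic).
sample_squid_log() {
  cat <<'EOF'
1718000000.101    120 10.89.0.5 TCP_TUNNEL/200 5120 CONNECT api.anthropic.com:443 - HIER_DIRECT/203.0.113.10 -
1718000003.442      0 10.89.0.5 TCP_DENIED/403 3901 CONNECT paste.example.net:443 - HIER_NONE/- text/html
1718000004.010      0 10.89.0.5 TCP_DENIED/403 3899 GET http://paste.example.net/raw/abc - HIER_NONE/- text/html
1718000009.877      0 10.89.0.5 TCP_DENIED/403 3950 CONNECT files.example.org:8443 - HIER_NONE/- text/html
EOF
}

# denied_domains: read access.log lines on stdin and print "count host"
# for every denied destination, most frequent first.
denied_domains() {
  awk '
    $4 ~ /^TCP_DENIED/ {
      host = tolower($7)
      sub(/^[a-z]+:\/\//, "", host)   # drop the scheme of plain HTTP requests
      sub(/\/.*$/, "", host)          # drop the path
      sub(/:[0-9]+$/, "", host)       # drop the port (CONNECT host:port)
      count[host]++
    }
    END { for (h in count) printf "%d %s\n", count[h], h }
  ' | sort -k1,1nr -k2,2
}

# Demo on the constructed sample. Against a real log (path is an assumption):
#   denied_domains < /var/log/squid/access.log
sample_squid_log | denied_domains
```

A destination that shows up repeatedly here and is not something you asked the agent to reach is worth reviewing before it is ever added to the allowlist.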
If you see errors, run the OpenClaw "Doctor" to check the schema:
```bash
podman exec openclaw-agent openclaw doctor
```
- `deploy.sh`: Main entry point (interactive/CLI).
- `update-allowlist.sh`: Lightweight allowlist updater.
- `ssh-keys/`: Stores generated `.pem` and `.crt` files.
- `roles/tier3-setup/`: The core hardening logic.
- `requirements.yml`: Ansible dependencies (auto-installed).
Provided as-is for harm-reduction. OpenClaw is architecturally "spicy"—this deployment reduces the blast radius but prompt injection remains an inherent risk of LLMs. Use burner accounts only.