A Complete Guide to Securely Deploying, Operating, and Scaling Self-Hosted AI Agents
Introduction: The Production Mindset
Chapter 1: What Is OpenClaw? Architecture and Design Philosophy
- The Self-Hosted AI Agent Landscape
- Three-Layer Architecture: Gateway, Channels, LLM
- The Pi Agent Core and the Conversation Loop
- Canvas: The Visual Workspace
- Multi-Agent Support and Per-Agent Configuration
- Trust Boundaries and Threat Model Overview
Chapter 2: System Requirements and Installation
- Hardware Specifications by Use Case
- Operating System Support
- Node.js Version Requirements
- Installation via npm
- The Onboard Wizard and Daemon Installation
- Verifying the Installation
- Troubleshooting Common Install Failures
Chapter 3: Configuration Deep Dive
- The Configuration File Format and Discovery Rules
- Editing Configuration: Four Methods
- Gateway Settings: Host, Port, Auth Mode, Trusted Proxy
- Agent Configuration: Defaults, Per-Agent Profiles, Skill Allowlists
- Channel Configuration Overview
- Tools and Exec Policy Configuration
- Session Management and Memory Injection
- Environment Variable Overrides and Dotenv Integration
Chapter 4: Authentication, Authorization, and Secrets Management
- LLM Provider Authentication: API Keys, OAuth Flows, and Token Refresh
- Auth Profiles and Multi-Account Management
- Gateway Connection Authentication: API Key, Trusted-Proxy, and Tailscale
- Secret Reference Providers: Environment Variables, Files, and External Systems
- Credential Resolution at Startup and Rotation Procedures
- Production Secrets Management Best Practices
Chapter 5: Channel Integration and Multi-Channel Operations
- WhatsApp Setup: QR Login and Linked Devices
- Telegram Bot Creation and Token Configuration
- Discord Bot Setup with OAuth2 Application Tokens
- Slack Workspace Integration and App Configuration
- Signal, iMessage, Matrix, and Other Channels
- Per-Channel Routing, Mention Gating, and Group Policy
- Multi-Agent Channel Assignment
Chapter 6: LLM Integration: Cloud Providers and Local Models
- Supported Cloud Providers: OpenAI, Anthropic, Google, OpenRouter, and Others
- Provider Configuration with Auth Profiles and Failover Chains
- LiteLLM Integration for Unified Multi-Provider Routing
- Local Model Setup with Ollama, LM Studio, and vLLM
- Hardware Requirements for Local Inference
- Model Selection Trade-Offs: Quality vs Cost vs Latency vs Privacy
Chapter 7: Docker and Kubernetes Deployment
- Pre-built Images and GitHub Container Registry (GHCR)
- Docker Compose Production Template with Annotations
- Volume Mounts, Resource Limits, and Logging Configuration
- Custom Dockerfile for Air-Gapped or Hardened Environments
- Kubernetes Core Resources: Deployment, Service, ConfigMap, Secret
- Persistent Volumes for State and Workspace
- The OpenClaw Operator for Automated Lifecycle Management
- Health Checks, Rolling Updates, and Pod Disruption Budgets
- Ingress Configuration with TLS Termination
Chapter 8: Networking, TLS, and Reverse Proxy Setup
- Default Port Exposure and Firewall Hardening
- Reverse Proxy Architecture: Nginx, Caddy, and Traefik
- TLS Certificate Management with Let’s Encrypt and Certbot
- WebSocket Upgrade Support for Real-Time Channels
- Trusted Proxy Authentication Mode
- Tailscale Integration for Secure Remote Access
- Kubernetes Ingress with TLS Termination
Chapter 9: Security Hardening and Threat Mitigation
- Threat Model for Self-Hosted AI Agents
- Exec Tool Security Policies: Sandbox vs Gateway, Allowlist Enforcement
- Filesystem Permissions on State, Config, and Credentials Directories
- Tool Policy Configuration: Allow/Deny Lists and Approval Workflows
- Prompt Injection Defense Strategies
- Docker Container Hardening
- Network-Level Controls: Bind to Localhost, Disable Control UI When Unnecessary
- Audit Findings and the Security Audit System
- Incident Response Procedures
Chapter 10: Monitoring, Logging, and Observability
- Built-in Logging Configuration and Log Levels
- The Prometheus Metrics Plugin for Gateway Diagnostics
- Grafana Dashboard Setup and Example Queries
- OpenTelemetry Integration for Traces and Structured Logs
- Alerting Strategies: When to Page, What to Monitor
Chapter 11: Backups, Updates, and Disaster Recovery
- What State Lives Where: Config, Workspace, Memory, Sessions, Credentials
- The
openclaw backupCommand and What It Captures - Automated Backup Strategies with Cron and Cloud Storage
- Update Procedures: Rolling Updates, Version Pinning, and Rollback Strategies
- Migration Between Machines or Environments
- Disaster Recovery Runbook: Complete Restore Sequence
Chapter 12: Performance Tuning, Compliance, and Operational Best Practices
- Concurrency Tuning: Max Concurrent Skills and Session Limits
- LLM Call Optimization: Caching, Batching, and Prompt Compression
- Resource Management for Multi-Agent Deployments
- Privacy Considerations: Data Residency, PII Handling, and GDPR Implications
- Compliance Frameworks: SOC 2, HIPAA, and FedRAMP Considerations
- Change Management and Configuration Versioning (GitOps)
- Incident Response Procedures
- Documentation and Runbook Maintenance
- Building an OpenClaw Operations Culture
