OpenClaw Deploy uses native override files at every layer — all gitignored so your local customizations never conflict with upstream changes.
## Override System
| Layer | What to customize | Override file | Template | Required? | Copy when |
|---|---|---|---|---|---|
| Terraform | State backend | terraform/envs/prod/backend.tf | backend.tf.example | Required | Before make init |
| Terraform | Infrastructure variables | terraform/envs/prod/terraform.tfvars | terraform.tfvars.example | Required | Before make plan |
| Docker | Extra services | docker-compose.override.yml | docker-compose.override.example.yml | Optional | Before make bootstrap |
| Make | Extra targets | Makefile.local | Makefile.local.example | Optional | Anytime |
| Ansible | Extra plays | ansible/site.local.yml | ansible/site.local.example.yml | Optional | Anytime |
| Scripts | Addon scripts | scripts/local/ | scripts/local.example/ | Optional | Anytime |
Docker Compose: docker-compose.override.yml is automatically merged — no flags needed.
Makefile: Makefile.local is loaded via -include, so a missing file is silently skipped rather than treated as an error. All variables from the main Makefile are available.
Ansible: ansible/site.local.yml is used instead of site.yml when it exists. It should import site.yml first, then add your local plays.
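The table above is easy to act on by hand, but a small helper keeps the two rules that matter straight: never overwrite an override that already exists, and confirm that every override really is gitignored before the first commit. The script below is an added example, not part of OpenClaw Deploy; it assumes each template sits beside its target (for example terraform/envs/prod/backend.tf.example next to backend.tf) and that the two Terraform overrides are the ones most likely to hold credentials, so they are made owner-only.

```shell
#!/usr/bin/env bash
# Added example (not part of OpenClaw Deploy): seed every override file from
# the table, never overwrite one that exists, tighten permissions on the two
# Terraform overrides, and verify that git ignores all of them.
# ASSUMPTION: each template sits beside its target (e.g.
# terraform/envs/prod/backend.tf.example -> terraform/envs/prod/backend.tf).

# TEMPLATE:TARGET pairs; a trailing slash marks a directory template.
OVERRIDE_PAIRS="
terraform/envs/prod/backend.tf.example:terraform/envs/prod/backend.tf
terraform/envs/prod/terraform.tfvars.example:terraform/envs/prod/terraform.tfvars
docker-compose.override.example.yml:docker-compose.override.yml
Makefile.local.example:Makefile.local
ansible/site.local.example.yml:ansible/site.local.yml
scripts/local.example/:scripts/local/
"

# seed_override TEMPLATE TARGET ROOT
# Prints "created", "kept" (target already present) or "missing-template".
seed_override() {
  local tmpl="$3/${1%/}" target="$3/${2%/}"
  if [ -e "$target" ]; then
    echo kept
  elif [ -d "$tmpl" ]; then
    cp -R "$tmpl" "$target" && echo created
  elif [ -f "$tmpl" ]; then
    cp "$tmpl" "$target" && echo created
  else
    echo missing-template; return 1
  fi
}

# seed_all ROOT: one "<status> <target>" line per pair; never aborts early.
seed_all() {
  local root="${1:-.}" pair st
  for pair in $OVERRIDE_PAIRS; do
    st=$(seed_override "${pair%%:*}" "${pair#*:}" "$root") || true
    echo "$st ${pair#*:}"
  done
}

# restrict_secret_files ROOT: backend.tf and terraform.tfvars are the
# overrides most likely to carry credentials (state backend keys, provider
# settings), so make them owner-only.
restrict_secret_files() {
  local root="${1:-.}" f
  for f in terraform/envs/prod/backend.tf terraform/envs/prod/terraform.tfvars; do
    [ -f "$root/$f" ] && chmod 600 "$root/$f"
  done
  return 0
}

# assert_ignored ROOT: fail if any override target is not gitignored.
# Skipped (returns 0) when ROOT is not a git checkout.
assert_ignored() {
  local root="${1:-.}" pair target bad=0
  git -C "$root" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  for pair in $OVERRIDE_PAIRS; do
    target=${pair#*:}
    if ! git -C "$root" check-ignore -q "${target%/}"; then
      echo "NOT IGNORED: $target"; bad=1
    fi
  done
  return $bad
}

# Typical use from the repo root, before make init:
#   seed_all . && restrict_secret_files . && assert_ignored .
```

assert_ignored relies on git check-ignore, so it reports a gap in .gitignore as well as an override that was accidentally force-added earlier; run it before every first push from a fresh clone.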
## OpenClaw Configuration

### Overview

Configuration lives in openclaw.json (gitignored — create from openclaw.example.json) and is deployed via make deploy.
### Agent Defaults

| Key | Value | Purpose |
|---|---|---|
| userTimezone | UTC | Proper time context for scheduling, logs, heartbeat |
| timeFormat | 24 | European 24h format |
| imageMaxDimensionPx | 800 | Downscale images before vision API — saves ~30% tokens |
| contextTokens | 180000 | Safety margin below 200k model limit |

### Telegram Channel

#### Retry Logic

Resilience for transient network errors (outbound sendMessage, editMessage, sendChatAction):
```json
"retry": {
  "attempts": 3,
  "minDelayMs": 400,
  "maxDelayMs": 30000,
  "jitter": 0.1
}
```

#### Access Control

DM policy: pairing (default) + allowFrom restriction

- allowFrom: ["<YOUR_TELEGRAM_ID>"] — restricts DM access (extra layer beyond pairing)
- groupAllowFrom: ["<USER_ID_1>", "<USER_ID_2>"] — global group sender restriction

Security model:
...
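The retry block in the Telegram section lists four parameters but not the wait schedule they produce. The script below is an added example, not OpenClaw code: it computes that schedule and applies it as a generic retry wrapper. It assumes the usual shape of such a policy (the wait doubles from minDelayMs, is capped at maxDelayMs, and jitter scales each wait by a factor in [1-jitter, 1+jitter]); OpenClaw's own scheduler may differ in detail, and the numbers are the ones from the configuration above.

```shell
#!/usr/bin/env bash
# Added example (not OpenClaw code): the wait schedule a retry block like
# {attempts: 3, minDelayMs: 400, maxDelayMs: 30000, jitter: 0.1} implies, plus
# a wrapper that applies it to any shell command.
# ASSUMPTION: delays double from minDelayMs and are capped at maxDelayMs;
# jitter is applied as a multiplier in [1-jitter, 1+jitter].

# backoff_delay_ms N MIN_MS MAX_MS: un-jittered wait before retry N (1-based).
backoff_delay_ms() {
  local n=$1 min_ms=$2 max_ms=$3 delay=$2 i=1
  while [ "$i" -lt "$n" ] && [ "$delay" -lt "$max_ms" ]; do
    delay=$((delay * 2)); i=$((i + 1))
  done
  [ "$delay" -gt "$max_ms" ] && delay=$max_ms
  echo "$delay"
}

# jittered_delay_ms BASE_MS JITTER [R]: BASE_MS scaled by 1-JITTER+2*JITTER*R.
# R defaults to a random value in [0,1); pass it explicitly for determinism.
jittered_delay_ms() {
  local r=${3:-$(awk 'BEGIN { srand(); print rand() }')}
  awk -v b="$1" -v j="$2" -v r="$r" 'BEGIN { printf "%.0f\n", b * (1 - j + 2 * j * r) }'
}

# retry_schedule ATTEMPTS MIN_MS MAX_MS: the ATTEMPTS-1 un-jittered waits.
retry_schedule() {
  local attempts=$1 n=1 out=""
  while [ "$n" -lt "$attempts" ]; do
    out="$out$(backoff_delay_ms "$n" "$2" "$3") "; n=$((n + 1))
  done
  printf '%s\n' "${out% }"
}

# with_retry ATTEMPTS MIN_MS MAX_MS JITTER -- CMD [ARGS...]
# Runs CMD up to ATTEMPTS times, sleeping the jittered backoff between tries.
# Exit status is 0 on the first success, else CMD's last status.
with_retry() {
  local attempts=$1 min_ms=$2 max_ms=$3 jitter=$4 n=1 status ms
  shift 4; [ "$1" = "--" ] && shift
  while :; do
    "$@" && return 0
    status=$?
    [ "$n" -ge "$attempts" ] && return "$status"
    ms=$(jittered_delay_ms "$(backoff_delay_ms "$n" "$min_ms" "$max_ms")" "$jitter")
    sleep "$(awk -v ms="$ms" 'BEGIN { printf "%.3f", ms / 1000 }')"
    n=$((n + 1))
  done
}

# With the configured values, retry_schedule 3 400 30000 prints "400 800";
# jitter 0.1 moves those waits into [360,440] and [720,880] milliseconds.
```

Three attempts means two waits, so maxDelayMs never comes into play at these settings; it only matters if attempts is raised, where it stops the doubling at 30 s. The jitter is what keeps many bot instances from retrying Telegram in lockstep after a shared outage.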
## Secrets Reference

Two secret files are required. Neither is ever committed to git.
### secrets/inputs.sh — Infrastructure config

Sourced by the Makefile at parse time (and re-exported for Terraform). It holds deployment-level configuration and provider credentials (the Hetzner token, a Tailscale auth key), not the application's runtime secrets.
```sh
cp secrets/inputs.example.sh secrets/inputs.sh
vim secrets/inputs.sh
```

| Variable | Required | Description |
|---|---|---|
| HCLOUD_TOKEN | Yes | Hetzner Cloud API token — console.hetzner.cloud → Security → API Tokens |
| SSH_KEY_FINGERPRINT | Yes | Fingerprint of your SSH key uploaded to Hetzner — console → Security → SSH Keys |
| SERVER_IP | Tailscale only | Set to openclaw-prod (MagicDNS) after locking down SSH. Leave unset to auto-detect from Terraform output. |
| TAILSCALE_AUTH_KEY | Tailscale only | Reusable pre-authorized key from login.tailscale.com/admin/settings/keys. Must be set before make bootstrap. |
| SSH_KEY | No | Path to SSH private key. Defaults to ~/.ssh/id_rsa. |

The Makefile auto-sources inputs.sh for Terraform vars. For SSH-based targets (make ssh, make deploy, etc.), SERVER_IP must resolve — either auto-detected from Terraform output or explicitly set.
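A mistake in inputs.sh surfaces late, inside Terraform or at the first make ssh, and a world-readable copy of it leaks the Hetzner token to every local user. The preflight below is an added example, not part of OpenClaw Deploy: it encodes the table above as checks that run before any make target. It assumes Tailscale mode is selected by TAILSCALE_AUTH_KEY being set, that Hetzner displays SSH key fingerprints in MD5 colon form (16 hex pairs), and that Tailscale auth keys begin with tskey-.

```shell
#!/usr/bin/env bash
# Added example (not part of OpenClaw Deploy): preflight for secrets/inputs.sh.
# Refuses a secrets file other users can read, sources it, then checks each
# variable from the table for the selected access mode.
# ASSUMPTIONS: Tailscale mode == TAILSCALE_AUTH_KEY set; Hetzner shows SSH key
# fingerprints as MD5 colon form (16 hex pairs); auth keys start with "tskey-".

# owner_only FILE: true when group and other have no permission bits.
owner_only() {
  case $(ls -ld "$1" 2>/dev/null) in
    -???------*) return 0 ;;
    *)           return 1 ;;
  esac
}

# check_inputs: validate the variables from the environment. Prints one
# problem or warning per line; exit status is 0 when nothing is fatal.
check_inputs() {
  local problems=0 key="${SSH_KEY:-$HOME/.ssh/id_rsa}"
  if [ -z "${HCLOUD_TOKEN:-}" ]; then
    echo "HCLOUD_TOKEN is required (console.hetzner.cloud -> Security -> API Tokens)"
    problems=$((problems + 1))
  fi
  if [ -z "${SSH_KEY_FINGERPRINT:-}" ]; then
    echo "SSH_KEY_FINGERPRINT is required (console -> Security -> SSH Keys)"
    problems=$((problems + 1))
  elif ! printf '%s\n' "$SSH_KEY_FINGERPRINT" | grep -Eiq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$'; then
    echo "SSH_KEY_FINGERPRINT should be the MD5 colon form shown by Hetzner (aa:bb:...:ff)"
    problems=$((problems + 1))
  fi
  if [ ! -f "$key" ]; then
    echo "SSH private key $key not found (set SSH_KEY)"
    problems=$((problems + 1))
  elif ! owner_only "$key"; then
    echo "SSH private key $key is readable by group/other"
    problems=$((problems + 1))
  fi
  if [ -n "${TAILSCALE_AUTH_KEY:-}" ]; then
    case $TAILSCALE_AUTH_KEY in
      tskey-*) ;;
      *) echo "TAILSCALE_AUTH_KEY does not look like a Tailscale auth key (tskey-...)"
         problems=$((problems + 1)) ;;
    esac
    [ -n "${SERVER_IP:-}" ] ||
      echo "warning: SERVER_IP unset; auto-detected from Terraform output until SSH is locked down, then set it to openclaw-prod (MagicDNS)"
  fi
  [ "$problems" -eq 0 ]
}

# preflight [FILE]: check the secrets file's mode, source it, validate.
preflight() {
  local f="${1:-secrets/inputs.sh}"
  if [ ! -f "$f" ]; then
    echo "$f missing: cp secrets/inputs.example.sh $f"; return 1
  fi
  if ! owner_only "$f"; then
    echo "$f is readable by group/other: chmod 600 $f"; return 1
  fi
  # shellcheck disable=SC1090
  . "$f"
  check_inputs
}

# Run from the repo root before make init:
#   preflight secrets/inputs.sh
```

The SERVER_IP case is deliberately a warning, not an error: the table says it stays unset until SSH is locked down to Tailscale, so a missing value is correct during the first bootstrap and only becomes a problem afterwards.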
...
## Version Management

All dependencies are pinned in their respective config files. Renovate Bot opens weekly PRs when updates are available (see renovate.json).
### Where versions live

| Dependency | File | Notes |
|---|---|---|
| OpenClaw | docker/Dockerfile (ARG OPENCLAW_VERSION) | Never auto-merged — check release notes + run make backup-now first |
| Node.js base image | docker/Dockerfile (FROM node:...) | |
| chromedp/headless-shell | docker-compose.yml (image:) | |
| Terraform CLI | terraform/envs/prod/main.tf (required_version) | Also enforced in CI via hashicorp/setup-terraform input |
| hcloud provider | terraform/envs/prod/main.tf (version =) | |
| ansible-core | .github/workflows/*.yml (pip install) | Range constraint — bump minor manually |
| GitHub Actions | .github/workflows/*.yml (uses:) | Auto-merged by Renovate |

### Auto-update policy

Renovate runs weekly and opens PRs grouped by ecosystem:
...
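Renovate only proposes bumps; nothing in the table stops a hand edit from replacing a pin with a floating tag between runs. The audit below is an added example, not part of OpenClaw Deploy, covering the container pins from the "Where versions live" table. It assumes docker/Dockerfile carries an ARG OPENCLAW_VERSION=<version> line and FROM node:<tag> lines, and that docker-compose.yml names images with image:; the sample inputs in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of OpenClaw Deploy): audit the container pins from
# the "Where versions live" table so a floating tag cannot slip in between
# Renovate runs. Functions read file contents on stdin, so they work on the
# real files or on constructed samples.
# ASSUMPTIONS: docker/Dockerfile carries "ARG OPENCLAW_VERSION=<ver>" and
# "FROM node:<tag>"; docker-compose.yml uses "image: <ref>".

# image_pinned REF: 0 if REF is pinned by digest or by an explicit,
# non-floating tag; 1 for untagged refs and mutable tags like "latest".
image_pinned() {
  local tag
  case $1 in *@sha256:*) return 0 ;; esac
  case ${1##*/} in           # last path element, so registry:port is ignored
    *:*) tag=${1##*:} ;;
    *)   return 1 ;;
  esac
  case $tag in
    ""|latest|stable|lts|main|master|edge) return 1 ;;
    *) return 0 ;;
  esac
}

# dockerfile_images < Dockerfile: the image of every FROM line, skipping
# "--platform=..." flags and "AS <stage>" aliases.
dockerfile_images() {
  awk 'toupper($1) == "FROM" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break } }'
}

# compose_images < docker-compose.yml: every "image:" value, unquoted.
compose_images() {
  awk '$1 == "image:" { print $2 }' | tr -d "\"'"
}

# arg_value NAME < Dockerfile: value of the first "ARG NAME=<value>" line.
arg_value() {
  awk -v name="$1" '$1 == "ARG" && index($2, name "=") == 1 { print substr($2, length(name) + 2); exit }' | tr -d '"'
}

# audit_images < list-of-refs: prints "ok <ref>" or "FLOATING <ref>" per
# line; returns 1 if any ref floats.
audit_images() {
  local bad=0 img
  while read -r img; do
    [ -n "$img" ] || continue
    if image_pinned "$img"; then echo "ok       $img"; else echo "FLOATING $img"; bad=1; fi
  done
  return $bad
}

# Run from the repo root. The first line prints the OpenClaw pin that must
# never be auto-merged; the second fails the shell (and a CI job) on any
# floating image reference.
#   echo "OPENCLAW_VERSION=$(arg_value OPENCLAW_VERSION < docker/Dockerfile)"
#   { dockerfile_images < docker/Dockerfile; compose_images < docker-compose.yml; } | audit_images
```

The audit rejects only obviously mutable tags; a major-only tag such as node:22 still moves under you. If that matters, require a digest (the @sha256: form) for the base image and let Renovate keep the digest current.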