OpenClaw Deploy uses native override files at every layer — all gitignored so your local customizations never conflict with upstream changes.
## Override System

| Layer | What to customize | Override file | Template | Required? | Copy when |
|---|---|---|---|---|---|
| Terraform | State backend | terraform/envs/prod/backend.tf | backend.tf.example | Required | Before make init |
| Terraform | Infrastructure variables | terraform/envs/prod/terraform.tfvars | terraform.tfvars.example | Required | Before make plan |
| Docker | Extra services | docker-compose.override.yml | docker-compose.override.example.yml | Optional | Before make bootstrap |
| Make | Extra targets | Makefile.local | Makefile.local.example | Optional | Anytime |
| Ansible | Extra plays | ansible/site.local.yml | ansible/site.local.example.yml | Optional | Anytime |
| Scripts | Addon scripts | scripts/local/ | scripts/local.example/ | Optional | Anytime |
- Docker Compose: docker-compose.override.yml is automatically merged — no flags needed.
- Makefile: Makefile.local is loaded via -include. All variables from the main Makefile are available.
- Ansible: ansible/site.local.yml is used instead of site.yml when it exists. It should import site.yml first, then add your local plays.
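The script below is an added example, not part of OpenClaw Deploy. It turns the override table above into a preflight check for a checkout: before a given make target it verifies that every "Required" override has already been copied from its template, and it verifies that each override path is covered by a literal .gitignore entry, so a customised file cannot be staged by accident. The paths and the "copy when" targets come from the table; the exact-line .gitignore matching is an assumption (real git also honours globs and nested .gitignore files), and the demo checkout is constructed inside the script.

```shell
#!/bin/sh
# Added example (not OpenClaw Deploy code): preflight for the override layers.
# Assumption: a .gitignore entry counts only if it names the path verbatim.

# "<override path>|<make target it must exist before, or - if optional>"
OVERRIDES='terraform/envs/prod/backend.tf|init
terraform/envs/prod/terraform.tfvars|plan
docker-compose.override.yml|-
Makefile.local|-
ansible/site.local.yml|-
scripts/local/|-'

# is_ignored REPO PATH: succeed if .gitignore lists PATH verbatim
# (with or without a trailing slash, with or without a leading slash)
is_ignored() {
    ignore_file=$1/.gitignore
    [ -f "$ignore_file" ] || return 1
    p=${2%/}
    grep -Fxq -e "$p" -e "$p/" -e "/$p" -e "/$p/" "$ignore_file"
}

# check_overrides REPO TARGET: print findings, succeed only if there are none
check_overrides() {
    repo=$1; target=$2; problems=0
    while IFS='|' read -r path need; do
        [ -n "$path" ] || continue
        if [ "$need" = "$target" ] && [ ! -e "$repo/$path" ]; then
            echo "MISSING   $path is required before 'make $target' (copy it from its template)"
            problems=$((problems + 1))
        fi
        if ! is_ignored "$repo" "$path"; then
            echo "UNIGNORED $path is not in .gitignore; customising it risks committing it"
            problems=$((problems + 1))
        fi
    done <<EOF
$OVERRIDES
EOF
    [ "$problems" -eq 0 ]
}

# make_demo_repo: constructed checkout in which backend.tf has been copied,
# terraform.tfvars has not, and every override path is ignored; prints its path
make_demo_repo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/terraform/envs/prod"
    printf '%s\n' "$OVERRIDES" | cut -d'|' -f1 > "$demo/.gitignore"
    : > "$demo/terraform/envs/prod/backend.tf"
    echo "$demo"
}

demo_repo=$(make_demo_repo)
check_overrides "$demo_repo" init && echo "init preflight: ok"
check_overrides "$demo_repo" plan || echo "plan preflight: blocked until terraform.tfvars exists"
rm -rf "$demo_repo"
```

Run it as `check_overrides . plan` from the repo root before the corresponding make target; a non-zero exit means a required override is missing or an override path is not ignored.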
## Private Fork
For a production setup, the recommended approach is to keep your credentials, personal config, and extensions in a private fork that tracks this repo as upstream. See private-fork.md for the full workflow, .gitattributes template, and merge driver setup.
For a long-lived production setup, the recommended pattern is a private fork — tracking this repo as upstream and keeping credentials, personal config, and extensions in your fork. This lets you pull upstream improvements with minimal friction while keeping your private files out of the public repo.
### Repo layout

| Repo | Purpose |
|---|---|
| openclaw-deploy (this repo) | Public template — source of truth for all shared files |
| your-private-fork | Your production deployment — credentials, overrides, extensions |

All shared infrastructure changes should be made in openclaw-deploy first, then pulled into your fork — never the reverse.
...
## OpenClaw Configuration

### Overview

Configuration lives in openclaw.json (gitignored — create from openclaw.example.json) and is deployed via make deploy.
### Agent Defaults

| Key | Value | Purpose |
|---|---|---|
| userTimezone | UTC | Proper time context for scheduling, logs, heartbeat |
| timeFormat | 24 | European 24h format |
| imageMaxDimensionPx | 800 | Downscale images before vision API — saves ~30% tokens |
| contextTokens | 180000 | Safety margin below 200k model limit |

### Telegram Channel

#### Retry Logic

Resilience for transient network errors (outbound sendMessage, editMessage, sendChatAction):
```json
"retry": {
  "attempts": 3,
  "minDelayMs": 400,
  "maxDelayMs": 30000,
  "jitter": 0.1
}
```

#### Access Control

- DM policy: pairing (default) + allowFrom restriction
- allowFrom: ["<YOUR_TELEGRAM_ID>"] — restricts DM access (extra layer beyond pairing)
- groupAllowFrom: ["<USER_ID_1>", "<USER_ID_2>"] — global group sender restriction

Security model:
...
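The script below is an added example, not OpenClaw code: a retry wrapper that shows what the four "retry" settings in the Telegram Channel section above do to an outbound call. The schedule it uses is an assumption rather than OpenClaw's own: the delay starts at minDelayMs, doubles on each further attempt, is capped at maxDelayMs and is then spread by plus or minus jitter (a fraction of the delay). The flaky_send command and its counter file are constructed stand-ins for a sendMessage call that fails twice before succeeding.

```shell
#!/bin/sh
# Added example (not OpenClaw code): retry with capped exponential backoff and jitter.
# Assumption: this schedule is illustrative; OpenClaw's own may differ.

# retry_delay_ms ATTEMPT MIN_MS MAX_MS JITTER [RAND01]
# ATTEMPT is 1-based; RAND01 is a number in [0,1) used for the jitter and is
# drawn at random when omitted (pass one explicitly for a reproducible result)
retry_delay_ms() {
    rand=${5:-$(awk 'BEGIN { srand(); print rand() }')}
    awk -v a="$1" -v lo="$2" -v hi="$3" -v j="$4" -v r="$rand" 'BEGIN {
        d = lo * 2 ^ (a - 1)          # exponential growth per attempt
        if (d > hi) d = hi            # never wait longer than maxDelayMs
        d = d * (1 + j * (2 * r - 1)) # spread by +/- jitter so clients do not retry in lockstep
        printf "%d\n", d + 0.5        # whole milliseconds
    }'
}

# retry_cmd ATTEMPTS MIN_MS MAX_MS JITTER CMD...: run CMD until it succeeds or
# ATTEMPTS is exhausted, sleeping retry_delay_ms between tries; returns the last status
retry_cmd() {
    attempts=$1; min_ms=$2; max_ms=$3; jitter=$4; shift 4
    n=1
    while :; do
        "$@" && return 0
        status=$?
        [ "$n" -lt "$attempts" ] || return "$status"
        ms=$(retry_delay_ms "$n" "$min_ms" "$max_ms" "$jitter")
        echo "attempt $n/$attempts failed (exit $status); retrying in ${ms}ms" >&2
        sleep "$(awk -v ms="$ms" 'BEGIN { printf "%.3f", ms / 1000 }')"
        n=$((n + 1))
    done
}

# flaky_send: constructed stand-in for an outbound sendMessage; it fails the
# first FLAKY_FAILURES calls (counted in the file FLAKY_COUNTER) and then succeeds
flaky_send() {
    calls=$(cat "$FLAKY_COUNTER" 2>/dev/null)
    calls=$((${calls:-0} + 1))
    echo "$calls" > "$FLAKY_COUNTER"
    [ "$calls" -gt "${FLAKY_FAILURES:-2}" ]
}

# Demo with the page's values: 3 attempts, 400 ms to 30 s, 10% jitter
FLAKY_COUNTER=$(mktemp)
retry_cmd 3 400 30000 0.1 flaky_send && echo "delivered after $(cat "$FLAKY_COUNTER") calls"
rm -f "$FLAKY_COUNTER"
```

With attempts set to 3 the wrapper gives up after the third failure, which is why the demo's third call has to succeed; raising attempts without raising maxDelayMs only adds more 30 s waits. The fractional sleep needs a sleep that accepts sub-second values (GNU coreutils, BSD and busybox all do).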
## Secrets Reference

Two secret files are required. Neither is ever committed to git.
### secrets/inputs.sh — Infrastructure config

Sourced by the Makefile at parse time (and re-exported for Terraform). Contains deployment-level config, not runtime secrets.
```sh
cp secrets/inputs.example.sh secrets/inputs.sh
vim secrets/inputs.sh
```

| Variable | Required | Description |
|---|---|---|
| HCLOUD_TOKEN | Yes | Hetzner Cloud API token — console.hetzner.cloud → Security → API Tokens |
| SSH_KEY_FINGERPRINT | Yes | Fingerprint of your SSH key uploaded to Hetzner — console → Security → SSH Keys |
| SERVER_IP | Tailscale only | Set to openclaw-prod (MagicDNS) after locking down SSH. Leave unset to auto-detect from Terraform output. |
| TAILSCALE_AUTH_KEY | Tailscale only | Reusable pre-authorized key from login.tailscale.com/admin/settings/keys. Must be set before make bootstrap. |
| SSH_KEY | No | Path to SSH private key. Defaults to ~/.ssh/id_rsa. |

The Makefile auto-sources inputs.sh for Terraform vars. For SSH-based targets (make ssh, make deploy, etc.), SERVER_IP must resolve — either auto-detected from Terraform output or explicitly set.
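The script below is an added example, not part of OpenClaw Deploy: a preflight for secrets/inputs.sh that encodes the Required column of the table above. It sources the file in a subshell so nothing leaks into the caller's environment, then checks that HCLOUD_TOKEN and SSH_KEY_FINGERPRINT are set and not left as template placeholders, that SSH_KEY (default ~/.ssh/id_rsa) points at a readable file, and reports whether SERVER_IP is explicit or will be auto-detected from Terraform output. The placeholder patterns ("<...>" and CHANGEME) are an assumption about the example file, and the sample inputs.sh files it writes contain made-up values.

```shell
#!/bin/sh
# Added example (not OpenClaw Deploy code): validate secrets/inputs.sh before make.
# Assumption: untouched template values look like "<...>" or "CHANGEME".

# check_inputs FILE: print findings, succeed only when the file is usable
check_inputs() {
    input_file=$1
    [ -r "$input_file" ] || { echo "cannot read $input_file" >&2; return 2; }
    (
        . "$input_file"
        problems=0
        for var in HCLOUD_TOKEN SSH_KEY_FINGERPRINT; do
            eval "val=\${$var:-}"
            case $val in
                ''|'<'*'>'|CHANGEME)
                    echo "$var: required but unset or still a placeholder"
                    problems=$((problems + 1)) ;;
            esac
        done
        key=${SSH_KEY:-$HOME/.ssh/id_rsa}
        if [ ! -r "$key" ]; then
            echo "SSH_KEY: $key is not readable"
            problems=$((problems + 1))
        fi
        if [ -n "${TAILSCALE_AUTH_KEY:-}" ]; then
            case $TAILSCALE_AUTH_KEY in
                '<'*'>'|CHANGEME)
                    echo "TAILSCALE_AUTH_KEY: still a placeholder"
                    problems=$((problems + 1)) ;;
            esac
        fi
        if [ -n "${SERVER_IP:-}" ]; then
            echo "SERVER_IP: SSH targets will use $SERVER_IP"
        else
            echo "SERVER_IP: unset, will be auto-detected from Terraform output"
        fi
        [ "$problems" -eq 0 ]
    )
}

# write_sample_inputs FILE KEY_PATH TOKEN: constructed inputs.sh with made-up values
write_sample_inputs() {
    cat > "$1" <<EOF
export HCLOUD_TOKEN="$3"
export SSH_KEY_FINGERPRINT="aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99"
export SSH_KEY="$2"
# SERVER_IP left unset until SSH is locked down to Tailscale
EOF
}

tmp=$(mktemp -d)
: > "$tmp/id_ed25519"                       # stand-in for a private key file
write_sample_inputs "$tmp/good.sh" "$tmp/id_ed25519" "constructed-token-value"
write_sample_inputs "$tmp/bad.sh"  "$tmp/id_ed25519" "<YOUR_HCLOUD_TOKEN>"
check_inputs "$tmp/good.sh" && echo "good.sh: ok"
check_inputs "$tmp/bad.sh"  || echo "bad.sh: rejected"
rm -rf "$tmp"
```

Because the file is sourced, anything written to it runs as shell in the caller's session; keeping the check in a subshell limits that to the preflight itself and keeps the token out of the calling shell's environment.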
...
## Version Management

All dependencies are pinned in their respective config files. Renovate Bot opens weekly PRs when updates are available (see renovate.json).
### Where versions live

| Dependency | File | Notes |
|---|---|---|
| OpenClaw | docker/Dockerfile (ARG OPENCLAW_VERSION) | Never auto-merged — check release notes + run make backup-now first |
| Node.js base image | docker/Dockerfile (FROM node:...) | |
| Terraform CLI | terraform/envs/prod/main.tf (required_version) | Also enforced in CI via hashicorp/setup-terraform input |
| hcloud provider | terraform/envs/prod/main.tf (version =) | |
| ansible-core | .github/workflows/*.yml (pip install) | Range constraint — bump minor manually |
| GitHub Actions | .github/workflows/*.yml (uses:) | Auto-merged by Renovate |

### Auto-update policy

Renovate runs weekly and opens PRs grouped by ecosystem:
...
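The script below is an added example, not OpenClaw Deploy code: a pin audit that reads the locations from the "Where versions live" table above, prints an inventory of the current values and classifies each as exact, range or unpinned, failing when anything is unpinned. The sed patterns, the classification rules (a Docker tag of "latest" or no tag is unpinned; ">=", "<", "~>" or "^" mark a range; a 40-hex action ref is a sha, anything else a tag) and every version number in the constructed sample checkout are assumptions.

```shell
#!/bin/sh
# Added example (not OpenClaw Deploy code): inventory and classify version pins.
# Assumption: the file locations match the table; the regexes are illustrative.

# classify_version VALUE -> exact | range | unpinned
classify_version() {
    case $1 in
        ''|*:latest|node) echo unpinned ;;
        *'>='*|*'<'*|*'~>'*|'^'*) echo range ;;
        *) echo exact ;;
    esac
}

# classify_action_ref OWNER/REPO@REF -> sha | tag | unpinned
classify_action_ref() {
    ref=${1##*@}
    if [ "$ref" = "$1" ] || [ -z "$ref" ]; then echo unpinned
    elif printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then echo sha
    else echo tag
    fi
}

# first_match FILE SED_EXPR -> first captured value, empty if the file is missing
first_match() {
    if [ -r "$1" ]; then sed -n "$2" "$1" | head -n 1; fi
}

unpinned_count=0
# report NAME VALUE CLASS: print one inventory row and count unpinned entries
report() {
    printf '%-18s %-24s %s\n' "$1" "${2:-(not found)}" "$3"
    if [ "$3" = unpinned ]; then unpinned_count=$((unpinned_count + 1)); fi
}

# audit_pins REPO: print the inventory, succeed only if nothing is unpinned
audit_pins() {
    repo=$1; unpinned_count=0
    df=$repo/docker/Dockerfile; tf=$repo/terraform/envs/prod/main.tf
    v=$(first_match "$df" 's/^ARG OPENCLAW_VERSION=//p');                  report OpenClaw "$v" "$(classify_version "$v")"
    v=$(first_match "$df" 's/^FROM  *\([^ ]*\).*/\1/p');                   report node-image "$v" "$(classify_version "$v")"
    v=$(first_match "$tf" 's/.*required_version *= *"\([^"]*\)".*/\1/p');  report terraform-cli "$v" "$(classify_version "$v")"
    v=$(first_match "$tf" 's/^ *version *= *"\([^"]*\)".*/\1/p');          report hcloud-provider "$v" "$(classify_version "$v")"
    for wf in "$repo"/.github/workflows/*.yml; do
        [ -r "$wf" ] || continue
        v=$(first_match "$wf" 's/.*ansible-core\([^" ]*\).*/\1/p')
        if [ -n "$v" ]; then report ansible-core "$v" "$(classify_version "$v")"; fi
        for ref in $(sed -n 's/^.*uses: *\([^ #]*\).*/\1/p' "$wf"); do
            report action "$ref" "$(classify_action_ref "$ref")"
        done
    done
    [ "$unpinned_count" -eq 0 ]
}

# make_sample_repo NODE_IMAGE: constructed checkout with made-up versions; prints its path
make_sample_repo() {
    sample=$(mktemp -d)
    mkdir -p "$sample/docker" "$sample/terraform/envs/prod" "$sample/.github/workflows"
    printf 'ARG OPENCLAW_VERSION=1.2.3\nFROM %s\n' "$1" > "$sample/docker/Dockerfile"
    printf 'terraform {\n  required_version = "1.9.0"\n  required_providers {\n    hcloud = {\n      version = "1.49.0"\n    }\n  }\n}\n' > "$sample/terraform/envs/prod/main.tf"
    printf 'steps:\n  - uses: actions/checkout@v4\n  - run: pip install "ansible-core>=2.16,<2.19"\n' > "$sample/.github/workflows/ci.yml"
    echo "$sample"
}

good_repo=$(make_sample_repo node:22-bookworm-slim)
audit_pins "$good_repo" && echo "all pinned"
bad_repo=$(make_sample_repo node:latest)
audit_pins "$bad_repo" || echo "unpinned dependency found"
rm -rf "$good_repo" "$bad_repo"
```

Running `audit_pins .` from the repo root before merging a Renovate PR shows at a glance which pin the PR moves; the action column also makes it visible whether workflow steps are referenced by mutable tag or by immutable sha.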