Remove macOS support, make Tailscale optional, and fix installation issues#1
Open
justin-russell wants to merge 14 commits intomainfrom
Open
Remove macOS support, make Tailscale optional, and fix installation issues#1justin-russell wants to merge 14 commits intomainfrom
justin-russell wants to merge 14 commits intomainfrom
Conversation
BREAKING CHANGE: macOS support has been completely removed from this playbook.
The playbook now explicitly fails on Darwin systems with a clear error message.
## macOS/Homebrew/Zsh Removal
### Deleted Files (7)
- roles/clawdbot/tasks/system-tools-macos.yml
- roles/clawdbot/tasks/docker-macos.yml
- roles/clawdbot/tasks/firewall-macos.yml
- roles/clawdbot/tasks/tailscale-macos.yml
- roles/clawdbot/tasks/docker.yml (orchestrator)
- roles/clawdbot/tasks/tailscale.yml (orchestrator)
- roles/clawdbot/tasks/firewall.yml (orchestrator)
### Task File Updates
- main.yml: Updated includes to point directly to Linux files
- system-tools.yml: Removed macOS dispatch and oh-my-zsh installation
- system-tools-linux.yml: Removed zsh package, zsh shell, .zshrc config, Homebrew PATH
- defaults/main.yml: Removed homebrew_prefix and package_manager variables
### Playbook Updates
- playbook.yml: Added Darwin fail-fast check, removed all Homebrew logic and is_macos variable
- install.sh: Removed macOS detection
### Template Updates
- clawdbot-host.service.j2: Removed Homebrew PATH
- clawdbot-release.yml & clawdbot-development.yml: Removed Homebrew from PATH variables
## Audit Findings Fixed
### H4: Network Interface Validation
- firewall-linux.yml: Added assertion to validate default_interface.stdout is non-empty
### M2: Expanded .gitignore
- Added secret patterns: *.env, .env*, secrets.yml, vault.yml, *.pem, *.key, id_rsa*, host_vars/, group_vars/
### M3/M9: Fixed Hardcoded Values
- user.yml: Replaced hardcoded 'clawdbot' and '/home/clawdbot' with variables
- playbook.yml: Fixed hardcoded paths to use variables
### M7: Added no_log for Secrets
- user.yml: Added no_log: true to authorized_key task
- defaults/main.yml: Added warning comment for tailscale_authkey
### M8: Fixed UID Race Condition
- user.yml: Added assertion to verify clawdbot_uid_value is defined and non-empty
- clawdbot-host.service.j2: Removed default('1000') from clawdbot_uid_value
### M10: Install Mode Validation
- clawdbot.yml: Added assertion to validate clawdbot_install_mode is 'release' or 'development'
## Documentation Updates
### README.md
- Updated badge to show only Debian/Ubuntu support
- Added prominent macOS deprecation notice
- Removed all macOS/Homebrew/zsh references
- Consolidated "What Gets Installed" section
### Documentation Files
- docs/architecture.md: Updated task file names and installation flow
- docs/configuration.md: Removed OS-specific settings (homebrew_prefix, package_manager)
- docs/security.md: Updated macOS limitations section with deprecation notice
## Resolution
- Resolves audit findings H1 and H2 (macOS-specific correctness issues)
- Addresses audit findings H4, M2, M3, M7, M8, M9, M10
- Simplifies codebase by removing multi-OS complexity
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Adds tailscale_enabled variable (default: false) to allow users to opt into Tailscale installation. When disabled, skips Tailscale package installation, firewall rules (port 41641), sudoers entries, and related welcome messages. Changes: - Add tailscale_enabled: false to defaults/main.yml - Guard Tailscale task includes and firewall rules with conditional - Convert show-lobster.sh to Jinja2 template for dynamic port display - Update sudoers template to conditionally include Tailscale permissions - Update documentation with new variable and examples Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Changes install.sh from a remote installer that clones the repo into a temp directory to a local dependency installer that just sets up prerequisites. Changes: - Remove redundant repo cloning (assumes already in repo directory) - Add directory validation to ensure running from correct location - Install only Ansible and required collections - Do not run playbook automatically (use run-playbook.sh instead) - Add clear next steps showing how to run with/without Tailscale - Improve error messages and status indicators This provides clearer separation: install.sh for dependencies, run-playbook.sh for execution. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The .bashrc configuration task was running before the clawdbot user was created, causing "failed to look up user clawdbot" errors. Moved the task from system-tools-linux.yml to user.yml (immediately after user creation) to ensure proper execution order. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The pnpm global bin directory was not in PATH when running pnpm install,
causing "configured global bin directory is not in PATH" errors.
Added {{ clawdbot_home }}/.local/share/pnpm to PATH in environment blocks
for both release and development mode installation tasks.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The clawdbot binary is installed to PNPM_HOME, not .local/bin. Updated all references to use the command name (found via PATH) instead of hardcoded paths. Changes: - Update systemd service to include PNPM_HOME in PATH and use "clawdbot" command - Update verification tasks to use proper environment with full PATH - Remove hardcoded path references in favor of PATH resolution This ensures the binary is found correctly whether installed via pnpm global (release mode) or symlinked from development build. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
When using 'sudo su - clawdbot' or 'sudo -u clawdbot -i', bash starts as a login shell which reads .bash_profile (not .bashrc). Users had to manually source .bashrc to get the correct environment. Added .bash_profile that sources .bashrc, ensuring environment variables (PNPM_HOME, PATH, etc.) are loaded for both login and interactive shells. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The welcome message script tried to remove itself but sometimes showed "Permission denied" errors. Changed to use $HOME instead of ~ and added error suppression with 2>/dev/null || true. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The home directory was owned by root:root instead of clawdbot:clawdbot, preventing the clawdbot user from creating/deleting files in their own home. Added explicit ownership task after user creation to ensure /home/clawdbot is owned by the clawdbot user with correct permissions (755). This fixes "Permission denied" errors when trying to delete files in the home directory. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive test suite that validates convergence, correctness, and idempotency by running the playbook in an Ubuntu 24.04 container. New test infrastructure: - tests/Dockerfile.ubuntu2404: Ubuntu container with Ansible pre-installed - tests/entrypoint.sh: Runs convergence → verification → idempotency - tests/verify.yml: Post-convergence assertions for system state - tests/run-tests.sh: Main entry point for local testing - tests/README.md: Test harness documentation Introduce ci_test variable to skip tasks requiring: - Docker-in-Docker (Docker CE installation) - Kernel access (UFW/iptables firewall) - systemd services (loginctl, daemon setup) - External packages (clawdbot app install) Idempotency improvements: - Make pnpm configuration idempotent with state checking - Make pnpm installation idempotent with pre-check All tests passing: convergence ✓, verification ✓, idempotency ✓ Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add detailed documentation for the Docker-based CI test harness: - Overview of test infrastructure and workflow - Quick start guide for running tests locally - Explanation of ci_test mode and what gets skipped - Test coverage matrix (75% of playbook tasks) - Idempotency improvements and examples - Troubleshooting guide for common test failures - Instructions for adding new tests and distributions - CI/CD integration examples (GitHub Actions, GitLab) - Performance metrics and optimization tips Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Reverted install.sh to the original remote installation script from main branch, which clones the repository and runs the playbook. This restores the curl | bash installation pattern for remote usage. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Removed macOS detection and support from the remote installer script to align with the playbook which only supports Debian/Ubuntu Linux. Also updated repository URLs from pasogott/clawdbot-ansible to openclaw/openclaw-ansible. Changes: - Remove macOS OS detection - Update error messages to only mention Linux support - Change clone URL to https://github.com/openclaw/openclaw-ansible.git - Update raw GitHub URL for consistency Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Provides coworker with actionable documentation cleanup checklist, CI test harness info, and GitHub issue template for future macOS restoration with proper security hardening. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR removes macOS support from the playbook (Linux-only), makes Tailscale installation optional (disabled by default), and fixes multiple installation and user environment issues discovered during testing.
Major Changes
🔧 Platform Support
🌐 Tailscale Made Optional
tailscale_enabledvariable (default:false)🐛 Installation Fixes
Multiple critical fixes for user environment and installation flow:
🧪 Testing Infrastructure
Security Improvements
Documentation Updates
Commit Log
Testing
✅ Tested on Ubuntu 22.04 VPS
✅ Verified with Tailscale disabled (default)
✅ Verified with Tailscale enabled
✅ All installation issues resolved
✅ User environment loads correctly on login
Breaking Changes
tailscale_enabled: trueto install Tailscale🤖 Generated with Claude Code