IronClaw — Rust-based secure AI assistant with OpenCode + free models

robi

Hi @timconsidine,

Packaged IronClaw (nearai/ironclaw v0.21.0) for Cloudron following your AgentZero/Nanobot pattern. Everything's working on the demo Cloudron — zero config, free model, no API keys needed.

Built image: registry.demo.cloudron.io/ironclaw:20260322-042051-0335cfa11
Source repo: https://github.com/nearai/ironclaw

Files you need to take over the package:

1. CloudronManifest.json

{
  "id": "com.nearai.ironclaw",
  "title": "IronClaw",
  "author": "NEAR AI",
  "description": "Your secure personal AI assistant, always on your side. Rust-based, privacy-first, defense-in-depth security.",
  "tagline": "Secure AI Assistant in Rust",
  "version": "0.1.0",
  "upstreamVersion": "0.21.0",
  "healthCheckPath": "/health",
  "httpPort": 3000,
  "memoryLimit": 2147483648,
  "addons": { "localstorage": {}, "postgresql": {} },
  "manifestVersion": 2,
  "website": "https://www.ironclaw.com",
  "tags": ["ai", "agent", "assistant", "rust", "privacy"]
}

2. Dockerfile

FROM rust:1.92-slim-bookworm AS builder
RUN apt-get update && apt-get install -y --no-install-recommends \
    pkg-config libssl-dev cmake gcc g++ \
    && rm -rf /var/lib/apt/lists/* \
    && rustup target add wasm32-wasip2 \
    && cargo install wasm-tools
WORKDIR /app
COPY Cargo.toml Cargo.lock ./
COPY crates/ crates/
COPY build.rs build.rs
COPY src/ src/
COPY tests/ tests/
COPY migrations/ migrations/
COPY registry/ registry/
COPY channels-src/ channels-src/
COPY wit/ wit/
COPY providers.json providers.json
COPY benches/ benches/
RUN cargo build --release --bin ironclaw
FROM cloudron/base:5.0.0@sha256:04fd70dbd8ad6149c19de39e35718e024417c3e01dc9c6637eaf4a41ec4e596c
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
    && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*
RUN npm install -g opencode-ai
COPY --from=builder /app/target/release/ironclaw /usr/local/bin/ironclaw
COPY --from=builder /app/migrations /app/code/migrations
COPY CloudronManifest.json /app/code/CloudronManifest.json
COPY cloudron/start.sh /app/code/start.sh
COPY cloudron/opencode-server.py /app/code/opencode-server.py
COPY cloudron/default-env /app/code/default-env
COPY logo.png /app/code/logo.png
RUN chmod +x /app/code/start.sh
RUN mkdir -p /app/data/.ironclaw
ENV HOME=/app/data
WORKDIR /app/data
ENV IRONCLAW_IN_DOCKER=true
ENV RUST_LOG=ironclaw=info
EXPOSE 3000
CMD [ "/app/code/start.sh" ]

3. cloudron/start.sh

#!/bin/bash
set -eu
export HOME="/app/data"
mkdir -p /app/data/.ironclaw
if [ ! -f /app/data/.ironclaw/.env ]; then
	cp /app/code/default-env /app/data/.ironclaw/.env
	TOKEN=$(openssl rand -hex 24)
	echo "GATEWAY_AUTH_TOKEN=${TOKEN}" >>/app/data/.ironclaw/.env
	echo "==> Generated gateway auth token (saved to .ironclaw/.env)"
fi
sed -i '/^DATABASE_URL=/d' /app/data/.ironclaw/.env
echo "DATABASE_URL=postgres://${CLOUDRON_POSTGRESQL_USERNAME}:${CLOUDRON_POSTGRESQL_PASSWORD}@${CLOUDRON_POSTGRESQL_HOST}:${CLOUDRON_POSTGRESQL_PORT}/${CLOUDRON_POSTGRESQL_DATABASE}" >>/app/data/.ironclaw/.env
set -a
. /app/data/.ironclaw/.env
set +a
chown -R cloudron:cloudron /app/data
cat >/app/data/.bashrc <<'BASHRC'
alias ll='ls -la'
alias la='ls -A'
alias l='ls -CFsa'
alias ..='cd ..'
alias ...='cd ../..'
alias grep='grep --color=auto'
PS1='\[\e[1;36m\]ironclaw\[\e[0m\]:\[\e[1;34m\]\w\[\e[0m\$ '
BASHRC
echo "==> Starting OpenCode server..."
opencode serve --port 4096 --hostname 127.0.0.1 &
sleep 3
echo "==> Starting OpenCode proxy..."
python3 /app/code/opencode-server.py &
sleep 2
echo "==> Starting IronClaw..."
exec gosu cloudron:cloudron ironclaw run --no-onboard
4. cloudron/default-env
LLM_BACKEND=openai_compatible
LLM_BASE_URL=http://127.0.0.1:4097/v1
LLM_API_KEY=not-needed
LLM_MODEL=minimax-m2.5-free
GATEWAY_ENABLED=true
GATEWAY_HOST=0.0.0.0
GATEWAY_PORT=3000
AGENT_NAME=ironclaw
AGENT_USE_PLANNING=true
RUST_LOG=ironclaw=info

5. cloudron/opencode-server.py — OpenAI-compatible proxy that wraps opencode run (full file is ~120 lines, available in the package repo)
6. CloudronVersions.json

{
  "versions": [{
    "version": "0.1.0",
    "upstreamVersion": "0.21.0",
    "id": "com.nearai.ironclaw",
    "title": "IronClaw",
    "minBoxVersion": "9.0.0"
  }]
}

Key packaging notes:

• Gateway defaults to 127.0.0.1 — must set GATEWAY_HOST=0.0.0.0
• Webhook server on 8080 conflicts with Cloudron — disable by unsetting HTTP_PORT/HTTP_HOST
• --no-onboard is on ironclaw run, not root command
• .bashrc must go to /app/data/ (home dir is read-only in Cloudron)
• OpenCode proxy must return id, created, object fields or rig-core rejects the response
  Happy to hand off the full package directory or collaborate on getting it into the community apps list. The opencode-server.py proxy file is too long for this post — you can grab it from the running app or image.

---

timconsidine

@robi I have another Ukraine mission, so going to be mostly offline for a week.

Can look at it on return.

robi

Ha, your agent can do it..

Safe travels friend!

LoudLemur

@timconsidine Please be careful out there, tim

timconsidine

@LoudLemur thank you, will do, always safe secluded handover points, 1000kms from hunter drones, and my van & trailer is not a high value target for Ivan’s AWACS. There again, Ivan’s aim is awful, so I guess it’s possible he could get close while aiming at something else.
Mission #37 - 75 tonnes total, no incidents.