OpenClaw

@JLX89 updated to include the Tailscale CLI + daemon installed in the Docker image

To use it, add to /app/data/.env:

TS_AUTHKEY=tskey-auth-...
TS_HOSTNAME=openclaw

@creative567145 added the SEARXNG_URL= as well env

@creative567145 I have added these to the package. However I can't test them so please leave feedback here if something isn't working.

@Joseph Sorry about that, just updated the package. It's now here: https://git.due.ren/andreas/ente-cloudron/-/raw/main/CloudronVersions.json

@Joseph Sure! Did you already add the ente package?

@robi These were patches made to the openclaw package. I'd say best is you guys test what you are trying to do then we can make all moving parts work

I think it works now. Too slow on CPU so can't actually test it without waiting ages. Ollama will only work with a model that supports tool use, so no tinyllama.

1. Node.js version override

Cloudron base image ships Node 22.14, OpenClaw requires 22.16+. We symlink /usr/local/node-22.14.0/bin/node → /usr/bin/node (NodeSource 22.22) so both the gateway
and openclaw CLI use the correct version.

2. Gateway config for reverse proxy

OpenClaw doesn't expect to run behind a proxy by default. start.sh creates /app/data/config/openclaw.json on first run with:

• gateway.mode: "local" — skips pairing requirement
• gateway.trustedProxies: ["172.18.0.0/16"] — trusts Cloudron's Docker network
• gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback: true — allows web UI behind Cloudron's reverse proxy
• gateway.controlUi.dangerouslyDisableDeviceAuth: true — skips device pairing for web UI

3. Ollama auth proxy

OpenClaw's Ollama model discovery (/api/tags) doesn't send auth headers. Cloudron's Ollama package requires Bearer token auth. start.sh starts a Node.js HTTP proxy on localhost:11434 that:

• Intercepts all requests to Ollama
• Injects Authorization: Bearer <OLLAMA_API_KEY> header
• Forwards to the real OLLAMA_BASE_URL
• Overrides OLLAMA_BASE_URL to http://127.0.0.1:11434 so OpenClaw talks to the proxy

Activated when both OLLAMA_API_KEY and OLLAMA_BASE_URL are set in /app/data/.env.

4. Auth auto-provisioning

start.sh auto-creates /app/data/agents/main/agent/auth-profiles.json from:

• CLAUDE_SETUP_TOKEN → type: "token" profile
• ANTHROPIC_API_KEY → type: "api_key" profile

Not sure if this is actually valuable for anyone but it should work.

actually looks a bit more complicated and that ollama won't let openclaw do model discovery without api key… I'll have to look more into this

Pushing an update now for easy ollama configuration. You should be able to pass endpoint and API key through the .env

To connect your Cloudron Ollama with OpenClaw:

• install Ollama
• download a model in Ollama, for example by running ollama pull tinyllama in the web terminal.
• grab the Ollama API key with cat /app/data/.api_keyor from the file explorer
• install OpenClaw
• open file explorer for OpenClaw app and open .env
• add endpoint and api key from ollama
• restart OpenClaw

@timconsidine I didn't bundle it with ollama. Is that something you want to do? Ollama won't really be very useful on the vast majority of servers without some beefy GPU. But you could connect openclaw with it.

Packaged, needs more testing though https://git.due.ren/andreas/openclaw-cloudron/-/raw/main/CloudronVersions.json

Plus it's an opinionated packaged geared towards what I think is important but installing new skills should work as is.

@girish Perfect thank you

@James I am aware, I mean migrating from the stock Matrix app

Edit: Nevermind I completely misread, I thought this is a replacement for synapse including MAS but its MAS standalone

@robi Likely in the browser cache when using the web UI. In the App locally on your computer

@girish Unfortunately setting https://my.cloudron.example/openid/jwks_rsaonly isn't working either and testing auth returns:

Failed to get your identity
Looks like something went wrong. Here are the details.
Failed to verify oidc token with fresh keys
undefined

PKCE is disabled, Email claim is set to email and OIDC Scopes are set to openid,email and profile.

I can see the login attempt as authenticated in the logs for some reason though.

Edit: https://my.cloudron.example/openid/jwks_rsaonly for my cloudron returns only {"keys":[]}. Was there a regression? I'm running 9.1.3. The regular jwks endpoint is returning proper values..

@Joseph Data is stored locally if you don't connect it with their hosted service or a self-hosted instance.

@James Nice, have you tested rolling back the backup from the cloudron stock app as a form of migration of an existing instance?

@girish Perfect thanks!

Can we please allow rsync for the lamp stack? That would speed up my CI/CD pipeline.

@girish

Mar 03 15:37:42 2026-03-03T21:37:42.190 request_id=GJlyiUIE9OJthqsAAMcB [info] GET /admin/shared-senders/new
Mar 03 15:37:42 2026-03-03T21:37:42.202 request_id=GJlyiUIE9OJthqsAAMcB [info] Sent 500 in 11ms
Mar 03 15:37:42 2026-03-03T21:37:42.203 request_id=GJlyiUIE9OJthqsAAMcB [error] ** (Phoenix.Template.UndefinedError) Could not render "_config.html" for KeilaWeb.SenderView, please define a matching clause for render/2 or define a template at "lib/keila_web/templates/sender/*". The following templates were compiled:
Mar 03 15:37:42 %{form: %Phoenix.HTML.Form{source: #Ecto.Changeset<action: nil, changes: %{config: #Ecto.Changeset<action: :insert, changes: %{type: "ses"}, errors: [], data: #Keila.Mailings.Sender.Config<>, valid?: true, ...>}, errors: [], data: #Keila.Mailings.SharedSender<>, valid?: true, ...>, impl: Phoenix.HTML.FormData.Ecto.Changeset, id: "form", name: "shared_sender", data: %Keila.Mailings.SharedSender{__meta__: #Ecto.Schema.Metadata<:built, "mailings_shared_senders">, id: nil, name: nil, config: nil, inserted_at: nil, updated_at: nil}, action: nil, hidden: [], params: %{}, errors: [], options: [method: "post", id: "form", multipart: false, class: "mt-8 max-w-md flex flex-col gap-4", "@change": "setUnsavedReminder(true)", "x-data": true], index: nil}, sender_adapters: ["ses"]}
Mar 03 15:37:42 (keila 0.19.0) lib/keila_web/controllers/shared_sender_admin_controller.ex:1: KeilaWeb.SharedSenderAdminController.action/2
Mar 03 15:37:42 (keila 0.19.0) lib/keila_web/templates/shared_sender_admin/edit.html.heex:60: anonymous fn/3 in KeilaWeb.SharedSenderAdminView."edit.html"/1
Mar 03 15:37:42 (phoenix 1.7.21) lib/phoenix/controller.ex:1008: anonymous fn/5 in Phoenix.Controller.template_render_to_iodata/4
Mar 03 15:37:42 (phoenix 1.7.21) lib/phoenix/controller.ex:974: Phoenix.Controller.render_and_send/4
Mar 03 15:37:42 (phoenix_live_view 1.1.24) lib/phoenix_live_view/engine.ex:130: Phoenix.HTML.Safe.Phoenix.LiveView.Rendered.to_iodata/1
Mar 03 15:37:42 (phoenix_live_view 1.1.24) lib/phoenix_live_view/engine.ex:142: Phoenix.HTML.Safe.Phoenix.LiveView.Rendered.to_iodata/3
Mar 03 15:37:42 (phoenix_view 2.0.4) lib/phoenix_view.ex:694: Phoenix.View.__not_found__!/3
Mar 03 15:37:42 (telemetry 1.3.0) /app/code/deps/telemetry/src/telemetry.erl:324: :telemetry.span/3

@Muhanand Definitely possible. But this app just by nature requires a more sophisticated manual setup.