clawup 1.0.0

package/infra/dist/components/openclaw-agent.js

@@ -0,0 +1,287 @@
+"use strict";
+/**
+ * OpenClaw Agent - Reusable Pulumi ComponentResource
+ * Provisions a single OpenClaw agent on AWS EC2
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OpenClawAgent = void 0;
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const aws = __importStar(require("@pulumi/aws"));
+const zlib = __importStar(require("zlib"));
+const shared_1 = require("./shared");
+/**
+ * OpenClaw Agent ComponentResource
+ *
+ * Provisions a complete OpenClaw agent on AWS EC2 including:
+ * - VPC, subnet, and security group (or uses existing)
+ * - EC2 instance with Ubuntu 24.04
+ * - Docker, Node.js 22, and OpenClaw installation
+ * - Tailscale for secure HTTPS access
+ * - Systemd service for auto-start
+ *
+ * @example
+ * ```typescript
+ * const agent = new OpenClawAgent("my-agent", {
+ *   anthropicApiKey: config.requireSecret("anthropicApiKey"),
+ *   tailscaleAuthKey: config.requireSecret("tailscaleAuthKey"),
+ *   tailnetDnsName: config.require("tailnetDnsName"),
+ * });
+ *
+ * export const url = agent.tailscaleUrl;
+ * ```
+ */
+class OpenClawAgent extends pulumi.ComponentResource {
+    /** EC2 instance public IP */
+    publicIp;
+    /** EC2 instance public DNS */
+    publicDns;
+    /** Tailscale URL with authentication token */
+    tailscaleUrl;
+    /** Gateway authentication token */
+    gatewayToken;
+    /** SSH private key (Ed25519) */
+    sshPrivateKey;
+    /** SSH public key */
+    sshPublicKey;
+    /** EC2 instance ID */
+    instanceId;
+    /** VPC ID */
+    vpcId;
+    /** Subnet ID */
+    subnetId;
+    /** Security Group ID */
+    securityGroupId;
+    constructor(name, args, opts) {
+        super("clawup:aws:OpenClawAgent", name, {}, opts);
+        const defaultResourceOptions = { parent: this };
+        // Defaults
+        const instanceType = args.instanceType ?? "t3.medium";
+        const gatewayPort = args.gatewayPort ?? 18789;
+        const browserPort = args.browserPort ?? 18791;
+        const volumeSize = args.volumeSize ?? 30;
+        const model = args.model ?? "anthropic/claude-opus-4-6";
+        const enableSandbox = args.enableSandbox ?? true;
+        const baseTags = args.tags ?? {};
+        // Generate SSH key pair + gateway token
+        const { sshKey, gatewayTokenValue } = (0, shared_1.generateKeyPairAndToken)(name, defaultResourceOptions);
+        // VPC - create or use existing
+        let vpcId;
+        let internetGateway;
+        if (args.vpcId) {
+            vpcId = pulumi.output(args.vpcId);
+        }
+        else {
+            const vpc = new aws.ec2.Vpc(`${name}-vpc`, {
+                cidrBlock: "10.0.0.0/16",
+                enableDnsHostnames: true,
+                enableDnsSupport: true,
+                tags: pulumi.output(baseTags).apply((tags) => ({
+                    ...tags,
+                    Name: `${name}-vpc`,
+                })),
+            }, defaultResourceOptions);
+            vpcId = vpc.id;
+            internetGateway = new aws.ec2.InternetGateway(`${name}-igw`, {
+                vpcId: vpc.id,
+                tags: pulumi.output(baseTags).apply((tags) => ({
+                    ...tags,
+                    Name: `${name}-igw`,
+                })),
+            }, defaultResourceOptions);
+        }
+        // Subnet - create or use existing
+        let subnetId;
+        if (args.subnetId) {
+            subnetId = pulumi.output(args.subnetId);
+        }
+        else {
+            const subnet = new aws.ec2.Subnet(`${name}-subnet`, {
+                vpcId: vpcId,
+                cidrBlock: "10.0.1.0/24",
+                mapPublicIpOnLaunch: true,
+                tags: pulumi.output(baseTags).apply((tags) => ({
+                    ...tags,
+                    Name: `${name}-subnet`,
+                })),
+            }, defaultResourceOptions);
+            subnetId = subnet.id;
+            // Create route table only if we created the VPC
+            if (internetGateway) {
+                const routeTable = new aws.ec2.RouteTable(`${name}-rt`, {
+                    vpcId: vpcId,
+                    routes: [
+                        {
+                            cidrBlock: "0.0.0.0/0",
+                            gatewayId: internetGateway.id,
+                        },
+                    ],
+                    tags: pulumi.output(baseTags).apply((tags) => ({
+                        ...tags,
+                        Name: `${name}-rt`,
+                    })),
+                }, defaultResourceOptions);
+                new aws.ec2.RouteTableAssociation(`${name}-rta`, {
+                    subnetId: subnet.id,
+                    routeTableId: routeTable.id,
+                }, defaultResourceOptions);
+            }
+        }
+        // Security Group - create or use existing
+        let securityGroupId;
+        if (args.securityGroupId) {
+            securityGroupId = pulumi.output(args.securityGroupId);
+        }
+        else {
+            const securityGroup = new aws.ec2.SecurityGroup(`${name}-sg`, {
+                vpcId: vpcId,
+                description: `Security group for OpenClaw agent ${name}`,
+                // SSH is disabled by default — Tailscale is the primary access method.
+                // Pass allowedSshCidrs to enable SSH from specific IPs as a fallback.
+                ingress: pulumi
+                    .output(args.allowedSshCidrs ?? [])
+                    .apply((cidrs) => cidrs.length > 0
+                    ? [
+                        {
+                            description: "SSH access (restricted)",
+                            fromPort: 22,
+                            toPort: 22,
+                            protocol: "tcp",
+                            cidrBlocks: cidrs,
+                        },
+                    ]
+                    : []),
+                egress: [
+                    {
+                        fromPort: 0,
+                        toPort: 0,
+                        protocol: "-1",
+                        cidrBlocks: ["0.0.0.0/0"],
+                    },
+                ],
+                tags: pulumi.output(baseTags).apply((tags) => ({
+                    ...tags,
+                    Name: `${name}-sg`,
+                })),
+            }, defaultResourceOptions);
+            securityGroupId = securityGroup.id;
+        }
+        // Create EC2 key pair
+        const keyPair = new aws.ec2.KeyPair(`${name}-keypair`, {
+            publicKey: sshKey.publicKeyOpenssh,
+            tags: pulumi.output(baseTags).apply((tags) => ({
+                ...tags,
+                Name: `${name}-keypair`,
+            })),
+        }, defaultResourceOptions);
+        // Get Ubuntu 24.04 AMI
+        const ami = aws.ec2.getAmiOutput({
+            owners: ["099720109477"], // Canonical
+            mostRecent: true,
+            filters: [
+                {
+                    name: "name",
+                    values: [
+                        "ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-amd64-server-*",
+                    ],
+                },
+                { name: "virtualization-type", values: ["hvm"] },
+            ],
+        }, defaultResourceOptions);
+        // Generate cloud-init user data
+        const userData = (0, shared_1.buildCloudInitUserData)(name, args, gatewayTokenValue, {
+            gatewayPort: gatewayPort,
+            browserPort: browserPort,
+            model: model,
+            enableSandbox: enableSandbox,
+        });
+        // Create EC2 instance
+        const instance = new aws.ec2.Instance(`${name}-instance`, {
+            ami: ami.id,
+            instanceType: instanceType,
+            subnetId: subnetId,
+            vpcSecurityGroupIds: [securityGroupId],
+            keyName: keyPair.keyName,
+            userDataBase64: userData.apply((script) => {
+                const gzipped = zlib.gzipSync(Buffer.from(script));
+                return gzipped.toString("base64");
+            }),
+            userDataReplaceOnChange: true,
+            // Enforce IMDSv2 to prevent unauthenticated metadata access
+            metadataOptions: {
+                httpTokens: "required",
+                httpEndpoint: "enabled",
+                httpPutResponseHopLimit: 2,
+            },
+            rootBlockDevice: {
+                volumeSize: volumeSize,
+                volumeType: "gp3",
+            },
+            tags: pulumi.output(baseTags).apply((tags) => ({
+                ...tags,
+                Name: name,
+                Component: "openclaw-agent",
+            })),
+        }, defaultResourceOptions);
+        // Set outputs
+        this.publicIp = instance.publicIp;
+        this.publicDns = instance.publicDns;
+        this.instanceId = instance.id;
+        this.vpcId = vpcId;
+        this.subnetId = subnetId;
+        this.securityGroupId = securityGroupId;
+        this.sshPrivateKey = pulumi.secret(sshKey.privateKeyOpenssh);
+        this.sshPublicKey = sshKey.publicKeyOpenssh;
+        this.gatewayToken = pulumi.secret(gatewayTokenValue);
+        // Tailscale hostname includes stack name to avoid conflicts (e.g., dev-agent-pm)
+        const tsHostname = `${pulumi.getStack()}-${name}`;
+        this.tailscaleUrl = pulumi.secret(pulumi.interpolate `https://${tsHostname}.${args.tailnetDnsName}/?token=${gatewayTokenValue}`);
+        // Register outputs
+        this.registerOutputs({
+            publicIp: this.publicIp,
+            publicDns: this.publicDns,
+            tailscaleUrl: this.tailscaleUrl,
+            gatewayToken: this.gatewayToken,
+            sshPrivateKey: this.sshPrivateKey,
+            sshPublicKey: this.sshPublicKey,
+            instanceId: this.instanceId,
+            vpcId: this.vpcId,
+            subnetId: this.subnetId,
+            securityGroupId: this.securityGroupId,
+        });
+    }
+}
+exports.OpenClawAgent = OpenClawAgent;
+//# sourceMappingURL=openclaw-agent.js.map

package/infra/dist/components/shared.js

@@ -0,0 +1,132 @@
+"use strict";
+/**
+ * Shared helpers for OpenClaw agent components (AWS + Hetzner)
+ *
+ * Extracts the duplicated SSH key generation, gateway token derivation,
+ * and cloud-init user data assembly that was identical across providers.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateKeyPairAndToken = generateKeyPairAndToken;
+exports.buildCloudInitUserData = buildCloudInitUserData;
+const pulumi = __importStar(require("@pulumi/pulumi"));
+const tls = __importStar(require("@pulumi/tls"));
+const crypto = __importStar(require("crypto"));
+const cloud_init_1 = require("./cloud-init");
+/**
+ * Generate an SSH key pair and a gateway authentication token.
+ * Both providers use the same ED25519 key generation pattern.
+ */
+function generateKeyPairAndToken(name, resourceOptions) {
+    const sshKey = new tls.PrivateKey(`${name}-ssh-key`, { algorithm: "ED25519" }, resourceOptions);
+    const tokenKey = new tls.PrivateKey(`${name}-gateway-token-key`, { algorithm: "ED25519" }, resourceOptions);
+    const gatewayTokenValue = tokenKey.publicKeyOpenssh.apply((key) => {
+        const hash = crypto.createHash("sha256").update(key).digest("hex");
+        return hash.substring(0, 48);
+    });
+    return { sshKey, gatewayTokenValue };
+}
+/**
+ * Build the cloud-init user data script from base agent args.
+ *
+ * Resolves all Pulumi secrets/outputs, assembles a CloudInitConfig,
+ * generates + interpolates the script, and optionally compresses it.
+ */
+function buildCloudInitUserData(name, args, gatewayTokenValue, defaults) {
+    const pluginSecretEntries = Object.entries(args.pluginSecrets ?? {});
+    const pluginSecretOutputs = pluginSecretEntries.map(([, v]) => pulumi.output(v));
+    const depSecretEntries = Object.entries(args.depSecrets ?? {});
+    const depSecretOutputs = depSecretEntries.map(([, v]) => pulumi.output(v));
+    // Stage 1: resolve all string secrets (same type, safe in one pulumi.all)
+    return pulumi
+        .all([
+        args.tailscaleAuthKey,
+        args.anthropicApiKey,
+        gatewayTokenValue,
+        ...pluginSecretOutputs,
+        ...depSecretOutputs,
+    ])
+        .apply(([tsAuthKey, apiKey, gwToken, ...secretValues]) => {
+        // Stage 2: resolve mixed-type Input<> config values
+        return pulumi
+            .all([
+            pulumi.output(defaults?.gatewayPort ?? args.gatewayPort ?? 18789),
+            pulumi.output(defaults?.browserPort ?? args.browserPort ?? 18791),
+            pulumi.output(defaults?.model ?? args.model ?? "anthropic/claude-opus-4-6"),
+            pulumi.output(defaults?.enableSandbox ?? args.enableSandbox ?? true),
+        ])
+            .apply(([gatewayPort, browserPort, model, enableSandbox]) => {
+            const tsHostname = `${pulumi.getStack()}-${name}`;
+            // Build additional secrets map from plugin secrets + dep secrets
+            const additionalSecrets = {};
+            pluginSecretEntries.forEach(([envVar], idx) => {
+                additionalSecrets[envVar] = secretValues[idx];
+            });
+            depSecretEntries.forEach(([envVar], idx) => {
+                additionalSecrets[envVar] = secretValues[pluginSecretEntries.length + idx];
+            });
+            const cloudInitConfig = {
+                anthropicApiKey: apiKey,
+                tailscaleAuthKey: tsAuthKey,
+                gatewayToken: gwToken,
+                gatewayPort: gatewayPort,
+                browserPort: browserPort,
+                model: model,
+                backupModel: args.backupModel,
+                codingAgent: args.codingAgent,
+                enableSandbox: enableSandbox,
+                tailscaleHostname: tsHostname,
+                workspaceFiles: args.workspaceFiles,
+                envVars: args.envVars,
+                postSetupCommands: args.postSetupCommands,
+                createUbuntuUser: defaults?.createUbuntuUser,
+                plugins: args.plugins,
+                enableFunnel: args.enableFunnel,
+                clawhubSkills: args.clawhubSkills,
+                deps: args.deps,
+                depSecrets: additionalSecrets,
+            };
+            const script = (0, cloud_init_1.generateCloudInit)(cloudInitConfig);
+            const interpolated = (0, cloud_init_1.interpolateCloudInit)(script, {
+                anthropicApiKey: apiKey,
+                tailscaleAuthKey: tsAuthKey,
+                gatewayToken: gwToken,
+                additionalSecrets,
+            });
+            return defaults?.compress ? (0, cloud_init_1.compressCloudInit)(interpolated) : interpolated;
+        });
+    });
+}
+//# sourceMappingURL=shared.js.map

package/infra/dist/components/types.js

@@ -0,0 +1,6 @@
+"use strict";
+/**
+ * Shared types for OpenClaw agent components (AWS + Hetzner)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map