Skip to content

Releases: eratchev/openclaw-deploy

v1.1 — Voice Transcription

Choose a tag to compare

@eratchev eratchev released this 05 Mar 16:10

What's new

Voice Transcription

Telegram voice notes are now automatically transcribed via OpenAI Whisper before reaching OpenClaw. You can speak to your bot hands-free.

How it works: A new voice-proxy service sits between Caddy and OpenClaw. It intercepts Telegram webhook POSTs, downloads voice/audio messages into memory (no disk writes), transcribes them via the Whisper API, injects the transcript as message.text, and forwards the mutated update to OpenClaw. Non-voice traffic is forwarded unchanged. OpenClaw never knows a voice note was involved.

Setup: See the Voice Transcription section in README for full setup instructions. Requires OPENAI_API_KEY, TELEGRAM_TOKEN, and OpenClaw configured in webhook mode.

Start with: make up-voice

Changes

  • services/voice-proxy/ — new hardened aiohttp service (non-root, read-only fs, caps dropped)
  • Caddyfile — routes all traffic through voice-proxy instead of directly to OpenClaw
  • docker-compose.yml — voice-proxy service with rate limiting, health check, resource limits
  • Makefileup-voice target
  • docs/architecture.md — updated diagram, network table, and service role descriptions
  • 36 unit tests covering transforms, rate limiting, download, transcription, forwarding, and integration

Deployment notes

  • Requires OpenClaw in webhook mode (channels.telegram.webhookUrl, webhookSecret, webhookHost=0.0.0.0)
  • voice-proxy forwards to OpenClaw's Telegram webhook server on port 8787 (not the gateway API on 18789)
  • Rate limit: 10 voice messages/minute per chat (configurable via VOICE_RATE_LIMIT_PER_MIN)
  • Cost: ~$0.006/min (OpenAI Whisper)

v1.0 — Initial release

Choose a tag to compare

@eratchev eratchev released this 03 Mar 17:43

Hardened single-VPS deployment of OpenClaw with execution guardrails. Personal assistant + publishable open-source template.

What's included

  • TLS termination via Caddy with automatic Let's Encrypt certificates
  • Hardened container — non-root user (UID 1000), all Linux capabilities dropped, read-only filesystem, memory/CPU limits
  • Network segmentation — Redis isolated to internal Docker network, unreachable from the internet
  • Execution guardrail — Python watchdog kills runaway LLM sessions (LLM call limit, session time, idle timeout, memory threshold)
  • Automated backups — daily cron uploads the data volume to Hetzner Object Storage (S3-compatible) with configurable retention
  • VPS provisioningscripts/provision.sh configures UFW, SSH key-only auth, Fail2ban, and unattended security upgrades
  • Makefileup, down, logs, backup-remote, update, kill-switch

Guardrail limits (configurable via env)

Limit Default
MAX_LLM_CALLS 30
MAX_SESSION_SECONDS 300
MAX_IDLE_SECONDS 60
MAX_MEMORY_PCT 90%

Requirements

  • Hetzner CX22 (or equivalent) running Ubuntu 24.04 LTS
  • A domain name pointing to the VPS
  • OpenClaw configured locally (channels onboarded before deploy)

See the README for quickstart instructions and the threat model for known limitations.