Releases: eratchev/openclaw-deploy
Release list
v1.1 — Voice Transcription
What's new
Voice Transcription
Telegram voice notes are now automatically transcribed via OpenAI Whisper before reaching OpenClaw. You can speak to your bot hands-free.
How it works: A new voice-proxy service sits between Caddy and OpenClaw. It intercepts Telegram webhook POSTs, downloads voice/audio messages into memory (no disk writes), transcribes them via the Whisper API, injects the transcript as message.text, and forwards the mutated update to OpenClaw. Non-voice traffic is forwarded unchanged. OpenClaw never knows a voice note was involved.
Setup: See the Voice Transcription section in README for full setup instructions. Requires OPENAI_API_KEY, TELEGRAM_TOKEN, and OpenClaw configured in webhook mode.
Start with: make up-voice
Changes
services/voice-proxy/— new hardened aiohttp service (non-root, read-only fs, caps dropped)Caddyfile— routes all traffic through voice-proxy instead of directly to OpenClawdocker-compose.yml— voice-proxy service with rate limiting, health check, resource limitsMakefile—up-voicetargetdocs/architecture.md— updated diagram, network table, and service role descriptions- 36 unit tests covering transforms, rate limiting, download, transcription, forwarding, and integration
Deployment notes
- Requires OpenClaw in webhook mode (
channels.telegram.webhookUrl,webhookSecret,webhookHost=0.0.0.0) - voice-proxy forwards to OpenClaw's Telegram webhook server on port 8787 (not the gateway API on 18789)
- Rate limit: 10 voice messages/minute per chat (configurable via
VOICE_RATE_LIMIT_PER_MIN) - Cost: ~$0.006/min (OpenAI Whisper)
v1.0 — Initial release
Hardened single-VPS deployment of OpenClaw with execution guardrails. Personal assistant + publishable open-source template.
What's included
- TLS termination via Caddy with automatic Let's Encrypt certificates
- Hardened container — non-root user (UID 1000), all Linux capabilities dropped, read-only filesystem, memory/CPU limits
- Network segmentation — Redis isolated to internal Docker network, unreachable from the internet
- Execution guardrail — Python watchdog kills runaway LLM sessions (LLM call limit, session time, idle timeout, memory threshold)
- Automated backups — daily cron uploads the data volume to Hetzner Object Storage (S3-compatible) with configurable retention
- VPS provisioning —
scripts/provision.shconfigures UFW, SSH key-only auth, Fail2ban, and unattended security upgrades - Makefile —
up,down,logs,backup-remote,update,kill-switch
Guardrail limits (configurable via env)
| Limit | Default |
|---|---|
MAX_LLM_CALLS |
30 |
MAX_SESSION_SECONDS |
300 |
MAX_IDLE_SECONDS |
60 |
MAX_MEMORY_PCT |
90% |
Requirements
- Hetzner CX22 (or equivalent) running Ubuntu 24.04 LTS
- A domain name pointing to the VPS
- OpenClaw configured locally (channels onboarded before deploy)
See the README for quickstart instructions and the threat model for known limitations.