- Add fly.private.toml template for deployments with no public IP - Add "Private Deployment (Hardened)" section to Fly docs - Document how to convert existing deployment to private-only - Add security notes recommending env vars over config file for secrets This addresses security concerns about Clawdbot gateways being discoverable on internet scanners (Shodan, Censys). Private deployments are accessible only via fly proxy, WireGuard, or SSH. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Clawdbot Fly.io PRIVATE deployment configuration
#
# Use this template for hardened deployments with no public IP exposure.
#
# This config is suitable when:
# - You only make outbound calls (no inbound webhooks needed)
# - You use ngrok/Tailscale tunnels for any webhook callbacks
#   (a tunnel re-creates an internet-reachable endpoint; scope it to the
#   webhook path and keep the gateway's own authentication enabled)
# - You access the gateway via `fly proxy` or WireGuard, not public URL
# - You want the deployment hidden from internet scanners (Shodan, etc.)
#
# "Private" here means no public IPv4/IPv6 and no Fly edge ingress. The
# machine is, by default, still reachable over the organization's private
# network, so any WireGuard peer or other Fly app in the same org can
# connect to it. Treat network placement as defense in depth, not as the
# access control.
#
# Converting an existing public app: removing [http_service] does not
# release public IPs the app already holds. After deploying, check
# `fly ips list` and release any public addresses with `fly ips release`.
#
# See https://fly.io/docs/reference/configuration/

app = "clawdbot"
primary_region = "iad" # change to your closest region

[build]
dockerfile = "Dockerfile"

# Non-secret settings only. Values in [env] are stored in clear text in
# this file and are visible to anyone who can read the repo or run
# `fly config show`. Put API keys, tokens and other secrets in
# `fly secrets set ...` so they are injected at runtime, never committed.
[env]
NODE_ENV = "production"
CLAWDBOT_PREFER_PNPM = "1"
# Persistent state goes on the volume mounted at /data (see [mounts]).
CLAWDBOT_STATE_DIR = "/data"
# Keeps the V8 heap (1536 MB) under the 2048mb VM memory set in [[vm]].
NODE_OPTIONS = "--max-old-space-size=1536"

# --bind lan: presumably listens on the private-network interface rather
# than loopback only, which is what lets `fly proxy` / WireGuard reach it.
# --allow-unconfigured: starts the gateway without a committed config.
# NOTE(review): confirm this flag does not also relax gateway
# authentication; a private network is not a substitute for auth.
[processes]
app = "node dist/index.js gateway --allow-unconfigured --port 3000 --bind lan"

# NOTE: No [http_service] block = no public ingress allocated.
# The gateway will only be accessible via:
# - fly proxy 3000:3000 -a <app-name>
# - fly wireguard (then access via internal IPv6)
# - fly ssh console
# - (by default) any other Fly app in the same organization over the
#   private network

[[vm]]
size = "shared-cpu-2x"
memory = "2048mb"

[mounts]
source = "clawdbot_data"
destination = "/data"