#9426: Coolify deploy hardening: compose, bootstrap, Traefik
Labels: docs, scripts, docker, agents, stale
Cluster: Docker and Deployment Improvements
## Summary
Production-ready Coolify deployment setup with hardened Docker Compose configuration, Traefik integration, and bootstrap script for token management and configuration.
## Motivation
Coolify deployments are fragile without explicit Traefik routing and consistent bootstrap behavior. This PR makes the default Compose and bootstrap path production-ready.
## How It Works
1. Traefik routes HTTPS to the container's internal port
2. Bootstrap script validates bind/token settings and writes config
3. Gateway starts with consistent bind/port flags
4. Docker socket proxy enables sandboxing safely
## Architecture
```mermaid
graph LR;
User --> Traefik;
Traefik --> OpenClaw[openclaw container];
OpenClaw --> Bootstrap[scripts/coolify-bootstrap.sh];
Bootstrap --> Config[/root/.openclaw/openclaw.json];
Bootstrap --> Gateway;
OpenClaw --> DockerProxy[docker-socket-proxy];
```
## Key Code Changes
1. **New Files:**
- `docker-compose.coolify.yml` - Production Compose for Coolify with Traefik labels
- `scripts/coolify-bootstrap.sh` - Bootstrap script (token sync, config creation, startup)
- `.env.coolify.example` - Environment variable template
2. **Docker Compose Hardening (`docker-compose.coolify.yml`):**
- Security opts: `no-new-privileges:true`
- Capabilities: `cap_drop: ALL`
- File descriptor limits: `ulimits.nofile: 65535` (WebSocket connections)
- Traefik labels for automatic HTTPS routing
- Docker socket proxy integration for safe sandboxing
3. **Bootstrap Script Features (`scripts/coolify-bootstrap.sh`):**
- Token sync: Writes `SERVICE_PASSWORD_GATEWAY` to `$TOKEN_FILE`
- Config validation: Checks `OPENCLAW_GATEWAY_BIND` (defaults to `lan`)
- CLI setup: Creates symlink `/root/bin/openclaw` → `/app/openclaw.mjs`
- PATH fixes: Ensures `/root/bin` is in PATH
- Docker proxy wait: Polls `$DOCKER_HOST/_ping` before gateway startup
- Workspace alignment: Uses `/root/openclaw-workspace`
4. **Container Configuration:**
- Environment: `GATEWAY_TRUSTED_PROXIES=10.0.1.7` (Coolify's Traefik)
- Volumes: `openclaw-config`, `openclaw-workspace`
- User: `0` (root for Coolify volume permissions)
- Healthcheck: HTTP endpoint for Traefik routing
5. **Bug Fixes:**
- `src/agents/skills-install.ts` - Changed from `-g` to `--prefix CONFIG_DIR` for Docker compatibility
- `src/cron/isolated-agent/run.ts` - Removed unused import `formatXHighModelHint`
- `src/docker-setup.test.ts` - Updated to support multiple compose file locations
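To make the hardening items in point 2 concrete, here is an added example that is not the PR's `docker-compose.coolify.yml`: a constructed hardened service fragment beside a deliberately weak one, plus a small shell audit that reports which of those settings a compose file lacks (or which dangerous ones it has). Image, service name, container port, health path and Traefik router name are placeholders, and the Traefik labels are the generic v2 keys rather than whatever Coolify injects.

```shell
#!/bin/sh
# Added example, not the PR's docker-compose.coolify.yml: a constructed hardened
# service fragment next to a deliberately weak one, and a text-based audit that
# lists which of the hardening settings from this PR a compose file is missing.
# Service name, image, container port and Traefik router name are placeholders.
set -eu

# Hardened service fragment mirroring the settings the PR lists.
hardened_compose() {
cat <<'EOF'
services:
  openclaw:
    image: example/openclaw:latest          # placeholder image
    user: "0"                               # root for Coolify volume permissions
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    ulimits:
      nofile:
        soft: 65535
        hard: 65535
    environment:
      - GATEWAY_TRUSTED_PROXIES=10.0.1.7
      - DOCKER_HOST=tcp://docker-socket-proxy:2375   # sandboxing via the proxy, never the raw socket
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:18789/health"]   # port and path are placeholders
      interval: 30s
      timeout: 5s
      retries: 3
    labels:
      - traefik.enable=true
      - traefik.http.routers.openclaw.entrypoints=https
      - traefik.http.routers.openclaw.tls=true
      - traefik.http.services.openclaw.loadbalancer.server.port=18789
EOF
}

# Weak fragment (constructed): privileged, raw socket mount, no limits or healthcheck.
weak_compose() {
cat <<'EOF'
services:
  openclaw:
    image: example/openclaw:latest
    privileged: true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
EOF
}

findings=0
report() {
  echo "$1"
  findings=$((findings + 1))
}

# Print one line per missing or dangerous setting; return 1 if anything was found.
# Only the list form of cap_drop is recognised, which is what the PR uses.
audit_compose_hardening() {
  file="$1"
  findings=0
  grep -q 'no-new-privileges:true' "$file" || report "missing security_opt no-new-privileges:true"
  awk '
    /^[[:space:]]*cap_drop:/ { in_drop = 1; next }
    in_drop && /^[[:space:]]*-[[:space:]]*ALL[[:space:]]*$/ { found = 1 }
    in_drop && !/^[[:space:]]*-/ { in_drop = 0 }
    END { exit found ? 0 : 1 }
  ' "$file" || report "missing cap_drop ALL"
  grep -q 'nofile' "$file" || report "missing ulimits.nofile (WebSocket fd pressure)"
  grep -q 'healthcheck:' "$file" || report "missing healthcheck (Traefik cannot gate routing on readiness)"
  grep -q '/var/run/docker.sock' "$file" && report "docker socket mounted directly (route through docker-socket-proxy)"
  grep -q 'privileged: *true' "$file" && report "privileged: true set"
  [ "$findings" -eq 0 ]
}

# Usage: hardened_compose > hardened.yml && audit_compose_hardening hardened.yml
```

Run against the hardened fragment the audit prints nothing and exits 0; against the weak one it lists six findings. The two socket-related checks are the ones worth keeping in CI: `cap_drop: ALL` and `no-new-privileges` limit what a compromised gateway process can do, but a raw `docker.sock` mount or `privileged: true` hands it the host regardless, which is exactly why the PR routes sandboxing through `docker-socket-proxy`.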
## Dependencies
- PR #9421 for `skipDevicePairingForTrustedProxy` support
## Testing
- `pnpm build && pnpm test`