Initial commit — OpenClaw VM infrastructure

- ansible/: VM provisioning playbooks and roles
  - provision-vm.yml: create KVM VM from Ubuntu cloud image
  - install.yml: install OpenClaw on guest (upstream)
  - customize.yml: swappiness, virtiofs fstab, linger
  - roles/vm/: libvirt domain XML, cloud-init templates
  - inventory.yml + host_vars/zap.yml: zap instance config
- backup-openclaw-vm.sh: daily rsync + MinIO upload
- restore-openclaw-vm.sh: full redeploy from scratch
- README.md: full operational documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ansible/roles/openclaw/tasks/openclaw.yml

@@ -0,0 +1,121 @@
+---
+- name: Validate openclaw_install_mode
+  ansible.builtin.assert:
+    that:
+      - openclaw_install_mode in ["release", "development"]
+    fail_msg: "Invalid openclaw_install_mode: '{{ openclaw_install_mode }}'. Must be 'release' or 'development'."
+    success_msg: "Valid install mode: {{ openclaw_install_mode }}"
+
+- name: Ensure openclaw home directory exists with correct ownership
+  ansible.builtin.file:
+    path: "{{ openclaw_home }}"
+    state: directory
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    mode: '0755'
+
+- name: Create OpenClaw directories (structure only, no config files)
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    mode: "{{ item.mode }}"
+  loop:
+    - { path: "{{ openclaw_config_dir }}", mode: '0755' }
+    - { path: "{{ openclaw_config_dir }}/sessions", mode: '0755' }
+    - { path: "{{ openclaw_config_dir }}/credentials", mode: '0700' }
+    - { path: "{{ openclaw_config_dir }}/data", mode: '0755' }
+    - { path: "{{ openclaw_config_dir }}/logs", mode: '0755' }
+    - { path: "{{ openclaw_config_dir }}/agents", mode: '0755' }
+    - { path: "{{ openclaw_config_dir }}/agents/main", mode: '0755' }
+    - { path: "{{ openclaw_config_dir }}/agents/main/agent", mode: '0700' }
+    - { path: "{{ openclaw_config_dir }}/workspace", mode: '0755' }
+
+- name: Create pnpm directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    mode: '0755'
+  loop:
+    - "{{ openclaw_home }}/.local/share/pnpm"
+    - "{{ openclaw_home }}/.local/share/pnpm/store"
+    - "{{ openclaw_home }}/.local/bin"
+
+- name: Ensure pnpm directories have correct ownership
+  ansible.builtin.file:
+    path: "{{ openclaw_home }}/.local/share/pnpm"
+    state: directory
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    recurse: true
+    mode: '0755'
+
+- name: Configure pnpm for openclaw user
+  ansible.builtin.shell:
+    cmd: |
+      CURRENT_GLOBAL_DIR=$(pnpm config get global-dir 2>/dev/null || echo "")
+      CURRENT_BIN_DIR=$(pnpm config get global-bin-dir 2>/dev/null || echo "")
+      CHANGED=0
+      if [ "$CURRENT_GLOBAL_DIR" != "{{ openclaw_home }}/.local/share/pnpm" ]; then
+        pnpm config set global-dir {{ openclaw_home }}/.local/share/pnpm
+        CHANGED=1
+      fi
+      if [ "$CURRENT_BIN_DIR" != "{{ openclaw_home }}/.local/bin" ]; then
+        pnpm config set global-bin-dir {{ openclaw_home }}/.local/bin
+        CHANGED=1
+      fi
+      exit $CHANGED
+    executable: /bin/bash
+  become: true
+  become_user: "{{ openclaw_user }}"
+  register: pnpm_config_result
+  changed_when: pnpm_config_result.rc == 1
+  failed_when: pnpm_config_result.rc > 1
+
+- name: Display installation mode
+  ansible.builtin.debug:
+    msg: "Installation mode: {{ openclaw_install_mode }}"
+
+# Include appropriate installation method based on mode
+- name: Include release installation (pnpm install -g)
+  ansible.builtin.include_tasks: openclaw-release.yml
+  when: openclaw_install_mode == "release"
+
+- name: Include development installation (git clone + build + link)
+  ansible.builtin.include_tasks: openclaw-development.yml
+  when: openclaw_install_mode == "development"
+
+- name: Configure .bashrc for openclaw user (base config)
+  ansible.builtin.blockinfile:
+    path: "{{ openclaw_home }}/.bashrc"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK - OpenClaw pnpm"
+    block: |
+      # pnpm configuration
+      export PNPM_HOME="{{ openclaw_home }}/.local/share/pnpm"
+      export PATH="{{ openclaw_home }}/.local/bin:$PNPM_HOME:$PATH"
+    create: true
+    owner: "{{ openclaw_user }}"
+    group: "{{ openclaw_user }}"
+    mode: '0644'
+    insertafter: EOF
+
+# NOTE: We do NOT create config.yml here - openclaw onboard/configure will do that
+# We also do NOT install the systemd service - openclaw onboard --install-daemon will do that
+# The .openclaw directory structure is created above, but config and daemon are user-initiated
+
+- name: Display configuration note
+  ansible.builtin.debug:
+    msg: |
+      OpenClaw is installed but NOT configured yet.
+
+      Next steps (run as openclaw user):
+      1. Switch user: sudo su - {{ openclaw_user }}
+      2. Run onboarding: openclaw onboard --install-daemon
+
+      This will:
+      - Create configuration files (~/.openclaw/openclaw.json)
+      - Guide you through provider setup
+      - Install and start the daemon service automatically