
v1.0.0 - Initial commit validated on: #17

Open
markosluga wants to merge 2 commits into f5devcentral:main from markosluga:openclaw_network_boundary

Conversation


@markosluga markosluga commented Apr 20, 2026

Summary

This PR adds a new agentic lab under 4_agentic_labs/openclaw_network_boundary/ — a complete, self-contained Docker Compose stack that runs OpenClaw inside a secure network boundary with kernel-level outbound traffic isolation, TLS termination, and full OpenTelemetry observability.

What's included

  • nginx — TLS termination (using NGINX acme autorenew) as the sole public entry point
  • OpenClaw — AI agent gateway, never exposed directly
  • Ollama — local LLM inference (tested on GTX 1650 4GB and Jetson Orin Nano 8GB)
  • mitmproxy — intercepts and decrypts all outbound traffic from OpenClaw; enforced at the kernel level via iptables so no process can bypass it
  • OpenTelemetry collector — captures inbound (nginx) and outbound (mitmproxy) spans to a local JSONL audit trail

Validated on

  • Intel x86 + NVIDIA GTX 1650 4GB
  • NVIDIA Jetson Orin Nano 8GB shared memory (JetPack 6 + NVIDIA Container Runtime)

Test plan

  • docker compose up deploys all services cleanly
  • nginx serves OpenClaw over HTTPS with a valid TLS certificate
  • mitmproxy intercepts outbound OpenClaw traffic
  • iptables rules prevent direct outbound connections from the openclaw container
  • OTel spans appear in network-boundary-traffic.jsonl
  • Ollama serves inference locally without external routing
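
The "enforced at the kernel level via iptables" bullet above describes the control but not the rules. The script below is an added example, not code from this PR or from the f5devcentral lab, of an entrypoint that enforces that boundary inside the openclaw container. It assumes mitmproxy shares the container's network namespace (compose `network_mode: service:openclaw`), listens in transparent mode on port 8080 as uid 1001, that Ollama is reachable at 10.20.0.4:11434, and that the service has `cap_add: NET_ADMIN`; every address and id is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not the lab's own entrypoint: one way to enforce the
# "kernel-level outbound isolation" described in the PR from inside the
# openclaw container (requires cap_add: NET_ADMIN). Assumes mitmproxy shares
# this container's network namespace, listens in transparent mode on
# MITM_PORT and runs as uid MITM_UID. All addresses/ids below are assumed.
# Set IPTABLES=echo to print the rules instead of applying them.
set -eu

MITM_PORT="${MITM_PORT:-8080}"
MITM_UID="${MITM_UID:-1001}"            # uid of the mitmproxy process
OLLAMA_HOST="${OLLAMA_HOST:-10.20.0.4}" # local inference, reached directly
DNS_HOST="${DNS_HOST:-127.0.0.11}"      # Docker's embedded resolver
IPTABLES="${IPTABLES:-iptables}"

apply_egress_boundary() {
  # Flush only the OUTPUT chains so re-running the entrypoint is idempotent.
  "$IPTABLES" -t nat -F OUTPUT
  "$IPTABLES" -F OUTPUT

  # 1. nat/OUTPUT: every HTTP/HTTPS connection not made by mitmproxy itself is
  #    redirected to the local proxy port. The owner match keeps the proxy's
  #    own upstream connections out of the loop.
  for port in 80 443; do
    "$IPTABLES" -t nat -A OUTPUT -p tcp -m owner ! --uid-owner "$MITM_UID" \
      --dport "$port" -j REDIRECT --to-ports "$MITM_PORT"
  done

  # 2. filter/OUTPUT: default-deny, then an explicit allow-list.
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT                                      # redirected flows land here
  "$IPTABLES" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to nginx
  "$IPTABLES" -A OUTPUT -m owner --uid-owner "$MITM_UID" -j ACCEPT           # proxy reaches upstream
  "$IPTABLES" -A OUTPUT -p udp -d "$DNS_HOST" --dport 53 -j ACCEPT
  "$IPTABLES" -A OUTPUT -p tcp -d "$OLLAMA_HOST" --dport 11434 -j ACCEPT
  # Anything else the agent process tries (non-HTTP ports, a direct socket to
  # the Internet, its own proxy) falls through to the DROP policy.
}

if [ "${1:-}" = "apply" ]; then
  apply_egress_boundary
fi
```

In the compose file this would run as the openclaw service's entrypoint (`./egress.sh apply`) before the gateway starts. The ESTABLISHED,RELATED rule is what lets the gateway still answer nginx's inbound requests under the DROP policy, so leaving it out breaks the "nginx serves OpenClaw over HTTPS" test.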

markosluga force-pushed the openclaw_network_boundary branch from 8b62f0a to 47231d9 on April 21, 2026 17:59

Complete self-contained Docker Compose stack running OpenClaw behind a
secure network boundary with automatic TLS, kernel-level outbound isolation,
and full OpenTelemetry observability.

- nginx inbound reverse proxy with TLS via ngx_http_acme_module (HTTP-01,
  Let's Encrypt); multi-stage Dockerfile compiles Rust module at build time
- DNS-01 alternative (acme.sh, Route53/Cloudflare/GCP): docs/dns-acme.md
- mitmproxy outbound MITM proxy with OTel addon
- Kernel-level outbound isolation via iptables (cap_add: NET_ADMIN)
- Ollama LLM backend — nvidia runtime on Jetson, CPU/empty on x86
- otel-collector writing inbound + outbound spans to JSONL with rotation
- README: home lab network guide (direct hosting, port forwarding, DMZ)
- README: all steps in do / what you'll see / why it matters format

Validated on: Intel x86 + NVIDIA GTX1650 4GB, NVIDIA Jetson Orin Nano 8GB

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
markosluga force-pushed the openclaw_network_boundary branch from eef052e to 4cf1361 on April 22, 2026 16:18

Switch from multi-stage Rust build to official nginx:1.30.0-otel base
image which ships with both ngx_otel_module and ngx_http_acme_module
pre-installed, eliminating the builder stage and Rust toolchain entirely.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>