IronClaw: Extra configuration during install to ensure Web Gateway can run (#14635)

* configure gateway during install for best chance of it not getting disabled

* add missing dbus-run-session on service

* add back chmod to .env file

* remove extra character

* add back mkdir for /root/.ironclaw

* remove erroneous msg blocks, service env values and tab in post completion gateway line

ct/alpine-ironclaw.sh

@@ -60,11 +60,12 @@ description
 
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Complete setup by running:${CL}"
-echo -e "${TAB}${BGN}ironclaw onboard${CL}"
-echo -e "${INFO}${YW} Then start the service:${CL}"
-echo -e "${TAB}${BGN}rc-service ironclaw start${CL}"
-echo -e "${INFO}${YW} Access the Web UI at:${CL}"
+echo -e "${INFO}${YW} Next Steps:${CL}"
+echo -e "${TAB}1. Complete setup by running:${CL}"
+echo -e "${TAB}${TAB}${BGN}/usr/local/bin/ironclaw onboard${CL}"
+echo -e "${TAB}2. Start the service:${CL}"
+echo -e "${TAB}${TAB}${BGN}rc-service ironclaw start${CL}"
+echo -e "${TAB}3. Access the Web UI at:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
-echo -e "${INFO}${YW} Auth token and database credentials:${CL}"
-echo -e "${TAB}${BGN}cat /root/.ironclaw/.env${CL}"
+echo -e "${INFO}${YW} Use Gateway Authentication Token to login:${CL}"
+echo -e "${TAB}${TAB}${BGN}cat /root/.ironclaw/gateway.creds${CL}"

ct/ironclaw.sh

@@ -40,7 +40,7 @@ function update_script() {
     msg_ok "Backed up Configuration"
 
     fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest" "/usr/local/bin" \
-      "ironclaw-$(uname -m)-unknown-linux-$([[ -f /etc/alpine-release ]] && echo "musl" || echo "gnu").tar.gz"
+      "ironclaw-$(uname -m)-unknown-linux-gnu.tar.gz"
     chmod +x /usr/local/bin/ironclaw
 
     msg_info "Restoring Configuration"
@@ -62,11 +62,12 @@ description
 
 msg_ok "Completed Successfully!\n"
 echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
-echo -e "${INFO}${YW} Complete setup by running:${CL}"
-echo -e "${TAB}${BGN}ironclaw onboard${CL}"
-echo -e "${INFO}${YW} Then start the service:${CL}"
-echo -e "${TAB}${BGN}systemctl start ironclaw${CL}"
-echo -e "${INFO}${YW} Access the Web UI at:${CL}"
+echo -e "${INFO}${YW} Next Steps:${CL}"
+echo -e "${TAB}1. Configure remaining settings:${CL}"
+echo -e "${TAB}${TAB}${BGN}/usr/local/bin/ironclaw onboard${CL}"
+echo -e "${TAB}2. Start the service:${CL}"
+echo -e "${TAB}${TAB}${BGN}systemctl start ironclaw${CL}"
+echo -e "${TAB}3. Access the Web UI at:${CL}"
 echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
-echo -e "${INFO}${YW} Auth token and database credentials:${CL}"
-echo -e "${TAB}${BGN}cat /root/.ironclaw/.env${CL}"
+echo -e "${INFO}${YW} Use Gateway Authentication Token to login:${CL}"
+echo -e "${TAB}${TAB}${BGN}cat /root/.ironclaw/gateway.creds${CL}"

install/alpine-ironclaw-install.sh

@@ -35,20 +35,41 @@ fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest"
   "ironclaw-$(uname -m)-unknown-linux-musl.tar.gz"
 chmod +x /usr/local/bin/ironclaw
 
-msg_info "Configuring IronClaw"
-mkdir -p /root/.ironclaw
+msg_info "Configuring Environment"
 GATEWAY_TOKEN=$(openssl rand -hex 32)
+mkdir -p /root/.ironclaw
+{
+    echo "Gateway-Token"
+    echo "Token: $GATEWAY_TOKEN"
+} >> /root/.ironclaw/gateway.creds
+
+mkdir -p /root/.ironclaw
 cat <<EOF >/root/.ironclaw/.env
+DATABASE_BACKEND=postgres
 DATABASE_URL=postgresql://ironclaw:${PG_PASS}@localhost:5432/ironclaw?sslmode=disable
 GATEWAY_ENABLED=true
 GATEWAY_HOST=0.0.0.0
 GATEWAY_PORT=3000
 GATEWAY_AUTH_TOKEN=${GATEWAY_TOKEN}
 CLI_ENABLED=false
-AGENT_NAME=ironclaw
 RUST_LOG=ironclaw=info,tower_http=info
 EOF
 chmod 600 /root/.ironclaw/.env
+msg_ok "Configured Environment"
+
+msg_info "Configuring IronClaw"
+# Set values in the database since it is typically the true source of truth and ensures values are set correctly on first run before the service starts.
+/usr/local/bin/ironclaw --no-onboard config set database_backend postgres >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set database_url "postgresql://ironclaw:${PG_PASS}@localhost:5432/ironclaw?sslmode=disable" >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_enabled true >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_host 0.0.0.0 >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_port 3000 >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_auth_token "${GATEWAY_TOKEN}" >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.cli_enabled false >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set secrets_master_key_source none >/dev/null
+# Running ironclaw defaults to use env for secrets and creates this entry, but we want to set that during onboard.
+sleep 5
+sed -i '/SECRETS_MASTER_KEY/d' /root/.ironclaw/.env
 msg_ok "Configured IronClaw"
 
 msg_info "Creating Service"

install/ironclaw-install.sh

@@ -24,23 +24,44 @@ PG_VERSION="17" PG_MODULES="pgvector" setup_postgresql
 PG_DB_NAME="ironclaw" PG_DB_USER="ironclaw" PG_DB_EXTENSIONS="vector" setup_postgresql_db
 
 fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest" "/usr/local/bin" \
-  "ironclaw-$(uname -m)-unknown-linux-$([[ -f /etc/alpine-release ]] && echo "musl" || echo "gnu").tar.gz"
+  "ironclaw-$(uname -m)-unknown-linux-gnu.tar.gz"
 chmod +x /usr/local/bin/ironclaw
 
-msg_info "Configuring IronClaw"
-mkdir -p /root/.ironclaw
+msg_info "Configuring Environment"
 GATEWAY_TOKEN=$(openssl rand -hex 32)
+mkdir -p /root/.ironclaw
+{
+    echo "Gateway-Token"
+    echo "Token: $GATEWAY_TOKEN"
+} >> /root/.ironclaw/gateway.creds
+
+mkdir -p /root/.ironclaw
 cat <<EOF >/root/.ironclaw/.env
+DATABASE_BACKEND=postgres
 DATABASE_URL=postgresql://${PG_DB_USER}:${PG_DB_PASS}@localhost:5432/${PG_DB_NAME}?sslmode=disable
 GATEWAY_ENABLED=true
 GATEWAY_HOST=0.0.0.0
 GATEWAY_PORT=3000
 GATEWAY_AUTH_TOKEN=${GATEWAY_TOKEN}
 CLI_ENABLED=false
-AGENT_NAME=ironclaw
 RUST_LOG=ironclaw=info,tower_http=info
 EOF
 chmod 600 /root/.ironclaw/.env
+msg_ok "Configured Environment"
+
+msg_info "Configuring IronClaw"
+# Set values in the database since it is typically the true source of truth and ensures values are set correctly on first run before the service starts.
+/usr/local/bin/ironclaw --no-onboard config set database_backend postgres >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set database_url "postgresql://${PG_DB_USER}:${PG_DB_PASS}@localhost:5432/${PG_DB_NAME}?sslmode=disable" >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_enabled true >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_host 0.0.0.0 >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_port 3000 >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.gateway_auth_token "${GATEWAY_TOKEN}" >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set channels.cli_enabled false >/dev/null
+/usr/local/bin/ironclaw --no-onboard config set secrets_master_key_source none >/dev/null
+# Running ironclaw defaults to use env for secrets and creates this entry, but we want to set that during onboard.
+sleep 5
+sed -i '/SECRETS_MASTER_KEY/d' /root/.ironclaw/.env
 msg_ok "Configured IronClaw"
 
 msg_info "Creating Service"
@@ -51,10 +72,7 @@ After=network.target postgresql.service
 
 [Service]
 Type=simple
-User=root
-WorkingDirectory=/root
-EnvironmentFile=/root/.ironclaw/.env
-ExecStart=/usr/bin/dbus-run-session /usr/local/bin/ironclaw
+ExecStart=/usr/bin/dbus-run-session /usr/local/bin/ironclaw run
 Restart=on-failure
 RestartSec=5