Remove macos support

[thebalaa]

Summary

This PR removes macOS support from the playbook (Linux-only), makes Tailscale installation optional (disabled by default), and fixes multiple installation and user environment issues discovered during testing.

Major Changes

🔧 Platform Support

• Remove macOS support: Removed all macOS/Homebrew/zsh related tasks and dependencies
  • Playbook now only supports Debian/Ubuntu Linux
  • Updated install.sh to reflect Linux-only support
  • Fixed repository URLs to point to openclaw/openclaw-ansible

🌐 Tailscale Made Optional

• Add tailscale_enabled variable (default: false)
  • Users must explicitly opt-in to Tailscale installation
  • When disabled: no packages, firewall rules, or sudoers entries created
  • Conditional welcome messages and documentation
  • Converted show-lobster.sh to Jinja2 template for dynamic port display

🐛 Installation Fixes

Multiple critical fixes for user environment and installation flow:

1. Home directory ownership: Fixed clawdbot home directory being owned by root instead of clawdbot user
2. Login shell environment: Added .bash_profile to source .bashrc for login shells (sudo su - clawdbot)
3. PNPM PATH configuration: Added PNPM_HOME to PATH in all pnpm installation tasks
4. Binary path resolution: Fixed clawdbot binary path in systemd service and verification tasks
5. Task ordering: Moved .bashrc configuration to run after user creation
6. Welcome message cleanup: Suppressed permission errors when removing welcome file

🧪 Testing Infrastructure

• Docker-based CI test harness: Added containerized test environment
  • Ubuntu 22.04 and 24.04 test images
  • Automated playbook validation
  • Test with both Tailscale enabled/disabled scenarios
• Comprehensive testing documentation: Added docs/testing.md with test procedures

Security Improvements

• Tailscale now opt-in only (reduces attack surface by default)
• Scoped sudoers entries only created when needed
• Fixed file permissions and ownership issues

Documentation Updates

• Updated architecture.md to reflect Tailscale as optional
• Updated configuration.md with tailscale_enabled variable documentation
• Added testing.md with comprehensive test procedures
• Updated all example configurations

Commit Log

• refactor: remove macOS/Homebrew/zsh support and fix audit findings
• feat: make Tailscale optional (default: disabled)
• refactor: simplify install.sh to only install dependencies
• fix: move .bashrc configuration after user creation
• fix: add PNPM_HOME to PATH in pnpm installation tasks
• fix: correct clawdbot binary path resolution
• fix: create .bash_profile to source .bashrc for login shells
• fix: suppress permission error when removing welcome message
• fix: ensure clawdbot home directory has correct ownership
• feat: add Docker-based CI test harness for playbook validation
• docs: add comprehensive testing documentation
• revert: restore install.sh to main branch version
• refactor: remove macOS support and fix repository URL in install.sh

Testing

✅ Tested on Ubuntu 22.04 VPS
✅ Verified with Tailscale disabled (default)
✅ Verified with Tailscale enabled
✅ All installation issues resolved
✅ User environment loads correctly on login

Breaking Changes

⚠️ macOS is no longer supported - Users on macOS should use Docker or a Linux VM
⚠️ Tailscale is disabled by default - Set tailscale_enabled: true to install Tailscale

🤖 Generated with Claude Code

[alauppe]

This is excellent work, @thebalaa. We want all of this.

What we love:

• Removing macOS support - You're absolutely right that incomplete security is worse than no support. The pf + Docker Desktop networking problem is real, and your documentation of what would be needed to restore it properly (in HANDOFF.md) is thoughtful.

• Tailscale as opt-in - This is the right default. Not everyone needs VPN, and it reduces attack surface out of the box.

• The bug fixes - The .bash_profile fix for login shells, home directory ownership, PNPM PATH issues - these are real problems that would bite users. Great catches.

• Test infrastructure - The Docker-based CI harness with convergence/verification/idempotency testing is exactly what this project needs. This will catch regressions before they hit users.

One snag: While this PR was in flight, we merged a rename from clawdbot → openclaw (PR #13). The role directory is now roles/openclaw/, variables are openclaw_*, etc.

Could you rebase on main? The structure has changed but your changes should map cleanly:

• roles/clawdbot/ → roles/openclaw/
• clawdbot_* variables → openclaw_*
• Service name clawdbot → openclaw

We're excited to merge this once it's rebased. Thank you for the thorough testing and documentation - it shows. 🙏

[justin-russell]

Hey, @alauppe! I've updated everything with the rename changes. I've tested on a Hetzner VM from scratch and all seems to work. Let me know if there's anything else!

[alauppe]

Following up with some specifics to help with the rebase:

Structural changes on main since your PR:

The clawdbot → openclaw rename has landed (PR #13). The key mappings you'll need:

• roles/clawdbot/ → roles/openclaw/
• clawdbot_* variables → openclaw_*
• Service/user name clawdbot → openclaw
• clawdbot_home → openclaw_home, etc.

One thing to preserve from main:

We fixed the authorized_key module FQCN. Please keep:

# requirements.yml - keep this entry:
- name: ansible.posix
  version: ">=1.5.0"

# In user.yml - use the canonical module name:
ansible.posix.authorized_key:   # not ansible.builtin.authorized_key

Why this matters: ansible.builtin.authorized_key is actually a deprecated redirect stub - the real module lives in ansible.posix. Using the redirect hides the dependency and breaks on ansible-core-only installations where ansible.posix isn't bundled. The lint warning (fqcn[canonical]) is correct here.

Everything else in your PR is great as-is. Looking forward to the rebased version - we're ready to merge once it's updated.

[justin-russell]

Done! Thanks for the feedback, @alauppe

[alauppe]

Excellent work on the rebase, @thebalaa. Everything looks clean.

Approving - this PR brings real improvements:

• macOS removal with clear deprecation notice and restoration roadmap
• Tailscale as opt-in (sensible default, reduces attack surface)
• Critical bug fixes (home directory ownership, .bash_profile for login shells, PNPM PATH)
• Docker CI test harness with convergence/verification/idempotency
• Better .gitignore for secrets
• Network interface validation

Thank you for addressing the ansible.posix and rename feedback. This is a quality contribution.