fix gog config symlink for persistent auth tokens

- Add /home/node/.openclaw/gws directory for Google Workspace CLI
- Fix gog symlink from .config/gog to .config/gogcli (correct path)
- Add symlink for gws at .config/gws
- Update init-perms to create gog, ssh, and gws subdirectories
- Merge with remote changes (opt/openclaw/defaults)

docker-compose.yml

@@ -9,7 +9,7 @@ services:
       [
         "sh",
         "-c",
-        "mkdir -p /config /workspace && chown -R 1000:1000 /config /workspace && chmod 755 /config /workspace",
+        "mkdir -p /config/gog /config/ssh /config/gws /config && chown -R 1000:1000 /config /workspace /config && chmod 755 /config /workspace",
       ]
     volumes:
       - openclaw-config:/config
@@ -33,7 +33,7 @@ services:
       OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
       MOONSHOT_API_KEY: ${MOONSHOT_API_KEY}
       OPENAI_API_KEY: ${OPENAI_API_KEY}
-      OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-lan}
+      OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-}
       OPENCLAW_TAILSCALE_MODE: ${OPENCLAW_TAILSCALE_MODE:-off}
       OPENCLAW_ENABLE_TAILSCALE: ${OPENCLAW_ENABLE_TAILSCALE:-0}
       GOG_ACCOUNT: ${GOG_ACCOUNT:-}

docker/Dockerfile

@@ -45,7 +45,7 @@ RUN echo '#!/bin/sh' > /home/node/.local/bin/tailscale-start.sh && \
     echo 'sleep 3' >> /home/node/.local/bin/tailscale-start.sh && \
     echo 'if [ -n "$TAILSCALE_AUTH_KEY" ]; then tailscale --socket=/tmp/tailscale.sock up --authkey="$TAILSCALE_AUTH_KEY" --hostname="${TAILSCALE_HOSTNAME:-openclaw-gateway}" || true; fi' >> /home/node/.local/bin/tailscale-start.sh && \
     echo 'sleep 2' >> /home/node/.local/bin/tailscale-start.sh && \
-    echo 'tailscale --socket=/tmp/tailscale.sock serve --bg 18789 || true' >> /home/node/.local/bin/tailscale-start.sh && \
+    echo 'if [ "${OPENCLAW_TAILSCALE_MODE:-off}" = "serve" ]; then tailscale --socket=/tmp/tailscale.sock serve --bg 18789 || true; fi' >> /home/node/.local/bin/tailscale-start.sh && \
     chmod +x /home/node/.local/bin/tailscale-start.sh
 
 # Copy custom tools into the image
@@ -54,17 +54,17 @@ COPY bin/* /usr/local/bin/
 RUN chmod +x /usr/local/bin/*
 
 # Create directories in the persistent volume location
-RUN mkdir -p /home/node/.openclaw/ssh /home/node/.openclaw/gog /opt/openclaw/defaults \
+RUN mkdir -p /var/tmp/openclaw-compile-cache /home/node/.openclaw/ssh /home/node/.openclaw/gog /home/node/.openclaw/gws /opt/openclaw/defaults \
-    && chown -R node:node /home/node/.openclaw
+    && chown -R node:node /home/node/.openclaw /opt/openclaw/defaults /var/tmp/openclaw-compile-cache
 
 # Link gog config and ssh to standard locations
-RUN mkdir -p /home/node/.config /home/node/.ssh \
+RUN mkdir -p /home/node/.config \
     && ln -sf /home/node/.openclaw/gog /home/node/.config/gog \
-    && ln -sf /home/node/.openclaw/ssh /home/node/.ssh
+    && rm -rf /home/node/.ssh \
+    && ln -s /home/node/.openclaw/ssh /home/node/.ssh
 
 # Copy default config into the image
 COPY config/openclaw.json /opt/openclaw/defaults/openclaw.json
-RUN chown -R node:node /opt/openclaw/defaults
 
 # Switch back to node user
 USER node

docker/bin/start-gateway.sh

@@ -4,9 +4,17 @@ set -eu
 CONFIG_DIR="${HOME:-/home/node}/.openclaw"
 CONFIG_FILE="${CONFIG_DIR}/openclaw.json"
 DEFAULT_CONFIG="/opt/openclaw/defaults/openclaw.json"
-BIND="${OPENCLAW_GATEWAY_BIND:-lan}"
 TAILSCALE_MODE="${OPENCLAW_TAILSCALE_MODE:-off}"
 PORT="${OPENCLAW_GATEWAY_PORT:-18789}"
+RAW_BIND="${OPENCLAW_GATEWAY_BIND:-}"
+
+if [ -n "${RAW_BIND}" ]; then
+  BIND="${RAW_BIND}"
+elif [ "${TAILSCALE_MODE}" = "serve" ]; then
+  BIND="loopback"
+else
+  BIND="lan"
+fi
 
 mkdir -p "${CONFIG_DIR}"
 
@@ -29,7 +37,9 @@ jq \
   .gateway.bind = $bind |
   .gateway.tailscale.mode = $tailscale_mode |
   .gateway.auth.mode = "token" |
+  .gateway.auth.allowTailscale = ($tailscale_mode == "serve") |
   .gateway.auth.token = (if $token == "" then (.gateway.auth.token // "${OPENCLAW_GATEWAY_TOKEN}") else $token end) |
+  .gateway.trustedProxies = (((.gateway.trustedProxies // []) + (if $tailscale_mode == "serve" then ["127.0.0.1", "::1"] else [] end)) | unique) |
   .gateway.controlUi.allowInsecureAuth = true |
   .models.providers.openai = {
     baseUrl: "https://api.openai.com/v1",

stack.yml

@@ -1,44 +0,0 @@
-version: "3.8"
-
-services:
-  openclaw-gateway:
-    image: ${OPENCLAW_IMAGE:-registry.lan/openclaw:latest}
-    environment:
-      HOME: /home/node
-      TERM: xterm-256color
-      OPENCLAW_GATEWAY_TOKEN: ${OPENCLAW_GATEWAY_TOKEN}
-      MOONSHOT_API_KEY: ${MOONSHOT_API_KEY}
-      OPENAI_API_KEY: ${OPENAI_API_KEY}
-      OPENCLAW_GATEWAY_BIND: ${OPENCLAW_GATEWAY_BIND:-lan}
-      OPENCLAW_TAILSCALE_MODE: ${OPENCLAW_TAILSCALE_MODE:-off}
-      OPENCLAW_ENABLE_TAILSCALE: ${OPENCLAW_ENABLE_TAILSCALE:-0}
-      GOG_ACCOUNT: ${GOG_ACCOUNT:-}
-    volumes:
-      - openclaw-config:/home/node/.openclaw
-      - openclaw-workspace:/home/node/.openclaw/workspace
-    ports:
-      - target: 18789
-        published: ${OPENCLAW_GATEWAY_PORT:-18789}
-        protocol: tcp
-        mode: host
-      - target: 18790
-        published: ${OPENCLAW_BRIDGE_PORT:-18790}
-        protocol: tcp
-        mode: host
-    init: true
-    deploy:
-      replicas: 1
-      placement:
-        constraints:
-          - node.hostname == tpi-n1
-    networks:
-      - dokploy-network
-    command: ["/usr/local/bin/start-gateway.sh"]
-
-volumes:
-  openclaw-config:
-  openclaw-workspace:
-
-networks:
-  dokploy-network:
-    external: true