Arsitektur Production-Grade
OpenClaw di VPS Linux

Pendahuluan

Production environment bukan development yang di-scale up. Ini completely different beast: downtime costs money, security breaches destroy trust, dan performance issues lose customers.

Artikel ini adalah definitive guide untuk menjalankan OpenClaw di production dengan enterprise-grade architecture: high availability, disaster recovery planning, comprehensive monitoring, automated deployment, security hardening, dan operational excellence.

Architecture Overview

1. Production Architecture Diagram

┌─────────────────────────────────────────────────────────┐
│                    LOAD BALANCER (Nginx)                 │
│                  SSL Termination / WAF                    │
└─────────────────────────────────────────────────────────┘
                            │
        ┌──────────────────┼──────────────────┐
        │                  │                  │
┌───────▼────────┐  ┌──────▼───────┐  ┌──────▼───────┐
│  OpenClaw #1   │  │ OpenClaw #2  │  │ OpenClaw #3  │
│  (Worker+API)  │  │ (Worker+API) │  │ (Worker+API) │
└───────┬────────┘  └──────┬───────┘  └──────┬───────┘
        │                  │                  │
        └──────────────────┼──────────────────┘
                           │
        ┌──────────────────┼──────────────────┐
        │                  │                  │
┌───────▼────────┐  ┌──────▼───────┐  ┌──────▼───────┐
│  Redis Cluster │  │  PostgreSQL  │  │   Storage    │
│  (Queue/Cache) │  │  (Primary +  │  │   (S3/Minio) │
│                │  │   Replicas)  │  │              │
└────────────────┘  └──────────────┘  └──────────────┘

┌─────────────────────────────────────────────────────────┐
│              MONITORING & OBSERVABILITY                  │
│  Prometheus + Grafana + Loki + AlertManager             │
└─────────────────────────────────────────────────────────┘

2. Components

• Load Balancer: Nginx (SSL, health checks, rate limiting)
• Application Servers: 3+ OpenClaw instances (PM2 cluster mode)
• Database: PostgreSQL (primary + streaming replicas)
• Cache/Queue: Redis Cluster (persistent + slaves)
• Storage: S3-compatible object storage
• Monitoring: Prometheus, Grafana, Loki, AlertManager
• Backup: Automated daily backups dengan retention policy

High Availability Setup

1. Load Balancer Configuration

# /etc/nginx/nginx.conf
upstream openclaw_backend {
    least_conn;
    
    server 10.0.1.10:3000 max_fails=3 fail_timeout=30s;
    server 10.0.1.11:3000 max_fails=3 fail_timeout=30s;
    server 10.0.1.12:3000 max_fails=3 fail_timeout=30s;
    
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name api.openclaw.example.com;
    
    ssl_certificate /etc/letsencrypt/live/openclaw.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    # Rate limiting
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/m;
    limit_req zone=api_limit burst=20 nodelay;
    
    # Health check endpoint bypass
    location /health {
        proxy_pass http://openclaw_backend;
        access_log off;
    }
    
    location / {
        proxy_pass http://openclaw_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        
        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }
}

2. Database Replication

# Primary server postgresql.conf
wal_level = replica
max_wal_senders = 3
wal_keep_size = 1GB

# pg_hba.conf
host replication replicator 10.0.1.0/24 md5

# Create replication user
CREATE ROLE replicator WITH REPLICATION LOGIN PASSWORD 'secure_password';

Replica server:

# Setup replica
pg_basebackup -h primary_host -D /var/lib/postgresql/14/main -U replicator -P -v -R -X stream

# Start replica
sudo systemctl start postgresql

3. Redis Cluster

# Install Redis Cluster
sudo apt install redis-server -y

# Create cluster dengan 3 masters + 3 slaves
redis-cli --cluster create \
  10.0.1.20:6379 10.0.1.21:6379 10.0.1.22:6379 \
  10.0.1.23:6379 10.0.1.24:6379 10.0.1.25:6379 \
  --cluster-replicas 1

4. Heath Checks & Auto-Recovery

// ecosystem.config.js
module.exports = {
  apps: [{
    name: 'openclaw',
    script: './dist/index.js',
    instances: 4,
    exec_mode: 'cluster',
    max_memory_restart: '2G',
    min_uptime: '10s',
    max_restarts: 10,
    autorestart: true,
    watch: false,
    
    // Health check
    health_check: {
      enabled: true,
      interval: 30000,
      timeout: 5000,
      endpoint: 'http://localhost:3000/health',
      unhealthy_restart: true
    },
    
    env_production: {
      NODE_ENV: 'production',
      PORT: 3000
    }
  }]
}

Disaster Recovery

1. Backup Strategy

Follow 3-2-1 rule: 3 copies, 2 different media, 1 offsite.

#!/bin/bash
# /opt/openclaw/backup.sh

DATE=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/backup"
S3_BUCKET="s3://openclaw-backups"

# Database backup
pg_dump -h localhost -U openclaw openclaw_prod | gzip > "$BACKUP_DIR/db_$DATE.sql.gz"

# Redis backup
redis-cli --rdb "$BACKUP_DIR/redis_$DATE.rdb"

# Application config
tar -czf "$BACKUP_DIR/config_$DATE.tar.gz" /opt/openclaw/config

# Upload to S3
aws s3 sync $BACKUP_DIR $S3_BUCKET --delete

# Cleanup old backups (keep 30 days)
find $BACKUP_DIR -name "*.gz" -mtime +30 -delete
find $BACKUP_DIR -name "*.rdb" -mtime +30 -delete

2. Automated Backup dengan OpenClaw

{
  "name": "production-backup",
  "schedule": "0 2 * * *",
  "priority": "high",
  "actions": [
    {
      "type": "shell",
      "command": "/opt/openclaw/backup.sh",
      "timeout": 3600000
    },
    {
      "type": "notification",
      "channel": "telegram",
      "message": "✅ Backup completed: {{date}}"
    },
    {
      "type": "condition",
      "if": "exit_code != 0",
      "then": [
        {
          "type": "notification",
          "channel": "pagerduty",
          "severity": "critical",
          "message": "🚨 Backup FAILED!"
        }
      ]
    }
  ]
}

3. Recovery Procedures

# Download latest backup
aws s3 cp s3://openclaw-backups/db_latest.sql.gz .

# Restore database
gunzip < db_latest.sql.gz | psql -h localhost -U openclaw openclaw_prod

# Restore Redis
redis-cli --rdb redis_latest.rdb

# Restart services
pm2 restart openclaw

4. RTO & RPO Targets

• RTO (Recovery Time Objective): < 30 minutes
• RPO (Recovery Point Objective): < 1 hour
• Backup Frequency: Every 6 hours + continuous WAL archiving
• Backup Retention: 30 days daily, 12 months monthly

Complete Monitoring Stack

1. Prometheus Setup

# prometheus.yml
global:
  scrape_interval: 15s
  evaluation_interval: 15s

scrape_configs:
  - job_name: 'openclaw'
    static_configs:
      - targets: ['10.0.1.10:3000', '10.0.1.11:3000', '10.0.1.12:3000']
    
  - job_name: 'node-exporter'
    static_configs:
      - targets: ['10.0.1.10:9100', '10.0.1.11:9100', '10.0.1.12:9100']
  
  - job_name: 'postgres-exporter'
    static_configs:
      - targets: ['10.0.1.30:9187']
  
  - job_name: 'redis-exporter'
    static_configs:
      - targets: ['10.0.1.40:9121']

2. Grafana Dashboard

# Install Grafana
sudo apt-get install -y software-properties-common
sudo add-apt-repository "deb https://packages.grafana.com/oss/deb stable main"
wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
sudo apt-get update
sudo apt-get install grafana

sudo systemctl enable grafana-server
sudo systemctl start grafana-server

Import dashboards: Node Exporter Full, PostgreSQL Database, Redis Dashboard.

3. Log Aggregation (Loki)

# docker-compose.yml for Loki stack
version: '3'
services:
  loki:
    image: grafana/loki:latest
    ports:
      - "3100:3100"
    volumes:
      - ./loki-config.yaml:/etc/loki/local-config.yaml
      - loki-data:/loki
    
  promtail:
    image: grafana/promtail:latest
    volumes:
      - /var/log:/var/log
      - ./promtail-config.yaml:/etc/promtail/config.yml
    command: -config.file=/etc/promtail/config.yml

4. AlertManager

# alertmanager.yml
route:
  receiver: 'telegram'
  group_by: ['alertname', 'cluster', 'service']
  group_wait: 10s
  group_interval: 10s
  repeat_interval: 12h

receivers:
  - name: 'telegram'
    telegram_configs:
      - bot_token: 'YOUR_BOT_TOKEN'
        chat_id: YOUR_CHAT_ID
        parse_mode: 'HTML'

  - name: 'pagerduty'
    pagerduty_configs:
      - service_key: 'YOUR_SERVICE_KEY'

CI/CD Pipeline

1. GitHub Actions Workflow

# .github/workflows/deploy.yml
name: Deploy to Production

on:
  push:
    branches: [main]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
      - run: npm ci
      - run: npm test
      - run: npm run lint

  build:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: npm ci
      - run: npm run build
      - uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist/

  deploy:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
      
      - name: Deploy to Production
        uses: appleboy/ssh-action@master
        with:
          host: ${{ secrets.PRODUCTION_HOST }}
          username: ${{ secrets.SSH_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            cd /opt/openclaw
            git pull origin main
            npm ci --production
            npm run build
            pm2 reload ecosystem.config.js --update-env
            
      - name: Health Check
        run: |
          sleep 10
          curl -f https://api.openclaw.example.com/health || exit 1
      
      - name: Notify Success
        if: success()
        run: |
          curl -X POST "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
            -d "chat_id=${{ secrets.TELEGRAM_CHAT_ID }}" \
            -d "text=✅ OpenClaw deployed successfully to production"

2. Blue-Green Deployment

#!/bin/bash
# blue-green-deploy.sh

# Current active environment
ACTIVE=$(cat /opt/openclaw/active)

if [ "$ACTIVE" == "blue" ]; then
  TARGET="green"
  TARGET_PORT=3001
else
  TARGET="blue"
  TARGET_PORT=3000
fi

echo "Deploying to $TARGET environment..."

# Deploy to target
cd /opt/openclaw/$TARGET
git pull origin main
npm ci --production
npm run build

# Start target environment
PORT=$TARGET_PORT pm2 start ecosystem.config.js --name "openclaw-$TARGET"

# Wait for health check
sleep 10
if curl -f http://localhost:$TARGET_PORT/health; then
  echo "Health check passed. Switching traffic..."
  
  # Update Nginx upstream
  sed -i "s/server 127.0.0.1:[0-9]*/server 127.0.0.1:$TARGET_PORT/" /etc/nginx/conf.d/openclaw.conf
  sudo nginx -s reload
  
  # Update active marker
  echo $TARGET > /opt/openclaw/active
  
  # Stop old environment
  pm2 delete "openclaw-$ACTIVE"
  
  echo "Deployment successful!"
else
  echo "Health check failed. Rolling back..."
  pm2 delete "openclaw-$TARGET"
  exit 1
fi

Security Hardening

1. System Hardening

# Firewall (UFW)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow from 10.0.1.0/24 to any port 5432  # PostgreSQL internal
sudo ufw allow from 10.0.1.0/24 to any port 6379  # Redis internal
sudo ufw enable

# Fail2Ban untuk SSH protection
sudo apt install fail2ban -y
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

# Automatic security updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure --priority=low unattended-upgrades

2. Application Security

{
  "security": {
    "authentication": {
      "method": "jwt",
      "tokenExpiry": 3600,
      "refreshTokenExpiry": 604800,
      "algorithm": "RS256"
    },
    "authorization": {
      "rbac": true,
      "defaultRole": "viewer"
    },
    "rateLimit": {
      "enabled": true,
      "windowMs": 60000,
      "max": 100
    },
    "cors": {
      "enabled": true,
      "origin": ["https://app.example.com"],
      "credentials": true
    },
    "helmet": {
      "enabled": true,
      "contentSecurityPolicy": true,
      "hsts": true
    },
    "secrets": {
      "provider": "vault",
      "endpoint": "https://vault.example.com"
    }
  }
}

3. SSL/TLS Configuration

# Let's Encrypt dengan auto-renewal
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d api.openclaw.example.com

# Auto-renewal via cron
sudo crontab -e
# Add: 0 0 * * * certbot renew --quiet

Infrastructure as Code

1. Terraform Configuration

# main.tf
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

resource "aws_instance" "openclaw_app" {
  count         = 3
  ami           = "ami-xxxxxxxxx"
  instance_type = "t3.large"
  
  tags = {
    Name = "openclaw-app-${count.index + 1}"
    Environment = "production"
  }
  
  user_data = file("user-data.sh")
}

resource "aws_db_instance" "openclaw_db" {
  identifier        = "openclaw-prod"
  engine            = "postgres"
  engine_version    = "14"
  instance_class    = "db.t3.large"
  allocated_storage = 100
  
  multi_az               = true
  backup_retention_period = 30
  
  username = "openclaw"
  password = var.db_password
}

2. Ansible Playbook

# playbook.yml
---
- name: Deploy OpenClaw
  hosts: openclaw_servers
  become: yes
  
  tasks:
    - name: Install Node.js
      apt:
        name: nodejs
        state: present
    
    - name: Clone repository
      git:
        repo: 'https://github.com/org/openclaw.git'
        dest: /opt/openclaw
        version: main
    
    - name: Install dependencies
      command: npm ci --production
      args:
        chdir: /opt/openclaw
    
    - name: Build application
      command: npm run build
      args:
        chdir: /opt/openclaw
    
    - name: Start with PM2
      command: pm2 start ecosystem.config.js
      args:
        chdir: /opt/openclaw

Multi-Region Setup

Untuk global deployment dengan low latency:

1. DNS-Based Routing

# Route53 atau Cloudflare
api.openclaw.com
  ├─ asia.api.openclaw.com → Singapore VPS
  ├─ eu.api.openclaw.com → Frankfurt VPS
  └─ us.api.openclaw.com → New York VPS

# Geolocation-based routing
Asia Pacific → asia.api.openclaw.com
Europe → eu.api.openclaw.com
Americas → us.api.openclaw.com

2. Database Replication Cross-Region

# Primary (Singapore) → Replica (US, EU)
# pg_hba.conf on primary
host replication replicator 0.0.0.0/0 md5

# Replica setup (US, EU)
primary_conninfo = 'host=singapore.db.example.com port=5432 user=replicator password=xxx'
primary_slot_name = 'replica_us'

Production Best Practices

Operational Checklist

• ☐ Load balancing configured dengan health checks
• ☐ Database replication active dan tested
• ☐ Automated backups running (test restore monthly)
• ☐ Monitoring stack deployed (Prometheus, Grafana, alerts)
• ☐ Logging aggregation working
• ☐ SSL certificates valid dan auto-renewing
• ☐ Firewall rules configured
• ☐ Secrets managed securely
• ☐ CI/CD pipeline functional
• ☐ Runbooks documented
• ☐ On-call rotation established
• ☐ Disaster recovery plan tested

VPS Enterprise untuk Production

FAQ

Kesimpulan

Production deployment bukan one-time task—ini ongoing discipline. The architecture outlined here provides:

• Reliability: High availability, automated failover, comprehensive backups
• Performance: Load balancing, caching, optimized infrastructure
• Security: Layered security, secrets management, regular updates
• Observability: Complete monitoring, logging, alerting stack
• Agility: CI/CD pipeline, infrastructure as code, automated deployment

👉 Artikel Terkait

Enterprise-grade infrastructure. Production-ready architecture.