Skip to content

Rodin-AI/ops-gateway

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.github/workflows
.github/workflows
 
 
screenshots
screenshots
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
main.go
main.go
 
 
watchdog.sh
watchdog.sh
 
 

Repository files navigation

ops-gateway

A tiny, single-binary HTTP service for out-of-band management of an OpenClaw gateway. Designed to run alongside the gateway as a systemd service behind a Cloudflare Tunnel with Zero Trust access.

Screenshots

Mobile UI

What it does

  • GET / — Web UI with live gateway status, health history bar, restart button, and doctor
  • GET /health — No auth. Returns {"ok":true} if ops-gateway itself is alive
  • GET /status — Authenticated. Returns current gateway status + 1-hour health history
  • POST /restart — Authenticated. Restarts the gateway via systemctl --user restart openclaw-gateway
  • POST /doctor — Authenticated. Runs openclaw doctor (add ?fix=true for --fix)

Install

From release binaries

Download the latest binary for your platform from the releases page:

# Linux amd64
curl -LO https://github.com/aweiker/ops-gateway/releases/latest/download/ops-gateway-linux-amd64
chmod +x ops-gateway-linux-amd64
sudo mv ops-gateway-linux-amd64 /usr/local/bin/ops-gateway

Available architectures: linux/amd64, linux/arm64, darwin/amd64, darwin/arm64, freebsd/amd64.

From source

go install github.com/aweiker/ops-gateway@latest

Or clone and build:

git clone https://github.com/aweiker/ops-gateway.git
cd ops-gateway
go build -o ops-gateway .

Authentication

Two mechanisms (either works):

  1. Cloudflare Access (Zero Trust) — email-based OTP, session lasts 24h. Ideal for phone access.
  2. Bearer tokenAuthorization: Bearer <token> header. For automation/scripts.

Configuration

Variable Default Description
OPS_TOKEN (required) Bearer token for API authentication
OPS_PORT 18790 Listen port (binds to 127.0.0.1)
OPENCLAW_BIN openclaw Path to the OpenClaw CLI binary 
export OPS_TOKEN="$(openssl rand -hex 32)"
./ops-gateway

Systemd service

[Unit]
Description=Ops Gateway

[Service]
Type=simple
ExecStart=/usr/local/bin/ops-gateway
EnvironmentFile=/path/to/env
Restart=always

[Install]
WantedBy=default.target

Cloudflare Tunnel + Access

  1. Create a tunnel: cloudflared tunnel create ops
  2. Route DNS: create a CNAME record pointing to <tunnel-id>.cfargotunnel.com
  3. Create an Access application for the hostname
  4. Add an Access policy (e.g., email allowlist)
tunnel: <tunnel-id>
credentials-file: /path/to/credentials.json

ingress:
  - hostname: ops.example.com
    service: http://127.0.0.1:18790
  - service: http_status:404

Health Watchdog

The included watchdog.sh is a companion script designed to run as a systemd timer (every 2 minutes):

  • Checks gateway health via HTTP and systemd
  • Auto-restarts after 3 consecutive failures
  • Sends Telegram alerts on failure/recovery (bypasses OpenClaw entirely)
[Timer]
OnBootSec=1min
OnUnitActiveSec=2min

Architecture

Phone/Browser
    │
    ▼ (HTTPS)
Cloudflare Access (Zero Trust)
    │
    ▼ (authenticated)
Cloudflare Tunnel
    │
    ▼ (localhost)
ops-gateway (:18790)
    │
    ├──▶ systemctl restart openclaw-gateway
    ├──▶ openclaw doctor [--fix]
    └──▶ systemctl is-active openclaw-gateway

Zero dependencies beyond Go stdlib. ~250 lines.

License

MIT

About

Tiny HTTP service for out-of-band OpenClaw gateway management. Web UI + Cloudflare Access + auto-restart watchdog.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v0.2.0 — Cron Dashboard Latest
Apr 28, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages