CongaLine
Deploy and manage a fleet of OpenClaw AI assistants anywhere. Supporting hobbyist, team, and enterprise use cases.
Install / Use
/learn @cruxdigital-llc/CongaLineREADME
CongaLine 🦞🦞🦞
Self-host a fleet of isolated OpenClaw AI agents — each with its own container, network, secrets, and identity — managed through a single CLI. Deploy anywhere: your laptop, a $5 VPS, a Raspberry Pi, or a hardened AWS account.
CongaLine n. A single-file procession of spiny lobsters that travel in physical contact during seasonal migration, reducing hydrodynamic drag and offering collective protection from predators.
Key Features
- Promotion pipeline — develop locally, validate on a remote host, enforce in production. Same config at every tier.
- Per-agent isolation — separate Docker containers, networks, secrets, and config
- Portable deployment policy — define egress rules, model routing, and security posture in a single
conga-policy.yaml. Each provider enforces what it can and reports the gap. - Slack optional — use via web UI (gateway) only, or connect to Slack for team chat
- Two agent types — user agents (DM-only) for individuals, team agents (channel-based) for groups
- CLI for everything — operators and end users manage agents, secrets, and infrastructure through the
congaCLI - Modular provider system — pluggable deployment targets (AWS, local, remote, future: Kubernetes, ECS)
Architecture
┌─────────────────────────────────────────────────┐
│ CLI Commands │
│ (setup, add-user, policy, channels, status, ...) │
└────────────────────┬────────────────────────────┘
│ Provider interface
┌───────────┼───────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ AWS Provider │ │Remote Provider│ │Local Provider│
│ │ │ │ │ │
│ EC2 + SSM │ │ SSH + Docker │ │ Docker CLI │
│ Secrets Mgr │ │ File secrets │ │ File secrets │
│ Zero-ingress │ │ SSH tunnel │ │ localhost │
└──────────────┘ └──────────────┘ └──────────────┘
Separation of Concerns
| Layer | Managed by | What it does |
|-------|-----------|-------------|
| Infrastructure | Terraform (AWS), conga admin setup (remote/local) | VPC/EC2, remote host, or local Docker environment |
| Configuration | CLI (conga admin setup) | Shared secrets, Docker image, deployment settings |
| Agents | CLI (conga admin add-user/add-team) | Per-agent containers, configs, routing, secrets |
| Policies | CLI (conga policy) | Egress rules, security posture, routing enforcement |
| Channels | CLI (conga channels) | Messaging platform integrations, agent-channel bindings |
Bootstrap from Manifest
The fastest way to stand up a complete environment — one file, one command.
1. Create a manifest
Copy the example and customize:
cp demo.yaml.example demo.yaml
# Edit demo.yaml: set SSH host, Slack IDs, etc.
2. Create an env file with secrets
cat > demo.env << 'EOF'
ANTHROPIC_API_KEY=sk-ant-...
SLACK_BOT_TOKEN=xoxb-...
SLACK_SIGNING_SECRET=...
SLACK_APP_TOKEN=xapp-...
EOF
3. Bootstrap
conga bootstrap demo.yaml --env demo.env
This provisions the entire environment in one shot: server setup, agents, secrets, Slack channels, channel bindings, and egress policy. Each step is idempotent — re-running skips completed work.
The provider field in the manifest selects the deployment target (local, remote, or aws). Secrets use $VAR references expanded from the env file — they're never stored in the manifest.
Note:
bootstrapis additive — it creates and configures resources but never removes them. For full declarative lifecycle management (plan, apply, destroy), a Terraform provider is planned.
After bootstrap, use the CLI and MCP tools for ongoing changes:
conga policy set-egress --allowed-domains "api.example.com" # modify policy
conga policy deploy # push to agents
conga admin add-user newagent # add more agents
conga channels bind newagent slack:U0123456789 # bind to Slack
Quick Start (Local Docker)
The fastest way to get running — no AWS account needed.
Prerequisites
- Docker Desktop installed and running
- Go >= 1.25 (to build the CLI)
- Anthropic API key
1. Build the CLI
go build -o /usr/local/bin/conga ./cmd/conga
2. Setup local environment
conga admin setup --provider local
This will prompt for the repo path (auto-detected), Docker image, and optionally Slack tokens. Skip Slack tokens for gateway-only mode (web UI).
3. Add an agent
conga admin add-user myagent
No Slack member ID needed for gateway-only mode. With Slack:
conga admin add-user myagent U0123456789
4. Set your API key and start
conga secrets set anthropic-api-key --agent myagent
conga refresh --agent myagent
conga status --agent myagent
5. Connect
conga connect --agent myagent
Open the URL in your browser. Device pairing is auto-approved.
6. Teardown (when done)
conga admin teardown
Removes all containers, networks, and local config.
Quick Start (Remote — VPS, Bare Metal, Any SSH Host)
Deploy to any Linux machine you can SSH into — a cloud VPS (Hetzner, DigitalOcean, Linode, Hostinger), a Raspberry Pi, a Mac Mini, a colocated server, or anything else running Linux with 4GB+ RAM.
Prerequisites
- Any SSH-accessible Linux host with 4GB+ RAM and 10GB+ free disk
- SSH key authentication configured (password auth not supported)
- Go >= 1.25 (to build the CLI)
- Anthropic API key
Docker is installed automatically during setup if not already present.
1. Build the CLI
go build -o /usr/local/bin/conga ./cmd/conga
2. Setup remote environment
conga admin setup --provider remote
This will prompt for:
- SSH connection details (host, port, user, key path)
- Docker image (auto-installs Docker if needed)
- Slack tokens (optional — skip for gateway-only web UI)
3. Add an agent
conga admin add-user myagent
With Slack:
conga admin add-user myagent U0123456789
4. Set your API key and start
conga secrets set anthropic-api-key --agent myagent
conga refresh --agent myagent
conga status --agent myagent
5. Connect
conga connect --agent myagent
Opens an SSH tunnel to the remote host's gateway. Open the URL in your browser — no ports are exposed to the internet.
6. Teardown (when done)
conga admin teardown
Removes all containers, networks, and data from the remote host.
Quick Start (AWS)
For teams and production — hardened, zero-ingress deployment.
Prerequisites
- AWS account with AWS SSO (Identity Center) configured
- AWS CLI v2 with session-manager-plugin installed
- Terraform >= 1.5
- Slack app configured for OpenClaw (required for AWS deployment)
- OpenClaw Docker image — pinned to
v2026.3.11(see Docker Image)
1. Bootstrap Terraform state
export AWS_PROFILE=your-aws-profile
export AWS_REGION=us-east-2
cd terraform
./bootstrap.sh
2. Deploy infrastructure
cp backend.tf.example backend.tf # edit with your account ID, region, profile
cp terraform.tfvars.example terraform.tfvars # edit with your settings
terraform init
terraform plan
terraform apply
3. Configure the deployment
conga admin setup
4. Add agents and start
conga admin add-user boblobclaw UEXAMPLE01
conga admin add-team bluthcompany CEXAMPLE01
conga admin list-agents
conga admin cycle-host # restarts EC2; bootstrap discovers and provisions all agents
Install the CLI (End Users)
No Terraform, Go, or repo clone required. This is how users manage their agents and secrets as well as access the web UI securely.
Prerequisites (AWS provider)
- AWS CLI v2 — Install guide
- session-manager-plugin — macOS:
brew install --cask session-manager-plugin| Other platforms - AWS SSO access — your admin will provide the SSO URL and account ID
Prerequisites (Remote provider)
- SSH access to the remote host (key-based auth)
Prerequisites (Local provider)
- Docker Desktop installed and running
Install
Homebrew (macOS/Linux):
brew tap cruxdigital-llc/conga-line
brew install conga
macOS (Apple Silicon) — tested:
curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_darwin_arm64.tar.gz | tar xz -C /usr/local/bin conga
macOS (Intel):
curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_darwin_amd64.tar.gz | tar xz -C /usr/local/bin conga
Linux (amd64) — untested:
curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_linux_amd64.tar.gz | tar xz -C /usr/local/bin conga
Linux (arm64) — untested:
curl -fsSL https://github.com/cruxdigital-llc/conga-line/releases/latest/download/conga_linux_arm64.tar.gz | tar xz -C /usr/local/bin conga
First-time setup (AWS)
aws configure sso --profile your-profile
export AWS_PROFILE=your-profile
aws sso login
conga auth status
conga secrets set anthropic-api-key
co
