Deployment
Infrastructure
| Component | Hosting | Secrets |
|---|---|---|
| OpenClaw | k3s pod | Discord bot token, API URL, LLM API key |
| Accounting API | k3s pod | Folio API key, Fiken token, Postgres creds |
| PostgreSQL | k3s | Connection string |
| Docs site | Cloudflare Pages | None |
Pod Configuration
OpenClaw Pod
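```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: accountant-openclaw
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels;
  # the "app" label value is an assumed name, not taken from the cluster.
  selector:
    matchLabels:
      app: accountant-openclaw
  template:
    metadata:
      labels:
        app: accountant-openclaw
    spec:
      containers:
        - name: openclaw
          image: ghcr.io/stig-johnny/openclaw:latest
          env:
            # Secret values come from openclaw-secrets only.
            - name: DISCORD_BOT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: openclaw-secrets
                  key: discord-bot-token
            # In-cluster address of the Accounting API; not a secret.
            - name: ACCOUNTING_API_URL
              value: "http://accountant-api:8080"
            - name: LLM_API_KEY
              valueFrom:
                secretKeyRef:
                  name: openclaw-secrets
                  key: llm-api-key
```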
Accounting API Pod
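```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: accountant-api
spec:
  replicas: 1
  # apps/v1 requires a selector that matches the pod template labels;
  # the "app" label value is an assumed name, not taken from the cluster.
  selector:
    matchLabels:
      app: accountant-api
  template:
    metadata:
      labels:
        app: accountant-api
    spec:
      containers:
        - name: api
          image: ghcr.io/stig-johnny/accountant-api:latest
          env:
            # Secret values come from api-secrets only.
            - name: FOLIO_API_KEY
              valueFrom:
                secretKeyRef:
                  name: api-secrets
                  key: folio-api-key
            - name: FIKEN_TOKEN
              valueFrom:
                secretKeyRef:
                  name: api-secrets
                  key: fiken-token
            - name: DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: api-secrets
                  key: database-url
```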
Secrets
All secrets are stored as SealedSecrets in the GitOps repo.
| Secret | Pod | Description |
|---|---|---|
| `discord-bot-token` | OpenClaw | Discord bot token |
| `llm-api-key` | OpenClaw | Gemini / Anthropic API key |
| `folio-api-key` | API | Folio API key for Invotek AS |
| `fiken-token` | API | Fiken bearer token for Invotek AS |
| `database-url` | API | PostgreSQL connection string |
OpenClaw has no access to Folio, Fiken, or Postgres secrets. The API has no access to the Discord bot token.
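The separation stated above can be checked against the manifests before they are synced. The following is an added example, not part of the project's own code: the allowlist is transcribed from the tables on this page, and the `deployment()` helper and the `GOOD`/`BAD` samples are constructed inputs shaped like `kubectl get deploy -o json` output.

```python
# Allowed Secret -> keys per Deployment, transcribed from the tables on this page.
ALLOWED = {
    "accountant-openclaw": {"openclaw-secrets": {"discord-bot-token", "llm-api-key"}},
    "accountant-api": {"api-secrets": {"folio-api-key", "fiken-token", "database-url"}},
}

def secret_refs(dep):
    """Yield (secret, key) for each Secret a pod spec pulls in; key is None for whole-Secret use."""
    pod = dep["spec"]["template"]["spec"]
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                yield ref["name"], ref["key"]
        for src in c.get("envFrom", []):      # imports every key of the Secret
            if "secretRef" in src:
                yield src["secretRef"]["name"], None
    for vol in pod.get("volumes", []):        # mounts the Secret as files
        if "secret" in vol:
            yield vol["secret"]["secretName"], None

def violations(deployments):
    """Return findings as strings; an empty list means the isolation holds."""
    out = []
    for dep in deployments:
        name = dep["metadata"]["name"]
        allowed = ALLOWED.get(name)
        if allowed is None:
            out.append(f"{name}: no allowlist entry")
            continue
        for secret, key in secret_refs(dep):
            if secret not in allowed:
                out.append(f"{name}: references foreign secret {secret}")
            elif key is None:
                out.append(f"{name}: imports all keys of {secret}")
            elif key not in allowed[secret]:
                out.append(f"{name}: unexpected key {secret}/{key}")
    return out

def deployment(name, refs):
    """Build a constructed sample Deployment (hypothetical helper, for the demo only)."""
    env = [{"name": k.upper(), "valueFrom": {"secretKeyRef": {"name": s, "key": k}}} for s, k in refs]
    return {"metadata": {"name": name},
            "spec": {"template": {"spec": {"containers": [{"name": "c", "env": env}]}}}}

GOOD = [deployment("accountant-openclaw", [("openclaw-secrets", k) for k in ("discord-bot-token", "llm-api-key")]),
        deployment("accountant-api", [("api-secrets", k) for k in ("folio-api-key", "fiken-token", "database-url")])]
BAD = [deployment("accountant-openclaw", [("openclaw-secrets", "llm-api-key"), ("api-secrets", "database-url")])]

if __name__ == "__main__":
    print(violations(GOOD), violations(BAD), sep="\n")
```

Kubernetes lets a pod reference any Secret in its own namespace, so if both Deployments share a namespace the separation rests on what the manifests ask for, which is what this check inspects.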
CI/CD
GitHub Actions on push to main:
- Build and push container images
- ArgoCD syncs deployments on k3s
Docs site deploys separately via Cloudflare Pages.