Chelar Docs
Architecture

JuiceFS Storage

Shared storage layer for tenant data with client-side encryption.

Overview

JuiceFS provides a POSIX-compatible filesystem backed by:

  • Hetzner Object Storage (S3) — block storage (~EUR 5/TB/mo)
  • PostgreSQL — metadata store (file tree, permissions)
  • Local NVMe cache — hot data cache (~50 GB)

Encryption

All tenant data is encrypted client-side before upload to S3:

  • Algorithm: AES-256-GCM
  • Key management: stored in JuiceFS metadata DB
  • Chelar operators cannot read tenant data from S3 directly

Tenant Data Layout

/data/tenants/
  {slug}/
    openclaw.json          # Runtime config (AI provider, model, features)
    credentials/
      whatsapp/            # Baileys session files
      telegram/            # Bot token
    workspace/             # User files
    .openclaw/             # Runtime state (DB, logs)

Each directory has:

  • Unique UID/GID — POSIX permissions prevent cross-tenant access
  • Quota — 1 GB default (configurable per plan)
  • S3 versioning — accidental deletion recovery
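
A check for the first property in the list above, written in Go to match the orchestrator's language. This is an added example, not code from the Chelar repository: the function name AuditTenantRoot and the finding strings are assumptions, and it relies on the Unix-only `syscall.Stat_t` for owner lookup.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// AuditTenantRoot checks every {slug}/ directory under root: it must carry no
// group/other permission bits and must not share its UID or GID with a sibling.
func AuditTenantRoot(root string) ([]string, error) {
	entries, err := os.ReadDir(root) // sorted by name, so output is stable
	if err != nil {
		return nil, err
	}
	var findings []string
	seen := map[string]string{} // "uid N" / "gid N" -> first tenant using it
	for _, e := range entries {
		// Lstat: a symlink placed in the tenant root is not followed.
		info, err := os.Lstat(filepath.Join(root, e.Name()))
		if err != nil {
			return nil, err
		}
		if !info.IsDir() {
			continue
		}
		if perm := info.Mode().Perm(); perm&0o077 != 0 {
			findings = append(findings, fmt.Sprintf("%s: mode %04o grants group/other access", e.Name(), uint32(perm)))
		}
		st, ok := info.Sys().(*syscall.Stat_t)
		if !ok {
			return nil, fmt.Errorf("%s: no POSIX owner information", e.Name())
		}
		for _, id := range []string{fmt.Sprintf("uid %d", st.Uid), fmt.Sprintf("gid %d", st.Gid)} {
			if prev, dup := seen[id]; dup {
				findings = append(findings, fmt.Sprintf("%s: %s shared with %s", e.Name(), id, prev))
			} else {
				seen[id] = e.Name()
			}
		}
	}
	return findings, nil
}

func main() { // /data/tenants is the layout root shown on this page
	findings, err := AuditTenantRoot("/data/tenants")
	fmt.Println(findings, err)
}
```

An empty result means every tenant directory is owner-only and has its own UID and GID; each returned string names one directory and the property it violates.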

Key Files

  • ansible/roles/juicefs/ — JuiceFS installation and mount configuration
  • api/internal/orchestrator/orchestrator.go — data directory creation during provisioning
