self healing - nself-org/cli GitHub Wiki

Self-Healing, Zero-Config First-Boot

ɳSelf generates required secrets and repairs common misconfigurations automatically on first boot and on every nself build / nself deploy. No manual secret management is required for baseline operation.


Auto-Generated Secrets (First Boot)

Two secrets are generated on first boot if not already set in .env.secrets:

Secret                  Purpose                                          Generation method
CLAW_WEB_SECRET         Authenticates the claw plugin's web-facing API   openssl rand -hex 32
PLUGIN_INTERNAL_SECRET  Shared HMAC secret for plugin-to-plugin calls    openssl rand -hex 32

These are written to .env.secrets (never tracked) and loaded by orchestration.sh into .env.computed. If the secrets already exist in .env.secrets, they are never overwritten.
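The first-boot behaviour described above, as an added shell example that is not nself's own orchestration.sh: each secret is generated only when its key is absent from the secrets file, existing values are never overwritten, and the file is created owner-readable only. SECRETS_FILE, random_hex, ensure_secret, get_secret and bootstrap_secrets are names chosen for this example; the fallback to /dev/urandom applies only when openssl is not installed.

```shell
#!/bin/sh
# Added example, not nself's orchestration.sh. Assumption: SECRETS_FILE
# defaults to ./.env.secrets and may be overridden by the environment.
SECRETS_FILE="${SECRETS_FILE:-.env.secrets}"

# 32 random bytes as 64 hex chars, matching `openssl rand -hex 32` on the page.
random_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        # fallback when openssl is absent: read the kernel CSPRNG directly
        od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# ensure_secret NAME: append NAME=<random hex> only if NAME is not already set.
ensure_secret() {
    name="$1"
    # Create the file with owner-only permissions before any secret is written.
    if [ ! -f "$SECRETS_FILE" ]; then
        (umask 077 && : > "$SECRETS_FILE")
    fi
    if grep -q "^${name}=" "$SECRETS_FILE"; then
        return 0   # already present: never overwrite an existing secret
    fi
    printf '%s=%s\n' "$name" "$(random_hex)" >> "$SECRETS_FILE"
}

# get_secret NAME: print the value currently stored for NAME.
get_secret() {
    sed -n "s/^$1=//p" "$SECRETS_FILE"
}

# The two secrets the page lists as generated on first boot.
bootstrap_secrets() {
    ensure_secret CLAW_WEB_SECRET
    ensure_secret PLUGIN_INTERNAL_SECRET
}

# Run the bootstrap only when invoked as `sh this.sh --bootstrap`.
if [ "${1:-}" = "--bootstrap" ]; then
    bootstrap_secrets
fi
```

Running the bootstrap twice leaves both values unchanged, which is the property that lets it run safely on every build and deploy.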

Why this matters

Without CLAW_WEB_SECRET, every request to the claw plugin's /claw/* endpoints returns 401. Without PLUGIN_INTERNAL_SECRET, plugin-to-plugin calls (mux → ai, claw → mux) fail. Both caused production 502 and 401 failures that were difficult to diagnose. Auto-generation removes the failure class entirely.


Nginx DNS Resolver Fix

Production nginx deployments on Hetzner use the OS resolver (8.8.8.8 / 1.1.1.1 fallback). Without an explicit resolver directive, nginx caches DNS results indefinitely and returns 502 when upstream container IPs change after a docker restart.

ɳSelf now generates the following in every nginx server block for upstream proxying:

resolver 127.0.0.11 valid=30s;
set $upstream http://plugin-name:PORT;
proxy_pass $upstream;

The 127.0.0.11 resolver is Docker's embedded DNS server. The valid=30s TTL re-resolves upstream IPs when containers restart. The set $upstream variable form bypasses nginx's startup-time DNS requirement, allowing nginx to start even if an upstream plugin container is temporarily down.


Local Ollama Default (AI Plugin)

When the ai plugin is installed and no external AI provider is configured (no OPENAI_API_KEY, no ANTHROPIC_API_KEY, etc.), the plugin:

  1. Checks if ollama is running at http://localhost:11434.
  2. If not running, pulls and starts the gemma-3-4b model via ollama pull gemma3:4b.
  3. Configures itself to use ollama/gemma3:4b as the default provider.

This means ɳSelf's AI features work on a fresh install without any API keys or cloud accounts. Users on slower hardware can override the model with the OLLAMA_MODEL environment variable.

Provider fallback chain

OPENAI_API_KEY set?  → use openai/gpt-4o-mini
ANTHROPIC_API_KEY set? → use anthropic/claude-3-5-haiku
OLLAMA_MODEL set? → use ollama/<model>
(default) → pull gemma3:4b via ollama

Missing /claw/* Endpoints (S92 Fix)

19 endpoints in the claw plugin specification were missing from the implementation, causing basic claw functionality to fail on clean installs. These are implemented as part of P94 S92.

See plugins-pro/.github/docs/plugins/claw.md for the full endpoint list.


Related

  • .env.secrets, auto-populated on first boot (never tracked)
  • .env.computed, generated by orchestration.sh; reads from .env.secrets
  • plugins-pro/.github/docs/plugins/ai.md, Ollama local default details
  • web/docs/content/operations/self-healing.mdx, web documentation