Auto-Updating Self-Hosted Crypto Wallets: Watchtower + GHCR Integration
Self-hosted crypto wallets need automatic updates to stay secure, but most solutions force you to choose between convenience and control. Setting up proper auto-updates for containerized wallet infrastructure while maintaining security and avoiding downtime has been a persistent challenge for developers running their own nodes and services.
The stakes are higher than typical software updates. Crypto wallet infrastructure handles private keys and real funds — a botched update can mean lost access or security vulnerabilities. Yet manual updates create operational burden and often lead to running outdated, potentially vulnerable software.
Why Self-Hosted Wallet Infrastructure Matters
Running your own wallet service gives you complete control over private keys, transaction policies, and operational security. Unlike hosted wallet APIs that can rate-limit your AI agents or impose usage restrictions, self-hosted infrastructure scales with your needs. You're not dependent on external services staying online or maintaining their terms of service.
The challenge is maintaining that infrastructure properly. Crypto moves fast, with frequent security patches and protocol updates. Missing a critical update can expose your wallets to exploits, while update failures can break AI agent access to funds.
Watchtower Integration for Automatic Updates
WAIaaS solves this with Watchtower integration built into its Docker deployment. Watchtower monitors running containers and automatically pulls new images when they're available, handling the update process seamlessly.
Here's how to set up auto-updating wallet infrastructure:
services:
daemon:
image: ghcr.io/minhoyoo-iotrust/waiaas:latest
container_name: waiaas-daemon
ports:
- "127.0.0.1:3100:3100"
volumes:
- waiaas-data:/data
environment:
- WAIAAS_DATA_DIR=/data
- WAIAAS_DAEMON_HOSTNAME=0.0.0.0
env_file:
- path: .env
required: false
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:3100/health"]
interval: 30s
timeout: 5s
start_period: 10s
retries: 3
labels:
- "com.centurylinklabs.watchtower.enable=true"
watchtower:
image: containrrr/watchtower
container_name: watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_POLL_INTERVAL=3600 # Check hourly
- WATCHTOWER_CLEANUP=true # Remove old images
- WATCHTOWER_INCLUDE_STOPPED=true
- WATCHTOWER_LABEL_ENABLE=true # Only update labeled containers
restart: unless-stopped
volumes:
waiaas-data:
driver: local
The key components working together:
Container Registry: WAIaaS publishes images to GitHub Container Registry (GHCR) with each release. The latest tag always points to the most recent stable version.
Health Checks: The daemon includes built-in health endpoints that Docker monitors. If an update breaks the service, Docker can restart the container automatically.
Graceful Updates: Watchtower stops the old container, pulls the new image, and starts the replacement. The wallet data persists in the named volume across updates.
Advanced Update Configuration
For production deployments, you want more control over update timing and rollback capabilities:
# Create watchtower configuration directory
mkdir -p ~/.waiaas/watchtower
# Configure update schedule (daily at 3 AM)
cat > ~/.waiaas/watchtower/config.yml << EOF
schedule: "0 0 3 * * *"
cleanup: true
include-stopped: true
label-enable: true
monitor-only: false
notifications:
slack:
hook-url: "https://hooks.slack.com/..."
identifier: "waiaas-updates"
EOF
You can also pin to specific versions for stability while still automating updates within that version range:
services:
daemon:
image: ghcr.io/minhoyoo-iotrust/waiaas:v1.2 # Pin to v1.2.x releases
# ... rest of config
Backup Integration Before Updates
The most robust setup includes automated backups before each update:
#!/bin/bash
# backup-before-update.sh
BACKUP_DIR="$HOME/.waiaas/backups/$(date +%Y%m%d_%H%M%S)"
mkdir -p "$BACKUP_DIR"
# Stop daemon temporarily
docker compose stop daemon
# Backup data volume
docker run --rm \
-v waiaas-data:/source:ro \
-v "$BACKUP_DIR":/backup \
alpine tar czf /backup/waiaas-data.tar.gz -C /source .
# Restart daemon
docker compose up -d daemon
echo "Backup created at $BACKUP_DIR"
You can trigger this script before Watchtower updates by using pre-update hooks:
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./backup-before-update.sh:/backup-before-update.sh:ro
environment:
- WATCHTOWER_LIFECYCLE_HOOKS=true
- WATCHTOWER_PRE_UPDATE_CMD=/backup-before-update.sh
Monitoring Update Status
WAIaaS provides API endpoints to check system status after updates:
# Check daemon health
curl http://127.0.0.1:3100/health
# Verify wallet access still works
curl http://127.0.0.1:3100/v1/wallet/balance \
-H "Authorization: Bearer wai_sess_<token>"
# Check for any pending transactions that might need attention
curl http://127.0.0.1:3100/v1/transactions?status=pending \
-H "Authorization: Bearer wai_sess_<token>"
The daemon also exposes metrics for monitoring systems:
# Get system info including version
curl http://127.0.0.1:3100/v1/system/info \
-H "X-Master-Password: <password>"
Rolling Updates for Zero Downtime
For critical applications that can't tolerate update downtime, run multiple WAIaaS instances behind a load balancer:
services:
waiaas-1:
image: ghcr.io/minhoyoo-iotrust/waiaas:latest
volumes:
- waiaas-data:/data
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "com.centurylinklabs.watchtower.scope=group1"
waiaas-2:
image: ghcr.io/minhoyoo-iotrust/waiaas:latest
volumes:
- waiaas-data:/data # Shared data volume
labels:
- "com.centurylinklabs.watchtower.enable=true"
- "com.centurylinklabs.watchtower.scope=group2"
watchtower-1:
image: containrrr/watchtower
environment:
- WATCHTOWER_SCOPE=group1
- WATCHTOWER_POLL_INTERVAL=3600
watchtower-2:
image: containrrr/watchtower
environment:
- WATCHTOWER_SCOPE=group2
- WATCHTOWER_POLL_INTERVAL=3660 # Offset by 1 minute
This setup updates instances in sequence, maintaining service availability throughout the update process.
Quick Start: Auto-Updating Wallet Setup
- Clone and configure:
git clone https://github.com/minhoyoo-iotrust/WAIaaS.git
cd WAIaaS
cp docker-compose.yml docker-compose.watchtower.yml
- Add Watchtower to your compose file:
cat >> docker-compose.watchtower.yml << EOF
watchtower:
image: containrrr/watchtower
container_name: watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WATCHTOWER_POLL_INTERVAL=3600
- WATCHTOWER_CLEANUP=true
restart: unless-stopped
EOF
- Start with auto-updates enabled:
docker compose -f docker-compose.watchtower.yml up -d
- Verify auto-update is working:
docker logs watchtower
# Should show: "Scheduling next run: <next-check-time>"
- Test the setup:
# Check current version
docker exec waiaas-daemon cat /app/package.json | grep version
# Force an update check
docker exec watchtower watchtower --run-once --cleanup
The setup automatically handles security patches, protocol updates, and feature releases without manual intervention. Your wallet infrastructure stays current while you focus on building AI agents.
Self-hosted wallet infrastructure gives you complete sovereignty over your AI agents' financial capabilities. With proper auto-update configuration, you get the security benefits of staying current without sacrificing the control that made you choose self-hosting in the first place.
Ready to deploy your own auto-updating wallet infrastructure? Check out the GitHub repository for the complete Docker setup, or visit waiaas.ai to explore the full platform capabilities including the 39 REST API routes, 15 DeFi protocol integrations, and policy engine with 21 security controls.