Getting Started

Infrastructure-as-code for deploying OpenClaw on a Hetzner Cloud VPS inside Docker.

Terraform provisions the VPS and firewall
Ansible handles all deployment tasks — idempotent, dry-run capable, single command for every scenario (runs locally only, never in CI)
Docker Compose runs OpenClaw gateway + headless Chromium on the VPS
All day-to-day operations go through make

Architecture

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──────────────────────────────┐
│          Your Laptop          │
│                              │
│  Terraform  Ansible  make    │
└──────────────┬───────────────┘
               │ SSH (or Tailscale)
               v
┌──────────────────────────────┐
│      Hetzner Cloud VPS       │
│                              │
│  ┌────────────────────────┐  │
│  │     Docker Compose     │  │
│  │                        │  │
│  │  openclaw-gateway      │  │
│  │  chromium (headless)   │  │
│  │  workspace-sync        │  │
│  └────────────────────────┘  │
│                              │
│  UFW + Hetzner Firewall      │
│  Gateway: 127.0.0.1 only     │
└──────────────────────────────┘
               │
               v (optional)
┌──────────────────────────────┐
│  Remote State Backend        │
│  GCS or local file (default) │
└──────────────────────────────┘

Next Steps

Installation — install prerequisites, clone the repo, and configure secrets and Terraform
Deployment & Bootstrap — provision the VPS, bootstrap containers, and verify the deployment

Installation

Prerequisites Terraform >= 1.5 (install) Ansible (install) age and sops — required for secret encryption (make secrets-encrypt). Install via your package manager or age releases / sops releases. jq — required for make validate. Install via your package manager. Hetzner Cloud account with API token (console) SSH key uploaded to Hetzner Cloud. Default path: ~/.ssh/id_rsa. Override with SSH_KEY env var. (Optional) Remote Terraform state — the default is local (no setup needed). For GCS or other remote backends, see Remote State Backend. 1. Clone 1 2 git clone https://github.com/tardigrde/openclaw-deploy.git cd openclaw-deploy 2. Configure infrastructure secrets 1 2 cp secrets/inputs.example.sh secrets/inputs.sh vim secrets/inputs.sh Required: HCLOUD_TOKEN, TF_VAR_ssh_key_fingerprint (from Hetzner Console → Security → SSH Keys). See Secrets Reference for the full variable reference and Tailscale-specific notes. ...

Deployment & Bootstrap

Continues from Installation. Run source secrets/inputs.sh before any make target that touches the VPS. 5. Provision the VPS 1 2 3 4 source secrets/inputs.sh make init make plan make apply 6. Configure container secrets 1 2 cp secrets/.env.example secrets/.env vim secrets/.env Required: OPENCLAW_GATEWAY_TOKEN, ANTHROPIC_API_KEY (or leave empty for subscription auth), TELEGRAM_BOT_TOKEN. See Secrets Reference for the full variable reference. ...

Architecture#

Next Steps#

Architecture

Next Steps