Prerequisites

  1. Terraform >= 1.5 (install)
  2. Ansible (install)
  3. age and sops — required for secret encryption (make secrets-encrypt). Install via your package manager or age releases / sops releases.
  4. jq — required for make validate. Install via your package manager.
  5. Hetzner Cloud account with API token (console)
  6. SSH key uploaded to Hetzner Cloud. Default path: ~/.ssh/id_rsa. Override with SSH_KEY env var.
  7. (Optional) Remote Terraform state — the default is local (no setup needed). For GCS or other remote backends, see Remote State Backend.

1. Clone

git clone https://github.com/tardigrde/openclaw-deploy.git
cd openclaw-deploy

2. Configure infrastructure secrets

cp secrets/inputs.example.sh secrets/inputs.sh
vim secrets/inputs.sh

Required: HCLOUD_TOKEN, TF_VAR_ssh_key_fingerprint (from Hetzner Console → Security → SSH Keys). See Secrets Reference for the full variable reference and Tailscale-specific notes.
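
A preflight check for this step, as an added example that is not part of openclaw-deploy: it verifies that secrets/inputs.sh is not readable by group or others and that the two required variables are set. It assumes inputs.sh is a shell file that assigns or exports the variables; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of openclaw-deploy. Function names are hypothetical.
# Assumption: secrets/inputs.sh is a shell file that assigns/exports variables.
# Usage after sourcing this file: check_inputs secrets/inputs.sh

REQUIRED_VARS="HCLOUD_TOKEN TF_VAR_ssh_key_fingerprint"

# Succeeds only if the file has no group/other permission bits set.
secrets_file_private() {
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints the required variables that are unset or empty in the file.
# The body is a subshell: values inherited from the caller are cleared first,
# and the sourced secrets never reach the calling shell. Sourcing executes
# the file, so only point this at a file you wrote yourself.
missing_required_vars() (
    for name in $REQUIRED_VARS; do unset "$name"; done
    . "$1" >/dev/null 2>&1 || exit 2
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || printf '%s\n' "$name"
    done
)

# Runs both checks; reports variable names only, never values.
check_inputs() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    status=0
    if ! secrets_file_private "$file"; then
        echo "$file is readable by group/others; fix: chmod 600 $file" >&2
        status=1
    fi
    missing=$(missing_required_vars "$file") || {
        echo "could not source $file" >&2
        return 1
    }
    if [ -n "$missing" ]; then
        echo "unset or empty in $file:" $missing >&2
        status=1
    fi
    return "$status"
}
```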

3. Configure OpenClaw

cp openclaw.example.json openclaw.json
vim openclaw.json

Customize: Telegram IDs, timezone, AI models. See the official OpenClaw configuration docs for details on every option.

Tailscale users: Skip the allowedOrigins Tailscale hostname for now — you won’t know it until after bootstrap. You’ll fill it in at the Tailscale setup step.

4. Configure Terraform backend

cp terraform/envs/prod/backend.tf.example terraform/envs/prod/backend.tf

The default (backend "local") requires no setup. To use GCS remote state instead, edit backend.tf — see Remote State Backend.

Next Step

Continue to Deployment & Bootstrap to provision the VPS and start containers.