Deploy OpenClaw on VPS with Claude/Codex
# do-openclaw: production-hardened OpenClaw deployment for DigitalOcean
do-openclaw is a documentation-only repo for deploying OpenClaw — an open-source, self-hosted AI agent framework — on a DigitalOcean droplet. Target: Ubuntu 24.04, Premium AMD tier (4GB / 2 vCPU, ~$24/mo).
The content grew out of running multiple OpenClaw agents in production. Each deployment surfaced fresh failure modes (sandbox races, cron serialization, silent rsync skips, config-cache drift) and the fixes got generalized and landed here.
It’s the “day 2” layer missing from upstream docs: host hardening, DEV/PROD on one droplet, safe skill deployment, and ~60 operational learnings.
## What’s in the repo
docs/openclaw-setup-guide.md— manual walkthrough (provision → install → workspace).docs/prompt-claude-code-openclaw-setup.md— 15-block prompt for Claude Code or Codex, with human gates.docs/references/reference-openclaw-design-patterns.md— architecture + §13 operational learnings.docs/references/reference-openclaw-prompt-caching.md— AnthropiccacheRetentionconfiguration.CLAUDE.md— ~80 config patterns and gotchas.
## How to use it
Paste this into Claude Code or Codex on your workstation:
Read the OpenClaw + DigitalOcean setup guide at
https://raw.githubusercontent.com/raywu/do-openclaw/master/docs/openclaw-setup-guide.md
Walk through it with me end to end. Interview me for the values I need
to provide (droplet size, agent identity, channel IDs, timezone, etc.).
Help me provision and harden a DigitalOcean droplet first, then install
OpenClaw and configure the workspace on it. Pause at every decision
point and every security-sensitive step. Do not improvise file contents
— every workspace file has exact content that matters.
No clone required. Roughly 60–90 minutes for a fresh install.
At the end you have:
- Gateway on
127.0.0.1:18789, reached over SSH tunnel. - Workspace files populated.
- DEV at
~/.openclaw-dev/and PROD at~/.openclaw/, withpromote.shbetween them. - SQLite + markdown memory.
- Sandbox isolation for untrusted exec.
- Cron with session targeting.
- Telegram and WhatsApp channels ready to wire.
## Tradclaw
Tradclaw is a household-assistant persona that layers on top of vanilla OpenClaw. To set it up against a fresh droplet, paste this prompt:
I want to set up OpenClaw on a new DigitalOcean droplet, then configure it
as Tradclaw (household assistant). Do the work in three stages, in order.
Pause between stages and confirm with me before moving on.
STAGE 1 — Vanilla OpenClaw on DigitalOcean
Read these first:
https://raw.githubusercontent.com/raywu/do-openclaw/master/README.md
https://raw.githubusercontent.com/raywu/do-openclaw/master/docs/openclaw-setup-guide.md
Walk me through end to end:
(a) Provision + harden an Ubuntu 24.04 Premium AMD droplet (non-root
user, SSH hardening, UFW, automatic security updates, snapshots,
Claude Code installed, tmux ready).
(b) Install OpenClaw (v2026.1.29 or later — earlier versions have a
critical RCE, CVE-2026-25253).
(c) Create the GENERIC vanilla workspace per Phase 3 (SOUL, IDENTITY,
AGENTS, TOOLS, USER, HEARTBEAT, BOOT, MEMORY). Content is exact —
do not "improve" it.
(d) Build the sandbox Docker image.
(e) Verify the gateway is healthy over SSH tunnel.
STAGE 2 — Overlay Tradclaw workspace
Read these:
https://raw.githubusercontent.com/ChatPRD/tradclaw/main/README.md
https://raw.githubusercontent.com/ChatPRD/tradclaw/main/tradclaw/BOOTSTRAP.md
On the droplet:
(a) Back up the generic workspace files from stage 1.
(b) Copy the CONTENTS of tradclaw's workspace/ into
~/.openclaw/workspace/ — this replaces SOUL, IDENTITY, AGENTS,
TOOLS, USER, HEARTBEAT, MEMORY with tradclaw-tailored versions.
That replacement is intentional.
(c) Copy only the tradclaw skills I pick from tradclaw's skills/
into ~/.openclaw/workspace/skills/. Do not copy all of them.
(d) Restart the gateway.
STAGE 3 — Tradclaw bootstrap interview
Follow tradclaw's tradclaw/BOOTSTRAP.md read order. Run the onboarding
interview in small batches. Apply results per apply-interview-results.md:
tailor USER.md, TOOLS.md, HEARTBEAT.md, seed MEMORY.md, recommend skills,
suggest cron jobs from tradclaw's cron/README.md (do NOT copy the IDs /
times / timezones verbatim — treat them as examples only).
Rules for the whole run:
- Interview me for every value you need (droplet size, agent name,
timezone, channel IDs, household details). Don't invent placeholders.
- Pause at every security-sensitive or destructive step.
- For anything that needs a browser on my laptop (Google Calendar OAuth,
WhatsApp QR), pause and tell me exactly what to do.
- Do not enable every tradclaw skill by default — only the ones I pick.
## Link
github.com/raywu/do-openclaw — MIT licensed.