VPS Bootstrap

Full deployment and disaster recovery framework for OpenClaw on Ubuntu VPS.

Overview

Three scripts handle the complete lifecycle:

1. bootstrap.sh — Fresh VPS → fully operational OpenClaw (15-20 min)
2. restore.sh — Restore workspace, config, secrets, and crons from backup
3. verify.sh — Post-deployment verification (all-green = ready)

Quick Start

New VPS setup

# On fresh Ubuntu 24.04 VPS
bash scripts/bootstrap.sh

Restore from backup

bash scripts/restore.sh ~/openclaw-backup-*.tar.gz

Verify everything works

bash scripts/verify.sh

What bootstrap.sh does

Sequential installation with error handling at each step:

1. System packages — build-essential, curl, git, jq, unzip, etc.
2. Node.js — Latest LTS via NodeSource
3. Google Chrome — Stable channel + headless shim for browser tools
4. OpenClaw — Global npm install + gateway service setup
5. Security baseline — UFW firewall, fail2ban, SSH key-only auth
6. Service setup — systemd user service with auto-restart + linger

Each step is idempotent — safe to re-run if interrupted.

What restore.sh does

Extracts a backup tarball and restores:

• Workspace files (SOUL.md, MEMORY.md, AGENTS.md, memory/, scripts/)
• OpenClaw config (openclaw.json, .env)
• Cron database
• GPG keys + password store (encrypted secrets)
• OAuth credentials (GOG, rclone)
• System config snapshot

What verify.sh does

Runs 10+ checks and reports pass/fail:

• OpenClaw gateway running and healthy
• Telegram/Discord providers connected
• Browser tools functional
• Backup system operational
• Cron jobs loaded
• SSH security baseline
• Disk space and memory

Backup Script (Optional)

For automated daily backups, see references/backup-guide.md.

Customization

Edit scripts/bootstrap.sh variables at the top:

OPENCLAW_PORT=18789        # Gateway port
ENABLE_FIREWALL=true       # UFW setup
ENABLE_FAIL2BAN=true       # SSH protection
INSTALL_CHROME=true        # Browser tools support

Requirements

• Ubuntu 22.04+ or Debian 12+
• Root or sudo access
• 2GB+ RAM recommended
• SSH key access configured

Security Notes

• Scripts never store secrets in plaintext in the skill itself
• GPG keys are backed up encrypted
• SSH is hardened to key-only authentication
• Gateway binds to localhost by default