This Terraform configuration creates a Linode VM with security hardening and automated setup for openclaw/clawdbot.
- Terraform installed
- Linode account with API token
- SSH key pair generated
-
Generate SSH keys (if you don't have them):
ssh-keygen -t ed25519 -C "openclaw@example.com" -f ~/.ssh/openclaw
-
Set your Linode API token:
export LINODE_TOKEN="your-linode-api-token"
-
Create a
terraform.tfvarsfile:linode_token = "your-linode-api-token" public_key_path = "~/.ssh/openclaw.pub" allowed_ssh_cidrs = ["YOUR_IP/32"] # Replace with your IP region = "us-east" # or your preferred region instance_type = "g6-nanode-1" # or your preferred plan
# Initialize Terraform
terraform init
# Plan the deployment
terraform plan
# Apply the configuration
terraform apply
# View outputs (including generated root password)
terraform output -json
# SSH as openclaw user
ssh openclaw@$(terraform output -raw instance_ip)- The firewall allows SSH only from the specified CIDR blocks
- Password authentication is disabled via cloud-init
- Root login is restricted to key-based auth only
- The
openclawuser has passwordless sudo access
| Variable | Description | Default |
|---|---|---|
linode_token |
Linode API token | Required |
public_key_path |
Path to SSH public key | Required |
allowed_ssh_cidrs |
CIDR blocks for SSH access | ["0.0.0.0/0"] |
instance_label |
VM label | "openclaw-vm" |
region |
Linode region | "us-east" |
instance_type |
VM plan | "g6-nanode-1" |
root_password |
Root password (auto-generated if empty) | "" |
| Output | Description |
|---|---|
instance_ip |
Public IP of the VM |
ssh_command |
SSH command to connect |
root_password |
Root password (sensitive) |
firewall_id |
Firewall ID |
openclaw (Clawdbot) is installed and ready to use out-of-the-box on the VM.
SSH to the VM as openclaw user
ssh openclaw@$VMIPand run
clawdbot onboard --install-daemonto begin the onboarding process - follow upstream docs