openboatmobile-ai/docs/DIGITALOCEAN_SETUP.md

# DigitalOcean Setup

Detailed guide for deploying OpenBoatmobile to DigitalOcean.

## When to Use DigitalOcean

| Factor | Hetzner | DigitalOcean |
|--------|---------|--------------|
| Price | €4.49/mo (cx23) | $24/mo (s-2vcpu-4gb) |
| US West Coast | No | Yes (SFO2, SFO3) |
| Documentation | Good | Excellent |
| One-click apps | Limited | Extensive |
| Support | Ticket | Ticket + Premium |

Use DigitalOcean if:
- You're on the US West Coast (SFO has better latency than Ashburn)
- You already have DO credits/promo codes
- You prefer DO's documentation and ecosystem

## Create DigitalOcean Account

1. Go to [DigitalOcean](https://www.digitalocean.com/)
2. Sign up
3. Add a payment method ($5 minimum)

## Create API Token

1. Go to [DO API Settings](https://cloud.digitalocean.com/account/api/tokens)
2. Click **Generate New Token**
3. Name it (e.g., "openclaw-terraform")
4. Permissions: **Read & Write**
5. Copy the token immediately (shown only once)

## Add SSH Key

1. Go to [DO Security Settings](https://cloud.digitalocean.com/account/security)
2. Click **Add SSH Key**
3. Paste your public key contents:
   ```bash
   cat ~/.ssh/id_ed25519.pub
   ```
4. Give it a name
5. Click **Add SSH Key**

### Get the Fingerprint

Terraform needs the fingerprint, not the name:

```bash
ssh-keygen -lf ~/.ssh/id_ed25519.pub
# Output: 256 SHA256:abc123... your@email.com (ED25519)
```

The fingerprint is the part after `SHA256:` and before the email.

```bash
TF_VAR_ssh_key_fingerprints='["abc123..."]'
```

## Choose a Region

| Code | Location | Notes |
|------|----------|-------|
| `nyc1` | New York | US East |
| `nyc3` | New York | US East (recommended) |
| `sfo2` | San Francisco | US West |
| `sfo3` | San Francisco | US West |
| `ams3` | Amsterdam | Europe |
| `lon1` | London | Europe |
| `sgp1` | Singapore | Asia |

## Configure OpenBoatmobile

### Minimal Configuration

In `terraform.tfvars`:

```hcl
provider = "digitalocean"

server_name               = "my-agent"
droplet_size_digitalocean = "s-2vcpu-4gb"
region_digitalocean       = "nyc3"

# These come from environment:
# TF_VAR_do_token
# TF_VAR_venice_api_key
# TF_VAR_ssh_key_fingerprints
```

### Droplet Sizes

| Size | vCPU | RAM | Disk | Price |
|------|------|-----|------|-------|
| s-1vcpu-2gb | 1 | 2 GB | 50 GB | $12/mo |
| **s-2vcpu-4gb** | 2 | 4 GB | 80 GB | **$24/mo** (recommended) |
| s-2vcpu-8gb | 2 | 8 GB | 160 GB | $48/mo |
| s-4vcpu-8gb | 4 | 8 GB | 160 GB | $64/mo |

The s-2vcpu-4gb is the sweet spot for OpenClaw.

## Deploy

```bash
# Load secrets
source .env

# Initialize (first time only)
terraform init

# Preview changes
terraform plan

# Deploy
terraform apply
```

## Post-Deployment

Terraform outputs:

```
server_ip = "123.45.67.89"
ssh_command = "ssh openclaw@123.45.67.89"  # or "ssh hermes@123.45.67.89" for Hermes
```

### Connect

```bash
# Username is 'openclaw' or 'hermes' depending on framework
ssh <USERNAME>@123.45.67.89
```

### Run OpenClaw Onboarding

```bash
openclaw onboard --install-daemon
```

## Firewall Rules

OpenBoatmobile creates a DigitalOcean firewall with:

| Direction | Port | Source |
|-----------|------|--------|
| Inbound | 22 (SSH) | Configured IPs |
| Outbound | All | Any |

To restrict SSH to your IP:

```bash
TF_VAR_ssh_allowed_ips='["your.public.ip/32"]'
```

## Cleanup

```bash
terraform destroy
```

## Troubleshooting

### "SSH Key fingerprint not found"

- Use the fingerprint, not the name
- The fingerprint is shown in DO Console under Security
- Make sure there are no extra spaces

### "API Token invalid"

- Regenerate the token
- Copy immediately (shown only once)
- Check for trailing spaces in `.env`

### Droplet created but can't SSH

- Wait 2-3 minutes for cloud-init
- Verify your key fingerprint is correct
- Check firewall allows your IP

### "Rate limit exceeded"

- DO has API rate limits
- Wait a few minutes and retry
- Use `terraform plan` sparingly before `apply`