openboatmobile-ai/docs/HETZNER_SETUP.md

# Hetzner Cloud Setup

Detailed guide for deploying OpenBoatmobile to Hetzner Cloud.

## Why Hetzner?

| Spec | Hetznercx23 | DigitalOcean s-2vcpu-4gb |
|------|-------------|-------------------------|
| vCPU | 2 | 2 |
| RAM | 4 GB | 4 GB |
| Disk | 80 GB NVMe | 80 GB SSD |
| Bandwidth | 20 TB included | 4 TB included |
| **Price** | **€4.49/mo** | **$24/mo** |

Hetzner is ~70% cheaper for equivalent specs.

## Create Hetzner Account

1. Go to [Hetzner Cloud](https://www.hetzner.com/cloud)
2. Sign up (email verification required)
3. Add a payment method

## Create API Token

1. Go to [Hetzner Console](https://console.hetzner.cloud/)
2. Click your project (or create one)
3. Navigate to **Security** → **API Tokens**
4. Click **Create API Token**
5. Name it (e.g., "openclaw-terraform")
6. Permissions: **Read & Write**
7. Copy the token immediately (shown onlyonce)

## Add SSH Key

1. In Hetzner Console, go to **Security** → **SSH Keys**
2. Click **Add SSH Key**
3. Paste your public key contents:
   ```bash
   cat ~/.ssh/id_ed25519.pub
   ```
4. Give it a name you can remember (e.g., "laptop-2024")
5. Click **Add SSH Key**

## Choose a Location

Hetzner locations:

| Code | Location | Continent |
|------|----------|-----------|
| `nbg1` | Nuremberg | Europe |
| `fsn1` | Falkenstein | Europe |
| `hel1` | Helsinki | Europe |
| `ash` | Ashburn, VA | North America |

For US users: `ash` (Ashburn) has the best latency.

## Configure OpenBoatmobile

### Minimal Configuration

In `terraform.tfvars`:

```hcl
provider            = "hetzner"
server_name         = "my-agent"
server_type_hetzner = "cx23"
location_hetzner    = "ash"

# These come from environment:
# TF_VAR_hcloud_token
# TF_VAR_venice_api_key
# TF_VAR_ssh_key_names
```

### Server Types

| Type | vCPU | RAM | Disk | Price |
|------|------|-----|------|-------|
| cx22 | 2 | 4 GB | 40 GB | €3.79/mo |
| **cx23** | 2 | 4 GB | 80 GB | **€4.49/mo** (recommended) |
| cpx21 | 3 | 4 GB | 80 GB | €5.99/mo |
| cpx31 | 4 | 8 GB | 160 GB | €8.99/mo |

The cx23 is the sweet spot for OpenClaw: enough RAM for Node.js + LLM contexts, affordable price.

## Deploy

```bash
# Load secrets
source .env

# Initialize (first time only)
terraform init

# Preview changes
terraform plan

# Deploy
terraform apply
```

## Post-Deployment

Terraform outputs your server IP:

```
server_ip = "123.45.67.89"
ssh_command = "ssh openclaw@123.45.67.89"  # or "ssh hermes@123.45.67.89" for Hermes
```

### Connect

```bash
# Username is 'openclaw' or 'hermes' depending on framework
ssh <USERNAME>@123.45.67.89
```

### Check Cloud-Init Status

On the server:

```bash
# Check if cloud-init is still running
cloud-init status

# If waiting, you can watch progress:
tail -f /var/log/cloud-init-output.log
```

### Run OpenClaw Onboarding

```bash
openclaw onboard --install-daemon
```

### Verify Gateway

```bash
systemctl status openclaw-gateway
```

## Firewall Rules

OpenBoatmobile creates a Hetzner firewall with:

| Direction | Port | Source |
|-----------|------|--------|
| Inbound | 22 (SSH) | Configured IPs |
| Outbound | All | Any |

To restrict SSH to your IP:

```bash
TF_VAR_ssh_allowed_ips='["your.public.ip/32", "another.ip/32"]'
```

## Cleanup

To destroy your deployment:

```bash
terraform destroy
```

**Note:** This deletes the server and all data. Backup anything important first.

## Troubleshooting

### "API Token invalid"

- Copy the token again (shown only once)
- Check for trailing spaces in `.env`
- Verify token has Read & Write permissions

### "SSH Key not found"

- The key name must match exactly what you entered in Hetzner Console
- Case-sensitive
- Use the name, not the fingerprint

### Server shows but can't SSH

- Wait 2-3 minutes for cloud-init
- Check your IP is in `ssh_allowed_ips`
- Verify the key is added to your agent: `ssh-add -l`

### Cloud-init stuck

```bash
# On the server
cloud-init status --wait
# Or check logs
tail -f /var/log/cloud-init-output.log
```