OpenClaw setup – Digital Ocean Marketplace app vs bare-server implementation

Leave a Comment / Uncategorized / By

From Marketplace Convenience to Owning the Box: Rebuilding OpenClaw the Hard Way

I didn’t start this project intending to write about infrastructure at all. I just wanted an OpenClaw agent running, reasonably secure, and flexible enough to evolve as my ideas evolved.

What follows isn’t a tutorial. It’s a reflection on decision points: where defaults stopped fitting, where assumptions surfaced, and why I ultimately split this work into two very different phases.

The story is best understood as two implementations of the same goal:

  1. A Marketplace appliance that optimized for speed and safety
  2. A bare-server installation that optimized for control and understanding

Only after those were clearly separated did the security story fully make sense.

Part I — The Marketplace App: Fast, Opinionated, and Bounded

Why I started with the Marketplace

I began with the DigitalOcean Marketplace Moltbot/OpenClaw app for the obvious reasons:

  • one-click deployment
  • preconfigured services
  • sensible defaults
  • a fast path to “it works”

And to be clear: it does work.

The Marketplace image is an appliance:

  • opinionated filesystem layout under /opt
  • Docker-based sandboxing
  • helper scripts for status, restart, and updates
  • guardrails that assume a fairly standard exposure model

At this stage, speed mattered more than ownership. The app got me productive quickly.

Security hardening exposed hidden assumptions

The first real friction appeared when I did what I do on any server I expect to keep around:

  • closed ports 80/443
  • bound services to loopback
  • accessed the UI exclusively via SSH tunnels

Nothing actually broke — but the mental model cracked.

The advertised dashboard URL stopped working. Not because the system was misconfigured, but because it implicitly assumed public HTTPS access.

The UI was still there. It was just reachable only through localhost and tunnels.

This was the first real signal that:

The Marketplace app supports private operation, but it isn’t designed around it.

SSH quietly became the real control plane

Once public access was removed, everything meaningful flowed through SSH:

  • administrative access
  • port forwarding for the dashboard
  • viewing agent-generated pages
  • debugging

The web UI became a convenience layer. SSH was the authority.

This reinforced a pattern I’ve seen repeatedly:

If you care about security and control, SSH matters more than dashboards.

Updating beyond the Marketplace version broke the illusion

The real fork came when I tried to move beyond the Marketplace-pinned version of OpenClaw.

Pulling newer upstream releases meant:

  • switching repositories
  • running npm install directly
  • interacting with the project as source, not as an appliance

That’s where friction appeared:

  • npm authentication state existed where it shouldn’t
  • lockfiles were missing
  • configuration behaved as if the system was immutable

None of this is wrong for an appliance. It’s just incompatible with source-level ownership.

At that point, I’d effectively opted out of the Marketplace contract — without actually rebuilding yet.

When Docker stopped feeling helpful

The Marketplace app uses Docker as an additional sandbox layer.

On a shared host, that makes sense. On a single-purpose droplet, it began to feel redundant:

  • the VM itself is already an isolation boundary
  • Docker added another layer to debug
  • npm + Docker + security hardening became a troubleshooting funnel

This wasn’t an anti-Docker conclusion. It was a scope realization:

Defense-in-depth only helps if you’re willing to debug every layer.

The conclusion of Part I

The Marketplace app did exactly what it promised:

  • fast startup
  • safe defaults
  • minimal thinking required

But once I wanted:

  • source-level upgrades
  • deeper security control
  • architectural flexibility

…the appliance model stopped fitting.

That’s not failure — it’s intent mismatch.

Part II — Bare Server: Owning the System End-to-End

Why I rebuilt instead of hollowing out

I briefly considered stripping Docker and Marketplace artifacts from the existing droplet.

Technically possible. Practically messy.

Once I reframed the infrastructure as disposable, the choice became obvious:

  • no archaeology
  • no hidden state
  • no assumptions to unwind

A clean Ubuntu droplet offered:

  • predictable behavior
  • no invisible npm state
  • full control over layout and lifecycle

Rebuilding wasn’t riskier. It was clearer.

User ownership turned out to matter more than tooling

On the fresh server, one lesson surfaced immediately:

Software can only manage itself if the Unix ownership model is respected.

I separated responsibilities cleanly:

  • adminuser → OS, firewall, networking, systemd
  • openclaw → agent runtime, configuration, workspace

Running OpenClaw as the wrong user caused subtle failures — especially around reset and lifecycle operations. Once aligned, behavior became predictable.

When “reset” doesn’t actually reset

Even with permissions fixed, OpenClaw’s built-in reset struggled on a headless server.

The cause was mundane:

  • assumptions about desktop Trash semantics
  • brittle fallback deletion logic

The solution wasn’t clever tooling — it was explicit state deletion by the owning user, followed by re-onboarding.

On servers, explicit beats elegant.

Part III — Hardening the Server (Where Everything Finally Clicked)

Only after the application model was clear did the security architecture fully settle.

Owning the network boundary

I made the network model explicit:

  • no public HTTP
  • no exposed dashboards
  • SSH as the only ingress

From there, introducing Tailscale was the natural next step:

  • no static IPs
  • no domains
  • no inbound firewall rules
  • identity-based access

SSH didn’t disappear — it moved inside a private network.

One unexpected benefit was silence: no scan noise, no log spam, no resource spikes from rejected traffic.

Silence is a form of hardening.

Network trust vs application auth

During final setup, I had to choose between:

  • application-level gateway auth
  • relying on the private network’s identity guarantees

With Tailscale in place, the answer was clear:

  • the network already provides authentication and encryption
  • app-level auth became optional defense-in-depth

Security improved by removing unnecessary layers, not stacking them.

Where I landed

The final architecture is deliberately boring:

Me
 ↓
Tailscale (identity + encryption)
 ↓
SSH (admin + tunnels when needed)
 ↓
OpenClaw (loopback or tailnet-bound services)

No public services. No magic URLs. No assumptions I don’t control.

The real takeaway

The Marketplace app is a solid appliance.

If you treat it like an appliance, it’s great.

But if your goal is:

  • to understand the system
  • to evolve it freely
  • to harden it intentionally

…a bare server forces clarity.

Convenience gets you running. Ownership teaches you how it works.

That understanding — of boundaries, trust, and responsibility — ended up being the most valuable outcome of the project.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.