Oracle Cloud

CoderClaw on Oracle Cloud (OCI)

Goal

Run a persistent CoderClaw Gateway on Oracle Cloud’s Always Free ARM tier.

Oracle’s free tier can be a great fit for CoderClaw (especially if you already have an OCI account), but it comes with tradeoffs:

• ARM architecture (most things work, but some binaries may be x86-only)
• Capacity and signup can be finicky

Cost Comparison (2026)

Provider	Plan	Specs	Price/mo	Notes
Oracle Cloud	Always Free ARM	up to 4 OCPU, 24GB RAM	$0	ARM, limited capacity
Hetzner	CX22	2 vCPU, 4GB RAM	~ $4	Cheapest paid option
DigitalOcean	Basic	1 vCPU, 1GB RAM	$6	Easy UI, good docs
Vultr	Cloud Compute	1 vCPU, 1GB RAM	$6	Many locations
Linode	Nanode	1 vCPU, 1GB RAM	$5	Now part of Akamai

---

Prerequisites

• Oracle Cloud account (signup) — see community signup guide if you hit issues
• Tailscale account (free at tailscale.com)
• ~30 minutes

1) Create an OCI Instance

1. Log into Oracle Cloud Console
2. Navigate to Compute → Instances → Create Instance
3. Configure:
   • Name: coderclaw
   • Image: Ubuntu 24.04 (aarch64)
   • Shape: VM.Standard.A1.Flex (Ampere ARM)
   • OCPUs: 2 (or up to 4)
   • Memory: 12 GB (or up to 24 GB)
   • Boot volume: 50 GB (up to 200 GB free)
   • SSH key: Add your public key
4. Click Create
5. Note the public IP address

Tip: If instance creation fails with “Out of capacity”, try a different availability domain or retry later. Free tier capacity is limited.

2) Connect and Update

# Connect via public IP
ssh ubuntu@YOUR_PUBLIC_IP

# Update system
sudo apt update && sudo apt upgrade -y
sudo apt install -y build-essential

Note: build-essential is required for ARM compilation of some dependencies.

3) Configure User and Hostname

# Set hostname
sudo hostnamectl set-hostname coderclaw

# Set password for ubuntu user
sudo passwd ubuntu

# Enable lingering (keeps user services running after logout)
sudo loginctl enable-linger ubuntu

4) Install Tailscale

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --ssh --hostname=coderclaw

This enables Tailscale SSH, so you can connect via ssh coderclaw from any device on your tailnet — no public IP needed.

Verify:

tailscale status

From now on, connect via Tailscale: ssh ubuntu@coderclaw (or use the Tailscale IP).

5) Install CoderClaw

curl -fsSL https://coderclaw.ai/install.sh | bash
source ~/.bashrc

When prompted “How do you want to hatch your bot?”, select “Do this later”.

Note: If you hit ARM-native build issues, start with system packages (e.g. sudo apt install -y build-essential) before reaching for Homebrew.

6) Configure Gateway (loopback + token auth) and enable Tailscale Serve

Use token auth as the default. It’s predictable and avoids needing any “insecure auth” Control UI flags.

# Keep the Gateway private on the VM
coderclaw config set gateway.bind loopback

# Require auth for the Gateway + Control UI
coderclaw config set gateway.auth.mode token
coderclaw doctor --generate-gateway-token

# Expose over Tailscale Serve (HTTPS + tailnet access)
coderclaw config set gateway.tailscale.mode serve
coderclaw config set gateway.trustedProxies '["127.0.0.1"]'

systemctl --user restart coderclaw-gateway

7) Verify

# Check version
coderclaw --version

# Check daemon status
systemctl --user status coderclaw-gateway

# Check Tailscale Serve
tailscale serve status

# Test local response
curl http://localhost:18789

8) Lock Down VCN Security

Now that everything is working, lock down the VCN to block all traffic except Tailscale. OCI’s Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.

1. Go to Networking → Virtual Cloud Networks in the OCI Console
2. Click your VCN → Security Lists → Default Security List
3. Remove all ingress rules except:
   • 0.0.0.0/0 UDP 41641 (Tailscale)
4. Keep default egress rules (allow all outbound)

This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. From now on, you can only connect via Tailscale.

---

Access the Control UI

From any device on your Tailscale network:

https://coderclaw.<tailnet-name>.ts.net/

Replace <tailnet-name> with your tailnet name (visible in tailscale status).

No SSH tunnel needed. Tailscale provides:

• HTTPS encryption (automatic certs)
• Authentication via Tailscale identity
• Access from any device on your tailnet (laptop, phone, etc.)

---

Security: VCN + Tailscale (recommended baseline)

With the VCN locked down (only UDP 41641 open) and the Gateway bound to loopback, you get strong defense-in-depth: public traffic is blocked at the network edge, and admin access happens over your tailnet.

This setup often removes the need for extra host-based firewall rules purely to stop Internet-wide SSH brute force — but you should still keep the OS updated, run coderclaw security audit, and verify you aren’t accidentally listening on public interfaces.

What’s Already Protected

Traditional Step	Needed?	Why
UFW firewall	No	VCN blocks before traffic reaches instance
fail2ban	No	No brute force if port 22 blocked at VCN
sshd hardening	No	Tailscale SSH doesn’t use sshd
Disable root login	No	Tailscale uses Tailscale identity, not system users
SSH key-only auth	No	Tailscale authenticates via your tailnet
IPv6 hardening	Usually not	Depends on your VCN/subnet settings; verify what’s actually assigned/exposed

Still Recommended

• Credential permissions: chmod 700 ~/.coderclaw
• Security audit: coderclaw security audit
• System updates: sudo apt update && sudo apt upgrade regularly
• Monitor Tailscale: Review devices in Tailscale admin console

Verify Security Posture

# Confirm no public ports listening
sudo ss -tlnp | grep -v '127.0.0.1\|::1'

# Verify Tailscale SSH is active
tailscale status | grep -q 'offers: ssh' && echo "Tailscale SSH active"

# Optional: disable sshd entirely
sudo systemctl disable --now ssh

---

Fallback: SSH Tunnel

If Tailscale Serve isn’t working, use an SSH tunnel:

# From your local machine (via Tailscale)
ssh -L 18789:127.0.0.1:18789 ubuntu@coderclaw

Then open http://localhost:18789.

---

Troubleshooting

Instance creation fails (“Out of capacity”)

Free tier ARM instances are popular. Try:

• Different availability domain
• Retry during off-peak hours (early morning)
• Use the “Always Free” filter when selecting shape

Tailscale won’t connect

# Check status
sudo tailscale status

# Re-authenticate
sudo tailscale up --ssh --hostname=coderclaw --reset

Gateway won’t start

coderclaw gateway status
coderclaw doctor --non-interactive
journalctl --user -u coderclaw-gateway -n 50

Can’t reach Control UI

# Verify Tailscale Serve is running
tailscale serve status

# Check gateway is listening
curl http://localhost:18789

# Restart if needed
systemctl --user restart coderclaw-gateway

ARM binary issues

Some tools may not have ARM builds. Check:

uname -m  # Should show aarch64

Most npm packages work fine. For binaries, look for linux-arm64 or aarch64 releases.

---

Persistence

All state lives in:

• ~/.coderclaw/ — config, credentials, session data
• ~/.coderclaw/workspace/ — workspace (SOUL.md, memory, artifacts)

Back up periodically:

tar -czvf coderclaw-backup.tar.gz ~/.coderclaw ~/.coderclaw/workspace

---

See Also

• Gateway remote access — other remote access patterns
• Tailscale integration — full Tailscale docs
• Gateway configuration — all config options
• DigitalOcean guide — if you want paid + easier signup
• Hetzner guide — Docker-based alternative