Acceptance checklist
- Ubuntu version and initial package state recorded
- Dedicated non-sudo service user and pinned OpenClaw version verified
- systemd enable, restart, health, and failure behavior captured
- SSH key-only access proven before password authentication is disabled
- UFW and fail2ban state captured; only agreed public ports exposed
- Every non-SSH service verified as loopback-bound unless explicitly approved
- Secrets stored in mode-0600 environment files and absent from unit files, logs, and shell history
- Monitoring, log access, recovery steps, and rollback notes tested
- Telegram connectivity checked with redacted output when included in scope
- Runbook and secret-free screen recording delivered
Example evidence index
01-baseline.txt OS, packages, clock
02-service.txt version, unit, status, restart
03-network.txt listeners, UFW, external exposure
04-access.txt SSH policy, fail2ban status
05-secrets.txt permissions and redacted references
06-telegram.txt redacted connectivity check (if scoped)
07-monitoring.txt alert path and log retrieval
RUNBOOK.md operate, restart, recover, roll back
Outputs are redacted before delivery. Secret values are never copied into this index.
Runtime model
OpenClaw runs as a managed service on the new VPS. The buyer can operate it from a local machine and, when included, through Telegram. The VPS remains the runtime, so the local operator machine does not need to stay online.
Buy the fixed-scope trial — $600 →