OpenClaw systemd Service Template for VPS

The short answer: drop the unit file below into /etc/systemd/system/openclaw.service, fill in your paths, run sudo systemctl daemon-reload && sudo systemctl enable --now openclaw, and OpenClaw will start on every boot, restart itself on crashes, and log to journald.

"A proper systemd unit is the cheapest reliability upgrade you can give a self-hosted service — it costs nothing and saves you from 2 AM reboot panics."

Prerequisites

If you're still shopping for a VPS, the Hostinger KVM 2 plan (2 vCPU / 8 GB RAM) is a comfortable fit for OpenClaw plus a reverse proxy and a couple of containers — without over-provisioning.

Step 1 — Create a dedicated user

Running services as root is an unnecessary risk. Create a locked system user that owns only what it needs:

sudo useradd --system --shell /usr/sbin/nologin --create-home --home-dir /home/openclaw openclaw

Then make sure OpenClaw's workspace directory is owned by this user:

sudo chown -R openclaw:openclaw /home/openclaw/.openclaw

Step 2 — Create an environment file for secrets

Never put API keys or tokens directly in the unit file — it's world-readable. Instead, create a locked-down env file:

sudo mkdir -p /etc/openclaw
sudo nano /etc/openclaw/openclaw.env

Populate it with your secrets:

# /etc/openclaw/openclaw.env
OPENCLAW_GATEWAY_TOKEN=your_token_here
OPENCLAW_API_KEY=your_api_key_here
# Add any other env vars OpenClaw needs

Lock it down:

sudo chown openclaw:openclaw /etc/openclaw/openclaw.env
sudo chmod 600 /etc/openclaw/openclaw.env

Step 3 — The unit file

Create /etc/systemd/system/openclaw.service:

sudo nano /etc/systemd/system/openclaw.service

Paste the following template (adjust paths as needed):

[Unit]
Description=OpenClaw AI Agent Gateway
Documentation=https://openclaw.dev
After=network-online.target
Wants=network-online.target

# Limit restart storms: no more than 5 restarts in 60 s
# (these keys belong in [Unit]; systemd ignores StartLimitIntervalSec= in [Service])
StartLimitIntervalSec=60
StartLimitBurst=5

[Service]
Type=simple
User=openclaw
Group=openclaw
WorkingDirectory=/home/openclaw/.openclaw/workspace

# Load secrets from a locked-down env file — never hardcode here
EnvironmentFile=/etc/openclaw/openclaw.env

# Adjust this to your actual openclaw CLI path
ExecStart=/usr/local/bin/openclaw gateway start

# Graceful shutdown: give the process 15 s before SIGKILL
TimeoutStopSec=15

# Restart on crash, but not on clean stop (systemctl stop won't loop)
Restart=on-failure
RestartSec=5s

# Log to journald (use: journalctl -u openclaw -f)
StandardOutput=journal
StandardError=journal
SyslogIdentifier=openclaw

# Basic hardening
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=read-only
ReadWritePaths=/home/openclaw/.openclaw

[Install]
WantedBy=multi-user.target

Step 4 — Enable and start

# Tell systemd about the new unit
sudo systemctl daemon-reload

# Start now AND auto-start on every future boot
sudo systemctl enable --now openclaw

# Verify it's running
sudo systemctl status openclaw

You should see Active: active (running). If it says failed, check logs immediately:

journalctl -u openclaw -n 50 --no-pager

Step 5 — Common day-to-day commands

# Live log tail
journalctl -u openclaw -f

# Today's logs only
journalctl -u openclaw --since today

# Restart after a config change
sudo systemctl restart openclaw

# Stop without disabling auto-start
sudo systemctl stop openclaw

# Fully disable auto-start
sudo systemctl disable openclaw

Common pitfalls

Pitfall 1 — forgetting daemon-reload

If you edit the unit file but don't run sudo systemctl daemon-reload, systemd keeps running the old definition. Always reload after any change to .service files.

Pitfall 2 — ProtectHome blocks your workspace

The template sets ProtectHome=read-only and then explicitly allows ReadWritePaths=/home/openclaw/.openclaw. If OpenClaw writes outside that path (e.g. to /tmp or /var), add those paths to ReadWritePaths or OpenClaw will get permission errors at runtime.

Pitfall 3 — PATH is not your shell PATH

systemd units inherit a minimal PATH. If openclaw or node isn't in /usr/local/bin or /usr/bin, the service will fail with exec format error or No such file. Either use full paths in ExecStart, or add Environment=PATH=/usr/local/bin:/usr/bin:/bin to the [Service] block.

Pitfall 4 — restart storm fills disk

StartLimitBurst=5 and StartLimitIntervalSec=60 cap restarts. Without this, a misconfigured service can crash-loop and flood journald with gigabytes of logs overnight.

Pitfall 5 — env file permissions too loose

If /etc/openclaw/openclaw.env is world-readable, any user on the box can read your API keys. The chmod 600 in Step 2 is not optional.
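
The checks behind Step 2 and Pitfalls 4 and 5, as an added shell example (not part of the original template or of OpenClaw): it flags an env file readable by group or others, secret-looking Environment= lines in the unit file, and StartLimitIntervalSec= placed outside [Unit]. The function names, the secret-name patterns and the sample files are assumptions made for illustration; stat -c is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: audit a unit file and env file for the pitfalls above.

# Pitfall 5: the env file must grant nothing to group or other.
check_env_mode() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, prints e.g. 600
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$1: mode $mode, expected 600"; return 1 ;;
    esac
}

# Step 2: no secret-looking Environment= line in the world-readable unit.
# The name patterns are a heuristic chosen for this example.
check_inline_secrets() {
    if grep -nEi '^[[:space:]]*Environment=.*(TOKEN|KEY|SECRET|PASSWORD)' "$1"
    then return 1
    fi
}

# Pitfall 4: StartLimitIntervalSec= is a [Unit] key; systemd ignores it elsewhere.
check_start_limit_section() {
    awk '
        /^\[/ { sub(/[ \t\r]+$/, ""); section = $0; next }
        /^StartLimitIntervalSec=/ && section != "[Unit]" {
            printf "line %d: %s belongs in [Unit], found in %s\n", NR, $0, section
            bad = 1
        }
        END { exit bad + 0 }' "$1"
}

# audit UNIT_FILE ENV_FILE -> exit status is the number of failed checks
audit() {
    fails=0
    check_env_mode "$2"            || fails=$((fails + 1))
    check_inline_secrets "$1"      || fails=$((fails + 1))
    check_start_limit_section "$1" || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample with all three problems, written to a temp dir.
demo_dir=$(mktemp -d)
printf '%s\n' '[Unit]' 'Description=sample' '[Service]' \
    'Environment=OPENCLAW_API_KEY=example-not-a-real-key' \
    'StartLimitIntervalSec=60' > "$demo_dir/bad.service"
printf 'OPENCLAW_API_KEY=example\n' > "$demo_dir/bad.env"
chmod 644 "$demo_dir/bad.env"
audit "$demo_dir/bad.service" "$demo_dir/bad.env" || echo "failed checks: $?"
```

To check the live files, call audit /etc/systemd/system/openclaw.service /etc/openclaw/openclaw.env as root; an exit status of 0 means all three checks passed.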

Hardening notes

The template includes a conservative baseline. For production deployments consider adding:

Run systemd-analyze security openclaw