Oracle Cloud: provision the VM
Goal: one Always Free Ampere A1 VM (4 OCPU / 24 GB) running Ubuntu 22.04, reachable on ports 22/80/443, ready for Coolify. Do Coolify deploy next.
Prerequisite: an Oracle Cloud account (created). The free tier needs a credit card hold (no charge for Always Free resources) and identity verification.
1. SSH key (do this first)
ssh-keygen -t ed25519 -C "vambora-vps" -f ~/.ssh/vambora_vps_ed25519
# press Enter for no passphrase, or set one (recommended)
cat ~/.ssh/vambora_vps_ed25519.pub # paste this into the console in step 3
Never paste the private key anywhere. It only ever lives in ~/.ssh/.
2. Pick a region (capacity is the hard part)
Always-Free A1 capacity is scarce and region-locked to your home region (chosen at signup, not changeable). When creating the instance you will often hit "Out of host capacity" — this is normal.
- Ideal: sa-saopaulo-1 (lowest latency to data.rio for the SPPO poll).
- Reality: take whatever region has A1 capacity. Latency to the SPPO feed adds maybe tens of ms to a 30 s poll, which is not critical. Don't block on the ideal region.
- Tactic: retry instance creation every few hours, or use a small script; "Always Free" capacity is often freed at the top of the hour. Some people succeed faster by trying off-peak.
3. Create the instance
OCI Console → Compute → Instances → Create instance:
- Name: vambora-vps
- Image: Canonical Ubuntu 22.04 (Coolify supports 22.04/24.04).
- Shape: Ampere → VM.Standard.A1.Flex, 4 OCPUs, 24 GB memory (the Always-Free maximum; you can run smaller but the OTP graph build wants the RAM; see plan.md "Appendix: OTP / Routing").
- Networking: create a new VCN (defaults are fine); note that "Assign a public IPv4 address" is on.
- SSH keys: paste public key → the contents of ~/.ssh/vambora_vps_ed25519.pub from step 1.
- Boot volume: default (47 GB) is enough; bump to ~100 GB (still free up to 200 GB total) if you want headroom for the OTP graph + Docker images.
Create. Note the public IP once it's running — call it VM_IP below.
4. Open the ports (two firewalls — both matter)
4a. OCI security list (cloud firewall). VCN → Subnet → Security List →
add Ingress rules (Source 0.0.0.0/0, TCP):
- 22 (SSH — usually already open)
- 80 (HTTP — Let's Encrypt HTTP-01 challenge)
- 443 (HTTPS)
- 8000 (Coolify dashboard — open temporarily; close or restrict to your IP after setup)
Postgres/Redis/OTP stay internal (Docker network only) — never expose them.
4b. The OS firewall — the gotcha that bites everyone. Oracle's Ubuntu images ship with a restrictive iptables ruleset that blocks 80/443 even after 4a. SSH in (step 5) and run:
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 443 -j ACCEPT
sudo iptables -I INPUT 6 -m state --state NEW -p tcp --dport 8000 -j ACCEPT
sudo netfilter-persistent save # persist across reboots
(If ufw is active instead, use sudo ufw allow 80,443,8000/tcp.) Skipping
4b makes Let's Encrypt fail with a timeout and is the #1 wasted hour here.
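An added example (not part of the original runbook) for the 4b gotcha: it audits an `iptables -S INPUT` listing and reports which TCP ports are still not accepted ahead of the catch-all REJECT, which is the difference between inserting with `-I INPUT 6` and appending with `-A`. The rule listings are constructed samples that assume the image's catch-all REJECT sits at position 6, and `blocked_ports` is a hypothetical helper name.

```shell
#!/bin/sh
# Prints each requested TCP port that is NOT accepted before the first
# catch-all REJECT/DROP rule of the chain read from stdin.
# Only single --dport matches are understood (the form used on this page).
blocked_ports() {
  awk -v ports="$*" '
    BEGIN { n = split(ports, want, " ") }
    $1 == "-P" { policy = $3 }
    # Catch-all: REJECT/DROP with no protocol, port, source or interface match.
    $1 == "-A" && /-j (REJECT|DROP)/ && !/ -p / && !/--dport/ && !/ -s / && !/ -i / {
      closed = 1; exit            # rules after this point are never reached
    }
    $1 == "-A" && / -p tcp / && /-j ACCEPT/ {
      for (i = 1; i < NF; i++) if ($i == "--dport") ok[$(i + 1)] = 1
    }
    END {
      if (policy == "ACCEPT" && !closed) exit   # nothing filters this chain
      for (i = 1; i <= n; i++) if (!(want[i] in ok)) print want[i]
    }
  '
}

# Constructed sample listing (assumption: catch-all REJECT is rule 6).
HEAD='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
REJECT='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# The three rules from 4b as they would be listed (constructed).
WEB='-A INPUT -p tcp -m state --state NEW -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT'

echo "before 4b:";        printf '%s\n' "$HEAD" "$REJECT"        | blocked_ports 80 443 8000
echo "inserted at 6:";    printf '%s\n' "$HEAD" "$WEB" "$REJECT" | blocked_ports 80 443 8000
echo "appended with -A:"; printf '%s\n' "$HEAD" "$REJECT" "$WEB" | blocked_ports 80 443 8000
```

On the VM, `sudo iptables -S INPUT | blocked_ports 80 443 8000` printing nothing means the OS firewall admits all three ports; the OCI security list from 4a still has to allow them separately.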
5. First SSH + basic hardening
On your laptop add to ~/.ssh/config:
Host vambora-vps
    HostName <VM_IP>
    User ubuntu
    IdentityFile ~/.ssh/vambora_vps_ed25519

ssh vambora-vps
sudo apt update && sudo apt -y upgrade
sudo apt -y install unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades
sudo timedatectl set-timezone America/Sao_Paulo # aligns logs with the feed
Leave ubuntu as the sudo user (Coolify runs as root via its installer).
Do not disable SSH password auth before confirming key login works.
Done when
ssh vambora-vps works, free -g shows ~24 GB, and ports 80/443/8000 are
open in both the OCI security list and iptables. Continue with
Coolify deploy.
Why 24 GB: the OTP graph build is memory-hungry; the 24 GB shape and
--load of a saved graph.obj matter (see plan.md "Appendix: OTP / Routing"). The Coolify doc covers it.