Provider, DigitalOcean
Deploy Olympus on a DigitalOcean droplet
DigitalOcean is the recommended provider for self-hosting Olympus. The combination of API-driven provisioning, predictable pricing, and broad region coverage makes it the path of least resistance for the Daedalus wizard.
What Daedalus does for you
When you pick DigitalOcean in the Daedalus Provider wizard step:
- Reads your DigitalOcean Personal Access Token (PAT) from the local Daedalus context.
- Creates a droplet (size and region you select).
- Configures the droplet firewall: ports 22 (SSH from your IP only), 80, 443 open; everything else blocked.
- Generates and uploads an SSH keypair specific to this deployment.
- Installs Podman, podman-compose, and any other prerequisites on the droplet via cloud-init.
- Records the droplet IP, SSH key path, and other identifiers in daedalus.json.
What you need before starting
- A DigitalOcean account with billing configured.
- A Personal Access Token (PAT) with read and write scopes; generate one at cloud.digitalocean.com/account/api/tokens. Keep the token visible just long enough to paste into Daedalus's Provider step; it's stored locally only.
Recommended droplet size
| Tier | Best for | Monthly |
|---|---|---|
| s-1vcpu-2gb | Trying out Olympus, under 100 MAU | $12 |
| s-2vcpu-4gb | Small production, under 1k MAU | $24 |
| s-4vcpu-8gb | Mid production, under 10k MAU | $48 |
| c-4 (CPU-optimized) | Heavy auth traffic, >10k MAU | $84 |
For Postgres self-hosted on the same droplet, add at least 2GB RAM headroom. For managed Postgres (recommended), the droplet just runs the apps.
Recommended region
Pick the region closest to your users, not to you. Cross-region latency on the auth path is felt: a login flow takes 3-4 round trips between browser, Caddy, Hera, Kratos, and Hydra.
- North America: NYC1, NYC3, SFO3
- Europe: AMS3, FRA1
- Asia: SGP1, SYD1
Firewall rules Daedalus applies
inbound:
22/tcp from <your-IP> # SSH from your laptop only
80/tcp from 0.0.0.0/0 # HTTP → Caddy redirects to HTTPS
443/tcp from 0.0.0.0/0 # HTTPS → Caddy
outbound:
all (default)
The admin API ports (:3101, :3103, :4101, :4103, :5432) are not exposed by the firewall; they're host-bound but inaccessible externally. See Operate, Network Topology.
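To confirm that a live firewall still matches the rules above, the following added example (not part of Daedalus or Olympus) audits a firewall's inbound rules against them. It assumes the firewall has been fetched as JSON in the shape of DigitalOcean's Cloud Firewall object (`inbound_rules` entries with `protocol`, `ports`, and `sources.addresses`); the function names and the sample data are hypothetical.

```python
import ipaddress

ADMIN_PORTS = {3101, 3103, 4101, 4103, 5432}  # listed on the page as not exposed
PUBLIC_PORTS = {80, 443}                      # listed on the page as open to all

def port_span(spec):
    """Parse a rule's ports string: "22", "8000-9000", or "0"/"all" for every port."""
    if spec in ("0", "all"):
        return 1, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def audit_inbound(firewall, operator_ip):
    """Return findings where inbound rules are wider than the documented set."""
    operator = ipaddress.ip_address(operator_ip)
    findings = []
    for rule in firewall.get("inbound_rules", []):
        label = f"{rule['ports']}/{rule['protocol']}"
        if rule["protocol"] != "tcp":
            findings.append(f"unexpected inbound rule {label}")
            continue
        lo, hi = port_span(rule["ports"])
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(f"admin ports {exposed} reachable via {label}")
        if lo <= 22 <= hi:
            # SSH must come from exactly one address: the operator's.
            for src in rule.get("sources", {}).get("addresses", []):
                net = ipaddress.ip_network(src, strict=False)
                if net.num_addresses > 1 or operator not in net:
                    findings.append(f"SSH source {src} is not limited to {operator_ip}")
        elif not exposed and not (lo == hi and lo in PUBLIC_PORTS):
            findings.append(f"unexpected inbound rule {label}")
    return findings

# Constructed samples (203.0.113.7 is a documentation address, not a real host).
WORLD = {"addresses": ["0.0.0.0/0", "::/0"]}
AS_DOCUMENTED = {"inbound_rules": [
    {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["203.0.113.7/32"]}},
    {"protocol": "tcp", "ports": "80", "sources": WORLD},
    {"protocol": "tcp", "ports": "443", "sources": WORLD},
]}
DRIFTED = {"inbound_rules": [
    {"protocol": "tcp", "ports": "22", "sources": {"addresses": ["0.0.0.0/0"]}},
    {"protocol": "tcp", "ports": "443", "sources": WORLD},
    {"protocol": "tcp", "ports": "5000-6000", "sources": WORLD},
]}

if __name__ == "__main__":
    for name, fw in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(name, audit_inbound(fw, "203.0.113.7") or "OK")
```

Rules whose sources are tags or droplet IDs rather than addresses are not evaluated by this check.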
Reserved IP (optional)
To enable zero-downtime droplet replacement, attach a DigitalOcean Reserved IP to the droplet and point your DNS at the Reserved IP instead of the droplet's public IP. When you destroy and recreate the droplet, reattach the Reserved IP.
Daedalus doesn't manage Reserved IPs; set this up yourself via the DigitalOcean dashboard before pointing DNS.
Cloud-init customization
Daedalus's default cloud-init script installs Podman and starts the SSH daemon. If you need additional setup (Fail2Ban, log forwarding to a SIEM, etc.), edit the cloud-init template in daedalus/src/features/provider/digitalocean/cloud-init.yml before clicking Create Droplet, or run additional commands via SSH after provisioning.
Backups
DigitalOcean offers automated weekly backups for droplets at +20% of the droplet cost. Useful for "oops I deleted something" recovery, but the better path is application-level backups: Operate, Backups (Postgres).
What if you already have a droplet?
Use Provider, Direct SSH instead. Daedalus's DigitalOcean path provisions a new droplet; if you have an existing one, point Daedalus at its IP via the SSH path.
Cost breakdown (small production estimate)
- Droplet (s-2vcpu-4gb): $24/mo
- Reserved IP: free while attached
- Snapshots: $0.06/GB/mo (~$2/mo)
- Bandwidth: 4TB included, ~$0.01/GB after
- Total: ~$26/mo for a sub-1k-MAU deployment.
Compare with managed Auth0 at the equivalent scale: $240/mo (Essentials, 5k MAU). Olympus is ~10× cheaper at this size.
Where next
- Deploy, DNS and Domains: point your domain at the new droplet.
- Deploy, Database (managed Neon): recommended Postgres path.
- Deploy, First production deploy: the full first-deploy walkthrough.