수정 요지
AWS 이관안을 OpenClaw-first로 재정렬했습니다.
- 새 DevOps 프레임워크를 만들지 않음
- AWS에 OpenClaw를 그대로 클론/설치
- 전용 Codex DevOps 계정으로 콘솔 로그인
- keeper-direct 프로젝트 컨텍스트와 Telegram 라우팅만 세미튜닝
- Vhagar 스크립트는 본체가 아니라 얇은 adapter/reference
- Telegram은 문제/조치 결과만 전송
- 추천 서버는 그대로
t3a.largeSeoul
최신 문서
/home/tlswk/projects/vhagar/docs/AWS_OPENCLAW_CODEX_DEVOPS_MIGRATION_2026-05-08.md
AWS OpenClaw + Codex DevOps Migration Plan (2026-05-08)
Target project:
keeper-directCurrent control box: Vhagar /kontologyTarget control box: AWS EC2 /keeper-devops-01Region recommendation:ap-northeast-2Seoul Status: OpenClaw-first plan. No AWS resources created yet.
BLUF
Do not build a new DevOps framework.
Clone/install OpenClaw on AWS, log in the dedicated Codex DevOps account there, then apply a small keeper-direct tuning layer.
Recommended first server:
Instance: t3a.large
Arch: x86_64
vCPU/RAM: 2 vCPU / 8 GiB
OS: Ubuntu Server 24.04 LTS
Disk: 80 GiB gp3, encrypted
Access: SSM Session Manager + Tailscale, no public SSH
Role: OpenClaw + Codex DevOps control plane
Vhagar remains the migration source and fallback. AWS becomes the active operator.
1. Principle
OpenClaw already has the right shape:
- channels and Telegram integration
- agent/task routing
- skills
- workspace memory
- long-running assistant ergonomics
- Codex/Claude/Gemini style AI division
So the correct move is:
OpenClaw core 그대로
+ Codex DevOps account login
+ keeper-direct project context
+ keeper-direct Telegram channel
+ problem-only alert policy
+ a few thin health-check adapters
Avoid:
- rewriting OpenClaw features in shell
- building a parallel task system
- making systemd scripts the main product
- sending every access/CRUD event to Telegram
2. What Moves From Vhagar
Move these as reference assets and adapters:
/home/tlswk/projects/vhagar/docs/
/home/tlswk/projects/vhagar/scripts/ops/
/home/tlswk/projects/keeper-direct/
Do not blindly copy secrets:
/home/tlswk/.codex-devops/auth.json
/home/tlswk/.config/keeper-ops/telegram.env
/home/tlswk/.openclaw/openclaw.json
Codex OAuth should be created by logging in on AWS. Secrets should come from AWS SSM Parameter Store or Secrets Manager.
Current Vhagar state:
- Dedicated Codex OAuth exists locally at
/home/tlswk/.codex-devops. keeper-ops-smoke.timer,keeper-ops-deep.timer, andkeeper-ops-report.timerare active as temporary fallback.keeper-access-audit.timeris stopped.keeper_access_audit.shdefaults toKEEPER_ACCESS_NOTIFY_MODE=problems.- Dedicated Telegram group is
keeper-direct-devops. - Existing OpenClaw Telegram env is disabled for keeper ops.
3. Server Recommendation
Prices below are Linux On-Demand in Seoul (ap-northeast-2), pulled from AWS Price List Bulk API CSV published 2026-05-07T19:29:15Z. Monthly estimate uses 730 hours and excludes EBS, data transfer, CloudWatch, snapshots, taxes, and support.
| Instance | vCPU | RAM | Arch | Hourly | 730h/month | Decision |
|---|---|---|---|---|---|---|
t3a.medium |
2 | 4 GiB | x86_64 | $0.0468 |
$34.16 |
Too tight except bootstrap |
t3a.large |
2 | 8 GiB | x86_64 | $0.0936 |
$68.33 |
Recommended start |
t4g.large |
2 | 8 GiB | arm64 | $0.0832 |
$60.74 |
Cheaper, but compatibility risk |
m7i.large |
2 | 8 GiB | x86_64 | $0.1239 |
$90.45 |
Stable upgrade path |
c7i-flex.large |
2 | 4 GiB | x86_64 | $0.09576 |
$69.90 |
CPU nice, RAM too tight |
EBS gp3 in Seoul:
| Item | Price |
|---|---|
| gp3 storage | $0.0912/GB-month |
| 80 GiB gp3 | about $7.30/month |
Practical monthly estimate:
| Shape | Compute | 80 GiB gp3 | Rough total |
|---|---|---|---|
t3a.large |
$68.33 |
$7.30 |
$75-85/month before transfer/log/snapshot |
m7i.large |
$90.45 |
$7.30 |
$98-110/month before transfer/log/snapshot |
Recommendation: start with t3a.large.
Reasons:
- 8 GiB RAM is enough for OpenClaw, Codex CLI, Vercel CLI, Python helpers, and occasional browser automation.
- x86_64 avoids avoidable ARM friction with Chrome/Playwright, native Node modules, and CLI tooling.
- On-Demand cost is still reasonable for a 24/7 ops control box.
- It can be stopped and resized to
m7i.largeif CPU credits become annoying.
4. Target Architecture
Telegram keeper-direct-devops
-> OpenClaw Telegram channel
-> OpenClaw task/agent routing
-> Codex DevOps console login on EC2
-> keeper-direct repo + Vercel + Supabase + AI Comms
-> Telegram result only for problems, decisions, and completed actions
Problem flow:
problem detected
-> Telegram alert
대표님 replies
-> OpenClaw receives the message
-> task/directive is routed to Codex/Claude Code
-> agent acts or drafts action
-> result is posted to Telegram + AI Comms
Default policy:
- Telegram only for problems and action results.
- Access/CRUD logs are stored, not spammed.
- Production merge/deploy remains gated unless explicit P0 policy is active.
- Vhagar remains fallback until AWS is verified.
5. AWS Security Model
EC2:
- Name:
keeper-devops-01 - AMI: Ubuntu Server 24.04 LTS x86_64
- Root EBS: 80 GiB gp3, encrypted
- Instance metadata: IMDSv2 required
- Termination protection: enable after bootstrap
- Public SSH: disabled
- Access path: AWS SSM Session Manager + Tailscale
Security group:
- Inbound: none by default
- Optional inbound: Tailscale only if needed
- Outbound: HTTPS allowed
IAM role:
AmazonSSMManagedInstanceCore- CloudWatch logs policy only if journal shipping is enabled
- No static AWS access keys on disk
Secrets:
- Use SSM Parameter Store SecureString or AWS Secrets Manager.
- Never commit Codex auth, Telegram tokens, Vercel tokens, Supabase keys, or GitHub tokens.
Suggested parameter names:
/keeper-devops/telegram/bot-token
/keeper-devops/telegram/chat-id
/keeper-devops/ai-comms/base-url
/keeper-devops/vercel/token
/keeper-devops/supabase/keeper/ref
6. Filesystem Layout
Use a dedicated user:
/home/keeperops/
.openclaw/
.codex-devops/
.config/keeper-ops/
.local/state/keeper-ops/
bin/codex-devops
projects/
openclaw/
keeper-direct/
vhagar/
OpenClaw owns the operational loop. vhagar/scripts/ops is only a small adapter/reference directory.
7. Bootstrap Order
- Launch EC2
t3a.large, Ubuntu 24.04 LTS, 80 GiB encrypted gp3. - Attach IAM role with SSM.
- Disable public SSH path.
- Install base packages:
sudo apt-get update
sudo apt-get install -y git curl jq unzip build-essential python3 python3-venv nodejs npm tmux
- Create
keeperopsuser. - Clone/install OpenClaw using the existing OpenClaw install path.
- Copy or recreate OpenClaw config carefully:
- copy project context and skills
- do not copy stale credentials blindly
- configure Telegram to
keeper-direct-devops
- Install Codex CLI.
- Log in to the dedicated Codex account on AWS:
CODEX_HOME=/home/keeperops/.codex-devops codex login --device-auth
- Clone
keeper-direct. - Copy Vhagar docs and thin ops adapters:
rsync -a /home/tlswk/projects/vhagar/docs/ keeperops@keeper-devops-01:~/projects/vhagar/docs/
rsync -a /home/tlswk/projects/vhagar/scripts/ops/ keeperops@keeper-devops-01:~/projects/vhagar/scripts/ops/
- Configure Vercel, Supabase, AI Comms, Telegram secrets from AWS-managed secrets.
- Register keeper-direct in OpenClaw:
- project context
- allowed commands
- Telegram channel routing
- problem-only alert policy
- Prime logs so old events do not alert.
- Enable OpenClaw service/timers.
8. Keeper-Direct Tuning Layer
This should stay small.
Required tuning:
- project context: repo path, branch rules, production URL
- health checks: diagnose/admin/Vercel/Supabase/AI Comms
- alert policy: problems only
- Telegram command intake: replies become work directives
- report policy: action completion and daily digest
Optional adapters from Vhagar:
keeper_ops_check.sh: reuse as health-check command or convert into OpenClaw skill.keeper_ops_report.sh: keep until OpenClaw daily digest replaces it.keeper_access_audit.sh: keep as Vercel log poller,KEEPER_ACCESS_NOTIFY_MODE=problems.- Telegram helper scripts: keep only if OpenClaw Telegram channel does not fully cover a case.
9. What Not To Build
Do not build:
- a second queue next to OpenClaw taskflow
- a second Telegram command parser if OpenClaw already handles it
- a parallel memory/context bridge
- a broad CRUD notification firehose
- custom auth/session systems for the ops box
Only add glue where OpenClaw does not already have the needed primitive.
10. AWS Runtime Target
Preferred active runtime:
openclaw.service
openclaw-telegram.service or equivalent channel runner
keeper-health.timer thin health adapter, if not native OpenClaw
keeper-access.timer problem-only Vercel audit, if still needed
keeper-digest.timer daily summary, if not native OpenClaw
Vhagar timers should be disabled after AWS is green:
systemctl --user disable --now keeper-ops-smoke.timer keeper-ops-deep.timer keeper-ops-report.timer keeper-access-audit.timer
11. Definition Of Done
- EC2
keeper-devops-01is reachable via SSM/Tailscale. - OpenClaw is installed and running on EC2.
- Dedicated Codex DevOps account is logged in on EC2.
keeper-directrepo is cloned and fetchable.- OpenClaw can route
keeper-direct-devopsTelegram messages. - Vercel inspect/logs work from EC2.
- Supabase keeper index check works from EC2.
- AI Comms post works from EC2.
- A simulated problem reaches Telegram.
- A Telegram reply becomes an OpenClaw task/directive.
- The task result returns to Telegram and AI Comms.
- Vhagar timers are disabled or explicitly marked fallback.
12. Sources
- AWS Price List Bulk API docs:
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-the-aws-price-list-bulk-api-fetching-price-list-files-manually.html - AWS EC2 On-Demand pricing:
https://aws.amazon.com/ec2/pricing/on-demand/ - AWS EC2 general purpose instance specifications:
https://docs.aws.amazon.com/ec2/latest/instancetypes/gp.html - AWS burstable unlimited mode docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode.html - Price data file used:
https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonEC2/current/ap-northeast-2/index.csv