결과
AWS 상주형 OpenClaw + Codex DevOps 이관 설계를 문서화했습니다.
- 추천 인스턴스:
t3a.largeSeoul (ap-northeast-2) - OS/Disk: Ubuntu 24.04 LTS, 80 GiB encrypted gp3
- 접근: SSM Session Manager + Tailscale, public SSH 없음
- Telegram: 문제 알림만 전송, 답장은 AI Comms directive로 변환
- Vhagar는 이관 source/fallback으로 유지
문서
/home/tlswk/projects/vhagar/docs/AWS_OPENCLAW_CODEX_DEVOPS_MIGRATION_2026-05-08.md
AWS OpenClaw + Codex DevOps Migration Plan (2026-05-08)
Target project:
keeper-directCurrent control box: Vhagar /kontologyTarget control box: AWS EC2 /keeper-devops-01Region recommendation:ap-northeast-2Seoul Status: planning doc. No AWS resources created yet.
BLUF
Move the Vhagar keeper ops package to a dedicated AWS EC2 box, then run OpenClaw and Codex from that machine.
Recommended first instance:
Instance: t3a.large
Arch: x86_64
vCPU/RAM: 2 vCPU / 8 GiB
OS: Ubuntu Server 24.04 LTS
Disk: 80 GiB gp3, encrypted
Access: SSM Session Manager + Tailscale, no public SSH
Role: keeper-direct DevOps control plane
Why not the cheapest option:
t4g.largeis cheaper, but ARM can create friction with browser automation, local Chrome/Playwright, native Node packages, and CLI tooling.t3a.mediumis cheaper, but 4 GiB is tight for OpenClaw + Codex CLI + Vercel CLI + browser automation + watchers.m7i.largeis the better no-credit-surprise stable option, but it costs more. Start ont3a.large, observe CPU credits, then move tom7i.largeif the box becomes a true always-on agent host.
1. Current Vhagar Package To Move
Source:
/home/tlswk/projects/vhagar/scripts/ops/
/home/tlswk/projects/vhagar/docs/
/home/tlswk/.local/state/keeper-ops/
/home/tlswk/.config/keeper-ops/
/home/tlswk/.codex-devops/
/home/tlswk/bin/codex-devops
/home/tlswk/projects/keeper-direct/
Current important state:
- Dedicated Codex OAuth home exists at
/home/tlswk/.codex-devops. keeper-ops-smoke.timer,keeper-ops-deep.timer, andkeeper-ops-report.timerare active on Vhagar.keeper-access-audit.timeris stopped on Vhagar to avoid noisy access messages.keeper_access_audit.shnow defaults toKEEPER_ACCESS_NOTIFY_MODE=problems.- Dedicated Telegram chat is
keeper-direct-devops. - Existing OpenClaw Telegram env was disabled for keeper ops.
Move as an ops package, not as production code. Production remains on Vercel/Supabase.
2. AWS Instance Decision
Prices below are Linux On-Demand in Seoul (ap-northeast-2), pulled from AWS Price List Bulk API CSV published 2026-05-07T19:29:15Z. Monthly estimate uses 730 hours and excludes EBS, data transfer, CloudWatch, snapshots, taxes, and support.
| Instance | vCPU | RAM | Arch | Hourly | 730h/month | Decision |
|---|---|---|---|---|---|---|
t3a.medium |
2 | 4 GiB | x86_64 | $0.0468 |
$34.16 |
Too tight except bootstrap |
t3a.large |
2 | 8 GiB | x86_64 | $0.0936 |
$68.33 |
Recommended start |
t4g.large |
2 | 8 GiB | arm64 | $0.0832 |
$60.74 |
Cheaper, but compatibility risk |
m7i.large |
2 | 8 GiB | x86_64 | $0.1239 |
$90.45 |
Stable upgrade path |
c7i-flex.large |
2 | 4 GiB | x86_64 | $0.09576 |
$69.90 |
CPU nice, RAM too tight |
EBS gp3 in Seoul:
| Item | Price |
|---|---|
| gp3 storage | $0.0912/GB-month |
| 80 GiB gp3 | about $7.30/month |
Practical monthly estimate:
| Shape | Compute | 80 GiB gp3 | Rough total |
|---|---|---|---|
t3a.large |
$68.33 |
$7.30 |
$75-85/month before transfer/log/snapshot |
m7i.large |
$90.45 |
$7.30 |
$98-110/month before transfer/log/snapshot |
3. Target Architecture
Telegram keeper-direct-devops
-> inbound command poller
-> AI Comms directive
-> OpenClaw/Codex agent loop on EC2
-> GitHub / Vercel / Supabase / AI Comms
-> Telegram result only when action is needed or completed
Rules:
- Telegram should alert only on problems, not every access.
- Access and CRUD events should be logged locally as JSONL.
- Telegram replies from 대표님 become directives.
- The agent may inspect, patch, test, and report.
- Production deploy/merge remains gated unless explicitly instructed or P0 policy is documented.
4. Security Model
EC2:
- Name:
keeper-devops-01 - AMI: Ubuntu Server 24.04 LTS x86_64
- Root EBS: 80 GiB gp3, encrypted
- Instance metadata: IMDSv2 required
- Termination protection: enabled after bootstrap
- Public SSH: disabled
- Access path: AWS SSM Session Manager and Tailscale
Security group:
- Inbound: none by default
- Optional inbound: Tailscale only if needed
- Outbound: HTTPS allowed
IAM role:
AmazonSSMManagedInstanceCore- CloudWatch logs policy only if journal shipping is enabled
- No static AWS access keys on disk
Secrets:
- Use SSM Parameter Store SecureString or AWS Secrets Manager.
- Never commit:
- Codex
auth.json - Telegram token/chat id
- Vercel token
- Supabase service keys
- GitHub tokens
- Codex
Suggested parameter names:
/keeper-devops/telegram/bot-token
/keeper-devops/telegram/chat-id
/keeper-devops/ai-comms/base-url
/keeper-devops/vercel/token
/keeper-devops/supabase/keeper/ref
5. Filesystem Layout
Use a dedicated user:
/home/keeperops/
.codex-devops/
.config/keeper-ops/
.local/state/keeper-ops/
bin/codex-devops
projects/
vhagar/
keeper-direct/
Alternative service layout:
/srv/keeper-devops/
vhagar/
keeper-direct/
state/
secrets/
Prefer /home/keeperops for Codex/OpenClaw console login ergonomics, then use system-level services after bootstrap.
6. Bootstrap Order
- Launch EC2
t3a.large, Ubuntu 24.04 LTS, 80 GiB encrypted gp3. - Attach IAM role with SSM.
- Disable public SSH path.
- Install base packages:
sudo apt-get update
sudo apt-get install -y git curl jq unzip build-essential python3 python3-venv nodejs npm tmux
- Install Codex CLI and OpenClaw.
- Create
keeperopsuser. - Copy Vhagar ops package:
rsync -a /home/tlswk/projects/vhagar/scripts/ops/ keeperops@keeper-devops-01:~/projects/vhagar/scripts/ops/
rsync -a /home/tlswk/projects/vhagar/docs/ keeperops@keeper-devops-01:~/projects/vhagar/docs/
- Clone
keeper-direct. - Configure secrets from SSM/Secrets Manager into local env files with
0600. - Log in to Codex DevOps account on EC2:
CODEX_HOME=/home/keeperops/.codex-devops codex login --device-auth
- Log in Vercel CLI or set Vercel token.
- Prime logs to avoid old backlog.
- Enable systemd timers.
7. systemd Target On AWS
Use system services, not user timers, once stable:
keeper-ops-smoke.timer every 5 min
keeper-ops-deep.timer every 15 min
keeper-ops-report.timer daily 23:10 KST
keeper-access-audit.timer every 1 min, notify_mode=problems
keeper-telegram-inbox.timer every 15-30 sec
Default Telegram policy:
KEEPER_ACCESS_NOTIFY_MODE=problems
Meanings:
problems: Telegram only for HTTP>=400, Vercelerror/fatal, andDELETE.mutations: Telegram forPOST,PUT,PATCH,DELETE, and errors.all: Telegram for every matched access event. Do not use during normal operations.
8. Telegram Command Loop
Desired flow:
problem detected
-> Telegram alert to keeper-direct-devops
대표님 replies
-> Telegram inbox poller reads reply
-> AI Comms directive is created
-> OpenClaw/Codex claims and acts
-> result posted to AI Comms + Telegram
Directive payload shape:
{
"from": "telegram:keeper-direct-devops",
"to": ["codex", "claude-code"],
"type": "directive",
"project": "keeper-direct",
"title": "대표님 Telegram 지시",
"summary_for_ai": "Telegram reply converted to directive",
"content_md": "..."
}
9. What Changes From Vhagar
Keep:
keeper_ops_check.shkeeper_ops_report.shkeeper_access_audit.sh- Telegram helper scripts
- AI Comms reporting
- Vercel/Supabase checks
Change:
- Convert user timers to system services.
- Store secrets in AWS-managed secret storage.
- Add Telegram inbound poller.
- Make EC2 the only active DevOps watcher.
- Leave Vhagar as manual fallback.
Disable on Vhagar after AWS is green:
systemctl --user disable --now keeper-ops-smoke.timer keeper-ops-deep.timer keeper-ops-report.timer keeper-access-audit.timer
10. Definition Of Done
- EC2
keeper-devops-01is reachable via SSM/Tailscale. - Codex DevOps account is logged in on EC2.
- OpenClaw runs from EC2.
keeper-directrepo is cloned and fetchable.- Vercel inspect/logs work from EC2.
- Supabase keeper index check works from EC2.
- AI Comms post works from EC2.
- Telegram problem alert reaches
keeper-direct-devops. - Telegram reply creates an AI Comms directive.
- Vhagar timers are disabled or explicitly marked fallback.
11. Recommendation
Launch t3a.large first.
Reasons:
- 8 GiB RAM gives enough room for OpenClaw, Codex, Vercel CLI, Python helpers, and occasional browser automation.
- x86_64 avoids avoidable ARM compatibility issues.
- On-Demand cost is still modest for a 24/7 ops box.
- It can be stopped, resized to
m7i.large, and restarted if CPU credits become annoying.
Upgrade to m7i.large if:
- CPU credit balance trends down for more than a day.
- Browser automation becomes common.
- OpenClaw runs multiple concurrent agents.
- Latency during incidents matters more than the extra monthly cost.
12. Sources
- AWS Price List Bulk API docs:
https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-the-aws-price-list-bulk-api-fetching-price-list-files-manually.html - AWS EC2 On-Demand pricing:
https://aws.amazon.com/ec2/pricing/on-demand/ - AWS EC2 general purpose instance specifications:
https://docs.aws.amazon.com/ec2/latest/instancetypes/gp.html - AWS burstable unlimited mode docs:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode.html - Price data file used:
https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonEC2/current/ap-northeast-2/index.csv