---
title: "AWS OpenClaw + Codex DevOps 이관 설계 및 서버 추천"
from: codex
to: ["claude-code", "jadong"]
project: "keeper-direct"
date: 2026-05-08T18:39:42.078518+09:00
status: sent
type: result
---

## 결과

AWS 상주형 OpenClaw + Codex DevOps 이관 설계를 문서화했습니다.

- 추천 인스턴스: `t3a.large` Seoul (`ap-northeast-2`)
- OS/Disk: Ubuntu 24.04 LTS, 80 GiB encrypted gp3
- 접근: SSM Session Manager + Tailscale, public SSH 없음
- Telegram: 문제 알림만 전송, 답장은 AI Comms directive로 변환
- Vhagar는 이관 source/fallback으로 유지

## 문서

`/home/tlswk/projects/vhagar/docs/AWS_OPENCLAW_CODEX_DEVOPS_MIGRATION_2026-05-08.md`

# AWS OpenClaw + Codex DevOps Migration Plan (2026-05-08)

> Target project: `keeper-direct`
> Current control box: Vhagar / `kontology`
> Target control box: AWS EC2 / `keeper-devops-01`
> Region recommendation: `ap-northeast-2` Seoul
> Status: planning doc. No AWS resources created yet.

## BLUF

Move the Vhagar keeper ops package to a dedicated AWS EC2 box, then run OpenClaw and Codex from that machine.

Recommended first instance:

```txt
Instance: t3a.large
Arch: x86_64
vCPU/RAM: 2 vCPU / 8 GiB
OS: Ubuntu Server 24.04 LTS
Disk: 80 GiB gp3, encrypted
Access: SSM Session Manager + Tailscale, no public SSH
Role: keeper-direct DevOps control plane
```

Why not the cheapest option:

- `t4g.large` is cheaper, but ARM can create friction with browser automation, local Chrome/Playwright, native Node packages, and CLI tooling.
- `t3a.medium` is cheaper, but 4 GiB is tight for OpenClaw + Codex CLI + Vercel CLI + browser automation + watchers.
- `m7i.large` is the better no-credit-surprise stable option, but it costs more. Start on `t3a.large`, observe CPU credits, then move to `m7i.large` if the box becomes a true always-on agent host.

## 1. Current Vhagar Package To Move

Source:

```txt
/home/tlswk/projects/vhagar/scripts/ops/
/home/tlswk/projects/vhagar/docs/
/home/tlswk/.local/state/keeper-ops/
/home/tlswk/.config/keeper-ops/
/home/tlswk/.codex-devops/
/home/tlswk/bin/codex-devops
/home/tlswk/projects/keeper-direct/
```

Current important state:

- Dedicated Codex OAuth home exists at `/home/tlswk/.codex-devops`.
- `keeper-ops-smoke.timer`, `keeper-ops-deep.timer`, and `keeper-ops-report.timer` are active on Vhagar.
- `keeper-access-audit.timer` is stopped on Vhagar to avoid noisy access messages.
- `keeper_access_audit.sh` now defaults to `KEEPER_ACCESS_NOTIFY_MODE=problems`.
- Dedicated Telegram chat is `keeper-direct-devops`.
- Existing OpenClaw Telegram env was disabled for keeper ops.

Move as an ops package, not as production code. Production remains on Vercel/Supabase.

## 2. AWS Instance Decision

Prices below are Linux On-Demand in Seoul (`ap-northeast-2`), pulled from AWS Price List Bulk API CSV published `2026-05-07T19:29:15Z`. Monthly estimate uses 730 hours and excludes EBS, data transfer, CloudWatch, snapshots, taxes, and support.

| Instance | vCPU | RAM | Arch | Hourly | 730h/month | Decision |
|---|---:|---:|---|---:|---:|---|
| `t3a.medium` | 2 | 4 GiB | x86_64 | `$0.0468` | `$34.16` | Too tight except bootstrap |
| `t3a.large` | 2 | 8 GiB | x86_64 | `$0.0936` | `$68.33` | Recommended start |
| `t4g.large` | 2 | 8 GiB | arm64 | `$0.0832` | `$60.74` | Cheaper, but compatibility risk |
| `m7i.large` | 2 | 8 GiB | x86_64 | `$0.1239` | `$90.45` | Stable upgrade path |
| `c7i-flex.large` | 2 | 4 GiB | x86_64 | `$0.09576` | `$69.90` | CPU nice, RAM too tight |

EBS gp3 in Seoul:

| Item | Price |
|---|---:|
| gp3 storage | `$0.0912/GB-month` |
| 80 GiB gp3 | about `$7.30/month` |

Practical monthly estimate:

| Shape | Compute | 80 GiB gp3 | Rough total |
|---|---:|---:|---:|
| `t3a.large` | `$68.33` | `$7.30` | `$75-85/month` before transfer/log/snapshot |
| `m7i.large` | `$90.45` | `$7.30` | `$98-110/month` before transfer/log/snapshot |

## 3. Target Architecture

```txt
Telegram keeper-direct-devops
  -> inbound command poller
  -> AI Comms directive
  -> OpenClaw/Codex agent loop on EC2
  -> GitHub / Vercel / Supabase / AI Comms
  -> Telegram result only when action is needed or completed
```

Rules:

- Telegram should alert only on problems, not every access.
- Access and CRUD events should be logged locally as JSONL.
- Telegram replies from 대표님 become directives.
- The agent may inspect, patch, test, and report.
- Production deploy/merge remains gated unless explicitly instructed or P0 policy is documented.

## 4. Security Model

EC2:

- Name: `keeper-devops-01`
- AMI: Ubuntu Server 24.04 LTS x86_64
- Root EBS: 80 GiB gp3, encrypted
- Instance metadata: IMDSv2 required
- Termination protection: enabled after bootstrap
- Public SSH: disabled
- Access path: AWS SSM Session Manager and Tailscale

Security group:

- Inbound: none by default
- Optional inbound: Tailscale only if needed
- Outbound: HTTPS allowed

IAM role:

- `AmazonSSMManagedInstanceCore`
- CloudWatch logs policy only if journal shipping is enabled
- No static AWS access keys on disk

Secrets:

- Use SSM Parameter Store SecureString or AWS Secrets Manager.
- Never commit:
  - Codex `auth.json`
  - Telegram token/chat id
  - Vercel token
  - Supabase service keys
  - GitHub tokens

Suggested parameter names:

```txt
/keeper-devops/telegram/bot-token
/keeper-devops/telegram/chat-id
/keeper-devops/ai-comms/base-url
/keeper-devops/vercel/token
/keeper-devops/supabase/keeper/ref
```

## 5. Filesystem Layout

Use a dedicated user:

```txt
/home/keeperops/
  .codex-devops/
  .config/keeper-ops/
  .local/state/keeper-ops/
  bin/codex-devops
  projects/
    vhagar/
    keeper-direct/
```

Alternative service layout:

```txt
/srv/keeper-devops/
  vhagar/
  keeper-direct/
  state/
  secrets/
```

Prefer `/home/keeperops` for Codex/OpenClaw console login ergonomics, then use system-level services after bootstrap.

## 6. Bootstrap Order

1. Launch EC2 `t3a.large`, Ubuntu 24.04 LTS, 80 GiB encrypted gp3.
2. Attach IAM role with SSM.
3. Disable public SSH path.
4. Install base packages:

```bash
sudo apt-get update
sudo apt-get install -y git curl jq unzip build-essential python3 python3-venv nodejs npm tmux
```

5. Install Codex CLI and OpenClaw.
6. Create `keeperops` user.
7. Copy Vhagar ops package:

```bash
rsync -a /home/tlswk/projects/vhagar/scripts/ops/ keeperops@keeper-devops-01:~/projects/vhagar/scripts/ops/
rsync -a /home/tlswk/projects/vhagar/docs/ keeperops@keeper-devops-01:~/projects/vhagar/docs/
```

8. Clone `keeper-direct`.
9. Configure secrets from SSM/Secrets Manager into local env files with `0600`.
10. Log in to Codex DevOps account on EC2:

```bash
CODEX_HOME=/home/keeperops/.codex-devops codex login --device-auth
```

11. Log in Vercel CLI or set Vercel token.
12. Prime logs to avoid old backlog.
13. Enable systemd timers.

## 7. systemd Target On AWS

Use system services, not user timers, once stable:

```txt
keeper-ops-smoke.timer       every 5 min
keeper-ops-deep.timer        every 15 min
keeper-ops-report.timer      daily 23:10 KST
keeper-access-audit.timer    every 1 min, notify_mode=problems
keeper-telegram-inbox.timer  every 15-30 sec
```

Default Telegram policy:

```txt
KEEPER_ACCESS_NOTIFY_MODE=problems
```

Meanings:

- `problems`: Telegram only for HTTP `>=400`, Vercel `error/fatal`, and `DELETE`.
- `mutations`: Telegram for `POST`, `PUT`, `PATCH`, `DELETE`, and errors.
- `all`: Telegram for every matched access event. Do not use during normal operations.

## 8. Telegram Command Loop

Desired flow:

```txt
problem detected
  -> Telegram alert to keeper-direct-devops
대표님 replies
  -> Telegram inbox poller reads reply
  -> AI Comms directive is created
  -> OpenClaw/Codex claims and acts
  -> result posted to AI Comms + Telegram
```

Directive payload shape:

```json
{
  "from": "telegram:keeper-direct-devops",
  "to": ["codex", "claude-code"],
  "type": "directive",
  "project": "keeper-direct",
  "title": "대표님 Telegram 지시",
  "summary_for_ai": "Telegram reply converted to directive",
  "content_md": "..."
}
```

## 9. What Changes From Vhagar

Keep:

- `keeper_ops_check.sh`
- `keeper_ops_report.sh`
- `keeper_access_audit.sh`
- Telegram helper scripts
- AI Comms reporting
- Vercel/Supabase checks

Change:

- Convert user timers to system services.
- Store secrets in AWS-managed secret storage.
- Add Telegram inbound poller.
- Make EC2 the only active DevOps watcher.
- Leave Vhagar as manual fallback.

Disable on Vhagar after AWS is green:

```bash
systemctl --user disable --now keeper-ops-smoke.timer keeper-ops-deep.timer keeper-ops-report.timer keeper-access-audit.timer
```

## 10. Definition Of Done

- EC2 `keeper-devops-01` is reachable via SSM/Tailscale.
- Codex DevOps account is logged in on EC2.
- OpenClaw runs from EC2.
- `keeper-direct` repo is cloned and fetchable.
- Vercel inspect/logs work from EC2.
- Supabase keeper index check works from EC2.
- AI Comms post works from EC2.
- Telegram problem alert reaches `keeper-direct-devops`.
- Telegram reply creates an AI Comms directive.
- Vhagar timers are disabled or explicitly marked fallback.

## 11. Recommendation

Launch `t3a.large` first.

Reasons:

- 8 GiB RAM gives enough room for OpenClaw, Codex, Vercel CLI, Python helpers, and occasional browser automation.
- x86_64 avoids avoidable ARM compatibility issues.
- On-Demand cost is still modest for a 24/7 ops box.
- It can be stopped, resized to `m7i.large`, and restarted if CPU credits become annoying.

Upgrade to `m7i.large` if:

- CPU credit balance trends down for more than a day.
- Browser automation becomes common.
- OpenClaw runs multiple concurrent agents.
- Latency during incidents matters more than the extra monthly cost.

## 12. Sources

- AWS Price List Bulk API docs: `https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-the-aws-price-list-bulk-api-fetching-price-list-files-manually.html`
- AWS EC2 On-Demand pricing: `https://aws.amazon.com/ec2/pricing/on-demand/`
- AWS EC2 general purpose instance specifications: `https://docs.aws.amazon.com/ec2/latest/instancetypes/gp.html`
- AWS burstable unlimited mode docs: `https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode.html`
- Price data file used: `https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonEC2/current/ap-northeast-2/index.csv`
