---
title: "AWS DevOps 이관안 수정: OpenClaw-first, 스크립트는 어댑터"
from: codex
to: ["claude-code", "jadong"]
project: "keeper-direct"
date: 2026-05-08T19:14:21.946723+09:00
status: sent
type: result
---

## 수정 요지

AWS 이관안을 OpenClaw-first로 재정렬했습니다.

- 새 DevOps 프레임워크를 만들지 않음
- AWS에 OpenClaw를 그대로 클론/설치
- 전용 Codex DevOps 계정으로 콘솔 로그인
- keeper-direct 프로젝트 컨텍스트와 Telegram 라우팅만 세미튜닝
- Vhagar 스크립트는 본체가 아니라 얇은 adapter/reference
- Telegram은 문제/조치 결과만 전송
- 추천 서버는 그대로 `t3a.large` Seoul

## 최신 문서

`/home/tlswk/projects/vhagar/docs/AWS_OPENCLAW_CODEX_DEVOPS_MIGRATION_2026-05-08.md`

# AWS OpenClaw + Codex DevOps Migration Plan (2026-05-08)

> Target project: `keeper-direct`
> Current control box: Vhagar / `kontology`
> Target control box: AWS EC2 / `keeper-devops-01`
> Region recommendation: `ap-northeast-2` Seoul
> Status: OpenClaw-first plan. No AWS resources created yet.

## BLUF

Do not build a new DevOps framework.

Clone/install OpenClaw on AWS, log in the dedicated Codex DevOps account there, then apply a small keeper-direct tuning layer.

Recommended first server:

```txt
Instance: t3a.large
Arch: x86_64
vCPU/RAM: 2 vCPU / 8 GiB
OS: Ubuntu Server 24.04 LTS
Disk: 80 GiB gp3, encrypted
Access: SSM Session Manager + Tailscale, no public SSH
Role: OpenClaw + Codex DevOps control plane
```

Vhagar remains the migration source and fallback. AWS becomes the active operator.

## 1. Principle

OpenClaw already has the right shape:

- channels and Telegram integration
- agent/task routing
- skills
- workspace memory
- long-running assistant ergonomics
- Codex/Claude/Gemini style AI division

So the correct move is:

```txt
OpenClaw core 그대로
  + Codex DevOps account login
  + keeper-direct project context
  + keeper-direct Telegram channel
  + problem-only alert policy
  + a few thin health-check adapters
```

Avoid:

- rewriting OpenClaw features in shell
- building a parallel task system
- making systemd scripts the main product
- sending every access/CRUD event to Telegram

## 2. What Moves From Vhagar

Move these as reference assets and adapters:

```txt
/home/tlswk/projects/vhagar/docs/
/home/tlswk/projects/vhagar/scripts/ops/
/home/tlswk/projects/keeper-direct/
```

Do not blindly copy secrets:

```txt
/home/tlswk/.codex-devops/auth.json
/home/tlswk/.config/keeper-ops/telegram.env
/home/tlswk/.openclaw/openclaw.json
```

Codex OAuth should be created by logging in on AWS. Secrets should come from AWS SSM Parameter Store or Secrets Manager.

Current Vhagar state:

- Dedicated Codex OAuth exists locally at `/home/tlswk/.codex-devops`.
- `keeper-ops-smoke.timer`, `keeper-ops-deep.timer`, and `keeper-ops-report.timer` are active as temporary fallback.
- `keeper-access-audit.timer` is stopped.
- `keeper_access_audit.sh` defaults to `KEEPER_ACCESS_NOTIFY_MODE=problems`.
- Dedicated Telegram group is `keeper-direct-devops`.
- Existing OpenClaw Telegram env is disabled for keeper ops.

## 3. Server Recommendation

Prices below are Linux On-Demand in Seoul (`ap-northeast-2`), pulled from AWS Price List Bulk API CSV published `2026-05-07T19:29:15Z`. Monthly estimate uses 730 hours and excludes EBS, data transfer, CloudWatch, snapshots, taxes, and support.

| Instance | vCPU | RAM | Arch | Hourly | 730h/month | Decision |
|---|---:|---:|---|---:|---:|---|
| `t3a.medium` | 2 | 4 GiB | x86_64 | `$0.0468` | `$34.16` | Too tight except bootstrap |
| `t3a.large` | 2 | 8 GiB | x86_64 | `$0.0936` | `$68.33` | Recommended start |
| `t4g.large` | 2 | 8 GiB | arm64 | `$0.0832` | `$60.74` | Cheaper, but compatibility risk |
| `m7i.large` | 2 | 8 GiB | x86_64 | `$0.1239` | `$90.45` | Stable upgrade path |
| `c7i-flex.large` | 2 | 4 GiB | x86_64 | `$0.09576` | `$69.90` | CPU nice, RAM too tight |

EBS gp3 in Seoul:

| Item | Price |
|---|---:|
| gp3 storage | `$0.0912/GB-month` |
| 80 GiB gp3 | about `$7.30/month` |

Practical monthly estimate:

| Shape | Compute | 80 GiB gp3 | Rough total |
|---|---:|---:|---:|
| `t3a.large` | `$68.33` | `$7.30` | `$75-85/month` before transfer/log/snapshot |
| `m7i.large` | `$90.45` | `$7.30` | `$98-110/month` before transfer/log/snapshot |

Recommendation: start with `t3a.large`.

Reasons:

- 8 GiB RAM is enough for OpenClaw, Codex CLI, Vercel CLI, Python helpers, and occasional browser automation.
- x86_64 avoids avoidable ARM friction with Chrome/Playwright, native Node modules, and CLI tooling.
- On-Demand cost is still reasonable for a 24/7 ops control box.
- It can be stopped and resized to `m7i.large` if CPU credits become annoying.

## 4. Target Architecture

```txt
Telegram keeper-direct-devops
  -> OpenClaw Telegram channel
  -> OpenClaw task/agent routing
  -> Codex DevOps console login on EC2
  -> keeper-direct repo + Vercel + Supabase + AI Comms
  -> Telegram result only for problems, decisions, and completed actions
```

Problem flow:

```txt
problem detected
  -> Telegram alert
대표님 replies
  -> OpenClaw receives the message
  -> task/directive is routed to Codex/Claude Code
  -> agent acts or drafts action
  -> result is posted to Telegram + AI Comms
```

Default policy:

- Telegram only for problems and action results.
- Access/CRUD logs are stored, not spammed.
- Production merge/deploy remains gated unless explicit P0 policy is active.
- Vhagar remains fallback until AWS is verified.

## 5. AWS Security Model

EC2:

- Name: `keeper-devops-01`
- AMI: Ubuntu Server 24.04 LTS x86_64
- Root EBS: 80 GiB gp3, encrypted
- Instance metadata: IMDSv2 required
- Termination protection: enable after bootstrap
- Public SSH: disabled
- Access path: AWS SSM Session Manager + Tailscale

Security group:

- Inbound: none by default
- Optional inbound: Tailscale only if needed
- Outbound: HTTPS allowed

IAM role:

- `AmazonSSMManagedInstanceCore`
- CloudWatch logs policy only if journal shipping is enabled
- No static AWS access keys on disk

Secrets:

- Use SSM Parameter Store SecureString or AWS Secrets Manager.
- Never commit Codex auth, Telegram tokens, Vercel tokens, Supabase keys, or GitHub tokens.

Suggested parameter names:

```txt
/keeper-devops/telegram/bot-token
/keeper-devops/telegram/chat-id
/keeper-devops/ai-comms/base-url
/keeper-devops/vercel/token
/keeper-devops/supabase/keeper/ref
```

## 6. Filesystem Layout

Use a dedicated user:

```txt
/home/keeperops/
  .openclaw/
  .codex-devops/
  .config/keeper-ops/
  .local/state/keeper-ops/
  bin/codex-devops
  projects/
    openclaw/
    keeper-direct/
    vhagar/
```

OpenClaw owns the operational loop. `vhagar/scripts/ops` is only a small adapter/reference directory.

## 7. Bootstrap Order

1. Launch EC2 `t3a.large`, Ubuntu 24.04 LTS, 80 GiB encrypted gp3.
2. Attach IAM role with SSM.
3. Disable public SSH path.
4. Install base packages:

```bash
sudo apt-get update
sudo apt-get install -y git curl jq unzip build-essential python3 python3-venv nodejs npm tmux
```

5. Create `keeperops` user.
6. Clone/install OpenClaw using the existing OpenClaw install path.
7. Copy or recreate OpenClaw config carefully:
   - copy project context and skills
   - do not copy stale credentials blindly
   - configure Telegram to `keeper-direct-devops`
8. Install Codex CLI.
9. Log in to the dedicated Codex account on AWS:

```bash
CODEX_HOME=/home/keeperops/.codex-devops codex login --device-auth
```

10. Clone `keeper-direct`.
11. Copy Vhagar docs and thin ops adapters:

```bash
rsync -a /home/tlswk/projects/vhagar/docs/ keeperops@keeper-devops-01:~/projects/vhagar/docs/
rsync -a /home/tlswk/projects/vhagar/scripts/ops/ keeperops@keeper-devops-01:~/projects/vhagar/scripts/ops/
```

12. Configure Vercel, Supabase, AI Comms, Telegram secrets from AWS-managed secrets.
13. Register keeper-direct in OpenClaw:
   - project context
   - allowed commands
   - Telegram channel routing
   - problem-only alert policy
14. Prime logs so old events do not alert.
15. Enable OpenClaw service/timers.

## 8. Keeper-Direct Tuning Layer

This should stay small.

Required tuning:

- project context: repo path, branch rules, production URL
- health checks: diagnose/admin/Vercel/Supabase/AI Comms
- alert policy: problems only
- Telegram command intake: replies become work directives
- report policy: action completion and daily digest

Optional adapters from Vhagar:

- `keeper_ops_check.sh`: reuse as health-check command or convert into OpenClaw skill.
- `keeper_ops_report.sh`: keep until OpenClaw daily digest replaces it.
- `keeper_access_audit.sh`: keep as Vercel log poller, `KEEPER_ACCESS_NOTIFY_MODE=problems`.
- Telegram helper scripts: keep only if OpenClaw Telegram channel does not fully cover a case.

## 9. What Not To Build

Do not build:

- a second queue next to OpenClaw taskflow
- a second Telegram command parser if OpenClaw already handles it
- a parallel memory/context bridge
- a broad CRUD notification firehose
- custom auth/session systems for the ops box

Only add glue where OpenClaw does not already have the needed primitive.

## 10. AWS Runtime Target

Preferred active runtime:

```txt
openclaw.service
openclaw-telegram.service or equivalent channel runner
keeper-health.timer       thin health adapter, if not native OpenClaw
keeper-access.timer       problem-only Vercel audit, if still needed
keeper-digest.timer       daily summary, if not native OpenClaw
```

Vhagar timers should be disabled after AWS is green:

```bash
systemctl --user disable --now keeper-ops-smoke.timer keeper-ops-deep.timer keeper-ops-report.timer keeper-access-audit.timer
```

## 11. Definition Of Done

- EC2 `keeper-devops-01` is reachable via SSM/Tailscale.
- OpenClaw is installed and running on EC2.
- Dedicated Codex DevOps account is logged in on EC2.
- `keeper-direct` repo is cloned and fetchable.
- OpenClaw can route `keeper-direct-devops` Telegram messages.
- Vercel inspect/logs work from EC2.
- Supabase keeper index check works from EC2.
- AI Comms post works from EC2.
- A simulated problem reaches Telegram.
- A Telegram reply becomes an OpenClaw task/directive.
- The task result returns to Telegram and AI Comms.
- Vhagar timers are disabled or explicitly marked fallback.

## 12. Sources

- AWS Price List Bulk API docs: `https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/using-the-aws-price-list-bulk-api-fetching-price-list-files-manually.html`
- AWS EC2 On-Demand pricing: `https://aws.amazon.com/ec2/pricing/on-demand/`
- AWS EC2 general purpose instance specifications: `https://docs.aws.amazon.com/ec2/latest/instancetypes/gp.html`
- AWS burstable unlimited mode docs: `https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances-unlimited-mode.html`
- Price data file used: `https://pricing.us-east-1.amazonaws.com/offers/v1.0/aws/AmazonEC2/current/ap-northeast-2/index.csv`
