Quaintitative

I Built a Private AI Agent on a $12 Server. The AI Was the Easy Part.

· 5 min read
coding agents ai

I’ve been using AI assistants for a while now. Claude, ChatGPT, various wrappers. They’re useful, but they share a common problem: they’re stateless, reactive, and someone else’s server.

Every conversation starts cold. They don’t know what I’m working on, what I decided last week, or what’s in my research notes. And all of that context - my projects, my thinking, my work patterns - lives on someone else’s infrastructure.

Then I came across OpenClaw. An open-source AI agent that runs on your own machine, connects through messaging apps you already use, and works while you sleep. Not a chatbot you call on. An agent that checks on things, does research, and sends you a morning briefing on Telegram.

The pitch: your data, your server, your rules.

I decided to build it properly. And “properly” turned out to mean spending more time on security than on the AI itself. This is that story.

What I Actually Built

Before the how, here’s the finished system:

My Windows laptop runs an Obsidian vault (my knowledge base) with Claude Code for on-demand deep work. It pushes outputs into a shared AGENT-INBOX folder. Syncthing encrypts and syncs that folder to a DigitalOcean VPS in Singapore ($12/month). OpenClaw runs 24/7 on the VPS. Every hour it wakes up, checks my task files, reads my RSS digest, and stays silent if nothing is urgent. Every morning at 6am it sends me a briefing on Telegram.

Two agents, different strengths, one shared inbox.

Total cost: $12/month for the server, plus $15–25/month in API costs depending on usage.

Why Self-Host At All?

Fair question. Managed AI services exist. Why go through this?

Three reasons that matter to me specifically.

Data sovereignty. My Obsidian vault has years of research notes, client work context, half-finished articles, regulatory analysis. I’m not comfortable with that sitting on someone else’s server. Self-hosting means my data stays mine.

Always-on autonomy. Managed services are reactive - you talk to them. OpenClaw is proactive. It runs on a schedule, monitors things, and tells you when something needs attention. That’s a different relationship with AI entirely.

Cost at scale. The managed alternative runs $40/month with data hosted in Beijing. My setup runs $12–32/month with data on a server I control in Singapore. For serious use, the economics of self-hosting get better over time.

The tradeoff is setup time and maintenance. This article is about making that tradeoff worth it.

Security Is Architecture, Not Settings

This is where I want to spend real time. Because this is the part most “how to set up X” articles wave their hands and move on. And it’s where most of the lessons are.

The mental model for server security: Every service you run is an attack surface. The goal is to make each surface as small as possible, and add friction at every layer so that even if one layer fails, the next one holds.

Sound familiar? It should. It’s the same principle behind defence in depth in financial risk management. Capital buffers assume risk models could be wrong. Stress tests assume normal conditions won’t hold. No single control is trusted to work alone.

Same thing here. Three layers.

Layer 1 - Basic hardening. A non-root user with SSH key-only authentication. No password logins. Limited login attempts. The server equivalent of locking the front door and not leaving the key under the mat.

Layer 2 - Firewall and intrusion detection. UFW controls who can knock at all. Fail2ban watches for people knocking too many times and bans them. Within minutes of spinning up a new VPS, you’ll see login attempts from IPs around the world. These two tools handle the noise.

Layer 3 - Tailscale. This is the one that makes the security model genuinely strong rather than just “better than default.”

Tailscale creates a private encrypted network across the internet - but only devices you authenticate can join. Every device gets a private IP. Your VPS gets one. Your laptop gets one. They communicate through an encrypted WireGuard tunnel regardless of physical location.

The magic: your VPS’s public IP can have all ports closed. SSH moves to the private Tailscale network only. Run a port scan on the public IP and you see nothing. The server is invisible. No SSH to probe, no services to attack.

By the time someone could attack your SSH, they’d need to compromise your Tailscale account first - which requires MFA, device approval, and your credentials. Each layer assumes the previous one could fail.

I ran OpenClaw’s built-in security audit at the end. Result: 0 critical issues. The audit also told me something important - OpenClaw operates under a “personal assistant” trust model. One trusted operator. Not designed for multiple adversarial users sharing a gateway. If you’re building this for a team, that’s the line that should make you pause.

The Gotchas (So You Don’t Burn the Hours I Did)

The AI part - installing OpenClaw, configuring the heartbeat, connecting Telegram - was straightforward. The infrastructure and its quirks ate most of my weekend. Some things I wish I’d known:

Set the user’s password before you lock root out. I almost locked myself out of my own server. Create the non-root user, set their password, open a second terminal, verify they can SSH in and sudo - only then disable root login. The tutorials always omit this.

User-level vs system-level systemd. OpenClaw installs as a user-level service. systemctl restart openclaw-gateway fails silently. You need systemctl --user restart openclaw-gateway. Every service command needs --user. Burned an hour.

Ubuntu 24.04 renamed the SSH service. systemctl restart sshd fails. systemctl restart ssh works. Small thing, large confusion.

Syncthing version mismatches cause silent failures. Both sides showed “Up to Date.” No files were actually syncing. The version in Ubuntu’s default repo is too old to pair with a newer Windows client. Always install from the official Syncthing apt repo.

Read BOOTSTRAP.md before you wonder why nothing works. OpenClaw ships with a bootstrap file that runs on every gateway startup and waits for a human response. If you’ve completed setup and the file is still there, it blocks the agent indefinitely. The file literally says “Delete this file when you’re done.” I missed it.

The dashboard URL needs the full token. http://localhost:18789/ looks like it loads but shows “pairing required.” The correct URL is http://localhost:18789/#token=YOUR_TOKEN. The #token= fragment is the authentication handshake. Without it you’re knocking on a locked door.

What I Have Now

A private AI agent that:

  • Runs 24/7 on a server I control
  • Has zero open public ports (invisible to port scanners)
  • Sends me a morning briefing on Telegram every day
  • Picks up tasks I write in Obsidian and works on them while I’m doing other things
  • Passes outputs back to my knowledge base automatically
  • Costs $12–32/month depending on API usage

The setup took a weekend. The security architecture took most of that time - and it was worth every hour.

My reflection. The AI was genuinely the easy part. What took thought was the infrastructure around it. The security layers. The sync pipeline. The trust model. It reminded me of something I keep coming back to in AI risk management - the model is rarely the hardest problem. It’s the plumbing around it. The governance. The controls. The architecture that holds it all together.

Agentic AI isn’t magic; it’s plumbing. This was plumbing with a wrench, a VPS, and a lot of second terminals open just in case.

If you’re thinking about self-hosting an AI agent - or any personal infrastructure, really - what’s holding you back? The setup, the security, or something else?

#AI #AgenticAI #SelfHosting #Security #OpenSource