Friend guide / no secret sauce leaked

The Zbam setup

A practical map of how Reinaldo runs OpenClaw, Codex, VPS apps, automations, memory, and private control surfaces from one opinionated AI workspace.

agent: OpenClaw + Codex sessions, memory, tools, automations
server: Hetzner CCX23, Ubuntu, 4 vCPU, 16 GB RAM, 80 GB disk
apps: Coolify/Traefik, Logto, Postgres, Node/React/static sites
control: ai.zbam.app and tower.zbam.app for chats, sessions, cron, files
rule: Draft locally first. Nothing external without approval.

Mental model

It is not one app. It is a small operating system.

The useful part is the loop: memory tells the agent what matters, tools let it act, the VPS gives it places to run things, and Control Tower makes the whole setup visible from a browser.

Brain

OpenClaw

Runs the assistant environment: chats, tools, connectors, scheduled heartbeats, memory files, and long-running agent sessions.

Hands

Codex

Does the code work: reads the repo, edits files, runs checks, builds apps, and keeps changes scoped to the task.

Home

Workspace

/root/.openclaw/workspace holds project repos, notes, operating rules, daily memory, scripts, dashboards, and app artifacts.

Stack

What Reinaldo uses today

This is the current practical stack, not a fantasy architecture diagram. Some pieces are mature, some are still lab-grade, and serious external changes require approval.

VPS

Hetzner CCX23 in Nuremberg: 4 vCPU, 16 GB RAM, 80 GB local disk, Ubuntu, Docker. Good enough for OpenClaw, Coolify, Logto, Postgres, and small apps.

Proxy

Coolify's Traefik proxy terminates HTTPS and routes public hosts such as ai.zbam.app, auth.zbam.app, and project domains.

Auth

Logto at auth.zbam.app is the shared identity layer. Google login is configured once, then each app gets its own client.

Apps

Mix of static pages, Node services, React/Vite apps, and generated project sites. Experiments can live on *.zbam.app after approval.

Memory

SOUL.md, USER.md, MEMORY.md, and daily notes define personality, preferences, long-term context, and what happened recently.

Safety

Private data stays local. Secrets live in ignored credential files or service secret managers. Deletions, DNS, security, billing, and public sends need approval.

Daily workflow

How work actually happens

1. Start with context

The agent reads operating rules, recent memory, project notes, and current repo state before acting. That prevents random fresh-chat chaos.

2. Make a local change

Codex edits files, runs the smallest useful validation gate, and preserves unrelated workspace changes.

3. Escalate only when needed

External actions are approval-bound: publishing, DNS, deploys, account changes, emails, social posts, billing, and security hardening.

Start here

How your friend should begin

Do not copy the whole setup on day one. Start with the smallest useful personal operator and add infrastructure only when it hurts not to have it.

Install OpenClaw and create a workspace

Keep one root workspace with AGENTS.md, SOUL.md, USER.md, MEMORY.md, and memory/YYYY-MM-DD.md. Write down operating rules immediately.

Connect only the tools you trust

Start with filesystem, shell, browser, GitHub, and, if useful, read access to calendar and email. Do not connect posting, billing, DNS, or destructive tools until rules are explicit.

Add Codex for code work

Use Codex as the engineer inside the workspace: inspect first, patch narrowly, run checks, and never overwrite unrelated changes.

Buy a VPS only when needed

Recommended starter: Hetzner, Ubuntu LTS, 4 vCPU / 8 GB RAM or better, 80 GB disk, backups enabled. Avoid tiny 1 GB servers unless you enjoy pain.

Put apps behind a boring platform

Use Coolify for deploys/proxy, Logto for shared auth, Postgres for app data, and explicit backup/restore checks before real data.

Non-negotiables

Local first. Approval before external.

This setup is powerful because the agent can act. It stays sane because external actions are gated: no public publish, DNS change, security change, email, social post, account action, billing action, or deletion without approval.
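One way to enforce that gate in front of the agent's tool calls, as an added example (not code from OpenClaw, Codex, or this setup). The action kind names, the dict shape, and the key handling are assumptions; the point shown is that an approval is bound to the exact action, is single-use, and that unlisted kinds fail closed.

```python
import hashlib
import hmac
import json

# Action kinds the page lists as approval-bound; the kind names are assumed.
GATED = {"publish", "dns", "security", "email", "social_post",
         "account", "billing", "delete"}
# Assumed names for work that stays inside the workspace.
LOCAL = {"read_file", "edit_file", "run_check"}


def sign_approval(key: bytes, action: dict) -> str:
    """Approver side: bind the approval to the exact action parameters."""
    canon = json.dumps(action, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


class ApprovalGate:
    """Executor side: sits in front of every tool call the agent proposes."""

    def __init__(self, key: bytes):
        self._key = key        # assumption: stored where the agent cannot read it
        self._used = set()     # approval tokens already spent

    def check(self, action: dict, token=None) -> str:
        kind = action.get("kind")
        if kind in LOCAL:
            return "allow"
        if kind not in GATED:
            return "deny:unknown-kind"      # fail closed on anything unlisted
        if token is None:
            return "needs-approval"
        if not hmac.compare_digest(sign_approval(self._key, action), token):
            return "deny:token-mismatch"    # action changed after approval
        if token in self._used:
            return "deny:replayed"          # one approval, one execution
        self._used.add(token)
        return "allow"


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample value
    gate = ApprovalGate(key)
    dns = {"kind": "dns", "record": "demo.example.test", "value": "192.0.2.10"}
    print(gate.check(dns))
    token = sign_approval(key, dns)
    print(gate.check(dict(dns, value="192.0.2.99"), token))
    print(gate.check(dns, token))
    print(gate.check(dns, token))
```

Because the token is an HMAC over the canonical action, anything that holds the key can mint approvals, so the key belongs to the approval surface and the executor only.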

What to copy

The useful parts

Memory files

  • AGENTS.md for rules and workflows
  • SOUL.md for voice and identity
  • USER.md for preferences and boundaries
  • MEMORY.md for curated long-term context

Control surfaces

  • Chat UI for long-running sessions
  • Project cockpit for focus and approvals
  • Heartbeat checks for health and urgent signals
  • HTML artifacts for dense reports

Platform discipline

  • Secrets never in frontend env vars
  • No production data without backups
  • One golden path for auth and DB
  • Prototype, then promote when proven