So I wanted to have my own OpenClaw running at home, on my own server, not depending on some cloud service. OpneClaw it's basically an multi-agent infrastructure that you can talk to via Telegram, browser, whatever you want. Here is how I did it on my Rancher/RKE2 cluster.

My Setup

Before starting, here is what I have:

• Rancher v2.13.3
• RKE2 cluster (4 nodes)
• kubectl + kustomize
• A storage class called local-path
• An Anthropic API key (you get it from console.anthropic.com)

How OpenClaw is meant to be deployed

The official OpenClaw repo (github.com/openclaw/openclaw) has a scripts/k8s/ folder with everything you need:

scripts/k8s/
├── deploy.sh           # creates namespace + secret, deploys via kustomize
├── create-kind.sh      # local Kind cluster for testing
└── manifests/
    ├── kustomization.yaml
    ├── configmap.yaml  # openclaw.json + AGENTS.md
    ├── deployment.yaml
    ├── pvc.yaml
    └── service.yaml

You can run ./scripts/k8s/deploy.sh and it handles everything. I took these manifests, adapted them for my Rancher cluster (different storage class, my config, my AGENTS.md), and kept them in my own git repo.

The manifests use Kustomize instead of just running kubectl apply -f on each file separately. The reason is simple: with Kustomize you have one kustomization.yaml that lists all your files, so kubectl apply -k ./folder/ applies everything in one shot in the right order. It also makes it easy to manage overlays later (dev vs prod configs for example) without duplicating files. It is built into kubectl so no extra tool to install.

Step 1 — Create the Namespace

kubectl create namespace openclaw

Step 2 — Create the Secrets

You need two things in the secret: your Anthropic API key, and a gateway token (used to authenticate the web UI).

Important: never put secrets in git. Always create them directly from command line.

# Generate a random gateway token
GATEWAY_TOKEN=$(openssl rand -hex 24)

kubectl create secret generic openclaw-secrets \
  --from-literal=ANTHROPIC_API_KEY="sk-ant-XXXXXXX" \
  --from-literal=OPENCLAW_GATEWAY_TOKEN="$GATEWAY_TOKEN" \
  -n openclaw

# Save the token — you need it to access the UI
echo "Your token: $GATEWAY_TOKEN"

Key names must be exact — ANTHROPIC_API_KEY not anthropicApiKey.

Step 3 — Create the PVC

Use your cluster's default storage class. I use Longhorn (replicated, survives node failures). Do not use local-path — if the PVC gets deleted, data is gone permanently.

# pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: openclaw
  namespace: openclaw
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 10Gi

Step 4 — Create the Config Files

OpenClaw uses a ConfigMap for two things: openclaw.json (the gateway config) and AGENTS.md (instructions for the agent).

Create configmap.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: openclaw-config
  labels:
    app: openclaw
data:
  openclaw.json: |
    {
      "agents": {
        "defaults": {
          "model": {
            "primary": "anthropic/claude-haiku-4-5-20251001"
          }
        }
      },
      "gateway": {
        "mode": "local",
        "bind": "loopback",
        "port": 18789,
        "auth": {
          "mode": "token"
        },
        "controlUi": {
          "enabled": true,
          "allowedOrigins": ["http://localhost:18789"]
        }
      }
    }
  AGENTS.md: |
    # OpenClaw Assistant
    You are a helpful assistant running on a personal Kubernetes cluster.
    Be direct and concise.

LLM Choice

This is a personal assistant running 24/7. Every message costs tokens. Here is the rough pricing (early 2026):

Haiku is ~5x cheaper than Sonnet. For daily tasks it is more than enough. Switch to Sonnet per-session when you need deeper reasoning.

About allowedOrigins

The gateway needs to know which browser origins can connect. Since I access via kubectl port-forward on localhost:18789, I set exactly that. If you access from a different host or over HTTPS/Tailscale, update this accordingly.

Also useful to know:

• Pass the token as #token=... in the URL fragment (not ?token=) — fragments are not sent to the server, more secure
• The gatewayUrl is saved in localStorage after first load
• For HTTPS/TLS use wss:// not ws://

Step 5 — Create the Deployment and Service

deployment.yaml

A few things worth knowing about this file:

• Init container (init-config): runs before the main container. It copies openclaw.json and AGENTS.md from the ConfigMap into the PVC. This happens on every restart — so the ConfigMap is always the source of truth for config.
• Image: pinned to 2026.4.11, not latest. Always pin to a release.
• readOnlyRootFilesystem: true: the container filesystem is read-only for security. That's why we mount /tmp separately as an emptyDir — npm needs a writable cache somewhere.
• npm_config_cache=/tmp/.npm-cache: fixes npm permission errors inside the pod.
• No CPU/memory limits — let it use what it needs.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: openclaw
  labels:
    app: openclaw
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openclaw
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: openclaw
    spec:
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        - name: init-config
          image: busybox:1.37
          command:
            - sh
            - -c
            - |
              cp /config/openclaw.json /home/node/.openclaw/openclaw.json
              mkdir -p /home/node/.openclaw/workspace
              cp /config/AGENTS.md /home/node/.openclaw/workspace/AGENTS.md
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
          resources:
            requests:
              memory: 32Mi
              cpu: 50m
            limits:
              memory: 64Mi
              cpu: 100m
          volumeMounts:
            - name: openclaw-home
              mountPath: /home/node/.openclaw
            - name: config
              mountPath: /config
      containers:
        - name: gateway
          image: ghcr.io/openclaw/openclaw:2026.4.11
          command: [node, /app/dist/index.js, gateway, run]
          ports:
            - containerPort: 18789
          env:
            - name: HOME
              value: /home/node
            - name: OPENCLAW_CONFIG_DIR
              value: /home/node/.openclaw
            - name: NODE_ENV
              value: production
            - name: npm_config_cache
              value: /tmp/.npm-cache
            - name: OPENCLAW_GATEWAY_TOKEN
              valueFrom:
                secretKeyRef:
                  name: openclaw-secrets
                  key: OPENCLAW_GATEWAY_TOKEN
            - name: ANTHROPIC_API_KEY
              valueFrom:
                secretKeyRef:
                  name: openclaw-secrets
                  key: ANTHROPIC_API_KEY
                  optional: true
          resources:
            requests:
              memory: 512Mi
              cpu: 250m
          livenessProbe:
            exec:
              command: [node, -e, "require('http').get('http://127.0.0.1:18789/healthz', r => process.exit(r.statusCode < 400 ? 0 : 1)).on('error', () => process.exit(1))"]
            initialDelaySeconds: 60
            periodSeconds: 30
          readinessProbe:
            exec:
              command: [node, -e, "require('http').get('http://127.0.0.1:18789/readyz', r => process.exit(r.statusCode < 400 ? 0 : 1)).on('error', () => process.exit(1))"]
            initialDelaySeconds: 15
            periodSeconds: 10
          volumeMounts:
            - name: openclaw-home
              mountPath: /home/node/.openclaw
            - name: tmp-volume
              mountPath: /tmp
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: [ALL]
      volumes:
        - name: openclaw-home
          persistentVolumeClaim:
            claimName: openclaw
        - name: config
          configMap:
            name: openclaw-config
        - name: tmp-volume
          emptyDir: {}

service.yaml

apiVersion: v1
kind: Service
metadata:
  name: openclaw
  labels:
    app: openclaw
spec:
  type: ClusterIP
  selector:
    app: openclaw
  ports:
    - port: 18789
      targetPort: 18789

kustomization.yaml

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: openclaw
resources:
  - pvc.yaml
  - configmap.yaml
  - deployment.yaml
  - service.yaml

Apply everything

kubectl apply -k ./kustomize/

Step 6 — Access the UI

kubectl port-forward svc/openclaw 18789:18789 -n openclaw

Then open: http://localhost:18789#token=YOUR_TOKEN

Get your token anytime:

Linux/Mac:

kubectl get secret openclaw-secrets -n openclaw \
  -o jsonpath='{.data.OPENCLAW_GATEWAY_TOKEN}' | base64 -d

Final Thoughts

It took me a few hours, mostly because I started with the wrong Helm chart. Once I switched to the official Kustomize manifests it was much cleaner. Now I have my own AI agent running 24/7 at home, connected to Telegram, with persistent memory. Pretty cool for automating things and having a real assistant that remembers context between conversations.

If you have questions feel free to reach out.

In this post, I'll walk you through the process of deploying a self-hosted Ghost blog on a Kubernetes cluster.

There are a couple of key reasons why I chose to do this. First and foremost, I wanted to save money by not paying $11 per month for the Ghost Pro subscription, especially since I wasn't utilizing all the premium features. Additionally, I recently set up a home server, and I was keen to maximize its resources by running various services.

In this tutorial I will use the following docker image to botstrap the blog.

https://github.com/docker-library/ghost?tab=readme-ov-file

Storage Setup

The first thing that comes to my mind on this journey is that I want my blog content data to be stored outside the container. This way, data is not linked to container lifecycle.

For that, I created a StorageClass, PersistentVolume, PersistentVolumeClaim

• StorageClass

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: local-storage
  namespace: internet-apps
provisioner: kubernetes.io/no-provisioner
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer

• PersistentVolume

apiVersion: v1
kind: PersistentVolume
metadata:
  name: ghost-pv
  namespace: internet-apps
  labels:
    type: local
spec:
  storageClassName: local-storage
  capacity:
    storage: 10Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/data/ghost"

The hostPath volumes need to be accessible on all nodes in your cluster. because it ties to the node a pod is on, so the path needs to be there and reachable on any node where the pod might run.

• PersistentVolumeClaim

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: ghost-pvc
  namespace: internet-apps
spec:
  storageClassName: local-storage
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  volumeName: ghost-pv

Deployment

The Ghost Docker image allows managing configuration outside of the container in a MySQL database. For this, I created a config map to manage MySQL connection values:

• ConfigMap mysql-config

apiVersion: v1
data:
  MYSQL_HOST: mysql-service.internet-apps.svc.cluster.local
  MYSQL_USER: xxxxx
kind: ConfigMap
metadata:
  name: mysql-config
  namespace: internet-apps

• ConfigMap wp-db-secrets

apiVersion: v1
data:
  MYSQL_ROOT_PASSWORD: xxxxx
kind: Secret
metadata:
  name: wp-db-secrets
  namespace: internet-apps

We also need to specify the URL, which is the public URL of your Ghost blog.

• Url

In my case : https://blog.v2.abakri.xyz

• Deployment Config file

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ghost
  namespace: internet-apps
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ghost
  template:
    metadata:
      labels:
        app: ghost
    spec:
      containers:
      - name: ghost
        image: ghost:5-alpine
        env:
          - name: database__client
            value: "mysql"
          - name: database__connection__host
            valueFrom:
              configMapKeyRef:
                name: mysql-config
                key: MYSQL_HOST
          - name: database__connection__user
            valueFrom:
              configMapKeyRef:
                name: mysql-config
                key: MYSQL_USER
          - name: database__connection__password
            valueFrom:
              secretKeyRef:
                name: wp-db-secrets
                key: MYSQL_ROOT_PASSWORD
          - name: database__connection__database
            value: "xxx"
          - name: url
            value: "https://blog.v2.abakri.xyz"
        ports:
        - containerPort: 2368
        volumeMounts:
        - name: ghost-storage
          mountPath: "/var/lib/ghost/content"
      volumes:
      - name: ghost-storage
        persistentVolumeClaim:
          claimName: ghost-pvc

Service

• Cluster IP Service
  targetPort need to be 2368 and not 80 ;)

apiVersion: v1
kind: Service
metadata:
  name: ghost-service
  namespace: internet-apps
spec:
  selector:
    app: ghost
  ports:
    - protocol: TCP
      port: 80
      targetPort: 2368

• Ingress

You must have an ingress controller (Nginx in my case), and cert-manager needs to be deployed with letsencrypt-prod configured.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ghost-ingress
  namespace: internet-apps
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  rules:
    - host: blog.abakri.xyz
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ghost-service
                port:
                  number: 80
  tls:
    - hosts:
        - blog.abakri.xyz
      secretName: ghost-service-tls

• Domain Configuration(Google Domains)

Bingo !

When attempting to install Esxi 7 on a PC/server equipped with the latest hardware available in the market, you may encounter the following problem:

I faced it with the Mini Forum Um690.

To resolve this issue, we need to build a custom ESXi iso image that will include drivers that support the undetected network chip.

Steps :

• You need to download the VMware vSphere Hypervisor (ESXi) Offline Bundle(VMware-ESXi-7.0U3g-20328353-depot.zip) from Vmware customer connect(https://customerconnect.vmware.com)
• You need also the network driver from Vmware fings, https://flings.vmware.com/community-networking-driver-for-esxi
• Install Python 3.7.9 or any 3.7.x
  3.7.0 didn't work for me, better to choose 3.7.9 or a newer version
• Upgrading pip

python -m pip install --upgrade pip

• Installing required Python packages

pip install six psutil lxml pyopenssl

• Enable remote signed script

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

• Install PowerCli
  If you want to use a different version of PowerCLI, ensure its compatibility with your Esxi version by checking on https://interopmatrix.vmware.com/Interoperability.

Install-Module -Name VMware.PowerCLI -RequiredVersion 13.0.0.20829139

• Import the ImageBuilder module to create the custom iso

Import-Module VMware.ImageBuilder

• Add the downloaded bundle depot to the PowerCli session

Add-EsxSoftwareDepot .\VMware-ESXi-7.0U3g-20328353-depot.zip

• Verify that the depot is loaded correctly

Get-EsxImageProfile

• Now, we create the custom image from the already loaded depot profile

New-EsxImageProfile -CloneProfile ESXi-7.0U3g-20328353-standard -Name Custom-Esxi7 -Vendor Vmware

• Here we add the network community driver(net-community) to the PowerCli session

Add-EsxSoftwareDepot .\Net-Community-Driver_1.2.7.0-1vmw.700.1.0.15843807_19480755.zip

• Now, we add the net-community driver to our custom image profile

Add-EsxSoftwarePackage -ImageProfile Custom-Esxi7 -SoftwarePackage net-community

• Because we have a community package inside our image profile, we need to switch the acceptance level to CommunitySupported instead of PartnerSupported

Set-EsxImageProfile -AcceptanceLevel CommunitySupported –ImageProfile Custom-Esxi7

• Here we create the iso file from the profile

Export-EsxImageProfile -ImageProfile Custom-Esxi7 -ExportToIso -FilePath C:\Users\User\Desktop\esxi-image\Custom-Esxi7.iso

• Bingo ! Now you can use this iso to install Esxi 7

This week I was setting up a minimal Continuous Integration solution based on Java/Maven running on Bitbucket pipelines. I was looking for the cleanest way to integrate the maven settings.xml into the pipeline, I found some solutions in the internet but they were not as clean as I want. In this article I share with you a simple and clean solution to do it.

Environment variables

The first thing to do is to define a couple of variables in Bitbucket. My advice is to define them at the workspace level rather than the repository level.

• MVN_SERVER1_USERNAME : Will contain the username of the server with the id SERVER1
• MVN_SERVER1_PASSWORD : Will contain the password of the server with the id SERVER1
• SETTINGS_XML : Will contain the settings.xml payload, BUT with placeholder for the server credentials(Yes, bitbucket Accept nested variables, good news !!!)
• You can define as many servers credentials as you need...
  
  The server element in the settings.xml look like this :

<server>
    <id>SERVER1</id>
    <username>${MVN_SERVER1_USERNAME}</username>
    <password>${MVN_SERVER1_PASSWORD}</password>
</server>

Here are the environment variables in Bitbucket

Pipeline

The pipeline is straightforward and easy to understand :

image: maven:3.6.3-jdk-11

pipelines:
  default:      
      - step:
          name: Build and Test
          script:
            - echo $SETTINGS_XML > settings.xml
            - mvn -s settings.xml clean install

I hope this can help you in your Bitbucket pipelines journey :)

Salam

Hi, I wanted to create a toast error system for my web application where whenever an error is thrown a toast is created with the error body and appended to a div element. the final result looks like this :

What's in the stack

• Vue 3/ Composition API
• Bootstrap 5.1
• Typescript 4.6

Deep dive

Firstly we create a Vue component called Toast.vue that encapsulates the UI and the Algorithm that processes toast show up.

The setup script block is as follows :

<script setup lang="ts">
import { onUpdated } from "vue";
import { Toast } from "bootstrap";

const props = defineProps({
  errors: { type: Array, default: () => [] },
});

onUpdated(() => {
  const hiddenToasts = props.errors.filter((obj) => {
    return obj.show != true;
  });
  hiddenToasts.forEach(function (error) {
    var errorToast = document.getElementById(error.id);
    var toast = new Toast(errorToast);
    toast.show();
    error.show = true;
    errorToast.addEventListener("hidden.bs.toast", function () {
      const indexOfObject = props.errors.findIndex((item) => {
        return item.id === error.id;
      });
      if (indexOfObject !== -1) {
        props.errors.splice(indexOfObject, 1);
      }
    });
  });
});
</script>

errors array will host toast's states, it can be anything. In my case, it's an object with an id, msg, and a boolean show state

onUpdated() is a Vue lifecycle hooks triggered whenever the component has updated its DOM tree due to a reactive state change, in our case the reactive state is the errors array.

1. Firstly we filter the errors that are not shown yet, then for each error we trigger toast.show() and we add a listener on hidden.bs.toast
2. Whatever an event hidden.bs.toast is triggered we remove the error object from the array so that we have a nice and clean DOM

The script block is as follows :

<script lang="ts">
const TOASTS_MAX = 5;
export function push(array: Array, data): Array {
  if (array.length == TOASTS_MAX) {
    array.shift();
    array.push(data);
  } else {
    array.push(data);
  }
}
</script>

• TOASTS_MAX defines the max number of toasts to show up at the same time
• the push method is a simple way to implement a circular array. Whenever the array contains TOASTS_MAX elements, adding a new one will delete the element at the position 0 and push the new element at the end, in this way we are sure to have a maximum of TOASTS_MAX elements
• the push method needs to be exported so that other components can use it

The template block is as follows :

<template>
  <div ref="container" class="position-fixed bottom-0 end-0 p-3" style="z-index: 11">
    <div v-for="item in errors" v-bind:id="item.id" class="toast fade opacity-75 bg-danger" role="alert" aria-live="assertive" aria-atomic="true" data-bs-delay="15000">
      <div class="toast-header bg-danger">
        <strong class="me-auto text-white">Error</strong>
        <button type="button" class="btn-close" data-bs-dismiss="toast" aria-label="Close"></button>
      </div>
      <div class="toast-body text-white error-body">{{ item.msg }}</div>
    </div>
  </div>
</template>

• <div ref="container"...> fixed in the bottom right host the toasts
• v-for directive loop on errors array and render it whenever a change happens.
• v-bind:id directive let us define an id for each toast, the id needs to be unique!
• data-bs-delay let us define the timeout before auto-hiding the toast

How to use it?

<script setup lang="ts">
import { ref, reactive } from 'vue';
import toast from './Toast.vue';
import { push } from './Toast.vue';

const state = reactive({ errors: [], count : 0 });

function pushError(id: int) {
  push(state.errors, { id: id, msg: 'Error message ' + id });
}
</script>

<template>
  <toast :errors="state.errors"></toast>
  <button type="button" @click="pushError('toast' + state.count++)">
    Error trigger: {{ state.count }}
  </button>
</template>

• state hold the reactive errors array and the count that forms the error's id
• Whenever the button is clicked an error object is pushed to the errors array and because the errors array is attached to the Toast component using :errors="state.errors" whenever we change the source array the target array is updated

Here is the Demo!