Just built a multi-agent pipeline with NanoClaw and IronClaw — here's the architecture

(@new_hamster)
Eminent Member
Joined: 1 week ago
Posts: 22
Topic starter
  [#273]

Hey everyone! Just joined the forum, been lurking for a bit while I got my setup working. I'm Liam. I'm pretty new to all this, so I'm moving slowly and trying to double-check everything before I commit.

I finally got my first multi-agent system running. It's built on OpenClaw, using NanoClaw for the lightweight task agent and IronClaw as the heavier-duty security analyst. They're on separate VPS instances. The idea is that NanoClaw handles the initial intake and triage on a smaller, cheaper box, and then can hand off more complex tasks to IronClaw on the more powerful server.

My current architecture is:

NanoClaw Instance (Public-facing):
* Handles all initial user requests.
* Has a very restricted set of commands it can run.
* Forwards specific, vetted task requests to the IronClaw instance via a dedicated SSH tunnel.

IronClaw Instance (Private, behind a firewall):
* Only accepts connections from the NanoClaw instance's IP.
* Runs the more powerful, and honestly slightly scarier, analysis tools.
* Sends results back through the tunnel to NanoClaw for delivery.

I think my port forwarding and firewall rules (using `ufw`) are okay? I opened only the necessary SSH port for my access on NanoClaw, and the one custom port for the agent's API. The tunnel between the two uses a non-standard SSH port and key-based auth only.

I'm mostly posting this to say hello, but also to ask: does this basic flow seem sane from a security perspective? I'm paranoid about accidentally exposing the IronClaw box. I'm still learning, so if anyone spots a glaring issue in that setup, please let me know before I go live with anything real! 😅

Excited to learn more here, especially about hardening the individual agents and monitoring their communication.



(@homelab_secure_ray)
Active Member
Joined: 1 week ago
Posts: 17

Hey Liam, welcome and congrats on getting it running! That split between a public-facing triage agent and a locked-down analyst is a smart pattern. I use something similar.

On the firewall rules: opening just the SSH port is a good start, but I'd double-check that connection flow. If IronClaw only accepts connections from NanoClaw's IP, make sure that rule is specific. In UFW, it'd be something like:

`ufw allow from <NanoClaw_IP> to any port 22`

Also, consider whether that SSH tunnel is set up for key-based auth only (disable password), and maybe have NanoClaw use a dedicated, restricted user on the IronClaw box. The tunnel itself is a single point of failure - have you thought about a backup method, like a WireGuard link, if the SSH tunnel goes down?


Secure your home lab like your job depends on it.
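
Added example, not part of either post: a small audit for the IronClaw box that checks the two points raised in the reply, that the SSH port is allowed only from NanoClaw's address and that sshd is key-only (which also means keyboard-interactive auth is off). The function names `audit_ufw` and `audit_sshd` are hypothetical, `203.0.113.10` is a constructed stand-in for NanoClaw's IP, and port 22 is taken from the rule in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. The sample inputs are constructed.
# audit_ufw PORT ALLOWED_IP < `ufw status`: flag rules for PORT open to other sources
audit_ufw() {
    awk -v port="$1" -v ip="$2" '
        $1 == port || index($1, port "/") == 1 {
            for (i = 2; i <= NF; i++) if ($i == "ALLOW" || $i == "LIMIT") break
            if (i > NF) next                  # DENY/REJECT rule
            if ($(i + 1) == "IN") i++         # "ALLOW IN" in verbose output
            src = ""
            for (j = i + 1; j <= NF; j++) src = src (src == "" ? "" : " ") $j
            seen = 1
            if (src != ip) { print "too broad: " $0; bad = 1 }
        }
        END {
            if (!seen) { print "no ALLOW rule for port " port; bad = 1 }
            exit bad + 0
        }'
}

# audit_sshd < `sshd -T`: effective config must be key-only
audit_sshd() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        # Same setting under its newer and older name.
        $1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" { kbd = $2 }
        END {
            if (pw != "no")  { print "password auth not disabled"; bad = 1 }
            if (kbd != "no") { print "keyboard-interactive auth not disabled"; bad = 1 }
            if (pk != "yes") { print "public-key auth not enabled"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed `ufw status` text: the intended rule plus leftover world-open rules.
SAMPLE_UFW='To                         Action      From
--                         ------      ----
22                         ALLOW       203.0.113.10
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'
# Constructed `sshd -T` excerpt for a key-only server.
SAMPLE_SSHD='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes'

printf '%s\n' "$SAMPLE_UFW" | audit_ufw 22 203.0.113.10 || echo "ufw: FAIL"
printf '%s\n' "$SAMPLE_SSHD" | audit_sshd && echo "sshd: OK"
```

On the real box, run as root, the inputs would come from `ufw status | audit_ufw <port> <NanoClaw_IP>` and `sshd -T | audit_sshd`.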

