Skip to content
AI Butler

VPS

This guide walks through a production deployment on a generic Linux VPS (Ubuntu, Debian, Rocky, Arch — any systemd distro). End result: a public HTTPS endpoint with a hardened systemd service, automatic TLS, and scheduled backups.

What You’ll Need

Section titled “What You’ll Need”
  • A Linux VPS with at least 1 vCPU, 1 GB RAM, 20 GB disk (Hetzner CX11, DigitalOcean $6, Linode Nanode all work)
  • A domain pointed at the VPS IP
  • Root or sudo access

1. Install AI Butler

Section titled “1. Install AI Butler”
Terminal window
cd /tmp
curl -sSL https://github.com/LumabyteCo/aibutler/releases/latest/download/aibutler_Linux_x86_64.tar.gz | tar xz
sudo mv aibutler /usr/local/bin/
sudo aibutler version

2. Create a Service Account

Section titled “2. Create a Service Account”
Terminal window
sudo useradd --system --home /var/lib/aibutler --create-home aibutler
sudo mkdir -p /etc/aibutler
sudo chown aibutler:aibutler /var/lib/aibutler /etc/aibutler

3. systemd Service

Section titled “3. systemd Service”

Create /etc/systemd/system/aibutler.service:

[Unit]
Description=AI Butler
After=network-online.target
Wants=network-online.target


[Service]
Type=simple
User=aibutler
Group=aibutler
WorkingDirectory=/var/lib/aibutler
ExecStart=/usr/local/bin/aibutler run --config /etc/aibutler/config.yaml
Restart=on-failure
RestartSec=5s


# Hardening
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/var/lib/aibutler
CapabilityBoundingSet=
RestrictNamespaces=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6


[Install]
WantedBy=multi-user.target

Enable and start:

Terminal window
sudo systemctl daemon-reload
sudo systemctl enable --now aibutler
Section titled “4. Reverse Proxy with Caddy (Recommended)”

Caddy gives you automatic HTTPS with zero config. Install it, then create /etc/caddy/Caddyfile:

aibutler.example.com {
    reverse_proxy localhost:3377 {
        header_up X-Real-IP {remote_host}
        flush_interval -1
    }
    encode gzip
}
Terminal window
sudo systemctl reload caddy

That’s it — TLS is provisioned automatically from Let’s Encrypt.

5. Reverse Proxy with nginx (Alternative)

Section titled “5. Reverse Proxy with nginx (Alternative)”

If you prefer nginx + certbot:

server {
    listen 80;
    server_name aibutler.example.com;
    return 301 https://$host$request_uri;
}


server {
    listen 443 ssl http2;
    server_name aibutler.example.com;


    ssl_certificate     /etc/letsencrypt/live/aibutler.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/aibutler.example.com/privkey.pem;


    client_max_body_size 25M;


    location / {
        proxy_pass http://localhost:3377;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 600s;
        proxy_buffering off;
    }
}
Terminal window
sudo certbot --nginx -d aibutler.example.com

6. Enable Authentication

Section titled “6. Enable Authentication”

On a public VPS, the web chat MUST have auth enabled:

/etc/aibutler/config.yaml
configurations:
  web:
    port: 3377
    bind_address: 127.0.0.1     # bind to loopback, only the proxy can reach it
  auth:
    enabled: true
    require_totp: true           # strongly recommended
    session_timeout: 12h

Create the first admin user:

Terminal window
sudo -u aibutler aibutler user create admin --role admin

See Authentication for OIDC, WebAuthn, and password policy.

7. Firewall

Section titled “7. Firewall”
Terminal window
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable

AI Butler itself only listens on localhost — the only public ports are 80/443 (for the reverse proxy) and 22 (for SSH).

8. Backups

Section titled “8. Backups”

Schedule an S3-compatible backup to an off-site location:

configurations:
  backup:
    local:
      enabled: true
      retention_days: 14
    remote:
      provider: s3
      endpoint: s3.us-east-1.amazonaws.com
      bucket: my-aibutler-backups
      # access_key / secret_key via vault
Terminal window
sudo -u aibutler aibutler vault set s3_access_key AKIA...
sudo -u aibutler aibutler vault set s3_secret_key ...

9. Monitoring

Section titled “9. Monitoring”

The health endpoint is at /health:

Terminal window
curl https://aibutler.example.com/health

Add it to your uptime monitor (Uptime Kuma, BetterStack, etc.). Metrics are at /metrics (Prometheus format) if you enable them in config.

10. Updates

Section titled “10. Updates”
Terminal window
sudo systemctl stop aibutler
cd /tmp
curl -sSL https://github.com/LumabyteCo/aibutler/releases/latest/download/aibutler_Linux_x86_64.tar.gz | tar xz
sudo mv aibutler /usr/local/bin/
sudo systemctl start aibutler

Schema migrations run automatically on startup. Watch the logs: journalctl -u aibutler -f.