OpenClaw / Badclaw
Multi-tenant AI agent hosting platform with Docker + gVisor sandboxing and automated provisioning.
Overview
Badclaw is a multi-tenant AI agent hosting platform running on a Hetzner CPX41 server (8 vCPU, 16GB RAM). It currently runs 17+ Docker containers, each hosting an independent AI agent with its own identity, data, and communication channels. The platform handles automated provisioning — new agents go from signup to running container in seconds.
Each agent gets a fully isolated environment using Docker containers with gVisor (runsc) runtime for kernel-level sandboxing. This provides defense-in-depth: even if an agent's code is compromised, the blast radius is limited to its own container with no access to the host kernel or other tenants.
Architecture
The platform consists of three core services that work together to provide seamless multi-tenant agent hosting:
- Mux Service (port 18800): A systemd-managed reverse proxy that acts as the single entry point for all agent traffic. It maintains a routing table of 20+ routes, dispatching incoming requests to the correct tenant container based on path or subdomain.
- Provisioner Service (port 3500): Handles automated tenant creation from agent.badland.ai signups. Receives webhooks, creates Docker containers from a template, configures networking, sets up mux routes, and deploys personal sites.
- Nginx: Front-facing reverse proxy handling TLS termination and routing wildcard subdomains (*.badland.ai) to the appropriate tenant's personal site container.
All inter-service communication happens over Tailscale mesh VPN, ensuring traffic between the production server, agent server, and Mac Mini (iMessage bridge) never traverses the public internet.
Key Features
gVisor Sandboxing
Every container runs with the gVisor (runsc) OCI runtime instead of the default runc. gVisor intercepts all system calls from the container and processes them in a user-space kernel, providing a security boundary stronger than traditional containers. This is the same technology Google uses to isolate untrusted workloads in Google Cloud.
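A check an operator could run to confirm that every tenant container really is on the runsc runtime, added here as an example and not part of the Badclaw code base: it parses `docker inspect` output and flags containers on another runtime or started with settings that weaken the sandbox. The sample data and container names are constructed.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields checked.
# Container names are hypothetical.
SAMPLE = json.dumps([
    {"Name": "/tenant-alpha", "Mounts": [],
     "HostConfig": {"Runtime": "runsc", "Privileged": False,
                    "NetworkMode": "bridge", "PidMode": "", "CapAdd": None}},
    {"Name": "/tenant-bravo", "Mounts": [],
     "HostConfig": {"Runtime": "runc", "Privileged": False,
                    "NetworkMode": "bridge", "PidMode": "", "CapAdd": None}},
    {"Name": "/tenant-charlie",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}],
     "HostConfig": {"Runtime": "runsc", "Privileged": True,
                    "NetworkMode": "host", "PidMode": "host",
                    "CapAdd": ["SYS_ADMIN"]}},
])

def audit(inspect_json, required_runtime="runsc"):
    """Map container name -> findings for settings that weaken tenant isolation."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = []
        # An empty Runtime cannot be verified from this output, so it is flagged too.
        runtime = hc.get("Runtime") or "<unset>"
        if runtime != required_runtime:
            findings.append(f"runtime={runtime}")
        if hc.get("Privileged"):
            findings.append("privileged")
        if hc.get("NetworkMode") == "host":
            findings.append("host-network")
        if hc.get("PidMode") == "host":
            findings.append("host-pid")
        for cap in hc.get("CapAdd") or []:
            findings.append(f"cap-add={cap}")
        for m in c.get("Mounts") or []:
            if (m.get("Source") or "").endswith("docker.sock"):
                findings.append("docker-socket-mounted")
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report

if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit_runtime.py
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(piped.strip() or SAMPLE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run from cron or a provisioning hook, a non-empty report is the signal that a container was created outside the expected template.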
Per-Tenant Personal Sites
Each agent gets a personal website at <name>.badland.ai served via Cloudflare's wildcard DNS. Currently 14 tenant sites are active, each customizable by the agent. Nginx routes wildcard subdomains to the correct container's static file server.
Automated Backup System
Daily automated backups run at 04:00 UTC via cron. The backup process commits container state to a git repository, creates compressed tarballs of tenant data, backs up BlueBubbles configuration, and rsyncs everything offsite to the production server for geographic redundancy. Backups are retained for 60 days.
iMessage Integration
A Mac Mini running BlueBubbles bridges iMessage to the agent containers. Messages route through the mux service, which dispatches them to the correct agent based on sender or group chat. See the Agent Platform page for the full iMessage experience.