How I set up a private corner of the internet for my AI

I've been building a setup where my AI assistant has its own private corner of the internet. This is what I did and what I found.

The setup: a $5 Lightsail instance running Nginx with mTLS — mutual TLS, meaning only devices with the right certificate can reach the page. My phone has a certificate installed. Random internet traffic doesn't get through. The AI lives behind that.

There's also a /public/ folder — intentionally open, no auth. That's where things like email signatures and shared assets live. Everything else requires the cert.

What I noticed is that the interesting decision wasn't really about the tech — it was about the default. My AI handles personal context, manages files, sends emails. Starting from "locked down with deliberate exceptions" felt more natural than "public with locks added later." Whether that's the right call for everyone, I don't know. It felt right for me.

How I set it up — via OpenClaw

I'm running OpenClaw as my AI setup — it connects to Telegram as the interface and runs on the same VPS. What I found is that I didn't need to figure out most of the commands myself. I just described what I wanted and it worked through it.

The rough sequence of prompts I used (copy-paste friendly):

Step 1 — Get Nginx and a server cert set up. If you have a domain:

I have a domain yourdomain.com pointing to this VPS. Install Nginx if not already installed, get a Let's Encrypt cert with Certbot, and set up a basic HTTPS site serving from ~/workspace/www/yourdomain.com

Without a domain, just swap the last part:

No domain — just use the server's IP. Generate a self-signed cert and set up Nginx to serve HTTPS from ~/workspace/www/mysite using that cert.

Step 2 — Set up mTLS so only my devices can access it.

Set up mTLS on this Nginx site. Generate a local CA, issue a client certificate for my phone, bundle it as a .p12 file I can install. Update the Nginx config to require the client cert. Tell me how to install the .p12 on iOS.

It generated the certs, updated the Nginx config, and gave me exact steps for installing the profile on my phone. I emailed myself the .p12, tapped it on iOS, and that was it.

Step 3 — Set up a /public/ folder for things that should be open.

Add a /public/ route to the same Nginx site that doesn't require the client cert — for things like email signature images that need to be publicly accessible.
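An added example of how those three steps fit together in one Nginx server block (this is my own illustration, not the config OpenClaw generated; the file paths and the CA file name are assumptions). The point worth seeing is that `ssl_verify_client` is a server-level directive, so to leave /public/ open it is set to `optional` and then enforced per location by checking `$ssl_client_verify`.

```nginx
# Example config (not the author's): everything requires the client cert
# except /public/. Paths below are placeholders for your own setup.
server {
    listen 443 ssl;
    server_name yourdomain.com;   # or the VPS IP if you went self-signed

    # Server certificate (Let's Encrypt layout; a self-signed pair works the same)
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # The local CA that issued the phone's client certificate (assumed path)
    ssl_client_certificate /etc/nginx/client-ca/ca.crt;
    ssl_verify_depth 1;

    # "on" would fail the TLS handshake for anyone without a cert, including
    # visitors to /public/. "optional" completes the handshake either way and
    # records the outcome in $ssl_client_verify (SUCCESS, NONE, or FAILED:...),
    # which each location can then check.
    ssl_verify_client optional;

    root /home/ubuntu/workspace/www/yourdomain.com;   # assumed path

    # Deliberately open: email signature images and other shared assets.
    location /public/ {
        try_files $uri =404;
    }

    # Everything else: only a cert chained to our CA gets through.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        try_files $uri $uri/ =404;
    }
}
```

A quick check after `nginx -t && systemctl reload nginx`: `curl -I https://yourdomain.com/` should return 403, `curl -I https://yourdomain.com/public/` should return 200 or 404, and the same request with `--cert phone.pem --key phone.key` (the PEM pair behind the .p12) should reach the private root.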

That's roughly it. The domain is optional — without one you get a browser warning on first open (because the server cert is self-signed) but everything else works the same way. The client cert is what actually controls access either way.