About Capabilities Builds Experience Writing Contact
Hermes Agent · Docker · Telegram

ITGuy.
AI Infrastructure Agent

A dedicated AI agent that manages a production VPS entirely through Telegram. Deploy websites, monitor server health, manage DNS, run backups. No SSH session, no terminal, no login screen. Just a chat.

See the proof How it's built
ITGuy Agent
ITGuy
Infrastructure Agent for ayebee.xyz
10 min Idea to live site
24/7 Monitoring
0 Terminals opened
100% Audit-logged
Context

The problem this solves

Before

Server management requires a terminal and your full attention

Every deployment means SSH-ing in, writing Docker Compose files, configuring Traefik labels, setting up databases, managing SSL, checking DNS propagation. You need a laptop, a stable connection, and 30-60 minutes of focused terminal time. Want to deploy something while commuting? Forget it. Want to check if your server is healthy at 2 AM? Open a terminal.

After

Send a Telegram message. The agent handles the rest.

Describe what you want in plain language. ITGuy inspects the server, writes a plan, waits for your approval (an exact phrase, not a vague "ok"), executes through vetted scripts, verifies the outcome independently, and logs everything to a git-tracked audit trail. I deployed three production websites from the back seat of a car, on mobile, in 10-12 minutes each.

Demo

See it in action

A walkthrough of the full deployment flow: Telegram message to live, SSL-secured website.

Demo video coming soon
Process

The 7-step workflow

Every state-changing action follows this sequence. No exceptions, no shortcuts.

01
👁️

Observe

Read-only server inspection. Verify actual state.

02
📋

Plan

Write concrete steps with exact commands. No vague proposals.

03
🔐

Approve

Human sends an exact approval phrase. "Ok" won't work.

04

Execute

One step at a time through vetted, root-owned scripts only.

05

Verify

Independently confirm: site responds, HTTPS valid, logs clean.

06
📨

Notify

Report outcome on Telegram. Plain language, including partial failures.

07
📝

Record

Audit log committed to git. Full detail, timestamped, reviewable.

Architecture

The container is the brain. The VPS is the hands. The scripts are the only bridge.

The core security principle: the AI reasons inside a Docker container with zero host privileges. Every action on the server flows through a narrow layer of root-owned, human-reviewed scripts that the agent can execute but never edit. No Docker socket, no raw sudo, no shell access. The agent earns trust one vetted script at a time.

DOCKER CONTAINER VPS HOST Hermes Agent AI reasoning engine No Docker socket No host filesystem Telegram Bot API Human interface commands SSH key auth only itguy user Unprivileged account No docker group, no sudo group scoped sudo Vetted Scripts root:root 755 Execute only, cannot edit Docker Engine Traefik TLS/Routing UFW Firewall Knowledge Base 8 docs, git-tracked + Policy Engine (6 docs) + Audit Trail (git log) Cron Monitoring Daily health, SSL watch Weekly security report
Read-only

Health Dashboard

Uptime, load average, disk, RAM, top processes. Runs automatically, no approval needed.

Read-only

Container Inventory

All containers, status, restart counts, health checks, resource usage, images, volumes.

Read-only

Security Posture

Firewall status, Fail2Ban jails, failed logins, pending patches. Weekly report to Telegram.

Approval-gated

Deploy Ghost / WordPress / Static

Full deployment: container, database, Traefik routing, SSL. Exact approval phrase required.

Approval-gated

Container Management

Restart, stop, backup containers. Pre/post state verification baked into every script.

Approval-gated

SSL Renewal + WordPress Updates

Force ACME re-check, WP-CLI update with pre-update DB backup. Medium risk, scoped execution.

Proof

Real deployments, from a Telegram chat

These sites were built and deployed while I was in a car, heading to a friend's place. No laptop, no terminal, no SSH. Just Telegram messages on a phone.

Telegram: plan and approval flow

Plan → Exact approval phrase

ITGuy writes the plan, then waits. No fuzzy "ok" accepted. You send the exact phrase or nothing happens.

Telegram: execution and verification

Execute → Verify → Audit

Action taken, DNS verified, audit entry committed to git. Every step independently confirmed.

Telegram: site is live confirmation

Site is live

Deployment complete. URL confirmed, SSL valid, full deployment summary with what was deployed and how.

Sites deployed by ITGuy, still running:

Live

codeshow.ayebee.xyz

Static portfolio site. Built from a PDF and a reference URL in a single Telegram session.

Visit site
Live

wpshow.ayebee.xyz

WordPress deployment. Container + MySQL + Traefik + SSL, all provisioned through chat.

Visit site
Live

agnishwarbanerjee.info

This portfolio site. Static deployment to nginx:alpine, managed and maintained by ITGuy.

Visit site
Always watching

Automated monitoring,
delivered to Telegram

Three cron jobs run continuously with zero human intervention. Every morning: a full health report (load, disk, memory, all containers, SSL expiry). Daily: a dedicated SSL certificate watch that flags anything under 14 days. Sundays: a security and backup summary covering firewall state, Fail2Ban activity, failed logins, and pending patches.

Pure observation. No risk, no approval required. Just visibility, delivered where I already am.

Daily health report on Telegram
Results

What it changed

10 min Idea to live site

Including DNS, SSL, and deployment verification

0 SSH sessions needed

All management via Telegram on mobile

3 Auto-monitoring jobs

Health, SSL, security reports on schedule

100% Actions audit-logged

Git-tracked with pre/post state verification

Security model

What the agent deliberately cannot do

The most interesting part of the design is what's missing.

Prohibited by design

  • Run arbitrary shell commands
  • Edit SSH config or firewall rules
  • Use sudo outside vetted scripts
  • Reboot the VPS automatically
  • Delete containers or backups
  • Access the Docker socket

Enforced by architecture

  • SSH restricted to internal Docker bridge
  • Each script individually whitelisted in sudoers
  • Scripts are root-owned, agent can execute not edit
  • Exact-phrase approval (no fuzzy matching)
  • Input validation via regex before execution
  • Every action git-committed to audit trail
Interested?

Ask me to walk you through it

I can show you the live Telegram interface, the audit trail, and the full security model. If you're thinking about how AI agents should interact with production infrastructure, this is a working answer.