Baseworks n8n CrewAI Architecture
ARCHIVED — 2026-03-02 This architecture has been superseded. CrewAI and OpenRouter have been replaced by Claude Code running natively on the OpenClaw VPS, authenticated via Patrick’s Claude Max account and Asia’s Claude Pro account. No API keys or OpenRouter usage going forward. See: Claude-Code-VPS-Setup
Architecture Reference
Current Status (2026-02-25)
System paused. CrewAI container stopped, all n8n workflows deactivated. Migrating from CrewAI to OpenClaw. See `Deployment-Log.md` session 2026-02-25 for full context.
Local Obsidian Git syncs (Patrick + Ksenia → GitHub) are unaffected and running normally.
System Overview
```
Patrick's Mac                      Ksenia's Mac
├── Claude Code                    ├── Claude Code
├── Claude Desktop (MCP)           ├── Claude Desktop (MCP)
├── Obsidian (vault)               ├── Obsidian (vault)
└── Browser → n8n UI               └── Browser → n8n UI
        │                                 │
        └──── both push/pull via Git ─────┘
                        │
              GitHub (private repo)
        p-oancia/baseworks-kb-shared-brain
                        │
              Hetzner VPS (xCloud)
              167.235.236.99
              baseworks-agents
              ├── n8n (Docker)
              ├── PostgreSQL (Docker)
              ├── CrewAI (Docker)
              ├── Remote MCP Server (Docker) [Phase 6]
              ├── Vault clone (/opt/baseworks-vault)
              └── NGINX + Cloudflare Origin SSL
                        │
                ┌───────┴───────┐
              Slack         claude.ai
                                │
                       ┌────────┴────────┐
                   Patrick's         Ksenia's
                   iPhone            iPhone
                   (Claude iOS)      (Claude iOS)
                                     [Phase 6]
```
Actual Server Details
| Property | Value |
|---|---|
| Provider | Hetzner via xCloud |
| Server name | baseworks-agents |
| IP | 167.235.236.99 |
| Spec | CX33 — 4 vCPU / 8 GB RAM / 80 GB SSD |
| Region | Falkenstein, DE (Central) |
| OS | Ubuntu 24.04 LTS |
| Stack | Docker 29.2.1 + Compose v5.0.2 + NGINX 1.28.1 |
| SSH | ssh patrick@167.235.236.99 (passwordless sudo) |
| Backups | Hetzner auto snapshots (daily) + Backblaze B2 (to be configured) |
Running Services
| Container | Image | Internal Port | External | Status |
|---|---|---|---|---|
| baseworks-postgres | postgres:16-alpine | 5432 | 127.0.0.1 only | Running |
| baseworks-n8n | n8nio/n8n:latest | 5678 | https://n8n.baseworks.com | Running |
| baseworks-crewai | custom build | 8000 | 127.0.0.1 only (n8n accesses via crewai:8000) | Running |
Docker Compose file: /opt/baseworks-vault/03-resources/agent-system/docker/docker-compose.yml
Environment file: /opt/baseworks-vault/03-resources/agent-system/docker/.env
DNS & SSL
| Subdomain | Record | Points to | Cloudflare Proxy | Purpose |
|---|---|---|---|---|
| n8n.baseworks.com | A | 167.235.236.99 | ON | n8n workflow UI |
| mcp.baseworks.com | A | 167.235.236.99 | (Phase 6) | Remote MCP server |
SSL: Cloudflare Origin Certificate (wildcard)
- Covers: `*.baseworks.com` and `baseworks.com`
- Expires: 2041-02-15
- Certificate: `/etc/ssl/cloudflare/baseworks.com.pem`
- Private key: `/etc/ssl/cloudflare/baseworks.com.key`
- SSL mode: Full (strict) — do NOT change (affects all Baseworks sites)
Data Flow
Vault → Agents (knowledge update)
- Patrick/Ksenia edits vault file locally
- Obsidian Git auto-commits (10 min) and pushes
- n8n “Vault Git Sync” workflow pulls every 5 min to `/opt/baseworks-vault`
- CrewAI crews read vault files as knowledge base on next execution
Note: The original root cron job for git sync was removed on 2026-02-20. The n8n Git Sync workflow is now the sole sync mechanism. This avoids root-owned files in `.git/` that would break n8n container access.
Agent → Vault (content creation)
- n8n workflow triggers CrewAI crew
- Crew produces output (draft, summary, etc.)
- n8n writes file to vault clone on VPS
- n8n commits and pushes to GitHub
- Both Macs auto-pull via Obsidian Git
Forum Post → Approved Response
- Webhook or poll detects new post → n8n
- n8n calls CrewAI Forum Response crew
- Classifier → Researcher → Drafter (sequential)
- n8n posts draft to Slack #forum-responses
- Patrick/Ksenia reviews → Approve/Edit/Reject
- On approve: n8n posts to forum, logs to vault
Content Creation Cycle
- Weekly cron (Monday 9 AM) → n8n
- n8n reads vault changes (last 7 days)
- n8n calls CrewAI Content Strategy crew
- Analyst → Strategist → Writer → Editor (sequential)
- n8n posts 3 proposals to Slack #content-strategy
- Approve/Edit/Reject per item
Memory Layers
| Layer | Location | Purpose |
|---|---|---|
| OpenMemory (Qdrant) | Patrick’s Mac | Claude Desktop conversation context |
| CrewAI memory | VPS Docker volume | Agent learning from task history |
| Obsidian vault | Everywhere (Git) | Business knowledge, the source of truth |
These are independent. The vault bridges them all.
Mobile Access (Claude iOS/Android)
Claude mobile apps support remote MCP servers added via claude.ai. This means phone conversations can interact directly with the agent infrastructure.
Mobile → Vault Workflow
| Method | How it works | Available |
|---|---|---|
| Slack #vault-inbox | Copy insight from Claude mobile → paste in Slack → auto-filed by CrewAI | After Phase 3 |
| Remote MCP Server | Claude mobile calls MCP tools directly (vault-capture, trigger-crew) | After Phase 6 |
| Conversation sync | Start on phone → continue on Claude Desktop (MCP) at computer | Now |
Remote MCP Server
A lightweight authenticated API on the VPS that exposes vault and crew operations as MCP tools. Registered on claude.ai, automatically available on all mobile devices logged into the same Anthropic account.
Endpoint: https://mcp.baseworks.com
Port Map (VPS)
| Service | Internal Port | External |
|---|---|---|
| n8n | 5678 | https://n8n.baseworks.com (NGINX) |
| CrewAI API | 8000 | 127.0.0.1 only (n8n accesses via Docker service name crewai:8000) |
| Remote MCP Server | 8001 | https://mcp.baseworks.com (NGINX) [Phase 6] |
| PostgreSQL | 5432 | 127.0.0.1 only |
Security
- UFW: Only ports 22, 80, 443 open (deny all incoming by default)
- Fail2Ban: SSH protection (active)
- SSH: Key-based only (password auth disabled), passwordless sudo for user `patrick`
- SSL: Cloudflare Origin Certificate (wildcard, expires 2041)
- Cloudflare: Proxy ON (DDoS protection, edge SSL)
- Docker: All ports bound to 127.0.0.1
- NGINX: Reverse proxy for all external access
- Unattended upgrades: Enabled (automatic security patches)
- Git: PAT-based auth (token: “Baseworks-agents-VPS”, expires ~2026-05-19)
- n8n: Username/password auth (owner: agents@baseworks.com)
Security verified after xCloud reboot on 2026-02-20 — no gaps found.
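Docker publishes ports through its own iptables rules, which UFW's deny-by-default policy does not filter, so the loopback binding in the list above is what actually keeps container ports off the internet. The following is an added example, not part of the original deployment: a Python check that flags any published port not bound to loopback. The `|`-separated `docker ps` format, the sample output and the `example-*` container names are constructed for illustration.

```python
import ipaddress
import re

# One published mapping from the Ports column of `docker ps`, for example
# "0.0.0.0:5678->5678/tcp", ":::5678->5678/tcp" or "[::]:8000-8001->8000-8001/tcp".
MAPPING = re.compile(r"^(?P<host>.+):(?P<port>[\d-]+)->[\d-]+/\w+$")

# Constructed sample of: docker ps --format "{{.Names}}|{{.Ports}}"
SAMPLE = """\
baseworks-postgres|127.0.0.1:5432->5432/tcp
baseworks-n8n|127.0.0.1:5678->5678/tcp
example-misbound|0.0.0.0:8000->8000/tcp, [::]:8000->8000/tcp
example-internal|6379/tcp
"""


def non_loopback_bindings(docker_ps_output):
    """Return (container, host_ip, host_port) for each published port not bound to loopback."""
    findings = []
    for line in docker_ps_output.splitlines():
        name, _, ports = line.partition("|")
        for entry in (p.strip() for p in ports.split(",")):
            match = MAPPING.match(entry)
            if match is None:
                continue  # e.g. "6379/tcp": exposed to Docker networks only, not published
            host = match["host"].strip("[]")
            try:
                loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                loopback = False  # unparseable host part: report it rather than skip it
            if not loopback:
                findings.append((name.strip(), host, match["port"]))
    return findings


if __name__ == "__main__":
    for container, host, port in non_loopback_bindings(SAMPLE):
        print(f"{container}: port {port} is published on {host}, not loopback")
```

Run against live `docker ps` output after any compose change or host reboot; an empty result means every published port is loopback-only and reachable externally only through NGINX.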
CrewAI Endpoints
Important: From within n8n (Docker), access CrewAI at `http://crewai:8000` (Docker service name), NOT `127.0.0.1:8000`. Localhost inside a container refers to that container only.
```
GET  /health                  — Service health check
GET  /status                  — List running tasks
POST /crews/forum-response    — Draft response to forum post
POST /crews/content-strategy  — Generate content proposals
POST /crews/research          — Research a topic using vault
POST /crews/vault-capture     — Suggest vault filing location
POST /stop                    — Kill switch (cancel all crews)
```
n8n Workflows
| # | Workflow | ID | Trigger | Uses CrewAI | Status |
|---|---|---|---|---|---|
| 01 | WordPress Monitoring | 1uUisQfjZ0TUqiM4 | Cron (6h) | No | INACTIVE — needs WP_URL + HTTP Basic Auth |
| 02 | Forum Response Pipeline | shLtsDHV6zIqySZ0 | Webhook/Poll | Yes | INACTIVE — needs FORUM_API_URL |
| 03 | Content Creation Pipeline | q1eV3z1aQs9VWh67 | Weekly (Mon 9AM) | Yes | ACTIVE |
| 04 | Kill Switch | v4T9Xu39sxR5CJnB | Slack message (via Event Router) | Yes (stop endpoint) | ACTIVE |
| 05 | Daily Vault Summary | 3QEX4wna4XMr348K | Cron (daily 8AM Berlin) | No | ACTIVE |
| 06 | Vault Capture via Slack | A0hTmPJN38HRe3Ch | Slack message (via Event Router) | Yes | ACTIVE |
| 07 | Vault Git Sync | Oh75ZJIJiIZreS06 | Cron (5min) | No | ACTIVE |
| — | Slack Event Router | fcsJFL21APR2uyV9 | Slack Event Subscriptions webhook | No | ACTIVE |
Slack Event Router
Slack only allows one Request URL per app for Event Subscriptions. The Slack Event Router workflow receives all Slack events at https://n8n.baseworks.com/webhook/slack-events and dispatches them to the correct workflow based on channel ID:
| Source Channel | Routes To |
|---|---|
| #agent-alerts (C0AGFM6AZ09) | Kill Switch |
| #vault-inbox (C0AG0MWBP5L) | Vault Capture |
The router also handles Slack’s URL verification challenge (responds with the challenge value).
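Because the router webhook is a public URL that fronts the Kill Switch and Vault Capture workflows, the routing decision should only be made after Slack's request signature has been checked. The following is an added example, not the n8n workflow itself: stand-alone Python that verifies the signature, answers the URL verification challenge and then routes by channel ID. The function names, route labels and the header dictionary shape are assumptions; the channel IDs are the two from the table above.

```python
import hashlib
import hmac
import json
import time

# Channel IDs from the routing table above; the target names are labels for this example.
ROUTES = {"C0AGFM6AZ09": "kill-switch", "C0AG0MWBP5L": "vault-capture"}
MAX_SKEW_SECONDS = 300  # refuse old timestamps so a captured request cannot be replayed later


def slack_signature(secret, timestamp, body):
    """Slack v0 scheme: HMAC-SHA256 over b'v0:<timestamp>:<raw body>'."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret.encode(), base, hashlib.sha256).hexdigest()


def route_event(secret, headers, body, now=None):
    """Return (http_status, result) for one POST to the router webhook.

    headers is assumed to be a dict keyed by the exact Slack header names.
    """
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    signature = headers.get("X-Slack-Signature", "")
    if not timestamp.isdecimal() or abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return 401, "stale or missing timestamp"
    # Check the signature over the raw bytes, in constant time, before parsing anything.
    expected = slack_signature(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return 401, "bad signature"
    try:
        payload = json.loads(body)
        kind = payload.get("type")
        event = payload.get("event") or {}
    except (ValueError, AttributeError):
        return 400, "invalid payload"
    if kind == "url_verification":
        return 200, payload.get("challenge", "")
    if kind != "event_callback" or event.get("type") != "message":
        return 200, "ignored"
    # Skip bot-authored and edited/system messages so a workflow's own
    # Slack reply in the same channel cannot re-trigger it.
    if event.get("bot_id") or event.get("subtype"):
        return 200, "ignored"
    return 200, ROUTES.get(event.get("channel"), "ignored")
```

The signing secret comes from the Slack app's settings and belongs in the same protected environment file as the other credentials, not in the workflow definition.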
Related Docs
- Baseworks-n8n-CrewAI-Deployment-Guide — Step-by-step deployment with status tracking
- Cloudflare-Access-and-MCP-Integration — Cloudflare API access via Docker MCP