Personal infrastructure playbooks for managing EC2 instances. Lives at ~/ansible on pomelo (primary controller). Uses Python 3 + boto3 + Ansible.
Host inventory at hosts.ini. Hosts follow a fungi naming scheme (kelp, gravlax, reishi, …). See aws/workspace for the companion boto3 scripts in ~/aws/.
secrets.yml is NOT in the repo and must never be pasted into these notes. It holds the ZoneEdit credentials and the OpenAI API key. Copy it to a new controller manually:
scp ~/ansible/secrets.yml <new-host>:~/ansible/secrets.yml
then lock it down on the new host (chmod 600 ~/ansible/secrets.yml) and confirm it is still covered by .gitignore there. Pass it to playbooks with -e @secrets.yml. The TLS certificates used by stunnel are kept separately; see ssl.
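Added example, not part of the ~/ansible repo: a shell preflight that refuses to run a playbook until secrets.yml has owner-only permissions and is ignored by git, plus a helper for the copy-to-new-controller step. Assumptions (not stated in the notes): the controller runs Linux (GNU stat) or macOS (BSD stat), the repo's .gitignore sits in the same directory as secrets.yml, and the function and variable names are hypothetical.

```shell
#!/usr/bin/env sh
# Added example (not the repo's own code): guard the out-of-repo secrets.yml
# before handing it to ansible-playbook with -e @secrets.yml.

# secrets_preflight FILE
# Returns 0 when FILE exists, is a regular file, is readable only by its owner
# (mode 600 or 400) and its basename is listed in the sibling .gitignore.
# Otherwise prints the first failing check to stderr and returns 1.
secrets_preflight() {
    f=$1
    dir=$(dirname "$f")
    base=$(basename "$f")

    [ -f "$f" ] || { echo "missing or not a regular file: $f" >&2; return 1; }

    # GNU stat (Linux) first, BSD stat (macOS) as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        600|400) ;;
        *) echo "mode is $mode, expected 600 or 400: $f" >&2; return 1 ;;
    esac

    # The basename must appear verbatim as an ignore pattern so it can never
    # be staged by an absent-minded `git add .`.
    if ! grep -qxF "$base" "$dir/.gitignore" 2>/dev/null; then
        echo "$base is not listed in $dir/.gitignore" >&2
        return 1
    fi
    return 0
}

# install_secrets NEWHOST [SRC]
# Copy secrets.yml to a fresh controller and set an explicit owner-only mode
# there, rather than relying on whatever mode scp carries across.
install_secrets() {
    host=$1
    src=${2:-"$HOME/ansible/secrets.yml"}
    scp "$src" "$host:~/ansible/secrets.yml" &&
    ssh "$host" 'chmod 600 ~/ansible/secrets.yml'
}

# Typical use on the controller (hypothetical playbook name):
#   secrets_preflight ~/ansible/secrets.yml && \
#       ansible-playbook playbooks/some-play.yml -e @secrets.yml
```

The grep is exact-line (-x) and fixed-string (-F), so a looser pattern such as `*.yml` in .gitignore is deliberately not accepted; list the file by name.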
ansible/playbooks — full playbook reference with usage examples and tags.
ansible/helper-scripts — files/ directory: EC2 lookup scripts, attach_home_volume.py, Apache vhost configs, uping.py.
ansible/provision-arm-host — runnable sheet: provision a new ARM host end-to-end (launch, SOCKS5/stunnel, pomelo client update, verify).
Ansible on pomelo logs every run to /var/log/ansible.log. This comes from the syslog_tasks callback enabled in ansible.cfg (callbacks_enabled = profile_tasks, timer, syslog_tasks): each task is emitted to syslog, and an rsyslog rule routes those entries to /var/log/ansible.log, which is owned by syslog:adm (so, with the usual 0640 mode, a non-root user needs to be in the adm group to read it). To watch a live run: tail -f /var/log/ansible.log.
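Added example, not a file from pomelo: the shape of the rsyslog drop-in that does the routing described above, writing the log with the syslog:adm ownership the notes mention. Assumptions: the drop-in path is hypothetical, and the match on a program name of "ansible" is a guess about what the syslog_tasks callback sets as its syslog identifier; confirm the identifier in /var/log/syslog from a real task line before relying on this filter.

```conf
# /etc/rsyslog.d/10-ansible.conf  (hypothetical path; added example)
# Route the syslog_tasks callback's entries to their own file and stop them
# from also landing in the catch-all log.
# ASSUMPTION: the callback logs with program name "ansible"; adjust to match.
if $programname == "ansible" then {
    action(type="omfile"
           file="/var/log/ansible.log"
           fileOwner="syslog"
           fileGroup="adm"
           fileCreateMode="0640")
    stop
}
```

After dropping the file in, restart rsyslog and run any playbook; the new file should appear with the stated ownership, and the same task lines should no longer be duplicated in the general syslog.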
ssl — the mutual-TLS PKI used by stunnel; cert locations and renewal procedure.
aws/workspace — awsctl, awslaunch, awsdeletehost, awsdecomhost, aws_open_port.
aws/awsctl — start/stop instances, sync UDP daemon host registry.
aws/awslaunch — idempotent instance launch by Name tag.
ansible/decom-host — runnable sheet: decommission a host end-to-end (terminate, delete key pair, remove stunnel section, restart stunnel).