All playbooks live in ~/ansible. Run from pomelo. See ansible for repo overview and secrets handling.
Launch or resume an EC2 instance by Name tag. Bootstraps the host from scratch: creates the john user, installs Claude Code, Node.js, Python deps and the Codex CLI, clones the ansible repo, deploys secrets, sets up rc.local/setdns, and updates /etc/hosts and the UDP daemon.
ansible-playbook launch_instance.yml -e "name=kelp region=eu-central-1" -e @secrets.yml
TODO: add fonts-symbola to the package install list — needed for Unicode Miscellaneous Technical block characters (e.g. ⎿ U+23BF used by Claude Code output) to render correctly in terminals.
Optional vars: instance_type, ami, spot=yes, aliases='foo bar'.
Application server provisioning. Sets up: microsocks SOCKS5 proxy, stunnel TLS wrapper, gdata-server + MCP, Apache with vhosts, Let's Encrypt certs, rc.local/setdns. All components are tagged and can be run independently.
# Full setup
ansible-playbook setup_server.yml -e "target=gravlax region=eu-north-1" -e @secrets.yml
# Single component, e.g. stunnel only
ansible-playbook setup_server.yml -e "target=gravlax region=eu-north-1" --tags stunnel
Tags: socks, stunnel, gdata, mcp, apache, certs, ports. Stunnel requires the PKI certs in ~/ssl/C/ — see ssl/pki.
Create a new EBS volume and migrate /home onto it. Creates a gp3 volume via boto3, attaches it, formats it as ext4, rsyncs /home/ across, renames the old /home to /h, and mounts the new volume permanently via fstab. Does not require secrets.
ansible-playbook add_home_disk.yml -e "target=kelp region=eu-central-1"
Promote a new instance to become an ansible controller: install ansible, deploy secrets, configure inventory. The client-side stunnel setup is not yet automated — see ssl/pki under "Setting Up a New Controller".
Rebuild /etc/hosts and the UDP daemon hosts state from live EC2 data.
Deploy WebLogic 14.1.2.0 + OpenLDAP on an EC2 host, with LDAP authenticator and Google JWT Identity Asserter. Used for the Derek project lab. Run after launch_instance.yml. Reads the WLS admin password from ~/pw (at least 8 characters, including at least one digit or special character); pass -e wls_admin_pass=<pw> to override.
Tags: weblogic, ldap, ldap-users, jwt-asserter, testapp, breakglass, aws, verify. Port 7001 is opened to the controller IP by the aws tag — connect Remote Console directly to http://<target>:7001, no SSH tunnel needed.
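An added example, not part of the playbook or these notes, showing the ~/pw handling the playbook relies on: a check of the stated password policy (at least 8 characters with a digit or special character) plus a refusal to read the file if it is group- or world-readable, so a secret in a loosely permissioned file is caught before it is pushed into a WebLogic domain. The path default and the error messages are assumptions for the example.

```python
import stat
import string
from pathlib import Path

# Characters counted as "special" for the policy check (assumption: ASCII punctuation).
SPECIALS = set(string.punctuation)


def check_wls_password(pw: str) -> bool:
    """Policy as stated in the notes: length >= 8 and at least one digit or
    special character. Returns True when the candidate satisfies it."""
    if len(pw) < 8:
        return False
    return any(ch.isdigit() or ch in SPECIALS for ch in pw)


def file_is_private(path: Path) -> bool:
    """True when no group/other permission bits are set (i.e. mode 0600 or tighter)."""
    mode = path.stat().st_mode
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def read_admin_password(path: str = "~/pw") -> str:
    """Read the admin password from ~/pw (default path is an assumption), refusing
    files that other users could read and values that fail the policy, so the
    playbook never proceeds with a weak or exposed credential."""
    p = Path(path).expanduser()
    if not file_is_private(p):
        raise PermissionError(
            f"{p} is group/world accessible (mode {stat.S_IMODE(p.stat().st_mode):04o}); chmod 600 it"
        )
    pw = p.read_text().rstrip("\n")  # the file holds one line; strip the trailing newline only
    if not check_wls_password(pw):
        raise ValueError(f"{p} does not meet the WebLogic admin password policy")
    return pw


if __name__ == "__main__":
    # Quick local check of the policy on constructed candidates (no file access).
    for candidate in ("password", "passw0rd", "pass!word", "ab1"):
        print(repr(candidate), "->", check_wls_password(candidate))
```

Run it with no arguments to see the policy applied to a few constructed candidates; call read_admin_password() from a wrapper to get the same guarantees the playbook's -e wls_admin_pass override bypasses.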
ansible-playbook deploy_weblogic_ldap.yml -e "target=reishi"
# Override WLS version (default 14.1.2.0):
ansible-playbook deploy_weblogic_ldap.yml -e "target=reishi wls_version=12.2.1.4"
Script (not a playbook) at ~/aws/awsdecomhost.py. Fully decommissions an EC2 host: terminates the instance, comments out the /etc/hosts entry via the UDP daemon, removes the host from ~/ansible/hosts.ini, clears known_hosts (by name and IP), deletes the local ~/.ssh/<name>.pem, and updates the hosts note. Key pair deletion requires a follow-up (no AWS CLI; use boto3).
python3 ~/aws/awsdecomhost.py <name> --region <region> --yes
# Delete key pair (no aws CLI; use boto3):
python3 -c "import boto3; boto3.client('ec2', region_name='<region>').delete_key_pair(KeyName='<name>'); print('done')"
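The local cleanup half of the decommission, as an added example that is not awsdecomhost.py and assumes nothing about that script's internals: prune known_hosts by both name and IP, drop the host line from hosts.ini, and comment out the /etc/hosts line rather than deleting it. The known_hosts pruning handles hashed entries (HashKnownHosts) with the HMAC-SHA1 scheme OpenSSH uses, since a plain grep for the name cannot find those; ssh-keygen -R does the same removal in one call and is the simpler choice on a real file. Clearing the IP entry matters because EC2 reuses addresses, and a stale key for a reused IP produces a host-key-mismatch warning on the next instance that people are then tempted to wave through. The inventory format (name ansible_host=...) and the sample data are constructed for the example.

```python
import base64
import hashlib
import hmac
import re


def hash_known_host(host: str, salt: bytes) -> str:
    """Build the |1|salt|hash token OpenSSH writes for hashed entries:
    hash = base64(HMAC-SHA1(key=salt, msg=hostname))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def _token_matches(token: str, targets: set) -> bool:
    """Does one comma-separated host token refer to any of the targets?"""
    if token.startswith("|1|"):
        parts = token.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        return any(hmac.compare_digest(hash_known_host(t, salt), token) for t in targets)
    m = re.fullmatch(r"\[(.+)\]:\d+", token)  # [host]:port form used for non-22 ports
    return (m.group(1) if m else token) in targets


def prune_known_hosts(text: str, name: str, ip: str):
    """Return (new_text, removed_lines); an entry goes if any host token in its
    first field matches the name or the IP. Comments and blank lines are kept."""
    targets = {name, ip}
    kept, removed = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)
            continue
        # @cert-authority / @revoked markers shift the host field right by one
        hostfield = fields[1] if fields[0].startswith("@") and len(fields) > 1 else fields[0]
        if any(_token_matches(tok, targets) for tok in hostfield.split(",")):
            removed.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


def prune_inventory(text: str, name: str) -> str:
    """Drop hosts.ini lines whose first token is the host name (e.g. 'kelp ansible_host=...')."""
    out = [line for line in text.splitlines() if not (line.split() and line.split()[0] == name)]
    return "\n".join(out) + "\n"


def comment_out_hosts_entry(text: str, name: str, ip: str) -> str:
    """Comment out (not delete) /etc/hosts lines for the host, keeping a record of the IP it had."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if tok and not tok[0].startswith("#") and (tok[0] == ip or name in tok[1:]):
            out.append("# decommissioned: " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample files; keys are placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample",
    "kelp,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekeyA",
    hash_known_host("kelp", b"0123456789abcdef0123") + " ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekeyB",
    "[kelp]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAexamplekeyC",
    "gravlax,10.0.0.9 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexamplekeyD",
])
SAMPLE_INVENTORY = "[lab]\nkelp ansible_host=10.0.0.5\ngravlax ansible_host=10.0.0.9\n"
SAMPLE_ETC_HOSTS = "127.0.0.1 localhost\n10.0.0.5 kelp kelp.lab\n10.0.0.9 gravlax\n"


if __name__ == "__main__":
    new_kh, gone = prune_known_hosts(SAMPLE_KNOWN_HOSTS, "kelp", "10.0.0.5")
    print("known_hosts entries removed:", len(gone))
    print(prune_inventory(SAMPLE_INVENTORY, "kelp"))
    print(comment_out_hosts_entry(SAMPLE_ETC_HOSTS, "kelp", "10.0.0.5"))
```

Running the block operates only on the constructed samples; to apply it, read the real files, pass the text through, and write the results back (keeping a copy of the removed known_hosts lines for the audit trail).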