gravlax is the application server (replacement for noodle). AWS eu-north-1, ARM t4g.small, Debian 12. Provisioned via `launch_instance.yml`, configured via `setup_server.yml`.

```
ansible-playbook setup_server.yml -e "target=gravlax region=eu-north-1" -e @secrets.yml
```

Use `--tags` to run a subset: socks, stunnel, gdata, mcp, apache, certs, ports.

| Service | Port | Notes |
|---|---|---|
| dante SOCKS5 | 1080 | loopback only, reached via stunnel |
| stunnel (socks) | 11080 | TLS wrapper for SOCKS5 |
| gdata-mcp-server REST | 8020 | notes REST API + OAuth + web UI |
| gdata-mcp-server MCP | 8023 | MCP StreamableHTTP + SSE |
| stunnel (notes) | 18021 | TLS wrapper — unused externally, kept for CLI |
| stunnel (mcp) | 18023 | TLS wrapper for MCP port |
| Apache | 80 / 443 | www / cv / webdav vhosts |

| File | Purpose |
|---|---|
| ~/ansible/setup_server.yml | Main deployment playbook |
| ~/ansible/secrets.yml | Secrets — not in git, copy manually to new controllers |
| ~/ansible/files/apache/ | Apache vhost configs |
| ~/py/gdata-server/ | gdata-mcp-server source |
| ~/ssl/C/CA/cert + key | Self-signed CA cert for stunnel mutual TLS |

| Public path | Backend |
|---|---|
| /notes/ | 127.0.0.1:8020/notes/ (JSONHTL renderer) |
| /api/ | 127.0.0.1:8020/ (REST, Basic Auth) |
| /mcp | 127.0.0.1:8023/mcp (Bearer Auth) |
| /oauth/ | 127.0.0.1:8020/oauth/ |
| /.well-known/oauth-* | 127.0.0.1:8020/.well-known/... |

`systemctl restart stunnel4` does not kill the old daemon. After a config change: `sudo pkill -f 'stunnel /etc/stunnel' && sudo stunnel /etc/stunnel/stunnel.conf`.
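
A listener audit for the service table above, as an added example that is not part of the original notes: it reads `ss -Htln` output and flags loopback-only ports bound to a non-loopback address. The page states loopback-only for 1080 alone; treating 8020 and 8023 the same way is an assumption based on Apache proxying them via 127.0.0.1, and the sample socket lines are constructed.

```shell
#!/bin/sh
# Added example: flag loopback-only services bound to a routable address.
# Page states loopback-only for 1080; 8020 and 8023 are an assumption
# (Apache proxies them via 127.0.0.1).
LOOPBACK_ONLY="1080 8020 8023"

# Reads `ss -Htln` lines on stdin; prints one EXPOSED line per violation
# and returns 1 if any were found.
audit_listeners() {
    awk -v ports="$LOOPBACK_ONLY" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # IPv6 brackets
            sub(/%.*$/, "", addr)                # interface scope, e.g. %lo
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1") next
            printf "EXPOSED port=%s bind=%s\n", port, addr
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample of `ss -Htln` output (not captured from gravlax).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:1080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:11080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8020 0.0.0.0:*
LISTEN 0 128 [::1]:8023 [::]:*
LISTEN 0 128 0.0.0.0:18023 0.0.0.0:*
LISTEN 0 511 *:443 *:*
EOF
}

sample_ss_output | audit_listeners || true
```

On the host, run `ss -Htln | audit_listeners`; a non-zero exit status means at least one loopback-only port is bound to a routable address.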