Verified working: March 2026<\/strong> on Rocky Linux 10.1 (kernel 6.12), Debian 12 (Proxmox 8.x), Nginx 1.26.3, Certbot via EPEL<\/em><\/p>\n\n\n\n The first demo shows the complete workflow: install software, configure it, set up SSL, and verify. One conversation, zero manual SSH sessions.<\/p>\n\n\n\n Open Claude Code and type:<\/p>\n\n\n\n Claude Code connects and runs the install:<\/p>\n\n\n\n Nginx 1.26.3 installs from the Rocky Linux 10 base repository:<\/p>\n\n\n\n It creates the custom landing page, starts the service, and verifies:<\/p>\n\n\n\n The service comes up clean:<\/p>\n\n\n\n For SSL, Claude Code notices certbot isn’t in the default repos, installs EPEL first, then runs certbot:<\/p>\n\n\n\n Certificate obtained successfully:<\/p>\n\n\n\n Claude Code then writes the Nginx SSL server block, reloads the config, and confirms HTTPS serves correctly. The final verification:<\/p>\n\n\n\n Returns HTTP\/2 200 with valid SSL:<\/p>\n\n\n\n The HTTPS site is live and serving over HTTP\/2 with a valid Let’s Encrypt certificate:<\/p>\n\n\n\n From zero to a fully provisioned HTTPS web server in a single Claude Code conversation. No Ansible, no Terraform, no shell script. Just a natural language description of what you need. For a deep reference on setting up Let’s Encrypt certificates on Linux<\/a>, that guide covers the manual steps this demo automated.<\/p>\n\n\n\n This demo is worth bookmarking. We break Nginx on purpose, then tell Claude Code the server is down and let it figure out the rest. No hints, no “check the config file.” Just “it’s broken, fix it.”<\/p>\n\n\n\n First, introduce a real config error by removing a semicolon from the Nginx fails:<\/p>\n\n\n\n Now tell Claude Code to diagnose it:<\/p>\n\n\n\n Claude Code runs through its own diagnostic sequence. No instructions needed.<\/p>\n\n\n\n The status reveals the failure with the exact error line:<\/p>\n\n\n\n Confirms the problem:<\/p>\n\n\n\n Claude Code reads lines around the error:<\/p>\n\n\n\n The output reveals the missing semicolon on the Line 14 has Re-validate passes:<\/p>\n\n\n\n Restart and confirm:<\/p>\n\n\n\n HTTPS verification confirms the site is back:<\/p>\n\n\n\n The entire sequence, from “it’s broken” to “it’s fixed and verified,” took about 30 seconds. Claude Code followed the same diagnostic path an experienced sysadmin would: check status, validate config, read the error, inspect the file, fix it, re-validate, restart. The difference is speed. For a full reference on managing services, see the systemctl commands guide<\/a>.<\/p>\n\n\n\n When your monitoring is down (or you don’t have monitoring yet), Claude Code can SSH into every server you own and build a health report. This demo ran against three real servers: a Rocky Linux 10 VM, and two Proxmox hypervisors running Debian 12.<\/p>\n\n\n\n Claude Code SSHes into each server sequentially and aggregates the results. Here is the real output from three production systems:<\/p>\n\n\n\n Three findings that matter:<\/p>\n\n\n\n This is the value of conversational infrastructure checks. A raw After the health check, the natural follow-up is fixing what it found. Here are real maintenance tasks Claude Code ran on the Rocky VM.<\/p>\n\n\n\n Claude Code checks the certificate and certbot config:<\/p>\n\n\n\n The output shows the full certificate status:<\/p>\n\n\n\n 89 days until expiry. Certbot installs a systemd timer for auto-renewal by default, so no manual intervention needed unless the timer is disabled.<\/p>\n\n\n\n Claude Code runs the security check:<\/p>\n\n\n\n The output shows real security patches waiting:<\/p>\n\n\n\n Kernel, glibc, curl, openssl, and systemd all have security patches pending. In a real scenario, you’d tell Claude Code “apply the security updates and schedule a reboot for tonight” and it would run Claude Code runs the port audit:<\/p>\n\n\n\n Port ownership identified:<\/p>\n\n\n\n Claude Code identifies port 9090 as After running these demos, the natural question is: why not just write an Ansible playbook?<\/p>\n\n\n\nWhat You Need<\/h2>\n\n\n\n
\n
curl -fsSL https:\/\/claude.ai\/install.sh | bash<\/code>)<\/li>\n\nProvision a Web Server from Scratch<\/h2>\n\n\n\n
SSH into 10.0.1.50 as rocky. Install Nginx, create a custom landing\npage showing the hostname and OS version, open firewall ports 80 and 443,\nset up Let's Encrypt SSL for sshdemo.computingforgeeks.com, and verify\nthe site loads over HTTPS.<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo dnf install -y nginx\"<\/code><\/pre>\n\n\n\nInstalled:\n nginx-2:1.26.3-1.el10.x86_64 nginx-core-2:1.26.3-1.el10.x86_64\n nginx-filesystem-2:1.26.3-1.el10.noarch rocky-logos-httpd-100.4-7.el10.noarch\n\nComplete!<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo systemctl enable --now nginx\"\nssh rocky@10.0.1.50 \"systemctl status nginx --no-pager\"<\/code><\/pre>\n\n\n\n\u25cf nginx.service - The nginx HTTP and reverse proxy server\n Loaded: loaded (\/usr\/lib\/systemd\/system\/nginx.service; enabled; preset: disabled)\n Active: active (running) since Fri 2026-03-27 23:08:59 UTC; 32ms ago\n Process: 4772 ExecStartPre=\/usr\/sbin\/nginx -t (code=exited, status=0\/SUCCESS)\n Process: 4774 ExecStart=\/usr\/sbin\/nginx (code=exited, status=0\/SUCCESS)\n Main PID: 4775 (nginx)\n Tasks: 2 (limit: 10852)\n Memory: 2.3M (peak: 2.8M)\n CPU: 40ms\n CGroup: \/system.slice\/nginx.service\n \u251c\u25004775 \"nginx: master process \/usr\/sbin\/nginx\"\n \u2514\u25004776 \"nginx: worker process\"<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo dnf install -y epel-release\"\nssh rocky@10.0.1.50 \"sudo dnf install -y certbot python3-certbot-nginx\"\nssh rocky@10.0.1.50 \"sudo certbot certonly --standalone -d sshdemo.computingforgeeks.com --non-interactive --agree-tos -m admin@example.com\"<\/code><\/pre>\n\n\n\nSuccessfully received certificate.\nCertificate is saved at: \/etc\/letsencrypt\/live\/sshdemo.computingforgeeks.com\/fullchain.pem\nKey is saved at: \/etc\/letsencrypt\/live\/sshdemo.computingforgeeks.com\/privkey.pem\nThis certificate expires on 2026-06-25.<\/code><\/pre>\n\n\n\ncurl -sI https:\/\/sshdemo.computingforgeeks.com\/ | head -5<\/code><\/pre>\n\n\n\nHTTP\/2 200\nserver: nginx\/1.26.3\ndate: Fri, 27 Mar 2026 23:10:59 GMT\ncontent-type: text\/html\ncontent-length: 273<\/code><\/pre>\n\n\n\n![\"Nginx](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/03\/01-nginx-https-demo.png\" "\\"\\"")
<\/figure>\n\n\n\nDiagnose and Fix a Broken Service<\/h2>\n\n\n\n
events<\/code> block:<\/p>\n\n\n\nssh rocky@10.0.1.50 \"sudo sed -i 's\/worker_connections 1024;\/worker_connections 1024\/' \/etc\/nginx\/nginx.conf\"\nssh rocky@10.0.1.50 \"sudo systemctl restart nginx\"<\/code><\/pre>\n\n\n\nJob for nginx.service failed because the control process exited with error code.\nSee \"systemctl status nginx.service\" and \"journalctl -xeu nginx.service\" for details.<\/code><\/pre>\n\n\n\nThe web server on 10.0.1.50 is down. SSH in as rocky, figure out\nwhat's wrong, fix it, and verify it's back up.<\/code><\/pre>\n\n\n\nStep 1: Check service status<\/h3>\n\n\n\n
ssh rocky@10.0.1.50 \"systemctl status nginx --no-pager\"<\/code><\/pre>\n\n\n\n\u00d7 nginx.service - The nginx HTTP and reverse proxy server\n Active: failed (Result: exit-code) since Fri 2026-03-27 23:11:46 UTC; 8s ago\n Process: 5618 ExecStartPre=\/usr\/sbin\/nginx -t (code=exited, status=1\/FAILURE)\n\nMar 27 23:11:46 test-rocky-10 nginx[5618]: nginx: [emerg] unexpected \"}\" in \/etc\/nginx\/nginx.conf:15\nMar 27 23:11:46 test-rocky-10 nginx[5618]: nginx: configuration file \/etc\/nginx\/nginx.conf test failed\nMar 27 23:11:46 test-rocky-10 systemd[1]: nginx.service: Control process exited, code=exited, status=1\/FAILURE\nMar 27 23:11:46 test-rocky-10 systemd[1]: Failed to start nginx.service<\/code><\/pre>\n\n\n\nStep 2: Validate config for the exact error<\/h3>\n\n\n\n
ssh rocky@10.0.1.50 \"sudo nginx -t\"<\/code><\/pre>\n\n\n\nnginx: [emerg] unexpected \"}\" in \/etc\/nginx\/nginx.conf:15\nnginx: configuration file \/etc\/nginx\/nginx.conf test failed<\/code><\/pre>\n\n\n\nStep 3: Inspect the broken section<\/h3>\n\n\n\n
ssh rocky@10.0.1.50 \"sed -n '10,20p' \/etc\/nginx\/nginx.conf\"<\/code><\/pre>\n\n\n\nworker_connections<\/code> directive:<\/p>\n\n\n\ninclude \/usr\/share\/nginx\/modules\/*.conf;\n\nevents {\n worker_connections 1024\n}\n\nhttp {\n log_format main '$remote_addr - $remote_user [$time_local] \"$request\" '<\/code><\/pre>\n\n\n\nworker_connections 1024<\/code> without the required trailing semicolon. The closing brace on line 15 becomes “unexpected” because Nginx is still looking for the semicolon to terminate the directive.<\/p>\n\n\n\nStep 4: Fix, re-validate, restart<\/h3>\n\n\n\n
ssh rocky@10.0.1.50 \"sudo sed -i 's\/worker_connections 1024$\/worker_connections 1024;\/' \/etc\/nginx\/nginx.conf\"<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo nginx -t\"<\/code><\/pre>\n\n\n\nnginx: the configuration file \/etc\/nginx\/nginx.conf syntax is ok\nnginx: configuration file \/etc\/nginx\/nginx.conf test is successful<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo systemctl restart nginx && systemctl is-active nginx\"<\/code><\/pre>\n\n\n\nactive<\/code><\/pre>\n\n\n\nHTTP\/2 200\nserver: nginx\/1.26.3<\/code><\/pre>\n\n\n\nMulti-Server Health Check<\/h2>\n\n\n\n
SSH into these 3 servers and give me a health report for each:\n- 10.0.1.50 (user: rocky)\n- 10.0.1.10 (user: root)\n- 10.0.1.11 (user: root)\n\nFor each server check: OS version, kernel, uptime, disk usage (flag\nanything over 50%), memory, top 5 CPU processes, any failed systemd\nservices, listening ports, and pending updates.<\/code><\/pre>\n\n\n\nServer 1: 10.0.1.50 (Rocky Linux 10.1)<\/h3>\n\n\n\n
OS: Rocky Linux 10.1 (Red Quartz)\nKernel: 6.12.0-124.8.1.el10_1.x86_64\nUptime: 5 minutes\n\nDisk: \/dev\/vda4 19G 1.4G 18G 8% \/ \u2713 OK\n\nMemory: 347Mi used \/ 1.7Gi total (20%)\nSwap: 0B used \/ 0B total\n\nTop CPU:\n rocky 12.9% systemd (user session)\n root 0.8% systemd (PID 1)\n root 0.5% sshd\n\nFailed Services: none\n\nPorts: 22 (SSH), 80 (HTTP), 443 (HTTPS), 9090 (Cockpit\/systemd)\n\nPending Updates: 81 packages (including kernel, curl, glibc security fixes)<\/code><\/pre>\n\n\n\nServer 2: 10.0.1.10 (Debian 12, Proxmox pve01)<\/h3>\n\n\n\n
OS: Debian GNU\/Linux 12 (bookworm)\nKernel: 6.8.12-13-pve\nUptime: 1 week, 4 days, 19 hours\n\nDisk: \/dev\/mapper\/pve-root 70G 39G 32G 56% \/ \u26a0 ABOVE 50%\n\nMemory: 5.6Gi used \/ 62Gi total (9%)\nSwap: 0B used \/ 8.0Gi total\n\nTop CPU:\n root 55.5% systemd\n root 3.2% sshd\n root 2.5% kvm (virtual machine)\n root 1.3% tailscaled\n\nFailed Services:\n \u26a0 zfs-import-scan.service - Import ZFS pools by device scanning (FAILED)\n\nPorts: 22, 25 (SMTP localhost), 85 (Proxmox proxy), 111 (RPC)\n\nPending Updates: 138 packages<\/code><\/pre>\n\n\n\nServer 3: 10.0.1.11 (Debian 12, Proxmox pve02)<\/h3>\n\n\n\n
OS: Debian GNU\/Linux 12 (bookworm)\nKernel: 6.8.12-13-pve\nUptime: 1 week, 6 days, 2 hours\n\nDisk: \/dev\/mapper\/pve-root 68G 35G 34G 52% \/ \u26a0 ABOVE 50%\n\nMemory: 13Gi used \/ 62Gi total (21%)\nSwap: 0B used \/ 8.0Gi total\n\nTop CPU:\n root 25.7% kvm (VM workload)\n root 23.9% kvm (VM workload)\n root 23.9% kvm (VM workload)\n root 0.9% kvm (VM workload)\n\nFailed Services: none\n\nPorts: 22, 25 (localhost), 85, 111, 3128 (Squid proxy), 8006 (Proxmox UI)\n\nPending Updates: 132 packages<\/code><\/pre>\n\n\n\nWhat Claude Code flagged<\/h3>\n\n\n\n
\n
zfs-import-scan.service<\/code>). This could mean a ZFS pool failed to import on boot, which risks data loss if not investigated<\/li>\n\ndf -h<\/code> tells you disk is at 56%. Claude Code connects that to the pending updates and suggests cleaning old kernels to free space. You can follow up: “clean old kernels on pve01 and apply the security updates” and Claude Code handles both.<\/p>\n\n\n\nAutomate Routine Maintenance<\/h2>\n\n\n\n
Check SSL certificate expiry<\/h3>\n\n\n\n
Check when the SSL certificate on 10.0.1.50 expires and whether\nauto-renewal is configured.<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo certbot certificates\"<\/code><\/pre>\n\n\n\nFound the following certs:\n Certificate Name: sshdemo.computingforgeeks.com\n Serial Number: 598c82bccd6f11aa439a5823b430c3591b8\n Key Type: ECDSA\n Domains: sshdemo.computingforgeeks.com\n Expiry Date: 2026-06-25 22:12:05+00:00 (VALID: 89 days)\n Certificate Path: \/etc\/letsencrypt\/live\/sshdemo.computingforgeeks.com\/fullchain.pem\n Private Key Path: \/etc\/letsencrypt\/live\/sshdemo.computingforgeeks.com\/privkey.pem<\/code><\/pre>\n\n\n\nAudit security updates<\/h3>\n\n\n\n
Show me the security updates available on 10.0.1.50. Don't install\nthem yet, just list what's pending.<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo dnf check-update --security\"<\/code><\/pre>\n\n\n\nbinutils.x86_64 2.41-58.el10_1.2 baseos\ncurl.x86_64 8.12.1-2.el10_1.2 baseos\nglibc.x86_64 2.39-58.el10_1.7 baseos\ngnutls.x86_64 3.8.10-3.el10_1 baseos\nkernel-core.x86_64 6.12.0-124.40.1.el10_1 baseos\nlibcurl.x86_64 8.12.1-2.el10_1.2 baseos\nopenssl-libs.x86_64 3.2.4-1.el10_1 baseos\nsystemd.x86_64 257.4-3.el10_1.2 baseos<\/code><\/pre>\n\n\n\ndnf update --security -y<\/code> followed by scheduling a reboot.<\/p>\n\n\n\nAudit open ports<\/h3>\n\n\n\n
Audit the open ports on 10.0.1.50. Identify what process owns each\nport and flag anything unexpected.<\/code><\/pre>\n\n\n\nssh rocky@10.0.1.50 \"sudo ss -tlnp\"<\/code><\/pre>\n\n\n\nState Local Address:Port Process\nLISTEN 0.0.0.0:22 sshd\nLISTEN 0.0.0.0:80 nginx (master)\nLISTEN 0.0.0.0:443 nginx (master)\nLISTEN *:9090 systemd (PID 1)<\/code><\/pre>\n\n\n\nsystemd<\/code> (PID 1), which is the Cockpit web console socket. On Rocky Linux 10, Cockpit is enabled by default. If you’re not using it, Claude Code can disable it: sudo systemctl disable --now cockpit.socket<\/code>. Knowing what’s listening on your servers is the first step of any hardening exercise. The firewalld configuration guide<\/a> covers locking down ports on RHEL systems.<\/p>\n\n\n\nWhen to Use Claude Code vs Ansible<\/h2>\n\n\n\n