diff --git a/group_vars/shell.yml b/group_vars/shell.yml
new file mode 100644
index 0000000..6abe4d2
--- /dev/null
+++ b/group_vars/shell.yml
@@ -0,0 +1,9 @@
+---
+
+# beef up shell hosts
+dsk_size: 40
+mem_size: 4096
+num_cpus: 4
+
+firewall_in:
+  - {proto: tcp, port: 22}
diff --git a/host_vars/shell02.foo.sh.yml b/host_vars/shell02.foo.sh.yml
new file mode 100644
index 0000000..a2e3678
--- /dev/null
+++ b/host_vars/shell02.foo.sh.yml
@@ -0,0 +1,14 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+  - device: eth0
+    vlan: 102
+    ipaddr: 37.16.96.156
+    netmask: 255.255.255.240
+    proto: static
+  - device: eth1
+    vlan: 30
+    ipaddr: 172.20.30.22
+    netmask: 255.255.255.0
+    proto: static
+network_default_gateway: 37.16.96.145
diff --git a/hosts b/hosts
index 417cde8..a90914e 100644
--- a/hosts
+++ b/hosts
@@ -31,6 +31,9 @@ atl01.vultr.foo.sh
 proxy01.home.foo.sh
 proxy02.home.foo.sh
 
+[shell]
+shell02.foo.sh
+
 [static]
 static02.home.foo.sh
 
@@ -43,6 +46,7 @@ atl01.vultr.foo.sh
 [centos8:children]
 adm
 nas
+shell
 static
 vmhost
 
diff --git a/playbooks/shell.yml b/playbooks/shell.yml
new file mode 100644
index 0000000..b10b5e1
--- /dev/null
+++ b/playbooks/shell.yml
@@ -0,0 +1,23 @@
+---
+- import_playbook: "include/deploy-kvm-guest.yml myhosts=shell"
+
+- name: configure instance
+  hosts: shell
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  roles:
+    - base
+    - role: kerberos/keytab
+      principals:
+        - "host/{{ inventory_hostname }}@{{ kerberos_realm }}"
+        - "nfs/{{ inventory_hostname }}@{{ kerberos_realm }}"
+    - nfs-client
+    - kerberos/client
+    - kerberos-auth
+    - ldap/client
+    - ldap/nss
+    - autofs