chore(ansible): centralize third-party Docker image versions

Add centralized image version variables in group_vars/all/vars.yml for
vulnerability tracking and controlled upgrades of third-party Docker
images (casdoor, flower, grafana-mcp, gitea-mcp, neo4j, memcached,
nginx, oauth2-proxy, rabbitmq, searxng).

Update vault.yml accordingly.

docs/ouranos.md

@@ -31,6 +31,7 @@ All containers are named after moons of Uranus and resolved via the `.incus` DNS
 | **rosalind** | collaboration | Gitea, LobeChat, Nextcloud, AnythingLLM | ✔ |
 | **sycorax** | language_models | Arke LLM Proxy | ✔ |
 | **titania** | proxy_sso | HAProxy TLS termination + Casdoor SSO | ✔ |
+| **umbriel** | graph_database | Neo4j (Mnemosyne) — dedicated memory graph | ✔ |
 
 ### puck — Project Application Runtime
 
@@ -79,8 +80,20 @@ Intelligent and resourceful — the reliability of relational databases.
 Air spirit — ethereal, interconnected nature mirroring graph relationships.
 
 - Neo4j 5.26.0 (Docker)
-- HTTP API: port 25584
-- Bolt: port 25554
+- HTTP API: port 25554
+- Bolt: port 7687 (reached as `ariel.incus:7687` on the internal network)
+
+### umbriel — Graph Database (Mnemosyne)
+
+Dusky melancholy sprite from Pope's *Rape of the Lock* — keeper of the Cave of
+Spleen, naturally paired with Mnemosyne the Titan of memory. Dedicated Neo4j
+instance so Mnemosyne's `Library`/`Collection`/`Item`/`Chunk`/`Concept` labels,
+vector indexes, and schema migrations can't collide with another tenant's
+graph on Ariel.
+
+- Neo4j 5.26.0 (Docker)
+- HTTP Browser: port 25555
+- Bolt: port 7687 (reached as `umbriel.incus:7687` on the internal network)
 
 ### miranda — MCP Docker Host
 
@@ -373,6 +386,7 @@ terraform import 'incus_instance.uranian_hosts["prospero"]' ouranos/prospero,ima
 terraform import 'incus_instance.uranian_hosts["rosalind"]' ouranos/rosalind,image=75cde3e755b0e657c05f67e03a42683217b233b0339448be747845747df58644
 terraform import 'incus_instance.uranian_hosts["sycorax"]' ouranos/sycorax,image=75cde3e755b0e657c05f67e03a42683217b233b0339448be747845747df58644
 terraform import 'incus_instance.uranian_hosts["titania"]' ouranos/titania,image=75cde3e755b0e657c05f67e03a42683217b233b0339448be747845747df58644
+terraform import 'incus_instance.uranian_hosts["umbriel"]' ouranos/umbriel,image=75cde3e755b0e657c05f67e03a42683217b233b0339448be747845747df58644
 
 # Containers using questing image
 terraform import 'incus_instance.uranian_hosts["caliban"]' ouranos/caliban,image=e78dd4a406b7fa3592ed0a6048862260b3d2e50c76e32a6169930245c0a13fdf
@@ -460,7 +474,7 @@ Playbooks run in dependency order:
 | `pplg/deploy.yml` | Prospero | Full observability stack + HAProxy + OAuth2-Proxy |
 | `postgresql/deploy.yml` | Portia | PostgreSQL with all databases |
 | `postgresql_ssl/deploy.yml` | Titania | Dedicated PostgreSQL for Casdoor |
-| `neo4j/deploy.yml` | Ariel | Neo4j graph database |
+| `neo4j/deploy.yml` | Ariel, Umbriel | Neo4j graph database (Umbriel is the dedicated Mnemosyne instance) |
 | `searxng/deploy.yml` | Oberon | SearXNG privacy search |
 | `haproxy/deploy.yml` | Titania | HAProxy TLS termination and routing |
 | `casdoor/deploy.yml` | Titania | Casdoor SSO |
@@ -520,6 +534,7 @@ collect metrics & logs         storage & visualisation           notifications
 | All LLM apps | Arke (Sycorax) | `http://sycorax.incus:25540` |
 | Open WebUI, Arke, Gitea, Nextcloud, LobeChat | PostgreSQL (Portia) | `portia.incus:5432` |
 | Neo4j MCP | Neo4j (Ariel) | `ariel.incus:7687` (Bolt) |
+| Mnemosyne | Neo4j (Umbriel) | `umbriel.incus:7687` (Bolt) — dedicated tenant |
 | MCP Switchboard | Docker API (Miranda) | `tcp://miranda.incus:2375` |
 | MCP Switchboard | RabbitMQ (Oberon) | `oberon.incus:5672` |
 | Kairos, Spelunker | RabbitMQ (Oberon) | `oberon.incus:5672` |