refactor(ansible): rename freecad_mcp env vars and rework deployment

- Drop `FREECAD_MCP_` prefix from env vars (use `FREECAD_*`) - Update freecad_mcp port from 22032 to 22061 - Document that FreeCAD bridge is required for tool calls - Replace kottos deployment with pallas deployment
2026-05-30 09:37:56 -04:00
parent bc431a3a2a
commit acf3419450
21 changed files with 876 additions and 258 deletions
--- a/ansible/pplg/alert_rules.yml.j2
+++ b/ansible/pplg/alert_rules.yml.j2
@@ -244,6 +244,23 @@ groups:
          summary: "High log ingestion rate"
          description: "Loki is receiving logs at {{ $value | humanize }}/s which may indicate excessive logging"

+  # ============================================================================
+  # Django Application Alerts (generic — any Django app exporting the counter)
+  # ============================================================================
+  # Apps emit django_superuser_logins_total from a user_logged_in signal when
+  # the authenticating user is a superuser. The job/component labels identify
+  # which app fired; forensic detail (user, IP) is in the matching Loki line.
+  - name: django_alerts
+    rules:
+      - alert: DjangoSuperuserLogin
+        expr: increase(django_superuser_logins_total[5m]) > 0
+        for: 0m
+        labels:
+          severity: warning
+        annotations:
+          summary: "Superuser login on {{ $labels.job }}"
+          description: "A superuser account just logged in to {{ $labels.job }} (component {{ $labels.component }}). This account is rarely used — confirm it was expected. Forensic detail (user, IP) in Loki: {service=\"{{ $labels.job }}\"} |= \"event=superuser_login\"."
+
  # ============================================================================
  # Daedalus Application Alerts
  # ============================================================================
--- a/ansible/pplg/prometheus.yml.j2
+++ b/ansible/pplg/prometheus.yml.j2
@@ -68,6 +68,21 @@ scrape_configs:
        labels:
          component: web

+  # Athena — same shape as Mnemosyne: the Django container exposes /metrics
+  # (django-prometheus) proxied via nginx on the app port; a separate
+  # nginx-prometheus-exporter sidecar re-exposes the web container's
+  # stub_status in Prometheus format on the web-metrics port.
+  - job_name: 'athena'
+    metrics_path: '/metrics'
+    scrape_interval: 15s
+    static_configs:
+      - targets: ['{{ athena_app_metrics_host }}:{{ athena_app_metrics_port }}']
+        labels:
+          component: app
+      - targets: ['{{ athena_web_metrics_host }}:{{ athena_web_metrics_port }}']
+        labels:
+          component: web
+
  # Pallas — each deployment is one scrape target (registry port).
  # Pallas uses a single process-global registry, so per-agent /metrics
  # endpoints serve the same snapshot; the `agent` dimension is carried