From b17cdada7c1ccda0878adf11b902af1e3285f5f6 Mon Sep 17 00:00:00 2001
From: Robert Helewka
Date: Sat, 21 Mar 2026 19:42:09 +0000
Subject: [PATCH] refactor: migrate services from oberon to puck and extract oauth2-proxy role

Move searxng, openwebui, mcp_switchboard, and hass services from oberon.incus to puck.incus, consolidating service host variables accordingly. Clean up oberon to only run alloy, docker, rabbitmq, and smtp4dev.
Extract oauth2-proxy from a searxng-specific sidecar into a standalone reusable role with generic naming, supporting multiple proxy instances per host via parameterized systemd units and config directories.
Refactor searxng role to use updated templates (settings.yml.j2, limiter.toml.j2) and integrate with the new generic oauth2-proxy role.
Add Caddy reverse proxy configurations for puck-hosted services.
Move searxng_oauth2_proxy_version to global vars for consistency.
---
 ansible/inventory/group_vars/all/vars.yml | 1 +
 ansible/inventory/host_vars/oberon.incus.yml | 104 +-----------------
 .../inventory/host_vars/rosalind.incus.yml | 82 ++++++++++++++
 3 files changed, 84 insertions(+), 103 deletions(-)

diff --git a/ansible/inventory/group_vars/all/vars.yml b/ansible/inventory/group_vars/all/vars.yml
index 5525a0a..045af5b 100644
--- a/ansible/inventory/group_vars/all/vars.yml
+++ b/ansible/inventory/group_vars/all/vars.yml
@@ -38,6 +38,7 @@ rommie_rel: master
 # PyPI release version (no 'v' prefix) - https://pypi.org/project/open-webui/
 openwebui_rel: 0.8.3
 pulseaudio_module_xrdp_rel:
+searxng_oauth2_proxy_version: 7.6.0
 
 # MCP URLs
 argos_mcp_url: http://miranda.incus:25534/mcp
diff --git a/ansible/inventory/host_vars/oberon.incus.yml b/ansible/inventory/host_vars/oberon.incus.yml
index 3c599e4..20deb11 100644
--- a/ansible/inventory/host_vars/oberon.incus.yml
+++ b/ansible/inventory/host_vars/oberon.incus.yml
@@ -4,74 +4,13 @@ services:
   - alloy
   - docker
-  - rabbitmq
-  - searxng
   - smtp4dev
 
 # Alloy
 alloy_log_level: "warn"
 rabbitmq_syslog_port: 51402
-searxng_syslog_port: 51403
-
-# MCP Switchboard Configuration
-mcp_switchboard_user: mcpsb
-mcp_switchboard_group: mcpsb
-mcp_switchboard_directory: /srv/mcp_switchboard
-mcp_switchboard_port: 22785
-mcp_switchboard_docker_host: "tcp://miranda.incus:2375"
-mcp_switchboard_db_host: portia.incus
-mcp_switchboard_db_port: 5432
-mcp_switchboard_db_name: mcp_switchboard
-mcp_switchboard_db_user: mcpsb
-mcp_switchboard_db_password: "{{ vault_mcp_switchboard_db_password }}"
-mcp_switchboard_rabbitmq_host: localhost
-mcp_switchboard_rabbitmq_port: 5672
-mcp_switchboard_rabbitmq_user: rabbitmq
-mcp_switchboard_rabbitmq_password: "{{ vault_mcp_switchboard_rabbitmq_password }}"
-mcp_switchboard_secret_key: "{{ vault_mcp_switchboard_secret_key }}"
-
-# Open WebUI Configuration
-openwebui_user: openwebui
-openwebui_group: openwebui
-openwebui_directory: /srv/openwebui
-openwebui_cors_allow_origin: https://openwebui.ouranos.helu.ca
-openwebui_port: 22088
-openwebui_host: puck.incus
-openwebui_secret_key: "{{ vault_openwebui_secret_key }}"
-openwebui_enable_signup: true
-openwebui_enable_email_login: false
-
-# OAuth/OIDC Configuration (Casdoor SSO)
-openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
-openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
-openwebui_oauth_provider_name: "Casdoor"
-openwebui_oauth_provider_url: "https://id.ouranos.helu.ca/.well-known/openid-configuration"
-
-# Database Configuration
-openwebui_db_host: portia.incus
-openwebui_db_port: 5432
-openwebui_db_name: openwebui
-openwebui_db_user: openwebui
-openwebui_db_password: "{{ vault_openwebui_db_password }}"
-
-# API Keys
-openwebui_openai_api_key: "{{ vault_openwebui_openai_api_key }}"
-openwebui_anthropic_api_key: "{{ vault_openwebui_anthropic_api_key }}"
-openwebui_groq_api_key: "{{ vault_openwebui_groq_api_key }}"
-openwebui_mistral_api_key: "{{ vault_openwebui_mistral_api_key }}"
-
-# Ollama Configuration
-ollama_api_base_url: ""
-openwebui_ollama_api_key: ""
-
-# SSL Configuration
-openwebui_enable_https: false
-openwebui_ssl_cert_path: ""
-openwebui_ssl_key_path: ""
-
-# Logging
-openwebui_log_level: info
+smtp4dev_syslog_port: 51405
 
 # RabbitMQ Config
 rabbitmq_user: rabbitmq
@@ -81,33 +20,6 @@ rabbitmq_amqp_port: 5672
 rabbitmq_management_port: 25582
 rabbitmq_password: "{{ vault_rabbitmq_password }}"
 
-# Redis password
-redis_password: "{{ vault_redis_password }}"
-
-# SearXNG Configuration
-searxng_user: searxng
-searxng_group: searxng
-searxng_directory: /srv/searxng
-searxng_port: 22083
-searxng_base_url: http://oberon.incus:22083/
-searxng_instance_name: "Ouranos Search"
-searxng_secret_key: "{{ vault_searxng_secret_key }}"
-
-# SearXNG OAuth2-Proxy Sidecar
-# Note: Each host supports at most one OAuth2-Proxy sidecar instance
-# (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
-searxng_oauth2_proxy_dir: /etc/oauth2-proxy-searxng
-searxng_oauth2_proxy_version: "7.6.0"
-searxng_proxy_port: 22073
-searxng_domain: "ouranos.helu.ca"
-searxng_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
-searxng_oauth2_redirect_url: "https://searxng.ouranos.helu.ca/oauth2/callback"
-
-# OAuth2 Credentials (from vault)
-searxng_oauth2_client_id: "{{ vault_searxng_oauth2_client_id }}"
-searxng_oauth2_client_secret: "{{ vault_searxng_oauth2_client_secret }}"
-searxng_oauth2_cookie_secret: "{{ vault_searxng_oauth2_cookie_secret }}"
-
 # smtp4dev Configuration
 smtp4dev_user: smtp4dev
 smtp4dev_group: smtp4dev
@@ -115,18 +27,4 @@ smtp4dev_directory: /srv/smtp4dev
 smtp4dev_port: 22085
 smtp4dev_smtp_port: 22025
 smtp4dev_imap_port: 22045
-smtp4dev_syslog_port: 51405
-# Home Assistant Configuration
-hass_user: hass
-hass_group: hass
-hass_directory: /srv/hass
-hass_media_directory: /srv/hass/media
-hass_port: 8123
-hass_version: "2026.2.0"
-hass_db_host: portia.incus
-hass_db_port: 5432
-hass_db_name: hass
-hass_db_user: hass
-hass_db_password: "{{ vault_hass_db_password }}"
-hass_metrics_token: "{{ vault_hass_metrics_token }}"
diff --git a/ansible/inventory/host_vars/rosalind.incus.yml b/ansible/inventory/host_vars/rosalind.incus.yml
index f2dd4af..0395764 100644
--- a/ansible/inventory/host_vars/rosalind.incus.yml
+++ b/ansible/inventory/host_vars/rosalind.incus.yml
@@ -12,10 +12,12 @@ services:
   - nextcloud
   - openwebui
   - hass
+  - searxng
 
 # Alloy
 alloy_log_level: "warn"
 lobechat_syslog_port: 51461
+searxng_syslog_port: 51403
 
 # AnythingLLM Configuration
 anythingllm_user: anythingllm
@@ -99,6 +101,20 @@ gitea_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
 gitea_oauth_userinfo_url: "https://id.ouranos.helu.ca/api/userinfo"
 gitea_oauth_scopes: "openid profile email"
 
+# Home Assistant Configuration
+hass_user: hass
+hass_group: hass
+hass_directory: /srv/hass
+hass_media_directory: /srv/hass/media
+hass_port: 8123
+hass_version: "2026.2.0"
+hass_db_host: portia.incus
+hass_db_port: 5432
+hass_db_name: hass
+hass_db_user: hass
+hass_db_password: "{{ vault_hass_db_password }}"
+hass_metrics_token: "{{ vault_hass_metrics_token }}"
+
 # LobeChat Configuration
 lobechat_user: lobechat
 lobechat_group: lobechat
@@ -155,3 +171,69 @@ nextcloud_domain: nextcloud.ouranos.helu.ca
 nextcloud_instance_id: ""
 nextcloud_password_salt: ""
 nextcloud_secret: ""
+
+
+# Open WebUI Configuration
+openwebui_user: openwebui
+openwebui_group: openwebui
+openwebui_directory: /srv/openwebui
+openwebui_cors_allow_origin: https://openwebui.ouranos.helu.ca
+openwebui_port: 22088
+openwebui_host: puck.incus
+openwebui_secret_key: "{{ vault_openwebui_secret_key }}"
+openwebui_enable_signup: true
+openwebui_enable_email_login: false
+
+# OAuth/OIDC Configuration (Casdoor SSO)
+openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
+openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
+openwebui_oauth_provider_name: "Casdoor"
+openwebui_oauth_provider_url: "https://id.ouranos.helu.ca/.well-known/openid-configuration"
+
+# Database Configuration
+openwebui_db_host: portia.incus
+openwebui_db_port: 5432
+openwebui_db_name: openwebui
+openwebui_db_user: openwebui
+openwebui_db_password: "{{ vault_openwebui_db_password }}"
+
+# API Keys
+openwebui_openai_api_key: "{{ vault_openwebui_openai_api_key }}"
+openwebui_anthropic_api_key: "{{ vault_openwebui_anthropic_api_key }}"
+openwebui_groq_api_key: "{{ vault_openwebui_groq_api_key }}"
+openwebui_mistral_api_key: "{{ vault_openwebui_mistral_api_key }}"
+
+# Ollama Configuration
+ollama_api_base_url: ""
+openwebui_ollama_api_key: ""
+
+# SSL Configuration
+openwebui_enable_https: false
+openwebui_ssl_cert_path: ""
+openwebui_ssl_key_path: ""
+
+# Logging
+openwebui_log_level: info
+
+# SearXNG Configuration
+searxng_user: searxng
+searxng_group: searxng
+searxng_directory: /srv/searxng
+searxng_port: 22083
+searxng_base_url: http://rosalind.incus:22083/
+searxng_instance_name: "Ouranos Search"
+searxng_secret_key: "{{ vault_searxng_secret_key }}"
+
+# SearXNG OAuth2-Proxy Sidecar
+# Note: Each host supports at most one OAuth2-Proxy sidecar instance
+# (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
+searxng_oauth2_proxy_dir: /etc/oauth2-proxy-searxng
+searxng_proxy_port: 22073
+searxng_domain: "ouranos.helu.ca"
+searxng_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+searxng_oauth2_redirect_url: "https://searxng.ouranos.helu.ca/oauth2/callback"
+
+# OAuth2 Credentials (from vault)
+searxng_oauth2_client_id: "{{ vault_searxng_oauth2_client_id }}"
+searxng_oauth2_client_secret: "{{ vault_searxng_oauth2_client_secret }}"
+searxng_oauth2_cookie_secret: "{{ vault_searxng_oauth2_cookie_secret }}"
\ No newline at end of file
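Review bot: `+searxng_oauth2_proxy_version: 7.6.0` drops the quotes the same value carried on oberon (`"7.6.0"`); a three-part version is still a string today, but a future two-part value would parse as a float, so keep it quoted: `searxng_oauth2_proxy_version: "7.6.0"`. The description says oauth2-proxy is now a generic, multi-instance role, yet the only version variable promoted to group_vars/all keeps the searxng_ prefix; if the role reads a role-named variable, say so in a comment next to this line so the next service does not copy the searxng name. If the role fetches the oauth2-proxy binary by this version (the removed oberon comment mentions a shared /usr/local/bin/oauth2-proxy), pinning the release checksum alongside the version would let the role verify what it installs; I cannot see the role here, so treat that as a question.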
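Review bot: `-  - rabbitmq` removes RabbitMQ from oberon's services list, but the commit description says oberon keeps running rabbitmq and the `rabbitmq_*` variables (`rabbitmq_syslog_port` here and the `# RabbitMQ Config` block in the next hunk) are retained, so either the description or this deletion is wrong; if rabbitmq is meant to stay, restore `  - rabbitmq` in the list. The removed `mcp_switchboard_*` block does not reappear in any of the three files this patch touches, and it carried `mcp_switchboard_rabbitmq_host: localhost`, which only holds while switchboard and rabbitmq share a host; wherever that block is re-added it needs the rabbitmq host's name, and its vault-backed secrets should move with it rather than be re-declared in cleartext.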
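Review bot: `-redis_password: "{{ vault_redis_password }}"` is removed from oberon here but is not re-added in the SearXNG block that rosalind gains in the last hunk; if the limiter.toml.j2 template named in the description still references it, the rosalind play will stop with an undefined-variable error. Confirm whether the searxng role still needs it and, if so, add `redis_password: "{{ vault_redis_password }}"` next to `searxng_secret_key` on rosalind. If it is no longer used anywhere, the vault entry behind it can be retired too.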
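Review bot: `+  - searxng` and the rest of this patch land in `rosalind.incus.yml`, while the subject and description say the services move to puck.incus; host_vars are keyed by inventory hostname, so the file name is what Ansible acts on and the message should be corrected (or the file, if rosalind is not the intended host) before merge. `searxng_syslog_port: 51403` reuses the value just removed from oberon; that is fine provided no existing listener on rosalind already uses it, which I cannot verify from this file alone.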
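Review bot: The comment block added at `+# SearXNG OAuth2-Proxy Sidecar` still states that each host supports at most one OAuth2-Proxy sidecar instance, which contradicts the description's multi-instance role; suggest replacing the three comment lines with `# SearXNG OAuth2-Proxy (instance of the generic oauth2-proxy role; unit and config dir are per-service)` so readers do not avoid a second instance for a restriction that no longer exists. `+openwebui_host: puck.incus` is copied into rosalind's host_vars while `searxng_base_url` on the same host names rosalind.incus; if openwebui_host is where the service binds or is advertised, it looks stale and should be confirmed against the openwebui role. Minor: there are two blank lines before `# Open WebUI Configuration`, and the file now ends without a trailing newline.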