docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README
including a component overview table, quick start instructions, common
Ansible operations, and links to detailed documentation. Aligns with
Red Panda Approval™ standards.

ansible/inventory/group_vars/all/auth_keys.yml

@@ -0,0 +1,36 @@
+---
+# SSH Authorized Keys Configuration
+# Manages authorized_keys files across all ubuntu hosts
+#
+# Usage:
+#   ansible-playbook ssh_keys.yml
+#
+# To override exclusive mode (remove unlisted keys):
+#   ansible-playbook ssh_keys.yml -e "ssh_exclusive_mode=true"
+
+# When true, removes any keys not in this list (use with caution!)
+ssh_exclusive_mode: false
+
+# List of users and their authorized SSH public keys
+# Each user entry requires:
+#   - name: username (must exist on target hosts)
+#   - keys: list of SSH public key strings
+#
+# Example:
+#   ssh_authorized_users:
+#     - name: robert
+#       keys:
+#         - "ssh-ed25519 AAAAC3Nza... user@host"
+#         - "ssh-rsa AAAAB3Nza... another@host"
+#     - name: deploy
+#       keys:
+#         - "ssh-ed25519 AAAAC3Nza... deploy-key"
+
+ssh_authorized_users:
+  - name: robert
+    keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0xFMMSa1SeMPbX84zJOKWHAT3HtMRuWmNA7GGKr1uw robert@Hercules"
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTcpW11Vb3w1Bi77WCAM5K9Q2vz9MW5PdBpiAIXhjn3 robert@Norma"
+  - name: harper
+    keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOVvIshMkRx1f9m2TTJ1lMHzsaBnuxZdoMFm6hmuzZzo harper@caliban"

ansible/inventory/group_vars/all/vars.yml

@@ -0,0 +1,107 @@
+# Red Panda Approved Sandbox Environment Variables
+remote_user: robert
+remote_group: robert
+deployment_environment: "agathos"
+ansible_python_interpreter: /usr/bin/python3
+
+# Incus configuration (matches terraform.tfvars)
+incus_project_name: agathos
+incus_storage_pool: default
+
+# Gitea Runner
+act_runner_version: "0.2.13"
+gitea_runner_instance_url: "https://gitea.ouranos.helu.ca"
+
+# Release versions for staging playbooks
+anythingllm_rel: master
+athena_rel: master
+athena_mcp_rel: master
+argos_rel: master
+arke_rel: master
+angelia_rel: master
+kairos_rel: master
+kairos_mcp_rel: master
+spelunker_rel: master
+mcp_switchboard_rel: master
+kernos_rel: master
+# PyPI release version (no 'v' prefix) - https://pypi.org/project/open-webui/
+openwebui_rel: 0.8.3
+
+# MCP URLs
+argos_mcp_url: http://miranda.incus:25534/mcp
+angelia_mcp_url: https://ouranos.helu.ca/mcp/
+angelia_mcp_auth: "{{ vault_angelia_mcp_auth }}"
+caliban_mcp_url: http://caliban.incus:22021/mcp
+gitea_mcp_url: http://miranda.incus:25535/mcp
+gitea_mcp_access_token: "{{ vault_gitea_mcp_access_token }}"
+github_personal_access_token: "{{ vault_github_personal_access_token }}"
+grafana_mcp_url: http://miranda.incus:25533/mcp
+huggingface_mcp_token: "{{ vault_huggingface_mcp_token }}"
+neo4j_mcp_url: http://circe.helu.ca:22034/mcp
+nike_mcp_url: http://puck.incus:22031/mcp
+korax_mcp_url: http://korax.helu.ca:22021/mcp
+rommie_mcp_url: http://caliban.incus:22031/mcp
+
+# Monitoring and Logging (internal endpoints on Prospero)
+loki_url: http://prospero.incus:3100/loki/api/v1/push
+prometheus_remote_write_url: http://prospero.incus:9090/api/v1/write
+syslog_format: "rfc3164"
+# Docker configuration
+docker_gpg_key_url: https://download.docker.com/linux/debian/gpg
+docker_gpg_key_path: /etc/apt/keyrings/docker.asc
+docker_gpg_key_checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
+
+# RabbitMQ provisioning config
+rabbitmq_vhosts:
+  - name: kairos
+  - name: spelunker
+
+rabbitmq_users:
+  - name: kairos
+    password: "{{ kairos_rabbitmq_password }}"
+    tags: []
+  - name: spelunker
+    password: "{{ spelunker_rabbitmq_password }}"
+    tags: []
+
+rabbitmq_permissions:
+  - vhost: kairos
+    user: kairos
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+  - vhost: spelunker
+    user: spelunker
+    configure_priv: .*
+    read_priv: .*
+    write_priv: .*
+
+# SMTP (smtp4dev on Oberon)
+smtp_host: oberon.incus
+smtp_port: 22025
+smtp_from: noreply@ouranos.helu.ca
+smtp_from_name: "Agathos"
+
+# Release directory paths
+github_dir: ~/gh
+repo_dir: ~/dv
+rel_dir: ~/rel
+
+# Vault Variable Mappings
+kairos_rabbitmq_password: "{{ vault_kairos_rabbitmq_password }}"
+spelunker_rabbitmq_password: "{{ vault_spelunker_rabbitmq_password }}"
+caliban_x11vnc_password: "{{ vault_caliban_x11vnc_password }}"
+grafana_service_account_token: "{{ vault_grafana_service_account_token }}"
+
+# Home Assistant
+hass_metrics_token: "{{ vault_hass_metrics_token }}"
+
+# Namecheap DNS API (for certbot DNS-01 validation)
+namecheap_username: "{{ vault_namecheap_username }}"
+namecheap_api_key: "{{ vault_namecheap_api_key }}"
+
+# OAuth2-Proxy Vault Mappings (used for SearXNG auth)
+# Note: These must be set in vault.yml after configuring Casdoor application
+# vault_oauth2_proxy_client_id: "<from-casdoor-application>"
+# vault_oauth2_proxy_client_secret: "<generate with: python3 -c 'import secrets; print(secrets.token_urlsafe(32))'>"
+# vault_oauth2_proxy_cookie_secret: "<generate with: python3 -c 'import secrets; print(secrets.token_urlsafe(32))'>"

ansible/inventory/group_vars/all/vault.yml

@@ -0,0 +1,415 @@
+$ANSIBLE_VAULT;1.1;AES256
+63343266373930636632373764653162353131386330313565656139663132373764303333623361
+3866643138386134396330643832303263346633653566330a376434643031326663383165393266
+31306366643937396161633864653962313063316133623966333863663832306437393637656335
+3061333530343639620a623663303836373633623266393932393238393338306534323062656363
+32663032333131663138623533613136376666646163346463613563656365393038363733373663
+63323138323338316534616432396636646262393461653761356664623662633962343866366234
+39313330383565623239353031366630373531623033333836316233663436346535356166623962
+65613333613634626634333064613564616462396136373939636433383162366266636331373365
+61383839666563343365393934353764633635626130363562633432643633373431373563656162
+62373236646138313636623838653065333038666364613531306637623731353565313032623765
+66306634646562643234366365643534366430306333323239656435663732333438343262316166
+65306539663363616638643036656136666432373164386636363038376263663636663662656662
+66353837636162653462626430343835306564336365373731643931353766653165363463316466
+32636431643863633531313464303937313564383636623330663061643466393734646462633236
+66643430333731623564336430363061616638356561346262326236663763316563303939393865
+36366632393034313866386234643832653861613330306337353731396537633162363934653863
+62623030366263343732336634343134383861323130366461343930353335356461353735386161
+63306364363430623136616437643765313835363834313432326439323432353463656661623139
+63313738393832323031373238333065646538303331316132636663616663326139323765333231
+38663362646664663835316164343533353663393666653865326439613431646262376566333063
+64346436363933313639326233383934623539396334363431653439303332316534646464613565
+36383031613162343362643230336634303766613536376666623335663433363035313363633065
+38373530343530336132343038323765656436306537353863326238363263626264636434393564
+35363730626434643538643136653766313966616336663666323034643461373462346466316130
+38343736323730623037393639323065616639373533333265333266366161393962303732353034
+62326534613736643335373461666139346661353335313638333339656238316136323262343330
+64396166336466646635376262323563313431393662663138323335313763623066663561653530
+66333362313833346365383666313461383434623734336336656536343633623163666664373232
+61303635646138346338653730656164303966663533643036323131323862363065323631396364
+35663433366363613962303664383032363065656139656532306162353238653464316331323166
+65373364633834633063626334343365323466383264633763306266333732653935363835623039
+33626437383138343839653539653361373032363536633734666330303131346534323333663131
+33623935663663636261313030306366326631316130363663373133616262633137356132393465
+31353464666365666333313639346439313334313861346461303663366161303038323162366564
+31313032623538353230306339383133363662323761366431366563396464663935316334613730
+65633532306132313032356630656630313135626664306138383264666430633831386661653236
+38376530343635656530326466346337623564303162373536386534626237356639333333656339
+37376630373037643830643334656461323735646438313664353961353464306431353438623631
+33646464383663373734373863383663393561633234656261353139616534646331396465653766
+37666236643363363637666463616137613932306462363035623039653532303262356363626434
+31343530333235373835363732643232373261376464363363313464306537316530306430653536
+65653563363763633737626334393735643563363730623262363265326561666563396438636637
+36363036333331373361306663613562623931303037333538363663666362616636633963386266
+34303837653032383261333037363765633234663061316231313766396637386464306430613439
+33636332343335636532333662633632663664346133353865613062343331356637323366653961
+31393733333139316462336564363761626636616561336165323830363732323035326138343364
+34316231303533353637393962316561666232636339396533666435633631313234336530336235
+33346339346237336236326330343939366163646138616237643038396136323235383737306537
+30366665316661316463633163663835353435656330633966333863356633643163313734303161
+34373231373439663937656363663662376539643739663331623239366237306365353663323937
+38646239303964633030376639363365346461333336313965636364336632626435363162366131
+37323961326330343734633430666636663633363866656466346236383631633939373531323830
+30393133646431316532333061643164313639636138636536393666343035646166363539623034
+39653932313761633664386335393635366631333334663137313662303031343462346337633238
+35363334373738313830333833613134643066356637366538326264333161366564323861343862
+63616462346535323434353363323537653163643839666534353931653262366666303236383365
+34343066373065373338666135386133366365633138346465323565313864376564343830323564
+36633261353335386438393437353238626333323539666337353932613034326534333466336431
+65353065303433613236313435353164313539353535353564653062343037306137616639323062
+34656535313133373264383236646234323366386238616563336330636632313263663861383432
+61306435653130663938663633383530356365313531393561373530396165383034373933303537
+66313732396162393266313637623063633065653463393165383864343965346136383939363531
+64663438643139336230653464313736393439326430333864353231613932393462623333386539
+38306538653633656239646364356433323530306138393863386533623636333832333534616237
+65353164383362366464623737336162326162393965646435373532373639386533386132343765
+31353230316432383038623762346164383130323264383933393236643066333166643665383164
+64663965323235643632333435663065333662376537386130313163633361613733306466333338
+65613537353133643632393661353633366631386564636136643635623534353630616337363633
+66346137326335376665383032663039373462363865356532386530396535303234333261373536
+35396137613063336362653561376235373932383465393462306138656539316336643039303864
+37393434336265376161346664393333666335343764333465313165663438643263353633633065
+36353662653566663536396565616366333631643966656632666164343030643734353230323938
+37303531326531386563623365306161396336386634383264386563323365653731323865383930
+64333738353633646366353666643461653965633037333039623366636233356365313765363031
+66373262373935306632663066656263353934343061323761366262643937396164336435636139
+37663366353165646238353239646335643333383233383237633161363762616339643632346663
+36313433643439303036386639343564643061393833663933343032663830383864306363356632
+37326135343364616264353434663234363861313066306630646366356436323939353661383563
+63363031656539626136336130633432646531653831616232643961613462393061383433653939
+62343735306435666231656563616536346639646139336361613637663931393331323138303939
+66343762363032663764336465333264353765613265373536656538666538663866336237303466
+64656534356431643236353133316435353831633339386134333839386138316661383165633166
+64323262616565303065643636383038363235633036343833303163353530666331323363623961
+35613130326330306539306161633764653138383839336466646262373433653466353236356563
+65616432663066376639663539303863396637373533623232303031336365373861366262656532
+64313163633732623030646234386133613935633134613763323536343831626135343164383734
+63646135393461333463343934333362333365363237356430306162666631333235316363376566
+64383632353736363537653434363037613931313761383866306465326433336465316633303763
+38306364613037363537343839353938326138623063323735653834313639663739323139636437
+38663665333839623736323435386332393738643466316666386631396532633865383665323965
+32373130393438656431323861383035386262353261313534646339626535393538393862366530
+34636136363165363863646538653430376236313733613830353665616262303836353338616232
+66376337633831623531613530356138666330373661646133666666316538386661386536363061
+66336332393439646231303634376364623131653536373464323233333531636238326530333539
+62653937363162646232633134646438643735653237396163396631656439366433323038323438
+36393262303664356637363739633836336631326466363639323765633839373164316139323534
+30313862316135323131633337376566656665613735613934383439306266623938356231626639
+35373934396335333138343263316538613535343162613637313239376235346539393832343939
+64306261323965613066393865663939316566366262626132616664303132616565383838353961
+66303439646565386138366533393564353762323339373366393532383935343665653035346636
+62313661636138393930346362656638333230336537336336616634383561356661366136616631
+63626264666439656439336533633362393930336535326636633436646264613866356562376234
+33616239326633643533323637323638346631613264383931373834666633346437323161303466
+36353466396633656461653432393563366231613565663335666432343838326631623861666136
+34373264383435656665616365666334373135666566363738633962393861303635363935346638
+36323761633535633131356235613462636438616431346465323862373038353530666464323064
+31356233326161633838353334353632616232343164616664396437666563393266653132313939
+65303465303137353132646163376463343563333331666637656361336538333030313736343836
+61646339643833346663396661383735626261316239636265343837393161633333616436373064
+31663635653863613638353236393666323364616535363965633136656262386166656135326363
+35373030336139343062333830363734653839633830356138316431363962356538363837306337
+64313962666261663435626236356666333834373261393165316436353936616437343035326262
+61313535666233303366376533383237316138373430636662323565646564333333333436636339
+38643731666462613533353030383535666561643637306565616232613666653435316639653362
+31333563336362373061636139373034373337343261343336613165653438393037316562643766
+30613034353133653936616562663039363533366438336638306461636533363633633166646163
+39303765393133333536643636326238363534653465313833323461656531386637323730616139
+38663830653363333732643464366235336661613732643163323232393264363637313032336230
+39373636353231386361326137613732623238613233323131613836663630633634346532633639
+32333239316365666436323565656265643661663036363163393861356138326463353862663063
+66633462636632386438613165613766653965656435313231623739393162663562393033333237
+66363162653936663637626564613063323865616163393739623437313235366662656665333063
+63353234366436333739386339636436626532303261616332643834306238633334303436353139
+30626361623637653731316539313966656538653033383362356366646233363664373566383365
+35306331366161336432613962333436666539643536623165636130326230346364323437353730
+63323866316632353261663965356431323633313234613563306135346265333431653033633430
+30303861343161636264383235656638373832626436633035343239313939626534343739303063
+65633537383935306161386262386561333862313332313639653032373965343635353063636262
+61313733323135643831353266363134326534616634616638383138373630343434623865343035
+62306165623335366434393164663631326535393965393064623133396264366138626363343234
+63383833643937356462653331633766383363336539653061636566353732353130643861396633
+64633336343263376132386134326665613762386435313665353537346238346132306232633937
+33373264333865333031353231316266376530383830626163366564343939623930376565646365
+64626564653761356230346537333037323937323066393463626137656539326565363734626231
+32373264663031343963646535653031366666623061393736393164373137613466393935623835
+34663735323439643534366263663432393433346533363333386230656237656130383731366330
+36623538343535643062346166613362333532633263316335333262346161613439353639383564
+34646338633537323035623734353933306534646438386537643166633632333365383634376431
+34336661313430383661623739386436613734373837353765313235616632366464613339353532
+32613938623038303834346337383461663963616466313666323639336130623761383133373031
+33643139373466323662616330656562303061613730646461373033363261666632613836613539
+30633539313331373366353638383661613037393137383162313037666163643566346166653761
+31633139356163663033336362393535336163313037616530633365616234393262666433616239
+38653830333063373736323238653430626530323431653133316533613836333736373966376666
+39343738663532343731316661386537336535363764343537303037653261633432363734333362
+64393239333564633837646666343933323834323336666538656665653637653338383463656661
+66643464306338636330323764363437656236383339636532353162663438646335363534626437
+34386231356161623737636436633636306636646162333537663663303532626436656430343161
+64393435656665333837333266373863376265343935666333353765363437653033323866653838
+64643039343263326166613432666365383264663165663536376433333162306265383566336266
+31626239383432333934363734666535303334616535656630323363393436626436616335396662
+32373432656632376333376630653465366336393264643462386162376134396239646439396466
+63373934336437386663633766666634626665353263343361376130333261666162393334383563
+64626436363765353963373665306131343739356539616464363234633739356233646664376566
+66363833336532633439323563316131303065616633336137336232346238656237616235333764
+39303035663635356531393936303766643834333736666461353132623233373862343264363635
+33653439613761383164346637653636653131373030656131333934396431616365353861636461
+65303432616664653534643539386431656338656663313863656138313261373062636337366637
+65643464626435333634313463623130313535653831303765306531623935313563366238363330
+64383763623131346664643461653764623565616365636662633535376366303566306261386165
+62353532663133326433303638666334616235613937623231656531656361333738323939663238
+62646130623732336332313865376136373937643533666531383332303465353438393733306562
+35326265356361346465346332623262346366306435613531303236653836353466323965316538
+30383439336431346332336332626564333530373461343738346530336562646439306636336433
+66353234663930613835393632336532373531633437666365336231643537643764373431373866
+34306565623530393934363932616164393534396334363766393132306466313338366335643638
+37626562656362393464353061373638393430366331376139643664383836613639383764393230
+38613861323536653864346635343065333734346631386231306630663639343863343033636231
+35363731626533383930313130313438656532323161633736646365353663383166383062616364
+61396631373131356134343563666466633937653766356561353437363566383161386564643333
+36303363616262663066343532336632353262633763393964616438316261343432626264616666
+62643164383234666465313961333966363933323665323730633931336538353537393239386635
+65663263376461636561383032353337346264323662373631616537653930356338656264303766
+38656239363539313961363463396139363133666134303936633061663036336538666163323664
+32613234303935353837616566373163383861336166346466646262386563373661623033623864
+35383534353866303764343661306138646265303439343036393462623163313064643433623965
+37343438636539313862626632383831636334333664636131303234383330393334663837336436
+34333032653630633336383535656666393962383863643333616264353163663939373039303337
+62323965626662613435306636363732376433343132646661396665336432653232646637353230
+65303465373137613266333130623063636566663265613435643464303961633962396334663365
+38356161656563333966623935393633326565336533613666663834363561373334363434643839
+39333765303137656362356233386366303736653031643431663138336566383264373536353234
+39326137653634373235303466363663336662653036363338663363616432393135356231656236
+64653836663033333639626533376237356163343961323539323964666239343738346230323337
+63663163666537343463623565633337393036653037656331383736393930373239333631343930
+65656663656663646235313364333062663938393537303261313032663161383535386365326662
+38643764373134336636306338323634386438396563643662393132303561666363663464616535
+62653865633736386233386630306238623563306139353038613737363031393232613934626533
+65616139656265306337663165323338316665613138336164653637373738656332376563346137
+62386161653836633732376161316562393436363536333132356136396361316534343135656334
+35626436396464663832383336313235346331626464313835646466393966613835353537663962
+61633433633134373765373839386663316266643834353533353936313633613436633530666339
+64313962383735313665393261666564656430366563633835343565316335383738653539376334
+66663334653333616464613531376562393639343765643435663835383439343230393562376532
+32323337333438323463346466356533386234303465643739663261396637646536353233326332
+61366232653232343834393765323163636432356234393766353365623636353930336163663434
+64343535383239343862653661393962643861313764636666376362653532383936626564353539
+37306133313833623361396535333235663034343264663131313061353766396365643639396663
+33396630353234336336353034636630613365613964613866313331356539623538616138623539
+39663466646638393436336438653039306166303066303761393838353861666165393035623065
+37626265646436636362613033363066326138666261353931343063363736333135366638626338
+39656466393964346565313839343036356538353464663234643164323865313764346661393066
+66663139353335393936613366383835613030616465613162653763333530653665633830643038
+35363662316566356637313463643461663833646563396635353036616330643565386239343139
+39643533313664613634326637333136626137323833326161663635623235666530303466373535
+30366234303134373733383138366462323062396362626662306234353863336337633263353637
+64613531653436393562343936666336343231383935353264313536323037356638663733376165
+38613333326263646337303630323761386439616333613566333431376638333165613966373962
+30326434663130653434373130393863386163616537343034316462343865616537313364346138
+34363535663539663630383333343836373065623030393135373531663961646661376332363834
+61363331643464323966653737613130376434666362623765386632653665373834396663613963
+63323262323363303733613731663066383261363938303563363462396238643034623437363464
+61383566623764366132386465666630623461656431326333633066303034663262343439613634
+31646662663837663161623036613631363163656364396531363235616133376633323361393535
+32636631613239353637313337643536393538363531373636336563646333333533663563623131
+62393765323432633561613338336362343665633865326130636635366534313837636362373138
+31343231353837366262393237636464313736343063313536383438366263386331393039383033
+39353536326462376263376263303835393331613562633966623763636562613364376239656635
+39363639303938373237393531373538623739626431343939363063623964343138623763616639
+31666566333966306264346263663333343139333765376135383633386137313035373239663833
+39346137333465633239353761393666653231363264383331353435393864626461333863363966
+34663062376537353133346130303330656631386164613263333933333438346132303362353031
+64393338376631343131366362643766396137346431653439323338353338396235333630313233
+36323131643837366237623333643134373666616362663464656364346436323037663135373462
+37303063303033346230373134393366376636393431666136366636383038333966356561386232
+35653766303235336334656336373339303039353935313239303838633236306433666336666664
+66653735633236343235663766383964386237666437386362626336323136393530343839383865
+39343231356164646530393439613832383364316234353733363865616439646239303231653263
+34356564316236343837386261343430323935323066633938613764613465306137653265656132
+61346633616139343430616630643333663636643731356266356530623030636538303737383462
+33373962393235636266393364336331643566366266636162613334333639626430393965343065
+34393261356164336166613063633039346165633263633336626338653762336338633033313239
+65326334653464613330346430393138356331373861656161323736376434396464376136663434
+32343461333934346534343561613530386661396562343730656630313064643766653030363239
+30313064323234316638613733613939303830323736653931393663346130323361663265396634
+62613831313837646364646363363431633033393137326136353363656637343137656539343730
+66386139356261386137613331336266623239383764306265323635383338646332636337623230
+61346462636134653133333733643231356663633032323332626136663232353964656166613763
+32386565316131316134323933353133343034666135383635396535646435396365626631306665
+61353366633865623765306663383837303037303532666135333461303334636639336665376338
+63653338313463373465323536303732303463356166393365333264623537613362656331356337
+34336564343361663039396264646566383330313739643566663861363661353263383531623632
+31616230643239386561323432356237336361333561643831373132393437323036623962343666
+36376530373938613539613734333465616133663833623635333262306138633639666236613661
+32393236653637376265633131336265633333393836663835313765666130323631343537356332
+38653238646630643535393032653263373131313335663161653264636435643135363063323135
+66636666666437326261396664616164303239333666323463373662313463656361386461636438
+30383238643336613861313265366361636664303565333732326134613537376261656639623739
+66313633633764313632663462323862356265353432306362373138393838313334656137353039
+33363933323036653561303933613832633263626562623836633030326630316363653834656166
+37326139306432636566666534343661326565343330616232393434653634306563383962376633
+62373034646139356662353139326163323439666461363937616565323639663237393939643632
+35643632666365316236633461643965303866653037623564363631383338383830346537353232
+30333262316135633639363764353866353631346430333066626564373133663630383065306233
+63653437613137326165653239343130326565313462363235353035366236346261656532626463
+38383130613861343736323961393838313337643062663939643236346531316461306432393265
+37343035346366306561343632373262393437396262306135613330303938346161663065653639
+62623133393338373966353965313265636335303733343234643466643233303561376365613137
+65633761613633336536333136336233633363376530643832333438383634316533323632393437
+62653264306335663438303963366438306463366565663739653835306638633761326562653537
+39313861663837316566393665663565333736363166613733306432353039376430306639343538
+35336531313637386666373337643265313734373532313132393961333831376637623366306436
+63376336663461393961643038353864363766653564313662343062316637373335336131653830
+38663633313861306636616231343337313064343034393062646461386137373534353638313039
+62353165613138626434636336323866396536626364393763336330343435323263663664373966
+33363865373764376231343162353038396366323136396337343536343630323963346536356535
+34613031316531356433313665653838343339643533643862376139313431643764396432323234
+31643964396234353933313032313438366663643231386233623163666233343961613838613334
+37373532646366323865636564376564386664663834663436333133383566666234303435643231
+31373264646534636335646537333565663161386437326561386530396135313939623462633031
+37366663313564346339396636343139623764653232653432666631353663333161353763646331
+31376263636366313361313138653365373165643637663134323530653030663837333637633034
+38616634393031353132343630373162393638333932376234643038643938656437303234613231
+61653832393438393330346366316163363033386636363835336436396434363663633262376130
+63363033313435643639626138636637656333633232386362353936366166323835616437393939
+36363737613134386665363963663538376137326432386265653436626233376631326236313131
+62643336613563643132363635333930323233666562353035626530316438353136663663373666
+63623030336364666632336330626630623837316535323563393231633665626166613765393938
+35303333333633346130323930643262616234313564663136643237656462653161613261396231
+38383064666635393465353634633936643639336638353163656236346666616566636664383936
+61643630326133323439653261633664363833356437613339646230383235663364323137656464
+64626364336133356562313235613235306138626436643331626662383234313363616563386335
+39393334616365343666363763653232393439656638313562346634626431353162316430343931
+38663364623463353339303064373664633536333037346461363636653162323462366263653232
+37303836343163373030373564343139366465343236306235316336333261653964383436643263
+64376632333931346433376632653733613437363934623338346439623738393064333330633936
+31343263376234386238636131663763346466303762363835303231323939643934633662663832
+35366230663237623237313731633539353661613763386438643537363835646336626461313633
+39313235313937383631646463373937353464356633643031316361356331363063393630646337
+61303036643830663763333735303534643935383731313866633863356437343962353964653163
+39623862333162353936643430643038663732356263643635353361626430353833346165633631
+64646166366231643939313164353261373036623761623433666431373230316662373536646338
+30623433383435386133323062633136663437333166366131346164316666616434396530343965
+61643962336438333936303938633536323365386137646235313230313363386561306339373831
+35333134366536653961643434333865343130636565633866366533353361633439333263616636
+37633063386439653937333861626464306163323265343338303235326234303737313365653537
+35326338653638646465376235646639313736616430353739323162373866636361646664303134
+31643830393836626431643064613733313461656437336463363536383737636230333961303466
+36646433643932613166306333346132343366386438353363386134636237323732353433346635
+34373138616664333266386233376363393239366162666534326566386164646138613638656463
+34656335623238623330616137396337353337663838643432393136316133303263376531336431
+32313335636439646664373338623465396132643965653231306634323337393036386437313366
+66373634653536646664393034316234633465363837666134636537666165343437636636363366
+35356563666539383630303562393131386539346431653031313565323665653937396339346465
+37363731303933343961396430653865656535386263386161613864636662666263323834616539
+33636565383336333437643065626532306232376461313463323530353539323062393664383535
+62303362376237313564333339353933363538363636303961663538313337333464636133626361
+61616466353730656235643139633763313733313738363662393130373330633161376266383563
+39666533336531393662393830396231633536333839646266306464366235626662386634333139
+30343536386135333336313430653136316530393939346636383363666335366266326630313261
+64336535316239646566356633366264303335356637343736373234323138366239623761653032
+31346333623238663539383035646266616635336634373730336263626262346538346137343865
+30626332666565383963356634336532663133626239343234633830366639396365613334613764
+63386364346337383962343731373633376135336531633033346666626631323736366230613036
+38636361643935346563643133386334313730396661323738323637356437356664336333366133
+66373739353533353264636235663034336234303862373732636234623965353061616135663262
+34626538316333613139653632313835313663646535643666323438333965383261663633303730
+37623631623530313330396164376465346531613361633662393338383336663233313934316132
+66616637343933353961326461336466333137633138656239656565346639386565323931316431
+39656132666430326434613032353936653335303163616539376434326365386463373539303235
+62326138623834343437326138386230313634383863613266316638383435656666373266333162
+63333166653862623461633330383131366139646666326266303962623465353238326164633937
+32626431636337343437373834336231323431626665393266353362323164383233633262663432
+66313461306666633038653365326137326563396231323734353733653639396564666137353566
+63633063343232346465373132333032633931396263363932653039633739326433613864346339
+39666332366234326434643265393338316664326532383134373366613964326638346163343838
+36303339323563396134663031386439666439346437316136326662316133366230326431643935
+32663330393564376439303965383633353336613966373566623830386331636463336336333066
+62636339383062343133366137663332343536626464323162656236336634646566356134636237
+37396562643333623530363065373230663130623735633366333437346333383466303061653333
+66376261623437343964616131383133316438393337656135633136346161333831616634633733
+33646636633035373664383930376131363334303637346438316161306132653666346439363165
+65376561303036366630316531346363303639643961376530646433653765373533616138366234
+35303130326131353961623630623538316239383330656536316364323838616461303237623966
+65633763333332646531356638613439663239313566383865396234626631383135303431656332
+35383132326166366236323839363461633766366636643832356562386332313666643636373031
+61303364303835306438653330366163656632376365383663626337613534346233313336663062
+61313764366633613063646461376436326339653465316339663461353835303562613538623239
+32386463383638366432303362636635626536343438303362383133386161393731376538336465
+64623561326163386330393833636264663833653739613962326634326233666630643936663830
+63393765356338343463653662626564613962336538373733366430643236383932633666353061
+36353632363131333364333962653239623266346439643537613031323763623833326636616461
+31383836393563373437666662643064386233643935333165313739393730336132306432326430
+61623464343664653161376332393333663764623232363938636161623539336263353539666464
+37383963643933353034626331623064643232643662613633663631356537646465376264623532
+65386430376230613730353831646661613362623235396639623035653135643333373065373234
+30326664356564656634316462333066343338653339653861383239323764623931633630616232
+64303834663338386266323064343663653534333033376364666532313830626237373033316233
+31633665363635353139366162376130653538353861666662653939613066613965383364393065
+36316633636338373535653662316239633434343833613036393934303465656635333335616133
+32313438393361366437666538326466306462336538346366643366343762653530663633633737
+35656134623237396436333437633933663761393636336135353764353631393332613336633466
+63653334646239386365343036323437616330336265643664356263313062373364666461306130
+31323435393765373131326233363530336161393430613965303366653930383565656262396232
+61353562336235343335666439383635306633313063623638343030653665383033623662336430
+34303934313365613263316533386161303034396262363130623661626235666131363665336432
+39343766333363663238313666353864353232363133653431643764653466663739346537636364
+32306335363332623534346362396362663738636561633937343232616634396237336531336139
+66313663636139323331333966373835396632383435383638373539313230626664386233643930
+32373362623933656131653362643861323733373636356266373464326136633332396337376634
+38326662316537353337636332323935323962363365376463333039316639303666336537356166
+63353837376538323266393433303864353735666432303538323730656339306532316639626233
+62636331363235323838636534666339616135333238646330646537346563393134346366346638
+36656363663563373261323566313130393235646362383463323936306131373865623161343061
+39346330643132353033313836633838303931363365303165356338333665643165366261373835
+65313232363932383438623133653330643463623734313830353334353563316163633966303834
+33393235383763373034653364323062376238623064353632346332373364333861343634313562
+35653465663763396330306534313563646261356363343637316631383732623463643662393163
+35306463663063633665366630396135346138656266376465353138396631653239363730336638
+34626461376638663961666236376136383739636264333637393964633438353665326161306437
+63353132306136303132633963616336653031323233373037636136633561613932653333636563
+33336438353065326263646432386265373363316166343931396464616165386630373530393635
+38346434343366616562376238353963306464323535313965663061386436303139373235633562
+37653966396666326533363338386639663436343637376565303032376333623566386131396230
+34653239646531613065386365626564353532356432336365653965643962333536373164303430
+30343639323136643438306438663531633235323161653237626562356430303230663832303463
+37303562373764323764383762356535633734383731666464303632633637346333646337623535
+33323632623763623836616432393231373364623163333162616365313638316162313036616539
+30336665393034303437646132353336623363663230393335633935656663366565326235363439
+36303230313564393637366434646665346665383931393462663531383131346466613563383031
+61363136303537386666353965653330336236346136356535363437366533306539653636353638
+34313835353038383533323232323730336137666430663865306461643239306362323464323264
+38336230393338363461656639393332353563366431333836363935633565383331656230316131
+63663463343266376330323130613332303534623135386639333834313264623637643634653333
+31666135626664323265663461346135366462316433643161316235363563636432616364653361
+66633661653362393139616163646264346566616337616638613861313937346664323934623435
+35306534353062323234383236343532613533336635303464383533333734353861393330383732
+61663566386333626162396666643737636164323237356533383834303930316631346237343732
+64373832303663333535366566336438636139333434633436396233383238663561396432393135
+30623434336539653732383363633164376634363766353764336431623431363537613833343632
+31646366623439373065626139353939626662333061343038313432616361306533626633653135
+63363865643739656561306331313962376536613832636137613831306431613964363434393538
+62613237356564613739666166336334643639633037623230303134623233343861383934353830
+37363861303963636535623336356132633164316339646231306230313066633536353036363839
+65396434663861636230616530386232633837303462313562353734383134353661653138623537
+31313533353331626235663163663061663631303731363565313262366535303932663239616466
+63313234356366323537653736663630633532666265326665303266623761313939643263653132
+38646634626135653737626563306362383835336361396434313062363563363439323831323566
+63626137616561646663333433363037376332643732663838306361653365383831386230643162
+34303863323638363566643733313036336233303037316430663930396565366163623539656338
+31613862336166376166356134336634636537646532313035633331343862376332333838333231
+62393838623030353338666563336533333265336231393830623264633762386237653364393030
+33336361356139396561336463663963666663616231313432313565383034643230346162653231
+66326535653235643361386135616439336434333638633664393138643765613066363963373636
+32343530613539313434363561616336643236333032643835396262373933623732303335376162
+63613663336531323137633762343832343634653638343263626662356161336163396132383439
+62383364323361373639373137393562363464656238623565343362353265663636376565616164
+33346537343366616663346263316237373666613634333763353838636663656139326636653066
+62333638623432616437306533316337356438376362303461343934623366656131623632333935
+66646130303535626565653138353137633232613131653664356466393932633762366161376430
+31643938643466306436316365613938666635366430376665336166613763386338613235356434
+36306463376233653264356363353134313663666666623039313039613039663862643663343132
+37643032666135633438313635313961333638643862616265643561346661643862353331613839
+3234656634393561653937393036376466656339323862653662

ansible/inventory/group_vars/all/vault.yml.example

@@ -0,0 +1,93 @@
+# Ansible Vault Secrets File
+# Copy to vault.yml and encrypt with: ansible-vault encrypt vault.yml
+#
+# All secrets should be prefixed with vault_ and encrypted.
+# Service variables in vars.yml or host_vars reference these with:
+#   service_password: "{{ vault_service_password }}"
+
+# PostgreSQL
+vault_postgres_password: changeme
+
+# Service Database Passwords
+vault_arke_db_password: changeme
+vault_casdoor_db_password: changeme
+vault_mcp_switchboard_db_password: changeme
+vault_openwebui_db_password: changeme
+vault_spelunker_db_password: changeme
+
+# Neo4j
+vault_neo4j_auth_password: changeme
+
+# RabbitMQ
+vault_rabbitmq_password: changeme
+vault_kairos_rabbitmq_password: changeme
+vault_spelunker_rabbitmq_password: changeme
+vault_mcp_switchboard_rabbitmq_password: changeme
+
+# Caliban
+# Note: VNC passwords are limited to 8 characters maximum
+vault_caliban_x11vnc_password: caliban
+
+# Casdoor
+vault_casdoor_auth_state: changeme
+vault_casdoor_radius_secret: changeme
+vault_casdoor_s3_endpoint: changeme
+vault_casdoor_s3_access_key: changeme
+vault_casdoor_s3_secret_key: changeme
+vault_casdoor_s3_bucket: changeme
+vault_casdoor_app_client_secret: changeme
+vault_casdoor_admin_password: changeme
+vault_casdoor_hostmaster_password: changeme
+
+# Gitea
+vault_gitea_db_password: changeme
+vault_gitea_secret_key: changeme
+vault_gitea_lfs_jwt_secret: changeme
+vault_gitea_metrics_token: changeme
+vault_gitea_oauth_client_id: changeme
+vault_gitea_oauth_client_secret: changeme
+
+# OpenWebUI
+vault_openwebui_secret_key: changeme
+vault_openwebui_openai_api_key: changeme
+vault_openwebui_anthropic_api_key: changeme
+vault_openwebui_groq_api_key: changeme
+vault_openwebui_mistral_api_key: changeme
+vault_openwebui_oauth_client_id: changeme
+vault_openwebui_oauth_client_secret: changeme
+
+# MCP Switchboard
+vault_mcp_switchboard_secret_key: changeme
+
+# SearXNG
+vault_searxng_secret_key: changeme
+
+# PgAdmin
+vault_pgadmin_email: admin@example.com
+vault_pgadmin_password: changeme
+
+# Grafana
+vault_grafana_admin_name: Admin
+vault_grafana_admin_login: admin
+vault_grafana_admin_password: changeme
+vault_grafana_viewer_name: Viewer
+vault_grafana_viewer_login: viewer
+vault_grafana_viewer_password: changeme
+
+# Pushover (Alertmanager notifications)
+vault_pushover_user_key: changeme
+vault_pushover_api_token: changeme
+
+# GitHub MCP
+vault_github_personal_access_token: changeme
+
+# MCP Authentication Tokens
+vault_angelia_mcp_auth: changeme
+vault_athena_mcp_auth: changeme
+vault_kairos_mcp_auth: changeme
+
+# Arke NTTh API Tokens
+vault_ntth_token_1_app_secret: changeme
+vault_ntth_token_2_app_secret: changeme
+vault_ntth_token_3_app_secret: changeme
+vault_ntth_token_4_app_secret: changeme

ansible/inventory/host_vars/ariel.incus.yml

@@ -0,0 +1,24 @@
+---
+# Ariel Configuration - Graph Database Host
+# Services: alloy, docker, neo4j
+
+services:
+  - alloy
+  - docker
+  - neo4j
+
+# Alloy
+alloy_log_level: "warn"
+neo4j_syslog_port: 22011
+
+# Neo4j
+neo4j_rel: master
+neo4j_version: "5.26.0"
+neo4j_user: neo4j
+neo4j_group: neo4j
+neo4j_directory: /srv/neo4j
+neo4j_auth_user: neo4j
+neo4j_auth_password: "{{ vault_neo4j_auth_password }}"
+neo4j_http_port: 25554
+neo4j_bolt_port: 7687
+neo4j_apoc_unrestricted: "apoc.*"

ansible/inventory/host_vars/caliban.incus.yml

@@ -0,0 +1,23 @@
+---
+# Caliban Configuration - Agent Automation Host
+# Services: caliban (Agent S), alloy, docker, kernos
+
+services:
+  - alloy
+  - caliban
+  - docker
+  - kernos
+
+# Alloy
+alloy_log_level: "warn"
+
+# Kernos MCP Shell Server Configuration
+kernos_user: harper
+kernos_group: harper
+kernos_directory: /srv/kernos
+kernos_port: 22021
+kernos_host: "0.0.0.0"
+kernos_log_level: INFO
+kernos_log_format: json
+kernos_environment: sandbox
+kernos_allow_commands: "apt,awk,base64,bash,cat,chmod,cp,curl,cut,date,dd,df,dig,dmesg,du,echo,env,file,find,free,git,grep,gunzip,gzip,head,host,hostname,id,jq,kill,less,ln,ls,lsblk,lspci,lsusb,make,mkdir,mv,nc,node,nohup,npm,npx,ping,pip,pkill,pnpm,printenv,ps,pwd,python3,rm,rsync,run-captured,scp,sed,sleep,sort,source,ssh,ssh-keygen,ssh-keyscan,stat,sudo,tail,tar,tee,timeout,touch,tr,tree,uname,uniq,unzip,uptime,wc,wget,which,whoami,xargs,xz,zip"

ansible/inventory/host_vars/korax.helu.ca.yml

@@ -0,0 +1,20 @@
+---
+# Korax Configuration
+# Services: alloy, kernos
+
+services:
+  - alloy
+  - kernos
+
+# Alloy
+alloy_log_level: "warn"
+# Kernos MCP Shell Server Configuration
+kernos_user: harper
+kernos_group: harper
+kernos_directory: /srv/kernos
+kernos_port: 22021
+kernos_host: "0.0.0.0"
+kernos_log_level: INFO
+kernos_log_format: json
+kernos_environment: sandbox
+kernos_allow_commands: "apt,awk,base64,bash,cat,chmod,cp,curl,cut,date,dd,df,dig,dmesg,du,echo,env,file,find,free,git,grep,gunzip,gzip,head,host,hostname,id,jq,kill,less,ln,ls,lsblk,lspci,lsusb,make,mkdir,mv,nc,node,nohup,npm,npx,ping,pip,pkill,pnpm,printenv,ps,pwd,python3,rm,rsync,run-captured,scp,sed,sleep,sort,source,ssh,ssh-keygen,ssh-keyscan,stat,sudo,tail,tar,tee,timeout,touch,tr,tree,uname,uniq,unzip,uptime,wc,wget,which,whoami,xargs,xz,zip"

ansible/inventory/host_vars/miranda.incus.yml

@@ -0,0 +1,74 @@
+---
+# Miranda Configuration - MCP Docker Host
+# Services: alloy, argos, docker, mcpo, neo4j_mcp
+
+services:
+  - alloy
+  - argos
+  - docker
+  - gitea_mcp
+  - grafana_mcp
+  - mcpo
+  - neo4j_mcp
+
+# Alloy
+alloy_log_level: "warn"
+argos_syslog_port: 51434
+neo4j_cypher_syslog_port: 51431
+grafana_mcp_syslog_port: 51433
+gitea_mcp_syslog_port: 51435
+
+# Argos MCP Configuration
+argos_user: argos
+argos_group: argos
+argos_directory: /srv/argos
+argos_port: 25534
+argos_log_level: INFO
+argos_searxng_instances: http://oberon.incus:22083/
+argos_cache_ttl: 300
+argos_max_results: 10
+argos_request_timeout: 30.0
+argos_health_check_timeout: 5.0
+argos_kvdb_host: localhost
+argos_kvdb_port: 11211
+argos_kvdb_prefix: argos
+argos_enable_startup_health_check: true
+
+# Docker API Configuration
+docker_api_enabled: true
+docker_api_port: 2375
+docker_api_host: "0.0.0.0"
+
+# Neo4j MCP Config
+neo4j_mcp_user: neo4j_mcp
+neo4j_mcp_group: neo4j_mcp
+neo4j_mcp_directory: /srv/neo4j_mcp
+
+# Grafana MCP Config
+grafana_mcp_user: grafana_mcp
+grafana_mcp_group: grafana_mcp
+grafana_mcp_directory: /srv/grafana_mcp
+grafana_mcp_port: 25533
+grafana_mcp_grafana_host: prospero.incus
+grafana_mcp_grafana_port: 3000
+grafana_service_account_token: "{{ vault_grafana_service_account_token }}"
+
+# Gitea MCP Config
+gitea_mcp_user: gitea_mcp
+gitea_mcp_group: gitea_mcp
+gitea_mcp_directory: /srv/gitea_mcp
+gitea_mcp_port: 25535
+gitea_mcp_host: https://gitea.ouranos.helu.ca
+gitea_mcp_access_token: "{{ vault_gitea_mcp_access_token }}"
+
+# Neo4j Cypher MCP
+neo4j_host: ariel.incus
+neo4j_bolt_port: 7687
+neo4j_auth_password: "{{ vault_neo4j_auth_password }}"
+neo4j_cypher_mcp_port: 25531
+
+# MCPO Config
+mcpo_user: mcpo
+mcpo_group: mcpo
+mcpo_directory: /srv/mcpo
+mcpo_port: 25530

ansible/inventory/host_vars/oberon.incus.yml

@@ -0,0 +1,134 @@
+---
+# Oberon Configuration
+
+services:
+  - alloy
+  - docker
+  - hass
+  - mcp_switchboard
+  - openwebui
+  - rabbitmq
+  - searxng
+  - smtp4dev
+
+# Alloy
+alloy_log_level: "warn"
+rabbitmq_syslog_port: 51402
+searxng_syslog_port: 51403
+
+# MCP Switchboard Configuration
+mcp_switchboard_user: mcpsb
+mcp_switchboard_group: mcpsb
+mcp_switchboard_directory: /srv/mcp_switchboard
+mcp_switchboard_port: 22785
+mcp_switchboard_docker_host: "tcp://miranda.incus:2375"
+mcp_switchboard_db_host: portia.incus
+mcp_switchboard_db_port: 5432
+mcp_switchboard_db_name: mcp_switchboard
+mcp_switchboard_db_user: mcpsb
+mcp_switchboard_db_password: "{{ vault_mcp_switchboard_db_password }}"
+mcp_switchboard_rabbitmq_host: localhost
+mcp_switchboard_rabbitmq_port: 5672
+mcp_switchboard_rabbitmq_user: rabbitmq
+mcp_switchboard_rabbitmq_password: "{{ vault_mcp_switchboard_rabbitmq_password }}"
+mcp_switchboard_secret_key: "{{ vault_mcp_switchboard_secret_key }}"
+
+# Open WebUI Configuration
+openwebui_user: openwebui
+openwebui_group: openwebui
+openwebui_directory: /srv/openwebui
+openwebui_cors_allow_origin: https://openwebui.ouranos.helu.ca
+openwebui_port: 22088
+openwebui_host: puck.incus
+openwebui_secret_key: "{{ vault_openwebui_secret_key }}"
+openwebui_enable_signup: true
+openwebui_enable_email_login: false
+
+# OAuth/OIDC Configuration (Casdoor SSO)
+openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
+openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
+openwebui_oauth_provider_name: "Casdoor"
+openwebui_oauth_provider_url: "https://id.ouranos.helu.ca/.well-known/openid-configuration"
+
+# Database Configuration
+openwebui_db_host: portia.incus
+openwebui_db_port: 5432
+openwebui_db_name: openwebui
+openwebui_db_user: openwebui
+openwebui_db_password: "{{ vault_openwebui_db_password }}"
+
+# API Keys
+openwebui_openai_api_key: "{{ vault_openwebui_openai_api_key }}"
+openwebui_anthropic_api_key: "{{ vault_openwebui_anthropic_api_key }}"
+openwebui_groq_api_key: "{{ vault_openwebui_groq_api_key }}"
+openwebui_mistral_api_key: "{{ vault_openwebui_mistral_api_key }}"
+
+# Ollama Configuration
+ollama_api_base_url: ""
+openwebui_ollama_api_key: ""
+
+# SSL Configuration
+openwebui_enable_https: false
+openwebui_ssl_cert_path: ""
+openwebui_ssl_key_path: ""
+
+# Logging
+openwebui_log_level: info
+
+# RabbitMQ Config
+rabbitmq_user: rabbitmq
+rabbitmq_group: rabbitmq
+rabbitmq_directory: /srv/rabbitmq
+rabbitmq_amqp_port: 5672
+rabbitmq_management_port: 25582
+rabbitmq_password: "{{ vault_rabbitmq_password }}"
+
+# Redis password
+redis_password: "{{ vault_redis_password }}"
+
+# SearXNG Configuration
+searxng_user: searxng
+searxng_group: searxng
+searxng_directory: /srv/searxng
+searxng_port: 22083
+searxng_base_url: http://oberon.incus:22083/
+searxng_instance_name: "Agathos Search"
+searxng_secret_key: "{{ vault_searxng_secret_key }}"
+
+# SearXNG OAuth2-Proxy Sidecar
+# Note: Each host supports at most one OAuth2-Proxy sidecar instance
+# (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
+searxng_oauth2_proxy_dir: /etc/oauth2-proxy-searxng
+searxng_oauth2_proxy_version: "7.6.0"
+searxng_proxy_port: 22073
+searxng_domain: "ouranos.helu.ca"
+searxng_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+searxng_oauth2_redirect_url: "https://searxng.ouranos.helu.ca/oauth2/callback"
+
+# OAuth2 Credentials (from vault)
+searxng_oauth2_client_id: "{{ vault_searxng_oauth2_client_id }}"
+searxng_oauth2_client_secret: "{{ vault_searxng_oauth2_client_secret }}"
+searxng_oauth2_cookie_secret: "{{ vault_searxng_oauth2_cookie_secret }}"
+
+# smtp4dev Configuration
+smtp4dev_user: smtp4dev
+smtp4dev_group: smtp4dev
+smtp4dev_directory: /srv/smtp4dev
+smtp4dev_port: 22085
+smtp4dev_smtp_port: 22025
+smtp4dev_imap_port: 22045
+smtp4dev_syslog_port: 51405
+
+# Home Assistant Configuration
+hass_user: hass
+hass_group: hass
+hass_directory: /srv/hass
+hass_media_directory: /srv/hass/media
+hass_port: 8123
+hass_version: "2026.2.0"
+hass_db_host: portia.incus
+hass_db_port: 5432
+hass_db_name: hass
+hass_db_user: hass
+hass_db_password: "{{ vault_hass_db_password }}"
+hass_metrics_token: "{{ vault_hass_metrics_token }}"

ansible/inventory/host_vars/portia.incus.yml

@@ -0,0 +1,48 @@
+---
+# Portia Configuration - Relational Database Host
+# Services: alloy, postgresql
+# Note: PgAdmin moved to Prospero (PPLG stack)
+
+services:
+  - alloy
+  - postgresql
+
+# Alloy
+alloy_log_level: "warn"
+
+# PostgreSQL Config
+postgres_user: postgres
+postgres_group: postgres
+postgresql_port: 5432
+postgresql_data_dir: /var/lib/postgresql
+arke_db_name: arke
+arke_db_user: arke
+arke_db_password: "{{ vault_arke_db_password }}"
+anythingllm_db_name: anythingllm
+anythingllm_db_user: anythingllm
+anythingllm_db_password: "{{ vault_anythingllm_db_password }}"
+# Note: Casdoor uses dedicated PostgreSQL on Titania (not Portia)
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password: "{{ vault_gitea_db_password }}"
+lobechat_db_name: lobechat
+lobechat_db_user: lobechat
+lobechat_db_password: "{{ vault_lobechat_db_password }}"
+nextcloud_db_name: nextcloud
+nextcloud_db_user: nextcloud
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
+openwebui_db_name: openwebui
+openwebui_db_user: openwebui
+openwebui_db_password: "{{ vault_openwebui_db_password }}"
+spelunker_db_name: spelunker
+spelunker_db_user: spelunker
+spelunker_db_password: "{{ vault_spelunker_db_password }}"
+hass_db_name: hass
+hass_db_user: hass
+hass_db_password: "{{ vault_hass_db_password }}"
+nike_db_name: nike
+nike_db_user: nike
+nike_db_password: "{{ vault_nike_db_password }}"
+
+# PostgreSQL admin password
+postgres_password: "{{ vault_postgres_password }}"

ansible/inventory/host_vars/prospero.incus.yml

@@ -0,0 +1,141 @@
+---
+# Prospero Configuration - PPLG Observability & Admin Stack
+# Services: pplg (PgAdmin, Prometheus, Loki, Grafana + HAProxy + OAuth2-Proxy)
+
+services:
+  - alloy
+  - pplg
+
+# Alloy
+alloy_log_level: "warn"
+
+# ============================================================================
+# PPLG HAProxy Configuration
+# ============================================================================
+
+pplg_haproxy_user: haproxy
+pplg_haproxy_group: haproxy
+pplg_haproxy_uid: 800
+pplg_haproxy_gid: 800
+pplg_haproxy_domain: "ouranos.helu.ca"
+pplg_haproxy_cert_path: /etc/haproxy/certs/ouranos.pem
+pplg_haproxy_stats_port: 8404
+pplg_haproxy_syslog_port: 51405
+
+# ============================================================================
+# Grafana
+# ============================================================================
+
+# Grafana Datasources
+prometheus_datasource_name: Prospero-Prometheus
+prometheus_host: prospero.incus
+prometheus_port: 9090
+prometheus_datasource_uid: prospero-prometheus
+loki_datasource_name: Prospero-Loki
+loki_host: prospero.incus
+loki_port: 3100
+loki_datasource_uid: prospero-loki
+
+# Grafana Users
+grafana_admin_name: "{{ vault_grafana_admin_name }}"
+grafana_admin_login: "{{ vault_grafana_admin_login }}"
+grafana_admin_password: "{{ vault_grafana_admin_password }}"
+grafana_viewer_name: "{{ vault_grafana_viewer_name }}"
+grafana_viewer_login: "{{ vault_grafana_viewer_login }}"
+grafana_viewer_password: "{{ vault_grafana_viewer_password }}"
+
+# Grafana OAuth (Casdoor SSO)
+grafana_oauth_enabled: true
+grafana_oauth_name: "Casdoor"
+grafana_oauth_client_id: "{{ vault_grafana_oauth_client_id }}"
+grafana_oauth_client_secret: "{{ vault_grafana_oauth_client_secret }}"
+grafana_oauth_auth_url: "https://id.ouranos.helu.ca/login/oauth/authorize"
+grafana_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
+grafana_oauth_api_url: "https://id.ouranos.helu.ca/api/userinfo"
+grafana_oauth_scopes: "openid profile email"
+grafana_root_url: "https://grafana.ouranos.helu.ca"
+grafana_oauth_allow_sign_up: true
+grafana_oauth_skip_tls_verify: false
+
+# ============================================================================
+# Prometheus
+# ============================================================================
+
+prometheus_user: prometheus
+prometheus_group: prometheus
+prometheus_scrape_interval: 15s
+prometheus_evaluation_interval: 15s
+alertmanager_host: prospero.incus
+alertmanager_port: 9093
+loki_metrics_port: 3100
+prometheus_targets:
+  - 'oberon.incus:9100'
+  - 'portia.incus:9100'
+  - 'ariel.incus:9100'
+  - 'puck.incus:9100'
+  - 'puck.incus:25571'
+  - 'miranda.incus:9100'
+  - 'sycorax.incus:9100'
+  - 'prospero.incus:9100'
+  - 'rosalind.incus:9100'
+
+# Prometheus OAuth2-Proxy Sidecar
+prometheus_proxy_port: 9091
+prometheus_oauth2_proxy_dir: /etc/oauth2-proxy-prometheus
+prometheus_oauth2_proxy_version: "7.6.0"
+prometheus_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+prometheus_oauth2_client_id: "{{ vault_prometheus_oauth2_client_id }}"
+prometheus_oauth2_client_secret: "{{ vault_prometheus_oauth2_client_secret }}"
+prometheus_oauth2_cookie_secret: "{{ vault_prometheus_oauth2_cookie_secret }}"
+
+# ============================================================================
+# Alertmanager
+# ============================================================================
+
+alertmanager_user: prometheus
+alertmanager_group: prometheus
+alertmanager_resolve_timeout: 5m
+alertmanager_group_wait: 30s
+alertmanager_group_interval: 5m
+alertmanager_repeat_interval: 4h
+pushover_user_key: "{{ vault_pushover_user_key }}"
+pushover_api_token: "{{ vault_pushover_api_token }}"
+pushover_priority: 1
+pushover_retry: 30
+pushover_expire: 3600
+
+# ============================================================================
+# Loki
+# ============================================================================
+
+loki_user: loki
+loki_group: loki
+loki_data_dir: /var/lib/loki
+loki_config_dir: /etc/loki
+loki_config_file: config.yml
+loki_grpc_port: 9096
+
+# ============================================================================
+# PgAdmin (Gunicorn - no Apache)
+# ============================================================================
+
+pgadmin_user: pgadmin
+pgadmin_group: pgadmin
+pgadmin_port: 5050
+pgadmin_data_dir: /var/lib/pgadmin
+pgadmin_log_dir: /var/log/pgadmin
+pgadmin_email: "{{ vault_pgadmin_email }}"
+pgadmin_password: "{{ vault_pgadmin_password }}"
+
+# PgAdmin OAuth (Casdoor SSO)
+pgadmin_oauth_client_id: "{{ vault_pgadmin_oauth_client_id }}"
+pgadmin_oauth_client_secret: "{{ vault_pgadmin_oauth_client_secret }}"
+
+# ============================================================================
+# Casdoor Metrics (for Prometheus scraping)
+# ============================================================================
+
+casdoor_metrics_host: "titania.incus"
+casdoor_metrics_port: 22081
+casdoor_prometheus_access_key: "{{ vault_casdoor_prometheus_access_key }}"
+casdoor_prometheus_access_secret: "{{ vault_casdoor_prometheus_access_secret }}"

ansible/inventory/host_vars/puck.incus.yml

@@ -0,0 +1,46 @@
+---
+# Puck Configuration - Application Runtime
+# Services: alloy, docker, lxqt, jupyterlab
+
+services:
+  - alloy
+  - docker
+  - gitea_runner
+  - jupyterlab
+
+# Gitea Runner
+gitea_runner_name: "puck-runner"
+
+# Alloy
+alloy_log_level: "warn"
+angelia_syslog_port: 51421
+sagittarius_syslog_port: 51431
+athena_syslog_port: 51441
+kairos_syslog_port: 51451
+icarlos_syslog_port: 51461
+spelunker_syslog_port: 51481
+jupyterlab_syslog_port: 51491
+
+# =============================================================================
+# JupyterLab Configuration
+# =============================================================================
+jupyterlab_user: robert
+jupyterlab_group: robert
+jupyterlab_notebook_dir: /home/robert
+jupyterlab_venv_dir: /home/robert/env/jupyter
+
+# Ports
+jupyterlab_port: 22081           # JupyterLab (localhost only)
+jupyterlab_proxy_port: 22071     # OAuth2-Proxy (exposed to HAProxy)
+
+# OAuth2-Proxy Configuration
+jupyterlab_oauth2_proxy_dir: /etc/oauth2-proxy-jupyter
+jupyterlab_oauth2_proxy_version: "7.6.0"
+jupyterlab_domain: "ouranos.helu.ca"
+jupyterlab_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+jupyterlab_oauth2_redirect_url: "https://jupyterlab.ouranos.helu.ca/oauth2/callback"
+
+# OAuth2 Credentials (from vault)
+jupyterlab_oauth_client_id: "{{ vault_jupyterlab_oauth_client_id }}"
+jupyterlab_oauth_client_secret: "{{ vault_jupyterlab_oauth_client_secret }}"
+jupyterlab_oauth2_cookie_secret: "{{ vault_jupyterlab_oauth2_cookie_secret }}"

ansible/inventory/host_vars/rosalind.incus.yml

@@ -0,0 +1,155 @@
+---
+# Rosalind Configuration - GO, Node.js, PHP Apps
+# Services: alloy, gitea, lobechat, nextcloud
+
+services:
+  - alloy
+  - anythingllm
+  - docker
+  - gitea
+  - lobechat
+  - memcached
+  - nextcloud
+
+# Alloy
+alloy_log_level: "warn"
+lobechat_syslog_port: 51461
+
+# AnythingLLM Configuration
+anythingllm_user: anythingllm
+anythingllm_group: anythingllm
+anythingllm_directory: /srv/anythingllm
+anythingllm_port: 22084
+
+# AnythingLLM Database (Portia PostgreSQL)
+anythingllm_db_host: portia.incus
+anythingllm_db_port: 5432
+anythingllm_db_name: anythingllm
+anythingllm_db_user: anythingllm
+anythingllm_db_password: "{{ vault_anythingllm_db_password }}"
+
+# AnythingLLM Security
+anythingllm_jwt_secret: "{{ vault_anythingllm_jwt_secret }}"
+anythingllm_sig_key: "{{ vault_anythingllm_sig_key }}"
+anythingllm_sig_salt: "{{ vault_anythingllm_sig_salt }}"
+
+# AnythingLLM LLM Provider (Generic OpenAI / llama-cpp)
+anythingllm_llm_base_url: "http://nyx.helu.ca:25540/v1"
+anythingllm_llm_model: "global.anthropic.claude-opus-4-6-v1"
+anythingllm_llm_token_limit: 200000
+anythingllm_llm_api_key: "ak_WX_7paeOky041GeX7MtQ51gam4lJsff3ghlClwdcbiI"
+
+# AnythingLLM Embedding
+anythingllm_embedding_engine: "generic-openai"
+anythingllm_embedding_model: "Qwen3-Embedding-0.6B-Q8_0"
+
+# AnythingLLM TTS (FastKokoro)
+anythingllm_tts_provider: "openai"
+anythingllm_tts_api_key: "not-needed"
+anythingllm_tts_endpoint: "http://pan.helu.ca:22070/v1"
+anythingllm_tts_model: "kokoro"
+anythingllm_tts_voice: "am_echo"
+
+# Gitea User and Directories
+gitea_user: git
+gitea_group: git
+gitea_home_dir: /srv/git
+gitea_work_dir: /var/lib/gitea
+gitea_data_dir: /var/lib/gitea/data
+gitea_lfs_dir: /var/lib/gitea/data/lfs
+gitea_repo_root: /mnt/dv
+gitea_config_file: /etc/gitea/app.ini
+# Ports
+gitea_web_port: 22082
+gitea_ssh_port: 22022
+gitea_metrics_port: 22092
+# Network
+gitea_domain: ouranos.helu.ca
+gitea_root_url: https://gitea.ouranos.helu.ca/
+# Database Configuration
+gitea_db_type: postgres
+gitea_db_host: portia.incus
+gitea_db_port: 5432
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password: "{{vault_gitea_db_password}}"
+gitea_db_ssl_mode: disable
+# Features
+gitea_lfs_enabled: true
+gitea_metrics_enabled: true
+# Service Settings
+gitea_disable_registration: true  # Use Casdoor SSO instead
+gitea_require_signin_view: false
+# Security (vault secrets)
+gitea_secret_key: "{{vault_gitea_secret_key}}"
+gitea_lfs_jwt_secret: "{{vault_gitea_lfs_jwt_secret}}"
+gitea_metrics_token: "{{vault_gitea_metrics_token}}"
+# OAuth2 (Casdoor SSO)
+gitea_oauth_enabled: true
+gitea_oauth_name: "casdoor"
+gitea_oauth_display_name: "Sign in with Casdoor"
+gitea_oauth_client_id: "{{vault_gitea_oauth_client_id}}"
+gitea_oauth_client_secret: "{{vault_gitea_oauth_client_secret}}"
+# Auth URL uses external HAProxy address (user's browser)
+gitea_oauth_auth_url: "https://id.ouranos.helu.ca/login/oauth/authorize"
+# Token and userinfo URLs use internal Casdoor address (server-to-server)
+gitea_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
+gitea_oauth_userinfo_url: "https://id.ouranos.helu.ca/api/userinfo"
+gitea_oauth_scopes: "openid profile email"
+
+# LobeChat Configuration
+lobechat_user: lobechat
+lobechat_group: lobechat
+lobechat_directory: /srv/lobechat
+lobechat_port: 22081
+# Database Configuration
+lobechat_db_host: portia.incus
+lobechat_db_port: 5432
+lobechat_db_name: lobechat
+lobechat_db_user: lobechat
+lobechat_db_password: "{{vault_lobechat_db_password}}"
+lobechat_key_vaults_secret: "{{vault_lobechat_key_vaults_secret}}"
+# Authentication
+# NEXTAUTH_URL must be the public URL users access (not internal)
+lobechat_nextauth_url: https://lobechat.ouranos.helu.ca
+lobechat_next_auth_secret: "{{vault_lobechat_next_auth_secret}}"
+lobechat_next_auth_sso_providers: casdoor
+# Issuer must match exactly what Casdoor returns in .well-known/openid-configuration
+lobechat_auth_casdoor_issuer: http://titania.incus:22081
+lobechat_auth_casdoor_id: "{{vault_lobechat_auth_casdoor_id}}"
+lobechat_auth_casdoor_secret: "{{vault_lobechat_auth_casdoor_secret}}"
+# S3 Storage
+lobechat_s3_endpoint: https://pan.helu.ca:8555
+lobechat_s3_public_domain: https://pan.helu.ca:8555
+lobechat_s3_access_key: "{{vault_lobechat_s3_access_key}}"
+lobechat_s3_secret_key: "{{vault_lobechat_s3_secret_key}}"
+lobechat_s3_bucket: lobechat
+# Search
+lobechat_searxng_url: http://oberon.incus:25599
+# AI Models
+lobechat_openai_proxy_url: http://sycorax.incus:25540/v1
+lobechat_openai_key: "{{vault_lobechat_openai_api_key}}"
+lobechat_ollama_proxy_url: http://perseus.helu.ca:11434
+lobechat_anthropic_api_key: "{{vault_lobechat_anthropic_api_key}}"
+lobechat_google_api_key: "{{vault_lobechat_google_api_key}}"
+lobechat_app_url: https://lobechat.ouranos.helu.ca/
+
+# Nextcloud Configuration
+nextcloud_web_port: 22083
+nextcloud_data_dir: /mnt/nextcloud
+# Database Configuration
+nextcloud_db_type: pgsql
+nextcloud_db_host: portia.incus
+nextcloud_db_port: 5432
+nextcloud_db_name: nextcloud
+nextcloud_db_user: nextcloud
+nextcloud_db_password: "{{vault_nextcloud_db_password}}"
+# Admin Configuration
+nextcloud_admin_user: admin
+nextcloud_admin_password: "{{vault_nextcloud_admin_password}}"
+# Domain Configuration
+nextcloud_domain: nextcloud.ouranos.helu.ca
+# Instance secrets (generated during install)
+nextcloud_instance_id: ""
+nextcloud_password_salt: ""
+nextcloud_secret: ""

ansible/inventory/host_vars/sycorax.incus.yml

@@ -0,0 +1,71 @@
+---
+# Sycorax Configuration - Language Models
+# Services: alloy, arke
+
+services:
+  - alloy
+  - arke
+
+# Alloy
+alloy_log_level: "warn"
+
+# Arke Configuration
+arke_user: arke
+arke_group: arke
+arke_directory: /srv/arke
+arke_port: 25540
+
+# Server Configuration
+arke_reload: false
+
+# Memcached config
+arke_memcached_host: localhost
+arke_memcached_port: 11211
+
+# Database Configuration
+arke_db_host: portia.incus
+arke_db_port: 5432
+arke_db_name: arke
+arke_db_user: arke
+arke_db_password: "{{ vault_arke_db_password }}"
+
+# NTTh API Configuration
+arke_session_limit: 90
+arke_session_ttl: 3600
+arke_token_cache_ttl: 82800
+ntth_token_1_app_name: "{{ vault_ntth_token_1_app_name }}"
+ntth_token_1_app_id: "{{ vault_ntth_token_1_app_id }}"
+ntth_token_1_app_secret: "{{ vault_ntth_token_1_app_secret }}"
+ntth_token_2_app_name: "{{ vault_ntth_token_2_app_name }}"
+ntth_token_2_app_id: "{{ vault_ntth_token_2_app_id }}"
+ntth_token_2_app_secret: "{{ vault_ntth_token_2_app_secret }}"
+ntth_token_3_app_name: "{{ vault_ntth_token_3_app_name }}"
+ntth_token_3_app_id: "{{ vault_ntth_token_3_app_id }}"
+ntth_token_3_app_secret: "{{ vault_ntth_token_3_app_secret }}"
+ntth_token_4_app_name: "{{ vault_ntth_token_4_app_name }}"
+ntth_token_4_app_id: "{{ vault_ntth_token_4_app_id }}"
+ntth_token_4_app_secret: "{{ vault_ntth_token_4_app_secret }}"
+
+# Embedding Provider Configuration
+arke_embedding_provider: openai
+
+# OpenAI-Compatible Configuration
+arke_openai_embedding_base_url: http://pan.helu.ca:22079/v1
+arke_openai_embedding_api_key: 0000
+arke_openai_embedding_model: Qwen3-Embedding-0.6B-Q8_0
+
+# Common Embedding Configuration
+arke_embedding_batch_size: 16
+arke_embedding_ubatch_size: 512
+arke_embedding_max_context: 8192
+arke_embedding_timeout: 30.0
+
+# Memory System Configuration
+arke_memory_enabled: true
+arke_max_context_tokens: 8000
+arke_similarity_threshold: 0.7
+arke_min_importance_score: 0.7
+
+# Monitoring Configuration
+arke_prometheus_enabled: true
+arke_metrics_port: 25540

ansible/inventory/host_vars/titania.incus.yml

@@ -0,0 +1,217 @@
+---
+# Titania Configuration - Proxy & SSO Services
+# Services: alloy, certbot, docker, haproxy, postgresql_ssl, casdoor
+
+services:
+  - alloy
+  - certbot
+  - docker
+  - haproxy
+  - postgresql_ssl
+  - casdoor
+
+# PostgreSQL SSL Configuration (dedicated database for identity services)
+postgresql_ssl_postgres_password: "{{ vault_postgresql_ssl_postgres_password }}"
+postgresql_ssl_port: 5432
+postgresql_ssl_cert_path: /etc/postgresql/17/main/ssl/server.crt
+
+# Alloy
+alloy_log_level: "warn"
+casdoor_syslog_port: 51401
+haproxy_syslog_port: 51404
+
+# Certbot Configuration (Let's Encrypt DNS-01 with Namecheap)
+certbot_user: certbot
+certbot_group: certbot
+certbot_directory: /srv/certbot
+certbot_email: webmaster@helu.ca
+certbot_cert_name: ouranos.helu.ca
+certbot_domains:
+  - "*.ouranos.helu.ca"
+  - "ouranos.helu.ca"
+prometheus_node_exporter_text_directory: /var/lib/prometheus/node-exporter
+
+# HAProxy Configuration
+haproxy_user: haproxy
+haproxy_group: haproxy
+haproxy_uid: 800
+haproxy_gid: 800
+haproxy_directory: /srv/haproxy
+haproxy_http_port: 8080
+haproxy_https_port: 8443
+haproxy_stats_port: 8404
+haproxy_domain: "ouranos.helu.ca"
+haproxy_cert_path: /etc/haproxy/certs/ouranos.pem
+
+# HAProxy TCP Backend Definitions (mode tcp passthrough)
+haproxy_tcp_backends:
+  - name: gitea_ssh
+    listen_port: 22022
+    backend_host: "rosalind.incus"
+    backend_port: 22022
+
+# HAProxy Backend Definitions
+haproxy_backends:
+  - subdomain: ""  # Root domain (ouranos.helu.ca)
+    backend_host: "puck.incus"
+    backend_port: 22281
+    health_path: "/"
+    # timeout_server: "50s"  # Optional override
+
+  - subdomain: "id"  # Casdoor SSO (id.ouranos.helu.ca)
+    backend_host: "titania.incus"
+    backend_port: 22081
+    health_path: "/api/health"
+    redirect_root: "/login/heluca"  # Redirect root to branded org login page
+
+  - subdomain: "openwebui"
+    backend_host: "oberon.incus"
+    backend_port: 22088
+    health_path: "/"
+
+  - subdomain: "anythingllm"
+    backend_host: "rosalind.incus"
+    backend_port: 22084
+    health_path: "/api/ping"
+
+  - subdomain: "arke"
+    backend_host: "sycorax.incus"
+    backend_port: 25540
+    health_path: "/health"
+  
+  # SearXNG - routed through OAuth2-Proxy sidecar on Oberon
+  - subdomain: "searxng"
+    backend_host: "oberon.incus"
+    backend_port: 22073
+    health_path: "/ping"
+
+  - subdomain: "pgadmin"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/misc/ping"
+    ssl_backend: true
+
+  - subdomain: "grafana"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/api/health"
+    ssl_backend: true
+
+  - subdomain: "prometheus"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/ping"
+    ssl_backend: true
+
+  - subdomain: "loki"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/ready"
+    ssl_backend: true
+
+  - subdomain: "alertmanager"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/-/healthy"
+    ssl_backend: true
+
+  - subdomain: "gitea"
+    backend_host: "rosalind.incus"
+    backend_port: 22082
+    health_path: "/api/healthz"
+    timeout_server: 120s
+
+  - subdomain: "lobechat"
+    backend_host: "rosalind.incus"
+    backend_port: 22081
+    health_path: "/chat"
+
+  - subdomain: "nextcloud"
+    backend_host: "rosalind.incus"
+    backend_port: 22083
+    health_path: "/status.php"
+
+  - subdomain: "angelia"
+    backend_host: "puck.incus"
+    backend_port: 22281
+    health_path: "/"
+
+  - subdomain: "athena"
+    backend_host: "puck.incus"
+    backend_port: 22481
+    health_path: "/ready/"
+
+  - subdomain: "kairos"
+    backend_host: "puck.incus"
+    backend_port: 22581
+    health_path: "/ready/"
+
+  - subdomain: "icarlos"
+    backend_host: "puck.incus"
+    backend_port: 22681
+    health_path: "/ready/"
+
+  - subdomain: "mcp-switchboard"
+    backend_host: "puck.incus"
+    backend_port: 22781
+    health_path: "/ready/"
+
+  - subdomain: "spelunker"
+    backend_host: "puck.incus"
+    backend_port: 22881
+    health_path: "/ready/"
+
+  - subdomain: "peitho"
+    backend_host: "puck.incus"
+    backend_port: 22981
+    health_path: "/ready/"
+
+  - subdomain: "jupyterlab"
+    backend_host: "puck.incus"
+    backend_port: 22071  # OAuth2-Proxy port
+    health_path: "/ping"
+    timeout_server: 300s  # WebSocket support
+
+  - subdomain: "hass"
+    backend_host: "oberon.incus"
+    backend_port: 8123
+    health_path: "/api/"
+    timeout_server: 300s  # WebSocket support for HA frontend
+
+  - subdomain: "smtp4dev"
+    backend_host: "oberon.incus"
+    backend_port: 22085
+    health_path: "/"
+
+# Casdoor Configuration
+casdoor_user: casdoor
+casdoor_group: casdoor
+casdoor_directory: /srv/casdoor
+# Web Configuration
+casdoor_port: 22081
+casdoor_runmode: dev
+casdoor_copyrequestbody: true
+casdoor_drivername: postgres
+# Database Configuration
+casdoor_db_port: 5432
+casdoor_db_name: casdoor
+casdoor_db_user: casdoor
+casdoor_db_password: "{{ vault_casdoor_db_password }}"
+casdoor_db_sslmode: disable
+casdoor_showsql: false
+# Redis and Storage
+casdoor_redis_endpoint: ""
+casdoor_default_storage_provider: ""
+# Authentication
+casdoor_auth_state: "{{ vault_casdoor_auth_state }}"
+# Origin must include port for internal OIDC endpoints to work correctly
+casdoor_origin: "https://id.ouranos.helu.ca"
+casdoor_origin_frontend: "https://id.ouranos.helu.ca"
+# Timeouts and Ports
+casdoor_inactive_timeout_minutes: 60
+casdoor_ldap_server_port: 0
+casdoor_ldaps_cert_id: ""
+casdoor_ldaps_server_port: 0
+casdoor_radius_server_port: 1812
+casdoor_radius_default_organization: "built-in"
+casdoor_radius_secret: "{{ vault_casdoor_radius_secret }}"

ansible/inventory/hosts

@@ -0,0 +1,50 @@
+---
+# Ansible Inventory - Simplified
+# Variables moved to:
+#  - host_vars/{hostname}.yml (host-specific config)
+#  - group_vars/all/vars.yml (common variables)
+
+# Red Panda Approved Uranian Hosts
+ubuntu:
+  hosts:
+    ariel.incus:
+    caliban.incus:
+    miranda.incus:
+    oberon.incus:
+    portia.incus:
+    prospero.incus:
+    puck.incus:
+    rosalind.incus:
+    sycorax.incus:
+    titania.incus:
+    korax.helu.ca:
+
+# Service-specific groups for targeted deployments
+agent_s:
+  hosts:
+    caliban.incus:
+
+arke:
+  hosts:
+    sycorax.incus:
+
+casdoor:
+  hosts:
+    titania.incus:
+
+kernos:
+  hosts:
+    caliban.incus:
+    korax.helu.ca:
+
+searxng:
+  hosts:
+    oberon.incus:
+
+gitea:
+  hosts:
+    rosalind.incus:
+
+mcpo:
+  hosts:
+    miranda.incus: