docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README including a component overview table, quick start instructions, common Ansible operations, and links to detailed documentation. Aligns with Red Panda Approval™ standards.
2026-03-03 12:49:06 +00:00
parent c7be03a743
commit b4d60f2f38
219 changed files with 34586 additions and 2 deletions
--- a/ansible/inventory/host_vars/ariel.incus.yml
+++ b/ansible/inventory/host_vars/ariel.incus.yml
@@ -0,0 +1,24 @@
+---
+# Ariel Configuration - Graph Database Host
+# Services: alloy, docker, neo4j
+
+services:
+  - alloy
+  - docker
+  - neo4j
+
+# Alloy
+alloy_log_level: "warn"
+neo4j_syslog_port: 22011
+
+# Neo4j
+neo4j_rel: master
+neo4j_version: "5.26.0"
+neo4j_user: neo4j
+neo4j_group: neo4j
+neo4j_directory: /srv/neo4j
+neo4j_auth_user: neo4j
+neo4j_auth_password: "{{ vault_neo4j_auth_password }}"
+neo4j_http_port: 25554
+neo4j_bolt_port: 7687
+neo4j_apoc_unrestricted: "apoc.*"
--- a/ansible/inventory/host_vars/caliban.incus.yml
+++ b/ansible/inventory/host_vars/caliban.incus.yml
@@ -0,0 +1,23 @@
+---
+# Caliban Configuration - Agent Automation Host
+# Services: caliban (Agent S), alloy, docker, kernos
+
+services:
+  - alloy
+  - caliban
+  - docker
+  - kernos
+
+# Alloy
+alloy_log_level: "warn"
+
+# Kernos MCP Shell Server Configuration
+kernos_user: harper
+kernos_group: harper
+kernos_directory: /srv/kernos
+kernos_port: 22021
+kernos_host: "0.0.0.0"
+kernos_log_level: INFO
+kernos_log_format: json
+kernos_environment: sandbox
+kernos_allow_commands: "apt,awk,base64,bash,cat,chmod,cp,curl,cut,date,dd,df,dig,dmesg,du,echo,env,file,find,free,git,grep,gunzip,gzip,head,host,hostname,id,jq,kill,less,ln,ls,lsblk,lspci,lsusb,make,mkdir,mv,nc,node,nohup,npm,npx,ping,pip,pkill,pnpm,printenv,ps,pwd,python3,rm,rsync,run-captured,scp,sed,sleep,sort,source,ssh,ssh-keygen,ssh-keyscan,stat,sudo,tail,tar,tee,timeout,touch,tr,tree,uname,uniq,unzip,uptime,wc,wget,which,whoami,xargs,xz,zip"
--- a/ansible/inventory/host_vars/korax.helu.ca.yml
+++ b/ansible/inventory/host_vars/korax.helu.ca.yml
@@ -0,0 +1,20 @@
+---
+# Korax Configuration
+# Services: alloy, kernos
+
+services:
+  - alloy
+  - kernos
+
+# Alloy
+alloy_log_level: "warn"
+# Kernos MCP Shell Server Configuration
+kernos_user: harper
+kernos_group: harper
+kernos_directory: /srv/kernos
+kernos_port: 22021
+kernos_host: "0.0.0.0"
+kernos_log_level: INFO
+kernos_log_format: json
+kernos_environment: sandbox
+kernos_allow_commands: "apt,awk,base64,bash,cat,chmod,cp,curl,cut,date,dd,df,dig,dmesg,du,echo,env,file,find,free,git,grep,gunzip,gzip,head,host,hostname,id,jq,kill,less,ln,ls,lsblk,lspci,lsusb,make,mkdir,mv,nc,node,nohup,npm,npx,ping,pip,pkill,pnpm,printenv,ps,pwd,python3,rm,rsync,run-captured,scp,sed,sleep,sort,source,ssh,ssh-keygen,ssh-keyscan,stat,sudo,tail,tar,tee,timeout,touch,tr,tree,uname,uniq,unzip,uptime,wc,wget,which,whoami,xargs,xz,zip"
--- a/ansible/inventory/host_vars/miranda.incus.yml
+++ b/ansible/inventory/host_vars/miranda.incus.yml
@@ -0,0 +1,74 @@
+---
+# Miranda Configuration - MCP Docker Host
+# Services: alloy, argos, docker, mcpo, neo4j_mcp
+
+services:
+  - alloy
+  - argos
+  - docker
+  - gitea_mcp
+  - grafana_mcp
+  - mcpo
+  - neo4j_mcp
+
+# Alloy
+alloy_log_level: "warn"
+argos_syslog_port: 51434
+neo4j_cypher_syslog_port: 51431
+grafana_mcp_syslog_port: 51433
+gitea_mcp_syslog_port: 51435
+
+# Argos MCP Configuration
+argos_user: argos
+argos_group: argos
+argos_directory: /srv/argos
+argos_port: 25534
+argos_log_level: INFO
+argos_searxng_instances: http://oberon.incus:22083/
+argos_cache_ttl: 300
+argos_max_results: 10
+argos_request_timeout: 30.0
+argos_health_check_timeout: 5.0
+argos_kvdb_host: localhost
+argos_kvdb_port: 11211
+argos_kvdb_prefix: argos
+argos_enable_startup_health_check: true
+
+# Docker API Configuration
+docker_api_enabled: true
+docker_api_port: 2375
+docker_api_host: "0.0.0.0"
+
+# Neo4j MCP Config
+neo4j_mcp_user: neo4j_mcp
+neo4j_mcp_group: neo4j_mcp
+neo4j_mcp_directory: /srv/neo4j_mcp
+
+# Grafana MCP Config
+grafana_mcp_user: grafana_mcp
+grafana_mcp_group: grafana_mcp
+grafana_mcp_directory: /srv/grafana_mcp
+grafana_mcp_port: 25533
+grafana_mcp_grafana_host: prospero.incus
+grafana_mcp_grafana_port: 3000
+grafana_service_account_token: "{{ vault_grafana_service_account_token }}"
+
+# Gitea MCP Config
+gitea_mcp_user: gitea_mcp
+gitea_mcp_group: gitea_mcp
+gitea_mcp_directory: /srv/gitea_mcp
+gitea_mcp_port: 25535
+gitea_mcp_host: https://gitea.ouranos.helu.ca
+gitea_mcp_access_token: "{{ vault_gitea_mcp_access_token }}"
+
+# Neo4j Cypher MCP
+neo4j_host: ariel.incus
+neo4j_bolt_port: 7687
+neo4j_auth_password: "{{ vault_neo4j_auth_password }}"
+neo4j_cypher_mcp_port: 25531
+
+# MCPO Config
+mcpo_user: mcpo
+mcpo_group: mcpo
+mcpo_directory: /srv/mcpo
+mcpo_port: 25530
--- a/ansible/inventory/host_vars/oberon.incus.yml
+++ b/ansible/inventory/host_vars/oberon.incus.yml
@@ -0,0 +1,134 @@
+---
+# Oberon Configuration
+
+services:
+  - alloy
+  - docker
+  - hass
+  - mcp_switchboard
+  - openwebui
+  - rabbitmq
+  - searxng
+  - smtp4dev
+
+# Alloy
+alloy_log_level: "warn"
+rabbitmq_syslog_port: 51402
+searxng_syslog_port: 51403
+
+# MCP Switchboard Configuration
+mcp_switchboard_user: mcpsb
+mcp_switchboard_group: mcpsb
+mcp_switchboard_directory: /srv/mcp_switchboard
+mcp_switchboard_port: 22785
+mcp_switchboard_docker_host: "tcp://miranda.incus:2375"
+mcp_switchboard_db_host: portia.incus
+mcp_switchboard_db_port: 5432
+mcp_switchboard_db_name: mcp_switchboard
+mcp_switchboard_db_user: mcpsb
+mcp_switchboard_db_password: "{{ vault_mcp_switchboard_db_password }}"
+mcp_switchboard_rabbitmq_host: localhost
+mcp_switchboard_rabbitmq_port: 5672
+mcp_switchboard_rabbitmq_user: rabbitmq
+mcp_switchboard_rabbitmq_password: "{{ vault_mcp_switchboard_rabbitmq_password }}"
+mcp_switchboard_secret_key: "{{ vault_mcp_switchboard_secret_key }}"
+
+# Open WebUI Configuration
+openwebui_user: openwebui
+openwebui_group: openwebui
+openwebui_directory: /srv/openwebui
+openwebui_cors_allow_origin: https://openwebui.ouranos.helu.ca
+openwebui_port: 22088
+openwebui_host: puck.incus
+openwebui_secret_key: "{{ vault_openwebui_secret_key }}"
+openwebui_enable_signup: true
+openwebui_enable_email_login: false
+
+# OAuth/OIDC Configuration (Casdoor SSO)
+openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
+openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
+openwebui_oauth_provider_name: "Casdoor"
+openwebui_oauth_provider_url: "https://id.ouranos.helu.ca/.well-known/openid-configuration"
+
+# Database Configuration
+openwebui_db_host: portia.incus
+openwebui_db_port: 5432
+openwebui_db_name: openwebui
+openwebui_db_user: openwebui
+openwebui_db_password: "{{ vault_openwebui_db_password }}"
+
+# API Keys
+openwebui_openai_api_key: "{{ vault_openwebui_openai_api_key }}"
+openwebui_anthropic_api_key: "{{ vault_openwebui_anthropic_api_key }}"
+openwebui_groq_api_key: "{{ vault_openwebui_groq_api_key }}"
+openwebui_mistral_api_key: "{{ vault_openwebui_mistral_api_key }}"
+
+# Ollama Configuration
+ollama_api_base_url: ""
+openwebui_ollama_api_key: ""
+
+# SSL Configuration
+openwebui_enable_https: false
+openwebui_ssl_cert_path: ""
+openwebui_ssl_key_path: ""
+
+# Logging
+openwebui_log_level: info
+
+# RabbitMQ Config
+rabbitmq_user: rabbitmq
+rabbitmq_group: rabbitmq
+rabbitmq_directory: /srv/rabbitmq
+rabbitmq_amqp_port: 5672
+rabbitmq_management_port: 25582
+rabbitmq_password: "{{ vault_rabbitmq_password }}"
+
+# Redis password
+redis_password: "{{ vault_redis_password }}"
+
+# SearXNG Configuration
+searxng_user: searxng
+searxng_group: searxng
+searxng_directory: /srv/searxng
+searxng_port: 22083
+searxng_base_url: http://oberon.incus:22083/
+searxng_instance_name: "Agathos Search"
+searxng_secret_key: "{{ vault_searxng_secret_key }}"
+
+# SearXNG OAuth2-Proxy Sidecar
+# Note: Each host supports at most one OAuth2-Proxy sidecar instance
+# (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
+searxng_oauth2_proxy_dir: /etc/oauth2-proxy-searxng
+searxng_oauth2_proxy_version: "7.6.0"
+searxng_proxy_port: 22073
+searxng_domain: "ouranos.helu.ca"
+searxng_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+searxng_oauth2_redirect_url: "https://searxng.ouranos.helu.ca/oauth2/callback"
+
+# OAuth2 Credentials (from vault)
+searxng_oauth2_client_id: "{{ vault_searxng_oauth2_client_id }}"
+searxng_oauth2_client_secret: "{{ vault_searxng_oauth2_client_secret }}"
+searxng_oauth2_cookie_secret: "{{ vault_searxng_oauth2_cookie_secret }}"
+
+# smtp4dev Configuration
+smtp4dev_user: smtp4dev
+smtp4dev_group: smtp4dev
+smtp4dev_directory: /srv/smtp4dev
+smtp4dev_port: 22085
+smtp4dev_smtp_port: 22025
+smtp4dev_imap_port: 22045
+smtp4dev_syslog_port: 51405
+
+# Home Assistant Configuration
+hass_user: hass
+hass_group: hass
+hass_directory: /srv/hass
+hass_media_directory: /srv/hass/media
+hass_port: 8123
+hass_version: "2026.2.0"
+hass_db_host: portia.incus
+hass_db_port: 5432
+hass_db_name: hass
+hass_db_user: hass
+hass_db_password: "{{ vault_hass_db_password }}"
+hass_metrics_token: "{{ vault_hass_metrics_token }}"
--- a/ansible/inventory/host_vars/portia.incus.yml
+++ b/ansible/inventory/host_vars/portia.incus.yml
@@ -0,0 +1,48 @@
+---
+# Portia Configuration - Relational Database Host
+# Services: alloy, postgresql
+# Note: PgAdmin moved to Prospero (PPLG stack)
+
+services:
+  - alloy
+  - postgresql
+
+# Alloy
+alloy_log_level: "warn"
+
+# PostgreSQL Config
+postgres_user: postgres
+postgres_group: postgres
+postgresql_port: 5432
+postgresql_data_dir: /var/lib/postgresql
+arke_db_name: arke
+arke_db_user: arke
+arke_db_password: "{{ vault_arke_db_password }}"
+anythingllm_db_name: anythingllm
+anythingllm_db_user: anythingllm
+anythingllm_db_password: "{{ vault_anythingllm_db_password }}"
+# Note: Casdoor uses dedicated PostgreSQL on Titania (not Portia)
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password: "{{ vault_gitea_db_password }}"
+lobechat_db_name: lobechat
+lobechat_db_user: lobechat
+lobechat_db_password: "{{ vault_lobechat_db_password }}"
+nextcloud_db_name: nextcloud
+nextcloud_db_user: nextcloud
+nextcloud_db_password: "{{ vault_nextcloud_db_password }}"
+openwebui_db_name: openwebui
+openwebui_db_user: openwebui
+openwebui_db_password: "{{ vault_openwebui_db_password }}"
+spelunker_db_name: spelunker
+spelunker_db_user: spelunker
+spelunker_db_password: "{{ vault_spelunker_db_password }}"
+hass_db_name: hass
+hass_db_user: hass
+hass_db_password: "{{ vault_hass_db_password }}"
+nike_db_name: nike
+nike_db_user: nike
+nike_db_password: "{{ vault_nike_db_password }}"
+
+# PostgreSQL admin password
+postgres_password: "{{ vault_postgres_password }}"
--- a/ansible/inventory/host_vars/prospero.incus.yml
+++ b/ansible/inventory/host_vars/prospero.incus.yml
@@ -0,0 +1,141 @@
+---
+# Prospero Configuration - PPLG Observability & Admin Stack
+# Services: pplg (PgAdmin, Prometheus, Loki, Grafana + HAProxy + OAuth2-Proxy)
+
+services:
+  - alloy
+  - pplg
+
+# Alloy
+alloy_log_level: "warn"
+
+# ============================================================================
+# PPLG HAProxy Configuration
+# ============================================================================
+
+pplg_haproxy_user: haproxy
+pplg_haproxy_group: haproxy
+pplg_haproxy_uid: 800
+pplg_haproxy_gid: 800
+pplg_haproxy_domain: "ouranos.helu.ca"
+pplg_haproxy_cert_path: /etc/haproxy/certs/ouranos.pem
+pplg_haproxy_stats_port: 8404
+pplg_haproxy_syslog_port: 51405
+
+# ============================================================================
+# Grafana
+# ============================================================================
+
+# Grafana Datasources
+prometheus_datasource_name: Prospero-Prometheus
+prometheus_host: prospero.incus
+prometheus_port: 9090
+prometheus_datasource_uid: prospero-prometheus
+loki_datasource_name: Prospero-Loki
+loki_host: prospero.incus
+loki_port: 3100
+loki_datasource_uid: prospero-loki
+
+# Grafana Users
+grafana_admin_name: "{{ vault_grafana_admin_name }}"
+grafana_admin_login: "{{ vault_grafana_admin_login }}"
+grafana_admin_password: "{{ vault_grafana_admin_password }}"
+grafana_viewer_name: "{{ vault_grafana_viewer_name }}"
+grafana_viewer_login: "{{ vault_grafana_viewer_login }}"
+grafana_viewer_password: "{{ vault_grafana_viewer_password }}"
+
+# Grafana OAuth (Casdoor SSO)
+grafana_oauth_enabled: true
+grafana_oauth_name: "Casdoor"
+grafana_oauth_client_id: "{{ vault_grafana_oauth_client_id }}"
+grafana_oauth_client_secret: "{{ vault_grafana_oauth_client_secret }}"
+grafana_oauth_auth_url: "https://id.ouranos.helu.ca/login/oauth/authorize"
+grafana_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
+grafana_oauth_api_url: "https://id.ouranos.helu.ca/api/userinfo"
+grafana_oauth_scopes: "openid profile email"
+grafana_root_url: "https://grafana.ouranos.helu.ca"
+grafana_oauth_allow_sign_up: true
+grafana_oauth_skip_tls_verify: false
+
+# ============================================================================
+# Prometheus
+# ============================================================================
+
+prometheus_user: prometheus
+prometheus_group: prometheus
+prometheus_scrape_interval: 15s
+prometheus_evaluation_interval: 15s
+alertmanager_host: prospero.incus
+alertmanager_port: 9093
+loki_metrics_port: 3100
+prometheus_targets:
+  - 'oberon.incus:9100'
+  - 'portia.incus:9100'
+  - 'ariel.incus:9100'
+  - 'puck.incus:9100'
+  - 'puck.incus:25571'
+  - 'miranda.incus:9100'
+  - 'sycorax.incus:9100'
+  - 'prospero.incus:9100'
+  - 'rosalind.incus:9100'
+
+# Prometheus OAuth2-Proxy Sidecar
+prometheus_proxy_port: 9091
+prometheus_oauth2_proxy_dir: /etc/oauth2-proxy-prometheus
+prometheus_oauth2_proxy_version: "7.6.0"
+prometheus_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+prometheus_oauth2_client_id: "{{ vault_prometheus_oauth2_client_id }}"
+prometheus_oauth2_client_secret: "{{ vault_prometheus_oauth2_client_secret }}"
+prometheus_oauth2_cookie_secret: "{{ vault_prometheus_oauth2_cookie_secret }}"
+
+# ============================================================================
+# Alertmanager
+# ============================================================================
+
+alertmanager_user: prometheus
+alertmanager_group: prometheus
+alertmanager_resolve_timeout: 5m
+alertmanager_group_wait: 30s
+alertmanager_group_interval: 5m
+alertmanager_repeat_interval: 4h
+pushover_user_key: "{{ vault_pushover_user_key }}"
+pushover_api_token: "{{ vault_pushover_api_token }}"
+pushover_priority: 1
+pushover_retry: 30
+pushover_expire: 3600
+
+# ============================================================================
+# Loki
+# ============================================================================
+
+loki_user: loki
+loki_group: loki
+loki_data_dir: /var/lib/loki
+loki_config_dir: /etc/loki
+loki_config_file: config.yml
+loki_grpc_port: 9096
+
+# ============================================================================
+# PgAdmin (Gunicorn - no Apache)
+# ============================================================================
+
+pgadmin_user: pgadmin
+pgadmin_group: pgadmin
+pgadmin_port: 5050
+pgadmin_data_dir: /var/lib/pgadmin
+pgadmin_log_dir: /var/log/pgadmin
+pgadmin_email: "{{ vault_pgadmin_email }}"
+pgadmin_password: "{{ vault_pgadmin_password }}"
+
+# PgAdmin OAuth (Casdoor SSO)
+pgadmin_oauth_client_id: "{{ vault_pgadmin_oauth_client_id }}"
+pgadmin_oauth_client_secret: "{{ vault_pgadmin_oauth_client_secret }}"
+
+# ============================================================================
+# Casdoor Metrics (for Prometheus scraping)
+# ============================================================================
+
+casdoor_metrics_host: "titania.incus"
+casdoor_metrics_port: 22081
+casdoor_prometheus_access_key: "{{ vault_casdoor_prometheus_access_key }}"
+casdoor_prometheus_access_secret: "{{ vault_casdoor_prometheus_access_secret }}"
--- a/ansible/inventory/host_vars/puck.incus.yml
+++ b/ansible/inventory/host_vars/puck.incus.yml
@@ -0,0 +1,46 @@
+---
+# Puck Configuration - Application Runtime
+# Services: alloy, docker, lxqt, jupyterlab
+
+services:
+  - alloy
+  - docker
+  - gitea_runner
+  - jupyterlab
+
+# Gitea Runner
+gitea_runner_name: "puck-runner"
+
+# Alloy
+alloy_log_level: "warn"
+angelia_syslog_port: 51421
+sagittarius_syslog_port: 51431
+athena_syslog_port: 51441
+kairos_syslog_port: 51451
+icarlos_syslog_port: 51461
+spelunker_syslog_port: 51481
+jupyterlab_syslog_port: 51491
+
+# =============================================================================
+# JupyterLab Configuration
+# =============================================================================
+jupyterlab_user: robert
+jupyterlab_group: robert
+jupyterlab_notebook_dir: /home/robert
+jupyterlab_venv_dir: /home/robert/env/jupyter
+
+# Ports
+jupyterlab_port: 22081           # JupyterLab (localhost only)
+jupyterlab_proxy_port: 22071     # OAuth2-Proxy (exposed to HAProxy)
+
+# OAuth2-Proxy Configuration
+jupyterlab_oauth2_proxy_dir: /etc/oauth2-proxy-jupyter
+jupyterlab_oauth2_proxy_version: "7.6.0"
+jupyterlab_domain: "ouranos.helu.ca"
+jupyterlab_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
+jupyterlab_oauth2_redirect_url: "https://jupyterlab.ouranos.helu.ca/oauth2/callback"
+
+# OAuth2 Credentials (from vault)
+jupyterlab_oauth_client_id: "{{ vault_jupyterlab_oauth_client_id }}"
+jupyterlab_oauth_client_secret: "{{ vault_jupyterlab_oauth_client_secret }}"
+jupyterlab_oauth2_cookie_secret: "{{ vault_jupyterlab_oauth2_cookie_secret }}"
--- a/ansible/inventory/host_vars/rosalind.incus.yml
+++ b/ansible/inventory/host_vars/rosalind.incus.yml
@@ -0,0 +1,155 @@
+---
+# Rosalind Configuration - GO, Node.js, PHP Apps
+# Services: alloy, gitea, lobechat, nextcloud
+
+services:
+  - alloy
+  - anythingllm
+  - docker
+  - gitea
+  - lobechat
+  - memcached
+  - nextcloud
+
+# Alloy
+alloy_log_level: "warn"
+lobechat_syslog_port: 51461
+
+# AnythingLLM Configuration
+anythingllm_user: anythingllm
+anythingllm_group: anythingllm
+anythingllm_directory: /srv/anythingllm
+anythingllm_port: 22084
+
+# AnythingLLM Database (Portia PostgreSQL)
+anythingllm_db_host: portia.incus
+anythingllm_db_port: 5432
+anythingllm_db_name: anythingllm
+anythingllm_db_user: anythingllm
+anythingllm_db_password: "{{ vault_anythingllm_db_password }}"
+
+# AnythingLLM Security
+anythingllm_jwt_secret: "{{ vault_anythingllm_jwt_secret }}"
+anythingllm_sig_key: "{{ vault_anythingllm_sig_key }}"
+anythingllm_sig_salt: "{{ vault_anythingllm_sig_salt }}"
+
+# AnythingLLM LLM Provider (Generic OpenAI / llama-cpp)
+anythingllm_llm_base_url: "http://nyx.helu.ca:25540/v1"
+anythingllm_llm_model: "global.anthropic.claude-opus-4-6-v1"
+anythingllm_llm_token_limit: 200000
+anythingllm_llm_api_key: "ak_WX_7paeOky041GeX7MtQ51gam4lJsff3ghlClwdcbiI"
+
+# AnythingLLM Embedding
+anythingllm_embedding_engine: "generic-openai"
+anythingllm_embedding_model: "Qwen3-Embedding-0.6B-Q8_0"
+
+# AnythingLLM TTS (FastKokoro)
+anythingllm_tts_provider: "openai"
+anythingllm_tts_api_key: "not-needed"
+anythingllm_tts_endpoint: "http://pan.helu.ca:22070/v1"
+anythingllm_tts_model: "kokoro"
+anythingllm_tts_voice: "am_echo"
+
+# Gitea User and Directories
+gitea_user: git
+gitea_group: git
+gitea_home_dir: /srv/git
+gitea_work_dir: /var/lib/gitea
+gitea_data_dir: /var/lib/gitea/data
+gitea_lfs_dir: /var/lib/gitea/data/lfs
+gitea_repo_root: /mnt/dv
+gitea_config_file: /etc/gitea/app.ini
+# Ports
+gitea_web_port: 22082
+gitea_ssh_port: 22022
+gitea_metrics_port: 22092
+# Network
+gitea_domain: ouranos.helu.ca
+gitea_root_url: https://gitea.ouranos.helu.ca/
+# Database Configuration
+gitea_db_type: postgres
+gitea_db_host: portia.incus
+gitea_db_port: 5432
+gitea_db_name: gitea
+gitea_db_user: gitea
+gitea_db_password: "{{vault_gitea_db_password}}"
+gitea_db_ssl_mode: disable
+# Features
+gitea_lfs_enabled: true
+gitea_metrics_enabled: true
+# Service Settings
+gitea_disable_registration: true  # Use Casdoor SSO instead
+gitea_require_signin_view: false
+# Security (vault secrets)
+gitea_secret_key: "{{vault_gitea_secret_key}}"
+gitea_lfs_jwt_secret: "{{vault_gitea_lfs_jwt_secret}}"
+gitea_metrics_token: "{{vault_gitea_metrics_token}}"
+# OAuth2 (Casdoor SSO)
+gitea_oauth_enabled: true
+gitea_oauth_name: "casdoor"
+gitea_oauth_display_name: "Sign in with Casdoor"
+gitea_oauth_client_id: "{{vault_gitea_oauth_client_id}}"
+gitea_oauth_client_secret: "{{vault_gitea_oauth_client_secret}}"
+# Auth URL uses external HAProxy address (user's browser)
+gitea_oauth_auth_url: "https://id.ouranos.helu.ca/login/oauth/authorize"
+# Token and userinfo URLs use internal Casdoor address (server-to-server)
+gitea_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
+gitea_oauth_userinfo_url: "https://id.ouranos.helu.ca/api/userinfo"
+gitea_oauth_scopes: "openid profile email"
+
+# LobeChat Configuration
+lobechat_user: lobechat
+lobechat_group: lobechat
+lobechat_directory: /srv/lobechat
+lobechat_port: 22081
+# Database Configuration
+lobechat_db_host: portia.incus
+lobechat_db_port: 5432
+lobechat_db_name: lobechat
+lobechat_db_user: lobechat
+lobechat_db_password: "{{vault_lobechat_db_password}}"
+lobechat_key_vaults_secret: "{{vault_lobechat_key_vaults_secret}}"
+# Authentication
+# NEXTAUTH_URL must be the public URL users access (not internal)
+lobechat_nextauth_url: https://lobechat.ouranos.helu.ca
+lobechat_next_auth_secret: "{{vault_lobechat_next_auth_secret}}"
+lobechat_next_auth_sso_providers: casdoor
+# Issuer must match exactly what Casdoor returns in .well-known/openid-configuration
+lobechat_auth_casdoor_issuer: http://titania.incus:22081
+lobechat_auth_casdoor_id: "{{vault_lobechat_auth_casdoor_id}}"
+lobechat_auth_casdoor_secret: "{{vault_lobechat_auth_casdoor_secret}}"
+# S3 Storage
+lobechat_s3_endpoint: https://pan.helu.ca:8555
+lobechat_s3_public_domain: https://pan.helu.ca:8555
+lobechat_s3_access_key: "{{vault_lobechat_s3_access_key}}"
+lobechat_s3_secret_key: "{{vault_lobechat_s3_secret_key}}"
+lobechat_s3_bucket: lobechat
+# Search
+lobechat_searxng_url: http://oberon.incus:25599
+# AI Models
+lobechat_openai_proxy_url: http://sycorax.incus:25540/v1
+lobechat_openai_key: "{{vault_lobechat_openai_api_key}}"
+lobechat_ollama_proxy_url: http://perseus.helu.ca:11434
+lobechat_anthropic_api_key: "{{vault_lobechat_anthropic_api_key}}"
+lobechat_google_api_key: "{{vault_lobechat_google_api_key}}"
+lobechat_app_url: https://lobechat.ouranos.helu.ca/
+
+# Nextcloud Configuration
+nextcloud_web_port: 22083
+nextcloud_data_dir: /mnt/nextcloud
+# Database Configuration
+nextcloud_db_type: pgsql
+nextcloud_db_host: portia.incus
+nextcloud_db_port: 5432
+nextcloud_db_name: nextcloud
+nextcloud_db_user: nextcloud
+nextcloud_db_password: "{{vault_nextcloud_db_password}}"
+# Admin Configuration
+nextcloud_admin_user: admin
+nextcloud_admin_password: "{{vault_nextcloud_admin_password}}"
+# Domain Configuration
+nextcloud_domain: nextcloud.ouranos.helu.ca
+# Instance secrets (generated during install)
+nextcloud_instance_id: ""
+nextcloud_password_salt: ""
+nextcloud_secret: ""
--- a/ansible/inventory/host_vars/sycorax.incus.yml
+++ b/ansible/inventory/host_vars/sycorax.incus.yml
@@ -0,0 +1,71 @@
+---
+# Sycorax Configuration - Language Models
+# Services: alloy, arke
+
+services:
+  - alloy
+  - arke
+
+# Alloy
+alloy_log_level: "warn"
+
+# Arke Configuration
+arke_user: arke
+arke_group: arke
+arke_directory: /srv/arke
+arke_port: 25540
+
+# Server Configuration
+arke_reload: false
+
+# Memcached config
+arke_memcached_host: localhost
+arke_memcached_port: 11211
+
+# Database Configuration
+arke_db_host: portia.incus
+arke_db_port: 5432
+arke_db_name: arke
+arke_db_user: arke
+arke_db_password: "{{ vault_arke_db_password }}"
+
+# NTTh API Configuration
+arke_session_limit: 90
+arke_session_ttl: 3600
+arke_token_cache_ttl: 82800
+ntth_token_1_app_name: "{{ vault_ntth_token_1_app_name }}"
+ntth_token_1_app_id: "{{ vault_ntth_token_1_app_id }}"
+ntth_token_1_app_secret: "{{ vault_ntth_token_1_app_secret }}"
+ntth_token_2_app_name: "{{ vault_ntth_token_2_app_name }}"
+ntth_token_2_app_id: "{{ vault_ntth_token_2_app_id }}"
+ntth_token_2_app_secret: "{{ vault_ntth_token_2_app_secret }}"
+ntth_token_3_app_name: "{{ vault_ntth_token_3_app_name }}"
+ntth_token_3_app_id: "{{ vault_ntth_token_3_app_id }}"
+ntth_token_3_app_secret: "{{ vault_ntth_token_3_app_secret }}"
+ntth_token_4_app_name: "{{ vault_ntth_token_4_app_name }}"
+ntth_token_4_app_id: "{{ vault_ntth_token_4_app_id }}"
+ntth_token_4_app_secret: "{{ vault_ntth_token_4_app_secret }}"
+
+# Embedding Provider Configuration
+arke_embedding_provider: openai
+
+# OpenAI-Compatible Configuration
+arke_openai_embedding_base_url: http://pan.helu.ca:22079/v1
+arke_openai_embedding_api_key: 0000
+arke_openai_embedding_model: Qwen3-Embedding-0.6B-Q8_0
+
+# Common Embedding Configuration
+arke_embedding_batch_size: 16
+arke_embedding_ubatch_size: 512
+arke_embedding_max_context: 8192
+arke_embedding_timeout: 30.0
+
+# Memory System Configuration
+arke_memory_enabled: true
+arke_max_context_tokens: 8000
+arke_similarity_threshold: 0.7
+arke_min_importance_score: 0.7
+
+# Monitoring Configuration
+arke_prometheus_enabled: true
+arke_metrics_port: 25540
--- a/ansible/inventory/host_vars/titania.incus.yml
+++ b/ansible/inventory/host_vars/titania.incus.yml
@@ -0,0 +1,217 @@
+---
+# Titania Configuration - Proxy & SSO Services
+# Services: alloy, certbot, docker, haproxy, postgresql_ssl, casdoor
+
+services:
+  - alloy
+  - certbot
+  - docker
+  - haproxy
+  - postgresql_ssl
+  - casdoor
+
+# PostgreSQL SSL Configuration (dedicated database for identity services)
+postgresql_ssl_postgres_password: "{{ vault_postgresql_ssl_postgres_password }}"
+postgresql_ssl_port: 5432
+postgresql_ssl_cert_path: /etc/postgresql/17/main/ssl/server.crt
+
+# Alloy
+alloy_log_level: "warn"
+casdoor_syslog_port: 51401
+haproxy_syslog_port: 51404
+
+# Certbot Configuration (Let's Encrypt DNS-01 with Namecheap)
+certbot_user: certbot
+certbot_group: certbot
+certbot_directory: /srv/certbot
+certbot_email: webmaster@helu.ca
+certbot_cert_name: ouranos.helu.ca
+certbot_domains:
+  - "*.ouranos.helu.ca"
+  - "ouranos.helu.ca"
+prometheus_node_exporter_text_directory: /var/lib/prometheus/node-exporter
+
+# HAProxy Configuration
+haproxy_user: haproxy
+haproxy_group: haproxy
+haproxy_uid: 800
+haproxy_gid: 800
+haproxy_directory: /srv/haproxy
+haproxy_http_port: 8080
+haproxy_https_port: 8443
+haproxy_stats_port: 8404
+haproxy_domain: "ouranos.helu.ca"
+haproxy_cert_path: /etc/haproxy/certs/ouranos.pem
+
+# HAProxy TCP Backend Definitions (mode tcp passthrough)
+haproxy_tcp_backends:
+  - name: gitea_ssh
+    listen_port: 22022
+    backend_host: "rosalind.incus"
+    backend_port: 22022
+
+# HAProxy Backend Definitions
+haproxy_backends:
+  - subdomain: ""  # Root domain (ouranos.helu.ca)
+    backend_host: "puck.incus"
+    backend_port: 22281
+    health_path: "/"
+    # timeout_server: "50s"  # Optional override
+
+  - subdomain: "id"  # Casdoor SSO (id.ouranos.helu.ca)
+    backend_host: "titania.incus"
+    backend_port: 22081
+    health_path: "/api/health"
+    redirect_root: "/login/heluca"  # Redirect root to branded org login page
+
+  - subdomain: "openwebui"
+    backend_host: "oberon.incus"
+    backend_port: 22088
+    health_path: "/"
+
+  - subdomain: "anythingllm"
+    backend_host: "rosalind.incus"
+    backend_port: 22084
+    health_path: "/api/ping"
+
+  - subdomain: "arke"
+    backend_host: "sycorax.incus"
+    backend_port: 25540
+    health_path: "/health"
+  
+  # SearXNG - routed through OAuth2-Proxy sidecar on Oberon
+  - subdomain: "searxng"
+    backend_host: "oberon.incus"
+    backend_port: 22073
+    health_path: "/ping"
+
+  - subdomain: "pgadmin"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/misc/ping"
+    ssl_backend: true
+
+  - subdomain: "grafana"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/api/health"
+    ssl_backend: true
+
+  - subdomain: "prometheus"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/ping"
+    ssl_backend: true
+
+  - subdomain: "loki"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/ready"
+    ssl_backend: true
+
+  - subdomain: "alertmanager"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/-/healthy"
+    ssl_backend: true
+
+  - subdomain: "gitea"
+    backend_host: "rosalind.incus"
+    backend_port: 22082
+    health_path: "/api/healthz"
+    timeout_server: 120s
+
+  - subdomain: "lobechat"
+    backend_host: "rosalind.incus"
+    backend_port: 22081
+    health_path: "/chat"
+
+  - subdomain: "nextcloud"
+    backend_host: "rosalind.incus"
+    backend_port: 22083
+    health_path: "/status.php"
+
+  - subdomain: "angelia"
+    backend_host: "puck.incus"
+    backend_port: 22281
+    health_path: "/"
+
+  - subdomain: "athena"
+    backend_host: "puck.incus"
+    backend_port: 22481
+    health_path: "/ready/"
+
+  - subdomain: "kairos"
+    backend_host: "puck.incus"
+    backend_port: 22581
+    health_path: "/ready/"
+
+  - subdomain: "icarlos"
+    backend_host: "puck.incus"
+    backend_port: 22681
+    health_path: "/ready/"
+
+  - subdomain: "mcp-switchboard"
+    backend_host: "puck.incus"
+    backend_port: 22781
+    health_path: "/ready/"
+
+  - subdomain: "spelunker"
+    backend_host: "puck.incus"
+    backend_port: 22881
+    health_path: "/ready/"
+
+  - subdomain: "peitho"
+    backend_host: "puck.incus"
+    backend_port: 22981
+    health_path: "/ready/"
+
+  - subdomain: "jupyterlab"
+    backend_host: "puck.incus"
+    backend_port: 22071  # OAuth2-Proxy port
+    health_path: "/ping"
+    timeout_server: 300s  # WebSocket support
+
+  - subdomain: "hass"
+    backend_host: "oberon.incus"
+    backend_port: 8123
+    health_path: "/api/"
+    timeout_server: 300s  # WebSocket support for HA frontend
+
+  - subdomain: "smtp4dev"
+    backend_host: "oberon.incus"
+    backend_port: 22085
+    health_path: "/"
+
+# Casdoor Configuration
+casdoor_user: casdoor
+casdoor_group: casdoor
+casdoor_directory: /srv/casdoor
+# Web Configuration
+casdoor_port: 22081
+casdoor_runmode: dev
+casdoor_copyrequestbody: true
+casdoor_drivername: postgres
+# Database Configuration
+casdoor_db_port: 5432
+casdoor_db_name: casdoor
+casdoor_db_user: casdoor
+casdoor_db_password: "{{ vault_casdoor_db_password }}"
+casdoor_db_sslmode: disable
+casdoor_showsql: false
+# Redis and Storage
+casdoor_redis_endpoint: ""
+casdoor_default_storage_provider: ""
+# Authentication
+casdoor_auth_state: "{{ vault_casdoor_auth_state }}"
+# Origin must include port for internal OIDC endpoints to work correctly
+casdoor_origin: "https://id.ouranos.helu.ca"
+casdoor_origin_frontend: "https://id.ouranos.helu.ca"
+# Timeouts and Ports
+casdoor_inactive_timeout_minutes: 60
+casdoor_ldap_server_port: 0
+casdoor_ldaps_cert_id: ""
+casdoor_ldaps_server_port: 0
+casdoor_radius_server_port: 1812
+casdoor_radius_default_organization: "built-in"
+casdoor_radius_secret: "{{ vault_casdoor_radius_secret }}"