docs: rewrite README with structured overview and quick start guide

Replaces the minimal project description with a comprehensive README
including a component overview table, quick start instructions, common
Ansible operations, and links to detailed documentation. Aligns with
Red Panda Approval™ standards.

ansible/inventory/host_vars/titania.incus.yml

@@ -0,0 +1,217 @@
+---
+# Titania Configuration - Proxy & SSO Services
+# Services: alloy, certbot, docker, haproxy, postgresql_ssl, casdoor
+
+services:
+  - alloy
+  - certbot
+  - docker
+  - haproxy
+  - postgresql_ssl
+  - casdoor
+
+# PostgreSQL SSL Configuration (dedicated database for identity services)
+postgresql_ssl_postgres_password: "{{ vault_postgresql_ssl_postgres_password }}"
+postgresql_ssl_port: 5432
+postgresql_ssl_cert_path: /etc/postgresql/17/main/ssl/server.crt
+
+# Alloy
+alloy_log_level: "warn"
+casdoor_syslog_port: 51401
+haproxy_syslog_port: 51404
+
+# Certbot Configuration (Let's Encrypt DNS-01 with Namecheap)
+certbot_user: certbot
+certbot_group: certbot
+certbot_directory: /srv/certbot
+certbot_email: webmaster@helu.ca
+certbot_cert_name: ouranos.helu.ca
+certbot_domains:
+  - "*.ouranos.helu.ca"
+  - "ouranos.helu.ca"
+prometheus_node_exporter_text_directory: /var/lib/prometheus/node-exporter
+
+# HAProxy Configuration
+haproxy_user: haproxy
+haproxy_group: haproxy
+haproxy_uid: 800
+haproxy_gid: 800
+haproxy_directory: /srv/haproxy
+haproxy_http_port: 8080
+haproxy_https_port: 8443
+haproxy_stats_port: 8404
+haproxy_domain: "ouranos.helu.ca"
+haproxy_cert_path: /etc/haproxy/certs/ouranos.pem
+
+# HAProxy TCP Backend Definitions (mode tcp passthrough)
+haproxy_tcp_backends:
+  - name: gitea_ssh
+    listen_port: 22022
+    backend_host: "rosalind.incus"
+    backend_port: 22022
+
+# HAProxy Backend Definitions
+haproxy_backends:
+  - subdomain: ""  # Root domain (ouranos.helu.ca)
+    backend_host: "puck.incus"
+    backend_port: 22281
+    health_path: "/"
+    # timeout_server: "50s"  # Optional override
+
+  - subdomain: "id"  # Casdoor SSO (id.ouranos.helu.ca)
+    backend_host: "titania.incus"
+    backend_port: 22081
+    health_path: "/api/health"
+    redirect_root: "/login/heluca"  # Redirect root to branded org login page
+
+  - subdomain: "openwebui"
+    backend_host: "oberon.incus"
+    backend_port: 22088
+    health_path: "/"
+
+  - subdomain: "anythingllm"
+    backend_host: "rosalind.incus"
+    backend_port: 22084
+    health_path: "/api/ping"
+
+  - subdomain: "arke"
+    backend_host: "sycorax.incus"
+    backend_port: 25540
+    health_path: "/health"
+  
+  # SearXNG - routed through OAuth2-Proxy sidecar on Oberon
+  - subdomain: "searxng"
+    backend_host: "oberon.incus"
+    backend_port: 22073
+    health_path: "/ping"
+
+  - subdomain: "pgadmin"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/misc/ping"
+    ssl_backend: true
+
+  - subdomain: "grafana"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/api/health"
+    ssl_backend: true
+
+  - subdomain: "prometheus"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/ping"
+    ssl_backend: true
+
+  - subdomain: "loki"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/ready"
+    ssl_backend: true
+
+  - subdomain: "alertmanager"
+    backend_host: "prospero.incus"
+    backend_port: 443
+    health_path: "/-/healthy"
+    ssl_backend: true
+
+  - subdomain: "gitea"
+    backend_host: "rosalind.incus"
+    backend_port: 22082
+    health_path: "/api/healthz"
+    timeout_server: 120s
+
+  - subdomain: "lobechat"
+    backend_host: "rosalind.incus"
+    backend_port: 22081
+    health_path: "/chat"
+
+  - subdomain: "nextcloud"
+    backend_host: "rosalind.incus"
+    backend_port: 22083
+    health_path: "/status.php"
+
+  - subdomain: "angelia"
+    backend_host: "puck.incus"
+    backend_port: 22281
+    health_path: "/"
+
+  - subdomain: "athena"
+    backend_host: "puck.incus"
+    backend_port: 22481
+    health_path: "/ready/"
+
+  - subdomain: "kairos"
+    backend_host: "puck.incus"
+    backend_port: 22581
+    health_path: "/ready/"
+
+  - subdomain: "icarlos"
+    backend_host: "puck.incus"
+    backend_port: 22681
+    health_path: "/ready/"
+
+  - subdomain: "mcp-switchboard"
+    backend_host: "puck.incus"
+    backend_port: 22781
+    health_path: "/ready/"
+
+  - subdomain: "spelunker"
+    backend_host: "puck.incus"
+    backend_port: 22881
+    health_path: "/ready/"
+
+  - subdomain: "peitho"
+    backend_host: "puck.incus"
+    backend_port: 22981
+    health_path: "/ready/"
+
+  - subdomain: "jupyterlab"
+    backend_host: "puck.incus"
+    backend_port: 22071  # OAuth2-Proxy port
+    health_path: "/ping"
+    timeout_server: 300s  # WebSocket support
+
+  - subdomain: "hass"
+    backend_host: "oberon.incus"
+    backend_port: 8123
+    health_path: "/api/"
+    timeout_server: 300s  # WebSocket support for HA frontend
+
+  - subdomain: "smtp4dev"
+    backend_host: "oberon.incus"
+    backend_port: 22085
+    health_path: "/"
+
+# Casdoor Configuration
+casdoor_user: casdoor
+casdoor_group: casdoor
+casdoor_directory: /srv/casdoor
+# Web Configuration
+casdoor_port: 22081
+casdoor_runmode: dev
+casdoor_copyrequestbody: true
+casdoor_drivername: postgres
+# Database Configuration
+casdoor_db_port: 5432
+casdoor_db_name: casdoor
+casdoor_db_user: casdoor
+casdoor_db_password: "{{ vault_casdoor_db_password }}"
+casdoor_db_sslmode: disable
+casdoor_showsql: false
+# Redis and Storage
+casdoor_redis_endpoint: ""
+casdoor_default_storage_provider: ""
+# Authentication
+casdoor_auth_state: "{{ vault_casdoor_auth_state }}"
+# Origin must include port for internal OIDC endpoints to work correctly
+casdoor_origin: "https://id.ouranos.helu.ca"
+casdoor_origin_frontend: "https://id.ouranos.helu.ca"
+# Timeouts and Ports
+casdoor_inactive_timeout_minutes: 60
+casdoor_ldap_server_port: 0
+casdoor_ldaps_cert_id: ""
+casdoor_ldaps_server_port: 0
+casdoor_radius_server_port: 1812
+casdoor_radius_default_organization: "built-in"
+casdoor_radius_secret: "{{ vault_casdoor_radius_secret }}"