feat(infra): add Jellyfin media server configuration and logging support

Add Jellyfin service to ansible inventory with hardware
transcoding and Casdoor SSO configuration. Configure
Alloy syslog listener to capture Jellyfin logs to Loki.
Update documentation with new service mapping and S3
bucket credential retrieval instructions.
2026-05-04 15:33:25 -04:00
parent b9ce14ff77
commit f818b7917d
7 changed files with 392 additions and 6 deletions


@@ -126,6 +126,7 @@ Witty and resourceful moon for PHP, Go, and Node.js runtimes.
- LobeChat AI chat interface (port 22081)
- Nextcloud file sharing and collaboration (port 22083)
- AnythingLLM document AI workspace (port 22084)
- Jellyfin media server (port 22086, NVIDIA transcoding, Casdoor SSO)
- Nextcloud data on dedicated Incus storage volume
- Open WebUI LLM interface (port 22088, PostgreSQL backend on Portia
- Home Assistant (port 8123)
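Review bot: the Open WebUI entry in this hunk's context (`PostgreSQL backend on Portia`) is missing its closing parenthesis, so the list renders with an unbalanced paren; worth fixing while this list is being touched. The new Jellyfin line itself follows the format of its neighbours (port first, then notable options), and port 22086 agrees with the reverse-proxy row and the deploy-playbook row added elsewhere in this change.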
@@ -269,6 +270,7 @@ Titania provides TLS termination and reverse proxy for all services.
| `grafana.ouranos.helu.ca` | prospero.incus:443 (SSL) | Grafana |
| `hass.ouranos.helu.ca` | oberon.incus:8123 | Home Assistant |
| `id.ouranos.helu.ca` | titania.incus:22081 | Casdoor SSO |
| `jellyfin.ouranos.helu.ca` | rosalind.incus:22086 | Jellyfin |
| `icarlos.ouranos.helu.ca` | puck.incus:22681 | Icarlos (Django) |
| `jupyterlab.ouranos.helu.ca` | puck.incus:22071 | JupyterLab (OAuth2-Proxy) |
| `kairos.ouranos.helu.ca` | puck.incus:22581 | Kairos (Django) |
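Review bot: the new `jellyfin.ouranos.helu.ca` row is inserted between `id` and `icarlos`, which breaks the alphabetical order the table otherwise follows (`icarlos` already sits after `id`); move it to just before `jupyterlab`, and while you are there swap `icarlos` above `id`. The backend `rosalind.incus:22086` is plain HTTP like the other application rows, which is consistent with Titania doing TLS termination as the hunk header states; only the Grafana row is marked `(SSL)`.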
@@ -449,13 +451,45 @@ ansible-vault encrypt new_secrets.yml
Terraform provisions Incus S3 buckets for services requiring object storage:
| Service | Host | Purpose |
|---------|------|---------|
| **Casdoor** | Titania | User avatars and SSO resource storage |
| **LobeChat** | Rosalind | File uploads and attachments |
| Name | Description |
|---------------------|----------------------------------|
| `casdoor` | Casdoor file storage bucket |
| `daedalus` | Daedalus file storage bucket |
| `lobechat` | Lobechat file storage bucket |
| `mnemosyne-content` | Mnemosyne content storage bucket |
| `spelunker` | Spelunker file storage bucket |
> S3 credentials (access key, secret key, endpoint) are stored as sensitive Terraform outputs and managed in Ansible Vault with the `vault_*_s3_*` prefix.
### Retrieving S3 Bucket Credentials
The bucket credentials are declared as **sensitive** Terraform outputs, so a plain
`terraform output` will mask them. Use the `-json` (or `-raw`) flag to reveal the
values:
```bash
cd terraform
# List all outputs (sensitive values shown as <sensitive>)
terraform output
# Show a specific bucket's credentials as JSON
terraform output -json casdoor_s3_credentials
terraform output -json daedalus_s3_credentials
terraform output -json lobechat_s3_credentials
terraform output -json mnemosyne_s3_credentials
terraform output -json spelunker_s3_credentials
# Extract a single field (e.g. access_key) with jq
terraform output -json casdoor_s3_credentials | jq -r .access_key
terraform output -json casdoor_s3_credentials | jq -r .secret_key
terraform output -json casdoor_s3_credentials | jq -r .endpoint
```
Each `*_s3_credentials` output contains `bucket`, `access_key`, `secret_key`, and
`endpoint`. Copy these into `inventory/group_vars/all/vault.yml` as
`vault_<service>_s3_access_key`, `vault_<service>_s3_secret_key`, etc.
---
## Ansible Automation
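Review bot: the "(or `-raw`)" in the intro of the new "Retrieving S3 Bucket Credentials" section is wrong for these outputs: `terraform output -raw` only accepts an output whose value is a single string, number or boolean, and each `*_s3_credentials` output is an object holding `bucket`, `access_key`, `secret_key` and `endpoint`, so `terraform output -raw casdoor_s3_credentials` will fail; either drop the `-raw` mention or say it applies only after a single field has been selected (which the `-json ... | jq -r` lines already do). Two further points. First, the `jq -r .secret_key` examples print the secret to the terminal and leave it in scrollback and shell history; a sentence suggesting readers paste the value straight into the vault file (`ansible-vault edit inventory/group_vars/all/vault.yml`) rather than leave it on screen would fit the operational register of this section. Second, the two tables are inconsistent and run together: the `Service | Host | Purpose` table lists only Casdoor and LobeChat while the `Name | Description` table lists five buckets (`casdoor`, `daedalus`, `lobechat`, `mnemosyne-content`, `spelunker`), and with no blank line between them Markdown will render them as one malformed table; either merge them into a single table with a Host column for all five buckets, or separate them with a blank line and a sentence explaining why only two have a host listed. The output name `mnemosyne_s3_credentials` against the bucket name `mnemosyne-content` is also worth confirming against the Terraform output definitions.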
@@ -498,6 +532,7 @@ Services with standalone deploy playbooks (not in `site.yml`):
| `gitea_mcp/deploy.yml` | Miranda | Gitea MCP Server |
| `gitea_runner/deploy.yml` | Puck | Gitea CI/CD runner |
| `grafana_mcp/deploy.yml` | Miranda | Grafana MCP Server |
| `jellyfin/deploy.yml` | Rosalind | Jellyfin media server |
| `jupyterlab/deploy.yml` | Puck | JupyterLab + OAuth2-Proxy |
| `kernos/deploy.yml` | Caliban | Kernos MCP shell server |
| `lobechat/deploy.yml` | Rosalind | LobeChat AI chat |
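Review bot: the `jellyfin/deploy.yml` row is in the right alphabetical slot and names the same host (Rosalind) as the reverse-proxy table. One gap: the commit message says this change also configures an Alloy syslog listener so Jellyfin logs land in Loki, but none of the documentation hunks mention it; a short note in the Jellyfin entries (which host runs the listener and on which port Jellyfin sends syslog) would save the next operator a trip through the playbook.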