Introduce structured journal relabel rules on puck to tag Pallas-managed
units with {service, project, component} labels matching the Mnemosyne
and Daedalus schema. Add kottos release variable and vault secrets
example entries for the new Pallas FastAgent runtime.
Remove the defunct mnemosyne syslog listener now that Mnemosyne ships
JSON logs via the docker-socket pipeline.
- Add Jellyfin backend to HAProxy configuration on titania.incus
- Simplify deployment by using community.docker.docker_compose_v2 module
- Consolidate handlers and remove redundant Docker commands
- Update Jellyfin systemd service from oneshot to simple type
- Remove PUID/PGID environment variables from docker-compose template
Add Jellyfin service to ansible inventory with hardware
transcoding and Casdoor SSO configuration. Configure
Alloy syslog listener to capture Jellyfin logs to Loki.
Update documentation with new service mapping and S3
bucket credential retrieval instructions.
- Configure mnemosyne database credentials in ansible inventory
- Update postgresql playbook to provision user and database
- Add setup instructions and DB list to documentation
Enable JupyterLab on caliban host and disable it on puck host.
This migration updates the Ansible inventory host_vars to reflect
the new service distribution across the infrastructure.
Update variable references in the prospero.incus.yml inventory file to remove the redundant _oauth2 suffix from vault keys. This aligns the ansible configuration with the updated secret naming convention.
- Add repo URLs and conditional clone tasks for Agent-S, pulseaudio-module-xrdp, and rommie repositories
- Create required directories (github_dir and repo_dir) before cloning
- Update fetch/pull commands to only execute when repositories are not freshly cloned
- Fix vault variable naming inconsistencies in host_vars files (rosalind.incus.yml, titania.incus.yml)
Add pgadmin_oauth_client_id and pgadmin_oauth_client_secret variables to the titania inventory. This enables OAuth2 authentication for pgAdmin on the titania host.
Add comprehensive terraform import documentation for Incus resources.
Includes syntax for importing containers with for_each keys, retrieving
image fingerprints, and specific import commands for Uranian hosts.
Covers troubleshooting for common import issues and state verification.
Removes obsolete korax.helu.ca host from ansible inventory.
Move TLS termination and reverse proxying entirely to Titania's
HAProxy, eliminating the redundant HAProxy instance on Prospero.
Backends now communicate over plain HTTP within the internal network.
- Remove HAProxy container, config, certs, and syslog from Prospero
- Remove ssl_backend flags from Titania backend definitions
- Replace pplg_haproxy_* vars with single pplg_domain variable
- Remove HAProxy syslog source from Alloy config
- Update OAuth2-Proxy to listen on all interfaces for Titania access
- Upgrade rommie model from Qwen3-VL-30B-A3B to Qwen3.5-35B-A3B-UD-Q4_K_XL
and update model URL port to 22079
- Reassign freecad_mcp_port (22032 -> 22063) and kernos_port
(20201 -> 22062) for consistent port numbering
- Flush handlers before health check to ensure systemd reload
completes before verifying the endpoint
- Update expected MCP health check status code from 405 to 406
Move searxng, openwebui, mcp_switchboard, and hass services from
oberon.incus to puck.incus, consolidating service host variables
accordingly. Clean up oberon to only run alloy, docker, rabbitmq,
and smtp4dev.
Extract oauth2-proxy from a searxng-specific sidecar into a
standalone reusable role with generic naming, supporting multiple
proxy instances per host via parameterized systemd units and
config directories.
Refactor searxng role to use updated templates (settings.yml.j2,
limiter.toml.j2) and integrate with the new generic oauth2-proxy
role. Add Caddy reverse proxy configurations for puck-hosted
services.
Move searxng_oauth2_proxy_version to global vars for consistency.
- Updated vault.yml.example to include Athena secrets: secret key, DB password, OAuth client ID, and client secret.
- Modified puck.incus.yml to add Athena service and configuration details, including user, group, directory, port, and domain.
- Updated titania.incus.yml to change OAuth client ID and secret variable names for consistency with Athena.
- Added Athena configuration to mcpo config template, including URL and authorization headers.
- Updated HAProxy configuration template to reflect changes for the Taurus Production Environment, including SSL settings and rate limiting for specific endpoints.
- Introduced new playbooks for certificate distribution and validation with OCI Vault, ensuring certificates are correctly managed and renewed.
- Added hooks for uploading renewed certificates to OCI Vault and validating their integrity.
- Enhanced the HAProxy configuration playbook to ensure proper service management and verification of the HAProxy service.
- Updated inventory variables for certificate management and ensured compatibility with the new structure.
- Updated user addition tasks across multiple playbooks (mcp_switchboard, mcpo, neo4j, neo4j_mcp, openwebui, postgresql, rabbitmq, searxng, smtp4dev) to replace references to ansible_user and remote_user with keeper_user.
- Modified PostgreSQL deployment to create directories and manage files under keeper_user's home.
- Enhanced documentation to clarify account taxonomy and usage of keeper_user in playbooks.
- Introduced new deployment for Agent S, including environment setup, desktop environment installation, XRDP configuration, and accessibility support.
- Added staging playbook for preparing release tarballs from local repositories.
- Created templates for XRDP configuration and environment activation scripts.
- Removed obsolete sunwait documentation.
Replaces the minimal project description with a comprehensive README
including a component overview table, quick start instructions, common
Ansible operations, and links to detailed documentation. Aligns with
Red Panda Approval™ standards.
