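---
# Titania Configuration - Proxy & SSO Services
# Services: alloy, certbot, docker, haproxy, postgresql_ssl, casdoor
#
# Variables for the host that terminates TLS for *.ouranos.helu.ca (HAProxy),
# renews the wildcard certificate (Certbot) and runs the Casdoor identity
# provider with its dedicated PostgreSQL instance.
# Secrets are referenced as vault_* variables only; keep it that way and never
# inline a literal secret in this file.

services:
  - alloy
  - certbot
  - docker
  - haproxy
  - postgresql_ssl
  - casdoor

# PostgreSQL SSL Configuration (dedicated database for identity services)
postgresql_ssl_postgres_password: "{{ vault_postgresql_ssl_postgres_password }}"
postgresql_ssl_port: 5432
postgresql_ssl_cert_path: /etc/postgresql/17/main/ssl/server.crt

# Alloy
alloy_log_level: "warn"
casdoor_syslog_port: 51401
haproxy_syslog_port: 51404

# Certbot Configuration (Let's Encrypt DNS-01 with Namecheap)
certbot_user: certbot
certbot_group: certbot
certbot_directory: /srv/certbot
certbot_email: webmaster@helu.ca
certbot_cert_name: ouranos.helu.ca
# The wildcard entry means one certificate/key pair covers every subdomain
# routed below.
certbot_domains:
  - "*.ouranos.helu.ca"
  - "ouranos.helu.ca"
prometheus_node_exporter_text_directory: /var/lib/prometheus/node-exporter

# HAProxy Configuration
haproxy_user: haproxy
haproxy_group: haproxy
haproxy_uid: 800
haproxy_gid: 800
haproxy_directory: /srv/haproxy
haproxy_http_port: 8080
haproxy_https_port: 8443
# NOTE(review): how the stats listener is bound and authenticated is not
# visible in this file - confirm it is not reachable from untrusted networks.
haproxy_stats_port: 8404
haproxy_domain: "ouranos.helu.ca"
# NOTE(review): presumably a combined certificate + private key bundle; file
# ownership and mode are set elsewhere - confirm only haproxy can read it.
haproxy_cert_path: /etc/haproxy/certs/ouranos.pem

# HAProxy TCP Backend Definitions (mode tcp passthrough)
# Passthrough forwards the raw TCP stream, so none of the HTTP-layer handling
# configured for haproxy_backends applies to these listeners.
haproxy_tcp_backends:
  - name: gitea_ssh
    listen_port: 22022
    backend_host: "rosalind.incus"
    backend_port: 22022

# HAProxy Backend Definitions
# Each entry publishes <subdomain>.ouranos.helu.ca and forwards to
# backend_host:backend_port; health_path is the path used for health checks.
# NOTE(review): this file names an OAuth2-Proxy only for searxng and
# jupyterlab. Whether the other backends (notably pgadmin, prometheus, loki,
# alertmanager and smtp4dev) enforce authentication themselves or are limited
# by network ACLs cannot be told from here - confirm for each entry.
# NOTE(review): whether HAProxy verifies the backend certificate for
# ssl_backend entries is decided by the role template, not here - confirm.
haproxy_backends:
  - subdomain: ""  # Root domain (ouranos.helu.ca)
    backend_host: "puck.incus"
    backend_port: 22281
    health_path: "/"
    # timeout_server: "50s"  # Optional override
  - subdomain: "id"  # Casdoor SSO (id.ouranos.helu.ca)
    backend_host: "titania.incus"
    backend_port: 22081
    health_path: "/api/health"
    redirect_root: "/login/heluca"  # Redirect root to branded org login page
  - subdomain: "openwebui"
    backend_host: "oberon.incus"
    backend_port: 22088
    health_path: "/"
  - subdomain: "anythingllm"
    backend_host: "rosalind.incus"
    backend_port: 22084
    health_path: "/api/ping"
  - subdomain: "arke"
    backend_host: "sycorax.incus"
    backend_port: 25540
    health_path: "/health"
  # SearXNG - routed through OAuth2-Proxy sidecar on Oberon
  - subdomain: "searxng"
    backend_host: "oberon.incus"
    backend_port: 22073
    health_path: "/ping"
  - subdomain: "pgadmin"
    backend_host: "prospero.incus"
    backend_port: 443
    health_path: "/misc/ping"
    ssl_backend: true
  - subdomain: "grafana"
    backend_host: "prospero.incus"
    backend_port: 443
    health_path: "/api/health"
    ssl_backend: true
  - subdomain: "prometheus"
    backend_host: "prospero.incus"
    backend_port: 443
    health_path: "/ping"
    ssl_backend: true
  - subdomain: "loki"
    backend_host: "prospero.incus"
    backend_port: 443
    health_path: "/ready"
    ssl_backend: true
  - subdomain: "alertmanager"
    backend_host: "prospero.incus"
    backend_port: 443
    health_path: "/-/healthy"
    ssl_backend: true
  - subdomain: "gitea"
    backend_host: "rosalind.incus"
    backend_port: 22082
    health_path: "/api/healthz"
    timeout_server: "120s"
  - subdomain: "lobechat"
    backend_host: "rosalind.incus"
    backend_port: 22081
    health_path: "/chat"
  - subdomain: "nextcloud"
    backend_host: "rosalind.incus"
    backend_port: 22083
    health_path: "/status.php"
  # NOTE(review): same backend_host/backend_port as the root-domain entry -
  # confirm the duplicate route is intended.
  - subdomain: "angelia"
    backend_host: "puck.incus"
    backend_port: 22281
    health_path: "/"
  - subdomain: "athena"
    backend_host: "puck.incus"
    backend_port: 22481
    health_path: "/ready/"
  - subdomain: "kairos"
    backend_host: "puck.incus"
    backend_port: 22581
    health_path: "/ready/"
  - subdomain: "icarlos"
    backend_host: "puck.incus"
    backend_port: 22681
    health_path: "/ready/"
  - subdomain: "mcp-switchboard"
    backend_host: "puck.incus"
    backend_port: 22781
    health_path: "/ready/"
  - subdomain: "spelunker"
    backend_host: "puck.incus"
    backend_port: 22881
    health_path: "/ready/"
  - subdomain: "peitho"
    backend_host: "puck.incus"
    backend_port: 22981
    health_path: "/ready/"
  - subdomain: "jupyterlab"
    backend_host: "puck.incus"
    backend_port: 22071  # OAuth2-Proxy port
    health_path: "/ping"
    timeout_server: "300s"  # WebSocket support
  - subdomain: "hass"
    backend_host: "oberon.incus"
    backend_port: 8123
    health_path: "/api/"
    timeout_server: "300s"  # WebSocket support for HA frontend
  - subdomain: "smtp4dev"
    backend_host: "oberon.incus"
    backend_port: 22085
    health_path: "/"

# Casdoor Configuration
casdoor_user: casdoor
casdoor_group: casdoor
casdoor_directory: /srv/casdoor

# Web Configuration
casdoor_port: 22081
# NOTE(review): `dev` run mode on the identity provider published at
# id.ouranos.helu.ca. Development modes commonly enable verbose error output;
# confirm whether `prod` is intended for this host.
casdoor_runmode: dev
casdoor_copyrequestbody: true
casdoor_drivername: postgres

# Database Configuration
casdoor_db_port: 5432
casdoor_db_name: casdoor
casdoor_db_user: casdoor
casdoor_db_password: "{{ vault_casdoor_db_password }}"
# NOTE(review): TLS is disabled for the Casdoor database connection although
# this host provisions postgresql_ssl with a server certificate. The database
# host is not set in this file; if the connection ever leaves the loopback
# interface, credentials and identity data travel in clear text - confirm, or
# switch to a verifying sslmode.
casdoor_db_sslmode: disable
casdoor_showsql: false

# Redis and Storage
casdoor_redis_endpoint: ""
casdoor_default_storage_provider: ""

# Authentication
casdoor_auth_state: "{{ vault_casdoor_auth_state }}"
# Origin must include port for internal OIDC endpoints to work correctly
# NOTE(review): the values below carry no explicit port (https implies 443)
# while HAProxy listens on haproxy_https_port 8443 - reconcile the comment
# above with the values, since the OIDC issuer and redirect URLs derive from
# the origin.
casdoor_origin: "https://id.ouranos.helu.ca"
casdoor_origin_frontend: "https://id.ouranos.helu.ca"

# Timeouts and Ports
casdoor_inactive_timeout_minutes: 60
# NOTE(review): port 0 presumably disables the LDAP/LDAPS listeners - confirm
# against the Casdoor role defaults.
casdoor_ldap_server_port: 0
casdoor_ldaps_cert_id: ""
casdoor_ldaps_server_port: 0
# NOTE(review): the RADIUS listener is configured on 1812 while LDAP is set to
# 0. If RADIUS is not used, consider disabling it; if it is, confirm the port
# is only reachable by the intended clients.
casdoor_radius_server_port: 1812
casdoor_radius_default_organization: "built-in"
casdoor_radius_secret: "{{ vault_casdoor_radius_secret }}"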