ouranos/ansible/inventory/host_vars/titania.incus.yml
Robert Helewka 0f21380fd0 refactor: remove HAProxy from Prospero, centralize TLS on Titania
Move TLS termination and reverse proxying entirely to Titania's
HAProxy, eliminating the redundant HAProxy instance on Prospero.
Backends now communicate over plain HTTP within the internal network.

- Remove HAProxy container, config, certs, and syslog from Prospero
- Remove ssl_backend flags from Titania backend definitions
- Replace pplg_haproxy_* vars with single pplg_domain variable
- Remove HAProxy syslog source from Alloy config
- Update OAuth2-Proxy to listen on all interfaces for Titania access
2026-04-08 17:57:09 +00:00


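---
# Titania Configuration - Proxy & SSO Services
# Services: alloy, certbot, docker, haproxy, postgresql_ssl, casdoor
#
# `services` is presumably the list of roles the playbook applies to this
# host — verify against the site playbook. Sequences in this file use the
# indented style (yamllint/Prettier default); keep new entries consistent.
services:
  - alloy
  - certbot
  - docker
  - haproxy
  - postgresql_ssl
  - casdoor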
# PostgreSQL SSL Configuration (dedicated database for identity services)
# The superuser password is pulled from the vault, never written here in clear.
postgresql_ssl_postgres_password: "{{ vault_postgresql_ssl_postgres_password }}"
postgresql_ssl_port: 5432
# Server certificate the postgresql_ssl role presents to clients; the matching
# key path is not set in this file, so it presumably comes from role defaults.
postgresql_ssl_cert_path: /etc/postgresql/17/main/ssl/server.crt
# Alloy
alloy_log_level: "warn"
# Syslog listener ports, presumably one Alloy source per local service
# (casdoor, haproxy) — verify against the Alloy config template.
casdoor_syslog_port: 51401
haproxy_syslog_port: 51404
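# Certbot Configuration (Let's Encrypt DNS-01 with Namecheap)
certbot_user: certbot
certbot_group: certbot
certbot_directory: /srv/certbot
certbot_email: webmaster@helu.ca
certbot_cert_name: ouranos.helu.ca
# NOTE(review): not a certbot setting — presumably the node-exporter textfile
# collector directory used by one of the roles on this host; confirm which.
prometheus_node_exporter_text_directory: /var/lib/prometheus/node-exporter
# One wildcard certificate covering the apex and every subdomain routed by
# HAProxy below. The glob is quoted: an unquoted `*` would be read as a YAML
# alias.
certbot_certificates:
  - cert_name: wildcard.ouranos.helu.ca
    domains: ["*.ouranos.helu.ca", "ouranos.helu.ca"]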
# HAProxy Configuration
# HAProxy is the single TLS-terminating entry point for *.ouranos.helu.ca
# (see the commit message); backends are reached over plain HTTP.
haproxy_user: haproxy
haproxy_group: haproxy
haproxy_uid: 800
haproxy_gid: 800
haproxy_directory: /srv/haproxy
# Listener ports; presumably published as 80/443 in front of the container —
# confirm with the container/port-forward definition.
haproxy_http_port: 8080
haproxy_https_port: 8443
# Stats endpoint — confirm it is not reachable from outside the internal
# network, as it exposes backend names and health state.
haproxy_stats_port: 8404
haproxy_domain: "ouranos.helu.ca"
# Combined cert+key bundle in HAProxy's PEM format (path inside the container).
haproxy_cert_path: /etc/haproxy/certs/ouranos.pem
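# HAProxy TCP Backend Definitions (mode tcp passthrough)
# Each entry: listen_port on Titania is forwarded as-is to backend_host:backend_port.
# No TLS termination happens for these; the protocol (here SSH) does its own.
haproxy_tcp_backends:
  - name: gitea_ssh
    listen_port: 22022
    backend_host: "rosalind.incus"
    backend_port: 22022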
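# HAProxy Backend Definitions
#
# Each entry routes <subdomain>.ouranos.helu.ca (the root domain when
# subdomain is "") to backend_host:backend_port over plain HTTP on the internal
# network — TLS ends at Titania (ssl_backend flags were removed in this commit).
# Keys:
#   subdomain      host prefix matched by HAProxy
#   backend_host   internal hostname of the service
#   backend_port   HTTP port on that host
#   health_path    path polled for the health check
#   timeout_server optional per-backend override (quoted string with unit)
#   redirect_root  optional path the bare root of the subdomain redirects to
haproxy_backends:
  - subdomain: ""  # Root domain (ouranos.helu.ca)
    backend_host: "puck.incus"
    backend_port: 22281
    health_path: "/"
    # timeout_server: "50s" # Optional override
  - subdomain: "id"  # Casdoor SSO (id.ouranos.helu.ca)
    backend_host: "titania.incus"
    backend_port: 22081
    health_path: "/api/health"
    redirect_root: "/login/heluca"  # Redirect root to branded org login page
  - subdomain: "openwebui"
    backend_host: "rosalind.incus"
    backend_port: 22088
    health_path: "/"
  - subdomain: "anythingllm"
    backend_host: "rosalind.incus"
    backend_port: 22084
    health_path: "/api/ping"
  - subdomain: "arke"
    backend_host: "sycorax.incus"
    backend_port: 25540
    health_path: "/health"
  # SearXNG - routed through OAuth2-Proxy sidecar on Oberon
  # NOTE(review): the comment above says Oberon but backend_host is
  # rosalind.incus — confirm which host runs the sidecar and fix the other.
  - subdomain: "searxng"
    backend_host: "rosalind.incus"
    backend_port: 22079
    health_path: "/ping"
  - subdomain: "pgadmin"
    backend_host: "prospero.incus"
    backend_port: 5050
    health_path: "/misc/ping"
  - subdomain: "grafana"
    backend_host: "prospero.incus"
    backend_port: 3000
    health_path: "/api/health"
  - subdomain: "prometheus"
    backend_host: "prospero.incus"
    backend_port: 9091  # OAuth2-Proxy sidecar (skips auth for /api/v1/write and /ping)
    health_path: "/ping"
  - subdomain: "loki"
    backend_host: "prospero.incus"
    backend_port: 3100
    health_path: "/ready"
  - subdomain: "alertmanager"
    backend_host: "prospero.incus"
    backend_port: 9093
    health_path: "/-/healthy"
  - subdomain: "gitea"
    backend_host: "rosalind.incus"
    backend_port: 22082
    health_path: "/api/healthz"
  - subdomain: "daedalus"
    backend_host: "puck.incus"
    backend_port: 20080
    health_path: "/api/health"
    timeout_server: "120s"
  - subdomain: "lobechat"
    backend_host: "rosalind.incus"
    backend_port: 22081
    health_path: "/chat"
  - subdomain: "mnemosyne"
    backend_host: "puck.incus"
    backend_port: 23181
    health_path: "/ready/"
  - subdomain: "nextcloud"
    backend_host: "rosalind.incus"
    backend_port: 22083
    health_path: "/status.php"
  # NOTE(review): same backend as the root domain entry — confirm this alias
  # is intended rather than a leftover.
  - subdomain: "angelia"
    backend_host: "puck.incus"
    backend_port: 22281
    health_path: "/"
  - subdomain: "athena"
    backend_host: "puck.incus"
    backend_port: 22481
    health_path: "/ready/"
  - subdomain: "kairos"
    backend_host: "puck.incus"
    backend_port: 22581
    health_path: "/ready/"
  - subdomain: "icarlos"
    backend_host: "puck.incus"
    backend_port: 22681
    health_path: "/ready/"
  - subdomain: "mcp-switchboard"
    backend_host: "puck.incus"
    backend_port: 22781
    health_path: "/ready/"
  - subdomain: "nike"
    backend_host: "puck.incus"
    backend_port: 20681
    health_path: "/ready/"
  - subdomain: "periplus"
    backend_host: "puck.incus"
    backend_port: 20581
    health_path: "/ready/"
  - subdomain: "spelunker"
    backend_host: "puck.incus"
    backend_port: 22881
    health_path: "/ready/"
  - subdomain: "peitho"
    backend_host: "puck.incus"
    backend_port: 22981
    health_path: "/ready/"
  - subdomain: "jupyterlab"
    backend_host: "puck.incus"
    backend_port: 22071  # OAuth2-Proxy port
    health_path: "/ping"
    timeout_server: "300s"  # WebSocket support
  - subdomain: "hass"
    backend_host: "oberon.incus"
    backend_port: 8123
    health_path: "/api/"
    timeout_server: "300s"  # WebSocket support for HA frontend
  - subdomain: "freecad-mcp"
    backend_host: "caliban.incus"
    backend_port: 22032
    health_path: "/mcp"
    timeout_server: "300s"  # SSE streaming support for MCP
  - subdomain: "rommie"
    backend_host: "caliban.incus"
    backend_port: 22031
    health_path: "/mcp"
    timeout_server: "300s"  # SSE streaming support for MCP
  - subdomain: "smtp4dev"
    backend_host: "oberon.incus"
    backend_port: 22085
    health_path: "/"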
# Casdoor Configuration
casdoor_user: casdoor
casdoor_group: casdoor
casdoor_directory: /srv/casdoor
# Web Configuration
# Matches the backend_port of the "id" HAProxy entry above.
casdoor_port: 22081
# NOTE(review): "dev" runmode on the host that serves id.ouranos.helu.ca —
# confirm this is intended for the deployed environment.
casdoor_runmode: dev
casdoor_copyrequestbody: true
casdoor_drivername: postgres
# Database Configuration
casdoor_db_port: 5432
casdoor_db_name: casdoor
casdoor_db_user: casdoor
casdoor_db_password: "{{ vault_casdoor_db_password }}"
# NOTE(review): sslmode is disabled although postgresql_ssl runs on this host
# with a server certificate (postgresql_ssl_cert_path). If the connection stays
# host-local that may be acceptable; otherwise prefer verify-full.
casdoor_db_sslmode: disable
casdoor_showsql: false
# Redis and Storage
casdoor_redis_endpoint: ""
casdoor_default_storage_provider: ""
# Authentication
casdoor_auth_state: "{{ vault_casdoor_auth_state }}"
# Origin must include port for internal OIDC endpoints to work correctly
# NOTE(review): the line above says a port is required, but neither value
# below carries one — confirm which is current and drop the stale one.
casdoor_origin: "https://id.ouranos.helu.ca"
casdoor_origin_frontend: "https://id.ouranos.helu.ca"
# Timeouts and Ports
casdoor_inactive_timeout_minutes: 60
# LDAP/LDAPS listeners are disabled (port 0); RADIUS stays enabled on 1812.
casdoor_ldap_server_port: 0
casdoor_ldaps_cert_id: ""
casdoor_ldaps_server_port: 0
casdoor_radius_server_port: 1812
casdoor_radius_default_organization: "built-in"
casdoor_radius_secret: "{{ vault_casdoor_radius_secret }}"
# OAuth2
# Per-application client credentials registered in Casdoor; all values come
# from the vault. Note the vault key naming is not uniform (oauth vs oauth2).
angelia_oauth2_client_id: "{{ vault_angelia_oauth_client_id }}"
angelia_oauth2_client_secret: "{{ vault_angelia_oauth_client_secret }}"
athena_oauth2_client_id: "{{ vault_athena_oauth_client_id }}"
athena_oauth2_client_secret: "{{ vault_athena_oauth_client_secret }}"
daedalus_oauth2_client_id: "{{ vault_daedalus_oauth2_client_id }}"
daedalus_oauth2_client_secret: "{{ vault_daedalus_oauth2_client_secret }}"
gitea_oauth2_client_id: "{{ vault_gitea_oauth_client_id }}"
gitea_oauth2_client_secret: "{{ vault_gitea_oauth_client_secret }}"
jupyterlab_oauth2_client_id: "{{ vault_jupyterlab_oauth_client_id }}"
jupyterlab_oauth2_client_secret: "{{ vault_jupyterlab_oauth_client_secret }}"
# NOTE(review): kairos reuses athena's client id/secret. Confirm this is
# intentional — a shared client couples the two apps' redirect URIs and
# means revoking one revokes both.
kairos_oauth2_client_id: "{{ vault_athena_oauth_client_id }}"
kairos_oauth2_client_secret: "{{ vault_athena_oauth_client_secret }}"
openwebui_oauth2_client_id: "{{ vault_openwebui_oauth_client_id }}"
openwebui_oauth2_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
searxng_oauth2_client_id: "{{ vault_searxng_oauth2_client_id }}"
searxng_oauth2_client_secret: "{{ vault_searxng_oauth2_client_secret }}"
spelunker_oauth2_client_id: "{{ vault_spelunker_oauth_client_id }}"
spelunker_oauth2_client_secret: "{{ vault_spelunker_oauth_client_secret }}"