Robert Helewka
343b0e13d6
The renewal deploy-hook ran as the certbot user but lacked permissions to write the combined PEM to /etc/haproxy/certs and to reload HAProxy, causing silent failures that left a stale certificate in production until expiry. - Add certbot user to the haproxy group so it can write the combined PEM - Grant certbot NOPASSWD sudo for `systemctl reload haproxy` only - Make the Prometheus textfile directory group-owned by certbot (0775) so cert-metrics.sh can atomically update ssl_cert.prom - Refactor renewal-hook.sh to always refresh cert metrics on exit via a trap, ensuring expiry alerts fire when the hook itself is broken - Replace `set -e` with explicit error handling and structured logging
84 lines
2.9 KiB
YAML
84 lines
2.9 KiB
YAML
---
|
|
# Caliban Configuration - Agent Automation Host
|
|
# Services: caliban (Agent S), alloy, docker, kernos
|
|
|
|
services:
|
|
- alloy
|
|
- caliban
|
|
- docker
|
|
- freecad_mcp
|
|
- jupyterlab
|
|
- kernos
|
|
- rommie
|
|
|
|
# Account Taxonomy
|
|
# principal_user is the AI agent operator account on this host
|
|
principal_user: robert
|
|
principal_uid: 1000
|
|
|
|
# Alloy
|
|
alloy_log_level: "warn"
|
|
|
|
# Rommie MCP Server Configuration (Agent S GUI Automation)
|
|
rommie_port: 20361
|
|
rommie_host: "0.0.0.0"
|
|
rommie_display: ":10"
|
|
rommie_model: Qwen3.6-27B-Q5_K_M
|
|
rommie_model_url: "http://nyx.helu.ca:29000"
|
|
rommie_provider: "openai"
|
|
rommie_ground_provider: "huggingface"
|
|
rommie_ground_url: "http://pan.helu.ca:29000"
|
|
rommie_ground_model: "UI-TARS-7B-DPO-Q6_K_L.gguf"
|
|
rommie_grounding_width: 1024
|
|
rommie_grounding_height: 1024
|
|
# get_screenshot output for the parent agent (Agent S autonomous capture unaffected)
|
|
rommie_screenshot_jpeg_quality: 80
|
|
rommie_screenshot_max_kb: 512
|
|
|
|
# FreeCAD Robust MCP Server Configuration
|
|
freecad_mcp_user: harper
|
|
freecad_mcp_group: harper
|
|
freecad_mcp_directory: /srv/freecad-mcp
|
|
freecad_mcp_port: 22061
|
|
freecad_mcp_xmlrpc_port: 9875
|
|
freecad_mcp_socket_port: 9876
|
|
|
|
# FreeCAD MCP Bridge (GUI, runs as principal_user on the XRDP display)
|
|
freecad_mcp_bridge_directory: "/home/{{ principal_user }}/freecad-mcp-bridge"
|
|
freecad_mcp_bridge_display: ":10"
|
|
|
|
|
|
# JupyterLab Configuration
|
|
jupyterlab_user: robert
|
|
jupyterlab_group: robert
|
|
jupyterlab_notebook_dir: /home/robert/notebook
|
|
jupyterlab_venv_dir: /home/robert/env/jupyter
|
|
|
|
## Ports
|
|
jupyterlab_port: 22081 # JupyterLab (localhost only)
|
|
jupyterlab_proxy_port: 22071 # OAuth2-Proxy (exposed to HAProxy)
|
|
|
|
## OAuth2-Proxy Configuration
|
|
jupyterlab_oauth2_proxy_dir: /etc/oauth2-proxy-jupyter
|
|
jupyterlab_oauth2_proxy_version: "7.6.0"
|
|
jupyterlab_domain: "ouranos.helu.ca"
|
|
jupyterlab_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
|
|
jupyterlab_oauth2_redirect_url: "https://jupyterlab.ouranos.helu.ca/oauth2/callback"
|
|
|
|
## OAuth2 Credentials (from vault)
|
|
jupyterlab_oauth_client_id: "{{ vault_jupyterlab_oauth_client_id }}"
|
|
jupyterlab_oauth_client_secret: "{{ vault_jupyterlab_oauth_client_secret }}"
|
|
jupyterlab_oauth2_cookie_secret: "{{ vault_jupyterlab_oauth2_cookie_secret }}"
|
|
|
|
|
|
# Kernos MCP Shell Server Configuration
|
|
kernos_user: harper
|
|
kernos_group: harper
|
|
kernos_api_keys: "{{ vault_caliban_kernos_api_keys }}"
|
|
kernos_directory: /srv/kernos
|
|
kernos_port: 20261
|
|
kernos_host: "0.0.0.0"
|
|
kernos_log_level: INFO
|
|
kernos_log_format: json
|
|
kernos_environment: sandbox
|
|
kernos_allow_commands: "apt,awk,base64,bash,cat,chmod,cp,curl,cut,date,dd,df,dig,dmesg,docker,du,echo,env,file,find,free,git,grep,gunzip,gzip,head,host,hostname,id,ip,jq,kill,less,ln,ls,lsblk,lspci,lsusb,make,mkdir,mv,nc,node,nohup,npm,npx,ping,pip,pkill,pnpm,printenv,ps,pwd,python3,rm,rsync,run-captured,scp,sed,sleep,sort,source,ssh,ssh-keygen,ssh-keyscan,stat,sudo,tail,tar,tee,timeout,touch,tr,tree,uname,uniq,unzip,uptime,wc,wget,which,whoami,xargs,xz,zip" |