ouranos/ansible/inventory/group_vars/all/vars.yml

# Account Taxonomy
# keeper_user  - Ansible/Terraform management account (sudo). Use {{ keeper_user }} in playbooks.
# watcher_user - Non-sudo observation account.
# principal_user - AI agent / human operator account (host-specific, defined in host_vars).
# NOTE: ansible.cfg retains 'remote_user = ponos' as the Ansible SSH built-in keyword.
#       Never use {{ remote_user }} or {{ ansible_user }} as Jinja2 variables in playbooks.
keeper_user: robert
keeper_uid: 1000
keeper_group: robert
keeper_home: /srv/ponos
watcher_user: poros
watcher_uid: 520
deployment_environment: "agathos"
ansible_python_interpreter: /usr/bin/python3

# Incus configuration (matches terraform.tfvars)
incus_project_name: agathos
incus_storage_pool: default

# Gitea Runner
act_runner_version: "0.2.13"
gitea_runner_instance_url: "https://gitea.ouranos.helu.ca"

# Release versions for staging playbooks
anythingllm_rel: master
athena_rel: master
athena_mcp_rel: master
argos_rel: master
arke_rel: master
angelia_rel: master
kairos_rel: master
kairos_mcp_rel: master
spelunker_rel: master
mcp_switchboard_rel: master
kernos_rel: master
# PyPI release version (no 'v' prefix) - https://pypi.org/project/open-webui/
openwebui_rel: 0.8.3

# MCP URLs
argos_mcp_url: http://miranda.incus:25534/mcp
angelia_mcp_url: https://ouranos.helu.ca/mcp/
angelia_mcp_auth: "{{ vault_angelia_mcp_auth }}"
caliban_mcp_url: http://caliban.incus:22021/mcp
gitea_mcp_url: http://miranda.incus:25535/mcp
gitea_mcp_access_token: "{{ vault_gitea_mcp_access_token }}"
github_personal_access_token: "{{ vault_github_personal_access_token }}"
grafana_mcp_url: http://miranda.incus:25533/mcp
huggingface_mcp_token: "{{ vault_huggingface_mcp_token }}"
neo4j_mcp_url: http://circe.helu.ca:22034/mcp
nike_mcp_url: http://puck.incus:22031/mcp
korax_mcp_url: http://korax.helu.ca:22021/mcp
rommie_mcp_url: http://caliban.incus:22031/mcp

# Monitoring and Logging (internal endpoints on Prospero)
loki_url: http://prospero.incus:3100/loki/api/v1/push
prometheus_remote_write_url: http://prospero.incus:9090/api/v1/write
syslog_format: "rfc3164"
# Docker configuration
docker_gpg_key_url: https://download.docker.com/linux/debian/gpg
docker_gpg_key_path: /etc/apt/keyrings/docker.asc
docker_gpg_key_checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570

# RabbitMQ provisioning config
rabbitmq_vhosts:
  - name: kairos
  - name: spelunker

rabbitmq_users:
  - name: kairos
    password: "{{ kairos_rabbitmq_password }}"
    tags: []
  - name: spelunker
    password: "{{ spelunker_rabbitmq_password }}"
    tags: []

rabbitmq_permissions:
  - vhost: kairos
    user: kairos
    configure_priv: .*
    read_priv: .*
    write_priv: .*
  - vhost: spelunker
    user: spelunker
    configure_priv: .*
    read_priv: .*
    write_priv: .*

# SMTP (smtp4dev on Oberon)
smtp_host: oberon.incus
smtp_port: 22025
smtp_from: noreply@ouranos.helu.ca
smtp_from_name: "Agathos"

# Release directory paths
github_dir: ~/gh
repo_dir: ~/dv
rel_dir: ~/rel

# Vault Variable Mappings
kairos_rabbitmq_password: "{{ vault_kairos_rabbitmq_password }}"
spelunker_rabbitmq_password: "{{ vault_spelunker_rabbitmq_password }}"
caliban_x11vnc_password: "{{ vault_caliban_x11vnc_password }}"
grafana_service_account_token: "{{ vault_grafana_service_account_token }}"

# Home Assistant
hass_metrics_token: "{{ vault_hass_metrics_token }}"

# Namecheap DNS API (for certbot DNS-01 validation)
namecheap_username: "{{ vault_namecheap_username }}"
namecheap_api_key: "{{ vault_namecheap_api_key }}"

# OAuth2-Proxy Vault Mappings (used for SearXNG auth)
# Note: These must be set in vault.yml after configuring Casdoor application
# vault_oauth2_proxy_client_id: "<from-casdoor-application>"
# vault_oauth2_proxy_client_secret: "<generate with: python3 -c 'import secrets; print(secrets.token_urlsafe(32))'>"
# vault_oauth2_proxy_cookie_secret: "<generate with: python3 -c 'import secrets; print(secrets.token_urlsafe(32))'>"