r/ouranos
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
b17cdada7c1ccda0878adf11b902af1e3285f5f6
ouranos/ansible/inventory/group_vars/all/vars.yml
Robert Helewka b17cdada7c refactor: migrate services from oberon to puck and extract oauth2-proxy role 
Move searxng, openwebui, mcp_switchboard, and hass services from
oberon.incus to puck.incus, consolidating service host variables
accordingly. Clean up oberon to only run alloy, docker, rabbitmq,
and smtp4dev.

Extract oauth2-proxy from a searxng-specific sidecar into a
standalone reusable role with generic naming, supporting multiple
proxy instances per host via parameterized systemd units and
config directories.

Refactor searxng role to use updated templates (settings.yml.j2,
limiter.toml.j2) and integrate with the new generic oauth2-proxy
role. Add Caddy reverse proxy configurations for puck-hosted
services.

Move searxng_oauth2_proxy_version to global vars for consistency.
2026-03-21 19:42:09 +00:00

125 lines
4.1 KiB
YAML
Raw Blame History

# Account Taxonomy
# keeper_user - Ansible/Terraform management account (sudo). Use {{ keeper_user }} in playbooks.
# watcher_user - Non-sudo observation account.
# principal_user - AI agent / human operator account (host-specific, defined in host_vars).
# NOTE: ansible.cfg retains 'remote_user = ponos' as the Ansible SSH built-in keyword.
# Never use {{ remote_user }} or {{ ansible_user }} as Jinja2 variables in playbooks.
keeper_user: ponos
keeper_uid: 519
keeper_group: ponos
keeper_home: /srv/ponos
watcher_user: poros
watcher_uid: 520
deployment_environment: "ouranos"
ansible_python_interpreter: /usr/bin/python3
# Incus configuration (matches terraform.tfvars)
incus_project_name: ouranos
incus_storage_pool: default
# Gitea Runner
act_runner_version: "0.2.13"
gitea_runner_instance_url: "https://gitea.ouranos.helu.ca"
# Release versions for staging playbooks
agent_s_rel: master
anythingllm_rel: master
athena_rel: main
athena_mcp_rel: main
argos_rel: master
arke_rel: main
angelia_rel: master
kairos_rel: master
kairos_mcp_rel: master
spelunker_rel: master
mcp_switchboard_rel: master
kernos_rel: master
rommie_rel: master
# PyPI release version (no 'v' prefix) - https://pypi.org/project/open-webui/
openwebui_rel: 0.8.3
pulseaudio_module_xrdp_rel:
searxng_oauth2_proxy_version: 7.6.0
# MCP URLs
argos_mcp_url: http://miranda.incus:25534/mcp
angelia_mcp_url: https://ouranos.helu.ca/mcp/
angelia_mcp_auth: "{{ vault_angelia_mcp_auth }}"
caliban_mcp_url: http://caliban.incus:22021/mcp
gitea_mcp_url: http://miranda.incus:25535/mcp
gitea_mcp_access_token: "{{ vault_gitea_mcp_access_token }}"
github_personal_access_token: "{{ vault_github_personal_access_token }}"
grafana_mcp_url: http://miranda.incus:25533/mcp
huggingface_mcp_token: "{{ vault_huggingface_mcp_token }}"
neo4j_mcp_url: http://circe.helu.ca:22034/mcp
nike_mcp_url: http://puck.incus:22031/mcp
korax_mcp_url: http://korax.helu.ca:22021/mcp
rommie_mcp_url: http://caliban.incus:22031/mcp
freecad_mcp_url: http://caliban.incus:22082/mcp
# Monitoring and Logging (internal endpoints on Prospero)
loki_url: http://prospero.incus:3100/loki/api/v1/push
prometheus_remote_write_url: http://prospero.incus:9090/api/v1/write
syslog_format: "rfc3164"
# Docker configuration
docker_gpg_key_url: https://download.docker.com/linux/debian/gpg
docker_gpg_key_path: /etc/apt/keyrings/docker.asc
docker_gpg_key_checksum: sha256:1500c1f56fa9e26b9b8f42452a553675796ade0807cdce11975eb98170b3a570
# RabbitMQ provisioning config
rabbitmq_vhosts:
- name: kairos
- name: spelunker
rabbitmq_users:
- name: kairos
password: "{{ kairos_rabbitmq_password }}"
tags: []
- name: mnemosyne
password: "{{ vault_mnemosyne_rabbitmq_password }}"
tags: []
- name: spelunker
password: "{{ spelunker_rabbitmq_password }}"
tags: []
rabbitmq_permissions:
- vhost: kairos
user: kairos
configure_priv: .*
read_priv: .*
write_priv: .*
- vhost: spelunker
user: spelunker
configure_priv: .*
read_priv: .*
write_priv: .*
# SMTP (smtp4dev on Oberon)
smtp_host: oberon.incus
smtp_port: 22025
smtp_from: noreply@ouranos.helu.ca
smtp_from_name: "Ouranos"
# Release directory paths
github_dir: ~/gh
repo_dir: ~/git
rel_dir: ~/rel
# Vault Variable Mappings
kairos_rabbitmq_password: "{{ vault_kairos_rabbitmq_password }}"
spelunker_rabbitmq_password: "{{ vault_spelunker_rabbitmq_password }}"
caliban_x11vnc_password: "{{ vault_caliban_x11vnc_password }}"
grafana_service_account_token: "{{ vault_grafana_service_account_token }}"
# Home Assistant
hass_metrics_token: "{{ vault_hass_metrics_token }}"
# Namecheap DNS API (for certbot DNS-01 validation)
namecheap_username: "{{ vault_namecheap_username }}"
namecheap_api_key: "{{ vault_namecheap_api_key }}"
# OAuth2-Proxy Vault Mappings (used for SearXNG auth)
# Note: These must be set in vault.yml after configuring Casdoor application
# vault_oauth2_proxy_client_id: "<from-casdoor-application>"
# vault_oauth2_proxy_client_secret: "<generate with: python3 -c 'import secrets; print(secrets.token_urlsafe(32))'>"
# vault_oauth2_proxy_cookie_secret: "<generate with: python3 -c 'import secrets; print(secrets.token_urlsafe(32))'>"
Reference in New Issue View Git Blame Copy Permalink