ouranos/ansible/inventory/host_vars/rosalind.incus.yml
Robert Helewka b17cdada7c refactor: migrate services from oberon to puck and extract oauth2-proxy role
Move searxng, openwebui, mcp_switchboard, and hass services from
oberon.incus to puck.incus, consolidating service host variables
accordingly. Clean up oberon to only run alloy, docker, rabbitmq,
and smtp4dev.

Extract oauth2-proxy from a searxng-specific sidecar into a
standalone reusable role with generic naming, supporting multiple
proxy instances per host via parameterized systemd units and
config directories.

Refactor searxng role to use updated templates (settings.yml.j2,
limiter.toml.j2) and integrate with the new generic oauth2-proxy
role. Add Caddy reverse proxy configurations for puck-hosted
services.

Move searxng_oauth2_proxy_version to global vars for consistency.
2026-03-21 19:42:09 +00:00


---
# Rosalind Configuration - GO, Node.js, PHP Apps
# Roles applied to this host. docker and memcached have no host-specific
# variables in this file (presumably role defaults apply — verify).
# NOTE(review): the commit description moves openwebui, hass and searxng to
# puck.incus, yet all three are still listed here — confirm these entries
# are current for rosalind.
services:
- alloy
- anythingllm
- docker
- gitea
- lobechat
- memcached
- nextcloud
- openwebui
- hass
- searxng
# Alloy
alloy_log_level: "warn"
# Per-service syslog listener ports; presumably Alloy receives these
# services' logs on them — verify against the alloy role's templates.
lobechat_syslog_port: 51461
searxng_syslog_port: 51403
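# AnythingLLM Configuration
anythingllm_user: anythingllm
anythingllm_group: anythingllm
anythingllm_directory: /srv/anythingllm
anythingllm_port: 22084
# AnythingLLM Database (Portia PostgreSQL)
anythingllm_db_host: portia.incus
anythingllm_db_port: 5432
anythingllm_db_name: anythingllm
anythingllm_db_user: anythingllm
anythingllm_db_password: "{{ vault_anythingllm_db_password }}"
# AnythingLLM Security
anythingllm_jwt_secret: "{{ vault_anythingllm_jwt_secret }}"
anythingllm_sig_key: "{{ vault_anythingllm_sig_key }}"
anythingllm_sig_salt: "{{ vault_anythingllm_sig_salt }}"
# AnythingLLM LLM Provider (Generic OpenAI / llama-cpp)
# Plain HTTP to the inference endpoint: the API key below is sent in clear
# on every request, so this is acceptable only if nyx.helu.ca is reached
# over a trusted network — confirm.
anythingllm_llm_base_url: "http://nyx.helu.ca:25540/v1"
anythingllm_llm_model: "global.anthropic.claude-opus-4-6-v1"
anythingllm_llm_token_limit: 200000
# This key was previously committed to the repository as a plaintext literal.
# Anything that has been in VCS history must be treated as exposed: rotate
# the key at the provider, then store the replacement in the vault as
# vault_anythingllm_llm_api_key (same vault_<service>_<secret> naming as the
# other references in this stanza). The vault entry must exist before the
# next run, or templating this variable fails.
anythingllm_llm_api_key: "{{ vault_anythingllm_llm_api_key }}"
# AnythingLLM Embedding
anythingllm_embedding_engine: "generic-openai"
anythingllm_embedding_model: "Qwen3-Embedding-0.6B-Q8_0"
# AnythingLLM TTS (FastKokoro)
anythingllm_tts_provider: "openai"
# Placeholder value; presumably the TTS endpoint does not authenticate and
# the OpenAI-compatible client only needs a non-empty string — verify.
anythingllm_tts_api_key: "not-needed"
anythingllm_tts_endpoint: "http://pan.helu.ca:22070/v1"
anythingllm_tts_model: "kokoro"
anythingllm_tts_voice: "am_echo"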
# Gitea User and Directories
gitea_user: git
gitea_group: git
gitea_home_dir: /srv/git
gitea_work_dir: /var/lib/gitea
gitea_data_dir: /var/lib/gitea/data
gitea_lfs_dir: /var/lib/gitea/data/lfs
# Repositories live on a separate mount, outside the work/data dirs above
gitea_repo_root: /mnt/dv
gitea_config_file: /etc/gitea/app.ini
# Ports
gitea_web_port: 22082
gitea_ssh_port: 22022
gitea_metrics_port: 22092
# Network
gitea_domain: ouranos.helu.ca
gitea_root_url: https://gitea.ouranos.helu.ca/
# Database Configuration
gitea_db_type: postgres
gitea_db_host: portia.incus
gitea_db_port: 5432
gitea_db_name: gitea
gitea_db_user: gitea
gitea_db_password: "{{vault_gitea_db_password}}"
# NOTE(review): no TLS on the connection to portia.incus — the DB password
# and repository metadata cross the network in clear. Acceptable only if
# that network is trusted; otherwise use require / verify-full.
gitea_db_ssl_mode: disable
# Features
gitea_lfs_enabled: true
# Presumably the metrics endpoint is gated by gitea_metrics_token below — verify
gitea_metrics_enabled: true
# Service Settings
gitea_disable_registration: true # Use Casdoor SSO instead
# Anonymous visitors may browse public repositories without signing in
gitea_require_signin_view: false
# Security (vault secrets)
gitea_secret_key: "{{vault_gitea_secret_key}}"
gitea_lfs_jwt_secret: "{{vault_gitea_lfs_jwt_secret}}"
gitea_metrics_token: "{{vault_gitea_metrics_token}}"
# OAuth2 (Casdoor SSO)
gitea_oauth_enabled: true
gitea_oauth_name: "casdoor"
gitea_oauth_display_name: "Sign in with Casdoor"
gitea_oauth_client_id: "{{vault_gitea_oauth_client_id}}"
gitea_oauth_client_secret: "{{vault_gitea_oauth_client_secret}}"
# Auth URL uses external HAProxy address (user's browser)
gitea_oauth_auth_url: "https://id.ouranos.helu.ca/login/oauth/authorize"
# Token and userinfo URLs (server-to-server) currently use the same public
# id.ouranos.helu.ca address as the auth URL, so they also go out via HAProxy.
# NOTE(review): the previous comment claimed an internal Casdoor address; if
# that is the intent (cf. lobechat_auth_casdoor_issuer), these two need updating.
gitea_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
gitea_oauth_userinfo_url: "https://id.ouranos.helu.ca/api/userinfo"
gitea_oauth_scopes: "openid profile email"
# Home Assistant Configuration
# NOTE(review): the commit description moves hass to puck.incus — confirm
# this stanza is still meant to apply to rosalind.
hass_user: hass
hass_group: hass
hass_directory: /srv/hass
hass_media_directory: /srv/hass/media
hass_port: 8123
# Quoted so the version is kept as a string, not parsed as a float
hass_version: "2026.2.0"
# Recorder database (Portia PostgreSQL)
hass_db_host: portia.incus
hass_db_port: 5432
hass_db_name: hass
hass_db_user: hass
hass_db_password: "{{ vault_hass_db_password }}"
hass_metrics_token: "{{ vault_hass_metrics_token }}"
# LobeChat Configuration
lobechat_user: lobechat
lobechat_group: lobechat
lobechat_directory: /srv/lobechat
lobechat_port: 22081
# Database Configuration
lobechat_db_host: portia.incus
lobechat_db_port: 5432
lobechat_db_name: lobechat
lobechat_db_user: lobechat
lobechat_db_password: "{{vault_lobechat_db_password}}"
lobechat_key_vaults_secret: "{{vault_lobechat_key_vaults_secret}}"
# Authentication
# NEXTAUTH_URL must be the public URL users access (not internal)
lobechat_nextauth_url: https://lobechat.ouranos.helu.ca
lobechat_next_auth_secret: "{{vault_lobechat_next_auth_secret}}"
lobechat_next_auth_sso_providers: casdoor
# Issuer must match exactly what Casdoor returns in .well-known/openid-configuration
# NOTE(review): plain HTTP issuer — the OIDC token exchange travels in clear
# on the internal network. The port is the same number as lobechat_port
# above; confirm 22081 is really Casdoor's listener on titania and not a
# copy-paste of the LobeChat port.
lobechat_auth_casdoor_issuer: http://titania.incus:22081
lobechat_auth_casdoor_id: "{{vault_lobechat_auth_casdoor_id}}"
lobechat_auth_casdoor_secret: "{{vault_lobechat_auth_casdoor_secret}}"
# S3 Storage
lobechat_s3_endpoint: https://pan.helu.ca:8555
lobechat_s3_public_domain: https://pan.helu.ca:8555
lobechat_s3_access_key: "{{vault_lobechat_s3_access_key}}"
lobechat_s3_secret_key: "{{vault_lobechat_s3_secret_key}}"
lobechat_s3_bucket: lobechat
# Search
# NOTE(review): the commit description moves searxng off oberon, and this
# file configures searxng at rosalind.incus:22083 (searxng_base_url) —
# confirm this URL is not stale.
lobechat_searxng_url: http://oberon.incus:25599
# AI Models
lobechat_openai_proxy_url: http://sycorax.incus:25540/v1
lobechat_openai_key: "{{vault_lobechat_openai_api_key}}"
lobechat_ollama_proxy_url: http://perseus.helu.ca:11434
lobechat_anthropic_api_key: "{{vault_lobechat_anthropic_api_key}}"
lobechat_google_api_key: "{{vault_lobechat_google_api_key}}"
lobechat_app_url: https://lobechat.ouranos.helu.ca/
# Nextcloud Configuration
# NOTE(review): 22083 is also the value of searxng_port in this file; if both
# services run on this host the two listeners collide and one must move.
nextcloud_web_port: 22083
nextcloud_data_dir: /mnt/nextcloud
# Database Configuration
nextcloud_db_type: pgsql
nextcloud_db_host: portia.incus
nextcloud_db_port: 5432
nextcloud_db_name: nextcloud
nextcloud_db_user: nextcloud
nextcloud_db_password: "{{vault_nextcloud_db_password}}"
# Admin Configuration
nextcloud_admin_user: admin
nextcloud_admin_password: "{{vault_nextcloud_admin_password}}"
# Domain Configuration
nextcloud_domain: nextcloud.ouranos.helu.ca
# Instance secrets (generated during install)
# Left empty on purpose; presumably the role fills them in from the
# installed config.php rather than from vault — verify before relying on it.
nextcloud_instance_id: ""
nextcloud_password_salt: ""
nextcloud_secret: ""
# Open WebUI Configuration
# NOTE(review): these are rosalind's host_vars but openwebui_host below is
# puck.incus, and the commit description moves openwebui to puck — confirm
# this stanza still belongs in this file.
openwebui_user: openwebui
openwebui_group: openwebui
openwebui_directory: /srv/openwebui
openwebui_cors_allow_origin: https://openwebui.ouranos.helu.ca
openwebui_port: 22088
openwebui_host: puck.incus
openwebui_secret_key: "{{ vault_openwebui_secret_key }}"
# NOTE(review): self-registration stays enabled while email login is off;
# gitea in this file disables registration in favour of Casdoor SSO —
# confirm this asymmetry is intended.
openwebui_enable_signup: true
openwebui_enable_email_login: false
# OAuth/OIDC Configuration (Casdoor SSO)
openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"
openwebui_oauth_provider_name: "Casdoor"
openwebui_oauth_provider_url: "https://id.ouranos.helu.ca/.well-known/openid-configuration"
# Database Configuration
openwebui_db_host: portia.incus
openwebui_db_port: 5432
openwebui_db_name: openwebui
openwebui_db_user: openwebui
openwebui_db_password: "{{ vault_openwebui_db_password }}"
# API Keys
openwebui_openai_api_key: "{{ vault_openwebui_openai_api_key }}"
openwebui_anthropic_api_key: "{{ vault_openwebui_anthropic_api_key }}"
openwebui_groq_api_key: "{{ vault_openwebui_groq_api_key }}"
openwebui_mistral_api_key: "{{ vault_openwebui_mistral_api_key }}"
# Ollama Configuration
# Key lacks the openwebui_ prefix every other variable in this stanza uses;
# renaming it means updating the role, so it is left as is.
ollama_api_base_url: ""
openwebui_ollama_api_key: ""
# SSL Configuration
# TLS is terminated elsewhere (Caddy per the commit description); the
# certificate paths are only read when openwebui_enable_https is true.
openwebui_enable_https: false
openwebui_ssl_cert_path: ""
openwebui_ssl_key_path: ""
# Logging
openwebui_log_level: info
# SearXNG Configuration
# NOTE(review): the commit description moves searxng to puck.incus — confirm
# this stanza still applies to rosalind.
searxng_user: searxng
searxng_group: searxng
searxng_directory: /srv/searxng
# NOTE(review): 22083 is also nextcloud_web_port in this file; if both
# services run on this host the listeners collide and one must move.
searxng_port: 22083
# Internal base URL; the public entry point is the oauth2-proxy below
searxng_base_url: http://rosalind.incus:22083/
searxng_instance_name: "Ouranos Search"
searxng_secret_key: "{{ vault_searxng_secret_key }}"
# SearXNG OAuth2-Proxy Sidecar
# Binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service.
# NOTE(review): an earlier comment said each host supports at most one
# sidecar instance; the commit description says the extracted oauth2-proxy
# role now supports multiple instances per host — confirm which applies
# before adding a second proxy on this host.
searxng_oauth2_proxy_dir: /etc/oauth2-proxy-searxng
searxng_proxy_port: 22073
searxng_domain: "ouranos.helu.ca"
searxng_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
searxng_oauth2_redirect_url: "https://searxng.ouranos.helu.ca/oauth2/callback"
# OAuth2 Credentials (from vault)
searxng_oauth2_client_id: "{{ vault_searxng_oauth2_client_id }}"
searxng_oauth2_client_secret: "{{ vault_searxng_oauth2_client_secret }}"
searxng_oauth2_cookie_secret: "{{ vault_searxng_oauth2_cookie_secret }}"