Add Jellyfin service to ansible inventory with hardware transcoding and Casdoor SSO configuration. Configure Alloy syslog listener to capture Jellyfin logs to Loki. Update documentation with new service mapping and S3 bucket credential retrieval instructions.
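---
# Rosalind Configuration - GO, Node.js, PHP Apps
# Services: alloy, anythingllm, docker, gitea, jellyfin, lobechat, memcached,
# nextcloud, openwebui, hass, searxng
#
# Keep this list in sync with the per-service sections below. docker and
# memcached have no settings in this file (presumably their role defaults
# apply). The order is left as found in case the playbook applies services
# sequentially.

services:
- alloy
- anythingllm
- docker
- gitea
- jellyfin
- lobechat
- memcached
- nextcloud
- openwebui
- hass
- searxng
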
# Alloy
# Log-shipping agent; the per-service syslog listeners below forward to Loki.
# Jellyfin's listener port lives in the Jellyfin section further down.
alloy_log_level: "warn"

# Syslog listener ports (one per service)
# NOTE(review): syslog carries no authentication — confirm these listeners bind
# to a loopback/container-local address only, so nothing else on the network
# can inject log lines into Loki.
searxng_syslog_port: 51403
lobechat_syslog_port: 51461

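# AnythingLLM Configuration
anythingllm_user: anythingllm
anythingllm_group: anythingllm
anythingllm_directory: /srv/anythingllm
anythingllm_port: 22084

# AnythingLLM Database (Portia PostgreSQL)
anythingllm_db_host: portia.incus
anythingllm_db_port: 5432
anythingllm_db_name: anythingllm
anythingllm_db_user: anythingllm
anythingllm_db_password: "{{ vault_anythingllm_db_password }}"

# AnythingLLM Security (vault secrets)
anythingllm_jwt_secret: "{{ vault_anythingllm_jwt_secret }}"
anythingllm_sig_key: "{{ vault_anythingllm_sig_key }}"
anythingllm_sig_salt: "{{ vault_anythingllm_sig_salt }}"

# AnythingLLM LLM Provider (Generic OpenAI / llama-cpp)
anythingllm_llm_base_url: "http://nyx.helu.ca:25540/v1"
anythingllm_llm_model: "global.anthropic.claude-opus-4-6-v1"
anythingllm_llm_token_limit: 200000
# The provider API key is a vault secret like every other credential in this
# file. An earlier revision committed the literal key here in plaintext; git
# history retains it, so treat that key as compromised and rotate it at the
# provider before relying on the vault value.
# NOTE(review): the base URL is plain http, so the key is sent unencrypted on
# every request — confirm nyx.helu.ca:25540 is reachable only from trusted
# hosts, or put TLS in front of it.
anythingllm_llm_api_key: "{{ vault_anythingllm_llm_api_key }}"

# AnythingLLM Embedding
anythingllm_embedding_engine: "generic-openai"
anythingllm_embedding_model: "Qwen3-Embedding-0.6B-Q8_0"

# AnythingLLM TTS (FastKokoro)
# "not-needed" is presumably a placeholder the OpenAI-compatible client insists
# on; the endpoint itself is unauthenticated and plain http, so anything that
# can reach pan.helu.ca:22070 can use it.
anythingllm_tts_provider: "openai"
anythingllm_tts_api_key: "not-needed"
anythingllm_tts_endpoint: "http://pan.helu.ca:22070/v1"
anythingllm_tts_model: "kokoro"
anythingllm_tts_voice: "am_echo"
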
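# Gitea User and Directories
gitea_user: git
gitea_group: git
gitea_home_dir: /srv/git
gitea_work_dir: /var/lib/gitea
gitea_data_dir: /var/lib/gitea/data
gitea_lfs_dir: /var/lib/gitea/data/lfs
gitea_repo_root: /mnt/dv
gitea_config_file: /etc/gitea/app.ini

# Ports
gitea_web_port: 22082
gitea_ssh_port: 22022
gitea_metrics_port: 22092

# Network
gitea_domain: ouranos.helu.ca
gitea_root_url: https://gitea.ouranos.helu.ca/

# Database Configuration
gitea_db_type: postgres
gitea_db_host: portia.incus
gitea_db_port: 5432
gitea_db_name: gitea
gitea_db_user: gitea
gitea_db_password: "{{ vault_gitea_db_password }}"
# NOTE(review): "disable" sends the DB password and all repository metadata to
# portia.incus in cleartext. If the Postgres server has TLS enabled, move to
# "require" (or "verify-full" with the CA configured). Left unchanged here
# because the server-side TLS setup is not visible from this file.
gitea_db_ssl_mode: disable

# Features
gitea_lfs_enabled: true
gitea_metrics_enabled: true

# Service Settings
gitea_disable_registration: true # Use Casdoor SSO instead
# false = content marked public is readable without signing in
gitea_require_signin_view: false

# Security (vault secrets)
gitea_secret_key: "{{ vault_gitea_secret_key }}"
gitea_lfs_jwt_secret: "{{ vault_gitea_lfs_jwt_secret }}"
# Metrics scrape token (vault)
gitea_metrics_token: "{{ vault_gitea_metrics_token }}"

# OAuth2 (Casdoor SSO)
gitea_oauth_enabled: true
gitea_oauth_name: "casdoor"
gitea_oauth_display_name: "Sign in with Casdoor"
gitea_oauth_client_id: "{{ vault_gitea_oauth_client_id }}"
gitea_oauth_client_secret: "{{ vault_gitea_oauth_client_secret }}"
# Auth URL is where the user's browser is redirected, so it must be the
# external HAProxy address.
gitea_oauth_auth_url: "https://id.ouranos.helu.ca/login/oauth/authorize"
# Token and userinfo calls are server-to-server. They currently use the same
# external HAProxy address as the auth URL (not an internal Casdoor address as
# an earlier comment claimed). If they are moved to an internal hostname, keep
# them on https — the client secret and access tokens travel on these requests.
gitea_oauth_token_url: "https://id.ouranos.helu.ca/api/login/oauth/access_token"
gitea_oauth_userinfo_url: "https://id.ouranos.helu.ca/api/userinfo"
gitea_oauth_scopes: "openid profile email"
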
# Home Assistant Configuration
# Runtime account, install paths and version pin.
hass_user: hass
hass_group: hass
hass_directory: /srv/hass
hass_media_directory: /srv/hass/media
hass_port: 8123
# Quoted so a shorter form such as 2026.2 could never be read as a float
hass_version: "2026.2.0"

# Database (Portia PostgreSQL)
hass_db_host: portia.incus
hass_db_port: 5432
hass_db_name: hass
hass_db_user: hass
hass_db_password: "{{ vault_hass_db_password }}"

# Metrics scrape token (vault)
hass_metrics_token: "{{ vault_hass_metrics_token }}"

# LobeChat Configuration
lobechat_user: lobechat
lobechat_group: lobechat
lobechat_directory: /srv/lobechat
lobechat_port: 22081
lobechat_app_url: https://lobechat.ouranos.helu.ca/

# Database Configuration (Portia PostgreSQL)
lobechat_db_host: portia.incus
lobechat_db_port: 5432
lobechat_db_name: lobechat
lobechat_db_user: lobechat
lobechat_db_password: "{{vault_lobechat_db_password}}"
# Key-vault secret (vault)
lobechat_key_vaults_secret: "{{vault_lobechat_key_vaults_secret}}"

# Authentication (NextAuth + Casdoor)
# NEXTAUTH_URL must be the public URL users access (not internal)
lobechat_nextauth_url: https://lobechat.ouranos.helu.ca
lobechat_next_auth_secret: "{{vault_lobechat_next_auth_secret}}"
lobechat_next_auth_sso_providers: casdoor
lobechat_auth_casdoor_id: "{{vault_lobechat_auth_casdoor_id}}"
lobechat_auth_casdoor_secret: "{{vault_lobechat_auth_casdoor_secret}}"
# Issuer must match exactly what Casdoor returns in .well-known/openid-configuration
# NOTE(review): every other service in this file uses https://id.ouranos.helu.ca
# as the Casdoor issuer, and 22081 is also lobechat_port above. Confirm Casdoor
# really advertises this plain-http value: a mismatch fails ID-token validation,
# and an http issuer means the code/token exchange with Casdoor is unencrypted.
lobechat_auth_casdoor_issuer: http://titania.incus:22081

# S3 Storage (credentials from vault)
lobechat_s3_bucket: lobechat
lobechat_s3_endpoint: https://pan.helu.ca:8555
lobechat_s3_public_domain: https://pan.helu.ca:8555
lobechat_s3_access_key: "{{vault_lobechat_s3_access_key}}"
lobechat_s3_secret_key: "{{vault_lobechat_s3_secret_key}}"

# Search
# NOTE(review): this points at oberon.incus:25599, not the SearXNG instance
# configured on this host (rosalind.incus:22089) — confirm which is intended.
lobechat_searxng_url: http://oberon.incus:25599

# AI Models
# NOTE(review): the OpenAI-compatible proxy is plain http, so the key below is
# sent to sycorax.incus in cleartext; acceptable only if that traffic never
# leaves the trusted internal network.
lobechat_openai_proxy_url: http://sycorax.incus:25540/v1
lobechat_openai_key: "{{vault_lobechat_openai_api_key}}"
lobechat_ollama_proxy_url: http://perseus.helu.ca:11434
lobechat_anthropic_api_key: "{{vault_lobechat_anthropic_api_key}}"
lobechat_google_api_key: "{{vault_lobechat_google_api_key}}"

# Nextcloud Configuration
nextcloud_web_port: 22083
nextcloud_data_dir: /mnt/nextcloud
# Domain Configuration
nextcloud_domain: nextcloud.ouranos.helu.ca

# Database Configuration (Portia PostgreSQL)
nextcloud_db_type: pgsql
nextcloud_db_host: portia.incus
nextcloud_db_port: 5432
nextcloud_db_name: nextcloud
nextcloud_db_user: nextcloud
nextcloud_db_password: "{{vault_nextcloud_db_password}}"

# Admin Configuration (password from vault)
nextcloud_admin_user: admin
nextcloud_admin_password: "{{vault_nextcloud_admin_password}}"

# Instance secrets (generated during install)
# Deliberately empty here; the installer produces the real values.
# NOTE(review): confirm the role only writes these when non-empty — a re-run
# that copies "" over the live instance secret/salt could invalidate existing
# sessions and password hashes.
nextcloud_instance_id: ""
nextcloud_password_salt: ""
nextcloud_secret: ""

# Open WebUI Configuration
openwebui_user: openwebui
openwebui_group: openwebui
openwebui_directory: /srv/openwebui
openwebui_host: puck.incus
openwebui_port: 22088
# Only the public origin may make cross-origin requests
openwebui_cors_allow_origin: https://openwebui.ouranos.helu.ca
openwebui_secret_key: "{{ vault_openwebui_secret_key }}"
# Local e-mail/password login is off; sign-in goes through Casdoor below.
# NOTE(review): with signup enabled, any identity Casdoor is willing to
# authenticate presumably gets an account here — confirm the Casdoor
# application restricts which users/organisations may sign in.
openwebui_enable_signup: true
openwebui_enable_email_login: false

# OAuth/OIDC Configuration (Casdoor SSO)
openwebui_oauth_provider_name: "Casdoor"
openwebui_oauth_provider_url: "https://id.ouranos.helu.ca/.well-known/openid-configuration"
openwebui_oauth_client_id: "{{ vault_openwebui_oauth_client_id }}"
openwebui_oauth_client_secret: "{{ vault_openwebui_oauth_client_secret }}"

# Database Configuration (Portia PostgreSQL)
openwebui_db_host: portia.incus
openwebui_db_port: 5432
openwebui_db_name: openwebui
openwebui_db_user: openwebui
openwebui_db_password: "{{ vault_openwebui_db_password }}"

# API Keys (vault)
openwebui_openai_api_key: "{{ vault_openwebui_openai_api_key }}"
openwebui_anthropic_api_key: "{{ vault_openwebui_anthropic_api_key }}"
openwebui_groq_api_key: "{{ vault_openwebui_groq_api_key }}"
openwebui_mistral_api_key: "{{ vault_openwebui_mistral_api_key }}"

# Ollama Configuration (unset for this instance)
# The first key lacks the openwebui_ prefix used everywhere else; kept as-is
# because the role presumably reads this exact name.
ollama_api_base_url: ""
openwebui_ollama_api_key: ""

# SSL Configuration
# Plain-http listener; TLS is presumably terminated at the HAProxy front end
# (the public URL above is https). Confirm the listener is not reachable from
# outside the internal network.
openwebui_enable_https: false
openwebui_ssl_cert_path: ""
openwebui_ssl_key_path: ""

# Logging
openwebui_log_level: info

# SearXNG Configuration
searxng_user: searxng
searxng_group: searxng
searxng_directory: /srv/searxng
searxng_port: 22089
searxng_instance_name: "Ouranos Search"
# Internal base URL; external users arrive through the OAuth2-Proxy sidecar
searxng_base_url: http://rosalind.incus:22089/
searxng_secret_key: "{{ vault_searxng_secret_key }}"

# SearXNG OAuth2-Proxy Sidecar
# Note: Each host supports at most one OAuth2-Proxy sidecar instance
# (binary shared at /usr/local/bin/oauth2-proxy, unique systemd unit per service)
# NOTE(review): confirm the SearXNG listener on 22089 is reachable only from
# the proxy (loopback or firewall); otherwise the sidecar can be bypassed and
# the instance used without authentication.
searxng_oauth2_proxy_dir: /etc/oauth2-proxy-searxng
searxng_proxy_port: 22079
searxng_domain: "ouranos.helu.ca"
searxng_oauth2_oidc_issuer_url: "https://id.ouranos.helu.ca"
searxng_oauth2_redirect_url: "https://searxng.ouranos.helu.ca/oauth2/callback"

# OAuth2 Credentials (from vault)
searxng_oauth2_client_id: "{{ vault_searxng_oauth_client_id }}"
searxng_oauth2_client_secret: "{{ vault_searxng_oauth_client_secret }}"
# Proxy session-cookie secret (vault)
searxng_oauth2_cookie_secret: "{{ vault_searxng_oauth_cookie_secret }}"

# Jellyfin Configuration
jellyfin_user: jellyfin
jellyfin_group: jellyfin
# Pinned uid/gid — presumably so ownership on the media mount survives rebuilds
jellyfin_uid: 521
jellyfin_gid: 521
jellyfin_directory: /srv/jellyfin
jellyfin_port: 22086
# Alloy syslog listener for Jellyfin logs (other listeners: Alloy section)
jellyfin_syslog_port: 51426

# Storage paths
jellyfin_config_dir: /srv/jellyfin/config
jellyfin_cache_dir: /srv/jellyfin/cache
jellyfin_media_dir: /mnt/media

# Hardware transcoding (NVIDIA GPU passthrough)
# NOTE(review): the jellyfin user needs access to the passed-through GPU device
# nodes — grant it through a device group, not world-writable /dev entries.
jellyfin_enable_hwtranscode: true

# External access URL
jellyfin_published_server_url: "https://jellyfin.ouranos.helu.ca"

# SSO / OIDC Configuration (Casdoor)
jellyfin_sso_enabled: true
jellyfin_casdoor_issuer: "https://id.ouranos.helu.ca"
# Must be registered verbatim as a redirect URI on the Casdoor application
jellyfin_casdoor_redirect_uri: "https://jellyfin.ouranos.helu.ca/api/plugin/sso/callback"
jellyfin_casdoor_client_id: "{{ vault_jellyfin_casdoor_client_id }}"
jellyfin_casdoor_client_secret: "{{ vault_jellyfin_casdoor_client_secret }}"