Enhance infrastructure and application configurations

- Updated AGENTS.md to include new directories for execution plans and implemented feature reports.
- Modified Ansible host variables for dev-02 and gpu-01 to change API endpoints and add new configurations for Scaleway.
- Adjusted firewall rules in gpu-01 to allow HTTPS traffic instead of the previous Ollama port.
- Added OAuth2 proxy configurations to gpu-01 for enhanced security.
- Removed deprecated open-webui module from Terraform app configurations.
- Updated Terraform configurations to reflect changes in local variables and removed unused secrets.
- Created a new sectool.json file for CloudNS integration with Bitwarden.
- Enhanced SELinux configurations for nginx to allow connections to any port and added oauth2-proxy port.
This commit is contained in:
2026-07-12 16:28:45 -04:00
parent a4a8554fb6
commit 8724360fb2
23 changed files with 2106 additions and 77 deletions
@@ -83,7 +83,7 @@ linux_dev_station_opencode_config:
name: "alexpires.me"
npm: "@ai-sdk/openai-compatible"
options:
baseURL: "https://open-webui.lab.alexpires.me/api"
baseURL: "https://llm.lab.alexpires.me/api/v1"
apiKey: "{{ lookup('env', 'OPEN_WEBUI_API_KEY', default='') }}"
timeout: 3000000
chunkTimeout: 3000000
@@ -92,6 +92,12 @@ linux_dev_station_opencode_config:
name: "qwen3-6-27b-mtp-q4-0"
qwen3-6-35b-a3b-mtp-ud-q4-m:
name: "qwen3-6-35b-a3b-mtp-ud-q4-m"
scaleway:
name: "scaleway"
npm: "@ai-sdk/openai-compatible"
options:
baseURL: "https://api.scaleway.ai/{{ lookup('env', 'SCW_DEFAULT_ORGANIZATION_ID', default='') }}/v1"
apiKey: "{{ lookup('env', 'SCW_INFERENCE_API_KEY', default='') }}"
mcp:
deepwiki:
type: "remote"
+35 -2
View File
@@ -39,8 +39,8 @@ ufw_enable: true
fw_allowed_ports:
- { rule: "allow", port: "22", proto: "tcp", from: "10.5.5.5/32" } # Wireguard VPN (Laptop)
- { rule: "allow", port: "22", proto: "tcp", from: "10.19.4.0/24" } # local network
- { rule: "allow", port: "11434", proto: "tcp", from: "10.19.4.0/24" } # Ollama (local network)
- { rule: "allow", port: "11434", proto: "tcp", from: "10.5.5.5/32" } # Ollama (Laptop)
- { rule: "allow", port: "443", proto: "tcp", from: "10.19.4.0/24" } # HTTPS (nginx reverse proxy)
- { rule: "allow", port: "443", proto: "tcp", from: "10.5.5.5/32" } # HTTPS (nginx reverse proxy, VPN)
- { rule: "allow", port: "8880", proto: "tcp", from: "10.19.4.0/24" } # Kokoro-FastAPI (local network)
- { rule: "allow", port: "8880", proto: "tcp", from: "10.5.5.5/32" } # Kokoro-FastAPI (Laptop)
- { rule: "allow", port: "8188", proto: "tcp", from: "10.19.4.0/24" } # ComfyUI (local network)
@@ -112,6 +112,7 @@ llama_server_home: "/mnt/data/llamacpp"
llama_server_user_pubkey: "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHHOPBR9p9kq5Cqzpe4cr3jHnweaYrHPXv5sXNzt+sCXP54uc5rWUBhxW2OQVvQzJ47dEVhEKi4WSC7LcuKS2G5AQDzWXNiasHvYIYQU3F/EknVCZnsiXYqXphYkJA6rJCNRnISZCIC1mocq6PB7J08ONdRFCvjfUBuVRT8BNGXNmQ/zQ=="
llama_server_port: 11434
llama_server_bind: "127.0.0.1"
llama_server_devices:
- "nvidia.com/gpu=all"
- "/dev/kfd:/dev/kfd:rw"
@@ -202,6 +203,8 @@ llama_server_models:
llama_server_argv_extra:
[
"--api-key",
"{{ lookup('env', 'OPEN_WEBUI_API_KEY', default='') }}",
"-t",
10,
"-np",
@@ -249,3 +252,33 @@ auto_suspend_cpu_idle_threshold: 90.0
# llama_server_preset_global:
# ctx-size: 98304
# n-gpu-layers: all
# nginx_proxy: TLS + OAuth2/OIDC SSO for llm.lab.alexpires.me
nginx_proxy_certbot_email: "c.alexandre.pires@alexpires.me"
nginx_proxy_oauth2_proxy_enabled: true
nginx_proxy_oauth2_proxy_provider: "oidc"
nginx_proxy_oauth2_proxy_provider_url: "https://code.alexpires.me"
nginx_proxy_oauth2_proxy_redirect_urls:
- "https://llm.lab.alexpires.me/oauth2/callback"
nginx_proxy_oauth2_proxy_email_domains:
- "*"
nginx_proxy_oauth2_proxy_cookie_secret: "{{ lookup('env', 'OAUTH2_PROXY_COOKIE_SECRET', default='') }}"
nginx_proxy_oauth2_proxy_client_id: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_ID', default='') }}"
nginx_proxy_oauth2_proxy_client_secret: "{{ lookup('env', 'OAUTH2_PROXY_CLIENT_SECRET', default='') }}"
nginx_proxy_sites:
- name: llm
server_name: "llm.lab.alexpires.me"
upstream:
host: "127.0.0.1"
port: 11434
websocket: true
extra_locations:
- path: /api/
config:
proxy_pass: "http://127.0.0.1:11434/"
proxy_buffering: "off"
proxy_read_timeout: "1800s"
proxy_send_timeout: "1800s"
proxy_http_version: "1.1"
proxy_set_header Upgrade: "$http_upgrade"
proxy_set_header Connection: "$connection_upgrade"
@@ -10,6 +10,7 @@ llama_server_extra_groups: "users,video"
llama_server_devices: []
llama_server_env: {}
llama_server_port: 11434
llama_server_bind: "0.0.0.0"
llama_server_preset_global: {}
llama_server_host: "127.0.0.1"
llama_server_argv_extra: []
+1 -1
View File
@@ -135,7 +135,7 @@
state: started
device: "{{ llama_server_devices | default(omit) }}"
env: "{{ llama_server_env | default(omit) }}"
ports: "0.0.0.0:{{ llama_server_port }}:8080/tcp"
ports: "{{ llama_server_bind }}:{{ llama_server_port }}:8080/tcp"
volumes:
- "{{ llama_server_home }}/models:/models:Z"
- "{{ llama_server_home }}/.cache:/app/.cache:Z"
+15
View File
@@ -44,3 +44,18 @@
become: true
ansible.builtin.command: restorecon -Rv /etc/letsencrypt
changed_when: false
- name: Set SELinux boolean to allow nginx to connect to any port
become: true
ansible.builtin.command: semanage boolean -m --on nginx_connect_any
failed_when: false
changed_when: false
when: ansible_selinux.status == "enabled"
- name: Add oauth2-proxy port to SELinux http_port_t
become: true
ansible.builtin.command: >-
semanage port -a -t http_port_t -p tcp {{ nginx_proxy_oauth2_proxy_port }}
failed_when: false
changed_when: false
when: ansible_selinux.status == "enabled"
@@ -22,6 +22,7 @@
mode: "0755"
owner: root
group: root
remote_src: true
- name: Create oauth2-proxy config directory
become: true
@@ -13,6 +13,7 @@ server {
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
{% if not (item.no_auth | default(false) | bool) %}
# Redirect unauthenticated requests to OAuth2 sign-in
error_page 401 = /oauth2/sign_in;
@@ -52,13 +53,16 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
}
{% endif %}
location / {
{% if not (item.no_auth | default(false) | bool) %}
auth_request /oauth2/auth;
auth_request_set $auth_status $upstream_status;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
{% endif %}
add_header Strict-Transport-Security "max-age={{ nginx_proxy_nginx_hsts_max_age }}; {{ nginx_proxy_nginx_hsts_include_subdomains | ternary('includeSubDomains', '') }}" always;
proxy_pass http://{{ item.upstream.host }}:{{ item.upstream.port }};
+2
View File
@@ -24,3 +24,5 @@ OPEN_WEBUI_API_KEY=$OPEN_WEBUI_API_KEY
OAUTH2_PROXY_COOKIE_SECRET=$OAUTH2_PROXY_COOKIE_SECRET
OAUTH2_PROXY_CLIENT_ID=$OAUTH2_PROXY_CLIENT_ID
OAUTH2_PROXY_CLIENT_SECRET=$OAUTH2_PROXY_CLIENT_SECRET
SCW_DEFAULT_ORGANIZATION_ID=$SCALEWAY_ORGANIZATION_ID
SCW_INFERENCE_API_KEY=$SCW_INFERENCE_API_KEY