eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/ansible/roles/heph/defaults/main.yml
Erich Blume d99c962fe1 Add hephaestus sync hub to indri (launchagent, PWA, device-code OIDC) 
Deploy hephd --mode server on indri as a self-updating LaunchAgent managed
by Ansible (ansible/roles/heph, tag heph), making indri the canonical heph
hub for the hub-and-spoke task/context system.

- Server mode on 0.0.0.0:8787, self-update every 10 minutes (cargo install
  from the public forge URL; ~/.cargo/bin on the agent PATH).
- heph-pwa shell served via --web-root straight from a version-pinned checkout,
  TLS-terminated at heph.ops.eblu.me through Caddy (new caddy_services entry).
- New Authentik device-code (RFC 8628) OIDC app 'heph' (public client) plus a
  default-device-code-flow bound to the default brand's flow_device_code.
- Docs: new services/hephaestus.md service card (incl. Path A seeding runbook
  and the gilbert spoke caveat), indri.md service list, changelog fragment.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 22:14:24 -07:00

42 lines
1.9 KiB
YAML
Raw Blame History

---
# hephaestus hub — the canonical heph replica (server mode) on indri.
# Other devices (e.g. gilbert) are spokes that sync against this hub.
# See [[set-up-sync-hub]] and [[host-heph-pwa]] in the hephaestus repo.
# Pinned release used for the initial `cargo install` and the PWA shell.
# After bootstrap, hephd's own --self-update keeps the binary current; this
# pin only governs the first install and the bundled PWA shell version.
heph_version: v1.2.0
# Anonymous public HTTPS clone — matches hephd's INSTALL_GIT_URL so the initial
# install and unattended self-update build from the same source (no ssh-agent).
heph_repo_url: https://forge.eblu.me/eblume/hephaestus.git
heph_bin_dir: /Users/erichblume/.cargo/bin
heph_binary: "{{ heph_bin_dir }}/hephd"
heph_data_dir: /Users/erichblume/.local/share/heph
heph_db: "{{ heph_data_dir }}/heph.db"
heph_socket: "{{ heph_data_dir }}/hephd.sock"
heph_log_dir: /Users/erichblume/Library/Logs
# Version-pinned source checkout; the PWA static shell is served directly from
# its heph-pwa/ subdir (no copy), keeping shell and hub in lockstep at heph_version.
heph_pwa_src_dir: /Users/erichblume/.cache/heph-pwa-src
heph_web_root: "{{ heph_pwa_src_dir }}/heph-pwa"
# Hub listens on all interfaces so tailnet spokes can reach it directly
# (http://indri.tail8d86e.ts.net:8787) and Caddy can proxy heph.ops.eblu.me.
# Access is gated by Authentik OIDC regardless — tailnet reachability is not
# enough (this is the owner's most sensitive data).
heph_http_addr: 0.0.0.0:8787
heph_port: 8787
heph_external_url: https://heph.ops.eblu.me
# Authentik OIDC — issuer + audience together turn hub auth on. The audience is
# the device-code client id (see argocd/manifests/authentik heph blueprint).
heph_oidc_issuer: https://authentik.ops.eblu.me/application/o/heph/
heph_oidc_audience: heph
# Self-update poll interval (seconds). 10 minutes.
heph_self_update_interval_secs: 600
Reference in a new issue View git blame Copy permalink