wiseflat · wiseflat · Jan 14, 2026 · Jan 13, 2026 · Jan 14, 2026 · Jan 14, 2026
diff --git a/ansible/playbooks/paas/main.yml b/ansible/playbooks/paas/main.yml
@@ -58,10 +58,14 @@
     - unattended-upgrades
     - ansible-ufw
 
+- name: Configure sshd
+  ansible.builtin.import_playbook: sshd.yml
 - name: Configure timesyncd
   ansible.builtin.import_playbook: timesyncd.yml
 - name: Configure systemd resolved
   ansible.builtin.import_playbook: systemd-resolved.yml
+- name: Configure nvidia
+  ansible.builtin.import_playbook: nvidia.yml
 - name: Configure docker
   ansible.builtin.import_playbook: docker.yml
 - name: Configure nomad

diff --git a/ansible/playbooks/paas/metrology.yml b/ansible/playbooks/paas/metrology.yml
@@ -5,9 +5,9 @@
   gather_facts: true
   become: true
   tasks:
-    - name: End the play for hosts that are not in admins group
-      ansible.builtin.meta: end_host
-      when: fact_instance.location != 'admins'
+    # - name: End the play for hosts that are not in admins group
+    #   ansible.builtin.meta: end_host
+    #   when: fact_instance.location != 'admins'
 
     - name: Install prometheus
       ansible.builtin.import_role:

diff --git a/...ble/playbooks/saas/nomad-clean-errors.yml → ...ble/playbooks/paas/nomad-clean-errors.yml b/...ble/playbooks/saas/nomad-clean-errors.yml → ...ble/playbooks/paas/nomad-clean-errors.yml
diff --git a/ansible/playbooks/paas/nvidia.yml b/ansible/playbooks/paas/nvidia.yml
@@ -18,6 +18,10 @@
 
   pre_tasks:
 
+    - name: End the play for hosts that don't have nvidia gpu
+      ansible.builtin.meta: end_host
+      when: not nvidia_enable
+
     - name: Créer le répertoire du keyring s'il n'existe pas
       ansible.builtin.file:
         path: "{{ nvidia_keyring_path | dirname }}"

diff --git a/ansible/playbooks/paas/scan_exporter.yml b/ansible/playbooks/paas/scan_exporter.yml
@@ -1,10 +1,10 @@
 ---
-- name: Uninstall scan_exporter
+- name: Install scan_exporter
   any_errors_fatal: true
   hosts: "{{ hosts_limit | default('infrastructure') }}"
   gather_facts: true
   become: true
   pre_tasks:
-    - name: Uninstall scan_exporter
+    - name: Install scan_exporter
       ansible.builtin.include_role:
         name: scan_exporter
diff --git a/ansible/playbooks/paas/sshd.yml b/ansible/playbooks/paas/sshd.yml
@@ -4,5 +4,9 @@
   hosts: "{{ hosts_limit | default('infrastructure') }}"
   gather_facts: true
   become: true
+  pre_tasks:
+    - name: End the play for hosts that are not in frontends group
+      ansible.builtin.meta: end_host
+      when: fact_instance.location != 'frontends'
   roles:
     - sshd
diff --git a/ansible/playbooks/paas/timesyncd.yml b/ansible/playbooks/paas/timesyncd.yml
@@ -27,6 +27,8 @@
 
     - name: Use RTC in UTC
       ansible.builtin.command: timedatectl set-local-rtc 0
+      register: timedatectl
+      changed_when: false
 
   handlers:
     - name: Restart timesyncd

diff --git a/ansible/playbooks/saas/image-forkable.yml b/ansible/playbooks/saas/image-forkable.yml
@@ -93,15 +93,15 @@
       failed_when: ui_update.status != 200
       become: false
 
+  post_tasks:
+    - name: Trigger cleanup on failure
+      ansible.builtin.meta: clear_host_errors
+      when: ansible_failed_result is defined
+      notify: Cleanup build directory
+
   handlers:
     - name: Cleanup build directory
       ansible.builtin.file:
         path: "{{ build_work_dir }}"
         state: absent
       listen: cleanup_build
-
-  post_tasks:
-    - name: Trigger cleanup on failure
-      ansible.builtin.meta: clear_host_errors
-      when: ansible_failed_result is defined
-      notify: Cleanup build directory
diff --git a/ansible/playbooks/saas/image.yml b/ansible/playbooks/saas/image.yml
@@ -45,13 +45,16 @@
     - name: Build
       when: image_definition.build
       block:
-        - name: Build and publish image
+        - name: Build and publish multi-arch image
           community.docker.docker_image_build:
             name: "{{ docker_private_registry.url }}/{% if docker_private_registry.project is defined %}{{ docker_private_registry.project }}/{% endif %}{{ image_definition.name }}:{{ image_version }}"
             tag: latest
             path: "{{ build_work_dir }}"
             dockerfile: Dockerfile
             labels: "{{ image_definition.labels }}"
+            platform:
+              - linux/amd64
+              - linux/arm64
             rebuild: always
             outputs:
               - type: image

diff --git a/ansible/playbooks/saas/roles/grafana/README.md b/ansible/playbooks/saas/roles/grafana/README.md
@@ -12,3 +12,44 @@ www.domain.com:
   domain_alias: domain.com    # (string) Primary domain name for the application.
   ipfilter: []                # (list) List of allowed IPs for access control (empty for unrestricted access).
   basic_auth: False           # (bool) Enable/disable HTTP Basic Authentication (True/False).
+```
+
+## variable
+
+```yaml
+passwd: s3cret!
+user: myuser
+```
+
+## Secret
+
+```yaml
+plugins:
+  - disabled: false
+    jsonData:
+      models:
+        default: base
+        mapping:
+          base: gpt-oss-120b
+          large: gpt-oss-120b
+      openAI:
+        apiPath: /api/openai_compat/v1
+        url: https://llm.public.api
+      provider: custom
+      vector:
+        embed:
+          grafanaVectorAPI:
+            authType: no-auth
+            url: http://vectorStore.default.service.nomad:8687
+          type: grafana/vectorapi
+        enabled: true
+        model: BAAI/bge-small-en-v1.5
+        store:
+          grafanaVectorAPI:
+            authType: no-auth
+            url: http://vectorStore.default.service.nomad:8687
+          type: grafana/vectorapi
+    secureJsonData:
+      openAIKey: <secretkey>
+    type: grafana-llm-app
+```
diff --git a/ansible/playbooks/saas/roles/grafana/templates/provisioning/plugins/llm.yaml.j2 b/ansible/playbooks/saas/roles/grafana/templates/provisioning/plugins/llm.yaml.j2
@@ -1,4 +1,4 @@
 apiVersion: 1
 
 apps:
-{{ (lookup('simple-stack-ui', type='secret', key=domain, subkey='plugins', missing='error') | from_json) | to_nice_yaml }}
+{{ (lookup('simple-stack-ui', type='secret', key=domain, subkey='plugins', missing='error') | from_json) | to_nice_yaml | default() }}
diff --git a/ansible/playbooks/saas/roles/litellm/README.md b/ansible/playbooks/saas/roles/litellm/README.md
@@ -1 +1,53 @@
 # Role: `litellm`
+
+## variable
+
+```yaml
+litellm_dbhost: postgresql
+litellm_config:
+  general_settings:
+    store_model_in_db: true
+    supported_db_objects:
+      - mcp
+  litellm_settings:
+    drop_params: true
+  mcp_servers:
+    news_mcp:
+      description: My MCP description
+      transport: http
+      url: http://192.168.0.46:8001/mcp
+  model_list:
+    - litellm_params:
+        api_key: os.environ/OVHCLOUD_API_KEY
+        model: ovhcloud/gpt-oss-120b
+      model_name: ovhcloud/gpt-oss-120b
+    - litellm_params:
+        api_key: os.environ/OVHCLOUD_API_KEY
+        model: ovhcloud/bge-multilingual-gemma2
+      model_name: ovhcloud/bge-multilingual-gemma2
+    - litellm_params:
+        api_key: os.environ/OVHCLOUD_API_KEY
+        model: ovhcloud/Deepseek-R1-Distill-Llama-70B
+      model_name: ovhcloud/Deepseek-R1-Distill-Llama-70B
+    - litellm_params:
+        api_key: os.environ/OVHCLOUD_API_KEY
+        model: ovhcloud/BGE-M3
+      model_name: ovhcloud/BGE-M3
+```
+
+## Secret
+
+```yaml
+litellm_dbpasswd: 123456
+litellm_env:
+  - key: LITELLM_MASTER_KEY
+    value: sk-123456789
+  - key: LITELLM_SALT_KEY
+    value: sk-12345678-123456789-12345678
+  - key: DATABASE_URL
+    value: postgresql://user:passwd@postgresql.default.service.nomad:5432/litellm
+  - key: STORE_MODEL_IN_DB
+    value: true
+  - key: OVHCLOUD_API_KEY
+    value: APIKEY
+```
diff --git a/ansible/playbooks/saas/roles/milvus/README.md b/ansible/playbooks/saas/roles/milvus/README.md
@@ -1 +1,8 @@
 # Role: `milvus`
+
+
+## Secret
+
+```yaml
+passwd: 123456
+```
diff --git a/ansible/playbooks/saas/roles/postgresql/README.md b/ansible/playbooks/saas/roles/postgresql/README.md
@@ -13,3 +13,17 @@ www.domain.com:
   ipfilter: []                # (list) List of allowed IPs for access control (empty for unrestricted access).
   basic_auth: False           # (bool) Enable/disable HTTP Basic Authentication (True/False).
   size: small
+```
+
+## variable
+
+```yaml
+static_port: 5432
+```
+
+## Secret
+
+```yaml
+passwd: 123456
+```
+
diff --git a/ansible/playbooks/saas/roles/wordpress/vars/main.yml b/ansible/playbooks/saas/roles/wordpress/vars/main.yml
@@ -5,10 +5,10 @@ image:
   upstream:
     source: apk
     repository: community
-    package: php83-fpm
+    package: php84-fpm
   labels:
-    version: 83
-    conf: /etc/php83
+    version: 84
+    conf: /etc/php84
   name: wordpress
   origin: alpine:latest
   dependances:

diff --git a/ansible/playbooks/saas/setup-buildx.yml b/ansible/playbooks/saas/setup-buildx.yml
@@ -0,0 +1,65 @@
+---
+- name: Setup Docker Buildx for multi-architecture builds
+  hosts: "{{ hosts_limit | default('infrastructure') }}"
+  become: true
+  gather_facts: true
+
+  tasks:
+    - name: Ensure Docker is installed and running
+      ansible.builtin.service:
+        name: docker
+        state: started
+        enabled: true
+
+    - name: Install QEMU user static binaries
+      ansible.builtin.package:
+        name:
+          - qemu-user-static
+          - binfmt-support
+        state: present
+
+    - name: Register QEMU binfmt handlers
+      ansible.builtin.command:
+        cmd: docker run --rm --privileged tonistiigi/binfmt --install all
+      register: binfmt_result
+      changed_when: "'installing' in binfmt_result.stdout"
+
+    - name: Check if buildx builder exists
+      ansible.builtin.command:
+        cmd: docker buildx inspect multiarch-builder
+      register: buildx_inspect
+      failed_when: false
+      changed_when: false
+
+    - name: Create buildx builder for multi-arch
+      ansible.builtin.command:
+        cmd: docker buildx create --name multiarch-builder --driver docker-container --use --bootstrap
+      when: buildx_inspect.rc != 0
+      register: buildx_create
+
+    - name: Set multiarch-builder as default
+      ansible.builtin.command:
+        cmd: docker buildx use multiarch-builder
+      when: buildx_inspect.rc == 0
+      changed_when: false
+
+    - name: Verify buildx platforms support
+      ansible.builtin.command:
+        cmd: docker buildx inspect --bootstrap
+      register: buildx_platforms
+      changed_when: false
+
+    - name: Display supported platforms
+      ansible.builtin.debug:
+        msg: "{{ buildx_platforms.stdout_lines }}"
+
+    - name: Verify multi-arch support is working
+      ansible.builtin.command:
+        cmd: docker buildx ls
+      register: buildx_ls
+      changed_when: false
+
+    - name: Show buildx configuration
+      ansible.builtin.debug:
+        var: buildx_ls.stdout_lines
+
diff --git a/ansible/rulebook.yml b/ansible/rulebook.yml
@@ -28,39 +28,19 @@
             extra_vars:
               hosts_limit: "{{ event.payload.meta.hosts }}"
 
-    - name: paas
-      condition: event.payload.type == "paas/main"
+    - name: paas-main
+      condition: event.payload.type == "paas-main"
       actions:
         - run_playbook:
             name: playbooks/paas/main.yml
             extra_vars:
               hosts_limit: "{{ event.payload.meta.hosts }}"
+
+    - name: paas-nomad-clean-errors
+      condition: event.payload.type == "paas-nomad-clean-errors"
+      actions:
         - run_playbook:
-            name: playbooks/paas/timesyncd.yml
-            extra_vars:
-              hosts_limit: "{{ event.payload.meta.hosts }}"
-        - run_playbook:
-            name: playbooks/paas/firewall.yml
-            extra_vars:
-              hosts_limit: "{{ event.payload.meta.hosts }}"
-        - run_playbook:
-            name: playbooks/paas/docker.yml
-            extra_vars:
-              hosts_limit: "{{ event.payload.meta.hosts }}"
-        - run_playbook:
-            name: playbooks/paas/nomad.yml
-            extra_vars:
-              hosts_limit: "{{ event.payload.meta.hosts }}"
-        - run_playbook:
-            name: playbooks/paas/coredns.yml
-            extra_vars:
-              hosts_limit: "{{ event.payload.meta.hosts }}"
-        - run_playbook:
-            name: playbooks/paas/metrology.yml
-            extra_vars:
-              hosts_limit: "{{ event.payload.meta.hosts }}"
-        - run_playbook:
-            name: playbooks/paas/sshd.yml
+            name: playbooks/paas/nomad-clean-errors.yml
             extra_vars:
               hosts_limit: "{{ event.payload.meta.hosts }}"
 

diff --git a/ui/controllers/api.js b/ui/controllers/api.js
@@ -30,12 +30,17 @@ exports.install = function() {
 	ROUTE('+API    /api/       +catalogs_remove/{id}       --> Catalogs/remove');
 	ROUTE('+API    /api/       +catalogs_execute/{id}      --> Catalogs/execute');
 
+	ROUTE('+API    /api/       +events_create              --> Events/create');
+	ROUTE('+API    /api/       +events_read                --> Events/read');
+	ROUTE('+API    /api/       +events_remove              --> Events/remove');
+
 	// infrastructures
 	ROUTE('+API    /api/       -infrastructures                   --> Infrastructures/list');
 	ROUTE('+API    /api/       +infrastructures_read/{id}         --> Infrastructures/read');
 	ROUTE('+API    /api/       +infrastructures_create            --> Infrastructures/create');
 	ROUTE('+API    /api/       +infrastructures_update/{id}       --> Infrastructures/update');
 	ROUTE('+API    /api/       +infrastructures_remove/{id}       --> Infrastructures/remove');
+	ROUTE('+API    /api/       +infrastructures_execute/{id}      --> Infrastructures/execute');
 
 	ROUTE('+POST   /api/tfstates/{id}/                            --> Infrastructures/tfstates_update');
 	ROUTE('+GET    /api/tfstates/{id}/                            --> Infrastructures/tfstates_read');