Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.

ansible/roles/noble_newt/tasks/pangolin_sync.yml

@@ -0,0 +1,95 @@
+---
+# Pangolin Integration API — public HTTP resources → Newt site → Traefik (see clusters/noble/bootstrap/newt/README.md §4).
+# Included only when **noble_pangolin_sync_http_resources** is true.
+- name: Build Pangolin HTTP FQDN list
+  ansible.builtin.set_fact:
+    noble_pangolin_http_fqdns_effective: >-
+      {{
+        (
+          noble_pangolin_http_fqdns_extra | default([])
+          + (noble_authentik_ingress_extra_hosts | default([]))
+          + ([noble_open_webui_public_host | trim] if (noble_open_webui_public_host | default('') | trim | length) > 0 else [])
+        ) | unique | list
+      }}
+
+- name: Discover Traefik LoadBalancer IP for Pangolin targets (when not set explicitly)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - get
+      - svc
+      - -n
+      - traefik
+      - -l
+      - app.kubernetes.io/name=traefik
+      - -o
+      - jsonpath={.items[0].status.loadBalancer.ingress[0].ip}
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_pangolin_traefik_lb_ip
+  changed_when: false
+  failed_when: false
+  when:
+    - noble_pangolin_http_fqdns_effective | length > 0
+    - noble_pangolin_traefik_target_ip | default('') | trim | length == 0
+
+- name: Resolve Traefik IP for Pangolin sync
+  ansible.builtin.set_fact:
+    noble_pangolin_traefik_ip_resolved: >-
+      {{
+        (noble_pangolin_traefik_target_ip | default('') | trim)
+        if (noble_pangolin_traefik_target_ip | default('') | trim | length > 0)
+        else (noble_pangolin_traefik_lb_ip.stdout | default('') | trim)
+      }}
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Require Traefik IP for Pangolin sync
+  ansible.builtin.assert:
+    that:
+      - noble_pangolin_traefik_ip_resolved | length > 0
+    fail_msg: >-
+      Set **noble_pangolin_traefik_target_ip** in inventory (Traefik Service LoadBalancer / MetalLB IP), or ensure
+      **kubectl** can read **traefik** Services (see **clusters/noble/bootstrap/traefik/**).
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Stat repository .env for Pangolin API credentials
+  ansible.builtin.stat:
+    path: "{{ noble_repo_root }}/.env"
+  register: noble_pangolin_env_file
+  changed_when: false
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Require .env for Pangolin Integration API secrets
+  ansible.builtin.assert:
+    that:
+      - noble_pangolin_env_file.stat.exists | default(false)
+    fail_msg: >-
+      Pangolin sync needs **.env** at the repo root with **NOBLE_PANGOLIN_*** variables (see **.env.sample**).
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Sync Pangolin public HTTP resources (Integration API)
+  ansible.builtin.command:
+    argv:
+      - python3
+      - "{{ noble_repo_root }}/clusters/noble/bootstrap/newt/scripts/sync_pangolin_http_resources.py"
+      - "--env-file"
+      - "{{ noble_repo_root }}/.env"
+      - "--fqdns"
+      - "{{ noble_pangolin_http_fqdns_effective | join(',') }}"
+      - "--traefik-ip"
+      - "{{ noble_pangolin_traefik_ip_resolved }}"
+      - "--traefik-port"
+      - "{{ noble_pangolin_traefik_target_port | int | string }}"
+  register: noble_pangolin_sync_cmd
+  changed_when: >-
+    '[create]' in (noble_pangolin_sync_cmd.stdout | default(''))
+    or '[target]' in (noble_pangolin_sync_cmd.stdout | default(''))
+    or 'target created' in (noble_pangolin_sync_cmd.stdout | default(''))
+  when: noble_pangolin_http_fqdns_effective | length > 0
+
+- name: Skip Pangolin sync (no public FQDNs configured)
+  ansible.builtin.debug:
+    msg: >-
+      noble_pangolin_sync_http_resources is true but the FQDN list is empty
+      (set **noble_authentik_ingress_extra_hosts**, **noble_open_webui_public_host**, and/or **noble_pangolin_http_fqdns_extra**).
+  when: noble_pangolin_http_fqdns_effective | length == 0