feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm
Adds k3s and ess_pro roles to replace the planned Nextcloud Talk stack. Integrates with existing Keycloak (OIDC), Garage (S3 media) and OpenBao (secrets). Hostnames under digitalboard.ch.
This commit is contained in:
parent
c11f019aae
commit
01fd12d75c
18 changed files with 1098 additions and 0 deletions
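--- a/roles/ess-pro/defaults/main.yml
+++ b/roles/ess-pro/defaults/main.yml
@@ -0,0 +1,129 @@
+# SPDX-License-Identifier: MIT-0
+---
+# =============================================================================
+# ess-pro role — defaults
+# =============================================================================
+# Secrets (registry token, OIDC client secret, S3 keys, Postgres passwords)
+# are intentionally left empty here. Provide them via
+# `group_vars/ess_servers.yml` — either as plain values (PoC), via
+# ansible-vault, or as OpenBao lookups, matching the pattern used by the
+# other digitalboard.core roles (bookstack, opnform, homarr).
+#
+# Example OpenBao lookup:
+# ess_pro_registry_token: "{{ lookup('community.hashi_vault.vault_kv2_get',
+#                                    'digitalboard/ess-pro',
+#                                    mount_point='kv').data.data.token }}"
+
+# -----------------------------------------------------------------------------
+# Helm release
+# -----------------------------------------------------------------------------
+ess_pro_namespace: "ess"
+ess_pro_release_name: "ess"
+ess_pro_chart_ref: "oci://registry.element.io/matrix-stack"
+# Pin a chart version in production. Leave empty to track the latest stable.
+ess_pro_chart_version: ""
+ess_pro_helm_timeout: "15m"
+ess_pro_helm_wait: true
+
+# Where to store rendered values.yaml on the target host.
+ess_pro_config_dir: "/etc/ess"
+
+# -----------------------------------------------------------------------------
+# Matrix server identity
+# -----------------------------------------------------------------------------
+# The Matrix serverName forms the user ID domain (@user:serverName) and the
+# federation key. It cannot be changed after the first deploy without data
+# loss. Override for production deployments (e.g. wksbern.ch).
+ess_pro_server_name: "digitalboard.ch"
+
+# Per-service hostnames. The DMZ Traefik (reference-ansible) terminates TLS
+# for these and forwards to the K3s node.
+#
+# Convention follows the other digitalboard.core roles:
+# wiki.digitalboard.ch (bookstack)
+# forms.digitalboard.ch (opnform)
+# home.digitalboard.ch (homarr)
+# auth.digitalboard.ch (keycloak) <- already taken — MAS uses `mas.`
+# chat.digitalboard.ch (this role, Element Web)
+ess_pro_hostnames:
+  synapse: "matrix.{{ ess_pro_server_name }}"
+  mas: "mas.{{ ess_pro_server_name }}"
+  element_web: "chat.{{ ess_pro_server_name }}"
+  element_admin: "admin.{{ ess_pro_server_name }}"
+  matrix_rtc: "rtc.{{ ess_pro_server_name }}"
+
+# -----------------------------------------------------------------------------
+# Element image registry credentials (from customer.element.io)
+# -----------------------------------------------------------------------------
+ess_pro_registry_url: "registry.element.io"
+ess_pro_registry_username: "" # set in group_vars/ess_servers.yml
+ess_pro_registry_token: "" # set in group_vars/ess_servers.yml
+
+# -----------------------------------------------------------------------------
+# Ingress / TLS strategy
+# -----------------------------------------------------------------------------
+# The reference-ansible pattern terminates TLS on the DMZ Traefik. Inside
+# K3s, workloads serve plain HTTP.
+ess_pro_tls_terminate_externally: true
+ess_pro_ingress_class: "traefik"
+
+# -----------------------------------------------------------------------------
+# PostgreSQL
+# -----------------------------------------------------------------------------
+# Chart-internal Postgres for demo. For production, point at an external DB.
+ess_pro_postgres_external: false
+ess_pro_postgres_host: ""
+ess_pro_postgres_port: 5432
+ess_pro_postgres_sslmode: "prefer"
+ess_pro_postgres_synapse_db: "synapse"
+ess_pro_postgres_synapse_user: "synapse"
+ess_pro_postgres_synapse_password: ""
+ess_pro_postgres_mas_db: "mas"
+ess_pro_postgres_mas_user: "mas"
+ess_pro_postgres_mas_password: ""
+
+# -----------------------------------------------------------------------------
+# Delegated authentication via the digitalboard Keycloak
+# -----------------------------------------------------------------------------
+# Create a confidential OIDC client `ess-mas` in the `Digitalboard` realm
+# with redirect_uri
+# https://{{ ess_pro_hostnames.mas }}/upstream/callback/01J0KCK0DNNNDIGITALBOARDKC01
+ess_pro_oidc_enabled: false
+ess_pro_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard"
+ess_pro_oidc_client_id: "ess-mas"
+ess_pro_oidc_client_secret: ""
+ess_pro_oidc_provider_name: "Digitalboard"
+ess_pro_oidc_scopes:
+  - "openid"
+  - "profile"
+  - "email"
+
+# -----------------------------------------------------------------------------
+# Media storage (Garage S3)
+# -----------------------------------------------------------------------------
+ess_pro_s3_media_enabled: false
+ess_pro_s3_endpoint: "https://s3.digitalboard.ch"
+ess_pro_s3_region: "garage"
+ess_pro_s3_bucket: "ess-media"
+ess_pro_s3_access_key: ""
+ess_pro_s3_secret_key: ""
+
+# -----------------------------------------------------------------------------
+# Matrix RTC Backend / Element Call (LiveKit SFU + lk-jwt-service)
+# -----------------------------------------------------------------------------
+ess_pro_rtc_enabled: true
+ess_pro_rtc_udp_port_range_start: 50000
+ess_pro_rtc_udp_port_range_end: 60000
+# Externally reachable IP for LiveKit ICE candidates (DMZ public IP).
+ess_pro_rtc_external_ip: ""
+
+# -----------------------------------------------------------------------------
+# Initial admin (chart creates @localadmin:<serverName> by default)
+# -----------------------------------------------------------------------------
+ess_pro_create_initial_admin: true
+
+# -----------------------------------------------------------------------------
+# Helm CLI install
+# -----------------------------------------------------------------------------
+ess_pro_helm_version: "v3.16.4"
+ess_pro_helm_install_dir: "/usr/local/bin"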
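Review bot: `ess_pro_postgres_sslmode: "prefer"` lets the client fall back silently to a plaintext connection, so the external-DB path the PostgreSQL comment recommends for production (`ess_pro_postgres_external: true`) carries no transport guarantee by default; change it to `ess_pro_postgres_sslmode: "verify-full"  # external DB only; relax to "require" only if the server cert cannot be verified` and leave the chart-internal demo path as it is. The header comment also invites plain secret values in `group_vars/ess_servers.yml`, and every credential in this file defaults to `""`; the role's tasks (not in this file) should `assert` each secret is non-empty when its feature flag is on (`ess_pro_oidc_client_secret` with `ess_pro_oidc_enabled`, the S3 keys with `ess_pro_s3_media_enabled`, the registry token always), otherwise an empty credential is rendered into `{{ ess_pro_config_dir }}/values.yaml` and the Helm install proceeds anyway. That rendered values.yaml will hold all of these secrets in clear on the host, so it presumably needs `mode: "0600"` and root ownership — confirm in the template task. Lastly, the provider id in the redirect_uri comment (`01J0KCK0DNNNDIGITALBOARDKC01`) is 28 characters and contains I, L and O, which the Crockford base32 alphabet used by ULIDs excludes; if MAS's upstream provider `id` is templated from this value, verify MAS accepts it before handing the URI to the Keycloak admins.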