feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm

Adds k3s and ess_pro roles to replace the planned Nextcloud Talk
stack. Integrates with existing Keycloak (OIDC), Garage (S3 media)
and OpenBao (secrets). Hostnames under digitalboard.ch.

roles/ess-pro/tasks/credentials.yml

@@ -0,0 +1,41 @@
+# SPDX-License-Identifier: MIT-0
+---
+# Helm needs to authenticate against registry.element.io to pull both the
+# matrix-stack chart AND the Pro container images. We do both:
+#   1. `helm registry login` so the chart pull works.
+#   2. A docker-registry Secret in the namespace so pods can pull images.
+
+- name: Log in to Element Helm/OCI registry
+  ansible.builtin.command:
+    cmd: >-
+      {{ ess_pro_helm_install_dir }}/helm registry login {{ ess_pro_registry_url }}
+      --username {{ ess_pro_registry_username | quote }}
+      --password-stdin
+    stdin: "{{ ess_pro_registry_token }}"
+  register: helm_login
+  changed_when: "'Login Succeeded' in (helm_login.stdout + helm_login.stderr)"
+  no_log: true
+
+- name: Create image pull Secret for the ESS namespace
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ess_pro_kubeconfig }}"
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Secret
+      type: kubernetes.io/dockerconfigjson
+      metadata:
+        name: "{{ ess_pro_image_pull_secret_name }}"
+        namespace: "{{ ess_pro_namespace }}"
+        labels:
+          app.kubernetes.io/managed-by: ansible
+      data:
+        .dockerconfigjson: "{{ _dockerconfig | to_json | b64encode }}"
+  vars:
+    _dockerconfig:
+      auths:
+        "{{ ess_pro_registry_url }}":
+          username: "{{ ess_pro_registry_username }}"
+          password: "{{ ess_pro_registry_token }}"
+          auth: "{{ (ess_pro_registry_username ~ ':' ~ ess_pro_registry_token) | b64encode }}"
+  no_log: true