feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm

Adds k3s and ess_pro roles to replace the planned Nextcloud Talk
stack. Integrates with existing Keycloak (OIDC), Garage (S3 media)
and OpenBao (secrets). Hostnames under digitalboard.ch.
Tobias Wüst 2026-05-27 23:46:37 +02:00
parent c11f019aae
commit 01fd12d75c
18 changed files with 1098 additions and 0 deletions


@ -0,0 +1,51 @@
# SPDX-License-Identifier: MIT-0
---
- name: Validate required variables
ansible.builtin.assert:
that:
- ess_pro_server_name | length > 0
- ess_pro_registry_username | length > 0
- ess_pro_registry_token | length > 0
fail_msg: >-
ess_pro_server_name, ess_pro_registry_username and ess_pro_registry_token
must be set. Provide them in group_vars/ess_servers.yml (typically as
OpenBao lookups, following the digitalboard.core convention).
quiet: true
- name: Validate OIDC variables when OIDC is enabled
ansible.builtin.assert:
that:
- ess_pro_oidc_issuer | length > 0
- ess_pro_oidc_client_secret | length > 0
fail_msg: ess_pro_oidc_issuer and ess_pro_oidc_client_secret must be set when OIDC is enabled.
quiet: true
when: ess_pro_oidc_enabled | bool
- name: Validate S3 variables when S3 media is enabled
ansible.builtin.assert:
that:
- ess_pro_s3_endpoint | length > 0
- ess_pro_s3_access_key | length > 0
- ess_pro_s3_secret_key | length > 0
fail_msg: S3 endpoint, access key and secret key must be set when S3 media is enabled.
quiet: true
when: ess_pro_s3_media_enabled | bool
- name: Validate external Postgres variables
ansible.builtin.assert:
that:
- ess_pro_postgres_host | length > 0
- ess_pro_postgres_synapse_password | length > 0
- ess_pro_postgres_mas_password | length > 0
fail_msg: External Postgres host and per-component passwords must be set when ess_pro_postgres_external is true.
quiet: true
when: ess_pro_postgres_external | bool
- name: Run prerequisite tasks (Helm CLI, namespace)
ansible.builtin.import_tasks: prerequisites.yml
- name: Authenticate against Element image registry and create pull secret
ansible.builtin.import_tasks: credentials.yml
- name: Render values.yaml and deploy the Helm release
ansible.builtin.import_tasks: deploy.yml
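Review bot: The `length > 0` assertions in the four validation tasks only produce their `fail_msg` when the variable is defined but empty; an undefined variable (for example an OpenBao lookup that was never wired into group_vars) makes the assert task itself error with a generic "is undefined" message instead, so the guidance text in `fail_msg` is never shown. Routing both cases through the assertion is a one-token change per condition, e.g. `- ess_pro_registry_token | default('') | length > 0`, unless a defaults/main.yml elsewhere in this commit already declares every one of these variables. Since the registry token, OIDC client secret, S3 secret key and both Postgres passwords are evaluated here, it would also be prudent to add `no_log: true` to those three tasks: `quiet: true` suppresses the condition list on success, but `no_log` is the documented way to keep secret-bearing task output out of verbose logs and callbacks regardless of outcome. A short header comment stating that this file is the role entry point and that every secret is expected to arrive via group_vars/ess_servers.yml (as the first `fail_msg` already implies) would help readers of the other 17 files.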