feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm

Adds k3s and ess_pro roles to replace the planned Nextcloud Talk stack. Integrates with existing Keycloak (OIDC), Garage (S3 media) and OpenBao (secrets). Hostnames under digitalboard.ch.
2026-05-27 23:46:37 +02:00 · 2026-05-27 23:46:37 +02:00 · 01fd12d75c
commit 01fd12d75c
parent c11f019aae
18 changed files with 1098 additions and 0 deletions
--- a/roles/ess-pro/tasks/prerequisites.yml
+++ b/roles/ess-pro/tasks/prerequisites.yml
@ -0,0 +1,66 @@
+---
+- name: Ensure required OS packages are present
+  ansible.builtin.apt:
+    name:
+      - python3-kubernetes
+      - python3-yaml
+      - ca-certificates
+      - curl
+    state: present
+    update_cache: true
+
+- name: Check whether Helm is already installed
+  ansible.builtin.stat:
+    path: "{{ ess_pro_helm_install_dir }}/helm"
+  register: helm_binary
+
+- name: Check installed Helm version
+  ansible.builtin.command: "{{ ess_pro_helm_install_dir }}/helm version --short"
+  register: helm_version_check
+  changed_when: false
+  failed_when: false
+  when: helm_binary.stat.exists
+
+- name: Download Helm tarball
+  ansible.builtin.get_url:
+    url: "https://get.helm.sh/helm-{{ ess_pro_helm_version }}-linux-amd64.tar.gz"
+    dest: "/tmp/helm-{{ ess_pro_helm_version }}.tar.gz"
+    mode: "0644"
+  when: not helm_binary.stat.exists or (ess_pro_helm_version not in (helm_version_check.stdout | default('')))
+
+- name: Unpack Helm
+  ansible.builtin.unarchive:
+    src: "/tmp/helm-{{ ess_pro_helm_version }}.tar.gz"
+    dest: /tmp/
+    remote_src: true
+    creates: "/tmp/linux-amd64/helm"
+  when: not helm_binary.stat.exists or (ess_pro_helm_version not in (helm_version_check.stdout | default('')))
+
+- name: Install Helm binary
+  ansible.builtin.copy:
+    src: /tmp/linux-amd64/helm
+    dest: "{{ ess_pro_helm_install_dir }}/helm"
+    remote_src: true
+    mode: "0755"
+  when: not helm_binary.stat.exists or (ess_pro_helm_version not in (helm_version_check.stdout | default('')))
+
+- name: Ensure ESS config directory exists
+  ansible.builtin.file:
+    path: "{{ ess_pro_config_dir }}"
+    state: directory
+    mode: "0750"
+    owner: root
+    group: root
+
+- name: Ensure ESS namespace exists
+  kubernetes.core.k8s:
+    kubeconfig: "{{ ess_pro_kubeconfig }}"
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: "{{ ess_pro_namespace }}"
+        labels:
+          app.kubernetes.io/managed-by: ansible
+          app.kubernetes.io/part-of: digitalboard