feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm

Adds k3s and ess_pro roles to replace the planned Nextcloud Talk
stack. Integrates with existing Keycloak (OIDC), Garage (S3 media)
and OpenBao (secrets). Hostnames under digitalboard.ch.

roles/k3s/README.md

@@ -0,0 +1,29 @@
+# Role: k3s
+
+Installs a single-node K3s cluster on Debian bookworm. Used as the runtime for
+the `ess-pro` role.
+
+## Design choices
+
+- **Traefik disabled inside K3s** because the project's DMZ Traefik already
+  fronts the cluster. Routing happens via NodePort/ClusterIP through the
+  external Traefik. If you want K3s' bundled Traefik as the ingress
+  controller, remove `traefik` from `k3s_disable_components` and adjust the
+  upstream Traefik to route by host headers only.
+- **servicelb (Klipper) disabled** for the same reason — no LoadBalancer
+  services needed in the PoC.
+
+## Variables
+
+See `defaults/main.yml`. Override `k3s_version` to pin a specific K3s
+release. The cluster/service CIDRs default to K3s' standard ranges; only
+change if they clash with your libvirt networks.
+
+## Usage
+
+```yaml
+- hosts: vdmzess01
+  roles:
+    - role: k3s
+    - role: ess-pro
+```

roles/k3s/defaults/main.yml

@@ -0,0 +1,27 @@
+---
+# K3s installation defaults
+# See https://docs.k3s.io/installation/configuration for all options.
+
+k3s_version: "v1.31.5+k3s1"
+k3s_install_script_url: "https://get.k3s.io"
+
+# Disable K3s' built-in Traefik because the project's DMZ Traefik is already
+# in front and we don't want two competing ingress controllers.
+# Also disable servicelb (Klipper) since we route via the K3s node IP directly.
+k3s_disable_components:
+  - traefik
+  - servicelb
+
+# Bind kubeconfig readable for the deploy user (default vagrant).
+# In production tighten this back to 600 and copy explicitly.
+k3s_write_kubeconfig_mode: "0644"
+
+# Channel selection. Use stable for PoC, lock to k3s_version above for prod.
+k3s_channel: "stable"
+
+# Cluster CIDRs (rarely need touching, set if conflicting with libvirt nets).
+k3s_cluster_cidr: "10.42.0.0/16"
+k3s_service_cidr: "10.43.0.0/16"
+
+# Extra args appended to INSTALL_K3S_EXEC.
+k3s_extra_args: []

roles/k3s/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: Restart k3s
+  ansible.builtin.systemd:
+    name: k3s
+    state: restarted

roles/k3s/meta/main.yml

@@ -0,0 +1,12 @@
+---
+galaxy_info:
+  role_name: k3s
+  author: digitalboard
+  description: Install single-node K3s suitable for hosting ESS Pro
+  license: MIT
+  min_ansible_version: "2.14"
+  platforms:
+    - name: Debian
+      versions:
+        - bookworm
+dependencies: []

roles/k3s/tasks/main.yml

@@ -0,0 +1,86 @@
+---
+# Install K3s as a single-node Kubernetes cluster.
+# This role is intentionally minimal: it installs K3s, waits for the API,
+# and makes kubectl + the kubeconfig usable for the downstream ess-pro role.
+
+- name: Check whether K3s is already installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/k3s
+  register: k3s_binary
+
+- name: Ensure curl is installed
+  ansible.builtin.apt:
+    name: curl
+    state: present
+    update_cache: true
+  when: not k3s_binary.stat.exists
+
+- name: Download K3s install script
+  ansible.builtin.get_url:
+    url: "{{ k3s_install_script_url }}"
+    dest: /tmp/k3s-install.sh
+    mode: "0755"
+  when: not k3s_binary.stat.exists
+
+- name: Build INSTALL_K3S_EXEC string
+  ansible.builtin.set_fact:
+    k3s_exec_args: >-
+      {{
+        (['--write-kubeconfig-mode=' ~ k3s_write_kubeconfig_mode]
+          + (k3s_disable_components | map('regex_replace', '^(.*)$', '--disable=\\1') | list)
+          + ['--cluster-cidr=' ~ k3s_cluster_cidr,
+             '--service-cidr=' ~ k3s_service_cidr]
+          + k3s_extra_args) | join(' ')
+      }}
+
+- name: Install K3s
+  ansible.builtin.command:
+    cmd: /tmp/k3s-install.sh
+  environment:
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+    INSTALL_K3S_CHANNEL: "{{ k3s_channel }}"
+    INSTALL_K3S_EXEC: "{{ k3s_exec_args }}"
+  args:
+    creates: /usr/local/bin/k3s
+  notify: Restart k3s
+
+- name: Ensure k3s service is started and enabled
+  ansible.builtin.systemd:
+    name: k3s
+    state: started
+    enabled: true
+
+- name: Wait for kubeconfig to appear
+  ansible.builtin.wait_for:
+    path: /etc/rancher/k3s/k3s.yaml
+    state: present
+    timeout: 60
+
+- name: Wait for Kubernetes API to respond
+  ansible.builtin.command: kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get --raw=/readyz
+  register: k3s_ready
+  retries: 30
+  delay: 5
+  until: k3s_ready.rc == 0
+  changed_when: false
+
+- name: Create symlink for kubectl
+  ansible.builtin.file:
+    src: /usr/local/bin/k3s
+    dest: /usr/local/bin/kubectl
+    state: link
+    force: false
+  failed_when: false
+
+- name: Ensure ~/.kube exists for root
+  ansible.builtin.file:
+    path: /root/.kube
+    state: directory
+    mode: "0700"
+
+- name: Provide kubeconfig at /root/.kube/config
+  ansible.builtin.copy:
+    src: /etc/rancher/k3s/k3s.yaml
+    dest: /root/.kube/config
+    remote_src: true
+    mode: "0600"