feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm

Adds k3s and ess_pro roles to replace the planned Nextcloud Talk stack. Integrates with existing Keycloak (OIDC), Garage (S3 media) and OpenBao (secrets). Hostnames under digitalboard.ch.
2026-05-27 23:46:37 +02:00 · 2026-05-27 23:46:37 +02:00 · 01fd12d75c
commit 01fd12d75c
parent c11f019aae
18 changed files with 1098 additions and 0 deletions
--- a/roles/k3s/tasks/main.yml
+++ b/roles/k3s/tasks/main.yml
@ -0,0 +1,86 @@
+---
+# Install K3s as a single-node Kubernetes cluster.
+# This role is intentionally minimal: it installs K3s, waits for the API,
+# and makes kubectl + the kubeconfig usable for the downstream ess-pro role.
+
+- name: Check whether K3s is already installed
+  ansible.builtin.stat:
+    path: /usr/local/bin/k3s
+  register: k3s_binary
+
+- name: Ensure curl is installed
+  ansible.builtin.apt:
+    name: curl
+    state: present
+    update_cache: true
+  when: not k3s_binary.stat.exists
+
+- name: Download K3s install script
+  ansible.builtin.get_url:
+    url: "{{ k3s_install_script_url }}"
+    dest: /tmp/k3s-install.sh
+    mode: "0755"
+  when: not k3s_binary.stat.exists
+
+- name: Build INSTALL_K3S_EXEC string
+  ansible.builtin.set_fact:
+    k3s_exec_args: >-
+      {{
+        (['--write-kubeconfig-mode=' ~ k3s_write_kubeconfig_mode]
+          + (k3s_disable_components | map('regex_replace', '^(.*)$', '--disable=\\1') | list)
+          + ['--cluster-cidr=' ~ k3s_cluster_cidr,
+             '--service-cidr=' ~ k3s_service_cidr]
+          + k3s_extra_args) | join(' ')
+      }}
+
+- name: Install K3s
+  ansible.builtin.command:
+    cmd: /tmp/k3s-install.sh
+  environment:
+    INSTALL_K3S_VERSION: "{{ k3s_version }}"
+    INSTALL_K3S_CHANNEL: "{{ k3s_channel }}"
+    INSTALL_K3S_EXEC: "{{ k3s_exec_args }}"
+  args:
+    creates: /usr/local/bin/k3s
+  notify: Restart k3s
+
+- name: Ensure k3s service is started and enabled
+  ansible.builtin.systemd:
+    name: k3s
+    state: started
+    enabled: true
+
+- name: Wait for kubeconfig to appear
+  ansible.builtin.wait_for:
+    path: /etc/rancher/k3s/k3s.yaml
+    state: present
+    timeout: 60
+
+- name: Wait for Kubernetes API to respond
+  ansible.builtin.command: kubectl --kubeconfig /etc/rancher/k3s/k3s.yaml get --raw=/readyz
+  register: k3s_ready
+  retries: 30
+  delay: 5
+  until: k3s_ready.rc == 0
+  changed_when: false
+
+- name: Create symlink for kubectl
+  ansible.builtin.file:
+    src: /usr/local/bin/k3s
+    dest: /usr/local/bin/kubectl
+    state: link
+    force: false
+  failed_when: false
+
+- name: Ensure ~/.kube exists for root
+  ansible.builtin.file:
+    path: /root/.kube
+    state: directory
+    mode: "0700"
+
+- name: Provide kubeconfig at /root/.kube/config
+  ansible.builtin.copy:
+    src: /etc/rancher/k3s/k3s.yaml
+    dest: /root/.kube/config
+    remote_src: true
+    mode: "0600"