feat(ess-pro/compose): deploy Element Server Suite Pro via Compose

initial commit of the converted role from helm charts for qubernetis to compose ansible role
2026-06-04 10:52:05 +02:00 · 2026-06-04 10:52:05 +02:00 · 32eca6b923
commit 32eca6b923
parent c11f019aae
33 changed files with 1906 additions and 0 deletions
--- a/roles/ess_pro_compose/defaults/main.yml
+++ b/roles/ess_pro_compose/defaults/main.yml
@ -0,0 +1,149 @@
+# SPDX-License-Identifier: MIT-0
+---
+# =============================================================================
+# ess_pro_compose role — defaults
+# =============================================================================
+# Deploys the full ESS Pro stack (matrix-stack chart v26.5.1) as a docker
+# compose project, including the Pro federation-reader worker. Same conventions
+# as the other digitalboard.core roles. Secrets are sourced from OpenBao.
+
+# -----------------------------------------------------------------------------
+# Chart version we're modelling
+# -----------------------------------------------------------------------------
+ess_chart_version: "26.5.1"
+
+# -----------------------------------------------------------------------------
+# Project layout on the target host
+# -----------------------------------------------------------------------------
+ess_compose_dir: "/opt/ess"
+ess_compose_project_name: "ess"
+
+# Where rendered configs and runtime data live (mounted into containers)
+ess_compose_conf_dir: "{{ ess_compose_dir }}/conf"        # rendered configs
+ess_compose_secrets_dir: "{{ ess_compose_dir }}/secrets"  # generated secrets (0600)
+ess_compose_data_dir: "{{ ess_compose_dir }}/data"        # volumes
+
+# -----------------------------------------------------------------------------
+# Docker networks
+# -----------------------------------------------------------------------------
+# Public-facing Traefik network (external, managed by the shared traefik role).
+ess_compose_traefik_network: "proxy"
+ess_compose_traefik_entrypoint: "websecure"
+ess_compose_traefik_certresolver: "letsencrypt"
+
+# Internal network for service-to-service traffic only.
+ess_compose_internal_network: "ess_internal"
+
+# -----------------------------------------------------------------------------
+# Matrix identity
+# -----------------------------------------------------------------------------
+# Matrix serverName is the domain part of @user:serverName. Immutable.
+ess_server_name: "digitalboard.ch"
+
+# Hostnames. Convention follows the official Element docs (account.*, mrtc.*).
+# Override per environment in group_vars if you want different prefixes.
+ess_hostnames:
+  synapse: "matrix.{{ ess_server_name }}"      # client + federation, fronts HAProxy
+  mas: "account.{{ ess_server_name }}"          # Matrix Authentication Service
+  element_web: "chat.{{ ess_server_name }}"
+  element_admin: "admin.{{ ess_server_name }}"
+  matrix_rtc: "mrtc.{{ ess_server_name }}"      # Element Call SFU + auth
+
+# -----------------------------------------------------------------------------
+# Image references (Pro images from registry.element.io, chart 26.5.1)
+# -----------------------------------------------------------------------------
+# Pin to specific tags for production. The chart bundles digests; we use
+# version-aligned tags so they're readable. Override individually as needed.
+ess_images:
+  synapse: "registry.element.io/synapse-onprem:sha-63110a4"
+  synapse_pro_worker: "registry.element.io/synapse-pro-worker:0.4.0"
+  mas: "registry.element.io/matrix-authentication-service:1.17.0"
+  element_web: "registry.element.io/element-web-pro:1.12.18"
+  element_admin: "registry.element.io/element-admin:1.5.0"
+  haproxy: "registry.element.io/haproxy:3.2-alpine"
+  livekit: "registry.element.io/livekit-server-distroless:1.9.1"
+  lk_jwt: "registry.element.io/lk-jwt-service:0.3.0"
+  postgres: "registry.element.io/postgres:16-alpine"
+  postgres_exporter: "registry.element.io/postgres-exporter:0.18.1"
+  redis: "registry.element.io/redis-distroless:7.4"
+  matrix_tools: "registry.element.io/matrix-tools:0.17.8"
+
+# -----------------------------------------------------------------------------
+# Element registry credentials (from customer.element.io)
+# -----------------------------------------------------------------------------
+ess_registry_url: "registry.element.io"
+ess_registry_username: ""   # OpenBao lookup in group_vars
+ess_registry_token: ""      # OpenBao lookup in group_vars
+
+# -----------------------------------------------------------------------------
+# Federation reader worker
+# -----------------------------------------------------------------------------
+# The Rust-based Pro worker that handles /state, /state_ids, /event federation
+# reads. The chart deploys this with 20 replicas; for compose we run it as
+# scaled instances.
+ess_synapse_fed_reader_replicas: 1
+
+# -----------------------------------------------------------------------------
+# Delegated authentication via the digitalboard IdP
+# -----------------------------------------------------------------------------
+# Authentik in the demo environment, Keycloak in production. Discover the
+# exact issuer with:
+#   curl -s <issuer>/.well-known/openid-configuration | jq .issuer
+ess_oidc_enabled: false
+ess_oidc_issuer: ""
+ess_oidc_client_id: "ess-mas"
+ess_oidc_client_secret: ""        # OpenBao
+ess_oidc_provider_name: "Digitalboard"
+ess_oidc_provider_ulid: "01JBADAUTHENTIKDIGITALBOARD01"
+ess_oidc_scopes: "openid profile email"
+
+# -----------------------------------------------------------------------------
+# Matrix RTC / Element Call (LiveKit SFU)
+# -----------------------------------------------------------------------------
+# Element's Pro chart fixes RTC to TCP 30001 + UDP 30002 (muxed). Forward
+# those on the DMZ firewall to this host.
+ess_rtc_tcp_port: 30001
+ess_rtc_udp_port: 30002
+
+# Public IP for ICE candidates (the DMZ NAT address). Required.
+ess_rtc_external_ip: ""
+# LiveKit non-secret key id (the secret comes from the generated bundle).
+ess_livekit_key: "matrix-rtc"
+
+# -----------------------------------------------------------------------------
+# Registration / federation policy
+# -----------------------------------------------------------------------------
+ess_enable_registration: false
+ess_enable_federation: true       # internet federation; turn off for isolated POCs
+ess_admin_contact: "mailto:admin@{{ ess_server_name }}"
+
+# -----------------------------------------------------------------------------
+# Initial admin user
+# -----------------------------------------------------------------------------
+# A localadmin user is created on first deploy via mas-cli. The generated
+# password lands in {{ ess_compose_secrets_dir }}/ADMIN_USER_PASSWORD.
+ess_admin_localpart: "localadmin"
+ess_create_admin_user: true
+
+# -----------------------------------------------------------------------------
+# Element Admin / Synapse Admin allow-list
+# -----------------------------------------------------------------------------
+# Source IPs (CIDR) allowed to hit /_synapse/admin/. Default: everyone. Lock
+# this down for production (e.g. just the office network + bastion).
+ess_admin_allow_ips:
+  - "0.0.0.0/0"
+  - "::/0"
+
+# -----------------------------------------------------------------------------
+# Resources / sizing (Postgres args)
+# -----------------------------------------------------------------------------
+# Chart defaults assume a fairly beefy node. Adjust for your VM.
+ess_postgres_max_connections: 256
+ess_postgres_shared_buffers: "1024MB"
+ess_postgres_effective_cache_size: "3840MB"
+
+# -----------------------------------------------------------------------------
+# Synapse media store
+# -----------------------------------------------------------------------------
+ess_synapse_max_upload_size: "100M"
+ess_synapse_url_previews_enabled: true