feat(ess-pro/compose): deploy Element Server Suite Pro via Compose

initial commit of the converted role from helm charts for qubernetis to compose ansible role

roles/ess_pro_compose/examples/group_vars-ess_servers.yml

@@ -0,0 +1,63 @@
+# SPDX-License-Identifier: MIT-0
+---
+# inventory/group_vars/ess_servers.yml
+# Production config: full Pro stack, secrets from OpenBao.
+
+# ---- Matrix identity ----------------------------------------------------
+ess_server_name: "digitalboard.ch"
+# Default hostnames (matrix./account./chat./admin./mrtc.) inherit from
+# ess_server_name. Override `ess_hostnames` here if you need different prefixes.
+
+# ---- Pro worker scaling -------------------------------------------------
+# Federation-reader workers (Rust). Chart deploys 20 in K8s with HPA.
+# For a 500-700 user vocational school deployment, 3-5 is plenty.
+ess_synapse_fed_reader_replicas: 5
+
+# ---- DMZ Traefik integration --------------------------------------------
+ess_compose_traefik_network: "proxy"
+ess_compose_traefik_entrypoint: "websecure"
+ess_compose_traefik_certresolver: "letsencrypt"
+
+# ---- Registration / federation policy -----------------------------------
+ess_enable_registration: false
+ess_enable_federation: true
+
+# ---- Delegated auth via Authentik (demo) / Keycloak (prod) --------------
+ess_oidc_enabled: true
+# Verify the actual issuer with:
+#   curl -s <issuer>/.well-known/openid-configuration | jq .issuer
+ess_oidc_issuer: "https://authentik.digitalboard.ch/application/o/ess/"
+ess_oidc_client_id: "ess-mas"
+ess_oidc_provider_name: "Digitalboard"
+
+# ---- Matrix RTC / Element Call ------------------------------------------
+ess_rtc_external_ip: "203.0.113.42"   # DMZ public IP — set for your env
+
+# ---- Admin allow-list (lock down for prod!) -----------------------------
+ess_admin_allow_ips:
+  - "10.0.0.0/8"        # internal RFC1918
+  - "172.16.0.0/12"
+  - "192.168.0.0/16"
+  - "203.0.113.5/32"    # bastion IP
+
+# =============================================================================
+# Secrets — from OpenBao (same pattern as bookstack/opnform/homarr)
+# =============================================================================
+#
+# Stored at kv/digitalboard/ess-compose with two keys (registry creds only —
+# the cryptographic material is generated locally by the role's
+# generate-secrets script and lives in {{ ess_compose_secrets_dir }} on the
+# host). The OIDC client secret also lives in OpenBao because it's shared
+# with the IdP side.
+
+ess_registry_username: "{{ lookup('community.hashi_vault.vault_kv2_get',
+                                  'digitalboard/ess-compose',
+                                  mount_point='kv').data.data.registry_username }}"
+
+ess_registry_token: "{{ lookup('community.hashi_vault.vault_kv2_get',
+                               'digitalboard/ess-compose',
+                               mount_point='kv').data.data.registry_token }}"
+
+ess_oidc_client_secret: "{{ lookup('community.hashi_vault.vault_kv2_get',
+                                   'digitalboard/ess-compose',
+                                   mount_point='kv').data.data.oidc_client_secret }}"

roles/ess_pro_compose/examples/openbao-bootstrap.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Bootstrap the OpenBao entry for ess_pro_compose.
+# Only stores the registry credentials and the OIDC client secret —
+# the rest of the cryptographic material is generated by the role locally
+# on first deploy (and persists in {{ ess_compose_secrets_dir }} on the host).
+
+set -euo pipefail
+MOUNT="${MOUNT:-kv}"
+PATH_="${PATH_:-digitalboard/ess-compose}"
+
+read -p  "Element registry username (from customer.element.io): " REG_USER
+read -sp "Element registry token: "                                 REG_TOKEN; echo
+read -sp "Authentik OIDC client_secret for ess-mas: "               OIDC_SECRET; echo
+
+bao kv put "${MOUNT}/${PATH_}" \
+  registry_username="${REG_USER}" \
+  registry_token="${REG_TOKEN}" \
+  oidc_client_secret="${OIDC_SECRET}"
+
+echo "Done. Verify: bao kv get ${MOUNT}/${PATH_}"

roles/ess_pro_compose/examples/site.yml

@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: MIT-0
+---
+- name: Deploy ESS Pro v26.5.1 (full stack with federation-reader worker)
+  hosts: ess_servers
+  become: true
+  roles:
+    - digitalboard.core.ess_pro_compose