feat(ess-pro/compose): deploy Element Server Suite Pro via Compose

initial commit of the converted role from helm charts for qubernetis to compose ansible role

roles/ess_pro_compose/templates/mas/config.yaml.j2

@@ -0,0 +1,114 @@
+## {{ ansible_managed }}
+## Matrix Authentication Service — merged from chart fragments.
+## Adapted from ess-helm {{ ess_chart_version }} for docker compose.
+
+http:
+  public_base: "https://{{ ess_hostnames.mas }}/"
+  issuer: "https://{{ ess_hostnames.mas }}/"
+  listeners:
+    # Public web UI + OAuth + GraphQL + admin API. Fronted by DMZ Traefik.
+    - name: web
+      binds:
+        - host: 0.0.0.0
+          port: 8080
+      resources:
+        - name: human
+        - name: oauth
+        - name: assets
+        - name: graphql
+          undocumented_oauth2_access: true
+        - name: adminapi
+    # Internal — never exposed publicly. Used for healthchecks and metrics.
+    - name: internal
+      binds:
+        - host: 0.0.0.0
+          port: 8081
+      resources:
+        - name: health
+        - name: prometheus
+        - name: connection-info
+    # Root domain — serves .well-known/openid-configuration et al. on
+    # https://{{ ess_hostnames.mas }} root. Mounted as the public listener
+    # since DMZ Traefik strips paths.
+    - name: root
+      binds:
+        - host: 0.0.0.0
+          port: 8082
+      resources:
+        - name: discovery
+        - name: compat
+    # Talks to Synapse on the internal network only.
+    - name: synapse
+      binds:
+        - host: 0.0.0.0
+          port: 8083
+      resources:
+        - name: discovery
+        - name: oauth
+
+database:
+  uri: "postgresql://matrixauthenticationservice_user:{{ _ess_secrets.POSTGRES_MATRIX_AUTHENTICATION_SERVICE_PASSWORD }}@postgres:5432/matrixauthenticationservice?sslmode=prefer&application_name=matrix-authentication-service"
+
+telemetry:
+  metrics:
+    exporter: prometheus
+
+matrix:
+  homeserver: "{{ ess_server_name }}"
+  secret_file: {{ _ess_secret_mount }}/MAS_SYNAPSE_SHARED_SECRET
+  endpoint: "http://synapse-main:8008"
+  kind: synapse_modern
+
+# ---- OAuth2 clients -------------------------------------------------------
+clients:
+  # Matrix-tools admin client used by mas-cli operations.
+  - client_id: "000000000000000MATR1XT001S"
+    client_auth_method: client_secret_basic
+    client_secret_file: {{ _ess_secret_mount }}/MAS_MATRIX_TOOLS_OIDC_CLIENT_SECRET
+
+# ---- Signing keys & encryption (file-mounted) ----------------------------
+secrets:
+  encryption_file: {{ _ess_secret_mount }}/MAS_ENCRYPTION_SECRET
+  keys:
+    - key_file: {{ _ess_secret_mount }}/MAS_RSA_PRIVATE_KEY
+    - key_file: {{ _ess_secret_mount }}/MAS_ECDSA_PRIME256V1_PRIVATE_KEY
+
+# ---- Policy ---------------------------------------------------------------
+policy:
+  data:
+    admin_clients:
+      - "000000000000000MATR1XT001S"
+    admin_users: []
+    client_registration:
+      allow_host_mismatch: false
+      allow_insecure_uris: false
+
+account:
+  password_registration_enabled: {{ ess_enable_registration | bool | lower }}
+
+passwords:
+  enabled: true
+
+{% if ess_oidc_enabled %}
+# ---- Upstream OIDC (Authentik for demo, Keycloak for prod) ----------------
+upstream_oauth2:
+  providers:
+    - id: "{{ ess_oidc_provider_ulid }}"
+      human_name: "{{ ess_oidc_provider_name }}"
+      issuer: "{{ ess_oidc_issuer }}"
+      client_id: "{{ ess_oidc_client_id }}"
+      client_secret: "{{ ess_oidc_client_secret }}"
+      token_endpoint_auth_method: client_secret_basic
+      scope: "{{ ess_oidc_scopes }}"
+      claims_imports:
+        localpart:
+          action: require
+          template: "{{ '{{ user.preferred_username }}' }}"
+        displayname:
+          action: suggest
+          template: "{{ '{{ user.name }}' }}"
+        email:
+          action: suggest
+          template: "{{ '{{ user.email }}' }}"
+          set_email_verification: always
+{% endif %}