feat(ess-pro/compose): deploy Element Server Suite Pro via Compose

initial commit of the converted role from helm charts for qubernetis to compose ansible role

roles/ess_pro_compose/templates/synapse/federation-reader.yaml.j2

@@ -0,0 +1,23 @@
+## {{ ansible_managed }}
+## synapse-pro-worker (Rust) federation reader.
+## This is a different config schema than Python Synapse.
+
+http:
+  bind_addr: "::"
+  bind_port: 8008
+
+metrics:
+  bind_addr: "::"
+  bind_port: 9001
+
+synapse:
+  server_name: "{{ ess_server_name }}"
+
+database:
+  connection_string: "postgresql://synapse_user:{{ _ess_secrets.POSTGRES_SYNAPSE_PASSWORD }}@postgres:5432/synapse?sslmode=prefer"
+
+redis:
+  host: redis
+  port: 6379
+
+logging: basic

roles/ess_pro_compose/templates/synapse/homeserver.yaml.j2

@@ -0,0 +1,159 @@
+## {{ ansible_managed }}
+## Synapse homeserver config — merged from chart fragments
+## 01-homeserver-underrides + 04-homeserver-overrides + 05-main.
+## Adapted from ess-helm {{ ess_chart_version }} for docker compose.
+
+server_name: "{{ ess_server_name }}"
+public_baseurl: "https://{{ ess_hostnames.synapse }}/"
+web_client_location: "https://{{ ess_hostnames.element_web }}/"
+admin_contact: "{{ ess_admin_contact }}"
+
+pid_file: /data/homeserver.pid
+signing_key_path: {{ _ess_secret_mount }}/SYNAPSE_SIGNING_KEY
+macaroon_secret_key_path: {{ _ess_secret_mount }}/SYNAPSE_MACAROON
+registration_shared_secret_path: {{ _ess_secret_mount }}/SYNAPSE_REGISTRATION_SHARED_SECRET
+worker_replication_secret_path: {{ _ess_secret_mount }}/SYNAPSE_WORKERS_REPLICATION_SECRET
+
+log_config: "/conf/log_config.yaml"
+enable_metrics: true
+report_stats: false
+
+# ---- Listeners (from 05-main.yaml) ----------------------------------------
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    bind_addresses: ['0.0.0.0', '::']
+    x_forwarded: true
+    resources:
+      - names: [client, federation]
+        compress: false
+  - port: 9093
+    tls: false
+    type: http
+    bind_addresses: ['0.0.0.0', '::']
+    x_forwarded: false
+    resources:
+      - names: [replication]
+        compress: false
+  - port: 8080
+    tls: false
+    type: http
+    bind_addresses: ['0.0.0.0', '::']
+    x_forwarded: false
+    resources:
+      - names: [health]
+        compress: false
+  - type: metrics
+    port: 9001
+    bind_addresses: ['::']
+
+enable_media_repo: true
+media_store_path: "/media/media_store"
+max_upload_size: "{{ ess_synapse_max_upload_size }}"
+
+# ---- Pro modules ----------------------------------------------------------
+modules:
+  - module: "synapse_ess_pro.EssPro"
+    config:
+      version_path: /ess/version
+  - module: "synapse_mass_local_room_upgrades.MassLocalRoomUpgradesModule"
+    config: {}
+
+# ---- Database -------------------------------------------------------------
+database:
+  name: psycopg2
+  args:
+    user: synapse_user
+    password: "{{ _ess_secrets.POSTGRES_SYNAPSE_PASSWORD }}"
+    dbname: synapse
+    host: postgres
+    port: 5432
+    sslmode: prefer
+    keepalives: 1
+    keepalives_idle: 10
+    keepalives_interval: 10
+    keepalives_count: 3
+    cp_min: 5
+    cp_max: 10
+
+# ---- Redis (required for workers) -----------------------------------------
+redis:
+  enabled: true
+  host: redis
+  port: 6379
+
+# Replication topology — fed-reader connects back to the main on 9093.
+instance_map:
+  main:
+    host: synapse-main
+    port: 9093
+
+# ---- Matrix 2.0 features (MSC4108 QR login, MSC4222 syncv2, MSC4143 RTC) --
+experimental_features:
+  msc4143_enabled: true
+  msc4222_enabled: true
+  msc4108_enabled: true
+  msc4028_push_encrypted_events: true
+
+# ---- Delegated auth to MAS (stable since Synapse 1.118) -------------------
+matrix_authentication_service:
+  enabled: true
+  secret_path: {{ _ess_secret_mount }}/MAS_SYNAPSE_SHARED_SECRET
+  endpoint: "http://mas:8083/"
+  force_http2: true
+
+password_config:
+  localdb_enabled: false
+  enabled: false
+
+# ---- Matrix RTC (Element Call discovery) ----------------------------------
+matrix_rtc:
+  transports:
+    - type: livekit
+      livekit_service_url: "https://{{ ess_hostnames.matrix_rtc }}"
+
+# ---- URL previews ---------------------------------------------------------
+url_preview_enabled: {{ ess_synapse_url_previews_enabled | bool | lower }}
+url_preview_ip_range_whitelist: []
+url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/10'
+  - 'fc00::/7'
+
+# ---- Federation -----------------------------------------------------------
+{% if ess_enable_federation %}
+send_federation: true
+federation_client_minimum_tls_version: '1.2'
+{% else %}
+send_federation: false
+federation_domain_whitelist: []
+{% endif %}
+
+# ---- Other defaults from chart underrides ---------------------------------
+require_auth_for_profile_requests: true
+presence:
+  enabled: false
+start_pushers: true
+max_event_delay_duration: 24h
+
+room_list_publication_rules:
+  - action: allow
+    user_id: "@*:{{ ess_server_name }}"
+
+rc_message:
+  per_second: 0.5
+  burst_count: 30
+rc_delayed_event_mgmt:
+  per_second: 1
+  burst_count: 20
+
+trusted_key_servers:
+  - server_name: "matrix.org"
+suppress_key_server_warning: true

roles/ess_pro_compose/templates/synapse/log_config.yaml.j2

@@ -0,0 +1,16 @@
+## {{ ansible_managed }}
+version: 1
+formatters:
+  precise:
+    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+handlers:
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+loggers:
+  synapse.storage.SQL:
+    level: INFO
+root:
+  level: INFO
+  handlers: [console]
+disable_existing_loggers: false