# SPDX-License-Identifier: MIT-0
---
# =============================================================================
# ess-pro role — defaults
# =============================================================================
# Role defaults for deploying the Element Server Suite (matrix-stack Helm
# chart) onto a K3s node behind the digitalboard DMZ Traefik. Every value
# here is the lowest-precedence default and is meant to be overridden from
# inventory (group_vars / host_vars).
#
# Secrets (registry token, OIDC client secret, S3 keys, Postgres passwords)
# are intentionally left empty here. Provide them via
# `group_vars/ess_servers.yml` — either as plain values (PoC), via
# ansible-vault, or as OpenBao lookups, matching the pattern used by the
# other digitalboard.core roles (bookstack, opnform, homarr).
# Keep them as quoted strings so a value that happens to look like a number
# or a boolean is not retyped by the YAML loader.
#
# Example OpenBao lookup:
#   ess_pro_registry_token: "{{ lookup('community.hashi_vault.vault_kv2_get',
#                                        'digitalboard/ess-pro',
#                                        mount_point='kv').data.data.token }}"

# -----------------------------------------------------------------------------
# Helm release
# -----------------------------------------------------------------------------
ess_pro_namespace: "ess"
ess_pro_release_name: "ess"
# OCI chart reference; pulls use the registry credentials defined below.
ess_pro_chart_ref: "oci://registry.element.io/matrix-stack"
# Pin a chart version in production. Leave empty to track the latest stable.
# An unpinned reference makes a re-run non-reproducible and lets an upstream
# release change the deployment without a reviewed change here.
ess_pro_chart_version: ""
ess_pro_helm_timeout: "15m"
ess_pro_helm_wait: true
# Where to store rendered values.yaml on the target host.
# NOTE(review): the rendered file carries the secrets above in clear text —
# confirm the task that writes it sets a restrictive owner/mode.
ess_pro_config_dir: "/etc/ess"

# -----------------------------------------------------------------------------
# Matrix server identity
# -----------------------------------------------------------------------------
# The Matrix serverName forms the user ID domain (@user:serverName) and the
# federation key. It cannot be changed after the first deploy without data
# loss. Override for production deployments (e.g. wksbern.ch).
ess_pro_server_name: "digitalboard.ch"

# Per-service hostnames. The DMZ Traefik (reference-ansible) terminates TLS
# for these and forwards to the K3s node.
#
# Convention follows the other digitalboard.core roles:
#   wiki.digitalboard.ch   (bookstack)
#   forms.digitalboard.ch  (opnform)
#   home.digitalboard.ch   (homarr)
#   auth.digitalboard.ch   (keycloak)  <- already taken — MAS uses `mas.`
#   chat.digitalboard.ch   (this role, Element Web)
#
# Each hostname is derived from ess_pro_server_name via Jinja; overriding the
# server name therefore re-derives all five unless overridden individually.
ess_pro_hostnames:
  synapse: "matrix.{{ ess_pro_server_name }}"
  mas: "mas.{{ ess_pro_server_name }}"
  element_web: "chat.{{ ess_pro_server_name }}"
  element_admin: "admin.{{ ess_pro_server_name }}"
  matrix_rtc: "rtc.{{ ess_pro_server_name }}"

# -----------------------------------------------------------------------------
# Element image registry credentials (from customer.element.io)
# -----------------------------------------------------------------------------
ess_pro_registry_url: "registry.element.io"
ess_pro_registry_username: ""  # set in group_vars/ess_servers.yml
ess_pro_registry_token: ""     # secret — set in group_vars/ess_servers.yml

# -----------------------------------------------------------------------------
# Ingress / TLS strategy
# -----------------------------------------------------------------------------
# The reference-ansible pattern terminates TLS on the DMZ Traefik. Inside
# K3s, workloads serve plain HTTP.
# NOTE(review): with external termination the Traefik -> K3s hop is
# unencrypted; confirm the ingress is reachable only from the DMZ Traefik and
# that forwarded-proto headers are trusted from that source only.
ess_pro_tls_terminate_externally: true
ess_pro_ingress_class: "traefik"

# -----------------------------------------------------------------------------
# PostgreSQL
# -----------------------------------------------------------------------------
# Chart-internal Postgres for demo. For production, point at an external DB.
ess_pro_postgres_external: false
ess_pro_postgres_host: ""  # only used when ess_pro_postgres_external is true
ess_pro_postgres_port: 5432
# libpq sslmode. "prefer" negotiates TLS but silently falls back to plaintext
# and does not validate the server certificate. For an external DB use
# "verify-full" together with the CA the server presents.
ess_pro_postgres_sslmode: "prefer"
ess_pro_postgres_synapse_db: "synapse"
ess_pro_postgres_synapse_user: "synapse"
ess_pro_postgres_synapse_password: ""  # secret — set in group_vars/ess_servers.yml
ess_pro_postgres_mas_db: "mas"
ess_pro_postgres_mas_user: "mas"
ess_pro_postgres_mas_password: ""  # secret — set in group_vars/ess_servers.yml

# -----------------------------------------------------------------------------
# Delegated authentication via the digitalboard Keycloak
# -----------------------------------------------------------------------------
# Create a confidential OIDC client `ess-mas` in the `Digitalboard` realm
# with redirect_uri
#   https://{{ ess_pro_hostnames.mas }}/upstream/callback/01J0KCK0DNNNDIGITALBOARDKC01
# Register exactly this redirect URI (no wildcard) so the authorization code
# can only be returned to MAS.
ess_pro_oidc_enabled: false
# Issuer is the shared digitalboard Keycloak and is intentionally not derived
# from ess_pro_server_name; override it when a deployment uses another IdP.
ess_pro_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard"
ess_pro_oidc_client_id: "ess-mas"
ess_pro_oidc_client_secret: ""  # secret — set in group_vars/ess_servers.yml
ess_pro_oidc_provider_name: "Digitalboard"
# Minimal scope set; add more only if MAS needs the extra claims.
ess_pro_oidc_scopes:
  - "openid"
  - "profile"
  - "email"

# -----------------------------------------------------------------------------
# Media storage (Garage S3)
# -----------------------------------------------------------------------------
ess_pro_s3_media_enabled: false
ess_pro_s3_endpoint: "https://s3.digitalboard.ch"
ess_pro_s3_region: "garage"
ess_pro_s3_bucket: "ess-media"
ess_pro_s3_access_key: ""  # set in group_vars/ess_servers.yml
ess_pro_s3_secret_key: ""  # secret — set in group_vars/ess_servers.yml

# -----------------------------------------------------------------------------
# Matrix RTC Backend / Element Call (LiveKit SFU + lk-jwt-service)
# -----------------------------------------------------------------------------
ess_pro_rtc_enabled: true
# UDP range LiveKit uses for media; it has to be opened on the DMZ firewall
# towards the K3s node, which this role does not do by itself.
ess_pro_rtc_udp_port_range_start: 50000
ess_pro_rtc_udp_port_range_end: 60000
# Externally reachable IP for LiveKit ICE candidates (DMZ public IP).
# Left empty here; clients behind NAT will not connect until it is set.
ess_pro_rtc_external_ip: ""

# -----------------------------------------------------------------------------
# Initial admin (chart creates @localadmin: by default)
# -----------------------------------------------------------------------------
# NOTE(review): a default local admin is a standing privileged credential —
# confirm how the chart provisions its password and consider setting this to
# false once a real admin account exists.
ess_pro_create_initial_admin: true

# -----------------------------------------------------------------------------
# Helm CLI install
# -----------------------------------------------------------------------------
# Pinned Helm CLI release installed on the target host.
# NOTE(review): no checksum variable is defined here — confirm the install
# task verifies the downloaded binary against the published checksum.
ess_pro_helm_version: "v3.16.4"
ess_pro_helm_install_dir: "/usr/local/bin"