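# SPDX-License-Identifier: MIT-0
---
# =============================================================================
# ess_pro_compose role — defaults
# =============================================================================
# Deploys the full ESS Pro stack (matrix-stack chart v26.5.1) as a docker
# compose project, including the Pro federation-reader worker. Same conventions
# as the other digitalboard.core roles. Secrets are sourced from OpenBao and
# are never set here; every secret-bearing variable defaults to "" and is
# expected to be overridden from a lookup in group_vars.

# -----------------------------------------------------------------------------
# Chart version we're modelling
# -----------------------------------------------------------------------------
# Quoted on purpose: an unquoted 26.5.1 is not a number, but keeping all
# version-like values as strings avoids the 1.10 -> 1.1 float trap elsewhere.
ess_chart_version: "26.5.1"

# -----------------------------------------------------------------------------
# Project layout on the target host
# -----------------------------------------------------------------------------
ess_compose_dir: "/opt/ess"
ess_compose_project_name: "ess"

# Where rendered configs and runtime data live (mounted into containers).
ess_compose_conf_dir: "{{ ess_compose_dir }}/conf"        # rendered configs
ess_compose_secrets_dir: "{{ ess_compose_dir }}/secrets"  # generated secrets (0600)
ess_compose_data_dir: "{{ ess_compose_dir }}/data"        # volumes

# -----------------------------------------------------------------------------
# Docker networks
# -----------------------------------------------------------------------------
# Public-facing Traefik network (external, managed by the shared traefik role).
ess_compose_traefik_network: "proxy"
ess_compose_traefik_entrypoint: "websecure"
ess_compose_traefik_certresolver: "letsencrypt"

# Internal network for service-to-service traffic only; nothing on it is
# published to the host or reachable through Traefik.
ess_compose_internal_network: "ess_internal"

# -----------------------------------------------------------------------------
# Matrix identity
# -----------------------------------------------------------------------------
# Matrix serverName is the domain part of @user:serverName. Immutable once the
# homeserver has been started: changing it invalidates every existing user and
# room ID.
ess_server_name: "digitalboard.ch"

# Hostnames. Convention follows the official Element docs (account.*, mrtc.*).
# Override per environment in group_vars if you want different prefixes.
ess_hostnames:
  synapse: "matrix.{{ ess_server_name }}"      # client + federation, fronts HAProxy
  mas: "account.{{ ess_server_name }}"         # Matrix Authentication Service
  element_web: "chat.{{ ess_server_name }}"
  element_admin: "admin.{{ ess_server_name }}"
  matrix_rtc: "mrtc.{{ ess_server_name }}"     # Element Call SFU + auth

# -----------------------------------------------------------------------------
# Image references (Pro images from registry.element.io, chart 26.5.1)
# -----------------------------------------------------------------------------
# Pin to specific tags for production. The chart bundles digests; we use
# version-aligned tags so they're readable. Override individually as needed.
# A tag is mutable upstream; if you need a reproducible deploy, override the
# entry with the chart's digest (image@sha256:...) in group_vars.
ess_images:
  synapse: "registry.element.io/synapse-onprem:sha-63110a4"
  synapse_pro_worker: "registry.element.io/synapse-pro-worker:0.4.0"
  mas: "registry.element.io/matrix-authentication-service:1.17.0"
  element_web: "registry.element.io/element-web-pro:1.12.18"
  element_admin: "registry.element.io/element-admin:1.5.0"
  haproxy: "registry.element.io/haproxy:3.2-alpine"
  livekit: "registry.element.io/livekit-server-distroless:1.9.1"
  lk_jwt: "registry.element.io/lk-jwt-service:0.3.0"
  postgres: "registry.element.io/postgres:16-alpine"
  postgres_exporter: "registry.element.io/postgres-exporter:0.18.1"
  redis: "registry.element.io/redis-distroless:7.4"
  matrix_tools: "registry.element.io/matrix-tools:0.17.8"

# -----------------------------------------------------------------------------
# Element registry credentials (from customer.element.io)
# -----------------------------------------------------------------------------
ess_registry_url: "registry.element.io"
ess_registry_username: ""  # OpenBao lookup in group_vars
ess_registry_token: ""     # OpenBao lookup in group_vars

# -----------------------------------------------------------------------------
# Federation reader worker
# -----------------------------------------------------------------------------
# The Rust-based Pro worker that handles /state, /state_ids, /event federation
# reads. The chart deploys this with 20 replicas; for compose we run it as
# scaled instances.
ess_synapse_fed_reader_replicas: 1

# -----------------------------------------------------------------------------
# Delegated authentication via the digitalboard IdP
# -----------------------------------------------------------------------------
# Authentik in the demo environment, Keycloak in production. Discover the
# exact issuer from the IdP's discovery document (replace <idp-base-url>):
#   curl -s <idp-base-url>/.well-known/openid-configuration | jq .issuer
# The issuer MUST match that value byte-for-byte (scheme, host, trailing
# slash); MAS rejects tokens whose iss differs.
ess_oidc_enabled: false
ess_oidc_issuer: ""
ess_oidc_client_id: "ess-mas"
ess_oidc_client_secret: ""  # OpenBao
ess_oidc_provider_name: "Digitalboard"
# MAS requires the upstream provider id to be a ULID: exactly 26 Crockford
# base32 characters (digits and A-Z without I, L, O, U). The previous default
# was 29 characters and used excluded letters, so it could never load. The
# value below is a constructed, valid-format placeholder; generate your own
# once (e.g. with `mas-cli` or any ulid tool) and then keep it stable — it is
# the key MAS uses to link accounts to this provider, so changing it later
# detaches existing links.
ess_oidc_provider_ulid: "01JBADGTB0ARDMAS0000000001"
ess_oidc_scopes: "openid profile email"

# -----------------------------------------------------------------------------
# Matrix RTC / Element Call (LiveKit SFU)
# -----------------------------------------------------------------------------
# Element's Pro chart fixes RTC to TCP 30001 + UDP 30002 (muxed). Forward
# those on the DMZ firewall to this host.
ess_rtc_tcp_port: 30001
ess_rtc_udp_port: 30002

# Public IP for ICE candidates (the DMZ NAT address). Required: with this left
# empty, LiveKit advertises its container address and calls will not connect
# from outside.
ess_rtc_external_ip: ""

# LiveKit non-secret key id (the secret comes from the generated bundle).
ess_livekit_key: "matrix-rtc"

# -----------------------------------------------------------------------------
# Registration / federation policy
# -----------------------------------------------------------------------------
ess_enable_registration: false
ess_enable_federation: true  # internet federation; turn off for isolated POCs
ess_admin_contact: "mailto:admin@{{ ess_server_name }}"

# -----------------------------------------------------------------------------
# Initial admin user
# -----------------------------------------------------------------------------
# A localadmin user is created on first deploy via mas-cli. The generated
# password lands in {{ ess_compose_secrets_dir }}/ADMIN_USER_PASSWORD.
ess_admin_localpart: "localadmin"
ess_create_admin_user: true

# -----------------------------------------------------------------------------
# Element Admin / Synapse Admin allow-list
# -----------------------------------------------------------------------------
# Source IPs (CIDR) allowed to hit /_synapse/admin/. Default: everyone, which
# is acceptable only for a throwaway demo. Lock this down for production
# (e.g. just the office network + bastion) — the admin API is authenticated,
# but the allow-list is the only layer that keeps it off the public internet.
ess_admin_allow_ips:
  - "0.0.0.0/0"
  - "::/0"

# -----------------------------------------------------------------------------
# Resources / sizing (Postgres args)
# -----------------------------------------------------------------------------
# Chart defaults assume a fairly beefy node. Adjust for your VM.
ess_postgres_max_connections: 256
ess_postgres_shared_buffers: "1024MB"
ess_postgres_effective_cache_size: "3840MB"

# -----------------------------------------------------------------------------
# Synapse media store
# -----------------------------------------------------------------------------
ess_synapse_max_upload_size: "100M"
ess_synapse_url_previews_enabled: true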