
# SPDX-License-Identifier: MIT-0
---
# =============================================================================
# ess-pro role — defaults
# =============================================================================
# Secrets (registry token, OIDC client secret, S3 keys, Postgres passwords)
# are intentionally left empty here. Provide them via
# `group_vars/ess_servers.yml` — as plain values only for a throwaway PoC
# (anything committed there is readable by everyone with access to the
# repository and its history), otherwise via ansible-vault or as OpenBao
# lookups, matching the pattern used by the other digitalboard.core roles
# (bookstack, opnform, homarr). Tasks that consume these values should set
# `no_log: true` so the secrets do not surface in playbook output.
#
# Example OpenBao lookup:
# ess_pro_registry_token: "{{ lookup('community.hashi_vault.vault_kv2_get',
# 'digitalboard/ess-pro',
# mount_point='kv').data.data.token }}"
# -----------------------------------------------------------------------------
# Helm release
# -----------------------------------------------------------------------------
ess_pro_namespace: "ess"
ess_pro_release_name: "ess"
ess_pro_chart_ref: "oci://registry.element.io/matrix-stack"
# Pin a chart version in production. Leave empty to track the latest stable.
ess_pro_chart_version: ""
ess_pro_helm_timeout: "15m"
ess_pro_helm_wait: true
# Where to store rendered values.yaml on the target host.
ess_pro_config_dir: "/etc/ess"
# -----------------------------------------------------------------------------
# Matrix server identity
# -----------------------------------------------------------------------------
# serverName is baked into every user ID (@user:serverName) and into the
# federation signing identity, so it cannot be changed after the first deploy
# without data loss. Override it for production deployments (e.g. wksbern.ch).
ess_pro_server_name: "digitalboard.ch"
#
# Per-service hostnames, all derived from the server name. TLS for these is
# terminated on the DMZ Traefik (reference-ansible), which forwards to the
# K3s node.
#
# Convention follows the other digitalboard.core roles:
#   wiki.digitalboard.ch   (bookstack)
#   forms.digitalboard.ch  (opnform)
#   home.digitalboard.ch   (homarr)
#   auth.digitalboard.ch   (keycloak) <- already taken, so MAS lives under `mas.`
#   chat.digitalboard.ch   (this role, Element Web)
#
# NOTE(review): the bare server name (digitalboard.ch) is not in this list.
# Because Synapse is served from `matrix.` rather than from the server name
# itself, federation and clients depend on delegation being served on the bare
# domain (/.well-known/matrix/server and /.well-known/matrix/client, or SRV) —
# confirm the DMZ Traefik routes those paths; nothing in these defaults does.
# NOTE(review): `element_admin` publishes the admin console on the same public
# edge as the user-facing hosts; consider restricting it at Traefik (IP
# allow-list or an auth middleware) — these defaults do not.
ess_pro_hostnames:
  synapse: "matrix.{{ ess_pro_server_name }}"
  mas: "mas.{{ ess_pro_server_name }}"
  element_web: "chat.{{ ess_pro_server_name }}"
  element_admin: "admin.{{ ess_pro_server_name }}"
  matrix_rtc: "rtc.{{ ess_pro_server_name }}"
# -----------------------------------------------------------------------------
# Element image registry credentials (from customer.element.io)
# -----------------------------------------------------------------------------
ess_pro_registry_url: "registry.element.io"
# Customer-specific credentials; both are set in group_vars/ess_servers.yml.
# The token authenticates to the ESS Pro registry — handle it like the other
# secrets (vault/OpenBao, `no_log: true` on the tasks that use it).
ess_pro_registry_username: ""
ess_pro_registry_token: ""
# -----------------------------------------------------------------------------
# Ingress / TLS strategy
# -----------------------------------------------------------------------------
# Following the reference-ansible pattern, TLS ends on the DMZ Traefik and the
# workloads inside K3s speak plain HTTP.
#
# NOTE(review): that makes the Traefik -> K3s hop cleartext, so the security
# of this setup rests on that network segment: the K3s ingress must not be
# reachable from anything but the DMZ Traefik, and Synapse/MAS must trust the
# proxy's X-Forwarded-Proto/X-Forwarded-Host headers (otherwise they may emit
# http:// URLs, which breaks OIDC redirects) — confirm the rendered values
# cover this; it is not visible in these defaults.
ess_pro_tls_terminate_externally: true
ess_pro_ingress_class: "traefik"
# -----------------------------------------------------------------------------
# PostgreSQL
# -----------------------------------------------------------------------------
# Default: the chart-internal Postgres (demo only). For production set
# ess_pro_postgres_external to true and point at a managed database.
ess_pro_postgres_external: false
ess_pro_postgres_host: ""
ess_pro_postgres_port: 5432
# libpq sslmode. "prefer" negotiates TLS but silently falls back to plaintext,
# and neither "prefer" nor "require" verifies the server certificate. For an
# external database reached over the network use "verify-full" (with the CA
# available to the clients); "prefer" is only acceptable for the in-cluster
# demo database.
ess_pro_postgres_sslmode: "prefer"
# Synapse database; the password is set in group_vars/ess_servers.yml.
ess_pro_postgres_synapse_db: "synapse"
ess_pro_postgres_synapse_user: "synapse"
ess_pro_postgres_synapse_password: ""
# MAS database, with its own credentials so a leaked Synapse secret does not
# also expose the auth service. Password set in group_vars/ess_servers.yml.
ess_pro_postgres_mas_db: "mas"
ess_pro_postgres_mas_user: "mas"
ess_pro_postgres_mas_password: ""
# -----------------------------------------------------------------------------
# Delegated authentication via the digitalboard Keycloak
# -----------------------------------------------------------------------------
# Create a confidential OIDC client `ess-mas` in the `Digitalboard` realm and
# register exactly this redirect_uri (scheme, host and path must match):
#   https://{{ ess_pro_hostnames.mas }}/upstream/callback/01J0KCK0DNNNDIGITALBOARDKC01
# The trailing path segment is presumably the MAS upstream-provider id and
# has to match the id in the rendered MAS configuration.
# NOTE(review): MAS provider ids are ULIDs — 26 characters of Crockford
# base32, which has no I, L, O or U. The id above is 28 characters and
# contains I, L and O; confirm MAS accepts it before relying on this callback
# URL in Keycloak.
ess_pro_oidc_enabled: false
# Must equal the `iss` value Keycloak publishes at
# <issuer>/.well-known/openid-configuration, byte for byte. It is not derived
# from ess_pro_server_name, so a deployment that overrides the server name
# keeps authenticating against the digitalboard Keycloak unless this is
# overridden too.
ess_pro_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard"
ess_pro_oidc_client_id: "ess-mas"
# Set in group_vars/ess_servers.yml (vault / OpenBao).
ess_pro_oidc_client_secret: ""
# Human-readable provider name (presumably what MAS shows on its login page).
ess_pro_oidc_provider_name: "Digitalboard"
# Scopes requested from Keycloak; keep to what MAS needs for account mapping.
ess_pro_oidc_scopes:
  - "openid"
  - "profile"
  - "email"
# -----------------------------------------------------------------------------
# Media storage (Garage S3)
# -----------------------------------------------------------------------------
# Off by default. When enabled, media uploads go to the bucket below.
ess_pro_s3_media_enabled: false
# Keep this https so signed requests and media are not sent in the clear.
ess_pro_s3_endpoint: "https://s3.digitalboard.ch"
ess_pro_s3_region: "garage"
ess_pro_s3_bucket: "ess-media"
# Use a Garage key that is granted only on this bucket; both values are set in
# group_vars/ess_servers.yml.
ess_pro_s3_access_key: ""
ess_pro_s3_secret_key: ""
# -----------------------------------------------------------------------------
# Matrix RTC Backend / Element Call (LiveKit SFU + lk-jwt-service)
# -----------------------------------------------------------------------------
ess_pro_rtc_enabled: true
# UDP range the SFU uses for media. Unlike the HTTP hosts above this cannot go
# through Traefik; the whole range has to be forwarded from the DMZ public IP
# to the K3s node and opened on the firewall.
ess_pro_rtc_udp_port_range_start: 50000
ess_pro_rtc_udp_port_range_end: 60000
# Public IP that LiveKit advertises in ICE candidates (the DMZ public IP).
# If this stays empty while rtc is enabled, clients will likely be offered
# candidates that are not routable from outside — set it.
ess_pro_rtc_external_ip: ""
# -----------------------------------------------------------------------------
# Initial admin
# -----------------------------------------------------------------------------
# The chart creates @localadmin:<serverName> by default. This is presumably a
# local password account that does not go through Keycloak, i.e. a second
# admin login path that OIDC policies do not cover. How the chart hands out its
# password is not defined in this role; after bootstrapping, rotate that
# password or disable the account — or set this to false and promote an
# OIDC-backed user instead.
ess_pro_create_initial_admin: true
# -----------------------------------------------------------------------------
# Helm CLI install
# -----------------------------------------------------------------------------
# Pinned Helm release installed on the target host.
# NOTE(review): there is no checksum variable here — the install task should
# verify the downloaded tarball against the SHA256 published with the Helm
# release (not visible from these defaults).
ess_pro_helm_version: "v3.16.4"
ess_pro_helm_install_dir: "/usr/local/bin"