digitalboard.core/roles/ess-pro/examples/group_vars-ess_servers.yml
Tobias Wüst 01fd12d75c feat(ess_pro): deploy Element Server Suite Pro via K3s + Helm
Adds k3s and ess_pro roles to replace the planned Nextcloud Talk
stack. Integrates with existing Keycloak (OIDC), Garage (S3 media)
and OpenBao (secrets). Hostnames under digitalboard.ch.
2026-05-27 23:46:37 +02:00


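# SPDX-License-Identifier: MIT-0
---
# inventory/group_vars/ess_servers.yml
# Public configuration for the ESS Pro deployment. All secrets are pulled
# from OpenBao at runtime — same pattern as bookstack/opnform/homarr.
# Nothing in this file is sensitive: the lookups at the bottom are Jinja
# templates that resolve on the controller at play time, so the secret
# values never land in the inventory or in version control.

# ---- Matrix identity ----------------------------------------------------
# The Matrix server_name is the apex domain while Synapse itself answers on
# matrix.<server_name>. NOTE(review): with that split the apex normally has
# to publish /.well-known/matrix/server (or a _matrix SRV record) for
# federation and /.well-known/matrix/client for clients — confirm the role
# or the DMZ Traefik serves them; this file does not.
ess_pro_server_name: "digitalboard.ch"
# Hostnames default to:
#   matrix.digitalboard.ch  (Synapse)
#   mas.digitalboard.ch     (Matrix Authentication Service)
#   chat.digitalboard.ch    (Element Web)
#   admin.digitalboard.ch   (Element Admin Panel)
#   rtc.digitalboard.ch     (Matrix RTC / LiveKit)
# `auth.digitalboard.ch` is intentionally avoided — Keycloak already owns it.

# ---- DMZ Traefik terminates TLS -----------------------------------------
# TLS ends at the DMZ Traefik; what the hop from Traefik into the cluster
# looks like is decided by the role behind this flag. NOTE(review): that
# hop carries Matrix access tokens and OIDC codes — make sure it is on a
# trusted segment or re-encrypted before relying on this setting.
ess_pro_tls_terminate_externally: true

# ---- External Postgres --------------------------------------------------
# Disabled for the first PoC iteration (uses chart-internal Postgres).
# Flip to true, set the host below and uncomment the two DB-password
# lookups at the end of this file before anything production-like.
ess_pro_postgres_external: false
# ess_pro_postgres_host: "postgres.svc.digitalboard.ch"

# ---- Delegated auth via the Digitalboard Keycloak -----------------------
# Issuer is the Keycloak realm URL; MAS discovers the endpoints from it.
# The matching client secret comes from OpenBao (see bottom of file).
ess_pro_oidc_enabled: true
ess_pro_oidc_issuer: "https://auth.digitalboard.ch/realms/Digitalboard"
ess_pro_oidc_client_id: "ess-mas"
ess_pro_oidc_provider_name: "Digitalboard"

# ---- Garage S3 media store ----------------------------------------------
# Bucket credentials come from OpenBao (see bottom of file).
ess_pro_s3_media_enabled: true
ess_pro_s3_endpoint: "https://s3.digitalboard.ch"
ess_pro_s3_bucket: "ess-media"

# ---- Matrix RTC / LiveKit -----------------------------------------------
# Public-facing IP of the DMZ NAT so LiveKit publishes the right ICE
# candidates. Use the same address that the DMZ Traefik lives behind.
# 203.0.113.0/24 is RFC 5737 documentation space: the value below is a
# placeholder and must be replaced per environment or RTC will not work.
ess_pro_rtc_external_ip: "203.0.113.42"  # placeholder — set for your env

# =============================================================================
# Secrets — sourced from OpenBao via community.hashi_vault, same as the
# other digitalboard.core roles.
#
# OpenBao paths (KV v2, mount `kv`):
#
# digitalboard/ess-pro
# ├── username             (Element customer.element.io username)
# ├── token                (Element customer.element.io token)
# ├── client_secret        (Keycloak ess-mas OIDC client secret)
# ├── s3_access_key        (Garage access key for ess-media bucket)
# ├── s3_secret_key        (Garage secret key)
# ├── synapse_db_password  (only if postgres_external: true)
# └── mas_db_password      (only if postgres_external: true)
#
# Bootstrap once. Read the values from files (`key=@path`) or stdin
# (`key=-`) rather than pasting them on the command line, so they do not
# end up in shell history or `ps` output:
#   bao kv put kv/digitalboard/ess-pro \
#     username=@username.txt \
#     token=@token.txt \
#     client_secret=@client_secret.txt \
#     s3_access_key=@s3_access_key.txt s3_secret_key=@s3_secret_key.txt
#
# Least privilege: the token the controller uses for these lookups only
# needs `read` on kv/data/digitalboard/ess-pro — do not grant the whole
# mount. Tasks that consume the variables below should run with
# `no_log: true`, otherwise the resolved values show up in play output.
# =============================================================================
# Mount and path are factored out so another inventory (e.g. staging) can
# point at a different secret location without editing every lookup.
ess_pro_openbao_mount: "kv"
ess_pro_openbao_path: "digitalboard/ess-pro"

ess_pro_registry_username: "{{ lookup('community.hashi_vault.vault_kv2_get',
                                      ess_pro_openbao_path,
                                      mount_point=ess_pro_openbao_mount).data.data.username }}"
ess_pro_registry_token: "{{ lookup('community.hashi_vault.vault_kv2_get',
                                   ess_pro_openbao_path,
                                   mount_point=ess_pro_openbao_mount).data.data.token }}"
ess_pro_oidc_client_secret: "{{ lookup('community.hashi_vault.vault_kv2_get',
                                       ess_pro_openbao_path,
                                       mount_point=ess_pro_openbao_mount).data.data.client_secret }}"
ess_pro_s3_access_key: "{{ lookup('community.hashi_vault.vault_kv2_get',
                                  ess_pro_openbao_path,
                                  mount_point=ess_pro_openbao_mount).data.data.s3_access_key }}"
ess_pro_s3_secret_key: "{{ lookup('community.hashi_vault.vault_kv2_get',
                                  ess_pro_openbao_path,
                                  mount_point=ess_pro_openbao_mount).data.data.s3_secret_key }}"

# Uncomment when ess_pro_postgres_external is true:
# ess_pro_postgres_synapse_password: "{{ lookup('community.hashi_vault.vault_kv2_get',
#                                               ess_pro_openbao_path,
#                                               mount_point=ess_pro_openbao_mount).data.data.synapse_db_password }}"
#
# ess_pro_postgres_mas_password: "{{ lookup('community.hashi_vault.vault_kv2_get',
#                                           ess_pro_openbao_path,
#                                           mount_point=ess_pro_openbao_mount).data.data.mas_db_password }}"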