digitalboard.core/roles/ess_pro_compose/defaults/main.yml

# SPDX-License-Identifier: MIT-0
---
# =============================================================================
# ess_pro_compose role — defaults
# =============================================================================
# Deploys the full ESS Pro stack (matrix-stack chart v26.5.1) as a docker
# compose project, including the Pro federation-reader worker. Same conventions
# as the other digitalboard.core roles. Secrets are sourced from OpenBao.

# -----------------------------------------------------------------------------
# Chart version we're modelling
# -----------------------------------------------------------------------------
ess_chart_version: "26.5.1"

# -----------------------------------------------------------------------------
# Project layout on the target host
# -----------------------------------------------------------------------------
ess_compose_dir: "/opt/ess"
ess_compose_project_name: "ess"

# Where rendered configs and runtime data live (mounted into containers)
ess_compose_conf_dir: "{{ ess_compose_dir }}/conf"        # rendered configs
ess_compose_secrets_dir: "{{ ess_compose_dir }}/secrets"  # generated secrets (0600)
ess_compose_data_dir: "{{ ess_compose_dir }}/data"        # volumes

# -----------------------------------------------------------------------------
# Docker networks
# -----------------------------------------------------------------------------
# Public-facing Traefik network (external, managed by the shared traefik role).
ess_compose_traefik_network: "proxy"
ess_compose_traefik_entrypoint: "websecure"
ess_compose_traefik_certresolver: "letsencrypt"

# Internal network for service-to-service traffic only.
ess_compose_internal_network: "ess_internal"

# -----------------------------------------------------------------------------
# Matrix identity
# -----------------------------------------------------------------------------
# Matrix serverName is the domain part of @user:serverName. Immutable.
ess_server_name: "digitalboard.ch"

# Hostnames. Convention follows the official Element docs (account.*, mrtc.*).
# Override per environment in group_vars if you want different prefixes.
ess_hostnames:
  synapse: "matrix.{{ ess_server_name }}"      # client + federation, fronts HAProxy
  mas: "account.{{ ess_server_name }}"          # Matrix Authentication Service
  element_web: "chat.{{ ess_server_name }}"
  element_admin: "admin.{{ ess_server_name }}"
  matrix_rtc: "mrtc.{{ ess_server_name }}"      # Element Call SFU + auth

# -----------------------------------------------------------------------------
# Image references (Pro images from registry.element.io, chart 26.5.1)
# -----------------------------------------------------------------------------
# Pin to specific tags for production. The chart bundles digests; we use
# version-aligned tags so they're readable. Override individually as needed.
ess_images:
  synapse: "registry.element.io/synapse-onprem:sha-63110a4"
  synapse_pro_worker: "registry.element.io/synapse-pro-worker:0.4.0"
  mas: "registry.element.io/matrix-authentication-service:1.17.0"
  element_web: "registry.element.io/element-web-pro:1.12.18"
  element_admin: "registry.element.io/element-admin:1.5.0"
  haproxy: "registry.element.io/haproxy:3.2-alpine"
  livekit: "registry.element.io/livekit-server-distroless:1.9.1"
  lk_jwt: "registry.element.io/lk-jwt-service:0.3.0"
  postgres: "registry.element.io/postgres:16-alpine"
  postgres_exporter: "registry.element.io/postgres-exporter:0.18.1"
  redis: "registry.element.io/redis-distroless:7.4"
  matrix_tools: "registry.element.io/matrix-tools:0.17.8"

# -----------------------------------------------------------------------------
# Element registry credentials (from customer.element.io)
# -----------------------------------------------------------------------------
ess_registry_url: "registry.element.io"
ess_registry_username: ""   # OpenBao lookup in group_vars
ess_registry_token: ""      # OpenBao lookup in group_vars

# -----------------------------------------------------------------------------
# Federation reader worker
# -----------------------------------------------------------------------------
# The Rust-based Pro worker that handles /state, /state_ids, /event federation
# reads. The chart deploys this with 20 replicas; for compose we run it as
# scaled instances.
ess_synapse_fed_reader_replicas: 1

# -----------------------------------------------------------------------------
# Delegated authentication via the digitalboard IdP
# -----------------------------------------------------------------------------
# Authentik in the demo environment, Keycloak in production. Discover the
# exact issuer with:
#   curl -s <issuer>/.well-known/openid-configuration | jq .issuer
ess_oidc_enabled: false
ess_oidc_issuer: ""
ess_oidc_client_id: "ess-mas"
ess_oidc_client_secret: ""        # OpenBao
ess_oidc_provider_name: "Digitalboard"
ess_oidc_provider_ulid: "01JBADAUTHENTIKDIGITALBOARD01"
ess_oidc_scopes: "openid profile email"

# -----------------------------------------------------------------------------
# Matrix RTC / Element Call (LiveKit SFU)
# -----------------------------------------------------------------------------
# Element's Pro chart fixes RTC to TCP 30001 + UDP 30002 (muxed). Forward
# those on the DMZ firewall to this host.
ess_rtc_tcp_port: 30001
ess_rtc_udp_port: 30002

# Public IP for ICE candidates (the DMZ NAT address). Required.
ess_rtc_external_ip: ""
# LiveKit non-secret key id (the secret comes from the generated bundle).
ess_livekit_key: "matrix-rtc"

# -----------------------------------------------------------------------------
# Registration / federation policy
# -----------------------------------------------------------------------------
ess_enable_registration: false
ess_enable_federation: true       # internet federation; turn off for isolated POCs
ess_admin_contact: "mailto:admin@{{ ess_server_name }}"

# -----------------------------------------------------------------------------
# Initial admin user
# -----------------------------------------------------------------------------
# A localadmin user is created on first deploy via mas-cli. The generated
# password lands in {{ ess_compose_secrets_dir }}/ADMIN_USER_PASSWORD.
ess_admin_localpart: "localadmin"
ess_create_admin_user: true

# -----------------------------------------------------------------------------
# Element Admin / Synapse Admin allow-list
# -----------------------------------------------------------------------------
# Source IPs (CIDR) allowed to hit /_synapse/admin/. Default: everyone. Lock
# this down for production (e.g. just the office network + bastion).
ess_admin_allow_ips:
  - "0.0.0.0/0"
  - "::/0"

# -----------------------------------------------------------------------------
# Resources / sizing (Postgres args)
# -----------------------------------------------------------------------------
# Chart defaults assume a fairly beefy node. Adjust for your VM.
ess_postgres_max_connections: 256
ess_postgres_shared_buffers: "1024MB"
ess_postgres_effective_cache_size: "3840MB"

# -----------------------------------------------------------------------------
# Synapse media store
# -----------------------------------------------------------------------------
ess_synapse_max_upload_size: "100M"
ess_synapse_url_previews_enabled: true