Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into maubot

5 лет назад · 20bf99eef3
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 /inventory/*
 !/inventory/.gitkeep
 !/inventory/host_vars/.gitkeep
 !/inventory/scripts
 /roles/*/files/scratchpad
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,40 @@
 # 2020-04-09

 ## Skype bridging support

 Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Skype](https://www.skype.com) via the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge.

 See our [Setting up MX Puppet Skype bridging](docs/configuring-playbook-bridge-mx-puppet-skype.md) documentation page for getting started.


 # 2020-04-05

 ## Private Jitsi support

 The [Jitsi support](#jitsi-support) we had landed a few weeks ago was working well, but it was always open to the whole world.

 Running such an open instance is not desirable to most people, so [teutat3s](https://github.com/teutat3s) has contributed support for making Jitsi use authentication.

 To make your Jitsi server more private, see the [configure internal Jitsi authentication and guests mode](docs/configuring-playbook-jitsi.md#optional-configure-internal-jitsi-authentication-and-guests-mode) section in our Jitsi documentation.


 # 2020-04-03

 ## (Potential Backward Compatibility Break) ma1sd replaces mxisd

 Thanks to [Marcel Partap](https://github.com/eMPee584)'s efforts, the [mxisd](https://github.com/kamax-io/mxisd) identity server, which has been deprecated for a long time, has finally been replaced by [ma1sd](https://github.com/ma1uta/ma1sd), a compatible fork.

 **If you're using the default playbook configuration**, you don't need to do anything -- your mxisd installation will be replaced with ma1sd and all existing data will be migrated automatically the next time you run the playbook.

 **If you're doing something more special** (defining custom `matrix_mxisd_*` variables), the playbook will ask you to rename them to `matrix_ma1sd_*`.
 You're also encouraged to test that ma1sd works well for such a more custom setup.


 # 2020-03-29

 ## Archlinux support

 Thanks to [Christian](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server.
 Thanks to [Christian Lupus](https://github.com/christianlupus)'s efforts, the playbook now supports installing to an [Archlinux](https://www.archlinux.org/) server.


 # 2020-03-24
--- a/README.md
+++ b/README.md
@@ -20,13 +20,13 @@ Using this playbook, you can get the following services configured on your serve

 - (optional, default) a [Riot](https://riot.im/) web UI, which is configured to connect to your own Synapse server by default

 - (optional, default) an [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server
 - (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server

 - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)

 - (optional, default) an [nginx](http://nginx.org/) web server, listening on ports 80 and 443 - standing in front of all the other services. Using your own webserver [is possible](docs/configuring-playbook-own-webserver.md)

 - (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) REST authentication password provider module
 - (optional, advanced) the [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) REST authentication password provider module

 - (optional, advanced) the [matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) password provider module

@@ -112,7 +112,7 @@ This playbook sets up your server using the following Docker images:

 - [vectorim/riot-web](https://hub.docker.com/r/vectorim/riot-web/) - the [Riot.im](https://about.riot.im/) web client (optional)

 - [kamax/mxisd](https://hub.docker.com/r/kamax/mxisd/) - the [mxisd](https://github.com/kamax-io/mxisd) Matrix Identity server (optional)
 - [ma1uta/ma1sd](https://hub.docker.com/r/ma1uta/ma1sd/) - the [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server (optional)

 - [postgres](https://hub.docker.com/_/postgres/) - the [Postgres](https://www.postgresql.org/) database server (optional)

@@ -144,6 +144,8 @@ This playbook sets up your server using the following Docker images:

 - [turt2live/matrix-appservice-webhooks](https://hub.docker.com/r/turt2live/matrix-appservice-webhooks) - the [Appservice Webhooks](https://github.com/turt2live/matrix-appservice-webhooks) bridge (optional)

 - [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional)

 - [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional)

 - [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional)
--- a/docs/alternative-architectures.md
+++ b/docs/alternative-architectures.md
@@ -0,0 +1,24 @@
 # Alternative architectures
 As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used.

 To that end add the following variable to your `vars.yaml` file:
 ```
 matrix_architecture = <your-matrix-server-architecture>
 ```
 Currently supported architectures are the following:
 - `amd64` (the default)
 - `arm64`
 - `arm32`

 so for the Raspberry Pi the following should be in your `vars.yaml` file:
 ```
 matrix_architecture = "arm32"
 ```

 ## Implementation details
 This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection.

 On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases:
 - matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well,
 - matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well,
 - matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling.
--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@@ -44,7 +44,7 @@ The `jitsi.<your-domain>` subdomain may be necessary, because this playbook coul

 ## `_matrix-identity._tcp` SRV record setup

 To make the [mxisd](https://github.com/kamax-io/mxisd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this:
 To make the [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server (which this playbook installs for you) be authoritative for your domain name, set up one more SRV record that looks like this:
 - Name: `_matrix-identity._tcp` (use this text as-is)
 - Content: `10 0 443 matrix.<your-domain>` (replace `<your-domain>` with your own)

--- a/docs/configuring-playbook-bridge-appservice-discord.md
+++ b/docs/configuring-playbook-bridge-appservice-discord.md
@@ -4,13 +4,15 @@ The playbook can install and configure [matrix-appservice-discord](https://githu

 See the project's [documentation](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/README.md) to learn what it does and why it might be useful to you.

 Setup Instructions:

 loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up)
 ## Setup Instructions

 1. Create a Discord Application [here](https://discordapp.com/developers/applications/me/create).
 2. Retrieve Client ID and Bot token from this Application.
 3. Enable the bridge with the following configuration in your `vars.yml` file:
 Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appservice-discord#setting-up).

 1. Create a Discord Application [here](https://discordapp.com/developers/applications).
 2. Retrieve Client ID.
 3. Create a bot from the Bot tab and retrieve the Bot token.
 4. Enable the bridge with the following configuration in your `vars.yml` file:

 ```yaml
 matrix_appservice_discord_enabled: true
@@ -24,3 +26,25 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
 7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id`

 Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.


 ## Getting Administrator access in a room

 By default, you won't have Administrator access in rooms created by the bridge.

 To [adjust room access privileges](#adjusting-room-access-privileges) or do various other things (change the room name subsequently, etc.), you'd wish to become an Administrator.

 There's the Discord bridge's guide for [setting privileges on bridge managed rooms](https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#set-privileges-on-bridge-managed-rooms). To do the same with our container setup, run the following command on the server:

 ```
 docker exec -it matrix-appservice-discord /bin/sh -c 'cp /build/tools/adminme.js /tmp/adminme.js && cp /cfg/registration.yaml /tmp/discord-registration.yaml && cd /tmp && node /tmp/adminme.js -c /cfg/config.yaml -r "!ROOM_ID:SERVER" -u "@USER:SERVER" -p 100'
 ```


 ## Adjusting room access privileges

 All rooms created by the bridge are **listed publicly** in your server's directory and **joinable by everyone** by default.

 To get more control of them, [make yourself a room Administrator](#getting-administrator-access-in-a-room) first.

 You can then unlist the room from the directory and change the join rules.
--- a/docs/configuring-playbook-bridge-appservice-slack.md
+++ b/docs/configuring-playbook-bridge-appservice-slack.md
@@ -4,7 +4,7 @@ The playbook can install and configure [matrix-appservice-slack](https://github.

 See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you.

 Setup Instructions:
 ## Setup Instructions:

 loosely based on [this](https://github.com/matrix-org/matrix-appservice-slack#Setup)

@@ -29,7 +29,9 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi

 5. Create a new Slack App [here](https://api.slack.com/apps).

    Name the app & select the team/workspace this app will belong to.
    Name the app "matrixbot" (or anything else you'll remember).

    Select the team/workspace this app will belong to.

    Click on bot users and add a new bot user. We will use this account to bridge the the rooms.

@@ -61,9 +63,9 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi

    * Create a Matrix room in the usual manner for your client. Take a note of its Matrix room ID - it will look something like !aBcDeF:example.com.

    * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @slackbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix.
    * Invite the bot user to both the Slack and Matrix channels you would like to bridge using `/invite @matrixbot` for slack and `/invite @slackbot:MY.DOMAIN` for matrix.

    * Determine the "channel ID" that Slack uses to identify the channel, which can be found in the url https://XXX.slack.com/messages/<channel id>/.
    * Determine the "channel ID" that Slack uses to identify the channel. You can see it when you open a given Slack channel in a browser. The URL reads like this: `https://app.slack.com/client/XXX/<the channel id>/details/`.

    * Issue a link command in the administration control room with these collected values as arguments:

@@ -81,3 +83,28 @@ Note that the bot's domain is your server's domain **without the `matrix.` prefi
    ```

 Other configuration options are available via the `matrix_appservice_slack_configuration_extension_yaml` variable.

 10. Unlinking

    Channels can be unlinked again like this:
    ```
       unlink --room !the-matrix:room.id
    ```

    Unlinking doesn't only disconnect the bridge, but also makes the slackbot leave the bridged matrix room. So in case you want to re-link later, don't forget to re-invite the slackbot into this room again.

 ## Troubleshooting

 * as always, check the logs:
 `journalctl -fu matrix-appservice-slack`

 * linking: "Room is now pending-name"
 This typically means that you haven't used the correct slack channel id. Unlink the room and recheck 'Determine the "channel ID"' from above.

 * Messages work from M to S, but not the other way around
 Check you logs, if they say something like

 `WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) <the channel id> <some other id>`

 then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link 
 your room multiple times without unlinking it after each failed attempt.
--- a/docs/configuring-playbook-bridge-mx-puppet-skype.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-skype.md
@@ -0,0 +1,30 @@
 # Setting up MX Puppet Skype (optional)

 The playbook can install and configure
 [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) for you.

 See the project page to learn what it does and why it might be useful to you.

 To enable the [Skype](https://www.skype.com/) bridge just use the following
 playbook configuration:


 ```yaml
 matrix_mx_puppet_skype_enabled: true
 ```


 ## Usage

 Once the bot is enabled you need to start a chat with `Skype Puppet Bridge` with
 the handle `@_skypepuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base
 domain, not the `matrix.` domain).

 Send `link <username> <password>` to the bridge bot to link your skype account.

 Once logged in, send `list` to the bot user to list the available rooms.

 Clicking rooms in the list will result in you receiving an invitation to the
 bridged room.

 Also send `help` to the bot to see the commands available.
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@@ -24,16 +24,69 @@ Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
 ```yaml
 matrix_jitsi_enabled: true

 # We only need this temporarily - until Jitsi integration in riot-web is finalized.
 # Remove this line in the future, to switch back to a stable riot-web version.
 matrix_riot_web_docker_image: "vectorim/riot-web:develop"
 # Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
 # or define your own strong passwords manually.
 matrix_jitsi_jicofo_component_secret: ""
 matrix_jitsi_jicofo_auth_password: ""
 matrix_jitsi_jvb_auth_password: ""
 matrix_jitsi_jibri_recorder_password: ""
 matrix_jitsi_jibri_xmpp_password: ""
 ```


 ## (Optional) configure internal Jitsi authentication and guests mode

 By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.

 If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).

 If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room.

 Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 ```yaml
 matrix_jitsi_enable_auth: true
 matrix_jitsi_enable_guests: true
 ```

 ## Apply changes

 Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`

 ## Required if configuring Jitsi with its internal authentication: register new users

 Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
 Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:

 ```bash
 docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> matrix-jitsi-web <PASSWORD>
 ```

 Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.

 **If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).


 ## Usage

 You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.

 To use it via riot-web, make sure you've installed the `develop` version and fully reloaded your riot-web page (at `riot.DOMAIN`). Starting a video-conference in a room containing more than 2 members should then create a Jitsi widget which utilizes your self-hosted Jitsi server.
 To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.


 ## Troubleshooting

 ### Rebuilding your Jitsi installation

 **If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.

 We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own.

 These files are not all managed by Ansible (at least not yet), so you may sometimes need to delete them all and start fresh.

 To rebuild your Jitsi configuration:

 - SSH into the server and do this:
  - stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
  - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
 - ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
--- a/docs/configuring-playbook-ldap-auth.md
+++ b/docs/configuring-playbook-ldap-auth.md
@@ -28,5 +28,5 @@ If you wish for users to **authenticate only against configured password provide
 matrix_synapse_password_config_localdb_enabled: false
 ```

 ## Using mxisd Identity Server for authentication
 If you wish to use the mxisd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md#authentication).
 ## Using ma1sd Identity Server for authentication
 If you wish to use the ma1sd Identity Server for LDAP authentication instead of [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) consult [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md#authentication).
--- a/docs/configuring-playbook-ma1sd.md
+++ b/docs/configuring-playbook-ma1sd.md
@@ -0,0 +1,86 @@
 # Adjusting ma1sd Identity Server configuration (optional)

 By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd) Identity Server for you.

 This server is private by default, potentially at the expense of user discoverability.

 ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.

 ## Matrix.org lookup forwarding

 To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).

 Enabling this is discouraged and you'd better [learn more](https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups) before proceeding.

 Enabling matrix.org forwarding can happen with the following configuration:

 ```yaml
 matrix_ma1sd_matrixorg_forwarding_enabled: true
 ```


 ## Customizing email templates

 If you'd like to change the default email templates used by ma1sd, take a look at the `matrix_ma1sd_threepid_medium_email_custom_` variables
 (in the `roles/matrix-ma1sd/defaults/main.yml` file.


 ## ma1sd-controlled Registration

 To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) feature of ma1sd, you can make use of the following variables:

 - `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse

 - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering

 - variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality

 - `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.

 ## Authentication

 [Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server:

 ```yaml
 matrix_synapse_ext_password_provider_rest_auth_enabled: true

 # matrix-ma1sd is the hostname of the ma1sd Docker container
 matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"

 matrix_ma1sd_configuration_extension_yaml: |
  ldap:
    enabled: true
    connection:
      host: ldapHostnameOrIp
      tls: false
      port: 389
      baseDNs: ['OU=Users,DC=example,DC=org']
      bindDn: CN=My ma1sd User,OU=Users,DC=example,DC=org
      bindPassword: TheUserPassword
 ```

 ## Additional features

 What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services.

 A few variables can be toggled in this playbook to alter the ma1sd configuration that gets generated.

 Still, ma1sd can do much more.
 You can refer to the [ma1sd website](https://github.com/ma1uta/ma1sd) for more details and configuration options.

 To use a more custom configuration, you can define a `matrix_ma1sd_configuration_extension_yaml` string variable
 and put your configuration in it.
 To learn more about how to do this, refer to the information about `matrix_ma1sd_configuration_extension_yaml` in the [default variables file](../roles/matrix-ma1sd/defaults/main.yml) of the ma1sd component.


 ## Troubleshooting

 If email address validation emails sent by ma1sd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md).

 If you'd like additional logging information, temporarily enable verbose logging for ma1sd.

 Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`):

 ```yaml
 matrix_ma1sd_verbose_logging: true
 ```
--- a/docs/configuring-playbook-mxisd.md
+++ b/docs/configuring-playbook-mxisd.md
@@ -1,85 +0,0 @@
 # Adjusting mxisd Identity Server configuration (optional)

 By default, this playbook configures an [mxisd](https://github.com/kamax-io/mxisd) Identity Server for you.

 This server is private by default, potentially at the expense of user discoverability.


 ## Matrix.org lookup forwarding

 To ensure maximum discovery, you can make your identity server also forward lookups to the central matrix.org Identity server (at the cost of potentially leaking all your contacts information).

 Enabling this is discouraged and you'd better [learn more](https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups) before proceeding.

 Enabling matrix.org forwarding can happen with the following configuration:

 ```yaml
 matrix_mxisd_matrixorg_forwarding_enabled: true
 ```


 ## Customizing email templates

 If you'd like to change the default email templates used by mxisd, take a look at the `matrix_mxisd_threepid_medium_email_custom_` variables
 (in the `roles/matrix-mxisd/defaults/main.yml` file.


 ## mxisd-controlled Registration

 To use the [Registration](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) feature of mxisd, you can make use of the following variables:

 - `matrix_synapse_enable_registration` - to enable user-initiated registration in Synapse

 - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering

 - variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to mxisd (instead of Synapse), so it can apply its additional functionality

 - `matrix_mxisd_configuration_extension_yaml` - to configure mxisd as required. See the [Registration feature's docs](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_mxisd_configuration_extension_yaml`.

 ## Authentication

 [Authentication](https://github.com/kamax-matrix/mxisd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server:

 ```yaml
 matrix_synapse_ext_password_provider_rest_auth_enabled: true

 # matrix-mxisd is the hostname of the mxisd Docker container
 matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090"

 matrix_mxisd_configuration_extension_yaml: |
  ldap:
    enabled: true
    connection:
      host: ldapHostnameOrIp
      tls: false
      port: 389
      baseDNs: ['OU=Users,DC=example,DC=org']
      bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
      bindPassword: TheUserPassword
 ```

 ## Additional features

 What this playbook configures for your is some bare minimum Identity Server functionality, so that you won't need to rely on external 3rd party services.

 A few variables can be toggled in this playbook to alter the mxisd configuration that gets generated.

 Still, mxisd can do much more.
 You can refer to the [mxisd website](https://github.com/kamax-io/mxisd) for more details and configuration options.

 To use a more custom configuration, you can define a `matrix_mxisd_configuration_extension_yaml` string variable
 and put your configuration in it.
 To learn more about how to do this, refer to the information about `matrix_mxisd_configuration_extension_yaml` in the [default variables file](../roles/matrix-mxisd/defaults/main.yml) of the mxisd component.


 ## Troubleshooting

 If email address validation emails sent by mxisd are not reaching you, you should look into [Adjusting email-sending settings](configuring-playbook-email.md).

 If you'd like additional logging information, temporarily enable verbose logging for mxisd.

 Example configuration (`inventory/host_vars/matrix.DOMAIN/vars.yml`):

 ```yaml
 matrix_mxisd_verbose_logging: true
 ```
--- a/docs/configuring-playbook-rest-auth.md
+++ b/docs/configuring-playbook-rest-auth.md
@@ -1,6 +1,6 @@
 # Setting up the REST authentication password provider module (optional, advanced)

 The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/kamax-io/matrix-synapse-rest-auth) for you.
 The playbook can install and configure [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) for you.

 See that project's documentation to learn what it does and why it might be useful to you.

@@ -8,7 +8,7 @@ If you decide that you'd like to let this playbook install it for you, you need

 ```yaml
 matrix_synapse_ext_password_provider_rest_auth_enabled: true
 matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-mxisd:8090"
 matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
 matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
 matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -44,7 +44,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional)

 - [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) (optional)
 - [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) (optional)

 - [Adjusting SSL certificate retrieval](configuring-playbook-ssl-certificates.md) (optional, advanced)

@@ -97,4 +97,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Setting up Appservice Webhooks bridging](configuring-playbook-bridge-appservice-webhooks.md) (optional)

 - [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional)

 - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
--- a/docs/configuring-well-known.md
+++ b/docs/configuring-well-known.md
@@ -107,7 +107,9 @@ server {
 **For Caddy**, it would be something like this:

 ```caddy
 proxy /.well-known/matrix https://matrix.DOMAIN
 reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
 	header_up Host {http.reverse_proxy.upstream.hostport}
 }
 ```

 **For HAProxy**, it would be something like this:
--- a/docs/maintenance-and-troubleshooting.md
+++ b/docs/maintenance-and-troubleshooting.md
@@ -38,6 +38,6 @@ Re-run the playbook after making these configuration changes.

 See the dedicated [PostgreSQL Maintenance](maintenance-postgres.md) documentation page.

 ## Mxisd
 ## Ma1sd

 See the dedicated [Adjusting mxisd Identity Server configuration](configuring-playbook-mxisd.md) documentation page.
 See the dedicated [Adjusting ma1sd Identity Server configuration](configuring-playbook-ma1sd.md) documentation page.
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@@ -1,6 +1,6 @@
 # Prerequisites

 - An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
 - An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+), **Ubuntu** (16.04+), or **Archlinux**. This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.

 - `root` access to your server (or a user capable of elevating to `root` via `sudo`).

@@ -16,6 +16,6 @@

 - properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md))

 - some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP).
 - some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP)

 When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
--- a/docs/self-building.md
+++ b/docs/self-building.md
@@ -1,19 +1,22 @@
 # Self-building

 The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd).
 **Caution: self-building does not have to be used on its own. See the [Alternative Architectures](alternative-architectures.md) page.**

 The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for ma1sd).

 To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file:
 ```yaml
 matrix_container_images_self_build = true
 matrix_container_images_self_build: true
 ```
 Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well.

 List of roles where self-building the docker image is currently possible:
 - synapse
 - riot-web
 - coturn
 - mxisd
 - matrix-bridge-mautrix-facebook
 - matrix-bridge-mautrix-hangouts
 List of roles where self-building the Docker image is currently possible:
 - `matrix-synapse`
 - `matrix-riot-web`
 - `matrix-coturn`
 - `matrix-ma1sd`
 - `matrix-mautrix-facebook`
 - `matrix-mautrix-hangouts`
 - `matrix-mx-puppet-skype`

 Adding self-building support to other roles is welcome. Feel free to contribute!
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -18,12 +18,28 @@

 matrix_identity_server_url: "{{ 'https://' + matrix_synapse_trusted_third_party_id_servers[0] if matrix_synapse_trusted_third_party_id_servers|length > 0 else None }}"

 matrix_riot_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"

 ######################################################################
 #
 # /matrix-base
 #
 ######################################################################

 ######################################################################
 #
 # matrix-architecture
 #
 ######################################################################

 matrix_architecture: "amd64"

 ######################################################################
 #
 # /matrix-architecture
 #
 ######################################################################


 ######################################################################
 #
@@ -172,7 +188,7 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key |
 # We don't enable bridges by default.
 matrix_mautrix_facebook_enabled: false

 matrix_mautrix_facebook_container_image_self_build: "{{ matrix_container_images_self_build }}"
 matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"

 matrix_mautrix_facebook_systemd_required_services_list: |
  {{
@@ -203,7 +219,7 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 # We don't enable bridges by default.
 matrix_mautrix_hangouts_enabled: false

 matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_container_images_self_build }}"
 matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"

 matrix_mautrix_hangouts_systemd_required_services_list: |
  {{
@@ -290,6 +306,37 @@ matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 ######################################################################


 ######################################################################
 #
 # matrix-bridge-mx-puppet-skype
 #
 ######################################################################

 # We don't enable bridges by default.
 matrix_mx_puppet_skype_enabled: false

 matrix_mx_puppet_skype_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

 matrix_mx_puppet_skype_systemd_required_services_list: |
  {{
    ['docker.service']
    +
    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
  }}

 matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"

 matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"

 matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 ######################################################################
 #
 # /matrix-bridge-mx-puppet-skype
 #
 ######################################################################


 ######################################################################
 #
 # matrix-corporal
@@ -333,7 +380,7 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati

 matrix_coturn_enabled: true

 matrix_coturn_container_image_self_build: "{{ matrix_container_images_self_build }}"
 matrix_coturn_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"

@@ -412,11 +459,11 @@ matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | passwor
 matrix_jitsi_web_stun_servers: |
  {{
    [
      matrix_server_fqn_matrix + ':5349',
      matrix_server_fqn_matrix + ':3478',
      'stun:' + matrix_server_fqn_matrix + ':5349',
      'stun:' + matrix_server_fqn_matrix + ':3478',
    ]
    if matrix_coturn_enabled
    else [ 'stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
    else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
  }}

 ######################################################################
@@ -435,7 +482,7 @@ matrix_jitsi_web_stun_servers: |

 # By default, this playbook sets up a postfix mailer server (running in a container).
 # This is so that Synapse can send email reminders for unread messages.
 # Other services (like mxisd), also use the mailer.
 # Other services (like ma1sd), also use the mailer.
 matrix_mailer_enabled: true

 ######################################################################
@@ -448,41 +495,41 @@ matrix_mailer_enabled: true

 ######################################################################
 #
 # matrix-mxisd
 # matrix-ma1sd
 #
 ######################################################################

 # By default, this playbook installs the mxisd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`).
 # By default, this playbook installs the ma1sd identity server on the same domain as Synapse (`matrix_server_fqn_matrix`).
 # If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
 matrix_mxisd_enabled: true
 matrix_ma1sd_enabled: true

 matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}"
 matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
 # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # mxisd's web-server port.
 matrix_mxisd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}"
 # ma1sd's web-server port.
 matrix_ma1sd_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8090' }}"

 # We enable Synapse integration via its Postgres database by default.
 # When using another Identity store, you might wish to disable this and define
 # your own configuration in `matrix_mxisd_configuration_extension_yaml`.
 matrix_mxisd_synapsesql_enabled: true
 matrix_mxisd_synapsesql_type: postgresql
 matrix_mxisd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }}
 # your own configuration in `matrix_ma1sd_configuration_extension_yaml`.
 matrix_ma1sd_synapsesql_enabled: true
 matrix_ma1sd_synapsesql_type: postgresql
 matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matrix_synapse_database_database }}?user={{ matrix_synapse_database_user | urlencode() }}&password={{ matrix_synapse_database_password | urlencode() }}

 matrix_mxisd_dns_overwrite_enabled: true
 matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 matrix_mxisd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"
 matrix_ma1sd_dns_overwrite_enabled: true
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-synapse:8008' }}"

 # By default, we send mail through the `matrix-mailer` service.
 matrix_mxisd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
 matrix_mxisd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
 matrix_mxisd_threepid_medium_email_connectors_smtp_port: 8025
 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 0
 matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
 matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
 matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0

 matrix_mxisd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"
 matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else false }}"

 matrix_mxisd_systemd_wanted_services_list: |
 matrix_ma1sd_systemd_wanted_services_list: |
  {{
    (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service'])
    +
@@ -493,7 +540,7 @@ matrix_mxisd_systemd_wanted_services_list: |

 ######################################################################
 #
 # /matrix-mxisd
 # /matrix-ma1sd
 #
 ######################################################################

@@ -523,8 +570,8 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_mxisd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"

 # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
@@ -536,7 +583,7 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"

 matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_mxisd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"

@@ -548,7 +595,7 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
    +
    (['matrix-corporal.service'] if matrix_corporal_enabled else [])
    +
    (['matrix-mxisd.service'] if matrix_mxisd_enabled else [])
    (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
    +
    (['matrix-riot-web.service'] if matrix_riot_web_enabled else [])
  }}
@@ -566,6 +613,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
  }}

 matrix_ssl_architecture: "{{ matrix_architecture }}"

 ######################################################################
 #
 # /matrix-nginx-proxy
@@ -605,7 +654,7 @@ matrix_postgres_db_name: "homeserver"
 # If you wish to connect to your Matrix server by other means, you may wish to disable this.
 matrix_riot_web_enabled: true

 matrix_riot_web_container_image_self_build: "{{ matrix_container_images_self_build }}"
 matrix_riot_web_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
@@ -650,10 +699,15 @@ matrix_riot_web_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jit
 #
 ######################################################################

 matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}"
 matrix_synapse_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

 # When ma1sd is enabled, we can use it instead of the default public Identity servers.
 matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_ma1sd_enabled else matrix_synapse_id_servers_public }}"

 # When mxisd is enabled, we can use it instead of the default public Identity servers.
 matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
 # When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
 # Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
 matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"
 matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:8090' if matrix_ma1sd_enabled else '' }}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it,
--- a/inventory/scripts/jitsi-generate-passwords.sh
+++ b/inventory/scripts/jitsi-generate-passwords.sh
@@ -0,0 +1,26 @@
 #!/usr/bin/env bash
 # This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
 # https://github.com/spantaleev/matrix-docker-ansible-deploy

 function generatePassword() {
    openssl rand -hex 16
 }

 echo "# If this script fails, it's likely because you don't have the openssl tool installed."
 echo "# Install it before using this script, or simply create your own passwords manually."

 echo ""

 JICOFO_COMPONENT_SECRET=$(generatePassword)
 JICOFO_AUTH_PASSWORD=$(generatePassword)
 JVB_AUTH_PASSWORD=$(generatePassword)
 JIBRI_RECORDER_PASSWORD=$(generatePassword)
 JIBRI_XMPP_PASSWORD=$(generatePassword)

 echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:"
 echo ""
 echo "matrix_jitsi_jicofo_component_secret: "$JICOFO_COMPONENT_SECRET
 echo "matrix_jitsi_jicofo_auth_password: "$JICOFO_AUTH_PASSWORD
 echo "matrix_jitsi_jvb_auth_password: "$JVB_AUTH_PASSWORD
 echo "matrix_jitsi_jibri_recorder_password: "$JIBRI_RECORDER_PASSWORD
 echo "matrix_jitsi_jibri_xmpp_password: "$JIBRI_XMPP_PASSWORD
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -33,6 +33,9 @@ matrix_systemd_path: "/etc/systemd/system"
 matrix_cron_path: "/etc/cron.d"
 matrix_local_bin_path: "/usr/local/bin"

 matrix_ntpd_package: "ntp"
 matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"

 matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

 matrix_identity_server_url: ~
@@ -40,6 +43,11 @@ matrix_identity_server_url: ~
 matrix_integration_manager_rest_url: ~
 matrix_integration_manager_ui_url: ~

 # The domain name where a Jitsi server is self-hosted.
 # If set, `/.well-known/matrix/client` will suggest Riot clients to use that Jitsi server.
 # See: https://github.com/vector-im/riot-web/blob/develop/docs/jitsi.md#configuring-riot-to-use-your-self-hosted-jitsi-server
 matrix_riot_jitsi_preferredDomain: ''

 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"

--- a/roles/matrix-base/tasks/main.yml
+++ b/roles/matrix-base/tasks/main.yml
@@ -21,7 +21,7 @@
  when: run_setup|bool
  tags:
    - setup-all
    - setup-mxisd
    - setup-ma1sd
    - setup-synapse
    - setup-nginx-proxy

--- a/roles/matrix-base/tasks/self_check_dns.yml
+++ b/roles/matrix-base/tasks/self_check_dns.yml
@@ -5,16 +5,16 @@

 - block:
    - set_fact:
        dns_srv_record_check_mxisd:
        dns_srv_record_check_ma1sd:
          service_and_protocol: "_matrix-identity._tcp"
          domain: "{{ (matrix_domain + '.') }}"
          expected_target: "{{ (matrix_server_fqn_matrix + '.') }}"
          expected_port: 443

    - name: Determine domains that we require certificates for (mxisd)
    - name: Determine domains that we require certificates for (ma1sd)
      set_fact:
        dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_mxisd] }}"
  when: matrix_mxisd_enabled|bool
        dns_srv_record_checks: "{{ dns_srv_record_checks + [dns_srv_record_check_ma1sd] }}"
  when: matrix_ma1sd_enabled|bool

 - name: Perform DNS SRV checks
  include_tasks: "{{ role_path }}/tasks/self_check_dns_srv.yml"
--- a/roles/matrix-base/tasks/server_base/setup.yml
+++ b/roles/matrix-base/tasks/server_base/setup.yml
@@ -18,8 +18,8 @@
    state: started
    enabled: yes

 - name: Ensure ntpd is started and autoruns
 - name: "Ensure {{ matrix_ntpd_service }} is started and autoruns"
  service:
    name: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"
    name: "{{ matrix_ntpd_service }}"
    state: started
    enabled: yes
--- a/roles/matrix-base/tasks/server_base/setup_archlinux.yml
+++ b/roles/matrix-base/tasks/server_base/setup_archlinux.yml
@@ -3,9 +3,8 @@
 - name: Install host dependencies
  pacman:
    name:
      - bash-completion
      - python-docker
      - ntp
      - "{{ matrix_ntpd_package }}"
      # TODO This needs to be verified. Which version do we need?
      - fuse3
      - python-dnspython
--- a/roles/matrix-base/tasks/server_base/setup_centos.yml
+++ b/roles/matrix-base/tasks/server_base/setup_centos.yml
@@ -20,9 +20,7 @@
 - name: Ensure yum packages are installed
  yum:
    name:
      - bash-completion
      - docker-python
      - ntp
      - "{{ matrix_ntpd_package }}"
      - fuse
    state: latest
    update_cache: yes
@@ -31,5 +29,6 @@
  yum:
    name:
      - "{{ matrix_docker_package_name }}"
      - docker-python
    state: latest
  when: matrix_docker_installation_enabled|bool
--- a/roles/matrix-base/tasks/server_base/setup_debian.yml
+++ b/roles/matrix-base/tasks/server_base/setup_debian.yml
@@ -27,9 +27,7 @@
 - name: Ensure APT packages are installed
  apt:
    name:
      - bash-completion
      - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
      - ntp
      - "{{ matrix_ntpd_package }}"
      - fuse
    state: latest
    update_cache: yes
@@ -38,5 +36,6 @@
  apt:
    name:
      - "{{ matrix_docker_package_name }}"
      - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
    state: latest
  when: matrix_docker_installation_enabled|bool
--- a/roles/matrix-base/tasks/server_base/setup_raspbian.yml
+++ b/roles/matrix-base/tasks/server_base/setup_raspbian.yml
@@ -27,9 +27,8 @@
 - name: Ensure APT packages are installed
  apt:
    name:
      - bash-completion
      - python-docker
      - ntp
      - "{{ matrix_ntpd_package }}"
      - fuse
    state: latest
    update_cache: yes
--- a/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-client.j2
@@ -18,4 +18,9 @@
 		]
 	}
 	{% endif %}
 	{% if matrix_riot_jitsi_preferredDomain %},
 	"im.vector.riot.jitsi": {
 		"preferredDomain": {{ matrix_riot_jitsi_preferredDomain|to_json }}
 	}
 	{% endif %}
 }
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -141,6 +141,17 @@ matrix_mautrix_facebook_configuration_yaml: |
      presence: true
      # Whether or not to update avatars when syncing all contacts at startup.
      update_avatar_initial_sync: true
      # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
      # and login_shared_secret to be configured in order to get a device for the bridge bot.
      #
      # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
      # application service.
      encryption:
          # Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false

      # Permissions for using the bridge.
      # Permitted values:
--- a/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@@ -36,17 +36,19 @@
    dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
 #    version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
    force: "yes"
  register: matrix_mautrix_facebook_git_pull_results
  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"

 - name: Ensure Mautrix Facebook Docker image is built
  docker_image:
    name: "{{ matrix_mautrix_facebook_docker_image }}"
    source: build
    force_source: yes
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
      pull: yes
  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"
  when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build and matrix_mautrix_facebook_git_pull_results.changed"

 - name: Check if an old database file already exists
  stat:
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@@ -124,6 +124,17 @@ matrix_mautrix_hangouts_configuration_yaml: |
      login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }}
      # Whether or not to update avatars when syncing all contacts at startup.
      update_avatar_initial_sync: true
      # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
      # and login_shared_secret to be configured in order to get a device for the bridge bot.
      #
      # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
      # application service.
      encryption:
          # Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false

      # Public website and API configs
      web:
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
@@ -35,17 +35,19 @@
    repo: https://github.com/tulir/mautrix-hangouts.git
    dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
    force: "yes"
  register: matrix_mautrix_hangouts_git_pull_results
  when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"

 - name: Ensure Mautrix Hangouts Docker image is built
  docker_image:
    name: "{{ matrix_mautrix_hangouts_docker_image }}"
    source: build
    force_source: yes
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
      pull: yes
  when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"
  when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build and matrix_mautrix_hangouts_git_pull_results.changed"

 - name: Check if an old database file already exists
  stat:
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -227,6 +227,18 @@ matrix_mautrix_telegram_configuration_yaml: |
              height: 256
              background: "020202"  # only for gif
              fps: 30               # only for webm
      # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
      # and login_shared_secret to be configured in order to get a device for the bridge bot.
      #
      # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
      # application service.
      encryption:
          # Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false

      # Overrides for base power levels.
      initial_power_level_overrides:
          user: {}
--- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
@@ -0,0 +1,209 @@
 # Mx Puppet Skype is a Matrix <-> Skype bridge
 # See: https://github.com/Sorunome/mx-puppet-skype

 matrix_mx_puppet_skype_enabled: true

 matrix_mx_puppet_skype_container_image_self_build: false

 matrix_mx_puppet_skype_docker_image: "sorunome/mx-puppet-skype:latest"
 matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}"

 matrix_mx_puppet_skype_base_path: "{{ matrix_base_data_path }}/mx-puppet-skype"
 matrix_mx_puppet_skype_config_path: "{{ matrix_mx_puppet_skype_base_path }}/config"
 matrix_mx_puppet_skype_data_path: "{{ matrix_mx_puppet_skype_base_path }}/data"
 matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_path }}/docker-src"

 matrix_mx_puppet_skype_appservice_port: "8438"

 matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008'
 matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}'
 matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}'

 # A list of extra arguments to pass to the container
 matrix_mx_puppet_skype_container_extra_arguments: []

 # List of systemd services that matrix-puppet-skype.service depends on.
 matrix_mx_puppet_skype_systemd_required_services_list: ['docker.service']

 # List of systemd services that matrix-puppet-skype.service wants
 matrix_mx_puppet_skype_systemd_wanted_services_list: []

 matrix_mx_puppet_skype_appservice_token: ''
 matrix_mx_puppet_skype_homeserver_token: ''

 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_skype_login_shared_secret: ''

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_skype_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mx_puppet_skype_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  bridge:
    # Address for the bridge to bind to; if running as a Docker container, you
    # probably want 0.0.0.0 here
    bindAddress: 0.0.0.0
    # Port to host the bridge on which your homeserver will connect to
    port: {{ matrix_mx_puppet_skype_appservice_port }}
    # Name of your homeserver
    domain: {{ matrix_mx_puppet_skype_homeserver_domain }}
    # URL where the bridge can connect to your homeserver
    homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }}
    # Optionally specify a different media URL used for the media store
    mediaURL: https://{{ matrix_server_fqn_matrix }}
    # This enabled automatic double-puppeting:
    # A map for shared secrets of the homeserver URL to the shared secret
    # See https://github.com/devture/matrix-synapse-shared-secret-auth
    #loginSharedSecretMap:
    #  yourserver.com: supersecretsharedsecret
    {% if matrix_mx_puppet_skype_login_shared_secret != '' %}
    loginSharedSecretMap:
      {{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }}
    {% endif %}
    # optionally override the display name of the bridge bot
    #displayname: Protocol Bot
    # optionally set the avatar of the bridge bot
    #avatarUrl: mxc://yourserver.com/somefile

  logging:
    # Log level of console output
    # Allowed values starting with most verbose:
    # silly, debug, verbose, info, warn, error
    console: info
    # Optionally, you can apply filters to the console logging
    #console:
    #  level: info
    #  enabled:
    #    - Store
    #  disabled:
    #    - PresenceHandler

    # Date and time formatting
    lineDateFormat: MMM-D HH:mm:ss.SSS
    # Logging files
    # Log files are rotated daily by default
    files:
      # Log file path
      - file: "/data/bridge.log"
        # Log level for this file
        # Allowed values starting with most verbose:
        # silly, debug, verbose, info, warn, error
        level: info
        # Date and time formatting
        datePattern: YYYY-MM-DD
        # Maximum number of logs to keep.
        # This can be a number of files or number of days.
        # If using days, add 'd' as a suffix
        maxFiles: 14d
        # Maximum size of the file after which it will rotate. This can be a
        # number of bytes, or units of kb, mb, and gb. If using the units, add
        # 'k', 'm', or 'g' as the suffix
        maxSize: 50m
        # Optionally enable/disable logging for certain modules
        #disabled:
        #  - PresenceHandler
        #  - module: bot-sdk-MatrixLiteClient
        #    regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log
        #enabled:
        #  - Store

  database:
    # Use Postgres as a database backend
    # If set, will be used instead of SQLite3
    # Connection string to connect to the Postgres instance
    # with username "user", password "pass", host "localhost" and database name "dbname".
    # Modify each value as necessary
    #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
    # Use SQLite3 as a database backend
    # The name of the database file
    filename: /data/database.db

  provisioning:
    # Regex of Matrix IDs allowed to use the puppet bridge
    whitelist:
      # Allow a specific user
      #- "@user:server\\.com"
      # Allow users on a specific homeserver
      - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}'
      # Allow anyone
      #- ".*"
    # Regex of Matrix IDs forbidden from using the puppet bridge
    #blacklist:
      # Disallow a specific user
      #- "@user:server\\.com"
      # Disallow users on a specific homeserver
      #- "@.*:yourserver\\.com"

  presence:
    # Bridge online/offline status
    enabled: true
    # How often to send status to the homeserver in milliseconds
    interval: 500
    # if the im.vector.user_status state setting should be diabled
    #disableStatusState: false
    # A blacklist of remote user IDs for the im.vector.user_status state setting
    #statusStateBlacklist:
    # - baduser

  relay:
    # Regex of Matrix IDs to allow to use the relay mode
    # Same format as in provisioning
    whitelist:
      - '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}'
    #blacklist:
      #- "@user:yourserver\\.com"

  # Map certain homeserver URLs to the C-S API endpoint
  # Useful for double-puppeting if .well-known is unavailable for some reason
  #homeserverUrlMap:
  #  yourserver.com: http://localhost:1234

  namePatterns:
    # Override the protocols set default name patterns
    # Which variables are available depends on protocol implementation
    user: :name
    room: :name

  limits:
    # Up to how many users should be auto-joined on room creation? -1 to disable
    # Defaults to 200
    maxAutojoinUsers: 200
    # How long the delay between two autojoin users should be, in millisectonds.
    # Defaults to 5000
    roomUserAutojoinDelay: 5000

 matrix_mx_puppet_skype_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
  # This configuration extends the default starting configuration (`matrix_mx_puppet_skype_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_mx_puppet_skype_configuration_yaml`.

 matrix_mx_puppet_skype_configuration_extension: "{{ matrix_mx_puppet_skype_configuration_extension_yaml|from_yaml if matrix_mx_puppet_skype_configuration_extension_yaml|from_yaml is mapping else {} }}"

 # Holds the final configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_skype_configuration_yaml`.
 matrix_mx_puppet_skype_configuration: "{{ matrix_mx_puppet_skype_configuration_yaml|from_yaml|combine(matrix_mx_puppet_skype_configuration_extension, recursive=True) }}"

 matrix_mx_puppet_skype_registration_yaml: |
  as_token: "{{ matrix_mx_puppet_skype_appservice_token }}"
  hs_token: "{{ matrix_mx_puppet_skype_homeserver_token }}"
  id: skype-puppet
  namespaces:
    users:
      - exclusive: true
        regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}'
    rooms: []
    aliases:
      - exclusive: true
        regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}'
  protocols: []
  rate_limited: false
  sender_localpart: _skypepuppet_bot
  url: {{ matrix_mx_puppet_skype_appservice_address }}

 matrix_mx_puppet_skype_registration: "{{ matrix_mx_puppet_skype_registration_yaml|from_yaml }}"
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
@@ -0,0 +1,23 @@
 - set_fact:
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}"
  when: matrix_mx_puppet_skype_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
 - set_fact:
    matrix_synapse_container_extra_arguments: >
      {{ matrix_synapse_container_extra_arguments|default([]) }}
      +
      ["--mount type=bind,src={{ matrix_mx_puppet_skype_config_path }}/registration.yaml,dst=/matrix-mx-puppet-skype-registration.yaml,ro"]

    matrix_synapse_app_service_config_files: >
      {{ matrix_synapse_app_service_config_files|default([]) }}
      +
      {{ ["/matrix-mx-puppet-skype-registration.yaml"] }}
  when: matrix_mx_puppet_skype_enabled|bool

 # ansible lower than 2.8, does not support docker_image build parameters
 # for self buildig it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
  fail:
    msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build"
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/main.yml
@@ -0,0 +1,21 @@
 - import_tasks: "{{ role_path }}/tasks/init.yml"
  tags:
    - always

 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
  when: "run_setup|bool and matrix_mx_puppet_skype_enabled|bool"
  tags:
    - setup-all
    - setup-mx-puppet-skype

 - import_tasks: "{{ role_path }}/tasks/setup_install.yml"
  when: "run_setup|bool and matrix_mx_puppet_skype_enabled|bool"
  tags:
    - setup-all
    - setup-mx-puppet-skype

 - import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  when: "run_setup|bool and not matrix_mx_puppet_skype_enabled|bool"
  tags:
    - setup-all
    - setup-mx-puppet-skype
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
@@ -0,0 +1,94 @@
 ---

 # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
 # We don't want to fail in such cases.
 - name: Fail if matrix-synapse role already executed
  fail:
    msg: >-
      The matrix-bridge-mx-puppet-skype role needs to execute before the matrix-synapse role.
  when: "matrix_synapse_role_executed|default(False)"

 - name: Ensure MX Puppet Skype image is pulled
  docker_image:
    name: "{{ matrix_mx_puppet_skype_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}"
  when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build

 - name: Ensure MX Puppet Skype paths exist
  file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true }
    - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true }
    - { path: "{{ matrix_mx_puppet_skype_data_path }}", when: true }
    - { path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}", when: "{{ matrix_mx_puppet_skype_container_image_self_build }}" }
  when: matrix_mx_puppet_skype_enabled|bool and item.when|bool

 - name: Ensure MX Puppet Skype repository is present on self build
  git:
    repo: https://github.com/Sorunome/mx-puppet-skype.git
    dest: "{{ matrix_mx_puppet_skype_docker_src_files_path }}"
    force: "yes"
  register: matrix_mx_puppet_skype_git_pull_results
  when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build"

 - name: Ensure MX Puppet Skype Docker image is built
  docker_image:
    name: "{{ matrix_mx_puppet_skype_docker_image }}"
    source: build
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}"
      pull: yes
  when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build and matrix_mx_puppet_skype_git_pull_results.changed"

 - name: Check if an old database file already exists
  stat:
    path: "{{ matrix_mx_puppet_skype_base_path }}/database.db"
  register: matrix_mx_puppet_skype_stat_database

 - name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped
  service:
    name: matrix-mx-puppet-skype
    state: stopped
    daemon_reload: yes
  failed_when: false
  when: "matrix_mx_puppet_skype_stat_database.stat.exists"

 - name: (Data relocation) Move mx-puppet-skype database file to ./data directory
  command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db"
  when: "matrix_mx_puppet_skype_stat_database.stat.exists"

 - name: Ensure mx-puppet-skype config.yaml installed
  copy:
    content: "{{ matrix_mx_puppet_skype_configuration|to_nice_yaml }}"
    dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"

 - name: Ensure mx-puppet-skype skype-registration.yaml installed
  copy:
    content: "{{ matrix_mx_puppet_skype_registration|to_nice_yaml }}"
    dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"

 - name: Ensure matrix-mx-puppet-skype.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-skype.service.j2"
    dest: "/etc/systemd/system/matrix-mx-puppet-skype.service"
    mode: 0644
  register: matrix_mx_puppet_skype_systemd_service_result

 - name: Ensure systemd reloaded after matrix-mx-puppet-skype.service installation
  service:
    daemon_reload: yes
  when: "matrix_mx_puppet_skype_systemd_service_result.changed"
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/setup_uninstall.yml
@@ -0,0 +1,24 @@
 ---

 - name: Check existence of matrix-mx-puppet-skype service
  stat:
    path: "/etc/systemd/system/matrix-mx-puppet-skype.service"
  register: matrix_mx_puppet_skype_service_stat

 - name: Ensure matrix-mx-puppet-skype is stopped
  service:
    name: matrix-mx-puppet-skype
    state: stopped
    daemon_reload: yes
  when: "matrix_mx_puppet_skype_service_stat.stat.exists"

 - name: Ensure matrix-mx-puppet-skype.service doesn't exist
  file:
    path: "/etc/systemd/system/matrix-mx-puppet-skype.service"
    state: absent
  when: "matrix_mx_puppet_skype_service_stat.stat.exists"

 - name: Ensure systemd reloaded after matrix-mx-puppet-skype.service removal
  service:
    daemon_reload: yes
  when: "matrix_mx_puppet_skype_service_stat.stat.exists"
--- a/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/validate_config.yml
@@ -0,0 +1,10 @@
 ---

 - name: Fail if required settings not defined
  fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  with_items:
    - "matrix_mx_puppet_skype_appservice_token"
    - "matrix_mx_puppet_skype_homeserver_token"
--- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
@@ -0,0 +1,41 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Mx Puppet Skype server
 {% for service in matrix_mx_puppet_skype_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_mx_puppet_skype_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-skype
 ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-skype

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-e CONFIG_PATH=/config/config.yaml \
 			-e REGISTRATION_PATH=/config/registration.yaml \
 			-v {{ matrix_mx_puppet_skype_config_path }}:/config:z \
 			-v {{ matrix_mx_puppet_skype_data_path }}:/data:z \
 			{% for arg in matrix_mx_puppet_skype_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mx_puppet_skype_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-mx-puppet-skype
 ExecStop=-/usr/bin/docker rm matrix-mx-puppet-skype
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mx-puppet-skype

 [Install]
 WantedBy=multi-user.target
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

 matrix_corporal_docker_image: "devture/matrix-corporal:1.8.0"
 matrix_corporal_docker_image: "devture/matrix-corporal:1.9.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"

 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@@ -23,12 +23,12 @@ matrix_jitsi_recorder_domain: recorder.meet.jitsi
 matrix_jitsi_jibri_brewery_muc: jibribrewery
 matrix_jitsi_jibri_pending_timeout: 90
 matrix_jitsi_jibri_xmpp_user: jibri
 matrix_jitsi_jibri_xmpp_password: jibri-password
 matrix_jitsi_jibri_xmpp_password: ''
 matrix_jitsi_jibri_recorder_user: recorder
 matrix_jitsi_jibri_recorder_password: recorder-password
 matrix_jitsi_jibri_recorder_password: ''


 matrix_jitsi_web_docker_image: "jitsi/web:4101"
 matrix_jitsi_web_docker_image: "jitsi/web:4384"
 matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"

 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
@@ -38,7 +38,8 @@ matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts
 matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"

 # STUN servers used in the web UI. Feel free to point them to your own STUN server.
 matrix_jitsi_web_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
 # Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`.
 matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443']

 # Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
 #
@@ -51,8 +52,29 @@ matrix_jitsi_web_container_extra_arguments: []
 # List of systemd services that matrix-jitsi-web.service depends on
 matrix_jitsi_web_systemd_required_services_list: ['docker.service']


 matrix_jitsi_prosody_docker_image: "jitsi/prosody:4101"
 matrix_jitsi_web_config_defaultLanguage: 'en'
 matrix_jitsi_web_config_start_with_audio_muted: false
 matrix_jitsi_web_config_start_with_video_muted: false
 matrix_jitsi_web_config_testing_enableFirefoxSimulcast: false
 matrix_jitsi_web_config_testing_p2pTestMode: false

 matrix_jitsi_web_interface_config_lang_detection: false
 matrix_jitsi_web_interface_config_show_jitsi_watermark: true
 matrix_jitsi_web_interface_config_jitsi_watermark_link: "https://jitsi.org"
 matrix_jitsi_web_interface_config_show_brand_watermark: false
 matrix_jitsi_web_interface_config_brand_watermark_link: ""
 matrix_jitsi_web_interface_config_show_watermark_for_guests: true
 matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page: true
 matrix_jitsi_web_interface_config_display_welcome_page_content: true
 matrix_jitsi_web_interface_config_app_name: "Jitsi Meet"
 matrix_jitsi_web_interface_config_native_app_name: "Jitsi Meet"
 matrix_jitsi_web_interface_config_provider_name: "Jitsi"
 matrix_jitsi_web_interface_config_invitation_powered_by: true
 matrix_jitsi_web_interface_config_show_powered_by: false
 matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
 matrix_jisti_web_interface_config_show_deep_linking_image: false

 matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384"
 matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"

 matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
@@ -65,7 +87,7 @@ matrix_jitsi_prosody_container_extra_arguments: []
 matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']


 matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4101"
 matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384"
 matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"

 matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
@@ -77,12 +99,12 @@ matrix_jitsi_jicofo_container_extra_arguments: []
 # List of systemd services that matrix-jitsi-jicofo.service depends on
 matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']

 matrix_jitsi_jicofo_component_secret: s3cr37
 matrix_jitsi_jicofo_component_secret: ''
 matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: passw0rd
 matrix_jitsi_jicofo_auth_password: ''


 matrix_jitsi_jvb_docker_image: "jitsi/jvb:4101"
 matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

 matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
@@ -95,11 +117,11 @@ matrix_jitsi_jvb_container_extra_arguments: []
 matrix_jitsi_jvb_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']

 matrix_jitsi_jvb_auth_user: jvb
 matrix_jitsi_jvb_auth_password: passw0rd
 matrix_jitsi_jvb_auth_password: ''

 # STUN servers used by JVB on the server-side, so it can discover its own external IP address.
 # Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
 matrix_jitsi_jvb_stun_servers: ['stun.l.google.com:19302', 'stun1.l.google.com:19302', 'stun2.l.google.com:19302']
 matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443']

 matrix_jitsi_jvb_brewery_muc: jvbbrewery
 matrix_jitsi_jvb_rtp_udp_port: 10000
--- a/roles/matrix-jitsi/tasks/main.yml
+++ b/roles/matrix-jitsi/tasks/main.yml
@@ -2,6 +2,12 @@
  tags:
    - always

 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
  when: "run_setup|bool and matrix_jitsi_enabled|bool"
  tags:
    - setup-all
    - setup-jitsi

 - import_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
  when: run_setup|bool
  tags:
--- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
@@ -34,6 +34,13 @@
    - logging.properties
  when: matrix_jitsi_enabled|bool

 - name: Ensure jitsi-jvb environment variables file created
  template:
    src: "{{ role_path }}/templates/jvb/env.j2"
    dest: "{{ matrix_jitsi_jvb_base_path }}/env"
    mode: 0640
  when: matrix_jitsi_enabled|bool

 - name: Ensure matrix-jitsi-jvb.service installed
  template:
    src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
--- a/roles/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/matrix-jitsi/tasks/validate_config.yml
@@ -0,0 +1,21 @@
 ---

 - name: Fail if required Jitsi settings not defined
  fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) for using Jitsi.

      If you're setting up Jitsi for the first time, you may have missed a step.
      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).

      If you had setup Jitsi successfully before and it's just now that you're observing this failure,
      it means that your installation may be using some default passwords that the playbook used to define until now.
      This is not secure and we urge you to rebuild your Jitsi setup.
      Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
  when: "vars[item] == ''"
  with_items:
    - "matrix_jitsi_jibri_xmpp_password"
    - "matrix_jitsi_jibri_recorder_password"
    - "matrix_jitsi_jicofo_component_secret"
    - "matrix_jitsi_jicofo_auth_password"
    - "matrix_jitsi_jvb_auth_password"
--- a/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2
+++ b/roles/matrix-jitsi/templates/jicofo/sip-communicator.properties.j2
@@ -3,3 +3,7 @@ org.jitsi.jicofo.BRIDGE_MUC={{ matrix_jitsi_jvb_brewery_muc }}@{{ matrix_jitsi_x

 org.jitsi.jicofo.jibri.BREWERY={{ matrix_jitsi_jibri_brewery_muc }}@{{ matrix_jitsi_xmpp_internal_muc_domain }}
 org.jitsi.jicofo.jibri.PENDING_TIMEOUT=90

 {% if matrix_jitsi_enable_auth %}
 org.jitsi.jicofo.auth.URL=XMPP:{{ matrix_jitsi_xmpp_domain }}
 {% endif %}
--- a/roles/matrix-jitsi/templates/jvb/env.j2
+++ b/roles/matrix-jitsi/templates/jvb/env.j2
@@ -0,0 +1 @@
 JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
--- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
+++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
@@ -14,6 +14,7 @@ ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb
 ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_jvb_base_path }}/env \
 			{% if matrix_jitsi_jvb_container_rtp_udp_host_bind_port %}
 			-p {{ matrix_jitsi_jvb_container_rtp_udp_host_bind_port }}:{{ matrix_jitsi_jvb_rtp_udp_port }}/udp \
 			{% endif %}
--- a/roles/matrix-jitsi/templates/web/config.js.j2
+++ b/roles/matrix-jitsi/templates/web/config.js.j2
@@ -18,9 +18,11 @@ var config = {
        // XMPP domain.
        domain: '{{ matrix_jitsi_xmpp_domain }}',

        {% if matrix_jitsi_enable_auth %}
        {% if matrix_jitsi_enable_guests %}
        // When using authentication, domain for guest users.
 		anonymousdomain: 'guest.example.com',
        anonymousdomain: '{{ matrix_jitsi_xmpp_guest_domain }}',
        {% endif %}

        // Domain for authenticated users. Defaults to <domain>.
        authdomain: '{{ matrix_jitsi_xmpp_domain }}',
@@ -54,11 +56,11 @@ var config = {

    testing: {
        // Enables experimental simulcast support on Firefox.
        enableFirefoxSimulcast: false,
        enableFirefoxSimulcast: {{ matrix_jitsi_web_config_testing_enableFirefoxSimulcast|to_json }},

        // P2P test mode disables automatic switching to P2P when there are 2
        // participants in the conference.
        p2pTestMode: false
        p2pTestMode: {{ matrix_jitsi_web_config_testing_p2pTestMode|to_json }}

        // Enables the test specific features consumed by jitsi-meet-torture
        // testMode: false
@@ -91,6 +93,7 @@ var config = {
    // Start calls with audio muted. Unlike the option above, this one is only
    // applied locally. FIXME: having these 2 options is confusing.
    // startWithAudioMuted: false,
    startWithAudioMuted: {{ matrix_jitsi_web_config_start_with_audio_muted|to_json }},

    // Enabling it (with #params) will disable local audio output of remote
    // participants and to enable it back a reload is needed.
@@ -135,6 +138,7 @@ var config = {
    // Start calls with video muted. Unlike the option above, this one is only
    // applied locally. FIXME: having these 2 options is confusing.
    // startWithVideoMuted: false,
    startWithVideoMuted: {{ matrix_jitsi_web_config_start_with_video_muted|to_json }},

    // If set to true, prefer to use the H.264 video codec (if supported).
    // Note that it's not recommended to do this because simulcast is not
@@ -263,7 +267,7 @@ hiddenDomain: {{ matrix_jitsi_recorder_domain|to_json }},
    // disable1On1Mode: false,

    // Default language for the user interface.
    // defaultLanguage: 'en',
    defaultLanguage: {{ matrix_jitsi_web_config_defaultLanguage|to_json }},

    // If true all users without a token will be considered guests and all users
    // with token will be considered non-guests. Only guests will be allowed to
--- a/roles/matrix-jitsi/templates/web/interface_config.js.j2
+++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2
@@ -16,22 +16,22 @@ var interfaceConfig = {
    TOOLBAR_ALWAYS_VISIBLE: false,
    DEFAULT_REMOTE_DISPLAY_NAME: 'Fellow Jitster',
    DEFAULT_LOCAL_DISPLAY_NAME: 'me',
    SHOW_JITSI_WATERMARK: true,
    JITSI_WATERMARK_LINK: 'https://jitsi.org',
    SHOW_JITSI_WATERMARK: {{ matrix_jitsi_web_interface_config_show_jitsi_watermark|to_json }},
    JITSI_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_jitsi_watermark_link|to_json }},

    // if watermark is disabled by default, it can be shown only for guests
    SHOW_WATERMARK_FOR_GUESTS: true,
    SHOW_BRAND_WATERMARK: false,
    BRAND_WATERMARK_LINK: '',
    SHOW_POWERED_BY: false,
    SHOW_DEEP_LINKING_IMAGE: false,
    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: true,
    DISPLAY_WELCOME_PAGE_CONTENT: true,
    APP_NAME: 'Jitsi Meet',
    NATIVE_APP_NAME: 'Jitsi Meet',
    PROVIDER_NAME: 'Jitsi',
    LANG_DETECTION: false, // Allow i18n to detect the system language
    INVITATION_POWERED_BY: true,
    SHOW_WATERMARK_FOR_GUESTS: {{ matrix_jitsi_web_interface_config_show_watermark_for_guests|to_json }},
    SHOW_BRAND_WATERMARK: {{ matrix_jitsi_web_interface_config_show_brand_watermark|to_json }},
    BRAND_WATERMARK_LINK: {{ matrix_jitsi_web_interface_config_brand_watermark_link|to_json }},
    SHOW_POWERED_BY: {{ matrix_jitsi_web_interface_config_show_powered_by|to_json }},
    SHOW_DEEP_LINKING_IMAGE: {{ matrix_jisti_web_interface_config_show_deep_linking_image|to_json }},
    GENERATE_ROOMNAMES_ON_WELCOME_PAGE: {{ matrix_jitsi_web_interface_config_generate_room_names_on_welcome_page|to_json }},
    DISPLAY_WELCOME_PAGE_CONTENT: {{ matrix_jitsi_web_interface_config_display_welcome_page_content|to_json }},
    APP_NAME: {{ matrix_jitsi_web_interface_config_app_name|to_json }},
    NATIVE_APP_NAME: {{ matrix_jitsi_web_interface_config_native_app_name|to_json }},
    PROVIDER_NAME: {{ matrix_jitsi_web_interface_config_provider_name|to_json }},
    LANG_DETECTION: {{ matrix_jitsi_web_interface_config_lang_detection|to_json }}, // Allow i18n to detect the system language
    INVITATION_POWERED_BY: {{ matrix_jitsi_web_interface_config_invitation_powered_by|to_json }},

    /**
     * If we should show authentication block in profile
@@ -92,7 +92,7 @@ var interfaceConfig = {
     *
     * @type {boolean}
     */
    DISABLE_TRANSCRIPTION_SUBTITLES: false,
    DISABLE_TRANSCRIPTION_SUBTITLES: {{ matrix_jitsi_web_interface_config_disable_transcription_subtitles|to_json }},

    /**
     * Whether the ringing sound in the call/ring overlay is disabled. If
--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@@ -0,0 +1,178 @@
 # ma1sd is a Federated Matrix Identity Server
 # See: https://github.com/ma1uta/ma1sd

 matrix_ma1sd_enabled: true

 matrix_ma1sd_container_image_self_build: false

 matrix_ma1sd_docker_image: "ma1uta/ma1sd:2.3.0"
 matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"

 matrix_ma1sd_base_path: "{{ matrix_base_data_path }}/ma1sd"
 matrix_ma1sd_docker_src_files_path: "{{ matrix_ma1sd_base_path }}/docker-src"
 matrix_ma1sd_config_path: "{{ matrix_ma1sd_base_path }}/config"
 matrix_ma1sd_data_path: "{{ matrix_ma1sd_base_path }}/data"

 # Controls whether the matrix-ma1sd container exposes its HTTP port (tcp/8090 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
 matrix_ma1sd_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_ma1sd_container_extra_arguments: []

 # List of systemd services that matrix-ma1sd.service depends on
 matrix_ma1sd_systemd_required_services_list: ['docker.service']

 # List of systemd services that matrix-ma1sd.service wants
 matrix_ma1sd_systemd_wanted_services_list: []

 # Your identity server is private by default.
 # To ensure maximum discovery, you can make your identity server
 # also forward lookups to the central matrix.org Identity server
 # (at the cost of potentially leaking all your contacts information).
 # Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
 matrix_ma1sd_matrixorg_forwarding_enabled: false

 # ma1sd has serveral supported identity stores.
 # One of them is storing identities directly in Synapse's database.
 # Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
 matrix_ma1sd_synapsesql_enabled: false
 matrix_ma1sd_synapsesql_type: ""
 matrix_ma1sd_synapsesql_connection: ""

 # Setting up email-sending settings is required for using ma1sd.
 matrix_ma1sd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}"
 matrix_ma1sd_threepid_medium_email_connectors_smtp_host: ""
 matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 587
 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 1
 matrix_ma1sd_threepid_medium_email_connectors_smtp_login: ""
 matrix_ma1sd_threepid_medium_email_connectors_smtp_password: ""

 # DNS overwrites are useful for telling ma1sd how it can reach the homeserver directly.
 # Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to ma1sd,
 # so that ma1sd can rewrite the original URL to one that would reach the homeserver.
 matrix_ma1sd_dns_overwrite_enabled: false
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"

 # Override the default email templates
 # To use this, fill in the template variables with the full desired template as a multi-line YAML variable
 #
 # More info:
 # https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md
 # https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email
 matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false
 matrix_ma1sd_threepid_medium_email_custom_invite_template: ""
 matrix_ma1sd_threepid_medium_email_custom_session_validation_template: ""
 matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: ""
 matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""

 # Controls whether the self-check feature should validate SSL certificates.
 matrix_ma1sd_self_check_validate_certificates: true

 # Controls ma1sd logging verbosity for troubleshooting.
 #
 # According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
 matrix_ma1sd_verbose_logging: false

 # Default ma1sd configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_ma1sd_configuration_yaml: |
  #jinja2: lstrip_blocks: True
  matrix:
    domain: {{ matrix_domain }}

  server:
    name: {{ matrix_server_fqn_matrix }}

  key:
    path: /var/ma1sd/sign.key

  storage:
    provider:
      sqlite:
        database: /var/ma1sd/ma1sd.db

  {% if matrix_ma1sd_dns_overwrite_enabled %}
  dns:
    overwrite:
      homeserver:
        client:
          - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
            value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
  {% endif %}

  {% if matrix_ma1sd_matrixorg_forwarding_enabled %}
  forward:
    servers: ['matrix-org']
  {% endif %}

  threepid:
    medium:
      email:
        identity:
          from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
        connectors:
          smtp:
            host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
            port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
            tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
            login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
            password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
  {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
        generators:
          template:
            {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
            invite: '/var/ma1sd/invite-template.eml'
            {% endif %}
            {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
            session:
              {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
              validation: '/var/ma1sd/validate-template.eml'
              {% endif %}
              {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
              unbind:
                frandulent: '/var/ma1sd/unbind-fraudulent.eml'
              {% endif %}
            {% endif %}
            {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
            generic:
              matrixId: '/var/ma1sd/mxid-template.eml'
            {% endif %}
  {% endif %}

  synapseSql:
    enabled: {{ matrix_ma1sd_synapsesql_enabled }}
    type: {{ matrix_ma1sd_synapsesql_type }}
    connection: {{ matrix_ma1sd_synapsesql_connection }}

 matrix_ma1sd_configuration_extension_yaml: |
  # Your custom YAML configuration for ma1sd goes here.
  # This configuration extends the default starting configuration (`matrix_ma1sd_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_ma1sd_configuration_yaml`.
  #
  # Example configuration extension follows:
  #
  # ldap:
  #   enabled: true
  #   connection:
  #     host: ldapHostnameOrIp
  #     tls: false
  #     port: 389
  #     baseDNs: ['OU=Users,DC=example,DC=org']
  #     bindDn: CN=My Ma1sd User,OU=Users,DC=example,DC=org
  #     bindPassword: TheUserPassword

 matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml is mapping else {} }}"

 # Holds the final ma1sd configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_ma1sd_configuration_yaml`.
 matrix_ma1sd_configuration: "{{ matrix_ma1sd_configuration_yaml|from_yaml|combine(matrix_ma1sd_configuration_extension, recursive=True) }}"
--- a/roles/matrix-ma1sd/tasks/init.yml
+++ b/roles/matrix-ma1sd/tasks/init.yml
@@ -1,10 +1,10 @@
 - set_fact:
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}"
  when: matrix_mxisd_enabled|bool
    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}"
  when: matrix_ma1sd_enabled|bool

 # ansible lower than 2.8, does not support docker_image build parameters
 # for self buildig it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
  fail:
    msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build"
    msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build"
--- a/roles/matrix-ma1sd/tasks/main.yml
+++ b/roles/matrix-ma1sd/tasks/main.yml
@@ -0,0 +1,21 @@
 - import_tasks: "{{ role_path }}/tasks/init.yml"
  tags:
    - always

 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
  when: "run_setup|bool and matrix_ma1sd_enabled|bool"
  tags:
    - setup-all
    - setup-ma1sd

 - import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml"
  tags:
    - setup-all
    - setup-ma1sd

 - import_tasks: "{{ role_path }}/tasks/self_check_ma1sd.yml"
  delegate_to: 127.0.0.1
  become: false
  when: "run_self_check|bool and matrix_ma1sd_enabled|bool"
  tags:
    - self-check
--- a/roles/matrix-ma1sd/tasks/migrate_mxisd.yml
+++ b/roles/matrix-ma1sd/tasks/migrate_mxisd.yml
@@ -0,0 +1,72 @@
 ---

 # This task is for migrating existing mxisd data when transitioning to the ma1sd fork.

 - name: Check for existent mxisd data
  stat:
    path: "{{ matrix_base_data_path }}/mxisd/data"
  register: ma1sd_migrate_mxisd_data_dir_stat

 - name: Warn if mxisd data detected
  debug:
    msg: >
      You seem to have an existing mxisd folder in `{{ matrix_base_data_path }}/mxisd`.
      We are going to migrate it to ma1sd and rename the folder to mxisd.migrated.
  when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"

 - name: Check existence of old matrix-mxisd service
  stat:
    path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
  register: matrix_mxisd_service_stat

 - name: Ensure matrix-mxisd is stopped
  service:
    name: matrix-mxisd
    state: stopped
    daemon_reload: yes
  when: "matrix_mxisd_service_stat.stat.exists"

 - name: Check existence of matrix-ma1sd service
  stat:
    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
  register: matrix_ma1sd_service_stat
  when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"

 - name: Ensure matrix-ma1sd is stopped
  service:
    name: matrix-ma1sd
    state: stopped
    daemon_reload: yes
  when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists and matrix_ma1sd_service_stat.stat.exists"

 # We use shell commands for the migration, because the Ansible copy module cannot
 # recursively copy remote directories (like `/matrix/mxisd/data/sign.key`) in older versions of Ansible.
 - block:
  - name: Copy mxisd data files to ma1sd folder
    command: "cp -ar {{ matrix_base_data_path }}/mxisd/data {{ matrix_ma1sd_base_path }}"

  - name: Check existence of mxisd.db file
    stat:
      path: "{{ matrix_ma1sd_data_path }}/mxisd.db"
    register: matrix_ma1sd_mxisd_db_stat

  - name: Rename database (mxisd.db -> ma1sd.db)
    command: "mv {{ matrix_ma1sd_data_path }}/mxisd.db {{ matrix_ma1sd_data_path }}/ma1sd.db"
    when: "matrix_ma1sd_mxisd_db_stat.stat.exists"

  - name: Rename mxisd folder
    command: "mv {{ matrix_base_data_path }}/mxisd {{ matrix_base_data_path }}/mxisd.migrated"
  when: "ma1sd_migrate_mxisd_data_dir_stat.stat.exists"

 - name: Ensure outdated matrix-mxisd.service doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
    state: absent
  when: "matrix_mxisd_service_stat.stat.exists"

 - name: Ensure systemd reloaded after removing outdated matrix-mxisd.service
  service:
    daemon_reload: yes
  when: "matrix_mxisd_service_stat.stat.exists"


--- a/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml
+++ b/roles/matrix-ma1sd/tasks/self_check_ma1sd.yml
@@ -0,0 +1,21 @@
 ---

 - set_fact:
    ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"

 - name: Check ma1sd Identity Service
  uri:
    url: "{{ ma1sd_url_endpoint_public }}"
    follow_redirects: none
    validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
  register: result_ma1sd
  ignore_errors: true

 - name: Fail if ma1sd Identity Service not working
  fail:
    msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
  when: "result_ma1sd.failed or 'json' not in result_ma1sd"

 - name: Report working ma1sd Identity Service
  debug:
    msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
--- a/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
+++ b/roles/matrix-ma1sd/tasks/setup_ma1sd.yml
@@ -0,0 +1,140 @@
 ---

 #
 # Tasks related to setting up ma1sd
 #

 - name: Ensure ma1sd paths exist
  file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - { path: "{{ matrix_ma1sd_config_path }}", when: true }
    - { path: "{{ matrix_ma1sd_data_path }}", when: true }
    - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
  when: matrix_ma1sd_enabled|bool and item.when

 - import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml"
  when: matrix_ma1sd_enabled|bool

 - name: Ensure ma1sd image is pulled
  docker_image:
    name: "{{ matrix_ma1sd_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
  when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build

 - block:
  - name: Ensure gradle is installed for self-building (Debian)
    apt:
      name:
        - gradle
      state: present
      update_cache: yes
    when: (ansible_os_family == 'Debian')

  - name: Ensure gradle is installed for self-building (CentOS)
    fail:
      msg: "Installing gradle on CentOS is currently not supported, so self-building ma1sd cannot happen at this time"
    when: ansible_distribution == 'CentOS'

  - name: Ensure gradle is installed for self-building (Archlinux)
    pacman:
      name:
        - gradle
      state: latest
      update_cache: yes
    when: ansible_distribution == 'Archlinux'

  - name: Ensure ma1sd repository is present on self-build
    git:
      repo: https://github.com/ma1uta/ma1sd.git
      dest: "{{ matrix_ma1sd_docker_src_files_path }}"
      version: "v{{ matrix_ma1sd_docker_image.split(':')[1] }}"
      force: "yes"

  - name: Ensure ma1sd Docker image is built
    shell: "./gradlew dockerBuild"
    args:
      chdir: "{{ matrix_ma1sd_docker_src_files_path }}"
  when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build"

 - name: Ensure ma1sd config installed
  copy:
    content: "{{ matrix_ma1sd_configuration|to_nice_yaml }}"
    dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  when: matrix_ma1sd_enabled|bool

 - name: Ensure custom templates are installed if any
  copy:
    content: "{{ item.value }}"
    dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'}
    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
  when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"

 - name: Ensure matrix-ma1sd.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
    dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
    mode: 0644
  register: matrix_ma1sd_systemd_service_result
  when: matrix_ma1sd_enabled|bool

 - name: Ensure systemd reloaded after matrix-ma1sd.service installation
  service:
    daemon_reload: yes
  when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed"

 #
 # Tasks related to getting rid of ma1sd (if it was previously enabled)
 #

 - name: Check existence of matrix-ma1sd service
  stat:
    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
  register: matrix_ma1sd_service_stat

 - name: Ensure matrix-ma1sd is stopped
  service:
    name: matrix-ma1sd
    state: stopped
    daemon_reload: yes
  register: stopping_result
  when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"

 - name: Ensure matrix-ma1sd.service doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
    state: absent
  when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"

 - name: Ensure systemd reloaded after matrix-ma1sd.service removal
  service:
    daemon_reload: yes
  when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"

 - name: Ensure Matrix ma1sd paths don't exist
  file:
    path: "{{ matrix_ma1sd_base_path }}"
    state: absent
  when: "not matrix_ma1sd_enabled|bool"

 - name: Ensure ma1sd Docker image doesn't exist
  docker_image:
    name: "{{ matrix_ma1sd_docker_image }}"
    state: absent
  when: "not matrix_ma1sd_enabled|bool"
--- a/roles/matrix-ma1sd/tasks/validate_config.yml
+++ b/roles/matrix-ma1sd/tasks/validate_config.yml
@@ -0,0 +1,66 @@
 ---

 - name: (Deprecation) Warn about ma1sd variables that are not used anymore
  fail:
    msg: >
      The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
      You'll need to adapt to the new way of extending ma1sd configuration.
      See the CHANGELOG and the `matrix_ma1sd_configuration_extension_yaml` variable for more information and examples.
  when: "item in vars"
  with_items:
    - 'matrix_ma1sd_ldap_enabled'
    - 'matrix_ma1sd_ldap_connection_host'
    - 'matrix_ma1sd_ldap_connection_tls'
    - 'matrix_ma1sd_ldap_connection_port'
    - 'matrix_ma1sd_ldap_connection_baseDn'
    - 'matrix_ma1sd_ldap_connection_baseDns'
    - 'matrix_ma1sd_ldap_connection_bindDn'
    - 'matrix_ma1sd_ldap_connection_bindPassword'
    - 'matrix_ma1sd_ldap_filter'
    - 'matrix_ma1sd_ldap_attribute_uid_type'
    - 'matrix_ma1sd_ldap_attribute_uid_value'
    - 'matrix_ma1sd_ldap_connection_bindPassword'
    - 'matrix_ma1sd_ldap_attribute_name'
    - 'matrix_ma1sd_ldap_attribute_threepid_email'
    - 'matrix_ma1sd_ldap_attribute_threepid_msisdn'
    - 'matrix_ma1sd_ldap_identity_filter'
    - 'matrix_ma1sd_ldap_identity_medium'
    - 'matrix_ma1sd_ldap_auth_filter'
    - 'matrix_ma1sd_ldap_directory_filter'
    - 'matrix_ma1sd_template_config'

 - name: Ensure ma1sd configuration does not contain any dot-notation keys
  fail:
    msg: >
      Since version 1.3.0, ma1sd will not accept property-style configuration keys.
      You have defined a key (`{{ item.key }}`) which contains a dot.
      Instead, use nesting. See: https://github.com/ma1uta/ma1sd/wiki/Upgrade-Notes#v130
  when: "'.' in item.key"
  with_dict: "{{ matrix_ma1sd_configuration }}"

 - name: Fail if required ma1sd settings not defined
  fail:
    msg: >
      You need to define a required configuration setting (`{{ item }}`) for using ma1sd.
  when: "vars[item] == ''"
  with_items:
    - "matrix_ma1sd_threepid_medium_email_connectors_smtp_host"

 - name: (Deprecation) Catch and report renamed ma1sd variables
  fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict"
  with_items:
    - {'old': 'matrix_ma1sd_container_expose_port', 'new': '<superseded by matrix_ma1sd_container_http_host_bind_port>'}

 - name: (Deprecation) Catch and report mxisd variables
  fail:
    msg: >-
      mxisd is deprecated and has been replaced with ma1sd (https://github.com/ma1uta/ma1sd), a compatible fork.
      The playbook will migrate your existing mxisd configuration and data automatically, but you need to adjust variable names.
      Please change your configuration (vars.yml) to rename all mxisd variables (`{{ item.old }}` -> `{{ item.new }}`).
  when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict"
  with_items:
    - {'old': 'matrix_mxisd_.*', 'new': 'matrix_ma1sd_.*'}
--- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@@ -0,0 +1,46 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix ma1sd Identity server
 {% for service in matrix_ma1sd_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_ma1sd_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-ma1sd
 ExecStartPre=-/usr/bin/docker rm matrix-ma1sd

 # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
 # so /tmp needs to be mounted with an exec option.
 ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,exec,nosuid,size=10m \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_ma1sd_container_http_host_bind_port %}
 			-p {{ matrix_ma1sd_container_http_host_bind_port }}:8090 \
 			{% endif %}
 			{% if matrix_ma1sd_verbose_logging %}
 			-e MA1SD_LOG_LEVEL=debug \
 			{% endif %}
 			-v {{ matrix_ma1sd_config_path }}:/etc/ma1sd:ro \
 			-v {{ matrix_ma1sd_data_path }}:/var/ma1sd:rw \
 			{% for arg in matrix_ma1sd_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_ma1sd_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-ma1sd
 ExecStop=-/usr/bin/docker rm matrix-ma1sd
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-ma1sd

 [Install]
 WantedBy=multi-user.target
--- a/roles/matrix-ma1sd/vars/main.yml
+++ b/roles/matrix-ma1sd/vars/main.yml
@@ -0,0 +1,5 @@
 ---

 # Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
 # We need to ensure it's a dictionary or `|combine` (when building `matrix_ma1sd_configuration`) will fail later.
 matrix_ma1sd_configuration_extension: "{{ matrix_ma1sd_configuration_extension_yaml|from_yaml if matrix_ma1sd_configuration_extension_yaml|from_yaml else {} }}"
--- a/roles/matrix-mxisd/defaults/main.yml
+++ b/roles/matrix-mxisd/defaults/main.yml
@@ -1,178 +0,0 @@
 # mxisd is a Federated Matrix Identity Server
 # See: https://github.com/kamax-matrix/mxisd

 matrix_mxisd_enabled: true

 matrix_mxisd_container_image_self_build: false

 matrix_mxisd_docker_image: "kamax/mxisd:1.4.6"
 matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}"

 matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
 matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src"
 matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
 matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"

 # Controls whether the matrix-mxisd container exposes its HTTP port (tcp/8090 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8090"), or empty string to not expose.
 matrix_mxisd_container_http_host_bind_port: ''

 # A list of extra arguments to pass to the container
 matrix_mxisd_container_extra_arguments: []

 # List of systemd services that matrix-mxisd.service depends on
 matrix_mxisd_systemd_required_services_list: ['docker.service']

 # List of systemd services that matrix-mxisd.service wants
 matrix_mxisd_systemd_wanted_services_list: []

 # Your identity server is private by default.
 # To ensure maximum discovery, you can make your identity server
 # also forward lookups to the central matrix.org Identity server
 # (at the cost of potentially leaking all your contacts information).
 # Enabling this is discouraged. Learn more here: https://github.com/kamax-io/mxisd/blob/master/docs/features/identity.md#lookups
 matrix_mxisd_matrixorg_forwarding_enabled: false

 # mxisd has serveral supported identity stores.
 # One of them is storing identities directly in Synapse's database.
 # Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
 matrix_mxisd_synapsesql_enabled: false
 matrix_mxisd_synapsesql_type: ""
 matrix_mxisd_synapsesql_connection: ""

 # Setting up email-sending settings is required for using mxisd.
 matrix_mxisd_threepid_medium_email_identity_from: "matrix@{{ matrix_domain }}"
 matrix_mxisd_threepid_medium_email_connectors_smtp_host: ""
 matrix_mxisd_threepid_medium_email_connectors_smtp_port: 587
 matrix_mxisd_threepid_medium_email_connectors_smtp_tls: 1
 matrix_mxisd_threepid_medium_email_connectors_smtp_login: ""
 matrix_mxisd_threepid_medium_email_connectors_smtp_password: ""

 # DNS overwrites are useful for telling mxisd how it can reach the homeserver directly.
 # Useful when reverse-proxying certain URLs (e.g. `/_matrix/client/r0/user_directory/search`) to mxisd,
 # so that mxisd can rewrite the original URL to one that would reach the homeserver.
 matrix_mxisd_dns_overwrite_enabled: false
 matrix_mxisd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 matrix_mxisd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"

 # Override the default email templates
 # To use this, fill in the template variables with the full desired template as a multi-line YAML variable
 #
 # More info:
 # https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notification/template-generator.md
 # https://github.com/kamax-matrix/mxisd/tree/master/src/main/resources/threepids/email
 matrix_mxisd_threepid_medium_email_custom_templates_enabled: false
 matrix_mxisd_threepid_medium_email_custom_invite_template: ""
 matrix_mxisd_threepid_medium_email_custom_session_validation_template: ""
 matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template: ""
 matrix_mxisd_threepid_medium_email_custom_matrixid_template: ""

 # Controls whether the self-check feature should validate SSL certificates.
 matrix_mxisd_self_check_validate_certificates: true

 # Controls mxisd logging verbosity for troubleshooting.
 #
 # According to: https://github.com/kamax-matrix/mxisd/blob/master/docs/troubleshooting.md#increase-verbosity
 matrix_mxisd_verbose_logging: false

 # Default mxisd configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_mxisd_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mxisd_configuration_yaml: |
  #jinja2: lstrip_blocks: True
  matrix:
    domain: {{ matrix_domain }}

  server:
    name: {{ matrix_server_fqn_matrix }}

  key:
    path: /var/mxisd/sign.key

  storage:
    provider:
      sqlite:
        database: /var/mxisd/mxisd.db

  {% if matrix_mxisd_dns_overwrite_enabled %}
  dns:
    overwrite:
      homeserver:
        client:
          - name: {{ matrix_mxisd_dns_overwrite_homeserver_client_name }}
            value: {{ matrix_mxisd_dns_overwrite_homeserver_client_value }}
  {% endif %}

  {% if matrix_mxisd_matrixorg_forwarding_enabled %}
  forward:
    servers: ['matrix-org']
  {% endif %}

  threepid:
    medium:
      email:
        identity:
          from: {{ matrix_mxisd_threepid_medium_email_identity_from }}
        connectors:
          smtp:
            host: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_host }}
            port: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_port }}
            tls: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_tls }}
            login: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_login }}
            password: {{ matrix_mxisd_threepid_medium_email_connectors_smtp_password }}
  {% if matrix_mxisd_threepid_medium_email_custom_templates_enabled %}
        generators:
          template:
            {% if matrix_mxisd_threepid_medium_email_custom_invite_template %}
            invite: '/var/mxisd/invite-template.eml'
            {% endif %}
            {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template or matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %}
            session:
              {% if matrix_mxisd_threepid_medium_email_custom_session_validation_template %}
              validation: '/var/mxisd/validate-template.eml'
              {% endif %}
              {% if matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template %}
              unbind:
                frandulent: '/var/mxisd/unbind-fraudulent.eml'
              {% endif %}
            {% endif %}
            {% if matrix_mxisd_threepid_medium_email_custom_matrixid_template %}
            generic:
              matrixId: '/var/mxisd/mxid-template.eml'
            {% endif %}
  {% endif %}

  synapseSql:
    enabled: {{ matrix_mxisd_synapsesql_enabled }}
    type: {{ matrix_mxisd_synapsesql_type }}
    connection: {{ matrix_mxisd_synapsesql_connection }}

 matrix_mxisd_configuration_extension_yaml: |
  # Your custom YAML configuration for mxisd goes here.
  # This configuration extends the default starting configuration (`matrix_mxisd_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_mxisd_configuration_yaml`.
  #
  # Example configuration extension follows:
  #
  # ldap:
  #   enabled: true
  #   connection:
  #     host: ldapHostnameOrIp
  #     tls: false
  #     port: 389
  #     baseDNs: ['OU=Users,DC=example,DC=org']
  #     bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
  #     bindPassword: TheUserPassword

 matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml is mapping else {} }}"

 # Holds the final mxisd configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
 matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"
--- a/roles/matrix-mxisd/tasks/main.yml
+++ b/roles/matrix-mxisd/tasks/main.yml
@@ -1,21 +0,0 @@
 - import_tasks: "{{ role_path }}/tasks/init.yml"
  tags:
    - always

 - import_tasks: "{{ role_path }}/tasks/validate_config.yml"
  when: "run_setup|bool and matrix_mxisd_enabled|bool"
  tags:
    - setup-all
    - setup-mxisd

 - import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
  tags:
    - setup-all
    - setup-mxisd

 - import_tasks: "{{ role_path }}/tasks/self_check_mxisd.yml"
  delegate_to: 127.0.0.1
  become: false
  when: "run_self_check|bool and matrix_mxisd_enabled|bool"
  tags:
    - self-check
--- a/roles/matrix-mxisd/tasks/self_check_mxisd.yml
+++ b/roles/matrix-mxisd/tasks/self_check_mxisd.yml
@@ -1,21 +0,0 @@
 ---

 - set_fact:
    mxisd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"

 - name: Check mxisd Identity Service
  uri:
    url: "{{ mxisd_url_endpoint_public }}"
    follow_redirects: none
    validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}"
  register: result_mxisd
  ignore_errors: true

 - name: Fail if mxisd Identity Service not working
  fail:
    msg: "Failed checking mxisd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ mxisd_url_endpoint_public }}`). Is mxisd running? Is port 443 open in your firewall? Full error: {{ result_mxisd }}"
  when: "result_mxisd.failed or 'json' not in result_mxisd"

 - name: Report working mxisd Identity Service
  debug:
    msg: "mxisd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ mxisd_url_endpoint_public }}`)"
--- a/roles/matrix-mxisd/tasks/setup_mxisd.yml
+++ b/roles/matrix-mxisd/tasks/setup_mxisd.yml
@@ -1,137 +0,0 @@
 ---

 #
 # Tasks related to setting up mxisd
 #

 - name: Ensure mxisd paths exist
  file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - { path: "{{ matrix_mxisd_config_path }}", when: true }
    - { path: "{{ matrix_mxisd_data_path }}", when: true }
    - { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"}
  when: matrix_mxisd_enabled|bool and item.when

 - name: Ensure mxisd image is pulled
  docker_image:
    name: "{{ matrix_mxisd_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}"
  when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build

 - block:
  - name: Ensure gradle is installed for self-building (Debian)
    apt:
      name:
        - gradle
      state: present
      update_cache: yes
    when: (ansible_os_family == 'Debian')

  - name: Ensure gradle is installed for self-building (CentOS)
    fail:
      msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time"
    when: ansible_distribution == 'CentOS'

  - name: Ensure gradle is installed for self-building (Archlinux)
    pacman:
      name:
        - gradle
      state: latest
      update_cache: yes
    when: ansible_distribution == 'Archlinux'

  - name: Ensure mxisd repository is present on self-build
    git:
      repo: https://github.com/kamax-matrix/mxisd.git
      dest: "{{ matrix_mxisd_docker_src_files_path }}"
      version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}"
      force: "yes"

  - name: Ensure mxisd Docker image is built
    shell: "./gradlew dockerBuild"
    args:
      chdir: "{{ matrix_mxisd_docker_src_files_path }}"
  when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build"

 - name: Ensure mxisd config installed
  copy:
    content: "{{ matrix_mxisd_configuration|to_nice_yaml }}"
    dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  when: matrix_mxisd_enabled|bool

 - name: Ensure custom templates are installed if any
  copy:
    content: "{{ item.value }}"
    dest: "{{ matrix_mxisd_data_path }}/{{ item.location }}"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - {value: "{{ matrix_mxisd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
    - {value: "{{ matrix_mxisd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
    - {value: "{{ matrix_mxisd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'}
    - {value: "{{ matrix_mxisd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
  when: "matrix_mxisd_enabled|bool and matrix_mxisd_threepid_medium_email_custom_templates_enabled|bool and item.value"

 - name: Ensure matrix-mxisd.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2"
    dest: "{{ matrix_systemd_path }}/matrix-mxisd.service"
    mode: 0644
  register: matrix_mxisd_systemd_service_result
  when: matrix_mxisd_enabled|bool

 - name: Ensure systemd reloaded after matrix-mxisd.service installation
  service:
    daemon_reload: yes
  when: "matrix_mxisd_enabled|bool and matrix_mxisd_systemd_service_result.changed"

 #
 # Tasks related to getting rid of mxisd (if it was previously enabled)
 #

 - name: Check existence of matrix-mxisd service
  stat:
    path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
  register: matrix_mxisd_service_stat

 - name: Ensure matrix-mxisd is stopped
  service:
    name: matrix-mxisd
    state: stopped
    daemon_reload: yes
  register: stopping_result
  when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists"

 - name: Ensure matrix-mxisd.service doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-mxisd.service"
    state: absent
  when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists"

 - name: Ensure systemd reloaded after matrix-mxisd.service removal
  service:
    daemon_reload: yes
  when: "not matrix_mxisd_enabled|bool and matrix_mxisd_service_stat.stat.exists"

 - name: Ensure Matrix mxisd paths don't exist
  file:
    path: "{{ matrix_mxisd_base_path }}"
    state: absent
  when: "not matrix_mxisd_enabled|bool"

 - name: Ensure mxisd Docker image doesn't exist
  docker_image:
    name: "{{ matrix_mxisd_docker_image }}"
    state: absent
  when: "not matrix_mxisd_enabled|bool"
--- a/roles/matrix-mxisd/tasks/validate_config.yml
+++ b/roles/matrix-mxisd/tasks/validate_config.yml
@@ -1,57 +0,0 @@
 ---

 - name: (Deprecation) Warn about mxisd variables that are not used anymore
  fail:
    msg: >
      The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
      You'll need to adapt to the new way of extending mxisd configuration.
      See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
  when: "item in vars"
  with_items:
    - 'matrix_mxisd_ldap_enabled'
    - 'matrix_mxisd_ldap_connection_host'
    - 'matrix_mxisd_ldap_connection_tls'
    - 'matrix_mxisd_ldap_connection_port'
    - 'matrix_mxisd_ldap_connection_baseDn'
    - 'matrix_mxisd_ldap_connection_baseDns'
    - 'matrix_mxisd_ldap_connection_bindDn'
    - 'matrix_mxisd_ldap_connection_bindPassword'
    - 'matrix_mxisd_ldap_filter'
    - 'matrix_mxisd_ldap_attribute_uid_type'
    - 'matrix_mxisd_ldap_attribute_uid_value'
    - 'matrix_mxisd_ldap_connection_bindPassword'
    - 'matrix_mxisd_ldap_attribute_name'
    - 'matrix_mxisd_ldap_attribute_threepid_email'
    - 'matrix_mxisd_ldap_attribute_threepid_msisdn'
    - 'matrix_mxisd_ldap_identity_filter'
    - 'matrix_mxisd_ldap_identity_medium'
    - 'matrix_mxisd_ldap_auth_filter'
    - 'matrix_mxisd_ldap_directory_filter'
    - 'matrix_mxisd_template_config'

 - name: Ensure mxisd configuration does not contain any dot-notation keys
  fail:
    msg: >
      Since version 1.3.0, mxisd will not accept property-style configuration keys.
      You have defined a key (`{{ item.key }}`) which contains a dot.
      Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
  when: "'.' in item.key"
  with_dict: "{{ matrix_mxisd_configuration }}"

 - name: Fail if required mxisd settings not defined
  fail:
    msg: >
      You need to define a required configuration setting (`{{ item }}`) for using mxisd.
  when: "vars[item] == ''"
  with_items:
    - "matrix_mxisd_threepid_medium_email_connectors_smtp_host"


 - name: (Deprecation) Catch and report renamed mxisd variables
  fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_mxisd_container_expose_port', 'new': '<superseded by matrix_mxisd_container_http_host_bind_port>'}
--- a/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
+++ b/roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
@@ -1,46 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix mxisd Identity server
 {% for service in matrix_mxisd_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_mxisd_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mxisd
 ExecStartPre=-/usr/bin/docker rm matrix-mxisd

 # mxisd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
 # so /tmp needs to be mounted with an exec option.
 ExecStart=/usr/bin/docker run --rm --name matrix-mxisd \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,exec,nosuid,size=10m \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_mxisd_container_http_host_bind_port %}
 			-p {{ matrix_mxisd_container_http_host_bind_port }}:8090 \
 			{% endif %}
 			{% if matrix_mxisd_verbose_logging %}
 			-e MXISD_LOG_LEVEL=debug \
 			{% endif %}
 			-v {{ matrix_mxisd_config_path }}:/etc/mxisd:ro \
 			-v {{ matrix_mxisd_data_path }}:/var/mxisd:rw \
 			{% for arg in matrix_mxisd_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mxisd_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-mxisd
 ExecStop=-/usr/bin/docker rm matrix-mxisd
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mxisd

 [Install]
 WantedBy=multi-user.target
--- a/roles/matrix-mxisd/vars/main.yml
+++ b/roles/matrix-mxisd/vars/main.yml
@@ -1,5 +0,0 @@
 ---

 # Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
 # We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
 matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
 matrix_nginx_proxy_docker_image: "nginx:1.17.9-alpine"
 matrix_nginx_proxy_docker_image: "nginx:1.17.10-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@@ -116,21 +116,21 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:410

 # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
 # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
 # To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/directory.md
 # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
 matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-mxisd:8090"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:8090"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:8090"

 # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
 # This allows another service to control registrations involving 3PIDs.
 # To learn more, see: https://github.com/kamax-matrix/mxisd/blob/master/docs/features/registration.md
 # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
 matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-mxisd:8090"
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:8090"
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:8090"

 # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-mxisd:8090"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:8090"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"

 # Controls whether proxying for metrics (`/_synapse/metrics`) should be done (on the matrix domain)
@@ -184,6 +184,12 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true

 # Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
 #
 # As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
 # so we default to not following redirects as well.
 matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none

 # By default, this playbook automatically retrieves and auto-renews
 # free SSL certificates from Let's Encrypt.
 #
@@ -207,12 +213,14 @@ matrix_nginx_proxy_self_check_validate_certificates: true
 # plain HTTP traffic only (usually, on the loopback interface only) and you'd be terminating SSL using another reverse-proxy.
 matrix_ssl_retrieval_method: "lets-encrypt"

 matrix_ssl_architecture: "amd64"

 # The list of domains that this role will obtain certificates for.
 matrix_ssl_domains_to_obtain_certificates_for: []

 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
 matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.3.0"
 matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
--- a/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
+++ b/roles/matrix-nginx-proxy/tasks/self_check_well_known.yml
@@ -6,7 +6,7 @@
      - path: /.well-known/matrix/client
        purpose: Client Discovery
        cors: true
        follow_redirects: none
        follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"

 - block:
@@ -18,7 +18,7 @@
          follow_redirects: safe
          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"

    - name: Determine domains that we require certificates for (mxisd)
    - name: Determine domains that we require certificates for (ma1sd)
      set_fact:
        well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
  when: matrix_well_known_matrix_server_enabled|bool
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@@ -11,7 +11,7 @@ docker run \
 	--rm \
 	--name=matrix-certbot \
 	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
    --cap-drop=ALL \
 	--cap-drop=ALL \
 	--network="{{ matrix_docker_network }}" \
 	-p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
 	-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2
@@ -11,9 +11,9 @@ fi
 docker run \
 	-it \
 	--rm \
 	--user=991:991 \
 	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 	--cap-drop=ALL \
 	--env-file=/matrix/postgres/env-postgres-psql \
 	--network matrix \
 	postgres:12.1-alpine \
 	psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
 	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 	--network {{ matrix_docker_network }} \
 	{{ matrix_postgres_docker_image_to_use }} \
 	psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
@@ -5,7 +5,7 @@ docker run \
 	-it \
 	--rm \
 	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
    --cap-drop=ALL \
 	--cap-drop=ALL \
 	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 	--network {{ matrix_docker_network }} \
 	{{ matrix_postgres_docker_image_to_use }} \
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2
@@ -9,7 +9,7 @@ fi
 docker run \
 	--rm \
 	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
    --cap-drop=ALL \
 	--cap-drop=ALL \
 	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 	--network {{ matrix_docker_network }} \
 	{{ matrix_postgres_docker_image_to_use }} \
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@@ -2,7 +2,7 @@ matrix_riot_web_enabled: true

 matrix_riot_web_container_image_self_build: false

 matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.13"
 matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"

 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
--- a/roles/matrix-riot-web/templates/config.json.j2
+++ b/roles/matrix-riot-web/templates/config.json.j2
@@ -30,10 +30,9 @@
 	"embeddedPages": {
 		"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}
 	},
 	{% if matrix_riot_web_jitsi_preferredDomain is not none %}
 	{% if matrix_riot_web_jitsi_preferredDomain %}
 	"jitsi": {
        "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }},
        "externalApiUrl": "https://{{ matrix_riot_web_jitsi_preferredDomain }}/libs/external_api.min.js"
        "preferredDomain": {{ matrix_riot_web_jitsi_preferredDomain|to_json }}
    },
 	{% endif %}
 	"branding": {
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -5,7 +5,7 @@ matrix_synapse_enabled: true

 matrix_synapse_container_image_self_build: false

 matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.0"
 matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@@ -164,6 +164,21 @@ matrix_synapse_enable_group_creation: false
 # A list of 3PID types which users must supply when registering (possible values: email, msisdn).
 matrix_synapse_registrations_require_3pid: []

 # A list of patterns 3pids must match in order to permit registration, e.g.:
 #  - medium: email
 #    pattern: '.*@example\.com'
 #  - medium: msisdn
 #    pattern: '\+44'
 matrix_synapse_allowed_local_3pids: []

 # The server to use for email threepid validation. When empty, Synapse does it by itself.
 # Otherwise, this should be pointed to an identity server.
 matrix_synapse_account_threepid_delegates_email: ''

 # The server to use for phone number threepid validation. When empty, validation cannot happen, as Synapse doesn't support it.
 # To make it work, this should be pointed to an identity server.
 matrix_synapse_account_threepid_delegates_msisdn: ''

 # Users who register on this homeserver will automatically be joined to these rooms.
 # Rooms are to be specified using addresses (e.g. `#address:example.com`)
 matrix_synapse_auto_join_rooms: []
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -967,7 +967,7 @@ account_validity:
 #registrations_require_3pid:
 #  - email
 #  - msisdn
 {% if matrix_synapse_registrations_require_3pid %}
 {% if matrix_synapse_registrations_require_3pid|length > 0 %}
 registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json }}
 {% endif %}

@@ -986,6 +986,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json
 #    pattern: '.*@vector\.im'
 #  - medium: msisdn
 #    pattern: '\+44'
 {% if matrix_synapse_allowed_local_3pids|length > 0 %}
 allowed_local_3pids: {{ matrix_synapse_allowed_local_3pids|to_json }}
 {% endif %}

 # Enable 3PIDs lookup requests to identity servers from this server.
 #
@@ -1060,8 +1063,8 @@ trusted_third_party_id_servers:
 # If a delegate is specified, the config option public_baseurl must also be filled out.
 #
 account_threepid_delegates:
    #email: https://example.com     # Delegate email sending to example.com
    #msisdn: http://localhost:8090  # Delegate SMS sending to this local process
    email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
    msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}

 # Users who register on this homeserver will automatically be joined
 # to these rooms
--- a/setup.yml
+++ b/setup.yml
@@ -16,10 +16,11 @@
    - matrix-bridge-mautrix-hangouts
    - matrix-bridge-mautrix-telegram
    - matrix-bridge-mautrix-whatsapp
    - matrix-bridge-mx-puppet-skype
    - matrix-synapse
    - matrix-riot-web
    - matrix-jitsi
    - matrix-mxisd
    - matrix-ma1sd
    - matrix-dimension
    - matrix-email2matrix
    - matrix-nginx-proxy