Merge branch 'master' into element-call-integration

11 miesięcy temu · 2c1c49444a
--- a/docs/configuring-playbook-appservice-draupnir-for-all.md
+++ b/docs/configuring-playbook-appservice-draupnir-for-all.md
@@ -45,7 +45,7 @@ Add the following configuration to your `inventory/host_vars/matrix.example.com/
 ```yaml
 matrix_appservice_draupnir_for_all_enabled: true

 matrix_appservice_draupnir_for_all_master_control_room_alias: "MANAGEMENT_ROOM_ALIAS_HERE"
 matrix_appservice_draupnir_for_all_config_adminRoom: "MANAGEMENT_ROOM_ALIAS_HERE"
 ```

 ### Extending the configuration
--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@@ -54,11 +54,11 @@ To enable the native E2EE support, add the following configuration to your `vars

 ```yaml
 # Enables the native E2EE support
 matrix_bot_draupnir_enable_experimental_rust_crypto: true
 matrix_bot_draupnir_config_experimentalRustCrypto: true

 # Access token which the bot will use for logging in.
 # Comment out `matrix_bot_draupnir_login_native` when using this option.
 matrix_bot_draupnir_access_token: "CLEAN_ACCESS_TOKEN_HERE"
 matrix_bot_draupnir_config_accessToken: "CLEAN_ACCESS_TOKEN_HERE"
 ```

 ## Adjusting the playbook configuration
@@ -73,13 +73,13 @@ matrix_bot_draupnir_enabled: true
 # matrix_bot_draupnir_login: bot.draupnir

 # Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
 # If creating the user on your own and using `matrix_bot_draupnir_access_token` to login you can comment out this line.
 # If creating the user on your own and using `matrix_bot_draupnir_config_accessToken` to login you can comment out this line.
 matrix_bot_draupnir_password: PASSWORD_FOR_THE_BOT

 # Comment out if using `matrix_bot_draupnir_enable_experimental_rust_crypto: true` or `matrix_bot_draupnir_access_token` to login.
 # Comment out if using `matrix_bot_draupnir_config_experimentalRustCrypto: true` or `matrix_bot_draupnir_config_accessToken` to login.
 matrix_bot_draupnir_login_native: true

 matrix_bot_draupnir_management_room: "MANAGEMENT_ROOM_ID_HERE"
 matrix_bot_draupnir_config_managementRoom: "MANAGEMENT_ROOM_ID_HERE"
 ```

 ### Create and invite the bot to the management room
@@ -142,7 +142,7 @@ Draupnir can receive reports in the management room.
 The bot can intercept the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver. If you are using Traefik, this playbook can set this up for you:

 ```yaml
 matrix_bot_draupnir_abuse_reporting_enabled: true
 matrix_bot_draupnir_config_web_abuseReporting: true
 ```

 <!--
--- a/docs/configuring-playbook-ntfy.md
+++ b/docs/configuring-playbook-ntfy.md
@@ -115,7 +115,7 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju

 ## Usage

 To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distrubutor and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notitications are "distributed" from it.
 To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distrubutor, **log in to the account on the ntfy app** if you have enabled the access control, and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notitications are "distributed" from it.

 For details about installing and configuring the ntfy Android app, take a look at [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ntfy/blob/main/docs/configuring-ntfy.md#install-the-ntfy-androidios-app) on the role's documentation.

--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -11,57 +11,60 @@ SPDX-License-Identifier: AGPL-3.0-or-later

 # Adjusting SSL certificate retrieval (optional, advanced)

 By default, this playbook retrieves and auto-renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) for the domains it needs (e.g. `matrix.example.com` and others)
 By default, the playbook retrieves and automatically renews free SSL certificates from [Let's Encrypt](https://letsencrypt.org/) via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) for the domains of the services it installs (e.g. `matrix.example.com` and others). Refer this guide if you want to modify settings about how it manages SSL certificates or have the Traefik server use yours.

 This guide is about using the integrated Traefik server and doesn't apply if you're using [your own webserver](configuring-playbook-own-webserver.md).
 **Notes**:
 - This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
 - Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiriation notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).

 ## Using staging Let's Encrypt certificates instead of real ones
  The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).

 For testing purposes, you may wish to use staging certificates provide by Let's Encrypt.
 ## Use staging Let's Encrypt certificates

 Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 For testing purposes, you may wish to use staging certificates provided by Let's Encrypt to avoid hitting [its rate limits](https://letsencrypt.org/docs/rate-limits/).

 To use ones, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:

 ```yaml
 traefik_config_certificatesResolvers_acme_use_staging: true
 ```

 ## Disabling SSL termination
 ## Disable SSL termination

 For testing or other purposes, you may wish to install services without SSL termination and have services exposed to `http://` instead of `https://`.

 Add the following configuration to your `vars.yml` file:
 To do so, add the following configuration to your `vars.yml` file:

 ```yaml
 traefik_config_entrypoint_web_secure_enabled: false
 ```

 ## Using self-signed SSL certificates
 ## Use self-signed SSL certificates

 If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)):
 To use self-signed certificates, generate them and follow the documentation below about using your own certificates.

 - generate your self-signed certificate files
 - follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below
 ## Use your own SSL certificates

 ## Using your own SSL certificates
 To use your own certificates, prepare them and follow the steps below:

 To use your own SSL certificates with Traefik, you need to:
 - Disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
 - Put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
 - Register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
 - Put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually

 - disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
 - put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
 - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
 - put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
 For those steps, you can add the following configuration to your `vars.yml` file (adapt to your needs). If you will put the custom configuration files manually, make sure to remove the `aux_file_definitions` variable.

 ```yaml
 # Disable ACME / Let's Encrypt support.
 traefik_config_certificatesResolvers_acme_enabled: false

 # Disabling ACME support (above) automatically disables the creation of the SSL directory.
 # Force-enable it here, because we'll add our certificate files there.
 # Disabling ACME support (above) automatically disables the SSL directory to be created.
 # Force-enable it to be created with this configuration, because we'll add our certificate files there.
 traefik_ssl_dir_enabled: true

 # Tell Traefik to load our custom ssl key pair by extending provider configuration.
 # Tell Traefik to load our custom SSL key pair by extending provider configuration.
 # The key pair files are created below, in `aux_file_definitions`.
 # The `/ssl/…` path is an in-container path, not a path on the host (like `/matrix/traefik/ssl`). Do not change it!
 # Note that the `/ssl/…` path is an **in-container path**, not a path on the host (like `/matrix/traefik/ssl`). Do not change it!
 traefik_provider_configuration_extension_yaml:
  tls:
    certificates:
@@ -74,14 +77,14 @@ traefik_provider_configuration_extension_yaml:
          keyFile: /ssl/privkey.pem

 # Use the aux role to create our custom files on the server.
 # If you'd like to do this manually, you remove this `aux_file_definitions` variable.
 # If you'd like to do this manually, remove this `aux_file_definitions` variable.
 aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ traefik_ssl_dir_path }}/privkey.pem"
    src: /path/on/your/Ansible/computer/to/privkey.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
    # Mind the indentation level (indented with two white space characters).
    # content: |
    #   FILE CONTENT
    #   HERE
@@ -91,20 +94,22 @@ aux_file_definitions:
  - dest: "{{ traefik_ssl_dir_path }}/cert.pem"
    src: /path/on/your/Ansible/computer/to/cert.pem
    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
    # Note the indentation level.
    # Mind the indentation level (indented with two white space characters).
    # content: |
    #   FILE CONTENT
    #   HERE
 ```

 ## Using a DNS-01 ACME challenge type, instead of HTTP-01
 ## Use a DNS-01 ACME challenge type, instead of HTTP-01

 You can configure Traefik to use the [DNS-01 challenge type](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for Let's Encrypt. This is less commonly used than the default [HTTP-01 challenge type](https://letsencrypt.org/docs/challenge-types/#http-01-challenge), but it can be helpful to:
 You can configure Traefik to use the [DNS-01 challenge type](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) for Let's Encrypt. This is less commonly used than the default [HTTP-01 challenge type](https://letsencrypt.org/docs/challenge-types/#http-01-challenge), but can be helpful to:

 - hide your public IP from Let's Encrypt logs
 - allow you to obtain SSL certificates for servers which are not accessible (via HTTP) from the public internet (and for which the HTTP-01 challenge would fail)

 This is an example for how to edit the `vars.yml` file if you're using Cloudflare:
 ### Example: Cloudflare

 Here is an example for configurations on the `vars.yml` file for Cloudflare. Please adjust it as necessary before applying it.

 ```yaml
 traefik_config_certificatesResolvers_acme_dnsChallenge_enabled: true
--- a/docs/playbook-tags.md
+++ b/docs/playbook-tags.md
@@ -27,7 +27,7 @@ Here are some playbook tags that you should be familiar with:

 - `stop` — stops all systemd services

 - `ensure-matrix-users-created` — a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created
 - `ensure-matrix-users-created` or its alias `ensure-users-created` — a special tag which ensures that all special users needed by the playbook (for bots, etc.) are created

 **Notes**:
 - `setup-*` tags and `install-*` tags **do not start services** automatically, because you may wish to do things before starting services, such as importing a database dump, restoring data from another server, etc.
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3194,10 +3194,10 @@ matrix_bot_draupnir_container_additional_networks_auto: |-
    ) | unique
  }}

 matrix_bot_draupnir_homeserver_url: "{{ 'http://matrix-pantalaimon:8009' if matrix_bot_draupnir_pantalaimon_use else matrix_addons_homeserver_client_api_url }}"
 matrix_bot_draupnir_raw_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_bot_draupnir_config_homeserverUrl: "{{ 'http://matrix-pantalaimon:8009' if matrix_bot_draupnir_pantalaimon_use else matrix_addons_homeserver_client_api_url }}"  # noqa var-naming
 matrix_bot_draupnir_config_rawHomeserverUrl: "{{ matrix_addons_homeserver_client_api_url }}"  # noqa var-naming

 matrix_bot_draupnir_container_labels_traefik_enabled: "{{ matrix_bot_draupnir_web_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_bot_draupnir_container_labels_traefik_enabled: "{{ matrix_bot_draupnir_config_web_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_bot_draupnir_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_bot_draupnir_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
--- a/group_vars/matrix_servers.license
+++ b/group_vars/matrix_servers.license
@@ -52,7 +52,7 @@ SPDX-FileCopyrightText: 2023 - 2024 Michael Hollister
 SPDX-FileCopyrightText: 2023 - 2024 Pierre 'McFly' Marty
 SPDX-FileCopyrightText: 2023 Antonis Christofides
 SPDX-FileCopyrightText: 2023 Benjamin Kampmann
 SPDX-FileCopyrightText: 2023 Catalan Lover
 SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2023 Cody Wyatt Neiman
 SPDX-FileCopyrightText: 2023 Johan Swetzén
 SPDX-FileCopyrightText: 2023 Kabir Kwatra
--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2024 - 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
@@ -51,12 +52,12 @@ matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
 # This room is diffrent for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
 matrix_appservice_draupnir_for_all_master_control_room_alias: ""
 matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming

 # Placeholder Remenant of the fact that Cat belived Master Control Room to be separated from Access Control Policy List.
 # The alias of the Policy list used to control who can provision a bot for them selfs.
 # This should be a room alias - not a matrix.to URL.
 # matrix_appservice_draupnir_for_all_management_policy_list_alias: ""
 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
 matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled: false  # noqa var-naming

 matrix_appservice_draupnir_for_all_database_username: matrix_appservice_draupnir_for_all
 matrix_appservice_draupnir_for_all_database_password: 'some-passsword'
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_uninstall.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 #
@@ -10,7 +11,7 @@
  ansible.builtin.fail:
    msg: "The `{{ item }}` variable must be defined and have a non-null value."
  with_items:
    - "matrix_appservice_draupnir_for_all_master_control_room_alias"
    - "matrix_appservice_draupnir_for_all_config_adminRoom"
    - "matrix_bot_draupnir_container_network"
  when: "vars[item] == '' or vars[item] is none"

@@ -22,3 +23,5 @@
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_appservice_draupnir_for_all_docker_image_name_prefix', 'new': 'matrix_appservice_draupnir_for_all_docker_image_registry_prefix'}
    - {'old': 'matrix_appservice_draupnir_for_all_enable_room_state_backing_store', 'new': 'matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled'}
    - {'old': 'matrix_appservice_draupnir_for_all_master_control_room_alias', 'new': 'matrix_appservice_draupnir_for_all_config_adminRoom'}
--- a/roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2
+++ b/roles/custom/matrix-appservice-draupnir-for-all/templates/production-appservice.yaml.j2
@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 Suguru Hirahara

 SPDX-License-Identifier: AGPL-3.0-or-later
@@ -18,8 +19,14 @@ db:

 # A room you have created that scopes who can access the appservice.
 # See docs/access_control.md
 adminRoom: "{{ matrix_appservice_draupnir_for_all_master_control_room_alias }}"
 adminRoom: {{ matrix_appservice_draupnir_for_all_config_adminRoom | to_json }}

 # This is a web api that the widget connects to in order to interact with the appservice.
 webAPI:
  port: 9000

 # The directory the bot should store various bits of information in
 dataPath: "/data"

 roomStateBackingStore:
  enabled: {{ matrix_appservice_draupnir_for_all_config_roomStateBackingStore_enabled | to_json }}
--- a/roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2
+++ b/roles/custom/matrix-appservice-draupnir-for-all/templates/production-bots.yaml.j2
@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -73,3 +74,20 @@ commands:
      - "brigading"
      - "harassment"
      - "disagreement"

 # Safe mode provides recovery options for some failure modes when Draupnir
 # fails to start. For example, if the bot fails to resolve a room alias in
 # a watched list, or if the server has parted from a protected room and can't
 # find a way back in. Safe mode will provide different options to recover from
 # these. Such as unprotecting the room or unwatching the policy list.
 # By default Draupnir will boot into safe mode only when the failure mode
 # is recoverable.
 # It may be desirable to prevent the bot from starting into safe mode if you have
 # a pager system when Draupnir is down, as Draupnir could prevent your monitoring
 # system from identifying a failure to start.
 #safeMode:
 #  # The option for entering safe mode when Draupnir fails to start up.
 #  # - "RecoveryOnly" will only start the bot in safe mode when there are recovery options available. This is the default.
 #  # - "Never" will never start the bot in safe mode when Draupnir fails to start normally.
 #  # - "Always" will always start the bot in safe mode when Draupnir fails to start normally.
 #  bootOption: RecoveryOnly
--- a/roles/custom/matrix-appservice-draupnir-for-all/templates/systemd/matrix-appservice-draupnir-for-all.service.j2.license
+++ b/roles/custom/matrix-appservice-draupnir-for-all/templates/systemd/matrix-appservice-draupnir-for-all.service.j2.license
@@ -1,4 +1,5 @@
 SPDX-FileCopyrightText: 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2024 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 Slavi Pantaleev

 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
@@ -27,9 +28,9 @@ matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"

 matrix_bot_draupnir_abuse_reporting_enabled: false
 matrix_bot_draupnir_web_enabled: "{{ matrix_bot_draupnir_abuse_reporting_enabled }}"
 matrix_bot_draupnir_display_reports: "{{ matrix_bot_draupnir_abuse_reporting_enabled }}"
 matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming
 matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting }}"  # noqa var-naming
 matrix_bot_draupnir_config_displayReports: "{{ matrix_bot_draupnir_config_web_abuseReporting }}"  # noqa var-naming

 matrix_bot_draupnir_container_network: ""

@@ -56,7 +57,7 @@ matrix_bot_draupnir_systemd_wanted_services_list: []

 # Whether Draupnir should talk to the homeserver through Pantalaimon
 # If true, then other variables must be provided including pointing
 # `matrix_bot_draupnir_homeserver_url` to the Pantalaimon URL.
 # `matrix_bot_draupnir_config_homeserverUrl` to the Pantalaimon URL.
 #
 # The upstream project discourages enabling this option, because it is
 # known that running Draupnir along with Pantalaimon breaks all workflows that involve
@@ -70,39 +71,41 @@ matrix_bot_draupnir_pantalaimon_breakage_ignore: false
 # Tells the bot if it should use its native E2EE support in the form of experimental Rust Crypto in the bot SDK.
 # This option is mutually exclusive with `matrix_bot_draupnir_pantalaimon_use`.
 # Rust Crypto requires a clean access token that has not touched E2EE so curl is recommended as a method to obtain it.
 matrix_bot_draupnir_enable_experimental_rust_crypto: false
 matrix_bot_draupnir_config_experimentalRustCrypto: false  # noqa var-naming

 # The access token for the bot user. Required if Pantalaimon is NOT used.
 # (Otherwise provide `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password` instead.)
 matrix_bot_draupnir_access_token: ""
 matrix_bot_draupnir_config_accessToken: ""  # noqa var-naming

 # Username and password for the bot. Required if Pantalaimon is used.
 # (Otherwise provide `matrix_bot_draupnir_access_token` instead.)
 # (Otherwise provide `matrix_bot_draupnir_config_accessToken` instead.)
 matrix_bot_draupnir_pantalaimon_username: ""
 matrix_bot_draupnir_pantalaimon_password: ""

 # Username and password the bot uses for logging in directly. If Pantalaimon is used,
 # these values become the values of `matrix_bot_draupnir_pantalaimon_username` and `matrix_bot_draupnir_pantalaimon_password`
 # These config options do not follow the common naming schema as to not cause user confusion over them being called Pantalaimon when using native login.
 matrix_bot_draupnir_login: "{{ matrix_bot_draupnir_pantalaimon_username if matrix_bot_draupnir_pantalaimon_use == 'true' else 'bot.draupnir' }}"
 matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"

 # Controls if we activate the config block for Pantalaimon for now. Its name will
 # probably be changed for our usecase due to Draupnir's push to scrub Pantalaimon from the codebase.
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
 matrix_bot_draupnir_login_native: ""

 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias or room ID - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
 matrix_bot_draupnir_management_room: ""
 matrix_bot_draupnir_config_managementRoom: ""  # noqa var-naming

 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API).
 # Set this to the Pantalaimon URL if you're using that.
 matrix_bot_draupnir_homeserver_url: ""
 matrix_bot_draupnir_config_homeserverUrl: ""  # noqa var-naming

 # Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/).
 # Only set this to the public-internet homeserver client API URL. Do NOT set this to the Pantalaimon URL.
 matrix_bot_draupnir_raw_homeserver_url: ""
 matrix_bot_draupnir_config_rawHomeserverUrl: ""  # noqa var-naming

 # Disable Server ACL is used if you do not want to give the bot the right to apply Server ACLs in rooms without complaints from the bot.
 # This setting is described the following way in the configuration.
@@ -112,12 +115,12 @@ matrix_bot_draupnir_raw_homeserver_url: ""
 # It is recommended to consult with people from the upstream project beforehand.
 #
 # It is exposed here because it is common enough to be valid to expose.
 matrix_bot_draupnir_disable_server_acl: "false"
 matrix_bot_draupnir_config_disableServerACL: false  # noqa var-naming

 # Controls if the room state backing store is activated.
 # Room state backing store makes restarts of the bot lightning fast as the bot does not suffer from amnesia.
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
 matrix_bot_draupnir_enable_room_state_backing_store: "true"
 matrix_bot_draupnir_config_roomStateBackingStore_enabled: true  # noqa var-naming

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bot-draupnir/tasks/main.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 MDAD project contributors
 # SPDX-FileCopyrightText: 2023 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2023 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/setup_install.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2023 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 David Mehren
 # SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
--- a/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/setup_uninstall.yml
@@ -1,4 +1,5 @@
 # SPDX-FileCopyrightText: 2023 MDAD project contributors
 # SPDX-FileCopyrightText: 2023 Catalan Lover <catalanlover@protonmail.com>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

--- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
@@ -1,20 +1,40 @@
 # SPDX-FileCopyrightText: 2023 - 2025 MDAD project contributors
 # SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - name: (Deprecation) Catch and report renamed Draupnir settings
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_bot_draupnir_container_image_name_prefix', 'new': 'matrix_bot_draupnir_container_image_registry_prefix'}
    - {'old': 'matrix_bot_draupnir_enable_room_state_backing_store', 'new': 'matrix_bot_draupnir_config_roomStateBackingStore_enabled'}
    - {'old': 'matrix_bot_draupnir_disable_server_acl', 'new': 'matrix_bot_draupnir_config_disableServerACL'}
    - {'old': 'matrix_bot_draupnir_enable_experimental_rust_crypto', 'new': 'matrix_bot_draupnir_config_experimentalRustCrypto'}
    - {'old': 'matrix_bot_draupnir_access_token', 'new': 'matrix_bot_draupnir_config_accessToken'}
    - {'old': 'matrix_bot_draupnir_management_room', 'new': 'matrix_bot_draupnir_config_managementRoom'}
    - {'old': 'matrix_bot_draupnir_homeserver_url', 'new': 'matrix_bot_draupnir_config_homeserverUrl'}
    - {'old': 'matrix_bot_draupnir_raw_homeserver_url', 'new': 'matrix_bot_draupnir_config_rawHomeserverUrl'}
    - {'old': 'matrix_bot_draupnir_web_enabled', 'new': 'matrix_bot_draupnir_config_web_enabled'}
    - {'old': 'matrix_bot_draupnir_abuse_reporting_enabled', 'new': 'matrix_bot_draupnir_config_web_abuseReporting'}
    - {'old': 'matrix_bot_draupnir_display_reports', 'new': 'matrix_bot_draupnir_config_displayReports'}

 - name: Fail if required matrix-bot-draupnir variables are undefined
  ansible.builtin.fail:
    msg: "The `{{ item.name }}` variable must be defined and have a non-null value."
  with_items:
    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ not matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
    - {'name': 'matrix_bot_draupnir_management_room', when: true}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ not matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_config_experimentalRustCrypto }}"}
    - {'name': 'matrix_bot_draupnir_config_managementRoom', when: true}
    - {'name': 'matrix_bot_draupnir_container_network', when: true}
    - {'name': 'matrix_bot_draupnir_homeserver_url', when: true}
    - {'name': 'matrix_bot_draupnir_raw_homeserver_url', when: true}
    - {'name': 'matrix_bot_draupnir_config_homeserverUrl', when: true}
    - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
    - {'name': 'matrix_bot_draupnir_pantalaimon_username', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
@@ -23,9 +43,9 @@
  ansible.builtin.fail:
    msg: "The `{{ item.name }}` variable must be undefined or have a null value."
  with_items:
    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_access_token', when: "{{ matrix_bot_draupnir_login_native }}"}
    - {'name': 'matrix_bot_draupnir_pantalaimon_use', when: "{{  matrix_bot_draupnir_enable_experimental_rust_crypto }}"}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
    - {'name': 'matrix_bot_draupnir_pantalaimon_use', when: "{{  matrix_bot_draupnir_config_experimentalRustCrypto }}"}
  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"

 - when: "matrix_bot_draupnir_pantalaimon_use == 'true' and matrix_bot_draupnir_pantalaimon_breakage_ignore == 'false'"
@@ -37,15 +57,6 @@
            devture_playbook_runtime_messages_list | default([])
            +
            [
              "Note: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions. To enable E2EE for Draupnir, it is recommended to use matrix_bot_draupnir_enable_experimental_rust_crypto instead. This warning can be disabled by setting matrix_bot_draupnir_pantalaimon_breakage_ignore to true."
              "Note: Draupnir does not support running with Pantalaimon as it would break all workflows that involve answering prompts with reactions. To enable E2EE for Draupnir, it is recommended to use matrix_bot_draupnir_config_experimentalRustCrypto instead. This warning can be disabled by setting matrix_bot_draupnir_pantalaimon_breakage_ignore to true."
            ]
          }}

 - name: (Deprecation) Catch and report renamed Draupnir settings
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_bot_draupnir_container_image_name_prefix', 'new': 'matrix_bot_draupnir_container_image_registry_prefix'}
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
 SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2024 Suguru Hirahara

@@ -7,16 +8,16 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 #}

 # Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API),
 homeserverUrl: {{ matrix_bot_draupnir_homeserver_url | to_json }}
 homeserverUrl: {{ matrix_bot_draupnir_config_homeserverUrl | to_json }}

 # Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
 # only set this to the public-internet homeserver client API URL, do NOT set this to the pantalaimon URL.
 rawHomeserverUrl: {{ matrix_bot_draupnir_raw_homeserver_url | to_json }}
 rawHomeserverUrl: {{ matrix_bot_draupnir_config_rawHomeserverUrl | to_json }}

 # Matrix Access Token to use, Draupnir will only use this if pantalaimon.use is false.
 # This option can be loaded from a file by passing "--access-token-path <path>" at the command line,
 # which would allow using secret management systems such as systemd's service credentials.
 accessToken: {{ matrix_bot_draupnir_access_token | to_json }}
 accessToken: {{ matrix_bot_draupnir_config_accessToken | to_json }}

 {% if matrix_bot_draupnir_pantalaimon_use or matrix_bot_draupnir_login_native %}
 # Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
@@ -42,7 +43,7 @@ pantalaimon:
 # Make sure Pantalaimon is disabled in Draupnir's configuration.
 #
 # Warning: At this time this is not considered production safe.
 experimentalRustCrypto: {{ matrix_bot_draupnir_enable_experimental_rust_crypto | to_json }}
 experimentalRustCrypto: {{ matrix_bot_draupnir_config_experimentalRustCrypto | to_json }}

 # The path Draupnir will store its state/data in, leave default ("/data/storage") when using containers.
 dataPath: "/data"
@@ -65,7 +66,7 @@ recordIgnoredInvites: false
 #
 # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
 # (see verboseLogging to adjust this a bit.)
 managementRoom: {{ matrix_bot_draupnir_management_room | to_json }}
 managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}

 # Deprecated and will be removed in a future version.
 # Running with verboseLogging is unsupported.
@@ -93,7 +94,7 @@ noop: false

 # Whether or not Draupnir should apply `m.room.server_acl` events.
 # DO NOT change this to `true` unless you are very confident that you know what you are doing.
 disableServerACL: {{ matrix_bot_draupnir_disable_server_acl | to_json }}
 disableServerACL: {{ matrix_bot_draupnir_config_disableServerACL | to_json }}

 # A case-insensitive list of ban reasons to have the bot also automatically redact the user's messages for.
 #
@@ -199,7 +200,7 @@ commands:
 # homeserver and know that Draupnir is starting up quickly. If your homeserver can
 # respond quickly to Draupnir's requests for `/state` then you might not need this option.
 roomStateBackingStore:
  enabled: {{ matrix_bot_draupnir_enable_room_state_backing_store | to_json }}
  enabled: {{ matrix_bot_draupnir_config_roomStateBackingStore_enabled | to_json }}

 # Safe mode provides recovery options for some failure modes when Draupnir
 # fails to start. For example, if the bot fails to resolve a room alias in
@@ -261,7 +262,7 @@ health:
    # and 1.0 means "trace performance at every opportunity".
    # tracesSampleRate: 0.5

 {% if matrix_bot_draupnir_web_enabled %}
 {% if matrix_bot_draupnir_config_web_enabled %}
 # Options for exposing web APIs.
 web:
  # Whether to enable web APIs.
@@ -287,7 +288,7 @@ web:
  # to configure a reverse proxy, see e.g. test/nginx.conf
  abuseReporting:
    # Whether to enable this feature.
    enabled: {{ matrix_bot_draupnir_abuse_reporting_enabled | to_json }}
    enabled: {{ matrix_bot_draupnir_config_web_abuseReporting | to_json }}
 {% endif %}

 # FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
@@ -300,4 +301,4 @@ web:

 # Whether or not new reports, received either by webapi or polling,
 # should be printed to our managementRoom.
 displayReports: {{ matrix_bot_draupnir_display_reports | to_json }}
 displayReports: {{ matrix_bot_draupnir_config_displayReports | to_json }}
--- a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2.license
+++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2.license
@@ -1,4 +1,5 @@
 SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2023 - 2024 Catalan Lover <catalanlover@protonmail.com>
 SPDX-FileCopyrightText: 2024 MDAD project contributors

 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1275,6 +1275,13 @@ matrix_synapse_experimental_features_msc4140_enabled: false
 # See `matrix_synapse_experimental_features_msc4140_enabled`.
 matrix_synapse_max_event_delay_duration: 24h

 # Controls whether to enable the MSC4133 experimental feature (Custom profile fields).
 #
 # This allows clients to set custom profile fields (e.g. User Time Zone in Element Web)
 #
 # See https://github.com/matrix-org/matrix-spec-proposals/pull/4133
 matrix_synapse_experimental_features_msc4133_enabled: false

 # Controls whether to enable the MSC4222 experimental feature (adding `state_after` to sync v2).
 #
 # Allow clients to opt-in to a change of the sync v2 API that allows them to correctly track the state of the room.
@@ -1331,7 +1338,8 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeserve
 # See: https://github.com/matrix-org/mjolnir#synapse-module
 matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false
 matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir"
 matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.6.4"
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
 matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.9.2"
 matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
 # Flag messages sent by servers/users in the ban lists as spam. Currently
 # this means that spammy messages will appear as empty to users. Default
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -47,6 +47,14 @@

    - {'name': 'matrix_synapse_container_labels_traefik_compression_middleware_name', when: "{{ matrix_synapse_container_labels_traefik_compression_middleware_enabled }}"}

 # If only MSC 4108 is enabled, Synapse fails with: "MSC4108 requires MSC3861 to be enabled"
 - name: Fail if Synapse experimental feature QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
  ansible.builtin.fail:
    msg: >-
      QR code login (MSC4108) requires Next-Gen Auth (MSC3861) to be enabled or Synapse will fail to start.
      Enable `matrix_synapse_experimental_features_msc3861_enabled` when using `matrix_synapse_experimental_features_msc4108_enabled`.
  when: "matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled"

 - name: Fail if asking for more than 1 instance of single-instance workers
  ansible.builtin.fail:
    msg: >-
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2987,6 +2987,9 @@ experimental_features:
  {% if matrix_synapse_experimental_features_msc4108_enabled %}
  msc4108_enabled: true
  {% endif %}
  {% if matrix_synapse_experimental_features_msc4133_enabled %}
  msc4133_enabled: true
  {% endif %}
  {% if matrix_synapse_experimental_features_msc4140_enabled %}
  msc4140_enabled: true
  {% endif %}