0.2.1 revision

před 5 roky · 33ec5710d9
--- a/docs/configuring-awx-system.md
+++ b/docs/configuring-awx-system.md
@@ -0,0 +1,43 @@
 # Configuring AWX System (optional)
 An AWX setup for managing multiple Matrix servers.
 This section is used in an AWX system that can create and manage multiple [Matrix](http://matrix.org/) servers. You can issue members an AWX login to their own 'organisation', which they can use to manage/configure 1 to N servers.
 Members can be assigned a server from Digitalocean, or they can connect their own on-premises server. This script is free to use in a commercial context with the 'MemberPress Plus' and 'WP Oauth Sever' addons. It can also be run in a non-commercial context.
 The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
 Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
 Warning: This project is currently alpha quality and should only be run by the brave.
 ## Other Required Playbooks
 The following repositories allow you to copy and use this setup:
 [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) - Creates and configures the AWX system for you.
 [Ansible Create Delete Subscription Membership](https://gitlab.com/GoMatrixHosting/ansible-create-delete-subscription-membership) - Used by the AWX system to create memberships and subscriptions.
 [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
 ## Testing Fork For This Playbook
 Updates to this section are trailed here:
 [GoMatrixHosting Matrix Docker Ansible Deploy](https://gitlab.com/GoMatrixHosting/gomatrixhosting-matrix-docker-ansible-deploy)
 ## Does I need an AWX setup to use this? How do I configure it? 
 Yes, you'll need to configure an AWX instance, the [Create AWX System](https://gitlab.com/GoMatrixHosting/create-awx-system) repository makes it easy to do. Just follow the steps listed in '/docs/Installation.md' of that repository.
 ## Does I need a front-end WordPress site? And a DigitalOcean account? 
 You do not need a front-end WordPress site or any of the mentioned WordPress plugins to use this setup. It can be run on it's own in a non-commercial context.
 You also don't need a DigitalOcean account, but this will limit you to only being able to connect 'On-Premises' servers.
--- a/docs/configuring-playbook-bridge-mautrix-telegram.md
+++ b/docs/configuring-playbook-bridge-mautrix-telegram.md
@@ -4,7 +4,7 @@ The playbook can install and configure [mautrix-telegram](https://github.com/tul
 See the project's [documentation](https://github.com/tulir/mautrix-telegram/wiki#usage) to learn what it does and why it might be useful to you.
 You'll need to obtain API keys from `https://my.telegram.org/apps` and then use the following playbook configuration:
 You'll need to obtain API keys from [https://my.telegram.org/apps](https://my.telegram.org/apps) and then use the following playbook configuration:
 ```yaml
 matrix_mautrix_telegram_enabled: true
--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@@ -4,6 +4,8 @@ It can be useful to have some (visual) insight into the performance of your home
 You can enable this with the following settings in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
 Remember to add `stats.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
 ```yaml
 matrix_prometheus_enabled: true
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -289,7 +289,7 @@ matrix_mailer_enabled: false
 # You can also disable this to save more RAM,
 # at the expense of audio/video calls being unreliable.
 matrix_coturn_enabled: true
 matrix_coturn_enabled: false
 # This makes Synapse not keep track of who is online/offline.
 #
--- a/docs/maintenance-postgres.md
+++ b/docs/maintenance-postgres.md
@@ -51,20 +51,15 @@ ansible-playbook -i inventory/hosts setup.yml --tags=run-postgres-vacuum,start
 To make a back up of the current PostgreSQL database, make sure it's running and then execute a command like this on the server:
 ```bash
 docker run \
 --rm \
 --log-driver=none \
 --network=matrix \
 /usr/bin/docker exec \
 --env-file=/matrix/postgres/env-postgres-psql \
 docker.io/postgres:13.1-alpine \
 pg_dumpall -h matrix-postgres \
 matrix-postgres \
 /usr/local/bin/pg_dumpall -h matrix-postgres \
 | gzip -c \
 > /postgres.sql.gz
 > /matrix/postgres.sql.gz
 ```
 If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because the credentials file (`/matrix/postgres/env-postgres-psql`) is not available.
 If your server is on the ARM32 [architecture](alternative-architectures.md), you may need to remove the `-alpine` suffix from the image name in the command above.
 If you are using an [external Postgres server](configuring-playbook-external-postgres.md), the above command will not work, because neither the credentials file (`/matrix/postgres/env-postgres-psql`), nor the `matrix-postgres` container is available.
 Restoring a backup made this way can be done by [importing it](importing-postgres.md).
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -29,6 +29,22 @@ matrix_homeserver_container_url: "{{ 'http://matrix-nginx-proxy:12080' if matrix
 ######################################################################
 ######################################################################
 #
 # matrix-awx
 #
 ######################################################################
 matrix_nginx_proxy_data_path: "{{ '/chroot/website' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else (matrix_nginx_proxy_base_path + '/data') }}"
 matrix_nginx_proxy_data_path_in_container: "{{ '/nginx-data/matrix-domain' if (matrix_awx_enabled and not matrix_nginx_proxy_base_domain_homepage_enabled) else '/nginx-data' }}"
 ######################################################################
 #
 # /matrix-awx
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bridge-appservice-discord
@@ -1074,6 +1090,9 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:1
 matrix_nginx_proxy_proxy_synapse_enabled: "{{ matrix_synapse_enabled }}"
 matrix_nginx_proxy_proxy_synapse_federation_api_enabled: "{{ matrix_nginx_proxy_proxy_matrix_federation_api_enabled }}"
 # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
 matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"
 matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}"
 # This used to be hooked to `matrix_synapse_metrics_enabled`, but we don't do it anymore.
@@ -1224,7 +1243,7 @@ matrix_postgres_additional_databases: |
      'username': matrix_mautrix_instagram_database_username,
      'password': matrix_mautrix_instagram_database_password,
    }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == 'matrix-postgres') else [])
    +    
    +
    ([{
      'name': matrix_mautrix_signal_database_name,
      'username': matrix_mautrix_signal_database_username,
--- a/roles/matrix-awx/surveys/configure_website_access_backup.json.j2
+++ b/roles/matrix-awx/surveys/configure_website_access_backup.json.j2
@@ -1,30 +0,0 @@
 {
  "name": "Configure Website Access Backup",
  "description": "Configure base domain website settings and access the services backup.",
  "spec": [
    {
      "question_name": "Customise Base Domain Website",
      "question_description": "Set if you want to adjust the base domain website using SFTP.",
      "required": true,
      "min": null,
      "max": null,
      "default": "{{ customise_base_domain_website|string|lower }}",
      "choices": "true\nfalse",
      "new_question": true,
      "variable": "customise_base_domain_website",
      "type": "multiplechoice"
    },
    {
      "question_name": "SFTP Password",
      "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as download the latest copy of your services backup. If empty the password won't be updated. WARNING: You must set a strong and unique password here.",
      "required": false,
      "min": 0,
      "max": 64,
      "default": "{{ sftp_password }}",
      "choices": "",
      "new_question": true,
      "variable": "sftp_password",
      "type": "password"
    }
  ]
 }
--- a/roles/matrix-awx/surveys/configure_website_access_export.json.j2
+++ b/roles/matrix-awx/surveys/configure_website_access_export.json.j2
@@ -0,0 +1,54 @@
 {
  "name": "Configure Website Access Backup",
  "description": "Configure base domain website settings and access the services backup.",
  "spec": [
    {
      "question_name": "Customise Base Domain Website",
      "question_description": "Set if you want to adjust the base domain website using SFTP.",
      "required": true,
      "min": null,
      "max": null,
      "default": "{{ customise_base_domain_website | string | lower }}",
      "choices": "true\nfalse",
      "new_question": true,
      "variable": "customise_base_domain_website",
      "type": "multiplechoice"
    },
    {
      "question_name": "SFTP Authorisation Method",
      "question_description": "Set whether you want to disable SFTP, use a password to connect to SFTP or connect with a more secure SSH key.",
      "required": true,
      "min": null,
      "max": null,
      "default": "{{ sftp_auth_method | string }}",
      "choices": "Disabled\nPassword\nSSH Key",
      "new_question": true,
      "variable": "sftp_auth_method",
      "type": "multiplechoice"
    },
    {
      "question_name": "SFTP Password",
      "question_description": "Sets the password of the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'Password' method is selected. WARNING: You must set a strong and unique password here.",
      "required": false,
      "min": 0,
      "max": 64,
      "default": "{{ sftp_password }}",
      "choices": "",
      "new_question": true,
      "variable": "sftp_password",
      "type": "password"
    },
    {
      "question_name": "SFTP Public SSH Key (More Secure)",
      "question_description": "Sets the public SSH key used to access the 'sftp' account, which allows you to upload a multi-file static website by SFTP, as well as export the latest copy of your Matrix service. Must be defined if 'SSH Key' method is selected.",
      "required": false,
      "min": 0,
      "max": 16384,
      "default": "{{ sftp_public_key }}",
      "choices": "",
      "new_question": true,
      "variable": "sftp_public_key",
      "type": "text"
    }
  ]
 }
--- a/roles/matrix-awx/tasks/create_user.yml
+++ b/roles/matrix-awx/tasks/create_user.yml
@@ -20,7 +20,7 @@
 - name: Create user account
  command: |
    /usr/local/bin/matrix-synapse-register-user {{ new_username }} '{{ new_password }}' {{ admin_bool }}
    /usr/local/bin/matrix-synapse-register-user {{ new_username | quote }} {{ new_password | quote }} {{ admin_bool }}
  register: cmd
 - name: Result
--- a/roles/matrix-awx/tasks/customise_website_access_export.yml
+++ b/roles/matrix-awx/tasks/customise_website_access_export.yml
@@ -21,17 +21,20 @@
  with_dict:
    'matrix_nginx_proxy_base_domain_homepage_enabled': 'false'
  when: customise_base_domain_website|bool == true
 - name: Record 'Customise Website + Access Backup' variables locally on AWX
 - name: Record custom 'Customise Website + Access Export' variables locally on AWX
  delegate_to: 127.0.0.1
  lineinfile:
    path: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
    regexp: "^#? *{{ item.key | regex_escape() }}:"
    line: "{{ item.key }}: {{ item.value }}"
    insertafter: '# AWX Settings'
    insertafter: '# Custom Settings'
  with_dict:
    'customise_base_domain_website': '{{ customise_base_domain_website }}'
    'sftp_auth_method': '"{{ sftp_auth_method }}"'
    'sftp_password': '"{{ sftp_password }}"'
    'sftp_public_key': '"{{ sftp_public_key }}"'
 - name: Copy new 'matrix_vars.yml' to target machine
  copy:
    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
@@ -41,17 +44,18 @@
 - name: Reload vars in matrix_vars.yml
  include_vars:
    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
  no_log: True
 - name: Save new 'Customise Website + Access Backup' survey.json to the AWX tower, template
 - name: Save new 'Customise Website + Access Export' survey.json to the AWX tower, template
  delegate_to: 127.0.0.1
  template:
    src: './roles/matrix-awx/surveys/configure_website_access_backup.json.j2'
    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json'
    src: './roles/matrix-awx/surveys/configure_website_access_export.json.j2'
    dest: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
 - name: Copy new 'Customise Website + Access Backup' survey.json to target machine
 - name: Copy new 'Customise Website + Access Export' survey.json to target machine
  copy:
    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json'
    dest:  '/matrix/awx/configure_website_access_backup.json'
    src: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json'
    dest:  '/matrix/awx/configure_website_access_export.json'
    mode: '0660'
 - name: Collect AWX admin token the hard way!
@@ -61,11 +65,11 @@
  register: tower_token
  no_log: True
 - name: Recreate 'Customise Base Domain Website' job template
 - name: Recreate 'Customise Base Domain Export' job template
  delegate_to: 127.0.0.1
  awx.awx.tower_job_template:
    name: "{{ matrix_domain }} - 1 - Configure Website + Access Backup"
    description: "Configure base domain website settings and access the services backup."
    name: "{{ matrix_domain }} - 1 - Configure Website + Access Export"
    description: "Configure base domain website settings and access the servers export."
    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
    job_type: run
    job_tags: "start,setup-nginx-proxy"
@@ -74,7 +78,7 @@
    playbook: setup.yml
    credential: "{{ member_id }} - AWX SSH Key"
    survey_enabled: true
    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_backup.json') }}"
    survey_spec: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/configure_website_access_export.json') }}"
    become_enabled: yes
    state: present
    verbosity: 1
@@ -82,40 +86,32 @@
    tower_oauthtoken: "{{ tower_token.stdout }}"
    validate_certs: yes
 # Copied over from provision stage
 - name: Copy ssh_sftp.service file
  copy:
    src: './roles/matrix-awx/templates/sftp/ssh_sftp.service'
    dest: '/lib/systemd/system/ssh_sftp.service'
    mode: 0644
 - name: Copy sshd config file
  copy:
    src: './roles/matrix-awx/templates/sftp/sshd_sftp_config'
    dest: '/etc/ssh/sshd_sftp_config'
    mode: 0644
 - name: Ensure group "sftp" exists
  group:
    name: sftp
    state: present
 - name: If user defines sftp_password, enable account / set password on 'stfp' account.
 - name: If user doesn't define a sftp_password, create a disabled 'sftp' account
  user:
    name: sftp
    comment: SFTP user to set custom web files
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp/
    home: /home/sftp
    group: sftp
    password: "{{ sftp_password | password_hash('sha512') }}"
    password: '*'
    update_password: always
  when: (sftp_password is defined) and (sftp_password|length > 0)
  when: sftp_password|length == 0
 # would be safer if it generated the password for you!
 - name: Setup SFTP users default root path
  shell: sudo usermod -d / sftp
 - name: If user defines sftp_password, enable account and set password on 'stfp' account
  user:
    name: sftp
    comment: SFTP user to set custom web files and access servers export
    shell: /bin/false
    home: /home/sftp
    group: sftp
    password: "{{ sftp_password | password_hash('sha512') }}"
    update_password: always
  when: sftp_password|length > 0
 - name: adding existing user 'sftp' to group matrix
  user:
@@ -131,7 +127,7 @@
    group: root
    mode: '1755'
 - name: Create the rw /chroot/website directory if it doesn't exist.
 - name: Ensure /chroot/website location exists.
  file:
    path: /chroot/website
    state: directory
@@ -139,21 +135,96 @@
    group: matrix
    mode: '0574'
 - name: Ensure /chroot/backup/ location exists
 - name: Ensure /chroot/export location exists
  file:
    path: /chroot/backup
    path: /chroot/export
    state: directory
    owner: sftp
    group: sftp
    mode: '0700'
 - name: Enable service ssh_sftp.service
  service:
    name: ssh_sftp.service
    enabled: yes
 - name: Ensure /home/sftp/.ssh location exists
  file:
    path: /home/sftp/.ssh
    state: directory
    owner: sftp
    group: sftp
    mode: '0700'
 - name: Ensure /home/sftp/authorized_keys exists
  file:
    path: /home/sftp/.ssh/authorized_keys
    state: touch
    owner: sftp
    group: sftp
    mode: '0644'
 - name: Clear authorized_keys file
  shell: echo "" > /home/sftp/.ssh/authorized_keys
 - name: Start service ssh_sftp.service
 - name: Insert public SSH key into authorized_keys file
  lineinfile:
    path: /home/sftp/.ssh/authorized_keys
    line: "{{ sftp_public_key }}"
    owner: sftp
    group: sftp
    mode: '0644'
  when: (sftp_public_key | length > 0) and (sftp_auth_method == "SSH Key")
 - name: Alter SSH Subsystem State 1
  lineinfile:
    path: /etc/ssh/sshd_config
    line: "Subsystem sftp	/usr/lib/openssh/sftp-server"
    state: absent
 - name: Alter SSH Subsystem State 2
  lineinfile:
    path: /etc/ssh/sshd_config
    insertafter: "^# override default of no subsystems"
    line: "Subsystem sftp internal-sftp"
 - name: Add SSH Match User section for disabled auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: absent
    block: |
      Match User sftp
          ChrootDirectory /chroot
          PermitTunnel no
          X11Forwarding no
          AllowTcpForwarding no
          PasswordAuthentication yes
          AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
  when: sftp_auth_method == "Disabled"
 - name: Add SSH Match User section for password auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    block: |
      Match User sftp
          ChrootDirectory /chroot
          PermitTunnel no
          X11Forwarding no
          AllowTcpForwarding no
          PasswordAuthentication yes
  when: sftp_auth_method == "Password"
 - name: Add SSH Match User section for publickey auth
  blockinfile:
    path: /etc/ssh/sshd_config
    state: present
    block: |
      Match User sftp
          ChrootDirectory /chroot
          PermitTunnel no
          X11Forwarding no
          AllowTcpForwarding no
          AuthorizedKeysFile /home/sftp/.ssh/authorized_keys
  when: sftp_auth_method == "SSH Key"
 - name: Restart service ssh.service
  service:
    name: ssh_sftp.service
    state: started
    name: ssh.service
    state: restarted
--- a/roles/matrix-awx/tasks/load_matrix_variables.yml
+++ b/roles/matrix-awx/tasks/load_matrix_variables.yml
@@ -2,5 +2,5 @@
 - name: Include vars in matrix_vars.yml
  include_vars:
    file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
 #  no_log: True
  no_log: True
--- a/roles/matrix-awx/tasks/main.yml
+++ b/roles/matrix-awx/tasks/main.yml
@@ -23,8 +23,8 @@
  tags:
    - import-awx
 # Configure SFTP so user can upload a static website
 - import_tasks: "{{ role_path }}/tasks/customise_website_access_backup.yml"
 # Configure SFTP so user can upload a static website or access the servers export
 - import_tasks: "{{ role_path }}/tasks/customise_website_access_export.yml"
  when: run_setup|bool and matrix_awx_enabled|bool
  tags:
    - setup-nginx-proxy
--- a/roles/matrix-awx/templates/sftp/ssh_sftp.service
+++ b/roles/matrix-awx/templates/sftp/ssh_sftp.service
@@ -1,23 +0,0 @@
 [Unit]
 Description=OpenBSD Secure Shell server
 Documentation=man:sshd(8) man:sshd_config(5)
 After=network.target auditd.service
 ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
 [Service]
 EnvironmentFile=-/etc/default/ssh
 ExecStartPre=/usr/sbin/sshd -t
 ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_sftp_config $SSHD_OPTS
 ExecReload=/usr/sbin/sshd -t
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartPreventExitStatus=255
 Type=notify
 RuntimeDirectory=sshd
 RuntimeDirectoryMode=0755
 [Install]
 WantedBy=multi-user.target
 Alias=sshd_sftp.service
--- a/roles/matrix-awx/templates/sftp/sshd_sftp_config
+++ b/roles/matrix-awx/templates/sftp/sshd_sftp_config
@@ -1,33 +0,0 @@
 #	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 Port 2222
 PermitRootLogin no
 PasswordAuthentication yes
 ChallengeResponseAuthentication no
 UsePAM yes
 X11Forwarding yes
 PrintMotd no
 AcceptEnv LANG LC_*
 # override default of no subsystems
 Subsystem sftp internal-sftp
 Match User sftp
    ChrootDirectory /chroot
    PermitTunnel no
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
--- a/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml
+++ b/roles/matrix-bot-matrix-reminder-bot/defaults/main.yml
@@ -2,8 +2,8 @@
 # See: https://github.com/anoadragon453/matrix-reminder-bot
 matrix_bot_matrix_reminder_bot_enabled: true
 matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:release-v0.2.0"
 matrix_bot_matrix_reminder_bot_version: release-v0.2.0
 matrix_bot_matrix_reminder_bot_docker_image: "docker.io/anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
 matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
--- a/roles/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml
@@ -3,7 +3,8 @@
 matrix_appservice_discord_enabled: true
 matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0"
 matrix_appservice_discord_version: v1.0.0
 matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:{{ matrix_appservice_discord_version }}"
 matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"
 matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"
--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@@ -7,7 +7,8 @@ matrix_appservice_irc_container_self_build: false
 matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
 matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
 matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.23.0"
 matrix_appservice_irc_version: release-0.23.0
 matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_version }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@@ -7,7 +7,8 @@ matrix_appservice_slack_container_self_build: false
 matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git"
 matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src"
 matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0"
 matrix_appservice_slack_version: release-1.5.0
 matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_version }}"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
 matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
@@ -3,7 +3,8 @@
 matrix_appservice_webhooks_enabled: true
 matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:latest"
 matrix_appservice_webhooks_version: latest
 matrix_appservice_webhooks_docker_image: "docker.io/turt2live/matrix-appservice-webhooks:{{ matrix_appservice_webhooks_version }}"
 matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
 matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -6,8 +6,9 @@ matrix_mautrix_facebook_enabled: true
 matrix_mautrix_facebook_container_image_self_build: false
 matrix_mautrix_facebook_container_image_self_build_repo: "https://github.com/tulir/mautrix-facebook.git"
 matrix_mautrix_facebook_version: latest
 # See: https://mau.dev/tulir/mautrix-facebook/container_registry
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:latest"
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@@ -6,8 +6,9 @@ matrix_mautrix_hangouts_enabled: true
 matrix_mautrix_hangouts_container_image_self_build: false
 matrix_mautrix_hangouts_container_image_self_build_repo: "https://github.com/tulir/mautrix-hangouts.git"
 matrix_mautrix_hangouts_version: latest
 # See: https://mau.dev/tulir/mautrix-hangouts/container_registry
 matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:latest"
 matrix_mautrix_hangouts_docker_image: "{{ matrix_mautrix_hangouts_docker_image_name_prefix }}tulir/mautrix-hangouts:{{ matrix_mautrix_hangouts_version }}"
 matrix_mautrix_hangouts_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_hangouts_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
@@ -6,8 +6,9 @@ matrix_mautrix_instagram_enabled: true
 matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/tulir/mautrix-instagram.git"
 matrix_mautrix_instagram_version: latest
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:latest"
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}tulir/mautrix-instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}"
@@ -16,7 +17,7 @@ matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/
 matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data"
 matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src"
 matrix_mautrix_instagram_homeserver_address: 'http://matrix-synapse:8008'
 matrix_mautrix_instagram_homeserver_address: "{{ matrix_homeserver_container_url }}"
 matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330'
@@ -34,7 +35,7 @@ matrix_mautrix_instagram_homeserver_token: ''
 # Database-related configuration fields.
 # 
 #
 # To use Postgres:
 # - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables
 matrix_mautrix_instagram_database_engine: 'postgres'
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -3,11 +3,13 @@
 matrix_mautrix_signal_enabled: true
 matrix_mautrix_signal_version: latest
 matrix_mautrix_signal_daemon_version: latest
 # See: https://mau.dev/tulir/mautrix-signal/container_registry
 matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest"
 matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:{{ matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"
 matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest"
 matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}"
 matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"
 matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -7,8 +7,9 @@ matrix_mautrix_telegram_container_self_build: false
 matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
 matrix_mautrix_telegram_version: v0.9.0
 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0"
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
--- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -3,15 +3,16 @@
 matrix_mautrix_whatsapp_enabled: true
 matrix_mautrix_whatsapp_version: latest
 # See: https://mau.dev/tulir/mautrix-whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:latest"
 matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}"
 matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"
 matrix_mautrix_whatsapp_config_path: "{{ matrix_mautrix_whatsapp_base_path }}/config"
 matrix_mautrix_whatsapp_data_path: "{{ matrix_mautrix_whatsapp_base_path }}/data"
 matrix_mautrix_whatsapp_homeserver_address: "http://matrix-synapse:8008"
 matrix_mautrix_whatsapp_homeserver_address: "{{ matrix_homeserver_container_url }}"
 matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"
--- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml
@@ -11,7 +11,8 @@ matrix_mx_puppet_discord_container_image_self_build_repo: "https://github.com/ma
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
 matrix_mx_puppet_discord_container_http_host_bind_port: ''
 matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:latest"
 matrix_mx_puppet_discord_version: latest
 matrix_mx_puppet_discord_docker_image: "{{ matrix_mx_puppet_discord_docker_image_name_prefix }}sorunome/mx-puppet-discord:{{ matrix_mx_puppet_discord_version }}"
 matrix_mx_puppet_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_discord_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_discord_docker_image_force_pull: "{{ matrix_mx_puppet_discord_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-groupme/defaults/main.yml
@@ -11,7 +11,8 @@ matrix_mx_puppet_groupme_container_image_self_build_repo: "https://gitlab.com/ro
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8437"), or empty string to not expose.
 matrix_mx_puppet_groupme_container_http_host_bind_port: ''
 matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:latest"
 matrix_mx_puppet_groupme_version: latest
 matrix_mx_puppet_groupme_docker_image: "{{ matrix_mx_puppet_groupme_docker_image_name_prefix }}xangelix/mx-puppet-groupme:{{ matrix_mx_puppet_groupme_version }}"
 matrix_mx_puppet_groupme_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_groupme_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_groupme_docker_image_force_pull: "{{ matrix_mx_puppet_groupme_docker_image.endswith(':latest') }}"
@@ -22,7 +23,7 @@ matrix_mx_puppet_groupme_docker_src_files_path: "{{ matrix_mx_puppet_groupme_bas
 matrix_mx_puppet_groupme_appservice_port: "8437"
 matrix_mx_puppet_groupme_homeserver_address: 'http://matrix-synapse:8008'
 matrix_mx_puppet_groupme_homeserver_address: "{{ matrix_homeserver_container_url }}"
 matrix_mx_puppet_groupme_homeserver_domain: '{{ matrix_domain }}'
 matrix_mx_puppet_groupme_appservice_address: 'http://matrix-mx-puppet-groupme:{{ matrix_mx_puppet_groupme_appservice_port }}'
--- a/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml
@@ -6,7 +6,8 @@ matrix_mx_puppet_instagram_enabled: true
 matrix_mx_puppet_instagram_container_image_self_build: false
 matrix_mx_puppet_instagram_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-instagram.git"
 matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:latest"
 matrix_mx_puppet_instagram_version: latest
 matrix_mx_puppet_instagram_docker_image: "{{ matrix_mx_puppet_instagram_docker_image_name_prefix }}sorunome/mx-puppet-instagram:{{ matrix_mx_puppet_instagram_version }}"
 matrix_mx_puppet_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_instagram_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_instagram_docker_image_force_pull: "{{ matrix_mx_puppet_instagram_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
@@ -6,7 +6,8 @@ matrix_mx_puppet_skype_enabled: true
 matrix_mx_puppet_skype_container_image_self_build: false
 matrix_mx_puppet_skype_container_image_self_build_repo: "https://github.com/Sorunome/mx-puppet-skype.git"
 matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:latest"
 matrix_mx_puppet_skype_version: latest
 matrix_mx_puppet_skype_docker_image: "{{ matrix_mx_puppet_skype_docker_image_name_prefix }}sorunome/mx-puppet-skype:{{ matrix_mx_puppet_skype_version }}"
 matrix_mx_puppet_skype_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_skype_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_skype_docker_image_force_pull: "{{ matrix_mx_puppet_skype_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
@@ -11,7 +11,8 @@ matrix_mx_puppet_slack_container_image_self_build_repo: "https://github.com/Soru
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
 matrix_mx_puppet_slack_container_http_host_bind_port: ''
 matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:latest"
 matrix_mx_puppet_slack_version: latest
 matrix_mx_puppet_slack_docker_image: "{{ matrix_mx_puppet_slack_docker_image_name_prefix }}sorunome/mx-puppet-slack:{{ matrix_mx_puppet_slack_version }}"
 matrix_mx_puppet_slack_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_slack_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-steam/defaults/main.yml
@@ -11,7 +11,8 @@ matrix_mx_puppet_steam_container_image_self_build_repo: "https://github.com/icew
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
 matrix_mx_puppet_steam_container_http_host_bind_port: ''
 matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:latest"
 matrix_mx_puppet_steam_version: latest
 matrix_mx_puppet_steam_docker_image: "{{ matrix_mx_puppet_steam_docker_image_name_prefix }}icewind1991/mx-puppet-steam:{{ matrix_mx_puppet_steam_version }}"
 matrix_mx_puppet_steam_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_steam_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_steam_docker_image_force_pull: "{{ matrix_mx_puppet_steam_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml
@@ -11,7 +11,8 @@ matrix_mx_puppet_twitter_container_image_self_build_repo: "https://github.com/So
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
 matrix_mx_puppet_twitter_container_http_host_bind_port: ''
 matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:latest"
 matrix_mx_puppet_twitter_version: latest
 matrix_mx_puppet_twitter_docker_image: "{{ matrix_mx_puppet_twitter_docker_image_name_prefix }}sorunome/mx-puppet-twitter:{{ matrix_mx_puppet_twitter_version }}"
 matrix_mx_puppet_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mx_puppet_twitter_container_image_self_build else 'docker.io/' }}"
 matrix_mx_puppet_twitter_docker_image_force_pull: "{{ matrix_mx_puppet_twitter_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-sms/defaults/main.yml
+++ b/roles/matrix-bridge-sms/defaults/main.yml
@@ -3,7 +3,8 @@
 matrix_sms_bridge_enabled: true
 matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5"
 matrix_sms_bridge_version: 0.5.5
 matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:{{ matrix_sms_bridge_version }}"
 matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
 matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config"
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@@ -3,7 +3,8 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
 matrix_client_element_version: v1.7.21
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-common-after/tasks/awx_post.yml
+++ b/roles/matrix-common-after/tasks/awx_post.yml
@@ -2,7 +2,7 @@
 - name: Create user account
  command: |
    /usr/local/bin/matrix-synapse-register-user janitor '{{ matrix_awx_janitor_user_password }}' 1
    /usr/local/bin/matrix-synapse-register-user janitor {{ matrix_awx_janitor_user_password | quote }} 1
  register: cmd
  when: not matrix_awx_janitor_user_created|bool
  no_log: True
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@@ -22,9 +22,10 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']
 matrix_corporal_version: 2.1.0
 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
 matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
 matrix_corporal_docker_image_tag: "2.1.0"
 matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@@ -3,7 +3,8 @@ matrix_coturn_enabled: true
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
 matrix_coturn_version: 4.5.2
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
@@ -3,8 +3,8 @@ Description=Reloads matrix-coturn periodically so that new SSL certificates can
 [Timer]
 Unit=matrix-coturn-reload.service
 OnCalendar=Sunday *-*-* 13:00:00
 RandomizedDelaySec=3h
 OnCalendar=*-*-* 06:30:00
 RandomizedDelaySec=1h
 [Install]
 WantedBy=timers.target
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@@ -12,7 +12,8 @@ matrix_dimension_widgets_allow_self_signed_ssl_certificates: false
 matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
 matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest"
 matrix_dimension_version: latest
 matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:{{ matrix_dimension_version }}"
 matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"
 # List of systemd services that matrix-dimension.service depends on.
--- a/roles/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/matrix-dynamic-dns/defaults/main.yml
@@ -4,8 +4,10 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
 matrix_dynamic_dns_version: v3.9.1-ls45
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: '{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:v3.9.1-ls45'
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
 matrix_dynamic_dns_docker_image_name_prefix: "{{ 'localhost/' if matrix_dynamic_dns_container_image_self_build else 'docker.io/' }}"
--- a/roles/matrix-email2matrix/defaults/main.yml
+++ b/roles/matrix-email2matrix/defaults/main.yml
@@ -3,7 +3,8 @@ matrix_email2matrix_enabled: true
 matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix"
 matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config"
 matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:1.0.1"
 matrix_email2matrix_version: 1.0.1
 matrix_email2matrix_docker_image: "docker.io/devture/email2matrix:{{ matrix_email2matrix_version }}"
 matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}"
 # A list of extra arguments to pass to the container
--- a/roles/matrix-etherpad/defaults/main.yml
+++ b/roles/matrix-etherpad/defaults/main.yml
@@ -2,7 +2,8 @@ matrix_etherpad_enabled: false
 matrix_etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
 matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:1.8.7"
 matrix_etherpad_version: 1.8.7
 matrix_etherpad_docker_image: "docker.io/etherpad/etherpad:{{ matrix_etherpad_version }}"
 matrix_etherpad_docker_image_force_pull: "{{ matrix_etherpad_docker_image.endswith(':latest') }}"
 # List of systemd services that matrix-etherpad.service depends on.
@@ -22,12 +23,7 @@ matrix_etherpad_user_gid: '5001'
 matrix_etherpad_container_http_host_bind_port: ''
 # A list of extra arguments to pass to the container
 #
 # We assume that a reverse proxy is used and tell the container to trust it
 #   Details: https://github.com/ether/etherpad-lite/blob/develop/doc/docker.md
 matrix_etherpad_container_extra_arguments: [
  '--env TRUST_PROXY=true'
 ]
 matrix_etherpad_container_extra_arguments: []
 matrix_etherpad_public_endpoint: '/etherpad'
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@@ -3,7 +3,8 @@
 matrix_grafana_enabled: false
 matrix_grafana_docker_image: "docker.io/grafana/grafana:7.4.0"
 matrix_grafana_version: 7.4.0
 matrix_grafana_docker_image: "docker.io/grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 # Not conditional, because when someone disables metrics
--- a/roles/matrix-grafana/tasks/setup.yml
+++ b/roles/matrix-grafana/tasks/setup.yml
@@ -28,7 +28,7 @@
    - "{{ matrix_grafana_config_path }}/dashboards"
    - "{{ matrix_grafana_data_path }}"
  when: matrix_grafana_enabled|bool
 - name: Ensure grafana.ini present
  template:
    src: "{{ role_path }}/templates/grafana.ini.j2"
@@ -37,7 +37,7 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  when: matrix_grafana_enabled|bool
 - name: Ensure provisioning/datasources/default.yaml present
  template:
    src: "{{ role_path }}/templates/datasources.yaml.j2"
@@ -46,7 +46,7 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  when: matrix_grafana_enabled|bool
 - name: Ensure provisioning/dashboards/default.yaml present
  template:
    src: "{{ role_path }}/templates/dashboards.yaml.j2"
@@ -55,7 +55,7 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  when: matrix_grafana_enabled|bool
 - name: Ensure dashboard(s) downloaded
  get_url:
    url: "{{ item }}"
@@ -108,8 +108,3 @@
    daemon_reload: yes
  when: "not matrix_grafana_enabled|bool and matrix_grafana_service_stat.stat.exists"
 - name: Ensure matrix-grafana Docker image doesn't exist
  docker_image:
    name: "{{ matrix_grafana_docker_image }}"
    state: absent
  when: "not matrix_grafana_enabled|bool"
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@@ -52,7 +52,8 @@ matrix_jitsi_jibri_recorder_password: ''
 matrix_jitsi_enable_lobby: false
 matrix_jitsi_container_image_tag: "stable-5142"
 matrix_jitsi_version: stable-5142
 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
 matrix_jitsi_web_docker_image: "docker.io/jitsi/web:{{ matrix_jitsi_container_image_tag }}"
 matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
--- a/roles/matrix-mailer/defaults/main.yml
+++ b/roles/matrix-mailer/defaults/main.yml
@@ -7,7 +7,8 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1"
 matrix_mailer_version: 4.93-r1
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -1,13 +1,15 @@
 matrix_nginx_proxy_enabled: true
 matrix_nginx_proxy_version: 1.19.6-alpine
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
 matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine"
 matrix_nginx_proxy_docker_image: "docker.io/nginx:{{ matrix_nginx_proxy_version }}"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
 matrix_nginx_proxy_data_path: "{{ matrix_nginx_proxy_base_path }}/data"
 matrix_nginx_proxy_data_path_in_container: "/nginx-data"
 matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_base_path }}/conf.d"
 # List of systemd services that matrix-nginx-proxy.service depends on
@@ -110,6 +112,10 @@ matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
 # Controls whether proxying the matrix domain should be done.
 matrix_nginx_proxy_proxy_matrix_enabled: false
 matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
 # The port name used for federation in the nginx configuration.
 # This is not necessarily the port that it's actually on,
 # as port-mapping happens (`-p ..`) for the `matrix-nginx-proxy` container.
 matrix_nginx_proxy_proxy_matrix_federation_port: 8448
 # Controls whether proxying the dimension domain should be done.
 matrix_nginx_proxy_proxy_dimension_enabled: false
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@@ -11,7 +11,6 @@
    - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
    - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
    - "/etc/cron.d/matrix-ssl-lets-encrypt"
    - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
 #
 # Tasks related to setting up Let's Encrypt's management of certificates
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -199,10 +199,10 @@ server {
 #}
 server {
 	{% if matrix_nginx_proxy_https_enabled %}
 		listen 8448 ssl http2;
 		listen [::]:8448 ssl http2;
 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
 		listen [::]:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} ssl http2;
 	{% else %}
 		listen 8448;
 		listen {{ matrix_nginx_proxy_proxy_matrix_federation_port }};
 	{% endif %}
 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -30,15 +30,10 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			-p {{ matrix_nginx_proxy_container_https_host_bind_port }}:8443 \
 			{% endif %}
 			{% if matrix_nginx_proxy_proxy_matrix_federation_api_enabled and matrix_nginx_proxy_container_federation_host_bind_port %}
 			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:8448 \
 			-p {{ matrix_nginx_proxy_container_federation_host_bind_port }}:{{ matrix_nginx_proxy_proxy_matrix_federation_port }} \
 			{% endif %}
 			--mount type=bind,src={{ matrix_nginx_proxy_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
 			{% if matrix_awx_enabled|bool == false or matrix_nginx_proxy_base_domain_homepage_enabled %}
 			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst=/nginx-data,ro \
 			{% endif %}
 			{% if matrix_awx_enabled and matrix_nginx_proxy_base_domain_homepage_enabled|bool == false %}
 			--mount type=bind,src=/chroot/website,dst=/nginx-data/matrix-domain,ro \
 			{% endif %}
 			--mount type=bind,src={{ matrix_nginx_proxy_data_path }},dst={{ matrix_nginx_proxy_data_path_in_container }},ro \
 			--mount type=bind,src={{ matrix_nginx_proxy_confd_path }},dst=/etc/nginx/conf.d,ro \
 			{% if matrix_ssl_retrieval_method != 'none' %}
 			--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2
@@ -3,8 +3,8 @@ Description=Renews Let's Encrypt SSL certificates periodically
 [Timer]
 Unit=matrix-ssl-lets-encrypt-certificates-renew.service
 OnCalendar=Sunday *-*-* 05:00:00
 RandomizedDelaySec=3h
 OnCalendar=*-*-* 04:00:00
 RandomizedDelaySec=2h
 [Install]
 WantedBy=timers.target
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2
@@ -3,8 +3,8 @@ Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates
 [Timer]
 Unit=matrix-ssl-nginx-proxy-reload.service
 OnCalendar=Sunday *-*-* 13:00:00
 RandomizedDelaySec=3h
 OnCalendar=*-*-* 06:30:00
 RandomizedDelaySec=1h
 [Install]
 WantedBy=timers.target
--- a/roles/matrix-prometheus-node-exporter/defaults/main.yml
+++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml
@@ -3,7 +3,8 @@
 matrix_prometheus_node_exporter_enabled: false
 matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:v1.1.0"
 matrix_prometheus_node_exporter_version: v1.1.0
 matrix_prometheus_node_exporter_docker_image: "docker.io/prom/node-exporter:{{ matrix_prometheus_node_exporter_version }}"
 matrix_prometheus_node_exporter_docker_image_force_pull: "{{ matrix_prometheus_node_exporter_docker_image.endswith(':latest') }}"
 # A list of extra arguments to pass to the container
--- a/roles/matrix-prometheus-node-exporter/tasks/setup.yml
+++ b/roles/matrix-prometheus-node-exporter/tasks/setup.yml
@@ -52,9 +52,3 @@
  service:
    daemon_reload: yes
  when: "not matrix_prometheus_node_exporter_enabled|bool and matrix_prometheus_node_exporter_service_stat.stat.exists"
 - name: Ensure matrix-prometheus-node-exporter Docker image doesn't exist
  docker_image:
    name: "{{ matrix_prometheus_node_exporter_docker_image }}"
    state: absent
  when: "not matrix_prometheus_node_exporter_enabled|bool"
--- a/roles/matrix-prometheus/defaults/main.yml
+++ b/roles/matrix-prometheus/defaults/main.yml
@@ -3,7 +3,8 @@
 matrix_prometheus_enabled: false
 matrix_prometheus_docker_image: "docker.io/prom/prometheus:v2.24.1"
 matrix_prometheus_version: v2.24.1
 matrix_prometheus_docker_image: "docker.io/prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
 matrix_prometheus_base_path: "{{ matrix_base_data_path }}/prometheus"
--- a/roles/matrix-prometheus/tasks/setup_uninstall.yml
+++ b/roles/matrix-prometheus/tasks/setup_uninstall.yml
@@ -23,9 +23,3 @@
  service:
    daemon_reload: yes
  when: "matrix_prometheus_service_stat.stat.exists|bool"
 - name: Ensure matrix-prometheus Docker image doesn't exist
  docker_image:
    name: "{{ matrix_prometheus_docker_image }}"
    state: absent
  when: "not matrix_prometheus_enabled|bool"
--- a/roles/matrix-redis/defaults/main.yml
+++ b/roles/matrix-redis/defaults/main.yml
@@ -5,7 +5,8 @@ matrix_redis_connection_password: ""
 matrix_redis_base_path: "{{ matrix_base_data_path }}/redis"
 matrix_redis_data_path: "{{ matrix_redis_base_path }}/data"
 matrix_redis_docker_image_v6: "docker.io/redis:6.0.10-alpine"
 matrix_redis_version: 6.0.10-alpine
 matrix_redis_docker_image_v6: "docker.io/redis:{{ matrix_redis_version }}"
 matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}"
 matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}'
--- a/roles/matrix-synapse-admin/defaults/main.yml
+++ b/roles/matrix-synapse-admin/defaults/main.yml
@@ -8,7 +8,8 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:0.7.0"
 matrix_synapse_admin_version: 0.7.0
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else 'docker.io/' }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -15,7 +15,9 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
 matrix_synapse_docker_image_tag: "{{ 'v1.27.0' if matrix_architecture in ['arm32', 'amd64'] else 'v1.26.0' }}"
 matrix_synapse_version: v1.28.0
 matrix_synapse_version_arm64: v1.28.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -141,6 +141,7 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #  - '100.64.0.0/10'
 #  - '192.0.0.0/24'
 #  - '169.254.0.0/16'
 #  - '192.88.99.0/24'
 #  - '198.18.0.0/15'
 #  - '192.0.2.0/24'
 #  - '198.51.100.0/24'
@@ -149,6 +150,9 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 #  - '::1/128'
 #  - 'fe80::/10'
 #  - 'fc00::/7'
 #  - '2001:db8::/32'
 #  - 'ff00::/8'
 #  - 'fec0::/10'
 # List of IP address CIDR ranges that should be allowed for federation,
 # identity servers, push servers, and for checking key validity for
@@ -993,6 +997,7 @@ url_preview_ip_range_blacklist:
  - '100.64.0.0/10'
  - '192.0.0.0/24'
  - '169.254.0.0/16'
  - '192.88.99.0/24'
  - '198.18.0.0/15'
  - '192.0.2.0/24'
  - '198.51.100.0/24'
@@ -1001,6 +1006,9 @@ url_preview_ip_range_blacklist:
  - '::1/128'
  - 'fe80::/10'
  - 'fc00::/7'
  - '2001:db8::/32'
  - 'ff00::/8'
  - 'fec0::/10'
 # List of IP address CIDR ranges that the URL preview spider is allowed
 # to access even if they are specified in url_preview_ip_range_blacklist.
@@ -1327,6 +1335,8 @@ account_threepid_delegates:
 # By default, any room aliases included in this list will be created
 # as a publicly joinable room when the first user registers for the
 # homeserver. This behaviour can be customised with the settings below.
 # If the room already exists, make certain it is a publicly joinable
 # room. The join rule of the room must be set to 'public'.
 #
 #auto_join_rooms:
 #  - "#example:example.com"
@@ -1869,9 +1879,9 @@ oidc_providers:
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
  #      localpart_template: "{ user.login }"
  #      display_name_template: "{ user.name }"
  #      email_template: "{ user.email }"
  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
  #      email_template: "{% raw %}{{ user.email }}{% endraw %}"
  # For use with Keycloak
  #
@@ -1898,8 +1908,8 @@ oidc_providers:
  #  user_mapping_provider:
  #    config:
  #      subject_claim: "id"
  #      localpart_template: "{ user.login }"
  #      display_name_template: "{ user.name }"
  #      localpart_template: "{% raw %}{{ user.login }}{% endraw %}"
  #      display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
 # Enable Central Authentication Service (CAS) for registration and login.
@@ -2227,11 +2237,11 @@ password_config:
      #require_uppercase: true
 ui_auth:
    # The number of milliseconds to allow a user-interactive authentication
    # session to be active.
    # The amount of time to allow a user-interactive authentication session
    # to be active.
    #
    # This defaults to 0, meaning the user is queried for their credentials
    # before every action, but this can be overridden to alow a single
    # before every action, but this can be overridden to allow a single
    # validation to be re-used.  This weakens the protections afforded by
    # the user-interactive authentication process, by allowing for multiple
    # (and potentially different) operations to use the same validation session.
@@ -2239,7 +2249,7 @@ ui_auth:
    # Uncomment below to allow for credential validation to last for 15
    # seconds.
    #
    #session_timeout: 15000
    #session_timeout: "15s"
 {% if matrix_synapse_email_enabled %}
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
@@ -22,6 +22,11 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_wor
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_synapse_worker_details.port != 0 %}
 			--health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \
 			{% else %}
 			--no-healthcheck \
 			{% endif %}
 			{% if matrix_synapse_workers_enabled and matrix_synapse_workers_container_host_bind_address %}
 			{% if matrix_synapse_worker_details.port != 0 %}
 			-p {{ '' if matrix_synapse_workers_container_host_bind_address == '*' else (matrix_synapse_workers_container_host_bind_address + ':') }}{{ matrix_synapse_worker_details.port }}:{{ matrix_synapse_worker_details.port }} \
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@@ -107,7 +107,8 @@ matrix_synapse_workers_generic_worker_endpoints:
  # Ensure that all SSO logins go to a single process.
  # For multiple workers not handling the SSO endpoints properly, see
  # [#7530](https://github.com/matrix-org/synapse/issues/7530).
  # [#7530](https://github.com/matrix-org/synapse/issues/7530) and 
  # [#9427](https://github.com/matrix-org/synapse/issues/9427).
  # Note that a HTTP listener with `client` and `federation` resources must be
  # configured in the `worker_listeners` option in the worker config.
@@ -203,7 +204,15 @@ matrix_synapse_workers_generic_worker_endpoints:
  # REST endpoints itself, but you should set `start_pushers: False` in the
  # shared configuration file to stop the main synapse sending push notifications.
  # Note this worker cannot be load-balanced: only one instance should be active.
  # To run multiple instances at once the `pusher_instances` option should list all
  # pusher instances by their worker name, e.g.:
  # ```yaml
  # pusher_instances:
  #     - pusher_worker1
  #     - pusher_worker2
  # ```
 # ]
 # appservice worker (no API endpoints) [