Merge branch 'spantaleev:master' into master

4 лет назад · 3441e1a307
--- a/.github/workflows/ansible-lint.yml
+++ b/.github/workflows/ansible-lint.yml
@@ -0,0 +1,22 @@
 name: Ansible Lint
 on: [push, pull_request]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: Lint Ansible Playbook
      uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc
      with:
        # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
        targets: "./"
        override-deps: |
          ansible-lint==5.3.1
        args: "-x metadata, formatting"
--- a/examples/caddy2/Caddyfile
+++ b/examples/caddy2/Caddyfile
@@ -27,6 +27,10 @@ matrix.DOMAIN.tld {
        not path /matrix/static-files/*
  }
  @wellknown {
        path /.well-known/matrix/*
  }
  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@@ -69,6 +73,15 @@ matrix.DOMAIN.tld {
        }
  }
  handle @wellknown {
        encode zstd gzip
        root * /matrix/static-files
 	header Cache-Control max-age=14400
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        file_server
  }
  handle {
        encode zstd gzip
@@ -102,17 +115,17 @@ element.DOMAIN.tld {
      # tls your@email.com
      header {
         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
        	X-XSS-Protection "1; mode=block"
        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        	X-Content-Type-Options "nosniff"
        	# Disallow the site to be rendered within a frame (clickjacking protection)
        	X-Frame-Options "DENY"
        	# X-Robots-Tag
        	X-Robots-Tag "noindex, noarchive, nofollow"
  	}
                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
                X-Content-Type-Options "nosniff"
                # Disallow the site to be rendered within a frame (clickjacking protection)
                X-Frame-Options "DENY"
                # X-Robots-Tag
                X-Robots-Tag "noindex, noarchive, nofollow"
        }
        handle {
              encode zstd gzip
--- a/roles/matrix-awx/defaults/main.yml
+++ b/roles/matrix-awx/defaults/main.yml
@@ -1 +1,6 @@
 matrix_awx_enabled: true
 # Defaults for 'Customise Website + Access Export' template
 awx_sftp_auth_method: 'Disabled'
 awx_sftp_password: ''
 awx_sftp_public_key: ''
--- a/roles/matrix-awx/tasks/purge_database_main.yml
+++ b/roles/matrix-awx/tasks/purge_database_main.yml
@@ -29,9 +29,9 @@
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
  register: awx_synapse_container_ip
 - name: Collect access token for @_janitor user
 - name: Collect access token for @admin-janitor user
  shell: |
    curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
    curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
  when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
  register: awx_janitors_token
  no_log: True
--- a/roles/matrix-awx/tasks/purge_media_main.yml
+++ b/roles/matrix-awx/tasks/purge_media_main.yml
@@ -21,9 +21,9 @@
  shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
  register: awx_synapse_container_ip
 - name: Collect access token for @_janitor user
 - name: Collect access token for @admin-janitor user
  shell: |
    curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
    curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
  register: awx_janitors_token
  no_log: True
--- a/roles/matrix-awx/tasks/self_check.yml
+++ b/roles/matrix-awx/tasks/self_check.yml
@@ -50,12 +50,14 @@
 - name: Calculate size of local media repository
  shell: du -sh /matrix/synapse/storage/media-store/local*
  register: awx_local_media_size_stat
  async: 600
  ignore_errors: yes
  no_log: True
 - name: Calculate size of remote media repository
  shell: du -sh /matrix/synapse/storage/media-store/remote*
  register: awx_remote_media_size_stat
  async: 600
  ignore_errors: yes
  no_log: True
--- a/roles/matrix-awx/tasks/set_variables_dimension.yml
+++ b/roles/matrix-awx/tasks/set_variables_dimension.yml
@@ -12,9 +12,9 @@
      - curl
    state: present
 - name: Collect access token of @_dimension user
 - name: Collect access token of @admin-dimension user
  shell: |
    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
  register: awx_dimension_user_access_token
 - name: Record Synapse variables locally on AWX
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 matrix_client_element_version: v1.9.7
 matrix_client_element_version: v1.9.8
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-common-after/tasks/awx_post.yml
+++ b/roles/matrix-common-after/tasks/awx_post.yml
@@ -1,11 +1,11 @@
 ---
 - name: Create user account @_janitor
 - name: Create user account @admin-janitor
  command: |
    /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1
    /usr/local/bin/matrix-synapse-register-user admin-janitor {{ awx_janitor_user_password | quote }} 1
  register: cmd
  when: not awx_janitor_user_created|bool
  no_log: True
  no_log: false
 - name: Update AWX janitor user created variable
  delegate_to: 127.0.0.1
@@ -18,12 +18,12 @@
    'awx_janitor_user_created': 'true'
  when: not awx_janitor_user_created|bool
 - name: Create user account @_dimension
 - name: Create user account @admin-dimension
  command: |
    /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0
    /usr/local/bin/matrix-synapse-register-user admin-dimension {{ awx_dimension_user_password | quote }} 0
  register: cmd
  when: not awx_dimension_user_created|bool
  no_log: True
  no_log: false
 - name: Update AWX dimension user created variable
  delegate_to: 127.0.0.1
@@ -36,12 +36,12 @@
    'awx_dimension_user_created': 'true'
  when: not awx_dimension_user_created|bool
 - name: Create user account @_mjolnir
 - name: Create user account @admin-mjolnir
  command: |
    /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0
    /usr/local/bin/matrix-synapse-register-user admin-mjolnir {{ awx_mjolnir_user_password | quote }} 0
  register: cmd
  when: not awx_mjolnir_user_created|bool
  no_log: True
  no_log: false
 - name: Update AWX dimension user created variable
  delegate_to: 127.0.0.1
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 matrix_coturn_version: 4.5.2-r4
 matrix_coturn_version: 4.5.2-r8
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@@ -3,7 +3,7 @@
 matrix_grafana_enabled: false
 matrix_grafana_version: 8.3.1
 matrix_grafana_version: 8.3.3
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@@ -8,6 +8,7 @@ matrix_jitsi_enable_recording: false
 matrix_jitsi_enable_transcriptions: false
 matrix_jitsi_enable_p2p: true
 matrix_jitsi_enable_av_moderation: true
 matrix_jitsi_enable_breakout_rooms: true
 # Authentication type, must be one of internal, jwt or ldap.
 # Currently only internal and ldap mechanisms are supported by this playbook.
@@ -67,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: ''
 matrix_jitsi_enable_lobby: false
 matrix_jitsi_version: stable-6726
 matrix_jitsi_version: stable-6726-1
 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
 matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
@@ -76,6 +77,7 @@ matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.ends
 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
 matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
 matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
 matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs"
 matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
--- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml
@@ -15,6 +15,7 @@
    - { path: "{{ matrix_jitsi_web_base_path }}", when: true }
    - { path: "{{ matrix_jitsi_web_config_path }}", when: true }
    - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true }
    - { path: "{{ matrix_jitsi_web_crontabs_path }}", when: true }
  when: matrix_jitsi_enabled|bool and item.when
 - name: Ensure jitsi-web Docker image is pulled
--- a/roles/matrix-jitsi/templates/jicofo/env.j2
+++ b/roles/matrix-jitsi/templates/jicofo/env.j2
@@ -9,6 +9,7 @@ ENABLE_CODEC_H264
 ENABLE_OCTO
 ENABLE_RECORDING
 ENABLE_SCTP
 ENABLE_AUTO_LOGIN
 JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
 JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
 JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
@@ -26,6 +27,9 @@ JIGASI_SIP_URI
 JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
 MAX_BRIDGE_PARTICIPANTS
 OCTO_BRIDGE_SELECTION_STRATEGY
 SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
 SENTRY_ENVIRONMENT
 SENTRY_RELEASE
 TZ={{ matrix_jitsi_timezone }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
--- a/roles/matrix-jitsi/templates/jicofo/logging.properties.j2
+++ b/roles/matrix-jitsi/templates/jicofo/logging.properties.j2
@@ -1,4 +1,10 @@
 {% raw %}
 {{ if .Env.SENTRY_DSN | default "0" | toBool }}
 handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
 {{ else }}
 handlers= java.util.logging.ConsoleHandler
 {{ end }}
 {% endraw %}
 java.util.logging.ConsoleHandler.level = ALL
 java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
@@ -10,6 +16,7 @@ net.sf.level=SEVERE
 net.java.sip.communicator.plugin.reconnectplugin.level=FINE
 org.ice4j.level=SEVERE
 org.jitsi.impl.neomedia.level=SEVERE
 io.sentry.jul.SentryHandler.level=WARNING
 # Do not worry about missing strings
 net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE
--- a/roles/matrix-jitsi/templates/jvb/env.j2
+++ b/roles/matrix-jitsi/templates/jvb/env.j2
@@ -1,9 +1,6 @@
 DOCKER_HOST_ADDRESS
 ENABLE_COLIBRI_WEBSOCKET
 ENABLE_OCTO
 DOCKER_HOST_ADDRESS
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
 XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
 JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
 JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
 JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
@@ -14,14 +11,21 @@ JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }}
 {% if matrix_jitsi_jvb_stun_servers|length > 0 %}
 JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }}
 {% endif %}
 JVB_ENABLE_APIS
 JVB_WS_DOMAIN
 JVB_WS_SERVER_ID
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 JVB_OCTO_BIND_ADDRESS
 JVB_OCTO_PUBLIC_ADDRESS
 JVB_OCTO_BIND_PORT
 JVB_OCTO_REGION
 JVB_WS_DOMAIN
 JVB_WS_SERVER_ID
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
 SENTRY_ENVIRONMENT
 SENTRY_RELEASE
 COLIBRI_REST_ENABLED
 SHUTDOWN_REST_ENABLED
 TZ={{ matrix_jitsi_timezone }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
 XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
 {{ matrix_jitsi_jvb_environment_variables_extension }}
--- a/roles/matrix-jitsi/templates/jvb/logging.properties.j2
+++ b/roles/matrix-jitsi/templates/jvb/logging.properties.j2
@@ -1,4 +1,10 @@
 {% raw %}
 {{ if .Env.SENTRY_DSN | default "0" | toBool }}
 handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
 {{ else }}
 handlers= java.util.logging.ConsoleHandler
 {{ end }}
 {% endraw %}
 java.util.logging.ConsoleHandler.level = ALL
 java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
@@ -8,6 +14,7 @@ net.java.sip.communicator.util.ScLogFormatter.programname=JVB
 .level=INFO
 org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE
 io.sentry.jul.SentryHandler.level=WARNING
 # All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge.
 org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING
--- a/roles/matrix-jitsi/templates/prosody/env.j2
+++ b/roles/matrix-jitsi/templates/prosody/env.j2
@@ -1,44 +1,24 @@
 AUTH_TYPE={{ matrix_jitsi_auth_type }}
 DISABLE_POLLS
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
 ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}}
 ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}}
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
 ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }}
 ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}}
 ENABLE_XMPP_WEBSOCKET
 GLOBAL_MODULES
 GLOBAL_CONFIG
 LDAP_URL={{ matrix_jitsi_ldap_url }}
 LDAP_BASE={{ matrix_jitsi_ldap_base }}
 LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
 LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
 LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
 LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
 LDAP_VERSION={{ matrix_jitsi_ldap_version }}
 LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
 LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
 LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
 LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
 LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
 LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
 XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
 XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
 XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}
 XMPP_MUC_MODULES=
 XMPP_INTERNAL_MUC_MODULES=
 XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
 XMPP_CROSS_DOMAIN=true
 GLOBAL_MODULES
 JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
 JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
 JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
 JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
 JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
 JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
 JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
 JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
 JICOFO_COMPONENT_SECRET
 JIGASI_XMPP_USER=
 JIGASI_XMPP_PASSWORD=
 JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
 JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
 JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
 JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
 JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
 JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
 JWT_APP_ID
 JWT_APP_SECRET
 JWT_ACCEPTED_ISSUERS
@@ -48,6 +28,19 @@ JWT_ALLOW_EMPTY
 JWT_AUTH_TYPE
 JWT_TOKEN_AUTH_MODULE
 LOG_LEVEL
 LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
 LDAP_BASE={{ matrix_jitsi_ldap_base }}
 LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
 LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
 LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
 LDAP_VERSION={{ matrix_jitsi_ldap_version }}
 LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
 LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
 LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
 LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
 LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
 LDAP_URL={{ matrix_jitsi_ldap_url }}
 LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }}
 TURN_HOST={{ matrix_jitsi_turn_host }}
@@ -55,3 +48,13 @@ TURNS_HOST={{ matrix_jitsi_turns_host }}
 TURN_PORT={{ matrix_jitsi_turn_port }}
 TURNS_PORT={{ matrix_jitsi_turns_port }}
 TZ={{ matrix_jitsi_timezone }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
 XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
 XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
 XMPP_MODULES={{ matrix_jitsi_xmpp_modules }}
 XMPP_MUC_MODULES=
 XMPP_INTERNAL_MUC_MODULES=
 XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
 XMPP_CROSS_DOMAIN=true
--- a/roles/matrix-jitsi/templates/web/env.j2
+++ b/roles/matrix-jitsi/templates/web/env.j2
@@ -1,16 +1,3 @@
 ENABLE_COLIBRI_WEBSOCKET
 ENABLE_FLOC=0
 ENABLE_LETSENCRYPT=0
 ENABLE_HTTP_REDIRECT=0
 ENABLE_HSTS=0
 ENABLE_XMPP_WEBSOCKET
 DISABLE_HTTPS=0
 DISABLE_DEEP_LINKING
 LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }}
 LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }}
 LETSENCRYPT_USE_STAGING=0
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 TZ={{ matrix_jitsi_timezone }}
 AMPLITUDE_ID
 ANALYTICS_SCRIPT_URLS
 ANALYTICS_WHITELISTED_EVENTS
@@ -26,23 +13,37 @@ DEPLOYMENTINFO_ENVIRONMENT_TYPE
 DEPLOYMENTINFO_REGION
 DEPLOYMENTINFO_SHARD
 DEPLOYMENTINFO_USERREGION
 DESKTOP_SHARING_FRAMERATE_MIN
 DESKTOP_SHARING_FRAMERATE_MAX
 DIALIN_NUMBERS_URL
 DIALOUT_AUTH_URL
 DIALOUT_CODES_URL
 DISABLE_AUDIO_LEVELS
 DISABLE_DEEP_LINKING
 DISABLE_HTTPS=0
 DISABLE_POLLS
 DISABLE_REACTIONS
 DROPBOX_APPKEY
 DROPBOX_REDIRECT_URI
 DYNAMIC_BRANDING_URL
 ENABLE_AUDIO_PROCESSING
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
 ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}}
 ENABLE_CALENDAR
 ENABLE_COLIBRI_WEBSOCKET
 ENABLE_FILE_RECORDING_SERVICE
 ENABLE_FILE_RECORDING_SERVICE_SHARING
 ENABLE_FLOC=0
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
 ENABLE_HSTS=0
 ENABLE_HTTP_REDIRECT=0
 ENABLE_IPV6
 ENABLE_LETSENCRYPT=0
 ENABLE_LIPSYNC
 ENABLE_NO_AUDIO_DETECTION
 ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
 ENABLE_NOISY_MIC_DETECTION
 ENABLE_PREJOIN_PAGE
 ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
 ENABLE_WELCOME_PAGE
 ENABLE_CLOSE_PAGE
 ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }}
@@ -55,12 +56,16 @@ ENABLE_SUBDOMAINS
 ENABLE_TALK_WHILE_MUTED
 ENABLE_TCC
 ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }}
 ENABLE_XMPP_WEBSOCKET
 ETHERPAD_PUBLIC_URL
 ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}}
 GOOGLE_ANALYTICS_ID
 GOOGLE_API_APP_CLIENT_ID
 INVITE_SERVICE_URL
 JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
 LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }}
 LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }}
 LETSENCRYPT_USE_STAGING=0
 MATOMO_ENDPOINT
 MATOMO_SITE_ID
 MICROSOFT_API_APP_CLIENT_ID
@@ -68,29 +73,38 @@ NGINX_RESOLVER
 NGINX_WORKER_PROCESSES
 NGINX_WORKER_CONNECTIONS
 PEOPLE_SEARCH_URL
 PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }}
 RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }}
 RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }}
 RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }}
 START_AUDIO_ONLY
 START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }}
 START_WITH_AUDIO_MUTED
 START_SILENT
 DISABLE_AUDIO_LEVELS
 ENABLE_NOISY_MIC_DETECTION
 START_AUDIO_ONLY
 START_BITRATE
 DESKTOP_SHARING_FRAMERATE_MIN
 DESKTOP_SHARING_FRAMERATE_MAX
 START_SILENT
 START_WITH_AUDIO_MUTED
 START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }}
 START_WITH_VIDEO_MUTED
 TESTING_CAP_SCREENSHARE_BITRATE
 TESTING_OCTO_PROBABILITY
 TOKEN_AUTH_URL
 TZ={{ matrix_jitsi_timezone }}
 VIDEOQUALITY_BITRATE_H264_LOW
 VIDEOQUALITY_BITRATE_H264_STANDARD
 VIDEOQUALITY_BITRATE_H264_HIGH
 VIDEOQUALITY_BITRATE_VP8_LOW
 VIDEOQUALITY_BITRATE_VP8_STANDARD
 VIDEOQUALITY_BITRATE_VP8_HIGH
 VIDEOQUALITY_BITRATE_VP9_LOW
 VIDEOQUALITY_BITRATE_VP9_STANDARD
 VIDEOQUALITY_BITRATE_VP9_HIGH
 VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
 VIDEOQUALITY_PREFERRED_CODEC
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
 XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
 XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
 TOKEN_AUTH_URL
 {{ matrix_jitsi_web_environment_variables_extension }}
--- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
@@ -23,6 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \
 			{% endif %}
 			--mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \
 			--mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \
 			{% for arg in matrix_jitsi_web_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -442,7 +442,14 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains
 matrix_ssl_additional_domains_to_obtain_certificates_for: []
 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 # If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server`
 matrix_ssl_lets_encrypt_staging: false
 # Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot).
 # By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment).
 # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server
 matrix_ssl_lets_encrypt_server: ''
 matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
@@ -42,6 +42,7 @@
    --non-interactive
    --work-dir=/tmp
    --http-01-port 8080
    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --standalone
    --preferred-challenges http
@@ -70,6 +71,7 @@
    --non-interactive
    --work-dir=/tmp
    --http-01-port 8080
    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
    --standalone
    --preferred-challenges http
--- a/roles/matrix-synapse-admin/defaults/main.yml
+++ b/roles/matrix-synapse-admin/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
 matrix_synapse_admin_version: 0.8.1
 matrix_synapse_admin_version: 0.8.4
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
 matrix_synapse_version: v1.48.0
 matrix_synapse_version_arm64: v1.48.0
 matrix_synapse_version: v1.49.0
 matrix_synapse_version_arm64: v1.49.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
@@ -321,6 +321,9 @@ matrix_synapse_push_include_content: true
 # URLs shared by users.
 matrix_synapse_url_preview_enabled: true
 # A list of values for the Accept-Language HTTP header used when downloading webpages during URL preview generation
 matrix_url_preview_accept_language: ['en-US', 'en']
 # Enable exposure of metrics to Prometheus
 # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
 matrix_synapse_metrics_enabled: false
--- a/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml
+++ b/roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml
@@ -8,6 +8,7 @@
    name: "{{ item.key }}"
    state: stopped
  with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}"
  when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461
 - name: Find worker configs to be cleaned
  find:
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -1149,8 +1149,7 @@ max_spider_size: 10M
 #   - fr;q=0.8
 #   - *;q=0.7
 #
 url_preview_accept_language:
 #   - en
 url_preview_accept_language: {{ matrix_url_preview_accept_language|to_json }}
 ## Captcha ##
@@ -1227,6 +1226,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 #
 #session_lifetime: 24h
 # Time that an access token remains valid for, if the session is
 # using refresh tokens.
 # For more information about refresh tokens, please see the manual.
 # Note that this only applies to clients which advertise support for
 # refresh tokens.
 #
 # Note also that this is calculated at login time and refresh time:
 # changes are not applied to existing sessions until they are refreshed.
 #
 # By default, this is 5 minutes.
 #
 #refreshable_access_token_lifetime: 5m
 # Time that a refresh token remains valid for (provided that it is not
 # exchanged for another one first).
 # This option can be used to automatically log-out inactive sessions.
 # Please see the manual for more information.
 #
 # Note also that this is calculated at login time and refresh time:
 # changes are not applied to existing sessions until they are refreshed.
 #
 # By default, this is infinite.
 #
 #refresh_token_lifetime: 24h
 # Time that an access token remains valid for, if the session is NOT
 # using refresh tokens.
 # Please note that not all clients support refresh tokens, so setting
 # this to a short value may be inconvenient for some users who will
 # then be logged out frequently.
 #
 # Note also that this is calculated at login time: changes are not applied
 # retrospectively to existing sessions for users that have already logged in.
 #
 # By default, this is infinite.
 #
 #nonrefreshable_access_token_lifetime: 24h
 # The user must provide all of the below types of 3PID when registering.
 # The user must provide all of the below types of 3PID when registering.
 #
 #registrations_require_3pid:
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/federation/v1/get_groups_publicised$
  - ^/_matrix/key/v2/query
  - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
  - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
  - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/
  # Inbound federation transaction request
  - ^/_matrix/federation/v1/send/
@@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$
  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
  - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$
  - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$