Merge branch 'master' into master

5 years ago · 3564635f0f
--- a/docs/configuring-playbook-bridge-mautrix-facebook.md
+++ b/docs/configuring-playbook-bridge-mautrix-facebook.md
@@ -2,16 +2,37 @@

 The playbook can install and configure [mautrix-facebook](https://github.com/tulir/mautrix-facebook) for you.

 See the project's [documentation](https://github.com/tulir/mautrix-facebook/wiki#usage) to learn what it does and why it might be useful to you.
 See the project's [documentation](https://github.com/tulir/mautrix-facebook/blob/master/ROADMAP.md) to learn what it does and why it might be useful to you.

 ```yaml
 matrix_mautrix_facebook_enabled: true
 ```

 There are some additional things you may wish to configure about the bridge before you continue.

 Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
 ```yaml
 matrix_mautrix_facebook_configuration_extension_yaml: |
  bridge:
    encryption:
      allow: true
      default: true
 ```

 If you would like to be able to administrate the bridge from your account it can be configured like this:
 ```yaml
 matrix_mautrix_facebook_configuration_extension_yaml: |
  bridge:
    permissions:
      '@YOUR_USERNAME:YOUR_DOMAIN': admin
 ```

 You may wish to look at `roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2` to find other things you would like to configure.


 ## Set up Double Puppeting

 If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-facebook/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
 If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.

 ### Method 1: automatically, by enabling Shared Secret Auth

@@ -42,9 +63,7 @@ https://matrix.DOMAIN/_matrix/client/r0/login

 You then need to start a chat with `@facebookbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).

 Send `login YOUR_FACEBOOK_EMAIL_ADDRESS YOUR_FACEBOOK_PASSWORD` to the bridge bot to enable bridging for your Facebook/Messenger account.

 You can learn more here about authentication from the bridge's [official documentation on Authentication](https://github.com/tulir/mautrix-facebook/wiki/Authentication).
 Send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/facebook/authentication.html).

 If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.

--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@@ -13,8 +13,8 @@ Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record.

 You may also need to open the following ports to your server:

 - `10000/udp` - RTP media over UDP
 - `4443/tcp` - RTP media fallback over TCP
 - `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).


 ## Installation
--- a/docs/configuring-playbook-synapse-admin.md
+++ b/docs/configuring-playbook-synapse-admin.md
@@ -6,6 +6,8 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix

 See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.

 **Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file).


 ## Adjusting the playbook configuration

--- a/docs/container-images.md
+++ b/docs/container-images.md
@@ -11,7 +11,7 @@ These services are enabled and used by default, but you can turn them off, if yo

 - [matrixdotorg/synapse](https://hub.docker.com/r/matrixdotorg/synapse/) - the official [Synapse](https://github.com/matrix-org/synapse) Matrix homeserver (optional)

 - [instrumentisto/coturn](https://hub.docker.com/r/instrumentisto/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)
 - [coturn/coturn](https://hub.docker.com/r/coturn/coturn/) - the [Coturn](https://github.com/coturn/coturn) STUN/TURN server (optional)

 - [vectorim/element-web](https://hub.docker.com/r/vectorim/element-web/) - the [Element](https://element.io/) web client (optional)

--- a/docs/faq.md
+++ b/docs/faq.md
@@ -297,7 +297,7 @@ matrix_coturn_enabled: false
 # hundreds of servers inside is insanely heavy (https://github.com/matrix-org/synapse/issues/3971).
 #
 # If your server does not federate with hundreds of others, enabling this doesn't hurt much.
 matrix_synapse_use_presence: false
 matrix_synapse_presence_enabled: false
 ```

 You can also consider implementing a restriction on room complexity, in order to prevent users from joining very heavy rooms:
--- a/docs/maintenance-synapse.md
+++ b/docs/maintenance-synapse.md
@@ -74,7 +74,7 @@ You should then be able to browse the adminer database administration GUI at htt

 ## Make Synapse faster

 Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_use_presence: false` to your `vars.yml` file.
 Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file.

 Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor.

--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@@ -34,7 +34,6 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
  - `5349/udp`: TURN over UDP (used by Coturn)
  - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
  - the range `49152-49172/udp`: TURN over UDP
  - `4443/tcp`: Jitsi Harvester fallback
  - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
  - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that.

 When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -64,7 +64,7 @@ matrix_appservice_discord_enabled: false
 matrix_appservice_discord_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9005' }}"

 # If the homeserver disables presence, it's likely better (less wasteful) to also disable presence on the bridge side.
 matrix_appservice_discord_bridge_disablePresence: "{{ matrix_synapse_use_presence }}"
 matrix_appservice_discord_bridge_disablePresence: "{{ not matrix_synapse_presence_enabled }}"

 matrix_appservice_discord_systemd_required_services_list: |
  {{
@@ -188,7 +188,7 @@ matrix_appservice_irc_container_http_host_bind_port: "{{ '' if matrix_nginx_prox

 # The IRC bridge docs say that if homeserver presence is disabled, it's better to also disable
 # IRC bridge presence, for performance reasons.
 matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_use_presence }}"
 matrix_appservice_irc_homeserver_enablePresence: "{{ matrix_synapse_presence_enabled }}"

 matrix_appservice_irc_systemd_required_services_list: |
  {{
@@ -242,7 +242,7 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key

 matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
 matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"

 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
@@ -325,7 +325,7 @@ matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke

 matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
 matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"

 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
@@ -1211,7 +1211,7 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m

 matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"

 matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_use_presence }}"
 matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}"

 matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
 matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
@@ -1527,7 +1527,7 @@ matrix_client_element_registration_enabled: "{{ matrix_synapse_enable_registrati
 matrix_client_element_enable_presence_by_hs_url: |
  {{
    none
    if matrix_synapse_use_presence
    if matrix_synapse_presence_enabled
    else {matrix_client_element_default_hs_url: false}
  }}

@@ -1675,11 +1675,6 @@ matrix_synapse_admin_container_self_build: "{{ matrix_architecture != 'amd64' }}

 matrix_prometheus_node_exporter_enabled: false

 # Normally, matrix-nginx-proxy is enabled and nginx can reach Prometheus Node Exporter over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # Prometheus' HTTP port to the local host.
 matrix_prometheus_node_exporter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9200' }}"

 ######################################################################
 #
 # /matrix-prometheus-node-exporter
@@ -1706,6 +1701,7 @@ matrix_prometheus_scraper_synapse_targets: ['matrix-synapse:{{ matrix_synapse_me
 matrix_prometheus_scraper_synapse_rules_synapse_tag: "{{ matrix_synapse_docker_image_tag }}"

 matrix_prometheus_scraper_node_enabled: "{{ matrix_prometheus_node_exporter_enabled }}"
 matrix_prometheus_scraper_node_targets: "{{ ['matrix-prometheus-node-exporter:9100'] if matrix_prometheus_node_exporter_enabled else [] }}"

 ######################################################################
 #
--- a/roles/matrix-awx/surveys/configure_synapse.json.j2
+++ b/roles/matrix-awx/surveys/configure_synapse.json.j2
@@ -56,10 +56,10 @@
      "required": false,
      "min": null,
      "max": null,
      "default": "{{ matrix_synapse_use_presence | string | lower }}",
      "default": "{{ matrix_synapse_presence_enabled | string | lower }}",
      "choices": "true\nfalse",
      "new_question": true,
      "variable": "matrix_synapse_use_presence",
      "variable": "matrix_synapse_presence_enabled",
      "type": "multiplechoice"
    },
    {
--- a/roles/matrix-awx/tasks/main.yml
+++ b/roles/matrix-awx/tasks/main.yml
@@ -8,6 +8,15 @@
  tags:
    - always

 # Renames the variables if needed
 - include_tasks: 
    file: "rename_variables.yml"
    apply:
      tags: always
  when: run_setup|bool and matrix_awx_enabled|bool
  tags:
    - always

 # Perform a backup of the server
 - include_tasks: 
    file: "backup_server.yml"
--- a/roles/matrix-awx/tasks/rename_variables.yml
+++ b/roles/matrix-awx/tasks/rename_variables.yml
@@ -0,0 +1,8 @@

 - name: Rename synapse presence variable
  delegate_to: 127.0.0.1
  replace:
    path: "/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml"
    regexp: 'matrix_synapse_use_presence'
    replace: 'matrix_synapse_presence_enabled'

--- a/roles/matrix-awx/tasks/set_variables_synapse.yml
+++ b/roles/matrix-awx/tasks/set_variables_synapse.yml
@@ -21,7 +21,7 @@
    'matrix_synapse_enable_registration': '{{ matrix_synapse_enable_registration }}'
    'matrix_synapse_federation_enabled': '{{ matrix_synapse_federation_enabled }}'
    'matrix_synapse_enable_group_creation': '{{ matrix_synapse_enable_group_creation }}'
    'matrix_synapse_use_presence': '{{ matrix_synapse_use_presence }}'
    'matrix_synapse_presence_enabled': '{{ matrix_synapse_presence_enabled }}'
    'matrix_synapse_max_upload_size_mb': '{{ matrix_synapse_max_upload_size_mb }}'
    'matrix_synapse_url_preview_enabled': '{{ matrix_synapse_url_preview_enabled }}'
    'matrix_synapse_allow_guest_access': '{{ matrix_synapse_allow_guest_access }}'
--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@@ -1,10 +1,10 @@
 matrix_coturn_enabled: true

 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn/tree/master/docker/coturn/alpine.git"

 matrix_coturn_version: 4.5.2
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:{{ matrix_coturn_version }}"
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@@ -17,6 +17,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--cap-add=NET_BIND_SERVICE \
 			--entrypoint=turnserver \
 			--read-only \
 			--tmpfs=/var/tmp:rw,noexec,nosuid,size=100m \
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@@ -3,7 +3,7 @@

 matrix_grafana_enabled: false

 matrix_grafana_version: 7.5.2
 matrix_grafana_version: 7.5.4
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -269,6 +269,16 @@ matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the base domain server configuration (matrix-base-domain.conf).
 matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses for all vhosts meant to be accessed by users.
 #
 # Learn more about what it is here:
 # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
 # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
 # - https://amifloced.org/
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 matrix_nginx_proxy_floc_optout_enabled: true

 # Specifies the SSL configuration that should be used for the SSL protocols and ciphers
 # This is based on the Mozilla Server Side TLS Recommended configurations.
 #
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
@@ -5,6 +5,11 @@

 	gzip on;
 	gzip_types text/plain application/json;

 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

 	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
@@ -3,8 +3,10 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;

 {% for configuration_block in matrix_nginx_proxy_proxy_bot_go_neb_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@@ -3,12 +3,19 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-XSS-Protection "1; mode=block";
 	add_header X-Frame-Options SAMEORIGIN;
 	add_header Content-Security-Policy "frame-ancestors 'none'; require-trusted-types-for 'script'; base-uri 'self'";
 	add_header Referrer-Policy "strict-origin-when-cross-origin";

 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}


 	{% for configuration_block in matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@@ -3,8 +3,13 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

 {% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -17,6 +17,10 @@
 	gzip on;
 	gzip_types text/plain application/json;

 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
 		{#
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
@@ -3,13 +3,19 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 	# duplicate X-Content-Type-Options & X-Frame-Options header
 	# Enabled by grafana by default
 	# add_header X-Content-Type-Options nosniff;
 	# add_header X-Frame-Options SAMEORIGIN;
 	add_header Referrer-Policy "strict-origin-when-cross-origin";
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

 	proxy_cookie_path / "/; HTTPOnly; Secure";

 	{% for configuration_block in matrix_nginx_proxy_proxy_grafana_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
@@ -3,8 +3,13 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

 {% for configuration_block in matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2
@@ -1,6 +1,10 @@
 #jinja2: lstrip_blocks: "True"

 {% macro render_vhost_directives() %}
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}

 	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
@@ -3,9 +3,11 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;

 	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 	add_header X-Content-Type-Options nosniff;
 	add_header X-Frame-Options DENY;

 {% for configuration_block in matrix_nginx_proxy_proxy_sygnal_additional_server_configuration_blocks %}
 	{{- configuration_block }}
 {% endfor %}
--- a/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2
@@ -48,6 +48,8 @@ http {

 	keepalive_timeout 65;

 	server_tokens off;

 	#gzip on;
 	{# Map directive needed for proxied WebSocket upgrades #}
 	map $http_upgrade $connection_upgrade {
--- a/roles/matrix-prometheus-node-exporter/defaults/main.yml
+++ b/roles/matrix-prometheus-node-exporter/defaults/main.yml
@@ -19,4 +19,16 @@ matrix_prometheus_node_exporter_systemd_wanted_services_list: []
 # Controls whether the matrix-prometheus container exposes its HTTP port (tcp/9100 in the container).
 #
 # Takes an "<ip>:<port>" value (e.g. "127.0.0.1:9100"), or empty string to not expose.
 #
 # Official recommendations are to run this container with `--net=host`,
 # but we don't do that, since it:
 # - likely exposes the metrics web server way too publicly (before applying https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1008)
 # - or listens on a loopback interface only (--net=host and 127.0.0.1:9100), which is not reachable from another container (like `matrix-prometheus`)
 #
 # Using `--net=host` and binding to Docker's `matrix` bridge network may be a solution to both,
 # but that's trickier to accomplish and won't necessarily work (hasn't been tested).
 #
 # Not using `--net=host` means that our network statistic reports are likely broken (inaccurate),
 # because node-exporter can't see all interfaces, etc.
 # For now, we'll live with that, until someone develops a better solution.
 matrix_prometheus_node_exporter_container_http_host_bind_port: ''
--- a/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2
+++ b/roles/matrix-prometheus-node-exporter/templates/systemd/matrix-prometheus-node-exporter.service.j2
@@ -25,15 +25,13 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-prometheus-nod
 			{% for arg in matrix_prometheus_node_exporter_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			--net=host \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
 			-p {{ matrix_prometheus_node_exporter_container_http_host_bind_port }}:9100 \
 			{% endif %}
 			--pid=host \
 			--mount type=bind,src=/,dst=/host,ro,bind-propagation=rslave \
 			{{ matrix_prometheus_node_exporter_docker_image }} \
 			{% if matrix_prometheus_node_exporter_container_http_host_bind_port %}
 			--web.listen-address={{ matrix_prometheus_node_exporter_container_http_host_bind_port }} \
 			{% else %}
 			--web.listen-address=localhost:9100 \
 			{% endif %}
 			--path.rootfs=/host

 ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-prometheus-node-exporter 2>/dev/null'
--- a/roles/matrix-prometheus/tasks/setup_install.yml
+++ b/roles/matrix-prometheus/tasks/setup_install.yml
@@ -19,24 +19,6 @@
    - "{{ matrix_prometheus_config_path }}"
    - "{{ matrix_prometheus_data_path }}"

 - block:
    # Well, this actually creates the network if it doesn't exist, but..
    # The network should have been created by `matrix-base` already.
    # We don't rely on that other call and its result, because it runs
    # on `--tags=setup-all`, but will get skipped during `--tags=setup-prometheus`.
    - name: Fetch Matrix Docker network details
      docker_network:
        name: "{{ matrix_docker_network }}"
        driver: bridge
      register: matrix_docker_network_info

    # The `matrix_docker_network_info.ansible_facts.docker_network` workaroudn is for Ansible <= 2.8.
    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/907
    - set_fact:
        matrix_prometheus_scraper_node_targets: ["{{ matrix_docker_network_info.network|default(matrix_docker_network_info.ansible_facts.docker_network).IPAM.Config[0].Gateway }}:9100"]
  when: "matrix_prometheus_scraper_node_enabled|bool and matrix_prometheus_scraper_node_targets|length == 0"


 - name: Download synapse-v2.rules
  get_url:
    url: "{{ matrix_prometheus_scraper_synapse_rules_download_url }}"
--- a/roles/matrix-synapse-admin/defaults/main.yml
+++ b/roles/matrix-synapse-admin/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech

 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"

 matrix_synapse_admin_version: 0.7.0
 matrix_synapse_admin_version: 0.7.2
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
 matrix_synapse_version: v1.31.0
 matrix_synapse_version_arm64: v1.31.0
 matrix_synapse_version: v1.32.2
 matrix_synapse_version_arm64: v1.32.2
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

@@ -170,7 +170,7 @@ matrix_synapse_report_stats: false
 # Controls whether the Matrix server will track presence status (online, offline, unavailable) for users.
 # If users participate in large rooms with many other servers,
 # disabling this will decrease server load significantly.
 matrix_synapse_use_presence: true
 matrix_synapse_presence_enabled: true

 # Controls whether accessing the server's public rooms directory can be done without authentication.
 # For private servers, you most likely wish to require authentication,
--- a/roles/matrix-synapse/tasks/validate_config.yml
+++ b/roles/matrix-synapse/tasks/validate_config.yml
@@ -47,6 +47,7 @@
    - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
    - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
    - {'old': 'matrix_synapse_trusted_third_party_id_servers', 'new': '<deprecated in Synapse v0.99.4 and removed in Synapse v1.19.0>'}
    - {'old': 'matrix_synapse_use_presence', 'new': 'matrix_synapse_presence_enabled'}

 - name: (Deprecation) Catch and report renamed settings in matrix_synapse_configuration_extension_yaml
  fail:
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -58,9 +58,28 @@ public_baseurl: https://{{ matrix_server_fqn_matrix }}/
 #
 #soft_file_limit: 0

 # Set to false to disable presence tracking on this homeserver.
 # Presence tracking allows users to see the state (e.g online/offline)
 # of other local and remote users.
 #
 use_presence: {{ matrix_synapse_use_presence|to_json }}
 presence:
  # Uncomment to disable presence tracking on this homeserver. This option
  # replaces the previous top-level 'use_presence' option.
  #
  enabled: {{ matrix_synapse_presence_enabled|to_json }}

  # Presence routers are third-party modules that can specify additional logic
  # to where presence updates from users are routed.
  #
  presence_router:
    # The custom module's class. Uncomment to use a custom presence router module.
    #
    #module: "my_custom_router.PresenceRouter"

    # Configuration options of the custom module. Refer to your module's
    # documentation for available options.
    #
    #config:
    #  example_option: 'something'

 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
@@ -1252,9 +1271,9 @@ registrations_require_3pid: {{ matrix_synapse_registrations_require_3pid|to_json
 #
 #allowed_local_3pids:
 #  - medium: email
 #    pattern: '.*@matrix\.org'
 #    pattern: '^[^@]+@matrix\.org$'
 #  - medium: email
 #    pattern: '.*@vector\.im'
 #    pattern: '^[^@]+@vector\.im$'
 #  - medium: msisdn
 #    pattern: '\+44'
 {% if matrix_synapse_allowed_local_3pids|length > 0 %}
@@ -1467,14 +1486,31 @@ report_stats: {{ matrix_synapse_report_stats|to_json }}

 ## API Configuration ##

 # A list of event types that will be included in the room_invite_state
 # Controls for the state that is shared with users who receive an invite
 # to a room
 #
 #room_invite_state_types:
 #  - "m.room.join_rules"
 #  - "m.room.canonical_alias"
 #  - "m.room.avatar"
 #  - "m.room.encryption"
 #  - "m.room.name"
 room_prejoin_state:
   # By default, the following state event types are shared with users who
   # receive invites to the room:
   #
   # - m.room.join_rules
   # - m.room.canonical_alias
   # - m.room.avatar
   # - m.room.encryption
   # - m.room.name
   #
   # Uncomment the following to disable these defaults (so that only the event
   # types listed in 'additional_event_types' are shared). Defaults to 'false'.
   #
   #disable_default_event_types: true

   # Additional state event types to share with users when they are invited
   # to a room.
   #
   # By default, this list is empty (so only the default event types are shared).
   #
   #additional_event_types:
   #  - org.example.custom.event.type


 # A list of application service config files to use
--- a/roles/matrix-synapse/vars/main.yml
+++ b/roles/matrix-synapse/vars/main.yml
@@ -6,7 +6,6 @@ matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn
 # Tells whether this role had executed or not. Toggled to `true` during runtime.
 matrix_synapse_role_executed: false

 matrix_synapse_media_store_parent_path: "{{ matrix_synapse_media_store_path|dirname }}"
 matrix_synapse_media_store_directory_name: "{{ matrix_synapse_media_store_path|basename }}"

 # A Synapse generic worker can handle both federation and client-server API endpoints.