Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy

CHANGELOG.md

@@ -10,6 +10,56 @@ To revert to the old behaviour just set `matrix_nginx_proxy_ssl_config` to `"Cus
 If you are setting `matrix_nginx_proxy_ssl_protocols` to a custom value, you will need to `matrix_nginx_proxy_ssl_config` to `"Custom"`,
 otherwise it this variable will be ignored.
 
+# 2021-01-03
+
+## Signal bridging support via mautrix-signal
+
+Thanks to [laszabine](https://github.com/laszabine)'s efforts, the playbook now supports bridging to [Signal](https://www.signal.org/) via the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge. See our [Setting up Mautrix Signal bridging](docs/configuring-playbook-bridge-mautrix-signal.md) documentation page for getting started.
+
+If you had installed the mautrix-signal bridge while its Pull Request was still work-in-progress, you can migrate your data to the new and final setup by referring to [this comment](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/686#issuecomment-753510789).
+
+
+# 2020-12-23
+
+## The big move to all-on-Postgres (potentially dangerous)
+
+**TLDR**: all your bridges (and other services) will likely be auto-migrated from SQLite/nedb to Postgres, hopefully without trouble. You can opt-out (see how below), if too worried about breakage.
+
+Until now, we've only used Postgres as a database for Synapse. All other services (bridges, bots, etc.) were kept simple and used a file-based database (SQLite or nedb).
+
+Since [this huge pull request](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/740), **all of our services now use Postgres by default**. Thanks to [Johanna Dorothea Reichmann](https://github.com/jdreichmann) for starting the work on it and for providing great input!
+
+Moving all services to Postgres brings a few **benefits** to us:
+
+- **improved performance**
+- **improved compatibility**. Most bridges are deprecating SQLite/nedb support or offer less features when not on Postgres.
+- **easier backups**. It's still some effort to take a proper backup (Postgres dump + various files, keys), but a Postgres dump now takes you much further.
+- we're now **more prepared to introduce other services** that need a Postgres database - [Dendrite](https://github.com/matrix-org/dendrite), the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge (existing [pull request](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/686)), etc.
+
+### Key takeway
+
+- existing installations that use an [external Postgres](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-external-postgres.md) server should be unaffected (they remain on SQLite/nedb for all services, except Synapse)
+
+- for existing installations which use our integrated Postgres database server (`matrix-postgres`, which is the default), **we automatically migrate data** from SQLite/nedb to Postgres and **archive the database files** (`something.db` -> `something.db.backup`), so you can restore them if you need to go back (see how below).
+
+### Opting-out of the Postgres migration
+
+This is a **very large and somewhat untested change** (potentially dangerous), so **if you're not feeling confident/experimental, opt-out** of it for now. Still, it's the new default and what we (and various bridges) will focus on going forward, so don't stick to old ways for too long.
+
+You can remain on SQLite/nedb (at least for now) by adding a variable like this to your `vars.yml` file for each service you use: `matrix_COMPONENT_database_engine: sqlite` (e.g. `matrix_mautrix_facebook_database_engine: sqlite`).
+
+Some services (like `appservice-irc` and `appservice-slack`) don't use SQLite, so use `nedb`, instead of `sqlite` for them.
+
+### Going back to SQLite/nedb if things went wrong
+
+If you went with the Postgres migration and it went badly for you (some bridge not working as expected or not working at all), do this:
+
+- stop all services (`ansible-playbook -i inventory/hosts setup.yml --tags=stop`)
+- SSH into the server and rename the old database files (`something.db.backup` -> `something.db`). Example: `mv /matrix/mautrix-facebook/data/mautrix-facebook.db.backup /matrix/mautrix-facebook/data/mautrix-facebook.db`
+- switch the affected service back to SQLite (e.g. `matrix_mautrix_facebook_database_engine: sqlite`). Some services (like `appservice-irc` and `appservice-slack`) don't use SQLite, so use `nedb`, instead of `sqlite` for them.
+- re-run the playbook (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`)
+- [get in touch](README.md#support) with us
+
 # 2020-12-11
 
 ## synapse-janitor support removed

README.md

@@ -46,6 +46,8 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts)
 
+- (optional) the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge for bridging your Matrix server to [Signal](https://www.signal.org/)
+
 - (optional) the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for bridging your Matrix server to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat)
 
 - (optional) the [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) bridge for bridging your Matrix server to [Discord](https://discordapp.com/)
@@ -150,13 +152,15 @@ This playbook sets up your server using the following Docker images:
 
 - [certbot/certbot](https://hub.docker.com/r/certbot/certbot/) - the [certbot](https://certbot.eff.org/) tool for obtaining SSL certificates from [Let's Encrypt](https://letsencrypt.org/) (optional)
 
-- [tulir/mautrix-telegram](https://hub.docker.com/r/tulir/mautrix-telegram/) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional)
+- [tulir/mautrix-telegram](https://mau.dev/tulir/mautrix-telegram/container_registry) - the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge to [Telegram](https://telegram.org/) (optional)
+
+- [tulir/mautrix-whatsapp](https://mau.dev/tulir/mautrix-whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional)
 
-- [tulir/mautrix-whatsapp](https://hub.docker.com/r/tulir/mautrix-whatsapp/) - the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional)
+- [tulir/mautrix-facebook](https://mau.dev/tulir/mautrix-facebook/container_registry) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional)
 
-- [tulir/mautrix-facebook](https://hub.docker.com/r/tulir/mautrix-facebook/) - the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge to [Facebook](https://facebook.com/) (optional)
+- [tulir/mautrix-hangouts](https://mau.dev/tulir/mautrix-hangouts/container_registry) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional)
 
-- [tulir/mautrix-hangouts](https://hub.docker.com/r/tulir/mautrix-hangouts/) - the [mautrix-hangouts](https://github.com/tulir/mautrix-hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional)
+- [tulir/mautrix-signal](https://mau.dev/tulir/mautrix-signal/container_registry) - the [mautrix-signal](https://github.com/tulir/mautrix-signal) bridge to [Signal](https://www.signal.org/) (optional)
 
 - [matrixdotorg/matrix-appservice-irc](https://hub.docker.com/r/matrixdotorg/matrix-appservice-irc) - the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge to [IRC](https://wikipedia.org/wiki/Internet_Relay_Chat) (optional)
 

docs/ansible.md

@@ -9,9 +9,9 @@ If your local computer cannot run Ansible, you can also run Ansible on some serv
 
 ## Supported Ansible versions
 
-Ansible 2.7.0 or newer is required.
+Ansible 2.7.1 or newer is required ([last discussion about Ansible versions](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/743)).
 
-Ubuntu (at least 20.04) ships with a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more detaisl in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669]([669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669))). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below).
+Note: Ubuntu 20.04 ships with Ansible 2.9.6 which is a buggy version (see this [bug](https://bugs.launchpad.net/ubuntu/+source/ansible/+bug/1880359)), which can't be used in combination with a host running new systemd (more details in [#517](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/517), [#669](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/669)). If this problem affects you, you can: avoid running Ubuntu 20.04 on your host; run Ansible from another machine targeting your host; or try to upgrade to a newer Ansible version (see below).
 
 
 ## Checking your Ansible version

docs/configuring-playbook-bridge-mautrix-signal.md

@@ -0,0 +1,46 @@
+# Setting up Mautrix Signal (optional)
+
+The playbook can install and configure [mautrix-signal](https://github.com/tulir/mautrix-signal) for you.
+
+See the project's [documentation](https://github.com/tulir/mautrix-signal/wiki) to learn what it does and why it might be useful to you.
+
+**Note/Prerequisite**: If you're running with the Postgres database server integrated by the playbook (which is the default), you don't need to do anything special and can easily proceed with installing. However, if you're [using an external Postgres server](configuring-playbook-external-postgres.md), you'd need to manually prepare a Postgres database for this bridge and adjust the variables related to that (`matrix_mautrix_signal_database_*`).
+
+Use the following playbook configuration:
+
+```yaml
+matrix_mautrix_signal_enabled: true
+```
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-whatsapp/wiki/Authentication#replacing-whatsapp-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+### Method 2: manually, by asking each user to provide a working access token
+
+**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
+
+When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
+
+- retrieve a Matrix access token for yourself. You can use the following command:
+
+```
+curl \
+--data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Signal", "initial_device_display_name": "Mautrix-Signal"}' \
+https://matrix.DOMAIN/_matrix/client/r0/login
+```
+
+- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
+
+- make sure you don't log out the `Mautrix-Signal` device some time in the future, as that would break the Double Puppeting feature
+
+
+## Usage
+
+You then need to start a chat with `@signalbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).

docs/configuring-playbook-nginx.md

@@ -55,3 +55,11 @@ If you want to use OpenID Connect as an SSO provider (as per the [Synapse OpenID
 ```yaml
 matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled: true
 ```
+
+## Disable Nginx access logs
+
+This will disable the access logging for nginx.
+
+```yaml
+matrix_nginx_proxy_access_log_enabled: false
+```

docs/configuring-playbook.md

@@ -94,6 +94,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Setting up Mautrix Hangouts bridging](configuring-playbook-bridge-mautrix-hangouts.md) (optional)
 
+- [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional)
+
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional)
 
 - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional)

docs/howto-server-delegation.md

@@ -22,20 +22,20 @@ If this is okay with you, feel free to not read ahead.
 
 Server Delegation by means of a `/.well-known/matrix/server` file is the most straightforward, but suffers from the following downsides:
 
-- you need to have a working HTTPS server for the base domain (`<your-domain>`)
+- you need to have a working HTTPS server for the base domain (`<your-domain>`). If you don't have any server for the base domain at all, you can easily solve it by making the playbook [serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md).
 
 - any downtime on the base domain (`<your-domain>`) or network trouble between the matrix subdomain (`matrix.<your-domain>`) and the base `<domain>` may cause Matrix Federation outages. As the [Server-Server spec says](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery):
 
 > Errors are recommended to be cached for up to an hour, and servers are encouraged to exponentially back off for repeated failures.
 
-If this is not a concern for you, feel free to not read ahead.
+**For most people, this is a reasonable tradeoff** given that it's easy and straightforward to set up. We recommend you stay on this path.
 
-Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-srv-record-advanced).
+Otherwise, you can decide to go against the default for this playbook, and instead set up [Server Delegation via a DNS SRV record (advanced)](#server-delegation-via-a-dns-srv-record-advanced) (much more complicated).
 
 
 ## Server Delegation via a DNS SRV record (advanced)
 
-**NOTE**: doing Server Delegation via a DNS SRV record is a more advanced way to do it and is not the default for this playbook.
+**NOTE**: doing Server Delegation via a DNS SRV record is a more **advanced** way to do it and is not the default for this playbook. This is usually **much more complicated** to set up, so **we don't recommend it**. If you're not an experience sysadmin, you'd better stay away from this.
 
 As per the [Server-Server spec](https://matrix.org/docs/spec/server_server/r0.1.0.html#server-discovery), it's possible to do Server Delegation using only a SRV record (without a `/.well-known/matrix/server` file).
 
@@ -47,7 +47,7 @@ To use DNS SRV record validation, you need to:
 
 - ensure that you have a `_matrix._tcp` DNS SRV record for your base domain (`<your-domain>`) with a value of `10 0 8448 matrix.<your-domain>`
 
-- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `<your-domain>` (not `matrix.<your-domain>`!). See below.
+- ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `<your-domain>` (not `matrix.<your-domain>`!). Getting this certificate to the `matrix.<your-domain>` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below.
 
 
 ### Obtaining certificates

docs/updating-users-passwords.md

@@ -26,7 +26,7 @@ and then connecting to the postgres server and executing:
 ```
 UPDATE users SET password_hash = '<password-hash>' WHERE name = '@someone:server.com'
 ```
-`
+
 where `<password-hash>` is the hash returned by the docker command above.
 
 

examples/caddy2/Caddyfile

@@ -1,4 +1,8 @@
 matrix.DOMAIN.tld {
+
+  # creates letsencrypt certificate
+  # tls your@email.com
+
   @identity {
         path /_matrix/identity/*
   }
@@ -93,35 +97,12 @@ matrix.DOMAIN.tld:8448 {
     }
 }
 
-dimension.DOMAIN.tld {
-header {
-         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
-        	X-XSS-Protection "1; mode=block"
-        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
-        	X-Content-Type-Options "nosniff"
-        	# Disallow the site to be rendered within a frame (clickjacking protection)
-        	X-Frame-Options "DENY"
-        	# X-Robots-Tag
-        	X-Robots-Tag "noindex, noarchive, nofollow"
-  	}
-
-    	handle {
-        	encode zstd gzip
-
-        	reverse_proxy localhost:8184  {
-               		header_up X-Forwarded-Port {http.request.port}
-               		header_up X-Forwarded-Proto {http.request.scheme}
-               		header_up X-Forwarded-TlsProto {tls_protocol}
-               		header_up X-Forwarded-TlsCipher {tls_cipher}
-               		header_up X-Forwarded-HttpsProto {proto}
-        	}
-  	}
-}
-
 element.DOMAIN.tld {
- 	header {
+
+      # creates letsencrypt certificate
+      # tls your@email.com
+ 	
+      header {
          	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
         	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
         	# Enable cross-site filter (XSS) and tell browser to block detected attacks
@@ -145,3 +126,79 @@ element.DOMAIN.tld {
                      header_up X-Forwarded-HttpsProto {proto}
         }
 }
+
+#dimension.DOMAIN.tld {
+#      
+#      # creates letsencrypt certificate
+#      # tls your@email.com
+#      
+#      header {
+#          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+#          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+#          # Enable cross-site filter (XSS) and tell browser to block detected attacks
+#          X-XSS-Protection "1; mode=block"
+#          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+#          X-Content-Type-Options "nosniff"
+#          # Disallow the site to be rendered within a frame (clickjacking protection)
+#          X-Frame-Options "DENY"
+#          # X-Robots-Tag
+#          X-Robots-Tag "noindex, noarchive, nofollow"
+#    }
+#
+#      handle {
+#          encode zstd gzip
+#
+#          reverse_proxy localhost:8184  {
+#                  header_up X-Forwarded-Port {http.request.port}
+#                  header_up X-Forwarded-Proto {http.request.scheme}
+#                  header_up X-Forwarded-TlsProto {tls_protocol}
+#                  header_up X-Forwarded-TlsCipher {tls_cipher}
+#                  header_up X-Forwarded-HttpsProto {proto}
+#          }
+#    }
+#}
+
+
+#jitsi.DOMAIN.tld {
+#  
+#  creates letsencrypt certificate
+#  tls your@email.com
+#
+#  header {
+#        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+#        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+#
+#        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+#        X-XSS-Protection "1; mode=block"
+#
+#        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+#        X-Content-Type-Options "nosniff"
+#
+#        # Disallow the site to be rendered within a frame (clickjacking protection)
+#        X-Frame-Options "SAMEORIGIN"
+#
+#        # Disable some features
+#        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+#
+#        # Referer
+#        Referrer-Policy "no-referrer"
+#
+#        # X-Robots-Tag
+#        X-Robots-Tag "none"
+#
+#        # Remove Server header
+#        -Server
+#  }
+#
+#  handle {
+#        encode zstd gzip
+#
+#        reverse_proxy 127.0.0.1:12080 {
+#               header_up X-Forwarded-Port {http.request.port}
+#               header_up X-Forwarded-Proto {http.request.scheme}
+#               header_up X-Forwarded-TlsProto {tls_protocol}
+#               header_up X-Forwarded-TlsCipher {tls_cipher}
+#               header_up X-Forwarded-HttpsProto {proto}
+#        }
+#  }
+#}

examples/caddy2/README.md

@@ -0,0 +1,12 @@
+# Caddyfile
+
+This directory contains sample files that show you how to do reverse-proxying using Caddy2.
+
+## Config
+
+| Variable           | Function |
+| ------------------ | -------- |
+| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | 
+| tls                | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
+| Dimnension         | To enable Dimension support uncomment the lines for Dimension and set your data |
+| Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |

group_vars/matrix_servers

@@ -47,12 +47,19 @@ matrix_appservice_discord_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}"
 
 matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}"
 
+# We only make this use Postgres if our own Postgres server is enabled.
+# It's only then (for now) that we can automatically create the necessary database and user for this service.
+matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-appservice-discord
@@ -121,6 +128,10 @@ matrix_appservice_slack_systemd_required_services_list: |
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
   }}
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-appservice-slack
@@ -156,6 +167,10 @@ matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key |
 
 matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}"
 
+matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}"
+matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}"
+
+
 ######################################################################
 #
 # /matrix-bridge-appservice-irc
@@ -179,6 +194,8 @@ matrix_mautrix_facebook_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}"
@@ -189,6 +206,10 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 
 matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-facebook
@@ -212,6 +233,8 @@ matrix_mautrix_hangouts_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}"
@@ -222,6 +245,10 @@ matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_pr
 
 matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-hangouts
@@ -229,7 +256,44 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 ######################################################################
 
 
+######################################################################
+#
+# matrix-bridge-mautrix-signal
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_mautrix_signal_enabled: false
+
+matrix_mautrix_signal_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+    +
+    ['matrix-mautrix-signal-daemon.service']
+  }}
+
+matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
+
+matrix_mautrix_signal_homeserver_address: "{{ 'http://matrix-synapse:8008' if matrix_synapse_enabled else '' }}"
 
+matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}"
+
+matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}"
+
+matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+
+matrix_mautrix_signal_database_engine: 'postgres'
+matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}"
+
+######################################################################
+#
+# /matrix-bridge-mautrix-signal
+#
+######################################################################
 
 
 ######################################################################
@@ -246,6 +310,8 @@ matrix_mautrix_telegram_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
@@ -258,6 +324,10 @@ matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_pr
 
 matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-telegram
@@ -278,6 +348,8 @@ matrix_mautrix_whatsapp_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
@@ -286,6 +358,10 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
 
 matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-whatsapp
@@ -334,6 +410,8 @@ matrix_mx_puppet_skype_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
@@ -342,6 +420,10 @@ matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
 
 matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mx-puppet-skype
@@ -365,6 +447,8 @@ matrix_mx_puppet_slack_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"
@@ -373,6 +457,10 @@ matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
 
 matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mx-puppet-slack
@@ -395,6 +483,8 @@ matrix_mx_puppet_twitter_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}"
@@ -405,6 +495,10 @@ matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_pr
 
 matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_mx_puppet_twitter_appservice_port) }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mx-puppet-twitter
@@ -428,6 +522,8 @@ matrix_mx_puppet_instagram_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}"
@@ -436,6 +532,10 @@ matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_
 
 matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mx-puppet-instagram
@@ -458,6 +558,8 @@ matrix_mx_puppet_discord_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}"
@@ -466,6 +568,10 @@ matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_ke
 
 matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mx-puppet-discord
@@ -488,6 +594,8 @@ matrix_mx_puppet_steam_systemd_required_services_list: |
     ['docker.service']
     +
     (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
 matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}"
@@ -496,6 +604,10 @@ matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key
 
 matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bridge-mx-puppet-steam
@@ -512,6 +624,17 @@ matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_prov
 # We don't enable bots by default.
 matrix_bot_matrix_reminder_bot_enabled: false
 
+matrix_bot_matrix_reminder_bot_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+  }}
+
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-bot-matrix-reminder-bot
@@ -606,6 +729,17 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
 matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
 matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"
 
+matrix_dimension_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+  }}
+
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-dimension
@@ -750,6 +884,11 @@ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
 
 matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
 
+matrix_ma1sd_systemd_required_services_list: |
+  {{
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+  }}
+
 matrix_ma1sd_systemd_wanted_services_list: |
   {{
     (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-synapse.service'])
@@ -759,6 +898,10 @@ matrix_ma1sd_systemd_wanted_services_list: |
     (['matrix-mailer.service'] if matrix_mailer_enabled else [])
   }}
 
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-ma1sd
@@ -875,6 +1018,133 @@ matrix_postgres_connection_username: "synapse"
 matrix_postgres_connection_password: "synapse-password"
 matrix_postgres_db_name: "homeserver"
 
+matrix_postgres_pgloader_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
+matrix_postgres_additional_databases: |
+  {{
+    ([{
+      'name': matrix_ma1sd_database_name,
+      'username': matrix_ma1sd_database_username,
+      'password': matrix_ma1sd_database_password,
+    }] if (matrix_ma1sd_enabled and matrix_ma1sd_database_engine == 'postgres' and matrix_ma1sd_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_bot_matrix_reminder_bot_database_name,
+      'username': matrix_bot_matrix_reminder_bot_database_username,
+      'password': matrix_bot_matrix_reminder_bot_database_password,
+    }] if (matrix_bot_matrix_reminder_bot_enabled and matrix_bot_matrix_reminder_bot_database_engine == 'postgres' and matrix_bot_matrix_reminder_bot_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_registration_database_name,
+      'username': matrix_registration_database_username,
+      'password': matrix_registration_database_password,
+    }] if (matrix_registration_enabled and matrix_registration_database_engine == 'postgres' and matrix_registration_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_appservice_discord_database_name,
+      'username': matrix_appservice_discord_database_username,
+      'password': matrix_appservice_discord_database_password,
+    }] if (matrix_appservice_discord_enabled and matrix_appservice_discord_database_engine == 'postgres' and matrix_appservice_discord_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_appservice_slack_database_name,
+      'username': matrix_appservice_slack_database_username,
+      'password': matrix_appservice_slack_database_password,
+    }] if (matrix_appservice_slack_enabled and matrix_appservice_slack_database_engine == 'postgres' and matrix_appservice_slack_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_appservice_irc_database_name,
+      'username': matrix_appservice_irc_database_username,
+      'password': matrix_appservice_irc_database_password,
+    }] if (matrix_appservice_irc_enabled and matrix_appservice_irc_database_engine == 'postgres' and matrix_appservice_irc_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mautrix_facebook_database_name,
+      'username': matrix_mautrix_facebook_database_username,
+      'password': matrix_mautrix_facebook_database_password,
+    }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mautrix_hangouts_database_name,
+      'username': matrix_mautrix_hangouts_database_username,
+      'password': matrix_mautrix_hangouts_database_password,
+    }] if (matrix_mautrix_hangouts_enabled and matrix_mautrix_hangouts_database_engine == 'postgres' and matrix_mautrix_hangouts_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mautrix_signal_database_name,
+      'username': matrix_mautrix_signal_database_username,
+      'password': matrix_mautrix_signal_database_password,
+    }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mautrix_telegram_database_name,
+      'username': matrix_mautrix_telegram_database_username,
+      'password': matrix_mautrix_telegram_database_password,
+    }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mautrix_whatsapp_database_name,
+      'username': matrix_mautrix_whatsapp_database_username,
+      'password': matrix_mautrix_whatsapp_database_password,
+    }] if (matrix_mautrix_whatsapp_enabled and matrix_mautrix_whatsapp_database_engine == 'postgres' and matrix_mautrix_whatsapp_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mx_puppet_skype_database_name,
+      'username': matrix_mx_puppet_skype_database_username,
+      'password': matrix_mx_puppet_skype_database_password,
+    }] if (matrix_mx_puppet_skype_enabled and matrix_mx_puppet_skype_database_engine == 'postgres' and matrix_mx_puppet_skype_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mx_puppet_slack_database_name,
+      'username': matrix_mx_puppet_slack_database_username,
+      'password': matrix_mx_puppet_slack_database_password,
+    }] if (matrix_mx_puppet_slack_enabled and matrix_mx_puppet_slack_database_engine == 'postgres' and matrix_mx_puppet_slack_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mx_puppet_twitter_database_name,
+      'username': matrix_mx_puppet_twitter_database_username,
+      'password': matrix_mx_puppet_twitter_database_password,
+    }] if (matrix_mx_puppet_twitter_enabled and matrix_mx_puppet_twitter_database_engine == 'postgres' and matrix_mx_puppet_twitter_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mx_puppet_instagram_database_name,
+      'username': matrix_mx_puppet_instagram_database_username,
+      'password': matrix_mx_puppet_instagram_database_password,
+    }] if (matrix_mx_puppet_instagram_enabled and matrix_mx_puppet_instagram_database_engine == 'postgres' and matrix_mx_puppet_instagram_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mx_puppet_discord_database_name,
+      'username': matrix_mx_puppet_discord_database_username,
+      'password': matrix_mx_puppet_discord_database_password,
+    }] if (matrix_mx_puppet_discord_enabled  and matrix_mx_puppet_discord_database_engine == 'postgres' and matrix_mx_puppet_discord_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_mx_puppet_steam_database_name,
+      'username': matrix_mx_puppet_steam_database_username,
+      'password': matrix_mx_puppet_steam_database_password,
+    }] if (matrix_mx_puppet_steam_enabled and matrix_mx_puppet_steam_database_engine == 'postgres' and matrix_mx_puppet_steam_database_hostname == 'matrix-postgres') else [])
+    +
+    ([{
+      'name': matrix_dimension_database_name,
+      'username': matrix_dimension_database_username,
+      'password': matrix_dimension_database_password,
+    }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == 'matrix-postgres') else [])
+   }}
+
+matrix_postgres_import_roles_to_ignore: |
+  {{
+    [matrix_postgres_connection_username]
+    +
+    matrix_postgres_additional_databases|map(attribute='username')|list
+  }}
+
+matrix_postgres_import_databases_to_ignore: |
+  {{
+    [matrix_postgres_db_name]
+    +
+    matrix_postgres_additional_databases|map(attribute='name')|list
+  }}
+
 ######################################################################
 #
 # /matrix-postgres
@@ -1071,6 +1341,17 @@ matrix_registration_api_validate_certs: "{{ false if matrix_ssl_retrieval_method
 
 matrix_registration_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 
+matrix_registration_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+  }}
+
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}"
+
 ######################################################################
 #
 # /matrix-registration

roles/matrix-base/tasks/sanity_check.yml

@@ -1,10 +1,19 @@
 ---
 
-# We generally support Ansible 2.7.0 and above.
-- name: Fail if running on Ansible < 2.7
+# We generally support Ansible 2.7.1 and above.
+- name: Fail if running on Ansible < 2.7.1
   fail:
     msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md"
-  when: "(ansible_version.major < 2) or (ansible_version.major <= 2 and ansible_version.minor < 7)"
+  when:
+    - "(ansible_version.major < 2) or (ansible_version.major == 2 and ansible_version.minor < 7) or (ansible_version.major == 2 and ansible_version.minor == 7 and ansible_version.revision < 1)"
+
+# Though we do not support Ansible 2.9.6 which is buggy
+- name: Fail if running on Ansible 2.9.6 on Ubuntu
+  fail:
+    msg: "You are running on Ansible {{ ansible_version.string }}, which is not supported. See our guide about Ansible: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/ansible.md"
+  when:
+    - ansible_distribution == 'Ubuntu'
+    - "ansible_version.major == 2 and ansible_version.minor == 9 and ansible_version.revision == 6"
 
 - name: (Deprecation) Catch and report renamed settings
   fail:

roles/matrix-base/tasks/setup_matrix_base.yml

@@ -19,31 +19,10 @@
     mode: '0660'
   when: "matrix_vars_yml_snapshotting_enabled|bool"
 
-# `docker_network` doesn't work as expected when the given network
-# is a substring of a network that already exists.
-#
-# See:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/12
-# - https://github.com/ansible/ansible/issues/32926
-#
-# Due to that, we employ a workaround below.
-#
-# - name: Ensure Matrix network is created in Docker
-#   docker_network:
-#     name: "{{ matrix_docker_network }}"
-#     driver: bridge
-
-- name: Check existence of Matrix network in Docker
-  shell:
-    cmd: "docker network ls -q --filter='name=^{{ matrix_docker_network }}$'"
-  register: result_check_docker_network
-  changed_when: false
-  check_mode: no
-
-- name: Create Matrix network in Docker
-  shell:
-    cmd: "docker network create --driver=bridge {{ matrix_docker_network }}"
-  when: "result_check_docker_network.stdout == '' and not ansible_check_mode"
+- name: Ensure Matrix network is created in Docker
+  docker_network:
+    name: "{{ matrix_docker_network }}"
+    driver: bridge
 
 - name: Ensure matrix-remove-all script created
   template:

roles/matrix-bot-matrix-reminder-bot/defaults/main.yml

@@ -21,6 +21,34 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: ['docker.service'
 matrix_bot_matrix_reminder_bot_systemd_wanted_services_list: []
 
 
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_bot_matrix_reminder_bot_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_bot_matrix_reminder_bot_database_*` variables
+matrix_bot_matrix_reminder_bot_database_engine: 'sqlite'
+
+matrix_bot_matrix_reminder_bot_sqlite_database_path_local: "{{ matrix_bot_matrix_reminder_bot_data_path }}/bot.db"
+matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container: "/data/bot.db"
+
+matrix_bot_matrix_reminder_bot_database_username: 'matrix_reminder_bot'
+matrix_bot_matrix_reminder_bot_database_password: 'some-password'
+matrix_bot_matrix_reminder_bot_database_hostname: 'matrix-postgres'
+matrix_bot_matrix_reminder_bot_database_port: 5432
+matrix_bot_matrix_reminder_bot_database_name: 'matrix_reminder_bot'
+
+matrix_bot_matrix_reminder_bot_database_connection_string: 'postgres://{{ matrix_bot_matrix_reminder_bot_database_username }}:{{ matrix_bot_matrix_reminder_bot_database_password }}@{{ matrix_bot_matrix_reminder_bot_database_hostname }}:{{ matrix_bot_matrix_reminder_bot_database_port }}/{{ matrix_bot_matrix_reminder_bot_database_name }}'
+
+matrix_bot_matrix_reminder_bot_storage_database: "{{
+	{
+		'sqlite': ('sqlite://' + matrix_bot_matrix_reminder_bot_sqlite_database_path_in_container),
+		'postgres': matrix_bot_matrix_reminder_bot_database_connection_string,
+	}[matrix_bot_matrix_reminder_bot_database_engine]
+}}"
+
+
 # The bot's username. This user needs to be created manually beforehand.
 # Also see `matrix_bot_matrix_reminder_bot_user_password`.
 matrix_bot_matrix_reminder_bot_matrix_user_id_localpart: "bot.matrix-reminder-bot"

roles/matrix-bot-matrix-reminder-bot/tasks/main.yml

@@ -8,7 +8,14 @@
     - setup-all
     - setup-bot-matrix-reminder-bot
 
-- import_tasks: "{{ role_path }}/tasks/setup.yml"
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_bot_matrix_reminder_bot_enabled|bool"
+  tags:
+    - setup-all
+    - setup-bot-matrix-reminder-bot
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_bot_matrix_reminder_bot_enabled|bool"
   tags:
     - setup-all
     - setup-bot-matrix-reminder-bot

roles/matrix-bot-matrix-reminder-bot/tasks/setup.yml

@@ -1,88 +0,0 @@
----
-
-#
-# Tasks related to setting up matrix-reminder-bot
-#
-
-- name: Ensure matrix-reminder-bot paths exist
-  file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true }
-    - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true }
-    - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true }
-  when: matrix_bot_matrix_reminder_bot_enabled|bool and item.when
-
-- name: Ensure matrix-reminder-bot image is pulled
-  docker_image:
-    name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}"
-  when: matrix_bot_matrix_reminder_bot_enabled|bool
-
-- name: Ensure matrix-reminder-bot config installed
-  copy:
-    content: "{{ matrix_bot_matrix_reminder_bot_configuration|to_nice_yaml }}"
-    dest: "{{ matrix_bot_matrix_reminder_bot_config_path }}/config.yaml"
-    mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  when: matrix_bot_matrix_reminder_bot_enabled|bool
-
-- name: Ensure matrix-matrix-reminder-bot.service installed
-  template:
-    src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2"
-    dest: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service"
-    mode: 0644
-  register: matrix_bot_matrix_reminder_bot_systemd_service_result
-  when: matrix_bot_matrix_reminder_bot_enabled|bool
-
-- name: Ensure systemd reloaded after matrix-matrix-reminder-bot.service installation
-  service:
-    daemon_reload: yes
-  when: "matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_systemd_service_result.changed"
-
-#
-# Tasks related to getting rid of matrix-reminder-bot (if it was previously enabled)
-#
-
-- name: Check existence of matrix-matrix-reminder-bot service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-matrix-reminder-bot.service"
-  register: matrix_bot_matrix_reminder_bot_service_stat
-
-- name: Ensure matrix-matrix-reminder-bot is stopped
-  service:
-    name: matrix-matrix-reminder-bot
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists"
-
-- name: Ensure matrix-matrix-reminder-bot.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-matrix-reminder-bot.service"
-    state: absent
-  when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-matrix-reminder-bot.service removal
-  service:
-    daemon_reload: yes
-  when: "not matrix_bot_matrix_reminder_bot_enabled|bool and matrix_bot_matrix_reminder_bot_service_stat.stat.exists"
-
-- name: Ensure Matrix matrix-reminder-bot paths don't exist
-  file:
-    path: "{{ matrix_bot_matrix_reminder_bot_base_path }}"
-    state: absent
-  when: "not matrix_bot_matrix_reminder_bot_enabled|bool"
-
-- name: Ensure matrix-reminder-bot Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
-    state: absent
-  when: "not matrix_bot_matrix_reminder_bot_enabled|bool"

roles/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml

@@ -0,0 +1,73 @@
+---
+
+- set_fact:
+    matrix_bot_matrix_reminder_bot_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}"
+      register: matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_bot_matrix_reminder_bot_sqlite_database_path_local }}"
+              dst: "{{ matrix_bot_matrix_reminder_bot_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_bot_matrix_reminder_bot_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-bot-matrix-reminder-bot.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_bot_matrix_reminder_bot_requires_restart: true
+      when: "matrix_bot_matrix_reminder_bot_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_bot_matrix_reminder_bot_database_engine == 'postgres'"
+
+- name: Ensure matrix-reminder-bot paths exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true }
+    - { path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true }
+    - { path: "{{ matrix_bot_matrix_reminder_bot_data_store_path }}", when: true }
+  when: "item.when|bool"
+
+- name: Ensure matrix-reminder-bot image is pulled
+  docker_image:
+    name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_bot_matrix_reminder_bot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_docker_image_force_pull }}"
+
+- name: Ensure matrix-reminder-bot config installed
+  copy:
+    content: "{{ matrix_bot_matrix_reminder_bot_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_bot_matrix_reminder_bot_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-bot-matrix-reminder-bot.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service"
+    mode: 0644
+  register: matrix_bot_matrix_reminder_bot_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_bot_matrix_reminder_bot_systemd_service_result.changed|bool"
+
+- name: Ensure matrix-bot-matrix-reminder-bot.service restarted, if necessary
+  service:
+    name: "matrix-bot-matrix-reminder-bot.service"
+    state: restarted
+  when: "matrix_bot_matrix_reminder_bot_requires_restart|bool"

roles/matrix-bot-matrix-reminder-bot/tasks/setup_uninstall.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-matrix-reminder-bot service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service"
+  register: matrix_bot_matrix_reminder_bot_service_stat
+
+- name: Ensure matrix-matrix-reminder-bot is stopped
+  service:
+    name: matrix-matrix-reminder-bot
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-bot-matrix-reminder-bot.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-bot-matrix-reminder-bot.service"
+    state: absent
+  when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-bot-matrix-reminder-bot.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_bot_matrix_reminder_bot_service_stat.stat.exists|bool"
+
+- name: Ensure Matrix matrix-reminder-bot paths don't exist
+  file:
+    path: "{{ matrix_bot_matrix_reminder_bot_base_path }}"
+    state: absent
+
+- name: Ensure matrix-reminder-bot Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
+    state: absent

roles/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2

@@ -23,7 +23,7 @@ storage:
   # For Postgres, this would look like:
   #     database: "postgres://username:password@localhost/dbname?sslmode=disable"
   #database: "postgres://matrix-reminder-bot:remindme@localhost/matrix-reminder-bot?sslmode=disable"
-  database: "sqlite:///data/bot.db"
+  database: {{ matrix_bot_matrix_reminder_bot_storage_database|to_json }}
   # The path to a directory for internal bot storage
   # containing encryption keys, sync tokens, etc.
   store_path: "/data/store"

roles/matrix-bridge-appservice-discord/defaults/main.yml

@@ -41,6 +41,30 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}"
 matrix_appservice_discord_bridge_disablePresence: false
 matrix_appservice_discord_bridge_enableSelfServiceBridging: false
 
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables
+matrix_appservice_discord_database_engine: 'sqlite'
+
+matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db"
+matrix_appservice_discord_sqlite_database_path_in_container: "/data/discord.db"
+
+matrix_appservice_discord_database_username: 'matrix_appservice_discord'
+matrix_appservice_discord_database_password: 'some-password'
+matrix_appservice_discord_database_hostname: 'matrix-postgres'
+matrix_appservice_discord_database_port: 5432
+matrix_appservice_discord_database_name: 'matrix_appservice_discord'
+
+# These 2 variables are what actually ends up in the bridge configuration.
+# It's best if you don't change them directly, but rather redefine the sub-variables that constitute them.
+matrix_appservice_discord_database_filename: "{{ matrix_appservice_discord_sqlite_database_path_in_container }}"
+matrix_appservice_discord_database_connString: 'postgresql://{{ matrix_appservice_discord_database_username }}:{{ matrix_appservice_discord_database_password }}@{{ matrix_appservice_discord_database_hostname }}:{{ matrix_appservice_discord_database_port }}/{{ matrix_appservice_discord_database_name }}'
+
+
 # Tells whether the bot should make use of "Privileged Gateway Intents".
 #
 # Enabling this means that you need to enable it for the bot (Discord application) as well,

roles/matrix-bridge-appservice-discord/tasks/setup_install.yml

@@ -1,5 +1,31 @@
 ---
 
+- set_fact:
+    matrix_appservice_discord_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_appservice_discord_sqlite_database_path_local }}"
+      register: matrix_appservice_discord_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_appservice_discord_sqlite_database_path_local }}"
+              dst: "{{ matrix_appservice_discord_database_connString }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_appservice_discord_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-appservice-discord.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_appservice_discord_requires_restart: true
+      when: "matrix_appservice_discord_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_appservice_discord_database_engine == 'postgres'"
+
 - name: Ensure Appservice Discord image is pulled
   docker_image:
     name: "{{ matrix_appservice_discord_docker_image }}"
@@ -80,3 +106,9 @@
   service:
     daemon_reload: yes
   when: "matrix_appservice_discord_systemd_service_result.changed"
+
+- name: Ensure matrix-appservice-discord.service restarted, if necessary
+  service:
+    name: "matrix-appservice-discord.service"
+    state: restarted
+  when: "matrix_appservice_discord_requires_restart|bool"

roles/matrix-bridge-appservice-discord/tasks/validate_config.yml

@@ -20,3 +20,7 @@
   when: "item.old in vars"
   with_items:
     - {'old': 'matrix_appservice_discord_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_discord_container_http_host_bind_port>'}
+
+- name: Require a valid database engine
+  fail: msg="`matrix_appservice_discord_database_engine` needs to be either 'sqlite' or 'postgres'"
+  when: "matrix_appservice_discord_database_engine not in ['sqlite', 'postgres']"

roles/matrix-bridge-appservice-discord/templates/config.yaml.j2

@@ -58,8 +58,11 @@ database:
   # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
   # WARNING: You will almost certainly be fine with sqlite unless your bridge
   # is in heavy demand and you suffer from IO slowness.
-  filename: "/data/discord.db"
-  # connString: "postgresql://user:password@localhost/database_name"
+  {% if matrix_appservice_discord_database_engine == 'sqlite' %}
+  filename: {{ matrix_appservice_discord_database_filename|to_json }}
+  {% else %}
+  connString: {{ matrix_appservice_discord_database_connString|to_json }}
+  {% endif %}
 room:
   # Set the default visibility of alias rooms, defaults to "public".
   # One of: "public", "private"

roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -16,6 +16,25 @@ matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}'
 matrix_appservice_irc_homeserver_enablePresence: true
 matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999'
 
+matrix_appservice_irc_database_engine: nedb
+matrix_appservice_irc_database_username: matrix_appservice_irc
+matrix_appservice_irc_database_password: ~
+matrix_appservice_irc_database_hostname: 'matrix-postgres'
+matrix_appservice_irc_database_port: 5432
+matrix_appservice_irc_database_name: matrix_appservice_irc
+
+# This is just the Postgres connection string, if Postgres is used.
+# Naming clashes with `matrix_appservice_irc_database_connectionString` somewhat.
+matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable'
+
+# This is what actually goes into `database.connectionString` for the bridge.
+matrix_appservice_irc_database_connectionString: "{{
+	{
+		'nedb': 'nedb:///data',
+		'postgres': matrix_appservice_irc_database_connection_string,
+	}[matrix_appservice_irc_database_engine]
+}}"
+
 matrix_appservice_irc_ircService_servers: []
 
 # Example of `matrix_appservice_irc_ircService_servers` with one server (and all its options):

roles/matrix-bridge-appservice-irc/tasks/migrate_nedb_to_postgres.yml

@@ -0,0 +1,64 @@
+- name: Fail if Postgres not enabled
+  fail:
+    msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate."
+  when: "not matrix_postgres_enabled|bool"
+
+# Defaults
+
+- name: Set postgres_start_wait_time, if not provided
+  set_fact:
+    postgres_start_wait_time: 15
+  when: "postgres_start_wait_time|default('') == ''"
+
+# Actual import work
+
+- name: Ensure matrix-postgres is started
+  service:
+    name: matrix-postgres
+    state: started
+    daemon_reload: yes
+  register: matrix_postgres_service_start_result
+
+- name: Wait a bit, so that Postgres can start
+  wait_for:
+    timeout: "{{ postgres_start_wait_time }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "matrix_postgres_service_start_result.changed|bool"
+
+- name: Ensure matrix-appservice-irc is stopped
+  service:
+    name: matrix-appservice-irc
+    state: stopped
+
+- name: Import appservice-irc NeDB database into Postgres
+  command:
+    cmd: >-
+      {{ matrix_host_command_docker }} run
+      --rm
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --network={{ matrix_docker_network }}
+      --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data
+      --entrypoint=/bin/sh
+      {{ matrix_appservice_irc_docker_image }}
+      -c
+      '/usr/local/bin/node /app/lib/scripts/migrate-db-to-pgres.js --dbdir /data --privateKey /data/passkey.pem --connectionString {{ matrix_appservice_irc_database_connection_string }}'
+
+- name: Archive NeDB database files
+  command:
+    cmd: "mv {{ matrix_appservice_irc_data_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}.backup"
+  with_items:
+    - rooms.db
+    - users.db
+
+- name: Inject result
+  set_fact:
+    matrix_playbook_runtime_results: |
+      {{
+        matrix_playbook_runtime_results|default([])
+        +
+        [
+          "NOTE: Your appservice-irc database files have been imported into Postgres. The original database files have been moved from `{{ matrix_appservice_irc_data_path }}/*.db` to `{{ matrix_appservice_irc_data_path }}/*.db.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete these files."
+        ]
+      }}

roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -1,12 +1,5 @@
 ---
 
-- name: Ensure Appservice IRC image is pulled
-  docker_image:
-    name: "{{ matrix_appservice_irc_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}"
-
 - name: Ensure Appservice IRC paths exist
   file:
     path: "{{ item }}"
@@ -24,25 +17,48 @@
     path: "{{ matrix_appservice_irc_base_path }}/passkey.pem"
   register: matrix_appservice_irc_stat_passkey
 
-- name: (Data relocation) Ensure matrix-appservice-irc.service is stopped
-  service:
-    name: matrix-appservice-irc
-    state: stopped
-    daemon_reload: yes
-  failed_when: false
+- block:
+    - name: (Data relocation) Ensure matrix-appservice-irc.service is stopped
+      service:
+        name: matrix-appservice-irc
+        state: stopped
+        daemon_reload: yes
+      failed_when: false
+
+    - name: (Data relocation) Move AppService IRC passkey.pem file to ./data directory
+      command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem"
+
+    - name: (Data relocation) Move AppService IRC database files to ./data directory
+      command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}"
+      with_items:
+        - rooms.db
+        - users.db
+      failed_when: false
   when: "matrix_appservice_irc_stat_passkey.stat.exists"
 
-- name: (Data relocation) Move AppService IRC passkey.pem file to ./data directory
-  command: "mv {{ matrix_appservice_irc_base_path }}/passkey.pem {{ matrix_appservice_irc_data_path }}/passkey.pem"
-  when: "matrix_appservice_irc_stat_passkey.stat.exists"
+- set_fact:
+    matrix_appservice_irc_requires_restart: false
 
-- name: (Data relocation) Move AppService IRC database files to ./data directory
-  command: "mv {{ matrix_appservice_irc_base_path }}/{{ item }} {{ matrix_appservice_irc_data_path }}/{{ item }}"
-  with_items:
-    - rooms.db
-    - users.db
-  failed_when: false
-  when: "matrix_appservice_irc_stat_passkey.stat.exists"
+- block:
+    - name: Check if a nedb database already exists
+      stat:
+        path: "{{ matrix_appservice_irc_data_path }}/users.db"
+      register: matrix_appservice_irc_nedb_database_path_local_stat_result
+
+    - block:
+        - import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml"
+
+        - set_fact:
+            matrix_appservice_irc_requires_restart: true
+      when: "matrix_appservice_irc_nedb_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_appservice_irc_database_engine == 'postgres'"
+
+- name: Ensure Appservice IRC image is pulled
+  docker_image:
+    name: "{{ matrix_appservice_irc_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}"
 
 - name: Ensure Matrix Appservice IRC config installed
   copy:
@@ -147,3 +163,9 @@
   service:
     daemon_reload: yes
   when: "matrix_appservice_irc_systemd_service_result.changed"
+
+- name: Ensure matrix-appservice-irc.service restarted, if necessary
+  service:
+    name: "matrix-appservice-irc.service"
+    state: restarted
+  when: "matrix_appservice_irc_requires_restart|bool"

roles/matrix-bridge-appservice-irc/templates/config.yaml.j2

@@ -127,8 +127,8 @@ advanced:
 # Use an external database to store bridge state.
 database:
   # database engine (must be 'postgres' or 'nedb'). Default: nedb
-  engine: "nedb"
+  engine: {{ matrix_appservice_irc_database_engine|to_json }}
   # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
   # For postgres, it must start with postgres://
   # For NeDB, it must start with nedb://. The path is relative to the project directory.
-  connectionString: "nedb:///data"
+  connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }}

roles/matrix-bridge-appservice-slack/defaults/main.yml

@@ -45,6 +45,26 @@ matrix_appservice_slack_appservice_token: ''
 matrix_appservice_slack_homeserver_token: ''
 matrix_appservice_slack_id_token: ''
 
+matrix_appservice_slack_database_engine: nedb
+matrix_appservice_slack_database_username: matrix_appservice_slack
+matrix_appservice_slack_database_password: ~
+matrix_appservice_slack_database_hostname: 'matrix-postgres'
+matrix_appservice_slack_database_port: 5432
+matrix_appservice_slack_database_name: matrix_appservice_slack
+
+# This is just the Postgres connection string, if Postgres is used.
+# Naming clashes with `matrix_appservice_slack_database_connectionString` somewhat.
+matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable'
+
+# This is what actually goes into `database.connectionString` for the bridge.
+matrix_appservice_slack_database_connectionString: "{{
+	{
+		'nedb': 'nedb:///data',
+		'postgres': matrix_appservice_slack_database_connection_string,
+	}[matrix_appservice_slack_database_engine]
+}}"
+
+
 matrix_appservice_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
 
 matrix_appservice_slack_configuration_extension_yaml: |

roles/matrix-bridge-appservice-slack/tasks/migrate_nedb_to_postgres.yml

@@ -0,0 +1,66 @@
+- name: Fail if Postgres not enabled
+  fail:
+    msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot migrate."
+  when: "not matrix_postgres_enabled|bool"
+
+# Defaults
+
+- name: Set postgres_start_wait_time, if not provided
+  set_fact:
+    postgres_start_wait_time: 15
+  when: "postgres_start_wait_time|default('') == ''"
+
+# Actual import work
+
+- name: Ensure matrix-postgres is started
+  service:
+    name: matrix-postgres
+    state: started
+    daemon_reload: yes
+  register: matrix_postgres_service_start_result
+
+- name: Wait a bit, so that Postgres can start
+  wait_for:
+    timeout: "{{ postgres_start_wait_time }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "matrix_postgres_service_start_result.changed|bool"
+
+- name: Ensure matrix-appservice-slack is stopped
+  service:
+    name: matrix-appservice-slack
+    state: stopped
+
+- name: Import appservice-slack NeDB database into Postgres
+  command:
+    cmd: >-
+      {{ matrix_host_command_docker }} run
+      --rm
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --network={{ matrix_docker_network }}
+      --mount type=bind,src={{ matrix_appservice_slack_data_path }},dst=/data
+      --entrypoint=/bin/sh
+      {{ matrix_appservice_slack_docker_image }}
+      -c
+      '/usr/local/bin/node /usr/src/app/lib/scripts/migrateToPostgres.js --dbdir /data --connectionString {{ matrix_appservice_slack_database_connection_string }}'
+
+- name: Archive NeDB database files
+  command:
+    cmd: "mv {{ matrix_appservice_slack_data_path }}/{{ item }} {{ matrix_appservice_slack_data_path }}/{{ item }}.backup"
+  with_items:
+    - teams.db
+    - room-store.db
+    - user-store.db
+    - event-store.db
+
+- name: Inject result
+  set_fact:
+    matrix_playbook_runtime_results: |
+      {{
+        matrix_playbook_runtime_results|default([])
+        +
+        [
+          "NOTE: Your appservice-slack database files have been imported into Postgres. The original database files have been moved from `{{ matrix_appservice_slack_data_path }}/*.db` to `{{ matrix_appservice_slack_data_path }}/*.db.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete these files."
+        ]
+      }}

roles/matrix-bridge-appservice-slack/tasks/setup_install.yml

@@ -1,12 +1,5 @@
 ---
 
-- name: Ensure Appservice Slack image is pulled
-  docker_image:
-    name: "{{ matrix_appservice_slack_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}"
-
 - name: Ensure AppService Slack paths exist
   file:
     path: "{{ item }}"
@@ -19,6 +12,30 @@
     - "{{ matrix_appservice_slack_config_path }}"
     - "{{ matrix_appservice_slack_data_path }}"
 
+- set_fact:
+    matrix_appservice_slack_requires_restart: false
+
+- block:
+    - name: Check if a nedb database already exists
+      stat:
+        path: "{{ matrix_appservice_slack_data_path }}/teams.db"
+      register: matrix_appservice_slack_nedb_database_path_local_stat_result
+
+    - block:
+        - import_tasks: "{{ role_path }}/tasks/migrate_nedb_to_postgres.yml"
+
+        - set_fact:
+            matrix_appservice_slack_requires_restart: true
+      when: "matrix_appservice_slack_nedb_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_appservice_slack_database_engine == 'postgres'"
+
+- name: Ensure Appservice Slack image is pulled
+  docker_image:
+    name: "{{ matrix_appservice_slack_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}"
+
 - name: Ensure Matrix Appservice Slack config installed
   copy:
     content: "{{ matrix_appservice_slack_configuration|to_nice_yaml }}"
@@ -46,3 +63,9 @@
   service:
     daemon_reload: yes
   when: "matrix_appservice_slack_systemd_service_result.changed"
+
+- name: Ensure matrix-appservice-slack.service restarted, if necessary
+  service:
+    name: "matrix-appservice-slack.service"
+    state: restarted
+  when: "matrix_appservice_slack_requires_restart|bool"

roles/matrix-bridge-appservice-slack/tasks/validate_config.yml

@@ -9,4 +9,4 @@
     - "matrix_appservice_slack_control_room_id"
     - "matrix_appservice_slack_appservice_token"
     - "matrix_appservice_slack_homeserver_token"
-    - "matrix_appservice_slack_id_token"
+    - "matrix_appservice_slack_id_token"

roles/matrix-bridge-appservice-slack/templates/config.yaml.j2

@@ -9,6 +9,12 @@ homeserver:
     url: "{{ matrix_appservice_slack_homeserver_url }}"
     server_name: "{{ matrix_domain }}"
 
+{% if matrix_appservice_slack_database_engine == 'nedb' %}
 dbdir: "/data"
+{% else %}
+db:
+    engine: {{ matrix_appservice_slack_database_engine|to_json }}
+    connectionString: {{ matrix_appservice_slack_database_connectionString|to_json }}
+{% endif %}
 
 matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}"

roles/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -32,6 +32,35 @@ matrix_mautrix_facebook_systemd_wanted_services_list: []
 matrix_mautrix_facebook_appservice_token: ''
 matrix_mautrix_facebook_homeserver_token: ''
 
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_mautrix_facebook_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables
+matrix_mautrix_facebook_database_engine: 'sqlite'
+
+matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
+matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db"
+
+matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook'
+matrix_mautrix_facebook_database_password: 'some-password'
+matrix_mautrix_facebook_database_hostname: 'matrix-postgres'
+matrix_mautrix_facebook_database_port: 5432
+matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook'
+
+matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}'
+
+matrix_mautrix_facebook_appservice_database: "{{
+	{
+		'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container),
+		'postgres': matrix_mautrix_facebook_database_connection_string,
+	}[matrix_mautrix_facebook_database_engine]
+}}"
+
+
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_facebook_login_shared_secret: ''
 

roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml

@@ -8,6 +8,32 @@
       The matrix-bridge-mautrix-facebook role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
+- set_fact:
+    matrix_mautrix_facebook_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}"
+      register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}"
+              dst: "{{ matrix_mautrix_facebook_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mautrix_facebook_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mautrix-facebook.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mautrix_facebook_requires_restart: true
+      when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mautrix_facebook_database_engine == 'postgres'"
+
 - name: Ensure Mautrix Facebook image is pulled
   docker_image:
     name: "{{ matrix_mautrix_facebook_docker_image }}"
@@ -94,3 +120,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mautrix_facebook_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-facebook.service restarted, if necessary
+  service:
+    name: "matrix-mautrix-facebook.service"
+    state: restarted
+  when: "matrix_mautrix_facebook_requires_restart|bool"

roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2

@@ -27,7 +27,7 @@ appservice:
     # Format examples:
     #   SQLite:   sqlite:///filename.db
     #   Postgres: postgres://username:password@hostname/dbname
-    database: sqlite:////data/mautrix-facebook.db
+    database: {{ matrix_mautrix_facebook_appservice_database|to_json }}
 
     # Public part of web server for out-of-Matrix interaction with the bridge.
     public:

roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2

@@ -18,6 +18,7 @@ ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-fac
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_facebook_config_path }}:/config:z \
 			-v {{ matrix_mautrix_facebook_data_path }}:/data:z \
 			{{ matrix_mautrix_facebook_docker_image }} \

roles/matrix-bridge-mautrix-hangouts/defaults/main.yml

@@ -39,6 +39,35 @@ matrix_mautrix_hangouts_systemd_wanted_services_list: []
 matrix_mautrix_hangouts_appservice_token: ''
 matrix_mautrix_hangouts_homeserver_token: ''
 
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables
+matrix_mautrix_hangouts_database_engine: 'sqlite'
+
+matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
+matrix_mautrix_hangouts_sqlite_database_path_in_container: "/data/mautrix-hangouts.db"
+
+matrix_mautrix_hangouts_database_username: 'matrix_mautrix_hangouts'
+matrix_mautrix_hangouts_database_password: 'some-password'
+matrix_mautrix_hangouts_database_hostname: 'matrix-postgres'
+matrix_mautrix_hangouts_database_port: 5432
+matrix_mautrix_hangouts_database_name: 'matrix_mautrix_hangouts'
+
+matrix_mautrix_hangouts_database_connection_string: 'postgres://{{ matrix_mautrix_hangouts_database_username }}:{{ matrix_mautrix_hangouts_database_password }}@{{ matrix_mautrix_hangouts_database_hostname }}:{{ matrix_mautrix_hangouts_database_port }}/{{ matrix_mautrix_hangouts_database_name }}'
+
+matrix_mautrix_hangouts_appservice_database: "{{
+	{
+		'sqlite': ('sqlite:///' + matrix_mautrix_hangouts_sqlite_database_path_in_container),
+		'postgres': matrix_mautrix_hangouts_database_connection_string,
+	}[matrix_mautrix_hangouts_database_engine]
+}}"
+
+
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_hangouts_login_shared_secret: ''
 

roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -8,6 +8,32 @@
       The matrix-bridge-mautrix-hangouts role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
+- set_fact:
+    matrix_mautrix_hangouts_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}"
+      register: matrix_mautrix_hangouts_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mautrix_hangouts_sqlite_database_path_local }}"
+              dst: "{{ matrix_mautrix_hangouts_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mautrix_hangouts_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mautrix-hangouts.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mautrix_hangouts_requires_restart: true
+      when: "matrix_mautrix_hangouts_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mautrix_hangouts_database_engine == 'postgres'"
+
 - name: Ensure Mautrix Hangouts image is pulled
   docker_image:
     name: "{{ matrix_mautrix_hangouts_docker_image }}"
@@ -93,3 +119,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mautrix_hangouts_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-hangouts.service restarted, if necessary
+  service:
+    name: "matrix-mautrix-hangouts.service"
+    state: restarted
+  when: "matrix_mautrix_hangouts_requires_restart|bool"

roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2

@@ -27,7 +27,7 @@ appservice:
     # Format examples:
     #   SQLite:   sqlite:///filename.db
     #   Postgres: postgres://username:password@hostname/dbname
-    database: sqlite:////data/mautrix-hangouts.db
+    database: {{ matrix_mautrix_hangouts_appservice_database|to_json }}
 
     # The unique ID of this appservice.
     id: hangouts

roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2

@@ -18,6 +18,7 @@ ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-han
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_hangouts_config_path }}:/config:z \
 			-v {{ matrix_mautrix_hangouts_data_path }}:/data:z \
 			{{ matrix_mautrix_hangouts_docker_image }} \

roles/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -0,0 +1,95 @@
+# mautrix-signal is a Matrix <-> Signal bridge
+# See: https://github.com/tulir/mautrix-signal
+
+matrix_mautrix_signal_enabled: true
+
+# See: https://mau.dev/tulir/mautrix-signal/container_registry
+matrix_mautrix_signal_docker_image: "dock.mau.dev/tulir/mautrix-signal:latest"
+matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:latest"
+matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"
+matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge"
+matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald"
+
+matrix_mautrix_signal_homeserver_address: ''
+matrix_mautrix_signal_homeserver_domain: ''
+matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328'
+
+# Controls whether the matrix-mautrix-signal container exposes its port (tcp/29328 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose.
+matrix_mautrix_signal_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_mautrix_signal_container_extra_arguments: []
+
+# List of systemd services that matrix-mautrix-signal.service depends on.
+matrix_mautrix_signal_systemd_required_services_list:
+  - 'docker.service'
+  - 'matrix-mautrix-signal-daemon.service'
+
+# List of systemd services that matrix-mautrix-signal.service wants
+matrix_mautrix_signal_systemd_wanted_services_list: []
+
+# List of systemd services that matrix-mautrix-signal-daemon.service depends on.
+matrix_mautrix_signal_daemon_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-mautrix-signal-daemon.service wants
+matrix_mautrix_signal_daemon_systemd_wanted_services_list: []
+
+matrix_mautrix_signal_appservice_token: ''
+matrix_mautrix_signal_homeserver_token: ''
+
+# Database-related configuration fields
+#
+# This bridge only supports postgres.
+#
+matrix_mautrix_signal_database_engine: 'postgres'
+
+matrix_mautrix_signal_database_username: 'matrix_mautrix_signal'
+matrix_mautrix_signal_database_password: 'some-password'
+matrix_mautrix_signal_database_hostname: 'matrix-postgres'
+matrix_mautrix_signal_database_port: 5432
+matrix_mautrix_signal_database_name: 'matrix_mautrix_signal'
+
+matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}'
+
+matrix_mautrix_signal_appservice_database: "{{
+ 	{
+ 		'postgres': matrix_mautrix_facebook_database_connection_string,
+ 	}[matrix_mautrix_signal_database_engine]
+ }}"
+
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+matrix_mautrix_signal_login_shared_secret: ''
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mautrix_signal_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mautrix_signal_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_mautrix_signal_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_mautrix_signal_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mautrix_signal_configuration_yaml`.
+
+matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configuration_extension_yaml|from_yaml if matrix_mautrix_signal_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_signal_configuration_yaml`.
+matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml|from_yaml|combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}"
+
+matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}"
+
+matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml|from_yaml }}"
+
+matrix_mautrix_signal_log_level: 'DEBUG'

roles/matrix-bridge-mautrix-signal/tasks/init.yml

@@ -0,0 +1,16 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}"
+  when: matrix_mautrix_signal_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"]
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/matrix-mautrix-signal-registration.yaml"] }}
+  when: matrix_mautrix_signal_enabled|bool

roles/matrix-bridge-mautrix-signal/tasks/main.yml

@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_mautrix_signal_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-signal
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_mautrix_signal_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-signal
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_mautrix_signal_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-signal

roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml

@@ -0,0 +1,72 @@
+---
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-mautrix-signal role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- name: Ensure Mautrix Signal image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_signal_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
+  when: matrix_mautrix_signal_enabled|bool
+
+- name: Ensure Mautrix Signal Daemon image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_signal_daemon_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
+  when: matrix_mautrix_signal_enabled|bool
+
+- name: Ensure Mautrix Signal paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_mautrix_signal_base_path }}"
+    - "{{ matrix_mautrix_signal_config_path }}"
+    - "{{ matrix_mautrix_signal_daemon_path }}"
+
+- name: Ensure mautrix-signal config.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_signal_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_signal_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-signal registration.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_signal_registration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_signal_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-mautrix-signal-daemon.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-daemon.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service"
+    mode: 0644
+  register: matrix_mautrix_signal_daemon_systemd_service_result
+
+- name: Ensure matrix-mautrix-signal.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service"
+    mode: 0644
+  register: matrix_mautrix_signal_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-mautrix-signal.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_systemd_service_result.changed or matrix_mautrix_signal_daemon_systemd_service_result.changed"

roles/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml

@@ -0,0 +1,45 @@
+---
+
+# Signal daemon service
+- name: Check existence of matrix-mautrix-signal-daemon service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service"
+  register: matrix_mautrix_signal_daemon_service_stat
+
+- name: Ensure matrix-mautrix-signal-daemon is stopped
+  service:
+    name: matrix-mautrix-signal-daemon
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_daemon_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-signal-daemon.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal-daemon.service"
+    state: absent
+  when: "matrix_mautrix_signal_daemon_service_stat.stat.exists"
+
+# Bridge service
+- name: Check existence of matrix-mautrix-signal service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service"
+  register: matrix_mautrix_signal_service_stat
+
+- name: Ensure matrix-mautrix-signal is stopped
+  service:
+    name: matrix-mautrix-signal
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-signal.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-signal.service"
+    state: absent
+  when: "matrix_mautrix_signal_service_stat.stat.exists"
+
+# All services
+- name: Ensure systemd reloaded after matrix-mautrix-signal_X.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_signal_service_stat.stat.exists or matrix_mautrix_signal_daemon_service_stat.stat.exists"

roles/matrix-bridge-mautrix-signal/tasks/validate_config.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Fail if required settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_mautrix_signal_homeserver_domain"
+    - "matrix_mautrix_signal_homeserver_address"
+    - "matrix_mautrix_signal_homeserver_token"
+    - "matrix_mautrix_signal_appservice_token"
+
+- name: (Deprecation) Catch and report renamed Signal variables
+  fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_signal_container_exposed_port_number', 'new': '<superseded by matrix_mautrix_signal_container_http_host_bind_port>'}
+    - {'old': 'matrix_mautrix_signal_db_user', 'new': 'matrix_mautrix_signal_database_username'}
+    - {'old': 'matrix_mautrix_signal_db_password', 'new': 'matrix_mautrix_signal_database_password'}
+    - {'old': 'matrix_mautrix_signal_db_database', 'new': 'matrix_mautrix_signal_database_name'}
+    - {'old': 'matrix_mautrix_signal_db_host', 'new': 'matrix_mautrix_signal_database_hostname'}
+    - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'}
+    - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'}
+    - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': '<superseded by matrix_mautrix_signal_configuration_extension_yaml>'}

roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -0,0 +1,202 @@
+#jinja2: lstrip_blocks: "True"
+# Homeserver details
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: {{ matrix_mautrix_signal_homeserver_address }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix_mautrix_signal_homeserver_domain }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+    asmux: false
+
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: {{ matrix_mautrix_signal_appservice_address }}
+    # When using https:// the TLS certificate and key files for the address.
+    tls_cert: false
+    tls_key: false
+
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29328
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+
+    # The full URI to the database. Only Postgres is currently supported.
+    database: {{ matrix_mautrix_signal_database_connection_string }}
+
+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: true
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision/v1
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: generate
+
+    # The unique ID of this appservice.
+    id: signal
+    # Username of the appservice bot.
+    bot_username: signalbot
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Signal bridge bot
+    bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
+
+    # Community ID for bridged users (changes registration file) and rooms.
+    # Must be created manually.
+    #
+    # Example: "+signal:example.com". Set to false to disable.
+    community_id: false
+
+    # Authentication tokens for AS <-> HS communication.
+    as_token: "{{ matrix_mautrix_signal_appservice_token }}"
+    hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"
+
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+
+signal:
+    # Path to signald unix socket
+    socket_path: /signald/signald.sock
+    # Directory for temp files when sending files to Signal. This should be an
+    # absolute path that signald can read. For attachments in the other direction,
+    # make sure signald is configured to use an absolute path as the data directory.
+    outgoing_attachment_dir: /signald/attachments
+    # Directory where signald stores avatars for groups.
+    avatar_dir: /signald/avatars
+    # Directory where signald stores auth data. Used to delete data when logging out.
+    data_dir: /signald/data
+    # Whether or not message attachments should be removed from disk after they're bridged.
+    remove_file_after_handling: true
+
+# Bridge config
+bridge:
+    # Localpart template of MXIDs for Signal users.
+    # {userid} is replaced with an identifier for the Signal user.
+    username_template: "signal_{userid}"
+    # Displayname template for Signal users.
+    # {displayname} is replaced with the displayname of the Signal user, which is the first
+    # available variable in displayname_preference. The variables in displayname_preference
+    # can also be used here directly.
+    displayname_template: "{displayname} (Signal)"
+    # Whether or not contact list displaynames should be used.
+    # Using this isn't recommended on multi-user instances.
+    allow_contact_list_name_updates: false
+    # Available variables: full_name, first_name, last_name, phone, uuid
+    displayname_preference:
+    - full_name
+    - phone
+
+    # Whether or not to create portals for all groups on login/connect.
+    autocreate_group_portal: true
+    # Whether or not to create portals for all contacts on login/connect.
+    autocreate_contact_portal: false
+    # Whether or not to use /sync to get read receipts and typing notifications
+    # when double puppeting is enabled
+    sync_with_custom_puppets: true
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
+    double_puppet_server_map: {}
+    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, custom puppets will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    # If using this for other servers than the bridge's server,
+    # you must also set the URL in the double_puppet_server_map.
+    login_shared_secret_map:
+        {{ matrix_mautrix_signal_homeserver_domain }}: {{ matrix_mautrix_signal_login_shared_secret|to_json }}
+    # Whether or not created rooms should have federation enabled.
+    # If false, created portal rooms will never be federated.
+    federate_rooms: true
+    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
+    # and login_shared_secret to be configured in order to get a device for the bridge bot.
+    #
+    # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
+    # application service.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: false
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: false
+        # Options for automatic key sharing.
+        key_sharing:
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow: false
+            # Require the requesting device to have a valid cross-signing signature?
+            # This doesn't require that the bridge has verified the device, only that the user has verified it.
+            # Not yet implemented.
+            require_cross_signing: false
+            # Require devices to be verified by the bridge?
+            # Verification by the bridge is not yet implemented.
+            require_verification: true
+    # Whether or not to explicitly set the avatar and room name for private
+    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
+    private_chat_portal_meta: false
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+    # been sent to Signal. This let's you check manually whether the bridge is receiving your
+    # messages.
+    # Note that this is not related to Signal delivery receipts.
+    delivery_receipts: false
+    # Whether or not delivery errors should be reported as messages in the Matrix room. (not yet implemented)
+    delivery_error_reports: false
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: "!signal"
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #       user - Use the bridge with puppeting.
+    #      admin - Use and administrate the bridge.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+      '{{ matrix_mautrix_signal_homeserver_domain }}': user
+
+
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+    version: 1
+    formatters:
+        colored:
+            (): mautrix_signal.util.ColorFormatter
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+        normal:
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    handlers:
+        console:
+            class: logging.StreamHandler
+            formatter: colored
+    loggers:
+        mau:
+            level: {{ matrix_mautrix_signal_log_level }}
+        aiohttp:
+            level: INFO
+    root:
+        level: {{ matrix_mautrix_signal_log_level }}
+        handlers: [console]

roles/matrix-bridge-mautrix-signal/templates/registration.yaml.j2

@@ -0,0 +1,14 @@
+#jinja2: lstrip_blocks: "True"
+id: signal
+as_token: "{{ matrix_mautrix_signal_appservice_token }}"
+hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"
+namespaces:
+    users:
+    - exclusive: true
+      regex: '^@signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$'
+    aliases:
+    - exclusive: true
+      regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain|regex_escape }}$'
+url: {{ matrix_mautrix_signal_appservice_address }}
+sender_localpart: signalbot
+rate_limited: false

roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2

@@ -0,0 +1,38 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix Signal daemon
+
+{% for service in matrix_mautrix_signal_daemon_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+{% for service in matrix_mautrix_signal_daemon_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+
+ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon
+ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--network={{ matrix_docker_network }} \
+			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
+			{{ matrix_mautrix_signal_daemon_docker_image }}
+
+ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon
+ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-signal-daemon
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2

@@ -0,0 +1,44 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix Signal server
+
+{% for service in matrix_mautrix_signal_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+{% for service in matrix_mautrix_signal_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal
+ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal \
+			--log-driver=none \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_mautrix_signal_container_http_host_bind_port %}
+			-p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \
+			{% endif %}
+			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
+			-v {{ matrix_mautrix_signal_config_path }}:/data:z \
+			{% for arg in matrix_mautrix_signal_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_mautrix_signal_docker_image }} \
+			python3 -m mautrix_signal -c /data/config.yaml
+
+ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal
+ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-signal
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -43,6 +43,35 @@ matrix_mautrix_telegram_systemd_wanted_services_list: []
 matrix_mautrix_telegram_appservice_token: ''
 matrix_mautrix_telegram_homeserver_token: ''
 
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables
+matrix_mautrix_telegram_database_engine: 'sqlite'
+
+matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
+matrix_mautrix_telegram_sqlite_database_path_in_container: "/data/mautrix-telegram.db"
+
+matrix_mautrix_telegram_database_username: 'matrix_mautrix_telegram'
+matrix_mautrix_telegram_database_password: 'some-password'
+matrix_mautrix_telegram_database_hostname: 'matrix-postgres'
+matrix_mautrix_telegram_database_port: 5432
+matrix_mautrix_telegram_database_name: 'matrix_mautrix_telegram'
+
+matrix_mautrix_telegram_database_connection_string: 'postgres://{{ matrix_mautrix_telegram_database_username }}:{{ matrix_mautrix_telegram_database_password }}@{{ matrix_mautrix_telegram_database_hostname }}:{{ matrix_mautrix_telegram_database_port }}/{{ matrix_mautrix_telegram_database_name }}'
+
+matrix_mautrix_telegram_appservice_database: "{{
+	{
+		'sqlite': ('sqlite:///' + matrix_mautrix_telegram_sqlite_database_path_in_container),
+		'postgres': matrix_mautrix_telegram_database_connection_string,
+	}[matrix_mautrix_telegram_database_engine]
+}}"
+
+
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_telegram_login_shared_secret: ''
 

roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml

@@ -8,6 +8,32 @@
       The matrix-bridge-mautrix-telegram role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
+- set_fact:
+    matrix_mautrix_telegram_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}"
+      register: matrix_mautrix_telegram_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mautrix_telegram_sqlite_database_path_local }}"
+              dst: "{{ matrix_mautrix_telegram_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mautrix_telegram_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mautrix-telegram.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mautrix_telegram_requires_restart: true
+      when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mautrix_telegram_database_engine == 'postgres'"
+
 - name: Ensure Mautrix Telegram image is pulled
   docker_image:
     name: "{{ matrix_mautrix_telegram_docker_image }}"
@@ -71,3 +97,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mautrix_telegram_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-telegram.service restarted, if necessary
+  service:
+    name: "matrix-mautrix-telegram.service"
+    state: restarted
+  when: "matrix_mautrix_telegram_requires_restart|bool"

roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2

@@ -27,7 +27,7 @@ appservice:
     # Format examples:
     #   SQLite:   sqlite:///filename.db
     #   Postgres: postgres://username:password@hostname/dbname
-    database: sqlite:////data/mautrix-telegram.db
+    database: {{ matrix_mautrix_telegram_appservice_database|to_json }}
 
     # Public part of web server for out-of-Matrix interaction with the bridge.
     # Used for things like login if the user wants to make sure the 2FA password isn't stored in

roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -27,6 +27,42 @@ matrix_mautrix_whatsapp_systemd_wanted_services_list: []
 matrix_mautrix_whatsapp_appservice_token: ''
 matrix_mautrix_whatsapp_homeserver_token: ''
 
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables
+matrix_mautrix_whatsapp_database_engine: 'sqlite'
+
+matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
+matrix_mautrix_whatsapp_sqlite_database_path_in_container: "/data/mautrix-whatsapp.db"
+
+matrix_mautrix_whatsapp_database_username: 'matrix_mautrix_whatsapp'
+matrix_mautrix_whatsapp_database_password: 'some-password'
+matrix_mautrix_whatsapp_database_hostname: 'matrix-postgres'
+matrix_mautrix_whatsapp_database_port: 5432
+matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp'
+
+matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode=disable'
+
+matrix_mautrix_whatsapp_appservice_database_type: "{{
+	{
+		'sqlite': 'sqlite3',
+		'postgres':'postgres',
+	}[matrix_mautrix_whatsapp_database_engine]
+}}"
+
+matrix_mautrix_whatsapp_appservice_database_uri: "{{
+	{
+		'sqlite': matrix_mautrix_whatsapp_sqlite_database_path_in_container,
+		'postgres': matrix_mautrix_whatsapp_database_connection_string,
+	}[matrix_mautrix_whatsapp_database_engine]
+}}"
+
+
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_whatsapp_login_shared_secret: ''
 

roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml

@@ -8,6 +8,32 @@
       The matrix-bridge-mautrix-whatsapp role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
+- set_fact:
+    matrix_mautrix_whatsapp_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}"
+      register: matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mautrix_whatsapp_sqlite_database_path_local }}"
+              dst: "{{ matrix_mautrix_whatsapp_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mautrix_whatsapp_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mautrix-whatsapp.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mautrix_whatsapp_requires_restart: true
+      when: "matrix_mautrix_whatsapp_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mautrix_whatsapp_database_engine == 'postgres'"
+
 - name: Ensure Mautrix Whatsapp image is pulled
   docker_image:
     name: "{{ matrix_mautrix_whatsapp_docker_image }}"
@@ -26,12 +52,12 @@
     - "{{ matrix_mautrix_whatsapp_base_path }}"
     - "{{ matrix_mautrix_whatsapp_config_path }}"
     - "{{ matrix_mautrix_whatsapp_data_path }}"
-    
+
 - name: Check if an old database file exists
   stat:
     path: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db"
   register: matrix_mautrix_whatsapp_stat_database
-  
+
 - name: Check if an old matrix state file exists
   stat:
     path: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json"
@@ -48,7 +74,7 @@
 - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory
   command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
   when: "matrix_mautrix_whatsapp_stat_database.stat.exists"
-  
+
 - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory
   command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json"
   when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists"
@@ -80,3 +106,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mautrix_whatsapp_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-whatsapp.service restarted, if necessary
+  service:
+    name: "matrix-mautrix-whatsapp.service"
+    state: restarted
+  when: "matrix_mautrix_whatsapp_requires_restart|bool"

roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -19,11 +19,11 @@ appservice:
     # Database config.
     database:
         # The database type. "sqlite3" and "postgres" are supported.
-        type: sqlite3
+        type: {{ matrix_mautrix_whatsapp_appservice_database_type|to_json }}
         # The database URI.
         #   SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
         #   Postgres: Connection string. For example, postgres://user:password@host/database
-        uri: mautrix-whatsapp.db
+        uri: {{ matrix_mautrix_whatsapp_appservice_database_uri|to_json }}
         # Maximum number of connections. Mostly relevant for Postgres.
         max_open_conns: 20
         max_idle_conns: 2

roles/matrix-bridge-mx-puppet-discord/defaults/main.yml

@@ -55,6 +55,20 @@ matrix_mx_puppet_discord_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_discord_login_shared_secret: ''
 
+# Database configuration
+matrix_mx_puppet_discord_database_engine: 'sqlite'
+
+matrix_mx_puppet_discord_sqlite_database_path_local: "{{ matrix_mx_puppet_discord_data_path }}/database.db"
+matrix_mx_puppet_discord_sqlite_database_path_in_container: "/data/database.db"
+
+matrix_mx_puppet_discord_database_username: matrix_mx_puppet_discord
+matrix_mx_puppet_discord_database_password: ~
+matrix_mx_puppet_discord_database_hostname: 'matrix-postgres'
+matrix_mx_puppet_discord_database_port: 5432
+matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord
+
+matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable'
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml

@@ -8,14 +8,6 @@
       The matrix-bridge-mx-puppet-discord role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
-- name: Ensure MX Puppet Discord image is pulled
-  docker_image:
-    name: "{{ matrix_mx_puppet_discord_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_mx_puppet_discord_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_docker_image_force_pull }}"
-  when: matrix_mx_puppet_discord_enabled|bool and not matrix_mx_puppet_discord_container_image_self_build
-
 - name: Ensure MX Puppet Discord paths exist
   file:
     path: "{{ item.path }}"
@@ -30,6 +22,57 @@
     - { path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}", when: "{{ matrix_mx_puppet_discord_container_image_self_build }}" }
   when: matrix_mx_puppet_discord_enabled|bool and item.when|bool
 
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_mx_puppet_discord_base_path }}/database.db"
+  register: matrix_mx_puppet_discord_stat_database
+
+- block:
+    - name: (Data relocation) Ensure matrix-mx-puppet-discord.service is stopped
+      service:
+        name: matrix-mx-puppet-discord
+        state: stopped
+        daemon_reload: yes
+      failed_when: False
+
+    - name: (Data relocation) Move mx-puppet-discord database file to ./data directory
+      command: "mv {{ matrix_mx_puppet_discord_base_path }}/database.db {{ matrix_mx_puppet_discord_data_path }}/database.db"
+  when: "matrix_mx_puppet_discord_stat_database.stat.exists"
+
+- set_fact:
+    matrix_mx_puppet_discord_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}"
+      register: matrix_mx_puppet_discord_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mx_puppet_discord_sqlite_database_path_local }}"
+              dst: "{{ matrix_mx_puppet_discord_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mx_puppet_discord_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mx-puppet-discord.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mx_puppet_discord_requires_restart: true
+      when: "matrix_mx_puppet_discord_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mx_puppet_discord_database_engine == 'postgres'"
+
+- name: Ensure MX Puppet Discord image is pulled
+  docker_image:
+    name: "{{ matrix_mx_puppet_discord_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mx_puppet_discord_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_docker_image_force_pull }}"
+  when: matrix_mx_puppet_discord_enabled|bool and not matrix_mx_puppet_discord_container_image_self_build
+
 - name: Ensure MX Puppet Discord repository is present on self build
   git:
     repo: "{{ matrix_mx_puppet_discord_container_image_self_build_repo }}"
@@ -49,23 +92,6 @@
       pull: yes
   when: "matrix_mx_puppet_discord_enabled|bool and matrix_mx_puppet_discord_container_image_self_build|bool"
 
-- name: Check if an old database file already exists
-  stat:
-    path: "{{ matrix_mx_puppet_discord_base_path }}/database.db"
-  register: matrix_mx_puppet_discord_stat_database
-
-- name: (Data relocation) Ensure matrix-mx-puppet-discord.service is stopped
-  service:
-    name: matrix-mx-puppet-discord
-    state: stopped
-    daemon_reload: yes
-  failed_when: false
-  when: "matrix_mx_puppet_discord_stat_database.stat.exists"
-
-- name: (Data relocation) Move mx-puppet-discord database file to ./data directory
-  command: "mv {{ matrix_mx_puppet_discord_base_path }}/database.db {{ matrix_mx_puppet_discord_data_path }}/database.db"
-  when: "matrix_mx_puppet_discord_stat_database.stat.exists"
-
 - name: Ensure mx-puppet-discord config.yaml installed
   copy:
     content: "{{ matrix_mx_puppet_discord_configuration|to_nice_yaml }}"
@@ -93,3 +119,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mx_puppet_discord_systemd_service_result.changed"
+
+- name: Ensure matrix-mx-puppet-discord.service restarted, if necessary
+  service:
+    name: "matrix-mx-puppet-discord.service"
+    state: restarted
+  when: "matrix_mx_puppet_discord_requires_restart|bool"

roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -100,15 +100,18 @@ namePatterns:
   group: :name
 
 database:
+{% if matrix_mx_puppet_discord_database_engine == 'sqlite' %}
+  # Use SQLite3 as a database backend
+  # The name of the database file
+  filename: {{ matrix_mx_puppet_discord_sqlite_database_path_in_container|to_json }}
+{% else %}
   # Use Postgres as a database backend
   # If set, will be used instead of SQLite3
   # Connection string to connect to the Postgres instance
   # with username "user", password "pass", host "localhost" and database name "dbname".
   # Modify each value as necessary
-  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
-  # Use SQLite3 as a database backend
-  # The name of the database file
-  filename: /data/database.db
+  connString: {{ matrix_mx_puppet_discord_database_connection_string|to_json }}
+{% endif %}
 
 logging:
   # Log level of console output

roles/matrix-bridge-mx-puppet-instagram/defaults/main.yml

@@ -46,6 +46,19 @@ matrix_mx_puppet_instagram_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_instagram_login_shared_secret: ''
 
+matrix_mx_puppet_instagram_database_engine: sqlite
+
+matrix_mx_puppet_instagram_sqlite_database_path_local: "{{ matrix_mx_puppet_instagram_data_path }}/database.db"
+matrix_mx_puppet_instagram_sqlite_database_path_in_container: "/data/database.db"
+
+matrix_mx_puppet_instagram_database_username: matrix_mx_puppet_instagram
+matrix_mx_puppet_instagram_database_password: ~
+matrix_mx_puppet_instagram_database_hostname: 'matrix-postgres'
+matrix_mx_puppet_instagram_database_port: 5432
+matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram
+
+matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable'
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml

@@ -8,6 +8,33 @@
       The matrix-bridge-mx-puppet-instagram role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
+
+- set_fact:
+    matrix_mx_puppet_instagram_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}"
+      register: matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mx_puppet_instagram_sqlite_database_path_local }}"
+              dst: "{{ matrix_mx_puppet_instagram_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mx_puppet_instagram_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mx-puppet-instagram.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mx_puppet_instagram_requires_restart: true
+      when: "matrix_mx_puppet_instagram_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mx_puppet_instagram_database_engine == 'postgres'"
+
 - name: Ensure mx-puppet-instagram image is pulled
   docker_image:
     name: "{{ matrix_mx_puppet_instagram_docker_image }}"
@@ -77,4 +104,8 @@
     daemon_reload: yes
   when: "matrix_mx_puppet_instagram_systemd_service_result.changed"
 
-
+- name: Ensure matrix-mx-puppet-instagram.service restarted, if necessary
+  service:
+    name: "matrix-mx-puppet-instagram.service"
+    state: restarted
+  when: "matrix_mx_puppet_instagram_requires_restart|bool"

roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2

@@ -44,15 +44,18 @@ provisioning:
   apiPrefix: /_matrix/provision
 
 database:
+{% if matrix_mx_puppet_instagram_database_engine == 'postgres' %}
   # Use Postgres as a database backend
   # If set, will be used instead of SQLite3
   # Connection string to connect to the Postgres instance
   # with username "user", password "pass", host "localhost" and database name "dbname".
   # Modify each value as necessary
-  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
+  connString: {{ matrix_mx_puppet_instagram_database_connection_string|to_json }}
+{% else %}
   # Use SQLite3 as a database backend
   # The name of the database file
-  filename: /data/database.db
+  filename: {{ matrix_mx_puppet_instagram_sqlite_database_path_in_container|to_json }}
+{% endif %}
 
 logging:
   # Log level of console output

roles/matrix-bridge-mx-puppet-skype/defaults/main.yml

@@ -53,6 +53,20 @@ matrix_mx_puppet_skype_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_skype_login_shared_secret: ''
 
+# Database configuration, role default is `sqlite` but playbook default is `postgres`
+matrix_mx_puppet_skype_database_engine: sqlite
+
+matrix_mx_puppet_skype_sqlite_database_path_local: "{{ matrix_mx_puppet_skype_data_path }}/database.db"
+matrix_mx_puppet_skype_sqlite_database_path_in_container: "/data/database.db"
+
+matrix_mx_puppet_skype_database_username: matrix_mx_puppet_skype
+matrix_mx_puppet_skype_database_password: ~
+matrix_mx_puppet_skype_database_hostname: 'matrix-postgres'
+matrix_mx_puppet_skype_database_port: 5432
+matrix_mx_puppet_skype_database_name: matrix_mx_puppet_skype
+
+matrix_mx_puppet_skype_database_connection_string: 'postgresql://{{ matrix_mx_puppet_skype_database_username }}:{{ matrix_mx_puppet_skype_database_password }}@{{ matrix_mx_puppet_skype_database_hostname }}:{{ matrix_mx_puppet_skype_database_port }}/{{ matrix_mx_puppet_skype_database_name }}?sslmode=disable'
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml

@@ -8,14 +8,6 @@
       The matrix-bridge-mx-puppet-skype role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
-- name: Ensure MX Puppet Skype image is pulled
-  docker_image:
-    name: "{{ matrix_mx_puppet_skype_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}"
-  when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build
-
 - name: Ensure MX Puppet Skype paths exist
   file:
     path: "{{ item.path }}"
@@ -30,6 +22,57 @@
     - { path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}", when: "{{ matrix_mx_puppet_skype_container_image_self_build }}" }
   when: matrix_mx_puppet_skype_enabled|bool and item.when|bool
 
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_mx_puppet_skype_base_path }}/database.db"
+  register: matrix_mx_puppet_skype_stat_database
+
+- name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped
+  service:
+    name: matrix-mx-puppet-skype
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_mx_puppet_skype_stat_database.stat.exists"
+
+- name: (Data relocation) Move mx-puppet-skype database file to ./data directory
+  command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db"
+  when: "matrix_mx_puppet_skype_stat_database.stat.exists"
+
+- set_fact:
+    matrix_mx_puppet_skype_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mx_puppet_skype_sqlite_database_path_local }}"
+      register: matrix_mx_puppet_skype_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mx_puppet_skype_sqlite_database_path_local }}"
+              dst: "{{ matrix_mx_puppet_skype_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mx_puppet_skype_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mx-puppet-skype.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mx_puppet_skype_requires_restart: true
+      when: "matrix_mx_puppet_skype_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mx_puppet_skype_database_engine == 'postgres'"
+
+- name: Ensure MX Puppet Skype image is pulled
+  docker_image:
+    name: "{{ matrix_mx_puppet_skype_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mx_puppet_skype_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_docker_image_force_pull }}"
+  when: matrix_mx_puppet_skype_enabled|bool and not matrix_mx_puppet_skype_container_image_self_build
+
 - name: Ensure MX Puppet Skype repository is present on self build
   git:
     repo: "{{ matrix_mx_puppet_skype_container_image_self_build_repo }}"
@@ -49,23 +92,6 @@
       pull: yes
   when: "matrix_mx_puppet_skype_enabled|bool and matrix_mx_puppet_skype_container_image_self_build|bool"
 
-- name: Check if an old database file already exists
-  stat:
-    path: "{{ matrix_mx_puppet_skype_base_path }}/database.db"
-  register: matrix_mx_puppet_skype_stat_database
-
-- name: (Data relocation) Ensure matrix-mx-puppet-skype.service is stopped
-  service:
-    name: matrix-mx-puppet-skype
-    state: stopped
-    daemon_reload: yes
-  failed_when: false
-  when: "matrix_mx_puppet_skype_stat_database.stat.exists"
-
-- name: (Data relocation) Move mx-puppet-skype database file to ./data directory
-  command: "mv {{ matrix_mx_puppet_skype_base_path }}/database.db {{ matrix_mx_puppet_skype_data_path }}/database.db"
-  when: "matrix_mx_puppet_skype_stat_database.stat.exists"
-
 - name: Ensure mx-puppet-skype config.yaml installed
   copy:
     content: "{{ matrix_mx_puppet_skype_configuration|to_nice_yaml }}"
@@ -93,3 +119,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mx_puppet_skype_systemd_service_result.changed"
+
+- name: Ensure matrix-mx-puppet-skype.service restarted, if necessary
+  service:
+    name: "matrix-mx-puppet-skype.service"
+    state: restarted
+  when: "matrix_mx_puppet_skype_requires_restart|bool"

roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2

@@ -68,15 +68,18 @@ logging:
       #  - Store
 
 database:
+{% if matrix_mx_puppet_skype_database_engine == 'postgres' %}
   # Use Postgres as a database backend
   # If set, will be used instead of SQLite3
   # Connection string to connect to the Postgres instance
   # with username "user", password "pass", host "localhost" and database name "dbname".
   # Modify each value as necessary
-  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
+  connString: {{ matrix_mx_puppet_skype_database_connection_string|to_json }}
+{% else %}
   # Use SQLite3 as a database backend
   # The name of the database file
-  filename: /data/database.db
+  filename: {{ matrix_mx_puppet_skype_sqlite_database_path_in_container|to_json }}
+{% endif %}
 
 provisioning:
   # Regex of Matrix IDs allowed to use the puppet bridge

roles/matrix-bridge-mx-puppet-slack/defaults/main.yml

@@ -57,6 +57,20 @@ matrix_mx_puppet_slack_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_slack_login_shared_secret: ''
 
+# Database configuration, role uses 'sqlite' per default but playbook sets up postgres by default
+matrix_mx_puppet_slack_database_engine: sqlite
+
+matrix_mx_puppet_slack_sqlite_database_path_local: "{{ matrix_mx_puppet_slack_data_path }}/database.db"
+matrix_mx_puppet_slack_sqlite_database_path_in_container: "/data/database.db"
+
+matrix_mx_puppet_slack_database_username: matrix_mx_puppet_slack
+matrix_mx_puppet_slack_database_password: ~
+matrix_mx_puppet_slack_database_hostname: 'matrix-postgres'
+matrix_mx_puppet_slack_database_port: 5432
+matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack
+
+matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable'
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml

@@ -8,14 +8,6 @@
       The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
-- name: Ensure MX Puppet Slack image is pulled
-  docker_image:
-    name: "{{ matrix_mx_puppet_slack_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}"
-  when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build
-
 - name: Ensure MX Puppet Slack paths exist
   file:
     path: "{{ item.path }}"
@@ -30,6 +22,53 @@
     - { path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}", when: "{{ matrix_mx_puppet_slack_container_image_self_build }}" }
   when: matrix_mx_puppet_slack_enabled|bool and item.when|bool
 
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_mx_puppet_slack_base_path }}/database.db"
+  register: matrix_mx_puppet_slack_stat_database
+
+- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped
+  service:
+    name: matrix-mx-puppet-slack
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_mx_puppet_slack_stat_database.stat.exists"
+
+- set_fact:
+    matrix_mx_puppet_slack_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}"
+      register: matrix_mx_puppet_slack_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mx_puppet_slack_sqlite_database_path_local }}"
+              dst: "{{ matrix_mx_puppet_slack_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mx_puppet_slack_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mx-puppet-slack.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mx_puppet_slack_requires_restart: true
+      when: "matrix_mx_puppet_slack_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mx_puppet_slack_database_engine == 'postgres'"
+
+- name: Ensure MX Puppet Slack image is pulled
+  docker_image:
+    name: "{{ matrix_mx_puppet_slack_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}"
+  when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build
+
 - name: Ensure MX Puppet Slack repository is present on self build
   git:
     repo: "{{ matrix_mx_puppet_slack_container_image_self_build_repo }}"
@@ -49,19 +88,6 @@
       pull: yes
   when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build"
 
-- name: Check if an old database file already exists
-  stat:
-    path: "{{ matrix_mx_puppet_slack_base_path }}/database.db"
-  register: matrix_mx_puppet_slack_stat_database
-
-- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped
-  service:
-    name: matrix-mx-puppet-slack
-    state: stopped
-    daemon_reload: yes
-  failed_when: false
-  when: "matrix_mx_puppet_slack_stat_database.stat.exists"
-
 - name: (Data relocation) Move mx-puppet-slack database file to ./data directory
   command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db"
   when: "matrix_mx_puppet_slack_stat_database.stat.exists"
@@ -93,3 +119,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mx_puppet_slack_systemd_service_result.changed"
+
+- name: Ensure matrix-mx-puppet-slack.service restarted, if necessary
+  service:
+    name: "matrix-mx-puppet-slack.service"
+    state: restarted
+  when: "matrix_mx_puppet_slack_requires_restart|bool"

roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2

@@ -58,15 +58,18 @@ provisioning:
   apiPrefix: /_matrix/provision
 
 database:
+{% if matrix_mx_puppet_slack_database_engine == 'postgres' %}
   # Use Postgres as a database backend
   # If set, will be used instead of SQLite3
   # Connection string to connect to the Postgres instance
   # with username "user", password "pass", host "localhost" and database name "dbname".
   # Modify each value as necessary
-  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
+  connString: {{ matrix_mx_puppet_slack_database_connection_string|to_json }}
+{% else %}
   # Use SQLite3 as a database backend
   # The name of the database file
-  filename: /data/database.db
+  filename: {{ matrix_mx_puppet_slack_sqlite_database_path_in_container|to_json }}
+{% endif %}
 
 logging:
   # Log level of console output

roles/matrix-bridge-mx-puppet-steam/defaults/main.yml

@@ -55,6 +55,19 @@ matrix_mx_puppet_steam_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_steam_login_shared_secret: ''
 
+matrix_mx_puppet_steam_database_engine: sqlite
+
+matrix_mx_puppet_steam_sqlite_database_path_local: "{{ matrix_mx_puppet_steam_data_path }}/database.db"
+matrix_mx_puppet_steam_sqlite_database_path_in_container: "/data/database.db"
+
+matrix_mx_puppet_steam_database_username: matrix_mx_puppet_steam
+matrix_mx_puppet_steam_database_password: ~
+matrix_mx_puppet_steam_database_hostname: 'matrix-postgres'
+matrix_mx_puppet_steam_database_port: 5432
+matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam
+
+matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable'
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml

@@ -8,14 +8,6 @@
       The matrix-bridge-mx-puppet-steam role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
-- name: Ensure MX Puppet Steam image is pulled
-  docker_image:
-    name: "{{ matrix_mx_puppet_steam_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_mx_puppet_steam_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_docker_image_force_pull }}"
-  when: matrix_mx_puppet_steam_enabled|bool and not matrix_mx_puppet_steam_container_image_self_build
-
 - name: Ensure MX Puppet Steam paths exist
   file:
     path: "{{ item.path }}"
@@ -30,6 +22,57 @@
     - { path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}", when: "{{ matrix_mx_puppet_steam_container_image_self_build }}" }
   when: matrix_mx_puppet_steam_enabled|bool and item.when|bool
 
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_mx_puppet_steam_base_path }}/database.db"
+  register: matrix_mx_puppet_steam_stat_database
+
+- name: (Data relocation) Ensure matrix-mx-puppet-steam.service is stopped
+  service:
+    name: matrix-mx-puppet-steam
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
+
+- name: (Data relocation) Move mx-puppet-steam database file to ./data directory
+  command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db"
+  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
+
+- set_fact:
+    matrix_mx_puppet_steam_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}"
+      register: matrix_mx_puppet_steam_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mx_puppet_steam_sqlite_database_path_local }}"
+              dst: "{{ matrix_mx_puppet_steam_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mx_puppet_steam_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mx-puppet-steam.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mx_puppet_steam_requires_restart: true
+      when: "matrix_mx_puppet_steam_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mx_puppet_steam_database_engine == 'postgres'"
+
+- name: Ensure MX Puppet Steam image is pulled
+  docker_image:
+    name: "{{ matrix_mx_puppet_steam_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mx_puppet_steam_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_docker_image_force_pull }}"
+  when: matrix_mx_puppet_steam_enabled|bool and not matrix_mx_puppet_steam_container_image_self_build
+
 - name: Ensure MX Puppet Steam repository is present on self build
   git:
     repo: "{{ matrix_mx_puppet_steam_container_image_self_build_repo }}"
@@ -49,23 +92,6 @@
       pull: yes
   when: "matrix_mx_puppet_steam_enabled|bool and matrix_mx_puppet_steam_container_image_self_build"
 
-- name: Check if an old database file already exists
-  stat:
-    path: "{{ matrix_mx_puppet_steam_base_path }}/database.db"
-  register: matrix_mx_puppet_steam_stat_database
-
-- name: (Data relocation) Ensure matrix-mx-puppet-steam.service is stopped
-  service:
-    name: matrix-mx-puppet-steam
-    state: stopped
-    daemon_reload: yes
-  failed_when: false
-  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
-
-- name: (Data relocation) Move mx-puppet-steam database file to ./data directory
-  command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db"
-  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
-
 - name: Ensure mx-puppet-steam config.yaml installed
   copy:
     content: "{{ matrix_mx_puppet_steam_configuration|to_nice_yaml }}"
@@ -93,3 +119,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mx_puppet_steam_systemd_service_result.changed"
+
+- name: Ensure matrix-mx-puppet-steam.service restarted, if necessary
+  service:
+    name: "matrix-mx-puppet-steam.service"
+    state: restarted
+  when: "matrix_mx_puppet_steam_requires_restart|bool"

roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2

@@ -61,15 +61,18 @@ selfService:
   blacklist: {{ matrix_mx_puppet_steam_provisioning_blacklist|to_json }}
 
 database:
+{% if matrix_mx_puppet_steam_database_engine == 'postgres' %}
   # Use Postgres as a database backend
   # If set, will be used instead of SQLite3
   # Connection string to connect to the Postgres instance
   # with username "user", password "pass", host "localhost" and database name "dbname".
   # Modify each value as necessary
-  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
+  connString: {{ matrix_mx_puppet_steam_database_connection_string|to_json }}
+{% else %}
   # Use SQLite3 as a database backend
   # The name of the database file
-  filename: /data/database.db
+  filename: {{ matrix_mx_puppet_steam_sqlite_database_path_in_container|to_json }}
+{% endif %}
 
 logging:
   # Log level of console output

roles/matrix-bridge-mx-puppet-twitter/defaults/main.yml

@@ -60,6 +60,20 @@ matrix_mx_puppet_twitter_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_twitter_login_shared_secret: ''
 
+# Database configuration
+matrix_mx_puppet_twitter_database_engine: sqlite
+
+matrix_mx_puppet_twitter_sqlite_database_path_local: "{{ matrix_mx_puppet_twitter_data_path }}/database.db"
+matrix_mx_puppet_twitter_sqlite_database_path_in_container: "/data/database.db"
+
+matrix_mx_puppet_twitter_database_username: mx_puppet_twitter
+matrix_mx_puppet_twitter_database_password: ~
+matrix_mx_puppet_twitter_database_hostname: 'matrix-postgres'
+matrix_mx_puppet_twitter_database_port: 5432
+matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter
+
+matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable'
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml

@@ -8,14 +8,6 @@
       The matrix-bridge-mx-puppet-twitter role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
 
-- name: Ensure MX Puppet Twitter image is pulled
-  docker_image:
-    name: "{{ matrix_mx_puppet_twitter_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_mx_puppet_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_docker_image_force_pull }}"
-  when: matrix_mx_puppet_twitter_enabled|bool and not matrix_mx_puppet_twitter_container_image_self_build
-
 - name: Ensure MX Puppet Twitter paths exist
   file:
     path: "{{ item.path }}"
@@ -30,6 +22,57 @@
     - { path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}", when: "{{ matrix_mx_puppet_twitter_container_image_self_build }}" }
   when: matrix_mx_puppet_twitter_enabled|bool and item.when|bool
 
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_mx_puppet_twitter_base_path }}/database.db"
+  register: matrix_mx_puppet_twitter_stat_database
+
+- name: (Data relocation) Ensure matrix-mx-puppet-twitter.service is stopped
+  service:
+    name: matrix-mx-puppet-twitter
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
+
+- name: (Data relocation) Move mx-puppet-twitter database file to ./data directory
+  command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db"
+  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
+
+- set_fact:
+    matrix_mx_puppet_twitter_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}"
+      register: matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_mx_puppet_twitter_sqlite_database_path_local }}"
+              dst: "{{ matrix_mx_puppet_twitter_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_mx_puppet_twitter_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mx-puppet-twitter.service']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_mx_puppet_twitter_requires_restart: true
+      when: "matrix_mx_puppet_twitter_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_mx_puppet_twitter_database_engine == 'postgres'"
+
+- name: Ensure MX Puppet Twitter image is pulled
+  docker_image:
+    name: "{{ matrix_mx_puppet_twitter_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mx_puppet_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_docker_image_force_pull }}"
+  when: matrix_mx_puppet_twitter_enabled|bool and not matrix_mx_puppet_twitter_container_image_self_build
+
 - name: Ensure MX Puppet Twitter repository is present on self build
   git:
     repo: "{{ matrix_mx_puppet_twitter_container_image_self_build_repo }}"
@@ -49,23 +92,6 @@
       pull: yes
   when: "matrix_mx_puppet_twitter_enabled|bool and matrix_mx_puppet_twitter_container_image_self_build"
 
-- name: Check if an old database file already exists
-  stat:
-    path: "{{ matrix_mx_puppet_twitter_base_path }}/database.db"
-  register: matrix_mx_puppet_twitter_stat_database
-
-- name: (Data relocation) Ensure matrix-mx-puppet-twitter.service is stopped
-  service:
-    name: matrix-mx-puppet-twitter
-    state: stopped
-    daemon_reload: yes
-  failed_when: false
-  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
-
-- name: (Data relocation) Move mx-puppet-twitter database file to ./data directory
-  command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db"
-  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
-
 - name: Ensure mx-puppet-twitter config.yaml installed
   copy:
     content: "{{ matrix_mx_puppet_twitter_configuration|to_nice_yaml }}"
@@ -93,3 +119,9 @@
   service:
     daemon_reload: yes
   when: "matrix_mx_puppet_twitter_systemd_service_result.changed"
+
+- name: Ensure matrix-mx-puppet-twitter.service restarted, if necessary
+  service:
+    name: "matrix-mx-puppet-twitter.service"
+    state: restarted
+  when: "matrix_mx_puppet_twitter_requires_restart|bool"

roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2

@@ -54,15 +54,18 @@ provisioning:
   apiPrefix: /_matrix/provision
 
 database:
+{% if matrix_mx_puppet_twitter_database_engine == 'postgres' %}
   # Use Postgres as a database backend
   # If set, will be used instead of SQLite3
   # Connection string to connect to the Postgres instance
   # with username "user", password "pass", host "localhost" and database name "dbname".
   # Modify each value as necessary
-  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
+  connString: {{ matrix_mx_puppet_twitter_database_connection_string|to_json }}
+{% else %}
   # Use SQLite3 as a database backend
   # The name of the database file
-  filename: /data/database.db
+  filename: {{ matrix_mx_puppet_twitter_sqlite_database_path_in_container|to_json }}
+{% endif %}
 
 logging:
   # Log level of console output

roles/matrix-client-element/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
 
-matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.15"
+matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.16"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
 

roles/matrix-corporal/defaults/main.yml

@@ -23,7 +23,7 @@ matrix_corporal_container_extra_arguments: []
 matrix_corporal_systemd_required_services_list: ['docker.service']
 
 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
-matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}"
+matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
 matrix_corporal_docker_image_tag: "1.11.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
 

roles/matrix-coturn/tasks/setup_coturn.yml

@@ -59,22 +59,11 @@
     mode: 0644
   when: matrix_coturn_enabled|bool
 
-# `docker_network` doesn't work as expected when the given network
-# is a substring of a network that already exists.
-#
-# See our other comments in `roles/matrix-base/tasks/setup_matrix_base.yml`
-- name: Check existence of Coturn network in Docker
-  shell:
-    cmd: "docker network ls -q --filter='name=^{{ matrix_coturn_docker_network }}$'"
-  register: matrix_coturn_result_docker_network
-  changed_when: false
+- name: Ensure Coturn network is created in Docker
+  docker_network:
+    name: "{{ matrix_coturn_docker_network }}"
+    driver: bridge
   when: matrix_coturn_enabled|bool
-  check_mode: no
-
-- name: Create Coturn network in Docker
-  shell:
-    cmd: "docker network create --driver=bridge {{ matrix_coturn_docker_network }}"
-  when: "matrix_coturn_enabled|bool and matrix_coturn_result_docker_network.stdout == '' and not ansible_check_mode"
 
 - name: Ensure matrix-coturn.service installed
   template:

roles/matrix-dimension/defaults/main.yml

@@ -15,6 +15,12 @@ matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
 matrix_dimension_docker_image: "docker.io/turt2live/matrix-dimension:latest"
 matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"
 
+# List of systemd services that matrix-dimension.service depends on.
+matrix_dimension_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-dimension.service wants
+matrix_dimension_systemd_wanted_services_list: []
+
 # The user and group id correspond to the node user in the `turt2live/matrix-dimension` image.
 matrix_dimension_user_uid: '1000'
 matrix_dimension_user_gid: '1000'
@@ -34,6 +40,28 @@ matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_di
 
 matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048"
 
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_dimension_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_dimension_postgres_*` variables
+matrix_dimension_database_engine: 'sqlite'
+
+matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db"
+matrix_dimension_sqlite_database_path_in_container: "dimension.db"
+
+matrix_dimension_database_username: 'matrix_dimension'
+matrix_dimension_database_password: 'some-password'
+matrix_dimension_database_hostname: 'matrix-postgres'
+matrix_dimension_database_port: 5432
+matrix_dimension_database_name: 'matrix_dimension'
+
+matrix_dimension_database_connection_string: 'postgres://{{ matrix_dimension_database_username }}:{{ matrix_dimension_database_password }}@{{ matrix_dimension_database_hostname }}:{{ matrix_dimension_database_port }}/{{ matrix_dimension_database_name }}'
+
+
 # Default Dimension configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/matrix-dimension/tasks/main.yml

@@ -8,8 +8,14 @@
     - setup-all
     - setup-dimension
 
-- import_tasks: "{{ role_path }}/tasks/setup_dimension.yml"
-  when: run_setup|bool
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: run_setup|bool and matrix_dimension_enabled|bool
+  tags:
+    - setup-all
+    - setup-dimension
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: run_setup|bool and not matrix_dimension_enabled|bool
   tags:
     - setup-all
     - setup-dimension

roles/matrix-dimension/tasks/setup_dimension.yml

@@ -1,85 +0,0 @@
----
-
-#
-# Tasks related to setting up the dimension
-#
-
-- name: Ensure Dimension base path exists
-  file:
-    path: "{{ matrix_dimension_base_path }}"
-    state: directory
-    mode: 0770
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_dimension_user_gid }}"
-  when: matrix_dimension_enabled|bool
-
-- name: Ensure Dimension config installed
-  copy:
-    content: "{{ matrix_dimension_configuration|to_nice_yaml }}"
-    dest: "{{ matrix_dimension_base_path }}/config.yaml"
-    mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_dimension_user_gid }}"
-  when: matrix_dimension_enabled|bool
-
-- name: Ensure Dimension image is pulled
-  docker_image:
-    name: "{{ matrix_dimension_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}"
-  when: matrix_dimension_enabled|bool
-
-- name: Ensure matrix-dimension.service installed
-  template:
-    src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2"
-    dest: "{{ matrix_systemd_path }}/matrix-dimension.service"
-    mode: 0644
-  register: matrix_dimension_systemd_service_result
-  when: matrix_dimension_enabled|bool
-
-- name: Ensure systemd reloaded after matrix-dimension.service installation
-  service:
-    daemon_reload: yes
-  when: "matrix_dimension_enabled|bool and matrix_dimension_systemd_service_result.changed"
-
-#
-# Tasks related to getting rid of the dimension (if it was previously enabled)
-#
-
-- name: Check existence of matrix-dimension service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-dimension.service"
-  register: matrix_dimension_service_stat
-  when: "not matrix_dimension_enabled|bool"
-
-- name: Ensure matrix-dimension is stopped
-  service:
-    name: matrix-dimension
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists"
-
-- name: Ensure matrix-dimension.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-dimension.service"
-    state: absent
-  when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists"
-
-- name: Ensure systemd reloaded after matrix-dimension.service removal
-  service:
-    daemon_reload: yes
-  when: "not matrix_dimension_enabled|bool and matrix_dimension_service_stat.stat.exists"
-
-- name: Ensure Dimension environment variables path doesn't exist
-  file:
-    path: "{{ matrix_dimension_base_path }}"
-    state: absent
-  when: "not matrix_dimension_enabled|bool"
-
-- name: Ensure Dimension Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_dimension_docker_image }}"
-    state: absent
-  when: "not matrix_dimension_enabled|bool"

roles/matrix-dimension/tasks/setup_install.yml

@@ -0,0 +1,109 @@
+---
+
+- set_fact:
+    matrix_dimension_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_dimension_sqlite_database_path_local }}"
+      register: matrix_dimension_sqlite_database_path_local_stat_result
+
+    - block:
+        # pgloader makes a few columns `smallint`, instead of `boolean`.
+        # We need to fix them up.
+        - set_fact:
+            matrix_dimension_pgloader_additional_psql_statements_list: []
+
+        - set_fact:
+            matrix_dimension_pgloader_additional_psql_statements_list: |
+              {{
+                matrix_dimension_pgloader_additional_psql_statements_list
+                +
+                ([] if item.default == '' else ['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" DROP default;'])
+                +
+                (['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" TYPE BOOLEAN USING("' + item.column + '"::text::boolean);'])
+                +
+                ([] if item.default == '' else ['ALTER TABLE ' + item.table + ' ALTER COLUMN "' + item.column + '" SET default ' + item.default + ';'])
+              }}
+          with_items:
+            - {'table': 'dimension_widgets', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_widgets', 'column': 'isPublic', 'default': ''}
+            - {'table': 'dimension_webhook_bridges', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_user_sticker_packs', 'column': 'isSelected', 'default': ''}
+            - {'table': 'dimension_scalar_tokens', 'column': 'isDimensionToken', 'default': ''}
+            - {'table': 'dimension_users', 'column': 'isSelfBot', 'default': 'false'}
+            - {'table': 'dimension_telegram_bridges', 'column': 'allowTgPuppets', 'default': ''}
+            - {'table': 'dimension_telegram_bridges', 'column': 'allowMxPuppets', 'default': ''}
+            - {'table': 'dimension_telegram_bridges', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_sticker_packs', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_sticker_packs', 'column': 'isPublic', 'default': ''}
+            - {'table': 'dimension_slack_bridges', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_neb_integrations', 'column': 'isPublic', 'default': ''}
+            - {'table': 'dimension_irc_bridges', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_irc_bridge_networks', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_gitter_bridges', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_custom_simple_bots', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_custom_simple_bots', 'column': 'isPublic', 'default': ''}
+            - {'table': 'dimension_bridges', 'column': 'isEnabled', 'default': ''}
+            - {'table': 'dimension_bridges', 'column': 'isPublic', 'default': ''}
+
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_dimension_sqlite_database_path_local }}"
+              dst: "{{ matrix_dimension_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_dimension_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-dimension.service']
+              pgloader_options: ['--with "quote identifiers"']
+              additional_psql_statements_list: "{{ matrix_dimension_pgloader_additional_psql_statements_list }}"
+              additional_psql_statements_db_name: "{{ matrix_dimension_database_name }}"
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_dimension_requires_restart: true
+      when: "matrix_dimension_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_dimension_database_engine == 'postgres'"
+
+- name: Ensure Dimension base path exists
+  file:
+    path: "{{ matrix_dimension_base_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_dimension_user_gid }}"
+
+- name: Ensure Dimension config installed
+  copy:
+    content: "{{ matrix_dimension_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_dimension_base_path }}/config.yaml"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_dimension_user_gid }}"
+
+- name: Ensure Dimension image is pulled
+  docker_image:
+    name: "{{ matrix_dimension_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}"
+
+- name: Ensure matrix-dimension.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-dimension.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-dimension.service"
+    mode: 0644
+  register: matrix_dimension_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-dimension.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_dimension_systemd_service_result.changed|bool"
+
+- name: Ensure matrix-dimension.service restarted, if necessary
+  service:
+    name: "matrix-dimension.service"
+    state: restarted
+  when: "matrix_dimension_requires_restart|bool"

roles/matrix-dimension/tasks/setup_uninstall.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-dimension service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-dimension.service"
+  register: matrix_dimension_service_stat
+
+- name: Ensure matrix-dimension is stopped
+  service:
+    name: matrix-dimension
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_dimension_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-dimension.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-dimension.service"
+    state: absent
+  when: "matrix_dimension_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-dimension.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_dimension_service_stat.stat.exists|bool"
+
+- name: Ensure Dimension base directory doesn't exist
+  file:
+    path: "{{ matrix_dimension_base_path }}"
+    state: absent
+
+- name: Ensure Dimension Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_dimension_docker_image }}"
+    state: absent

roles/matrix-dimension/templates/config.yaml.j2

@@ -44,7 +44,11 @@ widgetBlacklist:
 
 # Where the database for Dimension is
 database:
-  file: "dimension.db"
+{% if matrix_dimension_database_engine == 'sqlite' %}
+  file: {{ matrix_dimension_sqlite_database_path_in_container|to_json }}
+{% elif matrix_dimension_database_engine == 'postgres' %}
+  uri: {{ matrix_dimension_database_connection_string|to_json }}
+{% endif %}
 
 # Display settings that apply to self-hosted go-neb instances
 goneb:

roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2

@@ -1,8 +1,13 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Dimension
-After=docker.service
-Requires=docker.service
+{% for service in matrix_dimension_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_dimension_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
 DefaultDependencies=no
 
 [Service]
@@ -11,7 +16,9 @@ ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension
 
 # Fixup database ownership if it got changed somehow (during a server migration, etc.)
-ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db
+{% if matrix_dimension_database_engine == 'sqlite' %}
+ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_sqlite_database_path_local }}
+{% endif %}
 
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \
 			--log-driver=none \

roles/matrix-ma1sd/defaults/main.yml

@@ -39,6 +39,28 @@ matrix_ma1sd_systemd_wanted_services_list: []
 # Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
 matrix_ma1sd_matrixorg_forwarding_enabled: false
 
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_ma1sd_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables
+matrix_ma1sd_database_engine: 'sqlite'
+
+matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db"
+matrix_ma1sd_sqlite_database_path_in_container: "/var/ma1sd/ma1sd.db"
+
+matrix_ma1sd_database_username: 'matrix_ma1sd'
+matrix_ma1sd_database_password: 'some-password'
+matrix_ma1sd_database_hostname: 'matrix-postgres'
+matrix_ma1sd_database_port: 5432
+matrix_ma1sd_database_name: 'matrix_ma1sd'
+
+matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}'
+
+
 # ma1sd has serveral supported identity stores.
 # One of them is storing identities directly in Synapse's database.
 # Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
@@ -61,6 +83,17 @@ matrix_ma1sd_dns_overwrite_enabled: false
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"
 
+# Override the default session templates
+# To use this, fill in the template variables with the full desired template as a multi-line YAML variable
+#
+# More info:
+# https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/session/session-views.md
+matrix_ma1sd_view_session_custom_templates_enabled: false
+# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitSuccess.html
+matrix_ma1sd_view_session_custom_onTokenSubmit_success_template: ""
+# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/templates/session/tokenSubmitFailure.html
+matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template: ""
+
 # Override the default email templates
 # To use this, fill in the template variables with the full desired template as a multi-line YAML variable
 #
@@ -68,9 +101,13 @@ matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://matrix-synapse:8008"
 # https://github.com/ma1uta/ma1sd/blob/master/docs/threepids/notification/template-generator.md
 # https://github.com/ma1uta/ma1sd/tree/master/src/main/resources/threepids/email
 matrix_ma1sd_threepid_medium_email_custom_templates_enabled: false
+# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/invite-template.eml
 matrix_ma1sd_threepid_medium_email_custom_invite_template: ""
+# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/validate-template.eml
 matrix_ma1sd_threepid_medium_email_custom_session_validation_template: ""
-matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template: ""
+# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/unbind-notification.eml
+matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template: ""
+# Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
 matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""
 
 # Controls whether the self-check feature should validate SSL certificates.

roles/matrix-ma1sd/tasks/main.yml

@@ -8,7 +8,14 @@
     - setup-all
     - setup-ma1sd
 
-- import_tasks: "{{ role_path }}/tasks/setup_ma1sd.yml"
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_ma1sd_enabled|bool"
+  tags:
+    - setup-all
+    - setup-ma1sd
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_ma1sd_enabled|bool"
   tags:
     - setup-all
     - setup-ma1sd

roles/matrix-ma1sd/tasks/setup_ma1sd.yml → roles/matrix-ma1sd/tasks/setup_install.yml

@@ -1,9 +1,5 @@
 ---
 
-#
-# Tasks related to setting up ma1sd
-#
-
 - name: Ensure ma1sd paths exist
   file:
     path: "{{ item.path }}"
@@ -15,10 +11,39 @@
     - { path: "{{ matrix_ma1sd_config_path }}", when: true }
     - { path: "{{ matrix_ma1sd_data_path }}", when: true }
     - { path: "{{ matrix_ma1sd_docker_src_files_path }}", when: "{{ matrix_ma1sd_container_image_self_build }}"}
-  when: matrix_ma1sd_enabled|bool and item.when
+  when: "item.when|bool"
 
 - import_tasks: "{{ role_path }}/tasks/migrate_mxisd.yml"
-  when: matrix_ma1sd_enabled|bool
+
+
+# These (SQLite -> Postgres) migration tasks are usually at the top,
+# but we'd like to run them after `migrate_mxisd.yml`, which requires the ma1sd paths to exist.
+- set_fact:
+    matrix_ma1sd_requires_restart: false
+
+- block:
+    - name: Check if an SQLite database already exists
+      stat:
+        path: "{{ matrix_ma1sd_sqlite_database_path_local }}"
+      register: matrix_ma1sd_sqlite_database_path_local_stat_result
+
+    - block:
+        - set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_ma1sd_sqlite_database_path_local }}"
+              dst: "{{ matrix_ma1sd_database_connection_string }}"
+              caller: "{{ role_path|basename }}"
+              engine_variable_name: 'matrix_ma1sd_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-ma1sd.service']
+              pgloader_options: ['--with "quote identifiers"']
+
+        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"
+
+        - set_fact:
+            matrix_ma1sd_requires_restart: true
+      when: "matrix_ma1sd_sqlite_database_path_local_stat_result.stat.exists|bool"
+  when: "matrix_ma1sd_database_engine == 'postgres'"
 
 - name: Ensure ma1sd image is pulled
   docker_image:
@@ -26,7 +51,7 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_ma1sd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ma1sd_docker_image_force_pull }}"
-  when: matrix_ma1sd_enabled|bool and not matrix_ma1sd_container_image_self_build
+  when: "not matrix_ma1sd_container_image_self_build|bool"
 
 - block:
   - name: Ensure gradle is installed for self-building (Debian)
@@ -72,7 +97,7 @@
       repository: "{{ matrix_ma1sd_docker_image }}"
       force_tag: yes
       source: local
-  when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_container_image_self_build"
+  when: "matrix_ma1sd_container_image_self_build|bool"
 
 - name: Ensure ma1sd config installed
   copy:
@@ -81,21 +106,44 @@
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
-  when: matrix_ma1sd_enabled|bool
 
-- name: Ensure custom templates are installed if any
+- name: Ensure custom view templates are installed, if any
+  copy:
+    content: "{{ item.value }}"
+    dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_success_template }}", location: 'tokenSubmitSuccess.html'}
+    - {value: "{{ matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template }}", location: 'tokenSubmitFailure.html'}
+  when: "matrix_ma1sd_view_session_custom_templates_enabled|bool and item.value"
+
+- name: Ensure custom email templates are installed, if any
   copy:
     content: "{{ item.value }}"
-    dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
+    dest: "{{ matrix_ma1sd_config_path }}/{{ item.location }}"
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
   with_items:
     - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
     - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
-    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template }}", location: 'unbind-fraudulent.eml'}
+    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
     - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
-  when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
+  when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
+
+# Only cleaning up for people who define the respective templates
+- name: (Cleanup) Ensure custom email templates are not in data/ anymore (we've put them in config/)
+  file:
+    path: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
+    state: absent
+  with_items:
+    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
+    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}
+    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template }}", location: 'unbind-notification.eml'}
+    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
+  when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled|bool and item.value"
 
 - name: Ensure matrix-ma1sd.service installed
   template:
@@ -103,49 +151,14 @@
     dest: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
     mode: 0644
   register: matrix_ma1sd_systemd_service_result
-  when: matrix_ma1sd_enabled|bool
 
 - name: Ensure systemd reloaded after matrix-ma1sd.service installation
   service:
     daemon_reload: yes
-  when: "matrix_ma1sd_enabled|bool and matrix_ma1sd_systemd_service_result.changed"
-
-#
-# Tasks related to getting rid of ma1sd (if it was previously enabled)
-#
-
-- name: Check existence of matrix-ma1sd service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
-  register: matrix_ma1sd_service_stat
-
-- name: Ensure matrix-ma1sd is stopped
-  service:
-    name: matrix-ma1sd
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
-
-- name: Ensure matrix-ma1sd.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
-    state: absent
-  when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
+  when: "matrix_ma1sd_systemd_service_result.changed|bool"
 
-- name: Ensure systemd reloaded after matrix-ma1sd.service removal
+- name: Ensure matrix-ma1sd.service restarted, if necessary
   service:
-    daemon_reload: yes
-  when: "not matrix_ma1sd_enabled|bool and matrix_ma1sd_service_stat.stat.exists"
-
-- name: Ensure Matrix ma1sd paths don't exist
-  file:
-    path: "{{ matrix_ma1sd_base_path }}"
-    state: absent
-  when: "not matrix_ma1sd_enabled|bool"
-
-- name: Ensure ma1sd Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_ma1sd_docker_image }}"
-    state: absent
-  when: "not matrix_ma1sd_enabled|bool"
+    name: "matrix-ma1sd.service"
+    state: restarted
+  when: "matrix_ma1sd_requires_restart|bool"

roles/matrix-ma1sd/tasks/setup_uninstall.yml

@@ -0,0 +1,35 @@
+---
+
+- name: Check existence of matrix-ma1sd service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+  register: matrix_ma1sd_service_stat
+
+- name: Ensure matrix-ma1sd is stopped
+  service:
+    name: matrix-ma1sd
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "matrix_ma1sd_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-ma1sd.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-ma1sd.service"
+    state: absent
+  when: "matrix_ma1sd_service_stat.stat.exists|bool"
+
+- name: Ensure systemd reloaded after matrix-ma1sd.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_ma1sd_service_stat.stat.exists|bool"
+
+- name: Ensure Matrix ma1sd paths don't exist
+  file:
+    path: "{{ matrix_ma1sd_base_path }}"
+    state: absent
+
+- name: Ensure ma1sd Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_ma1sd_docker_image }}"
+    state: absent

roles/matrix-ma1sd/tasks/validate_config.yml

@@ -54,6 +54,7 @@
   when: "vars | dict2items | selectattr('key', 'match', item.old) | list | items2dict"
   with_items:
     - {'old': 'matrix_ma1sd_container_expose_port', 'new': '<superseded by matrix_ma1sd_container_http_host_bind_port>'}
+    - {'old': 'matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template', 'new': 'matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template'}
 
 - name: (Deprecation) Catch and report mxisd variables
   fail:

roles/matrix-ma1sd/templates/ma1sd.yaml.j2

@@ -11,9 +11,19 @@ key:
   path: /var/ma1sd/sign.key
 
 storage:
-  provider:
-    sqlite:
-      database: /var/ma1sd/ma1sd.db
+  {% if matrix_ma1sd_database_engine == 'sqlite' %}
+    backend: sqlite
+    provider:
+      sqlite:
+        database: {{ matrix_ma1sd_sqlite_database_path_in_container|to_json }}
+  {% elif matrix_ma1sd_database_engine == 'postgres' %}
+    backend: postgresql
+    provider:
+      postgresql:
+        database: //{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}
+        username: {{ matrix_ma1sd_database_username|to_json }}
+        password: {{ matrix_ma1sd_database_password|to_json }}
+  {% endif %}
 
 {% if matrix_ma1sd_dns_overwrite_enabled %}
 dns:
@@ -45,24 +55,36 @@ threepid:
       generators:
         template:
           {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
-          invite: '/var/ma1sd/invite-template.eml'
+          invite: '/etc/ma1sd/invite-template.eml'
           {% endif %}
-          {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
+          {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
           session:
             {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
-            validation: '/var/ma1sd/validate-template.eml'
+            validation: '/etc/ma1sd/validate-template.eml'
             {% endif %}
-            {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
+            {% if matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template %}
             unbind:
-              frandulent: '/var/ma1sd/unbind-fraudulent.eml'
+              notification: '/etc/ma1sd/unbind-notification.eml'
             {% endif %}
           {% endif %}
           {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
           generic:
-            matrixId: '/var/ma1sd/mxid-template.eml'
+            matrixId: '/etc/ma1sd/mxid-template.eml'
           {% endif %}
 {% endif %}
 
+{% if matrix_ma1sd_view_session_custom_templates_enabled %}
+view:
+  session:
+    onTokenSubmit:
+      {% if matrix_ma1sd_view_session_custom_onTokenSubmit_success_template %}
+      success: '/etc/ma1sd/tokenSubmitSuccess.html'
+      {% endif %}
+      {% if matrix_ma1sd_view_session_custom_onTokenSubmit_failure_template %}
+      failure: '/etc/ma1sd/tokenSubmitFailure.html'
+      {% endif %}
+{% endif %}
+
 {% if matrix_ma1sd_hashing_enabled %}
 hashing:
   enabled: true # enable or disable the hash lookup MSC2140 (default is false)

roles/matrix-nginx-proxy/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
-matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.5-alpine"
+matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.6-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
 
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@@ -92,6 +92,8 @@ matrix_nginx_proxy_base_domain_homepage_template: |-
     </body>
   </html>
 
+# Option to disable the access log
+matrix_nginx_proxy_access_log_enabled: true
 
 # Controls whether proxying the riot domain should be done.
 matrix_nginx_proxy_proxy_riot_compat_redirect_enabled: false

roles/matrix-nginx-proxy/templates/nginx/nginx.conf.j2

@@ -33,7 +33,11 @@ http {
 					'$status $body_bytes_sent "$http_referer" '
 					'"$http_user_agent" "$http_x_forwarded_for"';
 
+	{% if matrix_nginx_proxy_access_log_enabled %}
 	access_log /var/log/nginx/access.log main;
+	{% else %}
+	access_log off;
+	{% endif %}
 
 	sendfile on;
 	#tcp_nopush on;

roles/matrix-postgres/defaults/main.yml

@@ -30,3 +30,50 @@ matrix_postgres_container_extra_arguments: []
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5432"), or empty string to not expose.
 matrix_postgres_container_postgres_bind_port: ""
+
+# A list of additional (databases and their credentials) to create.
+#
+# Example:
+# matrix_postgres_additional_databases:
+#   - name: matrix_appservice_discord
+#     username: matrix_appservice_discord
+#     password: some_password
+#   - name: matrix_appservice_slack
+#     username: matrix_appservice_slack
+#     password: some_password
+matrix_postgres_additional_databases: []
+
+# A list of roles/users to avoid creating when importing (or upgrading) the database.
+# If a dump file contains the roles and they've also been created beforehand (see `matrix_postgres_additional_databases`),
+# importing would fail.
+# We either need to not create them or to ignore the `CREATE ROLE` statements in the dump.
+matrix_postgres_import_roles_to_ignore: [matrix_postgres_connection_username]
+
+matrix_postgres_import_roles_ignore_regex: "^CREATE ROLE ({{ matrix_postgres_import_roles_to_ignore|join('|') }});"
+
+# A list of databases to avoid creating when importing (or upgrading) the database.
+# If a dump file contains the databases and they've also been created beforehand (see `matrix_postgres_additional_databases`),
+# importing would fail.
+# We either need to not create them or to ignore the `CREATE DATABASE` statements in the dump.
+matrix_postgres_import_databases_to_ignore: [matrix_postgres_db_name]
+
+matrix_postgres_import_databases_ignore_regex: "^CREATE DATABASE ({{ matrix_postgres_import_databases_to_ignore|join('|') }})\\s"
+
+# The number of seconds to wait after starting `matrix-postgres.service`
+# and before trying to run queries for creating additional databases/users against it.
+#
+# For most (subsequent) runs, Postgres would already be running, so no waiting will be happening at all.
+matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds: 15
+
+
+matrix_postgres_pgloader_container_image_self_build: false
+matrix_postgres_pgloader_container_image_self_build_repo: "https://github.com/illagrenan/pgloader-docker.git"
+matrix_postgres_pgloader_container_image_self_build_repo_branch: "v{{ matrix_postgres_pgloader_docker_image_tag }}"
+matrix_postgres_pgloader_container_image_self_build_src_path: "{{ matrix_postgres_base_path }}/pgloader-container-src"
+
+# We use illagrenan/pgloader, instead of the more official dimitri/pgloader image,
+# because the official one only provides a `latest` tag.
+matrix_postgres_pgloader_docker_image: "{{ matrix_postgres_pgloader_docker_image_name_prefix }}illagrenan/pgloader:{{ matrix_postgres_pgloader_docker_image_tag }}"
+matrix_postgres_pgloader_docker_image_name_prefix: "{{ 'localhost/' if matrix_postgres_pgloader_container_image_self_build else 'docker.io/' }}"
+matrix_postgres_pgloader_docker_image_tag: "3.6.2"
+matrix_postgres_pgloader_docker_image_force_pull: "{{ matrix_postgres_pgloader_docker_image.endswith(':latest') }}"

roles/matrix-postgres/tasks/import_generic_sqlite_db.yml

@@ -0,0 +1,97 @@
+---
+
+# Pre-checks
+
+- name: Fail if Postgres not enabled
+  fail:
+    msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import."
+  when: "not matrix_postgres_enabled|bool"
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: "The `sqlite_database_path` variable needs to be provided to this playbook, via --extra-vars"
+  when: "sqlite_database_path is not defined or sqlite_database_path.startswith('<')"
+
+- name: Check if the provided SQLite database file exists
+  stat:
+    path: "{{ sqlite_database_path }}"
+  register: sqlite_database_path_stat_result
+
+- name: Fail if provided SQLite database file doesn't exist
+  fail:
+    msg: "File cannot be found on the server at {{ sqlite_database_path }}"
+  when: "not sqlite_database_path_stat_result.stat.exists"
+
+# We either expect `postgres_db_connection_string` specifying a full Postgres database connection string,
+# or `postgres_connection_string_variable_name`, specifying a name of a variable, which contains a valid connection string.
+
+- block:
+    - name: Fail if postgres_connection_string_variable_name points to an undefined variable
+      fail: msg="postgres_connection_string_variable_name is defined, but there is no variable with the name `{{ postgres_connection_string_variable_name }}`"
+      when: "postgres_connection_string_variable_name not in vars"
+
+    - name: Get Postgres connection string from variable
+      set_fact:
+        postgres_db_connection_string: "{{ lookup('vars', postgres_connection_string_variable_name) }}"
+  when: 'postgres_connection_string_variable_name is defined'
+
+- name: Fail if playbook called incorrectly
+  fail:
+    msg: >-
+      Either a `postgres_db_connection_string` variable or a `postgres_connection_string_variable_name` needs to be provided to this playbook, via `--extra-vars`.
+      Example: `--extra-vars="postgres_db_connection_string=postgresql://username:password@localhost:<port>/database_name"` or `--extra-vars="postgres_connection_string_variable_name=matrix_appservice_discord_database_connString"`
+  when: "postgres_db_connection_string is not defined or not postgres_db_connection_string.startswith('postgresql://')"
+
+
+# Defaults
+
+- name: Set postgres_start_wait_time, if not provided
+  set_fact:
+    postgres_start_wait_time: 15
+  when: "postgres_start_wait_time|default('') == ''"
+
+
+# Actual import work
+
+- name: Ensure matrix-postgres is started
+  service:
+    name: matrix-postgres
+    state: started
+    daemon_reload: yes
+  register: matrix_postgres_service_start_result
+
+- name: Wait a bit, so that Postgres can start
+  wait_for:
+    timeout: "{{ postgres_start_wait_time }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "matrix_postgres_service_start_result.changed|bool"
+
+- name: Import SQLite database from {{ sqlite_database_path }} into Postgres
+  command:
+    cmd: >-
+      {{ matrix_host_command_docker }} run
+      --rm
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --network={{ matrix_docker_network }}
+      --mount type=bind,src={{ sqlite_database_path }},dst=/in.db,ro
+      --entrypoint=/bin/sh
+      {{ matrix_postgres_pgloader_docker_image }}
+      -c
+      'pgloader /in.db {{ postgres_db_connection_string }}'
+
+- name: Archive SQLite database ({{ sqlite_database_path }} -> {{ sqlite_database_path }}.backup)
+  command:
+    cmd: "mv {{ sqlite_database_path }} {{ sqlite_database_path }}.backup"
+
+- name: Inject result
+  set_fact:
+    matrix_playbook_runtime_results: |
+      {{
+        matrix_playbook_runtime_results|default([])
+        +
+        [
+          "NOTE: Your SQLite database file has been imported into Postgres. The original file has been moved from `{{ sqlite_database_path }}` to `{{ sqlite_database_path }}.backup`. When you've confirmed that the import went well and everything works, you should be able to safely delete this file."
+        ]
+      }}

roles/matrix-postgres/tasks/import_postgres.yml

@@ -74,8 +74,8 @@
       {{ matrix_postgres_docker_image_latest }}
       -c "cat /{{ server_path_postgres_dump|basename }} |
       {{ 'gunzip |' if server_path_postgres_dump.endswith('.gz') else '' }}
-      grep -vE '^CREATE ROLE {{ matrix_postgres_connection_username }}' |
-      grep -vE '^CREATE DATABASE {{ matrix_postgres_db_name }}' |
+      grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' |
+      grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' |
       psql -v ON_ERROR_STOP=1 -h matrix-postgres"
 
 # This is a hack.

roles/matrix-postgres/tasks/main.yml

@@ -26,6 +26,12 @@
   tags:
     - import-synapse-sqlite-db
 
+# Perhaps we need a new variable here, instead of `run_postgres_import_sqlite_db`.
+- import_tasks: "{{ role_path }}/tasks/import_generic_sqlite_db.yml"
+  when: run_postgres_import_sqlite_db|bool
+  tags:
+    - import-generic-sqlite-db
+
 - import_tasks: "{{ role_path }}/tasks/upgrade_postgres.yml"
   when: run_postgres_upgrade|bool
   tags:

roles/matrix-postgres/tasks/setup_postgres.yml

@@ -113,6 +113,13 @@
     daemon_reload: yes
   when: "matrix_postgres_enabled|bool and matrix_postgres_systemd_service_result.changed"
 
+- include_tasks:
+    file: "{{ role_path }}/tasks/util/create_additional_databases.yml"
+    apply:
+      tags:
+        - always
+  when: "matrix_postgres_enabled|bool and matrix_postgres_additional_databases|length > 0"
+
 #
 # Tasks related to getting rid of the internal postgres server (if it was previously enabled)
 #

roles/matrix-postgres/tasks/upgrade_postgres.yml

@@ -135,8 +135,8 @@
       {{ matrix_postgres_docker_image_latest }}
       -c "cat /in/{{ postgres_dump_name }} |
       {{ 'gunzip |' if postgres_dump_name.endswith('.gz') else '' }}
-      grep -vE '^CREATE ROLE {{ matrix_postgres_connection_username }}' |
-      grep -vE '^CREATE DATABASE {{ matrix_postgres_db_name }}' |
+      grep -vE '{{ matrix_postgres_import_roles_ignore_regex }}' |
+      grep -vE '{{ matrix_postgres_import_databases_ignore_regex }}' |
       psql -v ON_ERROR_STOP=1 -h matrix-postgres"
 
 # This is a hack.

roles/matrix-postgres/tasks/util/create_additional_database.yml

@@ -0,0 +1,40 @@
+---
+
+# It'd be better if this is belonged to `validate_config.yml`, but it would have to be some loop-within-a-loop there,
+# and that's ugly. We also don't expect this to catch errors often. It's more of a defensive last-minute check.
+- name: Fail if additional database data appears invalid
+  fail:
+    msg: "Additional database definition ({{ additional_db }} lacks a required key: {{ item }}"
+  when: "item not in additional_db"
+  with_items: "{{ ['name', 'username', 'password'] }}"
+
+# The SQL statements that we'll run against Postgres are stored in a file that others can't read.
+# This file will be mounted into the container and fed to Postgres.
+# This way, we avoid passing sensitive data around in CLI commands that other users on the system can see.
+- name: Create additional database initialization SQL file for {{ additional_db.name }}
+  template:
+    src: "{{ role_path }}/templates/sql/init-additional-db-user-and-role.sql.j2"
+    dest: "/tmp/matrix-postgres-init-additional-db-user-and-role.sql"
+    mode: 0600
+    owner: "{{ matrix_user_uid }}"
+    group: "{{ matrix_user_gid }}"
+
+- name: Execute Postgres additional database initialization SQL file for {{ additional_db.name }}
+  command:
+    cmd: >-
+      {{ matrix_host_command_docker }} run
+      --rm
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
+      --network {{ matrix_docker_network }}
+      --mount type=bind,src=/tmp/matrix-postgres-init-additional-db-user-and-role.sql,dst=/matrix-postgres-init-additional-db-user-and-role.sql,ro
+      --entrypoint=/bin/sh
+      {{ matrix_postgres_docker_image_to_use }}
+      -c
+      'psql -h {{ matrix_postgres_connection_hostname }} --file=/matrix-postgres-init-additional-db-user-and-role.sql'
+
+- name: Delete additional database initialization SQL file for {{ additional_db.name }}
+  file:
+    path: /tmp/matrix-postgres-init-additional-db-user-and-role.sql
+    state: absent

roles/matrix-postgres/tasks/util/create_additional_databases.yml

@@ -0,0 +1,23 @@
+---
+
+- name: Ensure matrix-postgres is started
+  service:
+    name: matrix-postgres
+    state: started
+    daemon_reload: yes
+  register: matrix_postgres_service_start_result
+
+- name: Wait a bit, so that Postgres can start
+  wait_for:
+    timeout: "{{ matrix_postgres_additional_databases_postgres_start_wait_timeout_seconds }}"
+  delegate_to: 127.0.0.1
+  become: false
+  when: "matrix_postgres_service_start_result.changed|bool"
+
+- name: Create additional Postgres user and database
+  include_tasks: "{{ role_path }}/tasks/util/create_additional_database.yml"
+  with_items: "{{ matrix_postgres_additional_databases }}"
+  loop_control:
+    loop_var: additional_db
+  # Suppress logging to avoid dumping the credentials to the shell
+  no_log: true