Stuart Mumford 5 лет назад
Родитель
Сommit
61e9ed1984
Не найден GPG ключ соответствующий данной подписи Идентификатор GPG ключа: 60BC5C03E6276769
84 измененных файлов: 1067 добавлений и 199 удалений
  1. +36
    -0
      CHANGELOG.md
  2. +2
    -0
      README.md
  3. +34
    -0
      docs/configuring-playbook-bridge-mx-puppet-slack.md
  4. +31
    -9
      docs/configuring-playbook-dimension.md
  5. +1
    -1
      docs/configuring-playbook-email.md
  6. +44
    -6
      docs/configuring-playbook-jitsi.md
  7. +2
    -1
      docs/configuring-playbook-matrix-corporal.md
  8. +9
    -0
      docs/configuring-playbook-turn.md
  9. +2
    -0
      docs/configuring-playbook.md
  10. +9
    -1
      docs/configuring-well-known.md
  11. +2
    -0
      docs/installing.md
  12. +4
    -2
      docs/maintenance-migrating.md
  13. +28
    -1
      docs/maintenance-synapse.md
  14. +45
    -2
      group_vars/matrix_servers
  15. +1
    -2
      roles/matrix-base/defaults/main.yml
  16. +13
    -0
      roles/matrix-base/tasks/main.yml
  17. +1
    -15
      roles/matrix-base/tasks/setup_matrix_base.yml
  18. +22
    -0
      roles/matrix-base/tasks/setup_matrix_user.yml
  19. +3
    -3
      roles/matrix-base/tasks/setup_well_known.yml
  20. +11
    -0
      roles/matrix-base/tasks/validate_config.yml
  21. +3
    -3
      roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
  22. +6
    -2
      roles/matrix-bridge-appservice-irc/defaults/main.yml
  23. +4
    -4
      roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
  24. +1
    -1
      roles/matrix-bridge-appservice-slack/defaults/main.yml
  25. +3
    -3
      roles/matrix-bridge-appservice-slack/tasks/setup_install.yml
  26. +5
    -5
      roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml
  27. +3
    -3
      roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
  28. +3
    -3
      roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
  29. +1
    -1
      roles/matrix-bridge-mautrix-telegram/defaults/main.yml
  30. +3
    -3
      roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
  31. +3
    -3
      roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
  32. +31
    -9
      roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
  33. +4
    -3
      roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml
  34. +186
    -0
      roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
  35. +70
    -0
      roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
  36. +21
    -0
      roles/matrix-bridge-mx-puppet-slack/tasks/main.yml
  37. +93
    -0
      roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
  38. +24
    -0
      roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml
  39. +10
    -0
      roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml
  40. +44
    -0
      roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
  41. +2
    -2
      roles/matrix-corporal/tasks/setup_corporal.yml
  42. +1
    -1
      roles/matrix-coturn/defaults/main.yml
  43. +2
    -2
      roles/matrix-coturn/tasks/setup_coturn.yml
  44. +3
    -1
      roles/matrix-dimension/defaults/main.yml
  45. +0
    -8
      roles/matrix-dimension/tasks/validate_config.yml
  46. +3
    -0
      roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
  47. +2
    -2
      roles/matrix-email2matrix/tasks/setup_email2matrix.yml
  48. +27
    -4
      roles/matrix-jitsi/defaults/main.yml
  49. +1
    -1
      roles/matrix-jitsi/tasks/setup_jitsi_base.yml
  50. +1
    -1
      roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml
  51. +1
    -1
      roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
  52. +2
    -1
      roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
  53. +1
    -1
      roles/matrix-jitsi/tasks/setup_jitsi_web.yml
  54. +15
    -1
      roles/matrix-jitsi/templates/prosody/env.j2
  55. +1
    -0
      roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
  56. +6
    -0
      roles/matrix-ma1sd/defaults/main.yml
  57. +3
    -3
      roles/matrix-ma1sd/tasks/setup_ma1sd.yml
  58. +1
    -1
      roles/matrix-mailer/tasks/setup_mailer.yml
  59. +1
    -1
      roles/matrix-nginx-proxy/defaults/main.yml
  60. +4
    -4
      roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
  61. +2
    -2
      roles/matrix-nginx-proxy/tasks/setup_well_known.yml
  62. +1
    -1
      roles/matrix-nginx-proxy/tasks/ssl/main.yml
  63. +1
    -1
      roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml
  64. +4
    -4
      roles/matrix-postgres/defaults/main.yml
  65. +1
    -2
      roles/matrix-postgres/tasks/import_sqlite_db.yml
  66. +1
    -1
      roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml
  67. +8
    -1
      roles/matrix-postgres/tasks/run_synapse_janitor.yml
  68. +2
    -2
      roles/matrix-postgres/tasks/setup_postgres.yml
  69. +5
    -1
      roles/matrix-riot-web/defaults/main.yml
  70. +3
    -3
      roles/matrix-riot-web/tasks/setup_riot_web.yml
  71. +2
    -0
      roles/matrix-riot-web/templates/config.json.j2
  72. +1
    -0
      roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
  73. +6
    -2
      roles/matrix-synapse/defaults/main.yml
  74. +1
    -1
      roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml
  75. +1
    -1
      roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml
  76. +2
    -2
      roles/matrix-synapse/tasks/goofys/setup_install.yml
  77. +1
    -1
      roles/matrix-synapse/tasks/import_media_store.yml
  78. +1
    -1
      roles/matrix-synapse/tasks/register_user.yml
  79. +1
    -2
      roles/matrix-synapse/tasks/setup_synapse.yml
  80. +2
    -2
      roles/matrix-synapse/tasks/synapse/setup_install.yml
  81. +2
    -2
      roles/matrix-synapse/tasks/update_user_password.yml
  82. +123
    -45
      roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
  83. +0
    -1
      roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
  84. +1
    -0
      setup.yml

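--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,39 @@
+# 2020-05-19
+
+## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server
+
+User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database.
+
+ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc.
+
+Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**.
+
+*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"`
+
+
+# 2020-04-28
+
+## Newer IRC bridge (with potential breaking change)
+
+This upgrades matrix-appservice-irc from 0.14.1 to 0.16.0. Upstream
+made a change to how you define manual mappings. If you added a
+`mapping` to your configuration, you will need to update it accoring
+to the [upstream
+instructions](https://github.com/matrix-org/matrix-appservice-irc/blob/master/CHANGELOG.md#0150-2020-02-05).
+If you did not include `mappings` in your configuration for IRC, no
+change is necessary. `mappings` is not part of the default
+configuration.
+
+
+# 2020-04-23
+
+## Slack bridging support
+
+Thanks to [Rodrigo Belem](https://github.com/rbelem)'s efforts, the playbook now supports bridging to [Slack](https://slack.com) via the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge.
+
+See our [Setting up MX Puppet Slack bridging](docs/configuring-playbook-bridge-mx-puppet-slack.md) documentation page for getting started.
+
+
 # 2020-04-09
 
 ## Skype bridging support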
+ 2
- 0
README.md

@@ -146,6 +146,8 @@ This playbook sets up your server using the following Docker images:

- [sorunome/mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) - the [mx-puppet-skype](https://github.com/Sorunome/mx-puppet-skype) bridge to [Skype](https:/www.skype.com) (optional)

- [sorunome/mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) - the [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) bridge to [Slack](https:/slack.com) (optional)

- [turt2live/matrix-dimension](https://hub.docker.com/r/turt2live/matrix-dimension) - the [Dimension](https://dimension.t2bot.io/) integrations manager (optional)

- [jitsi/web](https://hub.docker.com/r/jitsi/web) - the [Jitsi](https://jitsi.org/) web UI (optional)


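--- a/docs/configuring-playbook-bridge-mx-puppet-slack.md
+++ b/docs/configuring-playbook-bridge-mx-puppet-slack.md
@@ -0,0 +1,34 @@
+# Setting up MX Puppet Slack (optional)
+
+The playbook can install and configure
+[mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you.
+
+See the project page to learn what it does and why it might be useful to you.
+
+To enable the [Slack](https://slack.com/) bridge just use the following
+playbook configuration:
+
+
+```yaml
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: ""
+matrix_mx_puppet_slack_client_secret: ""
+```
+
+
+## Usage
+
+Once the bot is enabled you need to start a chat with `Slack Puppet Bridge` with
+the handle `@_slackpuppet_bot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base
+domain, not the `matrix.` domain).
+
+Three authentication methods are available, Legacy Token, OAuth and xoxc token.
+See mx-puppet-slack [documentation](https://github.com/Sorunome/mx-puppet-slack)
+for more information about how to configure the bridge.
+
+Once logged in, send `list` to the bot user to list the available rooms.
+
+Clicking rooms in the list will result in you receiving an invitation to the
+bridged room.
+
+Also send `help` to the bot to see the commands available.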
+ 31
- 9
docs/configuring-playbook-dimension.md

@@ -4,11 +4,14 @@
If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.

## Prerequisites
For an Integration Manager like [Dimension](https://dimension.t2bot.io) to work, your server needs to have federation enabled (`matrix_synapse_federation_enabled: true`). This is the default for this playbook, so unless you've explicitly disabled federation, you're okay.

This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`.

Other important prerequisite is the `dimension.<your-domain>` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.


## Enable

[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

```yaml
@@ -17,23 +20,31 @@ matrix_dimension_enabled: true


## Define admin users

These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon.
Add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):

```yaml
matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com']
matrix_dimension_admins:
- "@user1:{{ matrix_domain }}"
- "@user2:{{ matrix_domain }}"
```


## Access token
You are required to specify an access token for Dimension to work.
To get an access token, follow these steps:

We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username).
Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**.

You are required to specify an access token (belonging to this new user) for Dimension to work.
To get an access token for the Dimension user, follow these steps:

1. In a private browsing session (incognito window), open Riot.
2. It's preferable to use a dedicated user for the access token, so create and log in with that user's username and password.
3. Set the display name and avatar, if required.
4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: <click to reveal>`.
5. Copy the highlighted text to your configuration.
6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
2. Log in with the `dimension` user and its password.
1. Set the display name and avatar, if required.
2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: <click to reveal>`.
3. Copy the highlighted text to your configuration.
4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.

**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**

@@ -45,12 +56,23 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE"

For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens).


## Installation

After these variables have been set, please run the following command to re-run setup and to restart Dimension:

```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```


## Jitsi domain

By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details.

In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* &rightarrow; *Settings* &rightarrow; *Widgets* &rightarrow; *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately.


## Additional features

To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it.


+ 1
- 1
docs/configuring-playbook-email.md

@@ -34,7 +34,7 @@ matrix_mailer_relay_auth_password: "some-password"


### Configuations for sending emails using Sendgrid
An easy and free STMP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`.
An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`.

The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`.



+ 44
- 6
docs/configuring-playbook-jitsi.md

@@ -4,7 +4,7 @@ The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing plat

Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services.

The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet).
The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). You can refer to the documentation there for many of the options here.


## Prerequisites
@@ -34,13 +34,13 @@ matrix_jitsi_jibri_xmpp_password: ""
```


## (Optional) configure internal Jitsi authentication and guests mode
## (Optional) Configure Jitsi authentication and guests mode

By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.

If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).

If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room.
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.

Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

@@ -49,11 +49,43 @@ matrix_jitsi_enable_auth: true
matrix_jitsi_enable_guests: true
```

### (Optional) LDAP authentication

The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:

```yaml
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: ldap
matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))"
matrix_jitsi_ldap_use_tls: false
matrix_jitsi_ldap_start_tls: true
```

For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.


## (Optional) Making your Jitsi server work on a LAN

By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok.

The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work.

Here is how to do it in the playbook.

Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

```yaml
matrix_jitsi_jvb_container_extra_arguments:
- '--env "DOCKER_HOST_ADDRESS=<Local IP adress of the host>"'
```

## Apply changes

Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`

## Required if configuring Jitsi with its internal authentication: register new users
## Required if configuring Jitsi with internal authentication: register new users

Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
@@ -69,9 +101,15 @@ Run this command for each user you would like to create, replacing `<USERNAME>`

## Usage

You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.
You can use the self-hosted Jitsi server in multiple ways:

- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.

- **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default).

- **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN`

To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support).


## Troubleshooting


+ 2
- 1
docs/configuring-playbook-matrix-corporal.md

@@ -26,7 +26,8 @@ matrix_corporal_policy_provider_config: |
"Uri": "https://intranet.example.com/matrix/policy",
"AuthorizationBearerToken": "SOME_SECRET",
"CachePath": "/var/cache/matrix-corporal/last-policy.json",
"ReloadIntervalSeconds": 1800
"ReloadIntervalSeconds": 1800,
"TimeoutMilliseconds": 300
}

# If you also want to enable Matrix Corporal's HTTP API..


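--- a/docs/configuring-playbook-turn.md
+++ b/docs/configuring-playbook-turn.md
@@ -31,3 +31,12 @@ matrix_synapse_turn_uris:
 - turn:HOSTNAME_OR_IP?transport=udp
 - turn:HOSTNAME_OR_IP?transport=tcp
 ```
+
+If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might want to enable the TURN server there too.
+If you do not do it, Jitsi will fall back to an upstream service.
+
+```yaml
+matrix_jitsi_web_stun_servers:
+- stun:HOSTNAME_OR_IP:PORT
+```
+You can put multiple host/port combinations if you like.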
+ 2
- 0
docs/configuring-playbook.md

@@ -99,4 +99,6 @@ When you're done with all the configuration you'd like to do, continue with [Ins

- [Setting up MX Puppet Skype bridging](configuring-playbook-bridge-mx-puppet-skype.md) (optional)

- [Setting up MX Puppet Slack bridging](configuring-playbook-bridge-mx-puppet-slack.md) (optional)

- [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)

+ 9
- 1
docs/configuring-well-known.md

@@ -104,7 +104,7 @@ server {
</VirtualHost>
```

**For Caddy**, it would be something like this:
**For Caddy 2**, it would be something like this:

```caddy
reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
@@ -112,6 +112,14 @@ reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
}
```

**For Caddy 1**, it would be something like this:

```caddy
proxy /.well-known/matrix/ https://matrix.DOMAIN {
header_upstream Host {http.reverse_proxy.upstream.hostport}
}
```

**For HAProxy**, it would be something like this:

```haproxy


+ 2
- 0
docs/installing.md

@@ -10,6 +10,8 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all

**Note**: if you don't use SSH keys for authentication, but rather a regular password, you may need to add `--ask-pass` to the above (and all other) Ansible commands.

**Note**: if you **do** use SSH keys for authentication, **and** use a non-root user to *become* root (sudo), you may need to add `-K` (`--ask-become-pass`) to the above (and all other) Ansible commands.

The above command **doesn't start any services just yet** (another step does this later - below).

Feel free to **re-run this setup command any time** you think something is off with the server configuration.


+ 4
- 2
docs/maintenance-migrating.md

@@ -1,8 +1,10 @@
# Migrating to new server

1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime
2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*`
2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*`
3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)!
4. Make sure your DNS records are adjusted to point to the new server's IP address
5. Remove old server from the `inventory/hosts` file and add new server.
6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. This will create the matrix user and group and start all services on the new server
6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-system-user`. This will create the `matrix` user and group on the new server
7. Because the `matrix` user and group are created dynamically on each server, the user/group id may differ between the old and new server. We suggest that you adjust ownership of `/matrix` files manually by running this on the new server: `chown -R matrix:matrix /matrix`.
8. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` to finish the installation and start all services

+ 28
- 1
docs/maintenance-synapse.md

@@ -8,11 +8,18 @@ Table of contents:

- [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api), for when you wish to delete in-use (but old) data from the Synapse database

- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state), for when you wish to compress some Synapse state tables using the [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state) tool
- [Synapse maintenance](#synapse-maintenance)
- [Purging unused data with synapse-janitor](#purging-unused-data-with-synapse-janitor)
- [Vacuuming Postgres](#vacuuming-postgres)
- [Purging old data with the Purge History API](#purging-old-data-with-the-purge-history-api)
- [Compressing state with rust-synapse-compress-state](#compressing-state-with-rust-synapse-compress-state)

- [Browse and manipulate the database](#browse-and-manipulate-the-database), for when you really need to take matters into your own hands

## Purging unused data with synapse-janitor

**NOTE**: There are [reports](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465) that **synapse-janitor is dangerous to use and causes database corruption**. You may wish to refrain from using it.

When you **leave** and **forget** a room, Synapse can clean up its data, but currently doesn't.
This **unused and unreachable data** remains in your database forever.

@@ -70,3 +77,23 @@ Don't forget that disk space only ever gets released after a [`FULL` Postgres `V
Unfortunately, at this time the playbook can't help you run this **experimental tool**.

Since it's also experimental, you may wish to stay away from it, or at least [make Postgres backups](./maintenance-postgres.md#backing-up-postgresql) first.

## Browse and manipulate the database

When the [matrix admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) and the other tools do not provide a more convenient way, having a look at synapse's postgresql database can satisfy a lot of admins' needs.
First, set up an SSH tunnel to your matrix server (skip if it is your local machine):

```
# you may replace 1799 with an arbitrary port unbound on both machines
ssh -L 1799:localhost:1799 matrix.DOMAIN
```

Then start up an ephemeral [adminer](https://www.adminer.org/) container on the Matrix server, connecting it to the `matrix` network and linking the postgresql container:

```
docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer
```

You should then be able to browse the adminer database administration GUI at http://localhost:1799/ after entering your DB credentials (found in the `host_vars` or on the server in `{{matrix_synapse_config_dir_path}}/homeserver.yaml` under `database.args`)

⚠️ Be **very careful** with this, there is **no undo** for impromptu DB operations.
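Review bot: The suggested `docker run --rm --publish 1799:8080 --link matrix-postgres --net matrix adminer` publishes the adminer port on all host interfaces, so the database login UI becomes reachable from the network rather than only through the SSH tunnel set up in the previous step. Bind it to loopback instead: `docker run --rm --publish 127.0.0.1:1799:8080 --link matrix-postgres --net matrix adminer`. It is also worth telling the reader to stop the container (Ctrl-C) as soon as the session is over, since while it runs anything that can reach that port gets a login form to the Synapse database.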

+ 45
- 2
group_vars/matrix_servers

@@ -88,7 +88,7 @@ matrix_appservice_webhooks_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-webhooks' client-server port to the local host.
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}"
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}"

matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"

@@ -337,6 +337,37 @@ matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_prov
######################################################################


######################################################################
#
# matrix-bridge-mx-puppet-slack
#
######################################################################

# We don't enable bridges by default.
matrix_mx_puppet_slack_enabled: false

matrix_mx_puppet_slack_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

matrix_mx_puppet_slack_systemd_required_services_list: |
{{
['docker.service']
+
(['matrix-synapse.service'] if matrix_synapse_enabled else [])
}}

matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"

matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}"

matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

######################################################################
#
# /matrix-bridge-mx-puppet-slack
#
######################################################################


######################################################################
#
# matrix-corporal
@@ -416,6 +447,8 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"

matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}"

######################################################################
#
# /matrix-dimension
@@ -583,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"

matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
# Not proxying the user directory search to the identity server by default anymore,
# because it currently leaks data.
# See: https://github.com/ma1uta/ma1sd/issues/44
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"

@@ -739,6 +775,13 @@ matrix_synapse_tls_federation_listener_enabled: false
matrix_synapse_tls_certificate_path: ~
matrix_synapse_tls_private_key_path: ~

matrix_synapse_http_listener_resource_names: |
{{
["client"]
+
( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] )
}}

matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
matrix_synapse_email_smtp_host: "matrix-mailer"
matrix_synapse_email_smtp_port: 8025


+ 1
- 2
roles/matrix-base/defaults/main.yml

@@ -22,8 +22,7 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"

matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
matrix_user_groupname: "matrix"

matrix_base_data_path: "/matrix"
matrix_base_data_path_mode: "750"
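Review bot: `matrix_user_groupname` is introduced while the pinned `matrix_user_uid`/`matrix_user_gid` defaults are removed, with no comment saying where those two names now come from. A comment such as `# matrix_user_uid and matrix_user_gid are no longer defaults; setup_matrix_user.yml registers them from the created group/user at runtime.` above `matrix_user_groupname` would save the next reader a search across roles. Presumably this also means fresh installs no longer get a fixed 991:991, so data restored onto a new host may carry stale numeric ownership under `matrix_base_data_path` — worth a sentence in the migration docs if that reading is right.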


+ 13
- 0
roles/matrix-base/tasks/main.yml

@@ -2,6 +2,11 @@
tags:
- always

- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool"
tags:
- setup-all

- import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml"
when: run_setup|bool
tags:
@@ -12,6 +17,14 @@
tags:
- setup-all

# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`,
# which are required by many other roles.
- import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
when: run_setup|bool
tags:
- always
- setup-system-user

- import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
when: run_setup|bool
tags:
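Review bot: The comment above the `setup_matrix_user.yml` import says it must always run because other roles depend on `matrix_user_uid`/`matrix_user_gid`, yet the import keeps `when: run_setup|bool`, so a play with `run_setup` false leaves both facts undefined for any role that references them. If "always" is the real requirement, drop that `when:`; otherwise reword the comment to `# Runs whenever run_setup is true, on every tag, because it populates matrix_user_uid/matrix_user_gid for later roles.`. The new `validate_config.yml` import carries only `setup-all`, so the deprecation check is skipped on narrower tag runs, which is probably intended but worth stating.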


+ 1
- 15
roles/matrix-base/tasks/setup_matrix_base.yml

@@ -1,25 +1,12 @@
---

- name: Ensure Matrix group is created
group:
name: "{{ matrix_user_username }}"
gid: "{{ matrix_user_gid }}"
state: present

- name: Ensure Matrix user is created
user:
name: "{{ matrix_user_username }}"
uid: "{{ matrix_user_uid }}"
state: present
group: "{{ matrix_user_username }}"

- name: Ensure Matrix base path exists
file:
path: "{{ item }}"
state: directory
mode: "{{ matrix_base_data_path_mode }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_base_data_path }}"

@@ -54,4 +41,3 @@
src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2"
dest: "{{ matrix_local_bin_path }}/matrix-remove-all"
mode: 0750


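--- /dev/null
+++ b/roles/matrix-base/tasks/setup_matrix_user.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Ensure Matrix group is created
+group:
+name: "{{ matrix_user_groupname }}"
+state: present
+register: matrix_group
+
+- name: Set Matrix Group GID Variable
+set_fact:
+matrix_user_gid: "{{ matrix_group.gid }}"
+
+- name: Ensure Matrix user is created
+user:
+name: "{{ matrix_user_username }}"
+state: present
+group: "{{ matrix_user_groupname }}"
+register: matrix_user
+
+- name: Set Matrix Group UID Variable
+set_fact:
+matrix_user_uid: "{{ matrix_user.uid }}"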
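Review bot: Both accounts are created as ordinary ones: neither `group:` nor `user:` passes `system: true`, so on a fresh host `matrix` is allocated from the regular-user id range and the `user` module's defaults (home directory, login shell) apply to an account that only needs to own the data path. Adding `system: true` to both modules and a non-login `shell:` keeps the service account to what the containers need. The name of the last task, `Set Matrix Group UID Variable`, registers the user uid and reads better as `Set Matrix User UID Variable`. Note that the registered `matrix_user_uid`/`matrix_user_gid` go through Jinja and are most likely strings rather than ints, which is fine for path ownership but will surprise any numeric comparison.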

+ 3
- 3
roles/matrix-base/tasks/setup_well_known.yml

@@ -8,7 +8,7 @@
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_static_files_base_path }}/.well-known/matrix"

@@ -18,7 +18,7 @@
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure Matrix /.well-known/matrix/server file configured
template:
@@ -26,7 +26,7 @@
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_well_known_matrix_server_enabled|bool

- name: Ensure Matrix /.well-known/matrix/server file deleted


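--- /dev/null
+++ b/roles/matrix-base/tasks/validate_config.yml
@@ -0,0 +1,11 @@
+---
+
+- name: (Deprecation) Warn about unused user/group variables
+fail:
+msg: >
+The `{{ item }}` variable defined in your configuration is not used by this playbook anymore.
+User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything.
+when: "item in vars"
+with_items:
+- 'matrix_user_uid'
+- 'matrix_user_gid'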
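Review bot: The task is named a warning but uses `fail`, and its own message says the variables "have no effect on anything", so a stale `matrix_user_uid: 991` left in an operator's vars aborts the whole run over a no-op. Either emit it as a warning (`debug:` with the same `msg`) or rename the task and reword the message to say the variable is rejected. The same two names are later assigned by `setup_matrix_user.yml` via `set_fact`, so this check is only correct because `tasks/main.yml` imports it first; a comment such as `# Must be imported before setup_matrix_user.yml, which legitimately sets these facts.` would protect that ordering.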

+ 3
- 3
roles/matrix-bridge-appservice-discord/tasks/setup_install.yml

@@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_discord_base_path }}"
- "{{ matrix_appservice_discord_config_path }}"
@@ -46,7 +46,7 @@
dest: "{{ matrix_appservice_discord_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure AppService Discord registration.yaml installed
copy:
@@ -54,7 +54,7 @@
dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

# If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated.
# We intentionally suppress Ansible changes.


+ 6
- 2
roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -3,7 +3,7 @@

matrix_appservice_irc_enabled: true

matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1"
matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.17.1"
matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
@@ -235,7 +235,11 @@ matrix_appservice_irc_ircService_servers: []
# # 1:many mappings from IRC channels to room IDs on this IRC server.
# # The matrix room must already exist. Your matrix client should expose
# # the room ID in a "settings" page for the room.
# "#thepub": ["!kieouiJuedJoxtVdaG:localhost"]
# "#thepub":
# roomIds: ["!kieouiJuedJoxtVdaG:localhost"]
# # Channel key/password to use. Optional. If provided, matrix users do
# # not need to know the channel key in order to join the channel.
# # key: "secret"

# # Configuration for virtual matrix users. The following variables are
# # exposed:


+ 4
- 4
roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_irc_base_path }}"
- "{{ matrix_appservice_irc_config_path }}"
@@ -50,7 +50,7 @@
dest: "{{ matrix_appservice_irc_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Check if Appservice IRC passkey exists
stat:
@@ -70,7 +70,7 @@
path: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

# Ideally, we'd like to generate the final registration.yaml file by ourselves.
#
@@ -134,7 +134,7 @@
dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-appservice-irc.service installed
template:
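Review bot: `passkey.pem` under `matrix_appservice_irc_data_path` is written with `mode: 0644`, readable by every local account, while the role's directories are `0750`; the name suggests this is the bridge's private key used to protect stored IRC credentials (confirm against the bridge's docs), so it should be `mode: 0600`, or `mode: 0640` now that the group is the dedicated `matrix_user_groupname` this commit sets. The commit only touches the `group:` line two lines below it in the third hunk. The octal literals would also be safer quoted (`"0640"`), per the usual YAML 1.1 caveat, though Ansible accepts the integer form.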


+ 1
- 1
roles/matrix-bridge-appservice-slack/defaults/main.yml

@@ -3,7 +3,7 @@

matrix_appservice_slack_enabled: true

matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest"
matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:cadair"
matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"

matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
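Review bot: The image reference moves from `:latest` to the mutable tag `:cadair`, and since `matrix_appservice_slack_docker_image_force_pull` is derived from `endswith(':latest')` it now evaluates false, so presumably a host that already has that tag locally never pulls later pushes to it while the name gives no hint of what is deployed. For a third-party personal image, an immutable reference (a versioned tag, or `image@sha256:<DIGEST-PLACEHOLDER>`) makes what runs on the homeserver reproducible; if the tag has to stay mutable, set `matrix_appservice_slack_docker_image_force_pull: true` explicitly. A comment explaining why this fork/tag is preferred over upstream would help the next maintainer.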


+ 3
- 3
roles/matrix-bridge-appservice-slack/tasks/setup_install.yml

@@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_slack_base_path }}"
- "{{ matrix_appservice_slack_config_path }}"
@@ -25,7 +25,7 @@
dest: "{{ matrix_appservice_slack_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure appservice-slack registration.yaml installed
copy:
@@ -33,7 +33,7 @@
dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-appservice-slack.service installed
template:


+ 5
- 5
roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml

@@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_webhooks_base_path }}"
- "{{ matrix_appservice_webhooks_config_path }}"
@@ -25,7 +25,7 @@
dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure Matrix Appservice webhooks schema.yml template exists
template:
@@ -33,7 +33,7 @@
dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure Matrix Appservice webhooks database.json template exists
template:
@@ -41,7 +41,7 @@
dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure appservice-webhooks registration.yaml installed
copy:
@@ -49,7 +49,7 @@
dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-appservice-webhooks.service installed
template:


+ 3
- 3
roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml

@@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mautrix_facebook_base_path }}", when: true }
- { path: "{{ matrix_mautrix_facebook_config_path }}", when: true }
@@ -73,7 +73,7 @@
dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure mautrix-facebook registration.yaml installed
copy:
@@ -81,7 +81,7 @@
dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-mautrix-facebook.service installed
template:


+ 3
- 3
roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true }
- { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true }
@@ -72,7 +72,7 @@
dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure mautrix-hangouts registration.yaml installed
copy:
@@ -80,7 +80,7 @@
dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-mautrix-hangouts.service installed
template:


+ 1
- 1
roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -4,7 +4,7 @@
matrix_mautrix_telegram_enabled: true

# See: https://mau.dev/tulir/mautrix-telegram/container_registry
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0"
matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2"
matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"

matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"


+ 3
- 3
roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml

@@ -21,7 +21,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_mautrix_telegram_base_path }}"
- "{{ matrix_mautrix_telegram_config_path }}"
@@ -50,7 +50,7 @@
dest: "{{ matrix_mautrix_telegram_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure mautrix-telegram registration.yaml installed
copy:
@@ -58,7 +58,7 @@
dest: "{{ matrix_mautrix_telegram_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-mautrix-telegram.service installed
template:


+ 3
- 3
roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml

@@ -21,7 +21,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_mautrix_whatsapp_base_path }}"
- "{{ matrix_mautrix_whatsapp_config_path }}"
@@ -59,7 +59,7 @@
dest: "{{ matrix_mautrix_whatsapp_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure mautrix-whatsapp registration.yaml installed
copy:
@@ -67,7 +67,7 @@
dest: "{{ matrix_mautrix_whatsapp_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-mautrix-whatsapp.service installed
template:


+ 31
- 9
roles/matrix-bridge-mx-puppet-skype/defaults/main.yml

@@ -16,9 +16,26 @@ matrix_mx_puppet_skype_docker_src_files_path: "{{ matrix_mx_puppet_skype_base_pa
matrix_mx_puppet_skype_appservice_port: "8438"

matrix_mx_puppet_skype_homeserver_address: 'http://matrix-synapse:8008'
matrix_mx_puppet_skype_homeserver_domain: '{{ matrix_domain }}'
matrix_mx_puppet_skype_appservice_address: 'http://matrix-mx-puppet-skype:{{ matrix_mx_puppet_skype_appservice_port }}'

# "@user:server.com" to allow specific user
# "@.*:yourserver.com" to allow users on a specific homeserver
# "@.*" to allow anyone
matrix_mx_puppet_skype_provisioning_whitelist:
- "@.*:{{ matrix_domain|regex_escape }}"

# Leave empty to disable blacklist
# "@user:server.com" disallow a specific user
# "@.*:yourserver.com" disallow users on a specific homeserver
matrix_mx_puppet_skype_provisioning_blacklist: []

# Same as provisioning
matrix_mx_puppet_skype_relay_whitelist:
- "@.*:{{ matrix_domain|regex_escape }}"

# Same as provisioning
matrix_mx_puppet_skype_relay_blacklist: []

# A list of extra arguments to pass to the container
matrix_mx_puppet_skype_container_extra_arguments: []

@@ -48,7 +65,7 @@ matrix_mx_puppet_skype_configuration_yaml: |
# Port to host the bridge on which your homeserver will connect to
port: {{ matrix_mx_puppet_skype_appservice_port }}
# Name of your homeserver
domain: {{ matrix_mx_puppet_skype_homeserver_domain }}
domain: {{ matrix_domain }}
# URL where the bridge can connect to your homeserver
homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }}
# Optionally specify a different media URL used for the media store
@@ -60,7 +77,7 @@ matrix_mx_puppet_skype_configuration_yaml: |
# yourserver.com: supersecretsharedsecret
{% if matrix_mx_puppet_skype_login_shared_secret != '' %}
loginSharedSecretMap:
{{ matrix_mx_puppet_skype_homeserver_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }}
{{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }}
{% endif %}
# optionally override the display name of the bridge bot
#displayname: Protocol Bot
@@ -122,19 +139,21 @@ matrix_mx_puppet_skype_configuration_yaml: |

provisioning:
# Regex of Matrix IDs allowed to use the puppet bridge
whitelist:
whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }}
# Allow a specific user
#- "@user:server\\.com"
# Allow users on a specific homeserver
- '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}'
#- "@.*:yourserver\\.com"
# Allow anyone
#- ".*"

# Regex of Matrix IDs forbidden from using the puppet bridge
#blacklist:
# Disallow a specific user
#- "@user:server\\.com"
# Disallow users on a specific homeserver
#- "@.*:yourserver\\.com"
blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }}

presence:
# Bridge online/offline status
@@ -150,10 +169,13 @@ matrix_mx_puppet_skype_configuration_yaml: |
relay:
# Regex of Matrix IDs to allow to use the relay mode
# Same format as in provisioning
whitelist:
- '@.*:{{ matrix_mx_puppet_skype_homeserver_domain | regex_escape }}'
#whitelist:
#- "@.*:yourserver\\.com"
whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }}

#blacklist:
#- "@user:yourserver\\.com"
blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }}

# Map certain homeserver URLs to the C-S API endpoint
# Useful for double-puppeting if .well-known is unavailable for some reason
@@ -196,11 +218,11 @@ matrix_mx_puppet_skype_registration_yaml: |
namespaces:
users:
- exclusive: true
regex: '@_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}'
regex: '@_skypepuppet_.*:{{ matrix_domain|regex_escape }}'
rooms: []
aliases:
- exclusive: true
regex: '#_skypepuppet_.*:{{ matrix_mx_puppet_skype_homeserver_domain|regex_escape }}'
regex: '#_skypepuppet_.*:{{ matrix_domain|regex_escape }}'
protocols: []
rate_limited: false
sender_localpart: _skypepuppet_bot
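Review bot: `matrix_mx_puppet_skype_homeserver_domain` is still defined in the second hunk, but every later hunk replaces its uses in the config and registration templates with `matrix_domain`, so the variable is now dead and anyone who had overridden it gets a silent change; either drop it or keep referencing it. The new whitelist defaults are regexes ending in the escaped domain with no `$` anchor; if the bridge applies them as an unanchored search rather than a full match (worth confirming in mx-puppet-bridge), they also accept ids on any homeserver whose name starts with yours, and `- "@.*:{{ matrix_domain|regex_escape }}$"` would be the safer default. The `loginSharedSecretMap` entry still renders the shared secret unquoted; `{{ matrix_domain }}: "{{ matrix_mx_puppet_skype_login_shared_secret }}"` avoids YAML retyping a secret that looks numeric or starts with an indicator character.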


+ 4
- 3
roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml

@@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true }
- { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true }
@@ -42,6 +42,7 @@
docker_image:
name: "{{ matrix_mx_puppet_skype_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}"
@@ -71,7 +72,7 @@
dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure mx-puppet-skype skype-registration.yaml installed
copy:
@@ -79,7 +80,7 @@
dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-mx-puppet-skype.service installed
template:
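Review bot: `force_source: yes` on the self-build `docker_image` task tells Ansible to rebuild even when the image already exists, so every playbook run re-executes the Docker build, re-fetches build dependencies and reports `changed`, which defeats idempotency checks. If the aim is to pick up new commits after the checkout step, gate it on that step's result (`force_source: "{{ <REGISTER-OF-GIT-TASK>.changed }}"`) instead of unconditionally. Write the boolean as `true` rather than YAML 1.1 `yes` to match the rest of the playbook. The surrounding task starts before the hunk.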


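--- /dev/null
+++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
@@ -0,0 +1,186 @@
+# Mx Puppet Slack is a Matrix <-> Slack bridge
+# See: https://github.com/Sorunome/mx-puppet-slack
+
+matrix_mx_puppet_slack_enabled: true
+
+matrix_mx_puppet_slack_container_image_self_build: false
+
+# Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
+matrix_mx_puppet_slack_container_http_host_bind_port: ''
+
+matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest"
+matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}"
+
+matrix_mx_puppet_slack_base_path: "{{ matrix_base_data_path }}/mx-puppet-slack"
+matrix_mx_puppet_slack_config_path: "{{ matrix_mx_puppet_slack_base_path }}/config"
+matrix_mx_puppet_slack_data_path: "{{ matrix_mx_puppet_slack_base_path }}/data"
+matrix_mx_puppet_slack_docker_src_files_path: "{{ matrix_mx_puppet_slack_base_path }}/docker-src"
+
+matrix_mx_puppet_slack_appservice_port: "8432"
+
+matrix_mx_puppet_slack_homeserver_address: 'http://matrix-synapse:8008'
+matrix_mx_puppet_slack_homeserver_domain: '{{ matrix_domain }}'
+matrix_mx_puppet_slack_appservice_address: 'http://matrix-mx-puppet-slack:{{ matrix_mx_puppet_slack_appservice_port }}'
+
+matrix_mx_puppet_slack_client_id: ''
+matrix_mx_puppet_slack_client_secret: ''
+matrix_mx_puppet_slack_redirect_path: '/slack/oauth'
+matrix_mx_puppet_slack_redirect_uri: 'https://{{ matrix_server_fqn_matrix }}{{ matrix_mx_puppet_slack_redirect_path }}'
+
+# "@user:server.com" to allow specific user
+# "@.*:yourserver.com" to allow users on a specific homeserver
+# "@.*" to allow anyone
+matrix_mx_puppet_slack_provisioning_whitelist:
+- "@.*:{{ matrix_domain|regex_escape }}"
+
+# Leave empty to disable blacklist
+# "@user:server.com" disallow a specific user
+# "@.*:yourserver.com" disallow users on a specific homeserver
+matrix_mx_puppet_slack_provisioning_blacklist: []
+
+# A list of extra arguments to pass to the container
+matrix_mx_puppet_slack_container_extra_arguments: []
+
+# List of systemd services that matrix-puppet-slack.service depends on.
+matrix_mx_puppet_slack_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-puppet-slack.service wants
+matrix_mx_puppet_slack_systemd_wanted_services_list: []
+
+matrix_mx_puppet_slack_appservice_token: ''
+matrix_mx_puppet_slack_homeserver_token: ''
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mx_puppet_slack_configuration_yaml: |
+#jinja2: lstrip_blocks: "True"
+bridge:
+# Port to host the bridge on
+# Used for communication between the homeserver and the bridge
+port: {{ matrix_mx_puppet_slack_appservice_port }}
+# The host connections to the bridge's webserver are allowed from
+bindAddress: 0.0.0.0
+# Public domain of the homeserver
+domain: {{ matrix_mx_puppet_slack_homeserver_domain }}
+# Reachable URL of the Matrix homeserver
+homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }}
+
+
+# Slack OAuth settings. Create a slack app at https://api.slack.com/apps
+oauth:
+enabled: true
+# Slack app credentials.
+# N.B. This must be quoted so YAML wouldn't parse it as a float.
+clientId: "{{ matrix_mx_puppet_slack_client_id }}"
+clientSecret: {{ matrix_mx_puppet_slack_client_secret }}
+# Path where to listen for OAuth redirect callbacks.
+redirectPath: {{ matrix_mx_puppet_slack_redirect_path }}
+# Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path,
+# then set this field and the Slack app redirect URI field to the former.
+redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }}
+
+presence:
+# Bridge Discord online/offline status
+enabled: true
+# How often to send status to the homeserver in milliseconds
+interval: 500
+
+provisioning:
+# Regex of Matrix IDs allowed to use the puppet bridge
+whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }}
+# Allow a specific user
+#- "@user:server\\.com"
+# Allow users on a specific homeserver
+#- "@.*:yourserver\\.com"
+# Allow anyone
+#- ".*"
+# Regex of Matrix IDs forbidden from using the puppet bridge
+#blacklist:
+# Disallow a specific user
+#- "@user:server\\.com"
+# Disallow users on a specific homeserver
+#- "@.*:yourserver\\.com"
+blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }}
+
+# Shared secret for the provisioning API for use by integration managers.
+# If this is not set, the provisioning API will not be enabled.
+#sharedSecret: random string
+# Path prefix for the provisioning API. /v1 will be appended to the prefix automatically.
+apiPrefix: /_matrix/provision
+
+database:
+# Use Postgres as a database backend
+# If set, will be used instead of SQLite3
+# Connection string to connect to the Postgres instance
+# with username "user", password "pass", host "localhost" and database name "dbname".
+# Modify each value as necessary
+#connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
+# Use SQLite3 as a database backend
+# The name of the database file
+filename: /data/database.db
+
+logging:
+# Log level of console output
+# Allowed values starting with most verbose:
+# silly, debug, verbose, info, warn, error
+console: info
+# Date and time formatting
+lineDateFormat: MMM-D HH:mm:ss.SSS
+# Logging files
+# Log files are rotated daily by default
+files:
+# Log file path
+- file: "/data/bridge.log"
+# Log level for this file
+# Allowed values starting with most verbose:
+# silly, debug, verbose, info, warn, error
+level: info
+# Date and time formatting
+datePattern: YYYY-MM-DD
+# Maximum number of logs to keep.
+# This can be a number of files or number of days.
+# If using days, add 'd' as a suffix
+maxFiles: 14d
+# Maximum size of the file after which it will rotate. This can be a
+# number of bytes, or units of kb, mb, and gb. If using the units, add
+# 'k', 'm', or 'g' as the suffix
+maxSize: 50m
+
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+# Your custom YAML configuration goes here.
+# This configuration extends the default starting configuration (`matrix_mx_puppet_slack_configuration_yaml`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_mx_puppet_slack_configuration_yaml`.
+
+matrix_mx_puppet_slack_configuration_extension: "{{ matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml if matrix_mx_puppet_slack_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mx_puppet_slack_configuration_yaml`.
+matrix_mx_puppet_slack_configuration: "{{ matrix_mx_puppet_slack_configuration_yaml|from_yaml|combine(matrix_mx_puppet_slack_configuration_extension, recursive=True) }}"
+
+matrix_mx_puppet_slack_registration_yaml: |
+as_token: "{{ matrix_mx_puppet_slack_appservice_token }}"
+hs_token: "{{ matrix_mx_puppet_slack_homeserver_token }}"
+id: slack-puppet
+namespaces:
+users:
+- exclusive: true
+regex: '@_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}'
+rooms: []
+aliases:
+- exclusive: true
+regex: '#_slackpuppet_.*:{{ matrix_mx_puppet_slack_homeserver_domain|regex_escape }}'
+protocols: []
+rate_limited: false
+sender_localpart: _slackpuppet_bot
+url: {{ matrix_mx_puppet_slack_appservice_address }}
+
+matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml|from_yaml }}"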
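Review bot: `clientSecret: {{ matrix_mx_puppet_slack_client_secret }}` is rendered unquoted directly under the comment explaining that `clientId` must be quoted so YAML does not retype it; the secret needs the same, `clientSecret: "{{ matrix_mx_puppet_slack_client_secret }}"`, or a value that looks numeric or begins with a YAML indicator is silently mangled or breaks the `from_yaml` in `matrix_mx_puppet_slack_configuration`. `group_vars/matrix_servers` defines `matrix_mx_puppet_slack_login_shared_secret`, but nothing in this file declares it or renders a `loginSharedSecretMap`, so shared-secret double-puppeting appears unwired for this bridge (compare the skype role in this commit). Two smaller points: `# Bridge Discord online/offline status` under `presence:` is copied from another bridge, and this role templates `matrix_mx_puppet_slack_homeserver_domain` while the sibling skype role in the same commit switches to `matrix_domain` — one convention for the mx-puppet roles would help.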

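--- /dev/null
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@@ -0,0 +1,70 @@
+- set_fact:
+matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}"
+when: matrix_mx_puppet_slack_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+matrix_synapse_container_extra_arguments: >
+{{ matrix_synapse_container_extra_arguments|default([]) }}
++
+["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"]
+
+matrix_synapse_app_service_config_files: >
+{{ matrix_synapse_app_service_config_files|default([]) }}
++
+{{ ["/matrix-mx-puppet-slack-registration.yaml"] }}
+when: matrix_mx_puppet_slack_enabled|bool
+
+- block:
+- name: Fail if matrix-nginx-proxy role already executed
+fail:
+msg: >-
+Trying to append Slack Appservice's reverse-proxying configuration to matrix-nginx-proxy,
+but it's pointless since the matrix-nginx-proxy role had already executed.
+To fix this, please change the order of roles in your plabook,
+so that the matrix-nginx-proxy role would run after the matrix-mx-puppet-slack role.
+when: matrix_nginx_proxy_role_executed|default(False)|bool
+
+- name: Generate Matrix MX Puppet Slack proxying configuration for matrix-nginx-proxy
+set_fact:
+matrix_mx_puppet_slack_matrix_nginx_proxy_configuration: |
+location {{ matrix_mx_puppet_slack_redirect_path }} {
+{% if matrix_nginx_proxy_enabled|default(False) %}
+{# Use the embedded DNS resolver in Docker containers to discover the service #}
+resolver 127.0.0.11 valid=5s;
+set $backend "{{ matrix_mx_puppet_slack_appservice_address }}";
+proxy_pass $backend;
+{% else %}
+{# Generic configuration for use outside of our container setup #}
+proxy_pass http://127.0.0.1:{{ matrix_mx_puppet_slack_appservice_port }};
+{% endif %}
+}
+
+- name: Register Slack Appservice proxying configuration with matrix-nginx-proxy
+set_fact:
+matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+{{
+matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
++
+[matrix_mx_puppet_slack_matrix_nginx_proxy_configuration]
+}}
+tags:
+- always
+when: matrix_mx_puppet_slack_enabled|bool
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+debug:
+msg: >-
+NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy
+reverse proxy.
+Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}`
+URL endpoint to the matrix-mx-puppet-slack container.
+You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
+when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
+
+# ansible lower than 2.8, does not support docker_image build parameters
+# for self buildig it is explicitly needed, so we rather fail here
+- name: Fail if running on Ansible lower than 2.8 and trying self building
+fail:
+msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
+when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build"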
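Review bot: The message in `Warn about reverse-proxying if matrix-nginx-proxy not used` names `matrix_appservice_slack_container_http_host_bind_port`, which belongs to the other Slack bridge role; this role's knob is `matrix_mx_puppet_slack_container_http_host_bind_port` (declared in its defaults), so an operator following the advice sets a variable that does nothing here. Change that line to `` You can expose the container's port using the `matrix_mx_puppet_slack_container_http_host_bind_port` variable. ``. The same file has `plabook`, `buildig` and `usa` typos in operator-facing text, and the two unnamed `set_fact` tasks at the top would benefit from `name:` lines like the rest.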

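--- /dev/null
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/main.yml
@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+tags:
+- always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool"
+tags:
+- setup-all
+- setup-mx-puppet-slack
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+when: "run_setup|bool and matrix_mx_puppet_slack_enabled|bool"
+tags:
+- setup-all
+- setup-mx-puppet-slack
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+when: "run_setup|bool and not matrix_mx_puppet_slack_enabled|bool"
+tags:
+- setup-all
+- setup-mx-puppet-slack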

+ 93
- 0
roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml

@@ -0,0 +1,93 @@
---

# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
# We don't want to fail in such cases.
- name: Fail if matrix-synapse role already executed
fail:
msg: >-
The matrix-bridge-mx-puppet-slack role needs to execute before the matrix-synapse role.
when: "matrix_synapse_role_executed|default(False)"

- name: Ensure MX Puppet Slack image is pulled
docker_image:
name: "{{ matrix_mx_puppet_slack_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_mx_puppet_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_docker_image_force_pull }}"
when: matrix_mx_puppet_slack_enabled|bool and not matrix_mx_puppet_slack_container_image_self_build

- name: Ensure MX Puppet Slack paths exist
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true }
- { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true }
- { path: "{{ matrix_mx_puppet_slack_data_path }}", when: true }
- { path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}", when: "{{ matrix_mx_puppet_slack_container_image_self_build }}" }
when: matrix_mx_puppet_slack_enabled|bool and item.when|bool

- name: Ensure MX Puppet Slack repository is present on self build
git:
repo: https://github.com/Sorunome/mx-puppet-slack.git
dest: "{{ matrix_mx_puppet_slack_docker_src_files_path }}"
force: "yes"
when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build"

- name: Ensure MX Puppet Slack Docker image is built
docker_image:
name: "{{ matrix_mx_puppet_slack_docker_image }}"
source: build
build:
dockerfile: Dockerfile
path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}"
pull: yes
when: "matrix_mx_puppet_slack_enabled|bool and matrix_mx_puppet_slack_container_image_self_build"

- name: Check if an old database file already exists
stat:
path: "{{ matrix_mx_puppet_slack_base_path }}/database.db"
register: matrix_mx_puppet_slack_stat_database

- name: (Data relocation) Ensure matrix-mx-puppet-slack.service is stopped
service:
name: matrix-mx-puppet-slack
state: stopped
daemon_reload: yes
failed_when: false
when: "matrix_mx_puppet_slack_stat_database.stat.exists"

- name: (Data relocation) Move mx-puppet-slack database file to ./data directory
command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db"
when: "matrix_mx_puppet_slack_stat_database.stat.exists"

- name: Ensure mx-puppet-slack config.yaml installed
copy:
content: "{{ matrix_mx_puppet_slack_configuration|to_nice_yaml }}"
dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure mx-puppet-slack slack-registration.yaml installed
copy:
content: "{{ matrix_mx_puppet_slack_registration|to_nice_yaml }}"
dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-mx-puppet-slack.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-mx-puppet-slack.service.j2"
dest: "/etc/systemd/system/matrix-mx-puppet-slack.service"
mode: 0644
register: matrix_mx_puppet_slack_systemd_service_result

- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service installation
service:
daemon_reload: yes
when: "matrix_mx_puppet_slack_systemd_service_result.changed"
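Review bot: The two `copy` tasks near the end install config.yaml and registration.yaml with `mode: 0644`, world-readable on the host, even though validate_config.yml in this same commit requires `matrix_mx_puppet_slack_appservice_token` and `matrix_mx_puppet_slack_homeserver_token`, which presumably end up in exactly these files. The container runs as the matrix user, so `mode: 0640` on both tasks is sufficient and matches the 0640/0400 this playbook uses for its other secret-bearing files (the email2matrix config.json and the synapse metrics htpasswd). The self-build `git` task has no `version:`, so a self-built image tracks whatever the upstream default branch happens to be at run time; pinning a tag or commit there would make builds reproducible. Minor style: `force: "yes"` and `pull: yes` would read better as `true`.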

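--- a/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/setup_uninstall.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Check existence of matrix-mx-puppet-slack service
+stat:
+path: "/etc/systemd/system/matrix-mx-puppet-slack.service"
+register: matrix_mx_puppet_slack_service_stat
+
+- name: Ensure matrix-mx-puppet-slack is stopped
+service:
+name: matrix-mx-puppet-slack
+state: stopped
+daemon_reload: yes
+when: "matrix_mx_puppet_slack_service_stat.stat.exists"
+
+- name: Ensure matrix-mx-puppet-slack.service doesn't exist
+file:
+path: "/etc/systemd/system/matrix-mx-puppet-slack.service"
+state: absent
+when: "matrix_mx_puppet_slack_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mx-puppet-slack.service removal
+service:
+daemon_reload: yes
+when: "matrix_mx_puppet_slack_service_stat.stat.exists"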

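--- a/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/validate_config.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Fail if required settings not defined
+fail:
+msg: >-
+You need to define a required configuration setting (`{{ item }}`).
+when: "vars[item] == ''"
+with_items:
+- "matrix_mx_puppet_slack_appservice_token"
+- "matrix_mx_puppet_slack_homeserver_token"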

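--- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
@@ -0,0 +1,44 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mx Puppet Slack server
+{% for service in matrix_mx_puppet_slack_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mx_puppet_slack_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack
+ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre=/bin/sleep 5
+
+ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \
+--log-driver=none \
+--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+--cap-drop=ALL \
+--network={{ matrix_docker_network }} \
+{% if matrix_mx_puppet_slack_container_http_host_bind_port %}
+-p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \
+{% endif %}
+-e CONFIG_PATH=/config/config.yaml \
+-e REGISTRATION_PATH=/config/registration.yaml \
+-v {{ matrix_mx_puppet_slack_config_path }}:/config:z \
+-v {{ matrix_mx_puppet_slack_data_path }}:/data:z \
+{% for arg in matrix_mx_puppet_slack_container_extra_arguments %}
+{{ arg }} \
+{% endfor %}
+{{ matrix_mx_puppet_slack_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack
+ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mx-puppet-slack
+
+[Install]
+WantedBy=multi-user.target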
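Review bot: The `-p` line inside the `{% if matrix_mx_puppet_slack_container_http_host_bind_port %}` block publishes the appservice listener on every host interface whenever the variable holds a bare port number, which exposes the bridge's appservice endpoint beyond the reverse proxy it is meant to sit behind. Docker's `-p` accepts `ip:hostPort:containerPort`, so the variable's documentation in defaults should state that a value of the form `127.0.0.1:<host-port>` restricts it to the loopback, or the template could prepend that address itself. The `ExecStartPre=/bin/sleep 5` is already explained by its comment, which is fine; just note that the required/wanted service lists above are what actually express the dependency.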

+ 2
- 2
roles/matrix-corporal/tasks/setup_corporal.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_corporal_config_dir_path }}"
- "{{ matrix_corporal_cache_dir_path }}"
@@ -31,7 +31,7 @@
dest: "{{ matrix_corporal_config_dir_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_corporal_enabled|bool

- name: Ensure matrix-corporal.service installed


+ 1
- 1
roles/matrix-coturn/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_coturn_enabled: true

matrix_coturn_container_image_self_build: false

matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

# The Docker network that Coturn would be put into.


+ 2
- 2
roles/matrix-coturn/tasks/setup_coturn.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: matrix_riot_web_enabled|bool and item.when
@@ -47,7 +47,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_coturn_enabled|bool
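Review bot: In the first hunk the unchanged line `when: matrix_riot_web_enabled|bool and item.when` gates the creation of coturn's self-build source directory on riot-web being enabled, which looks like a copy-paste from the riot-web role; the second hunk of this same file uses `matrix_coturn_enabled|bool`. Since this task is being touched anyway, `when: matrix_coturn_enabled|bool and item.when` would stop a coturn self-build from silently failing for anyone who disables riot-web. The task's opening lines are outside the hunk.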

- name: Ensure turnserver.conf installed


+ 3
- 1
roles/matrix-dimension/defaults/main.yml

@@ -32,6 +32,8 @@ matrix_dimension_integrations_rest_url: "https://{{ matrix_server_fqn_dimension
matrix_dimension_integrations_widgets_urls: ["https://{{ matrix_server_fqn_dimension }}/widgets"]
matrix_dimension_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"

matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048"

# Default Dimension configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
@@ -58,7 +60,7 @@ matrix_dimension_configuration_yaml: |
# The URL that Dimension should use when trying to communicate with federated APIs on
# the homeserver. If not supplied or left empty Dimension will try to resolve the address
# through the normal federation process.
federationUrl: "http://matrix-synapse:8048"
federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}"

# The URL that Dimension will redirect media requests to for downloading media such as
# stickers. If not supplied or left empty Dimension will use the clientServerUrl.
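Review bot: The new `matrix_dimension_homeserver_federationUrl` variable in the first hunk has no comment saying what it controls, and its camelCase suffix departs from the snake_case used by every other variable in this file (the same applies to `matrix_riot_web_permalinkPrefix` added in roles/matrix-riot-web/defaults/main.yml). A comment above it mirroring the template's own wording, e.g. `# The URL Dimension uses to reach the homeserver's federation API. Leave empty to resolve it through the normal federation process.`, would make the default understandable without reading the template. The name becomes public interface once released, so if it is to be snake_case this is the moment to change it.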


+ 0
- 8
roles/matrix-dimension/tasks/validate_config.yml

@@ -6,14 +6,6 @@
- "matrix_dimension_access_token"
when: "matrix_dimension_enabled and vars[item] == ''"

- name: Fail if Matrix Federation is disabled
fail:
msg: >-
You need to enable Matrix Federation to use Dimension. Set `{{ item }}` to 'true'.
with_items:
- "matrix_synapse_federation_enabled"
when: "matrix_dimension_enabled|bool and not matrix_synapse_federation_enabled|bool"

- name: (Deprecation) Catch and report renamed Dimension variables
fail:
msg: >-


+ 3
- 0
roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2

@@ -9,6 +9,9 @@ Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-dimension
ExecStartPre=-/usr/bin/docker rm matrix-dimension

# Fixup database ownership if it got changed somehow (during a server migration, etc.)
ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db

ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
--log-driver=none \
--user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \
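Review bot: The added `ExecStartPre=-/usr/bin/chown ... dimension.db` runs as root against a file that the container user writes to; `chown` follows symlinks by default, so if that path were ever replaced by a symlink, root would change the ownership of whatever it points at rather than the database. `chown -h` (`--no-dereference`) keeps the operation on the named path itself. A short comment noting that the leading `-` is deliberate, so a missing file on first start does not block the unit, would also help the next reader.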


+ 2
- 2
roles/matrix-email2matrix/tasks/setup_email2matrix.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_email2matrix_base_path }}"
- "{{ matrix_email2matrix_config_dir_path }}"
@@ -21,7 +21,7 @@
src: "{{ role_path }}/templates/config.json.j2"
dest: "{{ matrix_email2matrix_config_dir_path }}/config.json"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
when: matrix_email2matrix_enabled|bool



+ 27
- 4
roles/matrix-jitsi/defaults/main.yml

@@ -7,6 +7,28 @@ matrix_jitsi_enable_guests: false
matrix_jitsi_enable_recording: true
matrix_jitsi_enable_transcriptions: true

# Authentication type, must be one of internal, jwt or ldap. Currently only
# internal and ldap are supported by this playbook.
matrix_jitsi_auth_type: internal

# Configuration options for LDAP authentication. For details see upstream:
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
# Defaults are taken from:
# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf
matrix_jitsi_ldap_url: ""
matrix_jitsi_ldap_base: ""
matrix_jitsi_ldap_binddn: ""
matrix_jitsi_ldap_bindpw: ""
matrix_jitsi_ldap_filter: "uid=%u"
matrix_jitsi_ldap_auth_method: "bind"
matrix_jitsi_ldap_version: "3"
matrix_jitsi_ldap_use_tls: false
matrix_jitsi_ldap_tls_ciphers: ""
matrix_jitsi_ldap_tls_check_peer: false
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
matrix_jitsi_ldap_start_tls: false

matrix_jitsi_timezone: UTC

matrix_jitsi_xmpp_domain: matrix-jitsi-web
@@ -28,7 +50,7 @@ matrix_jitsi_jibri_recorder_user: recorder
matrix_jitsi_jibri_recorder_password: ''


matrix_jitsi_web_docker_image: "jitsi/web:4384"
matrix_jitsi_web_docker_image: "jitsi/web:stable-4548-1"
matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"

matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
@@ -74,11 +96,12 @@ matrix_jitsi_web_interface_config_show_powered_by: false
matrix_jitsi_web_interface_config_disable_transcription_subtitles: false
matrix_jisti_web_interface_config_show_deep_linking_image: false

matrix_jitsi_prosody_docker_image: "jitsi/prosody:4384"
matrix_jitsi_prosody_docker_image: "jitsi/prosody:stable-4548-1"
matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"

matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"

# A list of extra arguments to pass to the container
matrix_jitsi_prosody_container_extra_arguments: []
@@ -87,7 +110,7 @@ matrix_jitsi_prosody_container_extra_arguments: []
matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']


matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:4384"
matrix_jitsi_jicofo_docker_image: "jitsi/jicofo:stable-4548-1"
matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"

matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
@@ -104,7 +127,7 @@ matrix_jitsi_jicofo_auth_user: focus
matrix_jitsi_jicofo_auth_password: ''


matrix_jitsi_jvb_docker_image: "jitsi/jvb:4384"
matrix_jitsi_jvb_docker_image: "jitsi/jvb:stable-4548-1"
matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
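Review bot: `matrix_jitsi_ldap_tls_check_peer: false` together with `matrix_jitsi_ldap_use_tls: false` in the first hunk means that, out of the box, an LDAP bind (which presumably carries `matrix_jitsi_ldap_bindpw` and user credentials) runs either in the clear or over TLS without verifying the server's certificate. Matching the upstream saslauthd defaults is a reasonable starting point, but the consequence should be stated next to the variables, e.g. `# With this false the LDAP server's certificate is not verified; set to true for production deployments.`, and defaulting it to `true` whenever TLS is enabled would be the safer choice. The comment on `matrix_jitsi_auth_type` says the value must be internal, jwt or ldap, yet nothing in this diff validates it; if validate_config.yml does not already, a check there would fail more clearly than a misconfigured container.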


+ 1
- 1
roles/matrix-jitsi/tasks/setup_jitsi_base.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_base_path }}", when: true }
when: matrix_jitsi_enabled|bool and item.when


+ 1
- 1
roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true }
- { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true }


+ 1
- 1
roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_jvb_base_path }}", when: true }
- { path: "{{ matrix_jitsi_jvb_config_path }}", when: true }


+ 2
- 1
roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml

@@ -10,10 +10,11 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_prosody_base_path }}", when: true }
- { path: "{{ matrix_jitsi_prosody_config_path }}", when: true }
- { path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true }
when: matrix_jitsi_enabled|bool and item.when

- name: Ensure jitsi-prosody Docker image is pulled
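Review bot: The new `matrix_jitsi_prosody_plugins_path` item is created with the task's existing `mode: 0777`, i.e. world-writable, and this directory is bind-mounted into the prosody container as /prosody-plugins-custom by the service template changed in this same commit; if prosody loads modules from there, as the name suggests, any local account on the host could drop code that the container then runs. If 0777 is needed because the container runs under a different uid, a narrower mode with an explicit owner, or at least a comment explaining why it must be that wide, is preferable; the same 0777 appears in the web, jicofo and jvb hunks of this commit. The task's opening lines are outside the hunk.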


+ 1
- 1
roles/matrix-jitsi/tasks/setup_jitsi_web.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_web_base_path }}", when: true }
- { path: "{{ matrix_jitsi_web_config_path }}", when: true }


+ 15
- 1
roles/matrix-jitsi/templates/prosody/env.j2

@@ -1,8 +1,22 @@
AUTH_TYPE=internal
AUTH_TYPE={{ matrix_jitsi_auth_type }}

ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}

LDAP_URL={{ matrix_jitsi_ldap_url }}
LDAP_BASE={{ matrix_jitsi_ldap_base }}
LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
LDAP_VERSION={{ matrix_jitsi_ldap_version }}
LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}

XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
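Review bot: `LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}` now writes a credential into the prosody env file; the task that installs that file is not part of this diff, so it is worth confirming it uses a restrictive mode (0640 or tighter, as this playbook does for its other secret-bearing files) rather than the 0644 used for ordinary config. The `{{ 1 if … else 0 }}` conversions rely on the variables being real booleans: a quoted `"false"` is truthy in Jinja and would render as `1`, so the defaults should stay unquoted booleans (they are) and the docs for these options should say so.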


+ 1
- 0
roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2

@@ -16,6 +16,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \
--network={{ matrix_docker_network }} \
--env-file={{ matrix_jitsi_prosody_base_path }}/env \
-v {{ matrix_jitsi_prosody_config_path }}:/config \
-v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom \
{% for arg in matrix_jitsi_prosody_container_extra_arguments %}
{{ arg }} \
{% endfor %}
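Review bot: The added `-v {{ matrix_jitsi_prosody_plugins_path }}:/prosody-plugins-custom` mount is read-write; if the container only loads plugins from that path, appending `:ro` would keep a compromised container from rewriting its own plugin code. I cannot tell from this hunk whether the image writes to that directory, so confirm before changing it.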


+ 6
- 0
roles/matrix-ma1sd/defaults/main.yml

@@ -76,6 +76,10 @@ matrix_ma1sd_self_check_validate_certificates: true
# According to: https://github.com/ma1uta/ma1sd/blob/master/docs/troubleshooting.md#increase-verbosity
matrix_ma1sd_verbose_logging: false

# Setting up support for API prefixes
matrix_ma1sd_v1_enabled: true
matrix_ma1sd_v2_enabled: true

# Default ma1sd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
@@ -85,6 +89,8 @@ matrix_ma1sd_configuration_yaml: |
#jinja2: lstrip_blocks: True
matrix:
domain: {{ matrix_domain }}
v1: {{ matrix_ma1sd_v1_enabled|to_json }}
v2: {{ matrix_ma1sd_v2_enabled|to_json }}

server:
name: {{ matrix_server_fqn_matrix }}
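Review bot: The comment `# Setting up support for API prefixes` above the new `matrix_ma1sd_v1_enabled`/`matrix_ma1sd_v2_enabled` does not say what is being toggled. The second hunk shows they feed `matrix.v1`/`matrix.v2` in ma1sd's configuration, so something like `# Controls whether ma1sd serves the v1 and v2 Identity Service API endpoints (matrix.v1 / matrix.v2 in ma1sd's config).` would make the effect clear to someone editing vars.yml.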


+ 3
- 3
roles/matrix-ma1sd/tasks/setup_ma1sd.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_ma1sd_config_path }}", when: true }
- { path: "{{ matrix_ma1sd_data_path }}", when: true }
@@ -69,7 +69,7 @@
dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_ma1sd_enabled|bool

- name: Ensure custom templates are installed if any
@@ -78,7 +78,7 @@
dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}


+ 1
- 1
roles/matrix-mailer/tasks/setup_mailer.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_mailer_enabled|bool

- name: Ensure mailer environment variables file created


+ 1
- 1
roles/matrix-nginx-proxy/defaults/main.yml

@@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []

# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.3.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~


+ 4
- 4
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -16,7 +16,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_nginx_proxy_base_path }}"
- "{{ matrix_nginx_proxy_data_path }}"
@@ -34,7 +34,7 @@
src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0400
when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"

@@ -79,7 +79,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_nginx_proxy_base_domain_serving_enabled|bool

- name: Ensure Matrix nginx-proxy homepage for base domain exists
@@ -88,7 +88,7 @@
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool

- name: Ensure Matrix nginx-proxy configuration for base domain exists


+ 2
- 2
roles/matrix-nginx-proxy/tasks/setup_well_known.yml

@@ -11,7 +11,7 @@
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_static_files_base_path }}/.well-known/matrix"

@@ -21,4 +21,4 @@
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

+ 1
- 1
roles/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -14,7 +14,7 @@
state: directory
mode: 0770
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: true
with_items:
- "{{ matrix_ssl_log_dir_path }}"


+ 1
- 1
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml

@@ -17,7 +17,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"

# The proper way to do this is by using a sequence of


+ 4
- 4
roles/matrix-postgres/defaults/main.yml

@@ -8,10 +8,10 @@ matrix_postgres_db_name: ""
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"

matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine"
matrix_postgres_docker_image_v10: "postgres:10.12-alpine"
matrix_postgres_docker_image_v11: "postgres:11.7-alpine"
matrix_postgres_docker_image_v12: "postgres:12.2-alpine"
matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine"
matrix_postgres_docker_image_v10: "postgres:10.13-alpine"
matrix_postgres_docker_image_v11: "postgres:11.8-alpine"
matrix_postgres_docker_image_v12: "postgres:12.3-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"

# This variable is assigned at runtime. Overriding its value has no effect.


+ 1
- 2
roles/matrix-postgres/tasks/import_sqlite_db.yml

@@ -50,7 +50,7 @@
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-postgres is started
service:
@@ -79,7 +79,6 @@
--network={{ matrix_docker_network }}
--entrypoint=python
-v {{ matrix_synapse_config_dir_path }}:/data
-v {{ matrix_synapse_run_path }}:/matrix-run
-v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro
{{ matrix_synapse_docker_image }}
/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml

+ 1
- 1
roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml

@@ -46,7 +46,7 @@
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "result_pg_old_data_dir_stat.stat.exists"

- block:


+ 8
- 1
roles/matrix-postgres/tasks/run_synapse_janitor.yml

@@ -7,6 +7,13 @@
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot run synapse-janitor."
when: "not matrix_postgres_enabled|bool"

- name: Fail if not aware of the risks
fail:
msg: >-
Using Synapse Janitor is considered dangerous and may break your database.
See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/465.
If you'd like to run it anyway, add `--extra-vars='i_know_synapse_janitor_is_dangerous=1'` to your command.
when: "i_know_synapse_janitor_is_dangerous|default('') == ''"

# Defaults

@@ -35,7 +42,7 @@
force: true
mode: 0550
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- name: Ensure matrix-postgres is started
service:


+ 2
- 2
roles/matrix-postgres/tasks/setup_postgres.yml

@@ -38,7 +38,7 @@
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_postgres_base_path }}"
- "{{ matrix_postgres_data_path }}"
@@ -52,7 +52,7 @@
path: "{{ matrix_postgres_data_path }}"
state: directory
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: yes
when: matrix_postgres_enabled|bool



+ 5
- 1
roles/matrix-riot-web/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_riot_web_enabled: true

matrix_riot_web_container_image_self_build: false

matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15"
matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.2"
matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"

matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
@@ -29,6 +29,7 @@ matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
matrix_riot_web_integrations_rest_url: "https://scalar.vector.im/api"
matrix_riot_web_integrations_widgets_urls: ["https://scalar.vector.im/api"]
matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/widgets/jitsi.html"
matrix_riot_web_permalinkPrefix: "https://matrix.to"
# Riot public room directory server(s)
matrix_riot_web_roomdir_servers: ['matrix.org']
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
@@ -75,6 +76,9 @@ matrix_riot_web_enable_presence_by_hs_url: ~
matrix_riot_web_themes_enabled: false
matrix_riot_web_themes_repository_url: https://github.com/aaronraimist/riot-web-themes

# Controls the default riot-web theme
matrix_riot_web_default_theme: 'light'

# Controls the `settingsDefault.custom_themes` setting of the riot-web configuration.
# You can use this setting to define custom themes.
#


+ 3
- 3
roles/matrix-riot-web/tasks/setup_riot_web.yml

@@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_riot_web_data_path }}", when: true }
- { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" }
@@ -48,7 +48,7 @@
dest: "{{ matrix_riot_web_data_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_riot_web_enabled|bool

- name: Ensure Matrix riot-web config files installed
@@ -57,7 +57,7 @@
dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"}


+ 2
- 0
roles/matrix-riot-web/templates/config.json.j2

@@ -11,6 +11,8 @@
"settingDefaults": {
"custom_themes": {{ matrix_riot_web_settingDefaults_custom_themes|to_json }}
},
"default_theme": {{ matrix_riot_web_default_theme|string|to_json }},
"permalinkPrefix": {{ matrix_riot_web_permalinkPrefix|string|to_json }},
"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }},
"disable_guests": {{ matrix_riot_web_disable_guests|to_json }},
"brand": {{ matrix_riot_web_brand|to_json }},


+ 1
- 0
roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2

@@ -24,6 +24,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
-v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
-v /dev/null:/etc/nginx/conf.d/default.conf:ro \
-v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \
-v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \
{% if matrix_riot_web_embedded_pages_home_path is not none %}
-v {{ matrix_riot_web_data_path }}/home.html:/app/home.html:ro \
{% endif %}


+ 6
- 2
roles/matrix-synapse/defaults/main.yml

@@ -5,13 +5,12 @@ matrix_synapse_enabled: true

matrix_synapse_container_image_self_build: false

matrix_synapse_docker_image: "matrixdotorg/synapse:v1.12.3"
matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
@@ -137,6 +136,11 @@ matrix_synapse_tls_federation_listener_enabled: true
matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt"
matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key"

# Resource names used by the unsecure HTTP listener. Here only the Client API
# is defined, see the homeserver config for a full list of valid resource
# names.
matrix_synapse_http_listener_resource_names: ["client"]

# Enable this to allow Synapse to report utilization statistics about your server to matrix.org
# (things like number of users, number of messages sent, uptime, load, etc.)
matrix_synapse_report_stats: false


+ 1
- 1
roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml

@@ -12,7 +12,7 @@
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- set_fact:
matrix_synapse_password_providers_enabled: true


+ 1
- 1
roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml

@@ -12,7 +12,7 @@
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

- set_fact:
matrix_synapse_password_providers_enabled: true


+ 2
- 2
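--- a/roles/matrix-synapse/tasks/goofys/setup_install.yml
+++ b/roles/matrix-synapse/tasks/goofys/setup_install.yml
@@ -17,8 +17,8 @@
 path: "{{ matrix_synapse_media_store_path }}"
 state: directory
 mode: 0750
-owner: "{{ matrix_user_uid }}"
-group: "{{ matrix_user_gid }}"
+owner: "{{ matrix_user_username }}"
+group: "{{ matrix_user_groupname }}"
 when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists"
 
 - name: Ensure goofys environment variables file created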


+ 1
- 1
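--- a/roles/matrix-synapse/tasks/import_media_store.yml
+++ b/roles/matrix-synapse/tasks/import_media_store.yml
@@ -66,7 +66,7 @@
 file:
 path: "{{ matrix_synapse_media_store_path }}"
 owner: "{{ matrix_user_username }}"
-group: "{{ matrix_user_username }}"
+group: "{{ matrix_user_groupname }}"
 recurse: yes
 when: "not matrix_s3_media_store_enabled|bool"
 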


+ 1
- 1
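--- a/roles/matrix-synapse/tasks/register_user.yml
+++ b/roles/matrix-synapse/tasks/register_user.yml
@@ -28,4 +28,4 @@
 when: "start_result.changed"
 
 - name: Register user
-shell: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username }} {{ password }} {{ '1' if admin == 'yes' else '0' }}"
+command: "{{ matrix_local_bin_path }}/matrix-synapse-register-user {{ username|quote }} {{ password|quote }} {{ '1' if admin == 'yes' else '0' }}"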
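Review bot: The switch to `command:` with `|quote` stops shell interpretation of `username` and `password`, but the plaintext password is still passed as a command-line argument, so it remains readable in the host process list for the duration of the call and is echoed in Ansible's task output and logs at higher verbosity. Add `no_log: true` to the "Register user" task so the rendered command is not logged; the same applies to both tasks in roles/matrix-synapse/tasks/update_user_password.yml, where `register: password_hash` additionally stores the full command line alongside the result. The `admin == 'yes'` comparison also only matches the literal string, so a boolean passed via extra-vars would silently register a non-admin; documenting the expected `admin=yes` form in the task name or a comment would help. The play that contains this task starts outside the hunk.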

+ 1
- 2
roles/matrix-synapse/tasks/setup_synapse.yml

@@ -6,10 +6,9 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_synapse_config_dir_path }}", when: true }
- { path: "{{ matrix_synapse_run_path }}", when: true }
- { path: "{{ matrix_synapse_ext_path }}", when: true }
- { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" }
# We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml),


+ 2
- 2
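--- a/roles/matrix-synapse/tasks/synapse/setup_install.yml
+++ b/roles/matrix-synapse/tasks/synapse/setup_install.yml
@@ -15,7 +15,7 @@
 state: directory
 mode: 0750
 owner: "{{ matrix_user_username }}"
-group: "{{ matrix_user_username }}"
+group: "{{ matrix_user_groupname }}"
 when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
 
 - name: Ensure Synapse repository is present on self-build
@@ -79,7 +79,7 @@
 dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
 mode: 0644
 owner: "{{ matrix_user_username }}"
-group: "{{ matrix_user_username }}"
+group: "{{ matrix_user_groupname }}"
 
 - name: Ensure Synapse log config installed
 template: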


+ 2
- 2
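--- a/roles/matrix-synapse/tasks/update_user_password.yml
+++ b/roles/matrix-synapse/tasks/update_user_password.yml
@@ -36,8 +36,8 @@
 when: "start_result.changed or postgres_start_result.changed"
 
 - name: Generate password hash
-shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password }}"
+shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"
 register: password_hash
 
 - name: Update user password hash
-shell: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username }} '{{ password_hash.stdout }}'"
+command: "{{ matrix_local_bin_path }}/matrix-postgres-update-user-password-hash {{ username|quote }} {{ password_hash.stdout|quote }}"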
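Review bot: The two tasks are now inconsistent: "Update user password hash" was moved from `shell:` to `command:`, but "Generate password hash" keeps `shell:` even though its docker exec line has no shell features and `|quote` produces shell-style quoting that `command:` would handle the same way. Use `command:` for the first task as well so both benefit from the same no-shell argument handling, i.e. `command: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"`. If `shell:` is kept deliberately, a one-line comment stating why would prevent the next reader from "fixing" it.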

+ 123
- 45
roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -20,10 +20,15 @@ server_name: "{{ matrix_domain }}"
#
pid_file: /homeserver.pid

# The path to the web client which will be served at /_matrix/client/
# if 'webclient' is configured under the 'listeners' configuration.
# The absolute URL to the web client which /_matrix/client will redirect
# to if 'webclient' is configured under the 'listeners' configuration.
#
#web_client_location: "/path/to/web/root"
# This option can be also set to the filesystem path to the web client
# which will be served at /_matrix/client/ if 'webclient' is configured
# under the 'listeners' configuration, however this is a security risk:
# https://github.com/matrix-org/synapse#security-note
#
#web_client_location: https://riot.example.com/

# The public-facing base URL that clients use to access this HS
# (not including _matrix/...). This is the same URL a user would
@@ -226,7 +231,7 @@ listeners:
x_forwarded: true

resources:
- names: [client]
- names: {{ matrix_synapse_http_listener_resource_names|to_json }}
compress: false

{% if matrix_synapse_federation_enabled %}
@@ -252,6 +257,19 @@ listeners:
{% endif %}


# Forward extremities can build up in a room due to networking delays between
# homeservers. Once this happens in a large room, calculation of the state of
# that room can become quite expensive. To mitigate this, once the number of
# forward extremities reaches a given threshold, Synapse will send an
# org.matrix.dummy_event event, which will reduce the forward extremities
# in the room.
#
# This setting defines the threshold (i.e. number of forward extremities in the
# room) at which dummy events are sent. The default value is 10.
#
#dummy_events_threshold: 5


## Homeserver blocking ##

# How to reach the server admin, used in ResourceLimitError
@@ -410,6 +428,16 @@ retention:
# longest_max_lifetime: 1y
# interval: 1d

# Inhibits the /requestToken endpoints from returning an error that might leak
# information about whether an e-mail address is in use or not on this
# homeserver.
# Note that for some endpoints the error situation is the e-mail already being
# used, and for others the error is entering the e-mail being unused.
# If this option is enabled, instead of returning an error, these endpoints will
# act as if no error happened and return a fake session ID ('sid') to clients.
#
#request_token_inhibit_3pid_errors: true


## TLS ##

@@ -706,20 +734,15 @@ media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_dire
#
#media_storage_providers:
# - module: file_system
# # Whether to write new local files.
# # Whether to store newly uploaded local files
# store_local: false
# # Whether to write new remote media
# # Whether to store newly downloaded remote files
# store_remote: false
# # Whether to block upload requests waiting for write to this
# # provider to complete
# # Whether to wait for successful storage for local uploads
# store_synchronous: false
# config:
# directory: /mnt/some/other/directory

# Directory where in-progress uploads are stored.
#
uploads_path: "/matrix-run/uploads"

# The largest allowed upload size in bytes
#
max_upload_size: "{{ matrix_synapse_max_upload_size_mb }}M"
@@ -834,6 +857,31 @@ url_preview_ip_range_blacklist:
#
max_spider_size: 10M

# A list of values for the Accept-Language HTTP header used when
# downloading webpages during URL preview generation. This allows
# Synapse to specify the preferred languages that URL previews should
# be in when communicating with remote servers.
#
# Each value is a IETF language tag; a 2-3 letter identifier for a
# language, optionally followed by subtags separated by '-', specifying
# a country or region variant.
#
# Multiple values can be provided, and a weight can be added to each by
# using quality value syntax (;q=). '*' translates to any language.
#
# Defaults to "en".
#
# Example:
#
# url_preview_accept_language:
# - en-UK
# - en-US;q=0.9
# - fr;q=0.8
# - *;q=0.7
#
url_preview_accept_language:
# - en


## Captcha ##
# See docs/CAPTCHA_SETUP for full details of configuring this.
@@ -852,10 +900,6 @@ max_spider_size: 10M
#
#enable_registration_captcha: false

# A secret key used to bypass the captcha test entirely.
#
#captcha_bypass_secret: "YOUR_SECRET_HERE"

# The API endpoint to use for verifying m.login.recaptcha responses.
#
#recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"
@@ -1066,6 +1110,29 @@ account_threepid_delegates:
email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}

# Whether users are allowed to change their displayname after it has
# been initially set. Useful when provisioning users based on the
# contents of a third-party directory.
#
# Does not apply to server administrators. Defaults to 'true'
#
#enable_set_displayname: false

# Whether users are allowed to change their avatar after it has been
# initially set. Useful when provisioning users based on the contents
# of a third-party directory.
#
# Does not apply to server administrators. Defaults to 'true'
#
#enable_set_avatar_url: false

# Whether users can change the 3PIDs associated with their accounts
# (email address and msisdn).
#
# Defaults to 'true'
#
#enable_3pid_changes: false

# Users who register on this homeserver will automatically be joined
# to these rooms
#
@@ -1108,7 +1175,7 @@ sentry:
# enabled by default, either for performance reasons or limited use.
#
metrics_flags:
# Publish synapse_federation_known_servers, a g auge of the number of
# Publish synapse_federation_known_servers, a gauge of the number of
# servers this homeserver knows about, including itself. May cause
# performance problems on large homeservers.
#
@@ -1272,32 +1339,32 @@ saml2_config:
# remote:
# - url: https://our_idp/metadata.xml
#
# # By default, the user has to go to our login page first. If you'd like
# # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
# # 'service.sp' section:
# #
# #service:
# # sp:
# # allow_unsolicited: true
#
# # The examples below are just used to generate our metadata xml, and you
# # may well not need them, depending on your setup. Alternatively you
# # may need a whole lot more detail - see the pysaml2 docs!
#
# description: ["My awesome SP", "en"]
# name: ["Test SP", "en"]
#
# organization:
# name: Example com
# display_name:
# - ["Example co", "en"]
# url: "http://example.com"
#
# contact_person:
# - given_name: Bob
# sur_name: "the Sysadmin"
# email_address": ["admin@example.com"]
# contact_type": technical
# # By default, the user has to go to our login page first. If you'd like
# # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
# # 'service.sp' section:
# #
# #service:
# # sp:
# # allow_unsolicited: true
#
# # The examples below are just used to generate our metadata xml, and you
# # may well not need them, depending on your setup. Alternatively you
# # may need a whole lot more detail - see the pysaml2 docs!
#
# description: ["My awesome SP", "en"]
# name: ["Test SP", "en"]
#
# organization:
# name: Example com
# display_name:
# - ["Example co", "en"]
# url: "http://example.com"
#
# contact_person:
# - given_name: Bob
# sur_name: "the Sysadmin"
# email_address": ["admin@example.com"]
# contact_type": technical

# Instead of putting the config inline as above, you can specify a
# separate pysaml2 configuration file:
@@ -1532,8 +1599,19 @@ email:
#template_dir: "res/templates"
{% endif %}


#password_providers:
# Password providers allow homeserver administrators to integrate
# their Synapse installation with existing authentication methods
# ex. LDAP, external tokens, etc.
#
# For more information and known implementations, please see
# https://github.com/matrix-org/synapse/blob/master/docs/password_auth_providers.md
#
# Note: instances wishing to use SAML or CAS authentication should
# instead use the `saml2_config` or `cas_config` options,
# respectively.
#
# password_providers:
# # Example config for an LDAP auth provider
# - module: "ldap_auth_provider.LdapAuthProvider"
# config:
# enabled: true
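Review bot: The new `url_preview_accept_language:` line is a bare key whose only list item is commented out, so the rendered homeserver.yaml parses that key as null rather than as a list; Synapse presumably falls back to its documented default of "en" on a missing value, but an explicitly present null key reads as a deliberate empty setting and is the kind of value a schema validator rejects. Either comment the key out like the surrounding examples (`#url_preview_accept_language:`) or render a real list from a playbook variable with `|to_json`, the way `matrix_synapse_http_listener_resource_names` is rendered earlier in this file. Separately, `request_token_inhibit_3pid_errors` is introduced only as a commented example; since enabling it is what stops the /requestToken endpoints from revealing whether an e-mail address is registered, exposing it as a playbook variable would let operators turn it on without editing the template.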


+ 0
- 1
roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -45,7 +45,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
-p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \
{% endif %}
-v {{ matrix_synapse_config_dir_path }}:/data:ro \
-v {{ matrix_synapse_run_path }}:/matrix-run:rw \
-v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \
{% for volume in matrix_synapse_container_additional_volumes %}
-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \


+ 1
- 0
setup.yml

@@ -17,6 +17,7 @@
- matrix-bridge-mautrix-telegram
- matrix-bridge-mautrix-whatsapp
- matrix-bridge-mx-puppet-skype
- matrix-bridge-mx-puppet-slack
- matrix-synapse
- matrix-riot-web
- matrix-jitsi

