From 38b40242c4eeeef473e05d27802f5dd3b51c5d68 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 16 Sep 2025 13:29:34 +0100 Subject: [PATCH 1/5] element web v1.11.112 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 800394d8e..f8e8517cf 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.11.111 +matrix_client_element_version: v1.11.112 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From d8eed6bfd3c2d4dd86be30baf28b9678159782bc Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 16 Sep 2025 18:17:35 +0300 Subject: [PATCH 2/5] Add some variables for controlling `x_forwarded` settings for Synapse listeners --- roles/custom/matrix-synapse/defaults/main.yml | 16 ++++++++++++++++ .../templates/synapse/homeserver.yaml.j2 | 6 +++--- .../templates/synapse/worker.yaml.j2 | 2 +- 3 files changed, 20 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 7fa79d97e..4b2681ec1 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -135,10 +135,22 @@ matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_stor matrix_synapse_container_client_api_port: 8008 +# Controls the `x_forwarded` setting for the "Insecure HTTP listener (Client API)". +# We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS). +matrix_synapse_container_client_api_x_forwarded: true + matrix_synapse_container_federation_api_tls_port: 8448 +# Controls the `x_forwarded` setting for the "TLS-enabled federation listener". +# We default this to `false`, because TLS-enabled listeners are likely to be exposed directly (instead of being behind a reverse-proxy). +matrix_synapse_container_federation_api_tls_x_forwarded: false + matrix_synapse_container_federation_api_plain_port: 8048 +# Controls the `x_forwarded` setting for the "Insecure federation listener". +# We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS). +matrix_synapse_container_federation_api_plain_x_forwarded: true + # The base container network. It will be auto-created by this role if it doesn't exist already. matrix_synapse_container_network: '' @@ -838,6 +850,10 @@ matrix_synapse_manhole_enabled: false # Enable support for Synapse workers matrix_synapse_workers_enabled: false +# Controls the `x_forwarded` setting for the main `http` listener for Synapse workers. +# We default this to `true`, because such insecure HTTP listeners are most likely behind a reverse-proxy (that handles TLS). +matrix_synapse_worker_listeners_http_main_x_forwarded: true + # Specifies worker configuration that should be used when workers are enabled. # # The possible values (as seen in `matrix_synapse_workers_presets`) are: diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index 0eb99c29c..50a52d3bb 100644 
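Review bot: The comments on the three new `x_forwarded` defaults in this hunk explain why each default was chosen but not what an operator risks by changing it, and the same gap applies to `matrix_synapse_worker_listeners_http_main_x_forwarded` in the second hunk of this file. With `x_forwarded: true` Synapse takes the client address from the `X-Forwarded-For` header, so if clients can reach the listener without passing through a trusted reverse-proxy, the address used for rate limiting and IP logs is whatever the client sends. I would add a line to each `true` default such as `# Only keep this enabled if the listener is reachable solely through a trusted reverse-proxy; otherwise clients can supply their own source IP via X-Forwarded-For.` For `matrix_synapse_container_federation_api_tls_x_forwarded` the converse is worth stating: `# Set this to true if you do place this listener behind a reverse-proxy, or every request will appear to come from the proxy's address.`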
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 @@ -298,7 +298,7 @@ listeners: tls: true bind_addresses: ['::'] type: http - x_forwarded: false + x_forwarded: {{ matrix_synapse_container_federation_api_tls_x_forwarded | to_json }} resources: - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} @@ -311,7 +311,7 @@ listeners: tls: false bind_addresses: ['::'] type: http - x_forwarded: true + x_forwarded: {{ matrix_synapse_container_client_api_x_forwarded | to_json }} resources: - names: {{ matrix_synapse_http_listener_resource_names|to_json }} @@ -324,7 +324,7 @@ listeners: tls: false bind_addresses: ['::'] type: http - x_forwarded: true + x_forwarded: {{ matrix_synapse_container_federation_api_plain_x_forwarded | to_json }} resources: - names: {{ matrix_synapse_federation_listener_resource_names|to_json }} diff --git a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 index a8f74b3bc..437b84a36 100644 --- a/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/worker.yaml.j2 @@ -46,7 +46,7 @@ worker_listeners: {% if http_resources|length > 0 %} - type: http bind_addresses: ['::'] - x_forwarded: true + x_forwarded: {{ matrix_synapse_worker_listeners_http_main_x_forwarded | to_json }} port: {{ matrix_synapse_worker_details.port }} resources: - names: {{ http_resources|to_json }} From 910cdf8a0ac29d0f7dd0429fe96e05948d27c029 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Sep 2025 21:19:04 +0000 Subject: [PATCH 3/5] Update ansible/ansible-lint action to v25.9.0 --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 219b0debf..e28a7adac 100644 
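Review bot: `| to_json` emits whatever type the variable holds, so a value that arrives as a string (for example `-e matrix_synapse_container_client_api_x_forwarded=false` on the command line) would render as `x_forwarded: "false"` rather than a YAML boolean. How Synapse treats a non-boolean here is not visible from the hunk, but a non-empty string is commonly truthy, which would leave `X-Forwarded-For` trust enabled on a listener where the operator meant to switch it off. Coercing first removes the ambiguity: `x_forwarded: {{ matrix_synapse_container_client_api_x_forwarded | bool | to_json }}`. The same applies to the other two listeners changed in `homeserver.yaml.j2` and to `matrix_synapse_worker_listeners_http_main_x_forwarded` in `worker.yaml.j2`; each listener entry starts outside its hunk.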
--- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v5 - name: Run ansible-lint - uses: ansible/ansible-lint@v25.8.2 + uses: ansible/ansible-lint@v25.9.0 with: args: "roles/custom" setup_python: "true" From 84bde915c77912a28e117e7306f796f6468ef9da Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Sep 2025 16:45:12 +0000 Subject: [PATCH 4/5] Update dock.mau.dev/mautrix/signal Docker tag to v0.8.7 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index e4a77a5ed..d41f69efd 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/ matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal -matrix_mautrix_signal_version: v0.8.6 +matrix_mautrix_signal_version: v0.8.7 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}" From c2e606095c25d58f15d98a4bcbfdd0827955eaf6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Sep 2025 16:45:16 +0000 Subject: [PATCH 5/5] Update dock.mau.dev/mautrix/whatsapp Docker tag to v0.12.5 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index 1d9609c08..c8ad09c33 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp -matrix_mautrix_whatsapp_version: v0.12.4 +matrix_mautrix_whatsapp_version: v0.12.5 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"