Merge branch 'spantaleev:master' into master

CHANGELOG.md

@@ -1,3 +1,107 @@
+# 2024-07-06
+
+## matrix-alertmanager-receiver support
+
+For those wishing to more easily integrate [Prometheus](https://prometheus.io/)' alerting service ([Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/)) with Matrix, the playbook can now set up [matrix-alertmanager-receiver](https://github.com/metio/matrix-alertmanager-receiver).
+
+See [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](./docs/configuring-playbook-alertmanager-receiver.md) for more details.
+
+
+## Traefik v3 and HTTP/3 are here now
+
+**TLDR**: Traefik was migrated from v2 to v3. Minor changes were done to the playbook. Mostly everything else worked out of the box. Most people will not have to do any tweaks to their configuration. In addition, [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) support is now auto-enabled for the `web-secure` (port 443) and `matrix-federation` (port `8448`) entrypoints. If you have a firewall in front of your server and you wish to benefit from `HTTP3`, you will need to open the `443` and `8448` UDP ports in it.
+
+### Traefik v3
+
+The reverse-proxy that the playbook uses by default (Traefik) has recently been upgraded to v3 (see [this blog post](https://traefik.io/blog/announcing-traefik-proxy-v3-rc/) to learn about its new features). Version 3 includes some small breaking configuration changes requiring a [migration](https://doc.traefik.io/traefik/migration/v2-to-v3/).
+
+We have **updated the playbook to Traefik v3** (make sure to run `just roles` / `make roles` to get it).
+
+There were **only minor playbook changes required** to adapt to Traefik v3, and only to the Ansible role for [matrix-media-repo](./docs/configuring-playbook-matrix-media-repo.md) where we changed a few [`PathPrefix` instances to `PathRegexp`](https://doc.traefik.io/traefik/routing/routers/#path-pathprefix-and-pathregexp), because these instances were using a regular expression instead of a fixed path. For fixed-path values, `PathPrefix` is still the preferred matcher function to use.
+
+**Most people using the playbook should not have to do any changes**.
+
+If you're using the playbook's Traefik instance to reverse-proxy to some other services of your own (not managed by the playbook), you may wish to review their Traefik labels and make sure they're in line with the [Traefik v2 to v3 migration guide](https://doc.traefik.io/traefik/migration/v2-to-v3/).
+
+If you've tweaked any of this playbook's `_path_prefix` variables and made them use a regular expression, you will now need to make additional adjustments. The playbook makes extensive use of `PathPrefix()` matchers in Traefik rules and `PathPrefix` does not support regular expressions anymore. To work around it, you may now need to override a whole `_traefik_rule` variable and switch it from [`PathPrefix` to `PathRegexp`](https://doc.traefik.io/traefik/routing/routers/#path-pathprefix-and-pathregexp).
+
+If you're not using [matrix-media-repo](./docs/configuring-playbook-matrix-media-repo.md) (the only role we had to tweak to adapt it to Traefik v3), you **may potentially downgrade to Traefik v2** (if necessary) by adding `devture_traefik_verison: v2.11.4` to your configuration. People using `matrix-media-repo` cannot downgrade this way, because `matrix-media-repo` has been adjusted to use `PathRegexp` - a [routing matcher](https://doc.traefik.io/traefik/v2.11/routing/routers/#rule) that Traefik v2 does not understand.
+
+
+### HTTP/3 is enabled by default
+
+In Traefik v3, [HTTP/3](https://en.wikipedia.org/wiki/HTTP/3) support is no longer considered experimental now.
+Due to this, **the playbook auto-enables HTTP3** for the `web-secure` (port 443) and `matrix-federation` (port `8448`) entrypoints.
+
+HTTP3 uses the UDP protocol and **the playbook (together with Docker) will make sure that the appropriate ports** (`443` over UDP & `8448` over UDP) **are exposed and whitelisted in your server's firewall**. However, **if you have another firewall in front of your server** (as is the case for many cloud providers), **you will need to manually open these UDP ports**.
+
+If you do not open the UDP ports correctly or there is some other issue, clients (browsers, mostly) will fall-back to [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2) or even [HTTP/1.1](https://en.wikipedia.org/wiki/HTTP).
+
+Still, if HTTP/3 cannot function correctly in your setup, it's best to disable advertising support for it (and misleading clients into trying to use HTTP/3).
+
+To **disable HTTP/3**, you can use the following configuration:
+
+```yml
+devture_traefik_config_entrypoint_web_secure_http3_enabled: false
+
+# Disabling HTTP/3 for the web-secure entrypoint (above),
+# automatically disables it for the Matrix Federation entrypoint as well,
+# so you do not necessarily need the configuration line below.
+#
+# Feel free to only keep it around if you're keeping HTTP/3 enabled for web-secure (by removing the line above),
+# and would only like to disable HTTP/3 for the Matrix Federation entrypoint.
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false
+```
+
+If you are using [your own webserver](./docs/configuring-playbook-own-webserver.md) (in front of Traefik), port binding on UDP port `8448` by default due to HTTP/3 is either unnecessary or [may get in the way](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3402). If it does, you can disable it:
+
+```yml
+# Disable HTTP/3 for the federation entrypoint.
+# If you'd like HTTP/3, consider configuring it for your other reverse-proxy.
+#
+# Disabling this also sets `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to an empty value.
+# If you'd like to keep HTTP/3 enabled here (for whatever reason), you may wish to explicitly
+# set `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to something like '127.0.0.1:8449'.
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false
+```
+
+
+# 2024-07-01
+
+## synapse-admin is now restricted to your homeserver's URL by default
+
+A new feature introduced in synapse-admin [v0.10.0](https://github.com/Awesome-Technologies/synapse-admin/releases/tag/0.10.0) (released and supported by the playbook since a a few months ago) provides the ability to [restrict its usage to a specific homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) (or multiple homeservers).
+
+The playbook has just started making use of this feature. **From now on, your synapse-admin instance will be restricted to the homeserver you're managing via the playbook**. When configured like this, the *Homeserver URL* field in synapse-admin's web UI changes from a text field to a dropdown having a single value (the URL of your homeserver). This makes usage simpler for most people, as they won't need to manually enter a *Homeserver URL* anymore.
+
+If you'd like **to go back to the old unrestricted behavior**, use the following configuration:
+
+```yml
+# Use this configuration to allow synapse-admin to manage any homeserver instance.
+matrix_synapse_admin_config_restrictBaseUrl: []
+```
+
+
+# 2024-06-25
+
+## The URL-prefix for Hookshot generic webhooks has changed
+
+Until now, generic Hookshot webhook URLs looked like this: `https://matrix.DOMAIN/hookshot/webhooks/:hookId`.
+
+The `/hookshot/webhooks` common prefix gets stripped by Traefik automatically, so Hookshot only sees the part that comes after (`/:hookId`).
+
+[A few years ago](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1681), Hookshot started to prefer to handle webhooks at a `/webhook/:hookId` path (instead of directly at `/:hookId`).
+
+To avoid future problems, we've [reconfigured](https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/4704a60718946fd469aeee7fc3ae8127c633bb6b) our Hookshot configuration to use webhook URLs that include `/webhook` in the URL suffix (e.g. `/hookshot/webhooks/webhook/:hookId`, instead of `/hookshot/webhooks/:hookId`). This means that when we strip the common prefi (`/hookshot/webhooks`), we'll end up sending `/webhook/:hookId` to Hookshot, just like recommended.
+
+When generating new webhooks, you should start seeing the new URLs being used.
+
+**For now**, **both** old URLs (`/hookshot/webhooks/:hookId`) and new URLs (`/hookshot/webhooks/webhook/:hookId`) **continue to work***, so your webhooks will not break just yet.
+
+However, **we recommend that you update all your old webhook URLs** (configured in other systems) to include the new `/webhook` path component, so that future Hookshot changes (whenever they come) will not break your webhooks. You don't need to do anything on the Hookshot side - you merely need to reconfigure the remote systems that use your webhook URLs.
+
+
+
 # 2024-06-22
 
 ## The maubot user is now managed by the playbook

docs/ansible.md

@@ -65,7 +65,7 @@ docker run -it --rm \
 -w /work \
 -v `pwd`:/work \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.16.1-r0-0
+docker.io/devture/ansible:2.17.0-r0-0
 ```
 
 Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
@@ -86,7 +86,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.16.1-r0-0
+docker.io/devture/ansible:2.17.0-r0-0
 ```
 
 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).

docs/configuring-playbook-alertmanager-receiver.md

@@ -0,0 +1,93 @@
+# Setting up matrix-alertmanager-receiver (optional)
+
+The playbook can install and configure the [matrix-alertmanager-receiver](https://github.com/metio/matrix-alertmanager-receiver) service for you. It's a [client](https://prometheus.io/docs/alerting/latest/clients/) for Prometheus' [Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/), allowing you to deliver alerts to Matrix rooms.
+
+See the project's [documentation](https://github.com/metio/matrix-alertmanager-receiver) to learn more about what this component does and why it might be useful to you.
+
+At the moment, **setting up this service's bot requires some manual actions** as described below in [Account and room preparation](#account-and-room-preparation).
+
+This service is meant to be used with an external [Alertmanager](https://prometheus.io/docs/alerting/latest/alertmanager/) instance. It's **not** meant to be integrated with the [Prometheus & Grafana stack](./configuring-playbook-prometheus-grafana.md) installed by this playbook, because the Alertmanager component is not installed by it.
+
+
+## Configuration
+
+```yml
+matrix_alertmanager_receiver_enabled: true
+
+# This exposes matrix-alertmanager-receiver on the `matrix.` domain.
+# Adjust, if necessary.
+matrix_alertmanager_receiver_hostname: "{{ matrix_server_fqn_matrix }}"
+
+# This exposes matrix-alertmanager-receiver under a path prefix containing a random (secret) value.
+# Adjust the `RANDOM_VALUE_HERE` part with a long and secure value.
+matrix_alertmanager_receiver_path_prefix: /matrix-alertmanager-receiver-RANDOM_VALUE_HERE
+
+# If you'd like to change the username for this bot, uncomment and adjust. Otherwise, remove.
+# matrix_alertmanager_receiver_config_matrix_user_id_localpart: "bot.alertmanager.receiver"
+
+# Specify the bot user's access token here.
+# See the "Account and room preparation" section below.
+matrix_alertmanager_receiver_config_matrix_access_token: ''
+
+# Optionally, configure some mappings (URL-friendly room name -> actual Matrix room ID).
+#
+# If you don't configure mappings, you can still deliver alerts using URLs like this:
+# https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/!some-room-id:example.com
+#
+# If a mapping like the one below is configured, you can deliver alerts using friendlier URLs like this:
+# https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/some-room-name
+matrix_alertmanager_receiver_config_matrix_room_mapping:
+  some-room-name: "!some-room-id:{{ matrix_domain }}"
+```
+
+See `roles/custom/matrix-alertmanager-receiver/defaults/main.yml` for additional configuration variables.
+
+
+## Account and room preparation
+
+The playbook can automatically create users, but it cannot automatically obtain access tokens, nor perform any of the other manual actions below.
+
+`matrix-alertmanager-receiver` uses a bot (with a username specified in `matrix_alertmanager_receiver_config_matrix_user_id_localpart` - see above) for delivering messages. You need to **manually register this bot acccount and obtain an access token for it**.
+
+1. [Register a new user](registering-users.md): `ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.alertmanager.receiver password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user`
+2. [Obtain an access token](obtaining-access-tokens.md) for the bot's user account
+3. Invite the bot to a room where you'd like to alerts to be delivered
+4. Log in as the bot using any Matrix client of your choosing, accept the room invitation from the bot's account and log out
+5. (Optionally) Adjust `matrix_alertmanager_receiver_config_matrix_room_mapping` to create a mapping between the new room and its id
+
+Steps 1 and 2 above only need to be done once, while preparing your [configuration](#configuration).
+
+Steps 3 and 4 need to be done for each new room you'd like the bot to deliver alerts to. Step 5 is optional and provides cleaner `/alert/` URLs.
+
+
+## Installation
+
+Now that you've [prepared the bot account and room](#account-and-room-preparation) and have [configured the playbook](#configuration), you can re-run the [installation](./installing.md) process (`just install-all`).
+
+Then, you can proceed to [Usage](#usage).
+
+
+## Usage
+
+Configure your Prometheus Alertmanager with configuration like this:
+
+```yml
+receivers:
+  - name: matrix
+    webhook_configs:
+      - send_resolved: true
+        url: URL_HERE
+route:
+  group_by:
+    - namespace
+  group_interval: 5m
+  group_wait: 30s
+  receiver: "matrix"
+  repeat_interval: 12h
+  routes:
+    - receiver: matrix
+```
+
+.. where `URL_HERE` looks like `https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/some-room-name` or `https://matrix.DOMAIN/matrix-alertmanager-receiver-RANDOM_VALUE_HERE/alert/!some-room-id:DOMAIN`.
+
+This bot does **not** accept room invitations automatically (like many other bots do). To deliver messages to rooms, **the bot must be joined to all rooms manually** - see Step 5 of the [Account and room preparation](#account-and-room-preparation) section.

docs/configuring-playbook-bridge-hookshot.md

@@ -50,7 +50,8 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri
 
 | listener | default path | variable | used as |
 |---|---|---|---|
-| webhooks | `/hookshot/webhooks/` | `matrix_hookshot_webhook_endpoint` | generics, GitHub "Webhook URL", GitLab "URL", etc. |
+| - | `/hookshot/webhooks/` | `matrix_hookshot_webhook_endpoint` | Webhook-prefix, which affects all webhook-related URLs below |
+| generic | `/hookshot/webhooks/webhook` | `matrix_hookshot_generic_endpoint` | Generic webhooks |
 | github oauth | `/hookshot/webhooks/oauth` | `matrix_hookshot_github_oauth_endpoint` | GitHub "Callback URL" |
 | jira oauth | `/hookshot/webhooks/jira/oauth` | `matrix_hookshot_jira_oauth_endpoint` | JIRA OAuth |
 | figma endpoint | `/hookshot/webhooks/figma/webhook` | `matrix_hookshot_figma_endpoint` | Figma |

docs/configuring-playbook-own-webserver.md

@@ -171,6 +171,14 @@ devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
 # - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs`
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.0.1:8449'
 
+# Disable HTTP/3 for the federation entrypoint.
+# If you'd like HTTP/3, consider configuring it for your other reverse-proxy.
+#
+# Disabling this also sets `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to an empty value.
+# If you'd like to keep HTTP/3 enabled here (for whatever reason), you may wish to explicitly
+# set `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp` to something like '127.0.0.1:8449'.
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: false
+
 # Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above,
 # this may need to be reconfigured. See the comments above.
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:

docs/configuring-playbook-prometheus-grafana.md

@@ -121,7 +121,7 @@ scrape_configs:
 
 ## More information
 
-- [Understanding Synapse Performance Issues Through Grafana Graphs](https://github.com/element-hq/synapse/wiki/Understanding-Synapse-Performance-Issues-Through-Grafana-Graphs) at the Synapse Github Wiki
+- [Understanding Synapse Performance Issues Through Grafana Graphs](https://element-hq.github.io/synapse/latest/usage/administration/understanding_synapse_through_grafana_graphs.html) at the Synapse Github Wiki
 - [The Prometheus scraping rules](https://github.com/element-hq/synapse/tree/master/contrib/prometheus) (we use v2)
 - [The Synapse Grafana dashboard](https://github.com/element-hq/synapse/tree/master/contrib/grafana)
 - [The Node Exporter dashboard](https://github.com/rfrail3/grafana-dashboards) (for generic non-synapse performance graphs)

docs/configuring-playbook-sliding-sync-proxy.md

@@ -23,7 +23,7 @@ If you'd like to run the Sliding Sync proxy on another hostname or path, use the
 
 ## Adjusting DNS records
 
-If you've changed the default hostame, **you may need to adjust your DNS** records.
+If you've changed the default hostname, **you may need to adjust your DNS** records.
 
 
 ## Adjusting the playbook configuration

docs/configuring-playbook-synapse-admin.md

@@ -20,14 +20,12 @@ matrix_synapse_admin_enabled: true
 - for [Synapse](./configuring-playbook-synapse.md) (our default homeserver implementation): `matrix_synapse_container_labels_public_client_synapse_admin_api_enabled: true`
 - for [Dendrite](./configuring-playbook-dendrite.md): `matrix_dendrite_container_labels_public_client_synapse_admin_api_enabled: true`
 
+By default, synapse-admin installation will be [restricted to only work with one homeserver](https://github.com/Awesome-Technologies/synapse-admin/blob/e21e44362c879ac41f47c580b04210842b6ff3d7/README.md#restricting-available-homeserver) - the one managed by the playbook. To adjust these restrictions, tweak the `matrix_synapse_admin_config_restrictBaseUrl` variable.
+
 
 ## Installing
 
-After configuring the playbook, run the [installation](installing.md) command again:
-
-```
-ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
-```
+After configuring the playbook, run the [installation](installing.md) command again (`just install-all`).
 
 
 ## Usage
@@ -35,5 +33,3 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 After installation, Synapse Admin will be accessible at: `https://matrix.DOMAIN/synapse-admin/`
 
 To use Synapse Admin, you need to have [registered at least one administrator account](registering-users.md) on your server.
-
-The Homeserver URL to use on Synapse Admin's login page is: `https://matrix.DOMAIN`

docs/configuring-playbook.md

@@ -224,3 +224,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 - [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional)
 
 - [Setting up the Rageshake bug report server](configuring-playbook-rageshake.md) (optional)
+
+- [Setting up Prometheus Alertmanager integration via matrix-alertmanager-receiver](configuring-playbook-alertmanager-receiver.md) (optional)

docs/faq.md

@@ -342,7 +342,7 @@ As described in [How is the effective configuration determined?](#how-is-the-eff
 
 Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features).
 
-**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`).
+**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`) or `just update` (which automatically does `git pull` and `just roles`).
 
 ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it?
 
@@ -356,7 +356,7 @@ Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_con
 
 Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it.
 
-**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`).
+**Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`) or `just update` (which automatically does `git pull` and `just roles`).
 
 
 ## Installation

docs/installing.md

@@ -2,7 +2,9 @@
 
 If you've [configured your DNS](configuring-dns.md) and have [configured the playbook](configuring-playbook.md), you can start the installation procedure.
 
-**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`.
+**Before installing** and each time you update the playbook in the future, you will need to update the Ansible roles in this playbook by running `just roles`. `just roles` is a shortcut (a `roles` target defined in [`justfile`](../justfile) and executed by the [`just`](https://github.com/casey/just) utility) which ultimately runs [agru](https://gitlab.com/etke.cc/tools/agru) or [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) (depending on what is available in your system) to download Ansible roles. If you don't have `just`, you can also manually run the `roles` commands seen in the `justfile`.
+
+There's another shortcut (`just update`) which updates the playbook (`git pull`) and updates roles (`just update`) at the same time.
 
 
 ## Playbook tags introduction

docs/maintenance-migrating.md

@@ -1,6 +1,6 @@
-> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`). 
-> 
-> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore.
+> **Note**: This migration guide is applicable if you migrate from one server to another server having the same CPU architecture (e.g. both servers being `amd64`).
+>
+> If you're trying to migrate between different architectures (e.g. `amd64` --> `arm64`), simply copying the complete `/matrix` directory is not possible as it would move the raw PostgreSQL data (`/matrix/postgres/data`) between different architectures. In this specific case, you can use the guide below as a reference, but you would also need to avoid syncing `/matrix/postgres/data` to the new host, and also dump the database on your current server and import it properly on the new server. See our [Backing up PostgreSQL](maintenance-postgres.md#backing-up-postgresql) docs for help with PostgreSQL backup/restore.
 
 # Migrating to new server
 

docs/maintenance-upgrading-services.md

@@ -6,12 +6,13 @@ If you want to be notified when new versions of Synapse are released, you should
 
 To upgrade services:
 
-- update your playbook directory (`git pull`), so you'd obtain everything new we've done
+- update your playbook directory and all upstream Ansible roles (defined in the `requirements.yml` file) using:
 
-- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of
+- either: `just update`
+- or: a combination of `git pull` and `just role` (or `make roles`)
 
-- download the upstream Ansible roles used by the playbook by running `just roles`
+- take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of
 
-- re-run the [playbook setup](installing.md) and restart all services: `just setup-all`
+- re-run the [playbook setup](installing.md) and restart all services: `just install-all` or `just setup-all`
 
 **Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql).

docs/prerequisites.md

@@ -26,7 +26,7 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
 
 - [`git`](https://git-scm.com/) is the recommended way to download the playbook to your computer. `git` may also be required on the server if you will be [self-building](self-building.md) components.
 
-- [`just`](https://github.com/casey/just) for running `just roles`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually
+- [`just`](https://github.com/casey/just) for running `just roles`, `just update`, etc. (see [`justfile`](../justfile)), although you can also run these commands manually
 
 - An HTTPS-capable web server at the base domain name (`<your-domain>`) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md).
 

group_vars/matrix_servers

@@ -38,6 +38,9 @@ matrix_playbook_reverse_proxy_hostname: "{{ devture_traefik_identifier if devtur
 # A separate Matrix Federation entrypoint is always enabled, unless the federation port matches one of the ports for existing (default) entrypoints
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: "{{ matrix_federation_public_port not in [devture_traefik_config_entrypoint_web_port, devture_traefik_config_entrypoint_web_secure_port] }}"
 
+# We only enable HTTP/3 on the federation entrypoint if the main web-secure entrypoint has it enabled.
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: "{{ devture_traefik_config_entrypoint_web_secure_http3_enabled }}"
+
 # `devture_traefik_config_entrypoint_web_secure_enabled` is the variable we currently follow to determine if SSL is enabled or not.
 # `matrix_playbook_ssl_enabled` is merely an indicator if (when looked at it publicly), the server supports SSL or not,
 # and affects how services configure their public URLs.
@@ -264,6 +267,8 @@ devture_systemd_service_manager_services_list_auto: |
   {{
     ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else [])
     +
+    ([{'name': 'matrix-alertmanager-receiver.service', 'priority': 2200, 'groups': ['matrix', 'alertmanager-receiver']}] if matrix_alertmanager_receiver_enabled else [])
+    +
     ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else [])
     +
     ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else [])
@@ -555,6 +560,54 @@ matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if m
 ######################################################################
 
 
+######################################################################
+#
+# matrix-alertmanager-receiver
+#
+######################################################################
+
+# We don't enable this by default.
+matrix_alertmanager_receiver_enabled: false
+
+matrix_alertmanager_receiver_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
+matrix_alertmanager_receiver_container_network: "{{ matrix_addons_container_network }}"
+
+matrix_alertmanager_receiver_container_additional_networks_auto: |-
+  {{
+    (
+      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
+      +
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_alertmanager_receiver_container_labels_traefik_enabled) else [])
+    ) | unique
+  }}
+
+matrix_alertmanager_receiver_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_alertmanager_receiver_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_alertmanager_receiver_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+matrix_alertmanager_receiver_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+matrix_alertmanager_receiver_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+
+matrix_alertmanager_receiver_systemd_required_services_list_auto: "{{ matrix_addons_homeserver_systemd_services_list }}"
+
+matrix_alertmanager_receiver_config_matrix_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
+
+matrix_alertmanager_receiver_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
+
+matrix_alertmanager_receiver_metrics_proxying_enabled: "{{ matrix_alertmanager_receiver_config_http_metrics_enabled and matrix_metrics_exposure_enabled }}"
+matrix_alertmanager_receiver_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
+matrix_alertmanager_receiver_metrics_proxying_path: "{{ matrix_metrics_exposure_path_prefix }}/matrix-alertmanager-receiver"
+
+######################################################################
+#
+# /matrix-alertmanager-receiver
+#
+######################################################################
+
+
+
 ######################################################################
 #
 # matrix-bridge-appservice-discord
@@ -3551,6 +3604,9 @@ matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik
 matrix_media_repo_container_labels_traefik_internal_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_media_repo_container_labels_traefik_internal_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
 matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_media_repo_database_username: matrix_media_repo
 matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}"

justfile

@@ -5,6 +5,7 @@ default:
 # Pulls external Ansible roles
 roles:
     #!/usr/bin/env sh
+    echo "[NOTE] This command just updates the roles, but if you want to update everything at once (playbook, roles, etc.) - use 'just update'"
     if [ -x "$(command -v agru)" ]; then
     	agru
     else
@@ -12,9 +13,25 @@ roles:
     	ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
     fi
 
-# Updates requirements.yml if there are any new tags available. Requires agru
-update:
-    @agru -u
+# Updates the playbook and installs the necessary Ansible roles pinned in requirements.yml. If a -u flag is passed, also updates the requirements.yml file with new role versions (if available)
+update *flags: update-playbook-only
+    #!/usr/bin/env sh
+    if [ -x "$(command -v agru)" ]; then
+        echo {{ if flags == "" { "Installing roles pinned in requirements.yml..." } else if flags == "-u" { "Updating roles and pinning new versions in requirements.yml..." } else { "Unknown flags passed" } }}
+        agru {{ flags }}
+    else
+        echo "[NOTE] You are using the standard ansible-galaxy tool to install roles, which is slow and lacks other features. We recommend installing the 'agru' tool to speed up the process: https://gitlab.com/etke.cc/tools/agru#where-to-get"
+        echo "Installing roles..."
+        rm -rf roles/galaxy
+        ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
+    fi
+
+# Updates the playbook without installing/updating Ansible roles
+update-playbook-only:
+    @echo "Updating playbook..."
+    @git stash -q
+    @git pull -q
+    @-git stash pop -q
 
 # Runs ansible-lint against all roles in the playbook
 lint:

requirements.yml

@@ -4,28 +4,28 @@
   version: v1.0.0-3
   name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.8-1.8.11-1
+  version: v1.2.8-1.8.13-0
   name: backup_borg
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
-  version: v0.1.2-2
+  version: v0.2.0-0
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.2.0
+  version: 7.3.0
   name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
   version: 129c8590e106b83e6f4c259649a613c6279e937a
   name: docker_sdk_for_python
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
-  version: v2.1.0-1
+  version: v2.1.1-0
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.97.1-r0-0-2
+  version: v4.98-r0-0-0
   name: exim_relay
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v11.0.0-1
+  version: v11.1.0-0
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v9457-5
+  version: v9584-1
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-keydb.git
   version: v6.3.4-2
@@ -43,22 +43,22 @@
   version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
   name: playbook_state_preserver
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
-  version: v16.3-1
+  version: v16.3-2
   name: postgres
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
   version: 8c3585fb4857dbac026b2974bb6525289240effb
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v2.53.0-0
+  version: v2.53.1-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.8.1-1
+  version: v1.8.2-0
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
   version: v0.14.0-5
   name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
-  version: v7.2.4-1
+  version: v7.2.4-2
   name: redis
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.2.0-0
@@ -70,7 +70,7 @@
   version: v1.0.0-0
   name: timesync
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v2.11.4-0
+  version: v3.0.4-1
   name: traefik
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
   version: v2.8.3-2

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -0,0 +1,241 @@
+---
+
+# matrix-alertmanager-receiver is a service which receives webhook payloads from Prometheus' Alertmanager and forwards them to a Matrix room.
+# Project source code URL: https://github.com/metio/matrix-alertmanager-receiver
+
+matrix_alertmanager_receiver_enabled: true
+
+# renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
+matrix_alertmanager_receiver_version: 2024.7.3
+
+matrix_alertmanager_receiver_scheme: https
+
+# The hostname at which matrix-alertmanager-receiver is served.
+matrix_alertmanager_receiver_hostname: ''
+
+# The path at which matrix-alertmanager-receiver is served.
+# This value must either be `/` or not end with a slash (e.g. `/matrix-alertmanager-receiver`).
+matrix_alertmanager_receiver_path_prefix: /
+
+matrix_alertmanager_receiver_base_path: "{{ matrix_base_data_path }}/alertmanager-receiver"
+matrix_alertmanager_receiver_config_path: "{{ matrix_alertmanager_receiver_base_path }}/config"
+
+matrix_alertmanager_receiver_container_image_self_build: false
+matrix_alertmanager_receiver_container_image_self_build_repo: https://github.com/metio/matrix-alertmanager-receiver
+matrix_alertmanager_receiver_container_image_self_build_repo_version: "{{ 'main' if matrix_alertmanager_receiver_version == 'main' else matrix_alertmanager_receiver_version }}"
+matrix_alertmanager_receiver_container_src_path: "{{ matrix_alertmanager_receiver_base_path }}/container-src"
+
+matrix_alertmanager_receiver_container_image: "{{ matrix_alertmanager_receiver_container_image_name_prefix }}metio/matrix-alertmanager-receiver:{{ matrix_alertmanager_receiver_container_image_tag }}"
+matrix_alertmanager_receiver_container_image_name_prefix: "{{ 'localhost/' if matrix_alertmanager_receiver_container_image_self_build else matrix_alertmanager_receiver_container_image_registry_prefix }}"
+matrix_alertmanager_receiver_container_image_tag: "{{ matrix_alertmanager_receiver_version }}"
+matrix_alertmanager_receiver_container_image_force_pull: "{{ matrix_alertmanager_receiver_container_image.endswith(':main') }}"
+matrix_alertmanager_receiver_container_image_registry_prefix: docker.io/
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_alertmanager_receiver_container_network: ''
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+matrix_alertmanager_receiver_container_additional_networks: "{{ matrix_alertmanager_receiver_container_additional_networks_default + matrix_alertmanager_receiver_container_additional_networks_auto + matrix_alertmanager_receiver_container_additional_networks_custom }}"
+matrix_alertmanager_receiver_container_additional_networks_default: []
+matrix_alertmanager_receiver_container_additional_networks_auto: []
+matrix_alertmanager_receiver_container_additional_networks_custom: []
+
+# Controls whether matrix-alertmanager-receiver metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/matrix-alertmanager-receiver`
+matrix_alertmanager_receiver_metrics_proxying_enabled: false
+matrix_alertmanager_receiver_metrics_proxying_hostname: ''
+matrix_alertmanager_receiver_metrics_proxying_path: /metrics/matrix-alertmanager-receiver
+
+# matrix_alertmanager_receiver_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_alertmanager_receiver_container_labels_additional_labels`.
+matrix_alertmanager_receiver_container_labels_traefik_enabled: true
+matrix_alertmanager_receiver_container_labels_traefik_docker_network: "{{ matrix_alertmanager_receiver_container_network }}"
+matrix_alertmanager_receiver_container_labels_traefik_hostname: "{{ matrix_alertmanager_receiver_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/matrix-alertmanager-receiver`).
+matrix_alertmanager_receiver_container_labels_traefik_path_prefix: "{{ matrix_alertmanager_receiver_path_prefix }}"
+matrix_alertmanager_receiver_container_labels_traefik_rule: "Host(`{{ matrix_alertmanager_receiver_container_labels_traefik_hostname }}`){% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_alertmanager_receiver_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_alertmanager_receiver_container_labels_traefik_priority: 0
+matrix_alertmanager_receiver_container_labels_traefik_entrypoints: web-secure
+matrix_alertmanager_receiver_container_labels_traefik_tls: "{{ matrix_alertmanager_receiver_container_labels_traefik_entrypoints != 'web' }}"
+matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether labels will be added that expose metrics (see `matrix_alertmanager_receiver_metrics_proxying_enabled`) for matrix-alertmanager-receiver
+matrix_alertmanager_receiver_container_labels_public_metrics_enabled: "{{ matrix_alertmanager_receiver_metrics_enabled and matrix_alertmanager_receiver_metrics_proxying_enabled }}"
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_path: "{{ matrix_alertmanager_receiver_metrics_proxying_path }}"
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_rule: "Host(`{{ matrix_alertmanager_receiver_metrics_proxying_hostname }}`) && Path(`{{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_path }}`)"
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_priority: 0
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_entrypoints: "{{ matrix_alertmanager_receiver_container_labels_traefik_entrypoints }}"
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls: "{{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_entrypoints != 'web' }}"
+matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls_certResolver: "{{ matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled: false
+# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
+matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_users: ''
+
+# matrix_alertmanager_receiver_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_alertmanager_receiver_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_alertmanager_receiver_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_alertmanager_receiver_container_extra_arguments: []
+
+# Controls the `--log-level` argument passed to the container process.
+# Valid values: error, warn, info, debug
+matrix_alertmanager_receiver_container_process_argument_log_level: info
+
+# A list of extra arguments to pass to the container process.
+matrix_alertmanager_receiver_container_process_extra_arguments: []
+
+# List of systemd services that matrix-alertmanager-receiver-proxy.service depends on
+matrix_alertmanager_receiver_systemd_required_services_list: "{{ matrix_alertmanager_receiver_systemd_required_services_list_default + matrix_alertmanager_receiver_systemd_required_services_list_auto + matrix_alertmanager_receiver_systemd_required_services_list_custom }}"
+matrix_alertmanager_receiver_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_alertmanager_receiver_systemd_required_services_list_auto: []
+matrix_alertmanager_receiver_systemd_required_services_list_custom: []
+
+# List of systemd services that matrix-alertmanager-receiver-proxy.service wants
+matrix_alertmanager_receiver_systemd_wanted_services_list: []
+
+# Controls the `http.port` configuration setting.
+matrix_alertmanager_receiver_config_http_port: 12345
+
+# Controls the `http.alerts-path-prefix` configuration setting.
+matrix_alertmanager_receiver_config_http_alerts_path_prefix: /alerts
+
+# Controls the `http.metrics-enabled` configuration setting.
+matrix_alertmanager_receiver_config_http_metrics_enabled: false
+
+# Controls the `http.metrics-path` configuration setting.
+matrix_alertmanager_receiver_config_http_metrics_path: /metrics
+
+# Controls the `matrix.homeserver-url` configuration setting.
+matrix_alertmanager_receiver_config_matrix_homeserver_url: ''
+
+# Controls the `matrix.user-id` configuration setting.
+matrix_alertmanager_receiver_config_matrix_user_id: "@{{ matrix_alertmanager_receiver_config_matrix_user_id_localpart }}:{{ matrix_domain }}"
+matrix_alertmanager_receiver_config_matrix_user_id_localpart: "bot.alertmanager.receiver"
+
+# Controls the `matrix.access-token` configuration setting.
+matrix_alertmanager_receiver_config_matrix_access_token: ''
+
+# Controls the `matrix.room-mapping` configuration setting.
+#
+# Example:
+# matrix_alertmanager_receiver_config_matrix_room:
+#   simple-name: "!qohfwef7qwerf:example.com"
+#   another-name: "!bf3zfio3wbanw:example.com"
+matrix_alertmanager_receiver_config_matrix_room_mapping: {}
+
+# Controls the `templating.external-url-mapping` configuration setting.
+#
+# The key is the original value taken from the Alertmanager payload
+# The value is the mapped value which will be available as '.ExternalURL' in templates
+#
+# Example:
+# matrix_alertmanager_receiver_config_templating_external_url_mapping:
+#   "http://alertmanager:9093": https://alertmanager.example.com
+#   "http://alertmanager:9094": https://another.alertmanager.example.com
+matrix_alertmanager_receiver_config_templating_external_url_mapping: {}
+
+# Controls the `templating.generator-url-mapping` configuration setting.
+#
+# The key is the original value taken from the Alertmanager payload
+# The value is the mapped value which will be available as '.ExternalURL' in templates
+#
+# Example:
+# matrix_alertmanager_receiver_config_templating_generator_url_mapping:
+#   "http://prometheus:8080": https://prometheus.example.com
+#   "http://prometheus:8081": https://another.prometheus.example.com
+matrix_alertmanager_receiver_config_templating_generator_url_mapping: {}
+
+# Controls the `templating.computed-values` configuration setting.
+matrix_alertmanager_receiver_config_templating_computed_values: "{{ matrix_alertmanager_receiver_config_templating_computed_values_default + matrix_alertmanager_receiver_config_templating_computed_values_auto + matrix_alertmanager_receiver_config_templating_computed_values_custom }}"
+matrix_alertmanager_receiver_config_templating_computed_values_default:
+  - values:  # always set 'color' to 'yellow'
+      color: yellow
+  - values:  # set 'color' to 'orange' when alert label 'severity' is 'warning'
+      color: orange
+    when-matching-labels:
+      severity: warning
+  - values:  # set 'color' to 'red' when alert label 'severity' is 'critical'
+      color: red
+    when-matching-labels:
+      severity: critical
+  - values:  # set 'color' to 'green' when alert status is 'resolved'
+      color: green
+    when-matching-status: resolved
+matrix_alertmanager_receiver_config_templating_computed_values_auto: []
+matrix_alertmanager_receiver_config_templating_computed_values_custom: []
+
+# Controls the `templating.firing-template` configuration setting.
+matrix_alertmanager_receiver_config_templating_firing_template: |-
+  {% raw %}
+  <p>
+    <strong><font color="{{ .ComputedValues.color }}">{{ .Alert.Status | ToUpper }}</font></strong>
+    {{ if .Alert.Labels.name }}
+      {{ .Alert.Labels.name }}
+    {{ else if .Alert.Labels.alertname }}
+      {{ .Alert.Labels.alertname }}
+    {{ end }}
+    >>
+    {{ if .Alert.Labels.severity }}
+      {{ .Alert.Labels.severity | ToUpper }}:
+    {{ end }}
+    {{ if .Alert.Annotations.description }}
+      {{ .Alert.Annotations.description }}
+    {{ else if .Alert.Annotations.summary }}
+      {{ .Alert.Annotations.summary }}
+    {{ end }}
+    >>
+    {{ if .Alert.Annotations.runbook_url }}
+      <a href="{{ .Alert.Annotations.runbook_url }}">Runbook</a> |
+    {{ end }}
+    {{ if .Alert.Annotations.dashboard }}
+      <a href="{{ .Alert.Annotations.dashboard }}">Dashboard</a> |
+    {{ end }}
+    <a href="{{ .SilenceURL }}">Silence</a>
+  </p>
+  {% endraw %}
+
+# Controls the `templating.resolved-template` configuration setting.
+matrix_alertmanager_receiver_config_templating_resolved_template: |-
+  {% raw %}
+  <strong><font color="{{ .ComputedValues.color }}">{{ .Alert.Status | ToUpper }}</font></strong>
+  {{ if .Alert.Labels.name }}
+    {{ .Alert.Labels.name }}
+  {{ else if .Alert.Labels.alertname }}
+    {{ .Alert.Labels.alertname }}
+  {{ end }}
+  {% endraw %}
+
+# Default matrix-alertmanager-receiver configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_alertmanager_receiver_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_alertmanager_receiver_configuration_yaml: "{{ lookup('template', 'templates/config.yml.j2') }}"
+
+matrix_alertmanager_receiver_configuration_extension_yaml: |
+  # Your custom YAML configuration for matrix-alertmanager-receiver goes here.
+  # This configuration extends the default starting configuration (`matrix_alertmanager_receiver_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_alertmanager_receiver_configuration_yaml`.
+  #
+  # Example configuration extension follows:
+  #
+  # http:
+  #   address: ''
+
+matrix_alertmanager_receiver_configuration_extension: "{{ matrix_alertmanager_receiver_configuration_extension_yaml | from_yaml if matrix_alertmanager_receiver_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final matrix-alertmanager-receiver configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_alertmanager_receiver_configuration_yaml`.
+matrix_alertmanager_receiver_configuration: "{{ matrix_alertmanager_receiver_configuration_yaml | from_yaml | combine(matrix_alertmanager_receiver_configuration_extension, recursive=True) }}"

roles/custom/matrix-alertmanager-receiver/tasks/install.yml

@@ -0,0 +1,80 @@
+---
+
+- name: Ensure matrix-alertmanager-receiver paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_alertmanager_receiver_base_path }}"
+      when: true
+    - path: "{{ matrix_alertmanager_receiver_config_path }}"
+      when: true
+    - path: "{{ matrix_alertmanager_receiver_container_src_path }}"
+      when: "{{ matrix_alertmanager_receiver_container_image_self_build }}"
+  when: item.when | bool
+
+- name: Ensure matrix-alertmanager-receiver configuration installed
+  ansible.builtin.copy:
+    content: "{{ matrix_alertmanager_receiver_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_alertmanager_receiver_config_path }}/config.yml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-alertmanager-receiver support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_alertmanager_receiver_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+
+- name: Ensure matrix-alertmanager-receiver container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_alertmanager_receiver_container_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_alertmanager_receiver_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_alertmanager_receiver_container_image_force_pull }}"
+  when: "not matrix_alertmanager_receiver_container_image_self_build | bool"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- when: matrix_alertmanager_receiver_container_image_self_build | bool
+  block:
+    - name: Ensure matrix-alertmanager-receiver repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_alertmanager_receiver_container_image_self_build_repo }}"
+        version: "{{ matrix_alertmanager_receiver_container_image_self_build_repo_version }}"
+        dest: "{{ matrix_alertmanager_receiver_container_src_path }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_alertmanager_receiver_git_pull_results
+
+    - name: Ensure matrix-alertmanager-receiver container image is built
+      ansible.builtin.command:
+        cmd: |-
+          {{ devture_systemd_docker_base_host_command_docker }} buildx build
+          --tag={{ matrix_alertmanager_receiver_container_image }}
+          --file={{ matrix_alertmanager_receiver_container_src_path }}/contrib/Dockerfile
+          {{ matrix_alertmanager_receiver_container_src_path }}
+      changed_when: true
+
+- name: Ensure matrix-alertmanager-receiver container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_alertmanager_receiver_container_network }}"
+    driver: bridge
+
+- name: Ensure matrix-alertmanager-receiver.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-alertmanager-receiver.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-alertmanager-receiver.service"
+    mode: 0644

roles/custom/matrix-alertmanager-receiver/tasks/main.yml

@@ -0,0 +1,20 @@
+---
+
+- tags:
+    - setup-all
+    - setup-alertmanager-receiver
+    - install-all
+    - install-alertmanager-receiver
+  block:
+    - when: matrix_alertmanager_receiver_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_alertmanager_receiver_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-alertmanager-receiver
+  block:
+    - when: not matrix_alertmanager_receiver_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-alertmanager-receiver/tasks/uninstall.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Check existence of matrix-alertmanager-receiver service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-alertmanager-receiver.service"
+  register: matrix_alertmanager_receiver_service_stat
+
+- when: matrix_alertmanager_receiver_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-alertmanager-receiver is stopped
+      ansible.builtin.service:
+        name: matrix-alertmanager-receiver
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure matrix-alertmanager-receiver.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-alertmanager-receiver.service"
+        state: absent
+
+    - name: Ensure matrix-alertmanager-receiver paths don't exist
+      ansible.builtin.file:
+        path: "{{ matrix_alertmanager_receiver_base_path }}"
+        state: absent

roles/custom/matrix-alertmanager-receiver/tasks/validate_config.yml

@@ -0,0 +1,14 @@
+---
+- name: Fail if required matrix-alertmanager-receiver settings not defined
+  ansible.builtin.fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_alertmanager_receiver_hostname', when: true}
+    - {'name': 'matrix_alertmanager_receiver_path_prefix', when: true}
+    - {'name': 'matrix_alertmanager_receiver_config_matrix_homeserver_url', when: true}
+    - {'name': 'matrix_alertmanager_receiver_config_matrix_access_token', when: true}
+    - {'name': 'matrix_alertmanager_receiver_container_network', when: true}
+    - {'name': 'matrix_alertmanager_receiver_metrics_proxying_hostname', when: "{{ matrix_alertmanager_receiver_metrics_proxying_enabled }}"}
+    - {'name': 'matrix_alertmanager_receiver_metrics_proxying_path_prefix', when: "{{ matrix_alertmanager_receiver_metrics_proxying_enabled }}"}

roles/custom/matrix-alertmanager-receiver/templates/config.yml.j2

@@ -0,0 +1,37 @@
+#jinja2: lstrip_blocks: "True"
+# configuration of the HTTP server
+http:
+  address: 0.0.0.0 # bind address for this service. Can be left unspecified to bind on all interfaces
+  port: {{ matrix_alertmanager_receiver_config_http_port | to_json }} # port used by this service
+  alerts-path-prefix: {{ matrix_alertmanager_receiver_config_http_alerts_path_prefix | to_json }} # URL path for the webhook receiver called by an Alertmanager. Defaults to /alerts
+  metrics-path: {{ matrix_alertmanager_receiver_config_http_metrics_path | to_json }} # URL path to collect metrics. Defaults to /metrics
+  metrics-enabled: {{ matrix_alertmanager_receiver_config_http_metrics_enabled | to_json }} # Whether to enable metrics or not. Defaults to false
+
+# configuration for the Matrix connection
+matrix:
+  homeserver-url: {{ matrix_alertmanager_receiver_config_matrix_homeserver_url | to_json }} # FQDN of the homeserver
+  user-id: {{ matrix_alertmanager_receiver_config_matrix_user_id | to_json }} # ID of the user used by this service
+  access-token: {{ matrix_alertmanager_receiver_config_matrix_access_token | to_json }} # Access token for the user ID
+  # define short names for Matrix room ID
+  room-mapping: {{ matrix_alertmanager_receiver_config_matrix_room_mapping | to_json }}
+
+# configuration of the templating features
+templating:
+  # mapping of ExternalURL values
+  # key is the original value taken from the Alertmanager payload
+  # value is the mapped value which will be available as '.ExternalURL' in templates
+  external-url-mapping: {{ matrix_alertmanager_receiver_config_templating_external_url_mapping | to_json }}
+  # mapping of GeneratorURL values
+  # key is the original value taken from the Alertmanager payload
+  # value is the mapped value which will be available as '.GeneratorURL' in templates
+  generator-url-mapping: {{ matrix_alertmanager_receiver_config_templating_generator_url_mapping | to_json }}
+
+  # computation of arbitrary values based on matching alert annotations, labels, or status
+  # values will be evaluated top to bottom, last entry wins
+  computed-values: {{ matrix_alertmanager_receiver_config_templating_computed_values | to_json }}
+
+  # template for alerts in status 'firing'
+  firing-template: {{ matrix_alertmanager_receiver_config_templating_firing_template | to_json }}
+
+  # template for alerts in status 'resolved', if not specified will use the firing-template
+  resolved-template: {{ matrix_alertmanager_receiver_config_templating_resolved_template | to_json }}

roles/custom/matrix-alertmanager-receiver/templates/labels.j2

@@ -0,0 +1,69 @@
+{% if matrix_alertmanager_receiver_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_alertmanager_receiver_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_alertmanager_receiver_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-alertmanager-receiver.loadbalancer.server.port={{ matrix_alertmanager_receiver_config_http_port }}
+
+{% set middlewares = [] %}
+
+{% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-alertmanager-receiver-slashless-redirect.redirectregex.regex=({{ matrix_alertmanager_receiver_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-alertmanager-receiver-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-alertmanager-receiver-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_alertmanager_receiver_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-alertmanager-receiver-strip-prefix.stripprefix.prefixes={{ matrix_alertmanager_receiver_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-alertmanager-receiver-strip-prefix'] %}
+{% endif %}
+
+traefik.http.routers.matrix-alertmanager-receiver.rule={{ matrix_alertmanager_receiver_container_labels_traefik_rule }}
+{% if matrix_alertmanager_receiver_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver.priority={{ matrix_alertmanager_receiver_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-alertmanager-receiver.service=matrix-alertmanager-receiver
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-alertmanager-receiver.entrypoints={{ matrix_alertmanager_receiver_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-alertmanager-receiver.tls={{ matrix_alertmanager_receiver_container_labels_traefik_tls | to_json }}
+{% if matrix_alertmanager_receiver_container_labels_traefik_tls %}
+traefik.http.routers.matrix-alertmanager-receiver.tls.certResolver={{ matrix_alertmanager_receiver_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_enabled %}
+{% set metrics_middlewares = [] %}
+
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_enabled %}
+{% set metrics_middlewares = metrics_middlewares + ['matrix-alertmanager-receiver-metrics-basic-auth'] %}
+traefik.http.middlewares.matrix-alertmanager-receiver-metrics-basic-auth.basicauth.users={{ matrix_alertmanager_receiver_container_labels_public_metrics_middleware_basic_auth_users }}
+{% endif %}
+
+{% set metrics_middlewares = metrics_middlewares + ['matrix-alertmanager-receiver-metrics-replacepath'] %}
+traefik.http.middlewares.matrix-alertmanager-receiver-metrics-replacepath.replacepath.path={{ matrix_alertmanager_receiver_config_http_metrics_path }}
+
+traefik.http.routers.matrix-alertmanager-receiver-metrics.rule={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_rule }}
+
+{% if metrics_middlewares | length > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver-metrics.middlewares={{ metrics_middlewares | join(',') }}
+{% endif %}
+
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-alertmanager-receiver-metrics.priority={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-alertmanager-receiver-metrics.service=matrix-alertmanager-receiver
+traefik.http.routers.matrix-alertmanager-receiver-metrics.entrypoints={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_entrypoints }}
+
+traefik.http.routers.matrix-alertmanager-receiver-metrics.tls={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls | to_json }}
+{% if matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls %}
+traefik.http.routers.matrix-alertmanager-receiver-metrics.tls.certResolver={{ matrix_alertmanager_receiver_container_labels_public_metrics_traefik_tls_certResolver }}
+{% endif %}
+{% endif %}
+
+{% endif %}
+
+{{ matrix_alertmanager_receiver_container_labels_additional_labels }}

roles/custom/matrix-alertmanager-receiver/templates/systemd/matrix-alertmanager-receiver.service.j2

@@ -0,0 +1,50 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=matrix-alertmanager-receiver
+{% for service in matrix_alertmanager_receiver_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_alertmanager_receiver_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-alertmanager-receiver 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-alertmanager-receiver 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-alertmanager-receiver \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--network={{ matrix_alertmanager_receiver_container_network }} \
+			--mount type=bind,src={{ matrix_alertmanager_receiver_config_path }},dst=/config,ro \
+			--label-file={{ matrix_alertmanager_receiver_base_path }}/labels \
+			{% for arg in matrix_alertmanager_receiver_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_alertmanager_receiver_container_image }} \
+			--config-path=/config/config.yml {{ matrix_alertmanager_receiver_container_process_extra_arguments | join(' ') }} \
+			--log-level={{ matrix_alertmanager_receiver_container_process_argument_log_level }}
+
+{% for network in matrix_alertmanager_receiver_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-alertmanager-receiver
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-alertmanager-receiver
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-alertmanager-receiver 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-alertmanager-receiver 2>/dev/null || true'
+
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-alertmanager-receiver
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-base/defaults/main.yml

@@ -263,7 +263,16 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"  # noqa var-naming
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default: |
+  {{
+    ({'http3': {'advertisedPort': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort | int}})
+    if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled
+    else {}
+  }}
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: {}
 
@@ -271,6 +280,7 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
   name: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name }}"
   port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"
   host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}"
+  host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp }}"
   config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}"
 
 # Controls whether to enable an additional Traefik entrypoint for the purpose of serving the homeserver's Client-Server API internally.

roles/custom/matrix-bot-honoroit/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 
 # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/honoroit
-matrix_bot_honoroit_version: v0.9.21
+matrix_bot_honoroit_version: v0.9.22
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
@@ -39,15 +39,6 @@ matrix_bot_honoroit_container_network: ""
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_honoroit_container_additional_networks: []
 
-# enable basic auth for metrics
-matrix_bot_honoroit_basicauth_enabled: false
-# temporary file name on the host that runs ansible
-matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd"
-# username
-matrix_bot_honoroit_basicauth_user: ''
-# password
-matrix_bot_honoroit_basicauth_password: ''
-
 # matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@@ -149,8 +140,26 @@ matrix_bot_honoroit_sentry: ''
 # Log level
 matrix_bot_honoroit_loglevel: ''
 
-# Disable encryption
-matrix_bot_honoroit_noencryption: false
+# /metrics basic auth login
+matrix_bot_honoroit_auth_metrics_login: ''
+# /metrics basic auth password
+matrix_bot_honoroit_auth_metrics_password: ''
+# /metrics basic auth allowed IPs
+matrix_bot_honoroit_auth_metrics_ips: []
+
+# Optional healthchecks.io integration
+matrix_bot_honoroit_healthchecks_url: 'https://hc-ping.com'
+matrix_bot_honoroit_healthchecks_uuid: ''
+matrix_bot_honoroit_healthchecks_duration: 60  # in seconds
+
+# Optional Redmine integration
+matrix_bot_honoroit_redmine_host: ''  # e.g. https://redmine.example.com
+matrix_bot_honoroit_redmine_apikey: ''
+matrix_bot_honoroit_redmine_project: ''  # project identifier (e.g. 'myproject')
+matrix_bot_honoroit_redmine_tracker_id: ''  # tracker id (e.g. 1)
+matrix_bot_honoroit_redmine_new_status_id: ''  # new status id (e.g. 1)
+matrix_bot_honoroit_redmine_in_progress_status_id: ''  # in progress status id (e.g. 2)
+matrix_bot_honoroit_redmine_done_status_id: ''  # done status id (e.g. 3)
 
 # A list of whitelisted users allowed to use/invite honoroit
 # If not defined, everyone is allowed.

roles/custom/matrix-bot-honoroit/tasks/setup_install.yml

@@ -40,21 +40,6 @@
     - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true}
   when: "item.when | bool"
 
-- name: Determine basicauth filename
-  ansible.builtin.set_fact:
-    matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}"
-  when: matrix_bot_honoroit_basicauth_enabled | bool
-
-- name: Generate basic auth file
-  community.general.htpasswd:
-    path: "{{ matrix_bot_honoroit_basicauth_file }}"
-    name: "{{ matrix_bot_honoroit_basicauth_user }}"
-    password: "{{ matrix_bot_honoroit_basicauth_password }}"
-    mode: 0640
-  become: false
-  delegate_to: 127.0.0.1
-  when: matrix_bot_honoroit_basicauth_enabled | bool
-
 - name: Ensure honoroit support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
@@ -66,14 +51,6 @@
     - env
     - labels
 
-- name: Ensure temporary basic auth file is removed
-  ansible.builtin.file:
-    path: "{{ matrix_bot_honoroit_basicauth_file }}"
-    state: absent
-  become: false
-  delegate_to: 127.0.0.1
-  when: matrix_bot_honoroit_basicauth_enabled | bool
-
 - name: Ensure honoroit image is pulled
   community.docker.docker_image:
     name: "{{ matrix_bot_honoroit_docker_image }}"

roles/custom/matrix-bot-honoroit/templates/env.j2

@@ -5,10 +5,22 @@ HONOROIT_ROOMID={{ matrix_bot_honoroit_roomid }}
 HONOROIT_DB_DSN={{ matrix_bot_honoroit_database_connection_string }}
 HONOROIT_DB_DIALECT={{ matrix_bot_honoroit_database_dialect }}
 HONOROIT_PREFIX={{ matrix_bot_honoroit_prefix }}
-HONOROIT_SENTRY={{ matrix_bot_honoroit_sentry }}
+HONOROIT_AUTH_METRICS_LOGIN={{ matrix_bot_honoroit_auth_metrics_login }}
+HONOROIT_AUTH_METRICS_PASSWORD={{ matrix_bot_honoroit_auth_metrics_password }}
+HONOROIT_AUTH_METRICS_IPS={{ matrix_bot_honoroit_auth_metrics_ips | default([]) | join(' ') }}
+HONOROIT_REDMINE_HOST={{ matrix_bot_honoroit_redmine_host }}
+HONOROIT_REDMINE_APIKEY={{ matrix_bot_honoroit_redmine_apikey }}
+HONOROIT_REDMINE_PROJECT={{ matrix_bot_honoroit_redmine_project }}
+HONOROIT_REDMINE_TRACKERID={{ matrix_bot_honoroit_redmine_tracker_id }}
+HONOROIT_REDMINE_NEWSTATUSID={{ matrix_bot_honoroit_redmine_new_status_id }}
+HONOROIT_REDMINE_INPROGRESSSTATUSID={{ matrix_bot_honoroit_redmine_in_progress_status_id }}
+HONOROIT_REDMINE_DONESTATUSID={{ matrix_bot_honoroit_redmine_done_status_id }}
+HONOROIT_MONITORING_SENTRY_DSN={{ matrix_bot_honoroit_sentry }}
+HONOROIT_MONITORING_HEALTHCHECKS_URL={{ matrix_bot_honoroit_healthchecks_url }}
+HONOROIT_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_honoroit_healthchecks_uuid }}
+HONOROIT_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_honoroit_healthchecks_duration }}
 HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}
 HONOROIT_CACHESIZE={{ matrix_bot_honoroit_cachesize }}
-HONOROIT_NOENCRYPTION={{ matrix_bot_honoroit_noencryption }}
 HONOROIT_IGNORENOTHREAD={{ matrix_bot_honoroit_ignorenothread }}
 HONOROIT_IGNOREDROOMS={{ matrix_bot_honoroit_ignoredrooms | join(' ') }}
 HONOROIT_ALLOWEDUSERS={{ matrix_bot_honoroit_allowedusers | join(' ') }}

roles/custom/matrix-bot-honoroit/templates/labels.j2

@@ -28,11 +28,6 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh
 {% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %}
 {% endif %}
 
-{% if matrix_bot_honoroit_basicauth_enabled %}
-traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }}
-{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
-{% endif %}
-
 {% if middlewares_metrics | length > 0 %}
 traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -34,7 +34,11 @@ matrix_hookshot_public_scheme: https
 matrix_hookshot_public_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_hookshot_public_endpoint: /hookshot
 
-matrix_hookshot_urlprefix: "{{ matrix_hookshot_public_scheme }}://{{ matrix_hookshot_public_hostname }}{{ matrix_hookshot_public_endpoint }}"
+# This is the base URL prefix shared among all endpoints.
+#
+# It intentionally does not include the path prefix (`matrix_hookshot_public_endpoint`),
+# because of how it's used - it's concatenated with paths that already use matrix_hookshot_public_endpoint` within them.
+matrix_hookshot_urlprefix: "{{ matrix_hookshot_public_scheme }}://{{ matrix_hookshot_public_hostname }}"
 
 # There is no need to edit ports. use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
 matrix_hookshot_appservice_port: 9993
@@ -121,6 +125,7 @@ matrix_hookshot_gitlab_instances:
 
 # This will be the "Secret token" you have to enter into all GitLab instances for authentication
 matrix_hookshot_gitlab_webhook_secret: ''
+matrix_hookshot_gitlab_webhook_publicUrl: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_webhook_endpoint }}"  # noqa var-naming
 
 
 matrix_hookshot_figma_enabled: false
@@ -150,7 +155,7 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr
 matrix_hookshot_generic_enabled: true
 matrix_hookshot_generic_enableHttpGet: false  # noqa var-naming
 # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks"
-matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}"
+matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}/webhook"
 # urlprefix gets updated with protocol & port in group_vars/matrix_servers
 matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}"  # noqa var-naming
 # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap
@@ -249,7 +254,7 @@ matrix_hookshot_container_labels_webhooks_traefik_entrypoints: "{{ matrix_hooksh
 matrix_hookshot_container_labels_webhooks_traefik_tls: "{{ matrix_hookshot_container_labels_webhooks_traefik_entrypoints != 'web' }}"
 matrix_hookshot_container_labels_webhooks_traefik_tls_certResolver: "{{ matrix_hookshot_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 
-# Controls whether labels will be added that expose Hookshot's generic endpoint
+# Controls whether labels will be added that expose Hookshot's appservice endpoint
 matrix_hookshot_container_labels_appservice_enabled: true
 matrix_hookshot_container_labels_appservice_traefik_rule: "Host(`{{ matrix_hookshot_appservice_hostname }}`) && PathPrefix(`{{ matrix_hookshot_appservice_endpoint }}`)"
 matrix_hookshot_container_labels_appservice_traefik_priority: 0

roles/custom/matrix-bridge-hookshot/templates/config.yml.j2

@@ -47,6 +47,7 @@ gitlab:
   instances: {{ matrix_hookshot_gitlab_instances | to_json }}
   webhook:
     secret: {{ matrix_hookshot_gitlab_webhook_secret | to_json }}
+    publicUrl: {{ matrix_hookshot_gitlab_webhook_publicUrl | to_json }}
 {% endif %}
 {% if matrix_hookshot_figma_enabled %}
 figma:

roles/custom/matrix-client-element/defaults/main.yml

@@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=vectorim/element-web
-matrix_client_element_version: v1.11.69
+matrix_client_element_version: v1.11.70
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"

roles/custom/matrix-corporal/defaults/main.yml

@@ -5,7 +5,7 @@
 matrix_corporal_enabled: true
 
 # renovate: datasource=docker depName=devture/matrix-corporal
-matrix_corporal_version: 2.7.0
+matrix_corporal_version: 2.8.0
 
 matrix_corporal_container_image_self_build: false
 matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git"

roles/custom/matrix-media-repo/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_media_repo_docker_image_path: "t2bot/matrix-media-repo"
 matrix_media_repo_docker_image: "{{ matrix_media_repo_docker_image_name_prefix }}{{ matrix_media_repo_docker_image_path }}:{{ matrix_media_repo_docker_image_tag }}"
 matrix_media_repo_docker_image_name_prefix: "{{ 'localhost/' if matrix_media_repo_container_image_self_build else 'ghcr.io/' }}"
 # renovate: datasource=docker depName=ghcr.io/t2bot/matrix-media-repo
-matrix_media_repo_docker_image_tag: "v1.3.4"
+matrix_media_repo_docker_image_tag: "v1.3.6"
 matrix_media_repo_docker_image_force_pull: "{{ matrix_media_repo_docker_image.endswith(':latest') }}"
 
 matrix_media_repo_base_path: "{{ matrix_base_data_path }}/{{ matrix_media_repo_identifier }}"
@@ -65,6 +65,9 @@ matrix_media_repo_container_labels_traefik_enabled: true
 matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_media_repo_container_network }}"
 matrix_media_repo_container_labels_traefik_entrypoints: web-secure
 
+# Traefik labels handling the old `/_matrix/media` endpoints on the Client-API (web-secure) entrypoint.
+# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_client_matrix_client_media_*`.
+matrix_media_repo_container_labels_traefik_media_enabled: true
 matrix_media_repo_container_labels_traefik_media_path_prefix: "/_matrix/media"
 matrix_media_repo_container_labels_traefik_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_media_priority: 0
@@ -72,31 +75,58 @@ matrix_media_repo_container_labels_traefik_media_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_media_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_media_tls_certResolver: default  # noqa var-naming
 
+# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the Client-API (web-secure) entrypoint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled: true
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp: "/_matrix/client/(?P<version>(v1))/media"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority: 0
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints != 'web' }}"
+matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver: default  # noqa var-naming
+
+# Traefik labels handling the old `/_matrix/media` endpoints on the internal entrypoint.
 # This is like `matrix_media_repo_container_labels_traefik_media_*`, but on an internal Traefik entrypoint.
+# These are being superseded by `/_matrix/client/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_internal_matrix_client_media_*`.
 matrix_media_repo_container_labels_traefik_internal_media_enabled: false
 matrix_media_repo_container_labels_traefik_internal_media_path_prefix: "{{ matrix_media_repo_container_labels_traefik_media_path_prefix }}"
 matrix_media_repo_container_labels_traefik_internal_media_rule: "PathPrefix(`{{ matrix_media_repo_container_labels_traefik_internal_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_internal_media_priority: "{{ matrix_media_repo_container_labels_traefik_media_priority }}"
 matrix_media_repo_container_labels_traefik_internal_media_entrypoints: ""
 
-# /_matrix/client/r0/logout
-# /_matrix/client/r0/logout/all
-matrix_media_repo_container_labels_traefik_logout_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}"
-matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)"
+# Traefik labels handling the new `/_matrix/client/VERSION/media` endpoints on the internal entrypoint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled: false
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_path_regexp }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule: "PathRegexp(`{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority: "{{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}"
+matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints: ""
+
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/r0/logout
+# - /_matrix/client/r0/logout/all
+matrix_media_repo_container_labels_traefik_logout_enabled: true
+matrix_media_repo_container_labels_traefik_logout_path_regexp: "^/_matrix/client/(?P<version>r0|v1|v3|unstable)/(?P<endpoint>logout|logout/all)"
+matrix_media_repo_container_labels_traefik_logout_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_priority: 0
 matrix_media_repo_container_labels_traefik_logout_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
 matrix_media_repo_container_labels_traefik_logout_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_logout_tls_certResolver: default  # noqa var-naming
 
-# /_matrix/client/r0/admin/purge_media_cache
-# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
-matrix_media_repo_container_labels_traefik_admin_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}"
-matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)"
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/r0/admin/purge_media_cache
+# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
+matrix_media_repo_container_labels_traefik_admin_enabled: true
+matrix_media_repo_container_labels_traefik_admin_path_regexp: "^/_matrix/client/(?P<version>(r0|v1|v3|unstable))/admin/(?P<endpoint>(purge_media_cache|quarantine_media/.*))"
+matrix_media_repo_container_labels_traefik_admin_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_priority: 0
 matrix_media_repo_container_labels_traefik_admin_entrypoints: "{{ matrix_media_repo_container_labels_traefik_entrypoints }}"
 matrix_media_repo_container_labels_traefik_admin_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_admin_tls_certResolver: default  # noqa var-naming
 
+# Traefik labels handling some additional routes on the Client-API (web-secure) entrypoint:
+# - /_matrix/client/unstable/io.t2bot.media
+matrix_media_repo_container_labels_traefik_t2bot_enabled: true
 matrix_media_repo_container_labels_traefik_t2bot_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
 matrix_media_repo_container_labels_traefik_t2bot_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_t2bot_priority: 0
@@ -104,7 +134,9 @@ matrix_media_repo_container_labels_traefik_t2bot_entrypoints: "{{ matrix_media_r
 matrix_media_repo_container_labels_traefik_t2bot_tls: "{{ matrix_media_repo_container_labels_traefik_t2bot_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_t2bot_tls_certResolver: default  # noqa var-naming
 
-# Traefik federation labels
+# Traefik labels handling the old `/_matrix/media` endpoints on the federation entrypint.
+# These are being superseded by `/_matrix/federation/VERSION/media` endpoints - see `matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_*`.
+matrix_media_repo_container_labels_traefik_media_federation_enabled: true
 matrix_media_repo_container_labels_traefik_media_federation_path_prefix: "/_matrix/media"
 matrix_media_repo_container_labels_traefik_media_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_media_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_media_federation_priority: 0
@@ -112,24 +144,41 @@ matrix_media_repo_container_labels_traefik_media_federation_entrypoints: "{{ mat
 matrix_media_repo_container_labels_traefik_media_federation_tls: "{{ matrix_media_repo_container_labels_traefik_media_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_media_federation_tls_certResolver: default  # noqa var-naming
 
-# /_matrix/client/r0/logout
-# /_matrix/client/r0/logout/all
-matrix_media_repo_container_labels_traefik_logout_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/{endpoint:(logout|logout/all)}"
-matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_logout_path_prefix }}`)"
+# Traefik labels handling the new `/_matrix/federation/VERSION/media` endpoints on the federation entrypint.
+# See: https://github.com/matrix-org/matrix-spec-proposals/pull/3916
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled: true
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp: "/_matrix/federation/(?P<version>(v1))/media"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_path_regexp | quote }}`)"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority: 0
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls: "{{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints != 'web' }}"
+matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver: default  # noqa var-naming
+
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/r0/logout
+# - /_matrix/client/r0/logout/all
+matrix_media_repo_container_labels_traefik_logout_federation_enabled: true
+matrix_media_repo_container_labels_traefik_logout_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_logout_path_regexp }}"
+matrix_media_repo_container_labels_traefik_logout_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_logout_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_logout_federation_priority: 0
 matrix_media_repo_container_labels_traefik_logout_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_media_repo_container_labels_traefik_logout_federation_tls: "{{ matrix_media_repo_container_labels_traefik_logout_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_logout_federation_tls_certResolver: default  # noqa var-naming
 
-# /_matrix/client/r0/admin/purge_media_cache
-# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
-matrix_media_repo_container_labels_traefik_admin_federation_path_prefix: "/_matrix/client/{version:(r0|v1|v3|unstable)}/admin/{endpoint:(purge_media_cache|quarantine_media/.*)}"
-matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_admin_path_prefix }}`)"
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/r0/admin/purge_media_cache
+# - /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
+matrix_media_repo_container_labels_traefik_admin_federation_enabled: true
+matrix_media_repo_container_labels_traefik_admin_federation_path_regexp: "{{ matrix_media_repo_container_labels_traefik_admin_path_regexp }}"
+matrix_media_repo_container_labels_traefik_admin_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathRegexp(`{{ matrix_media_repo_container_labels_traefik_admin_federation_path_regexp }}`)"
 matrix_media_repo_container_labels_traefik_admin_federation_priority: 0
 matrix_media_repo_container_labels_traefik_admin_federation_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
 matrix_media_repo_container_labels_traefik_admin_federation_tls: "{{ matrix_media_repo_container_labels_traefik_admin_entrypoints != 'web' }}"
 matrix_media_repo_container_labels_traefik_admin_federation_tls_certResolver: default  # noqa var-naming
 
+# Traefik labels handling some additional routes on the federation entrypoint:
+# - /_matrix/client/unstable/io.t2bot.media
+matrix_media_repo_container_labels_traefik_t2bot_federation_enabled: true
 matrix_media_repo_container_labels_traefik_t2bot_federation_path_prefix: "/_matrix/client/unstable/io.t2bot.media"
 matrix_media_repo_container_labels_traefik_t2bot_federation_rule: "Host(`{{ matrix_server_fqn_matrix }}`) && PathPrefix(`{{ matrix_media_repo_container_labels_traefik_t2bot_path_prefix | quote }}`)"
 matrix_media_repo_container_labels_traefik_t2bot_federation_priority: 0

roles/custom/matrix-media-repo/tasks/validate_config.yml

@@ -8,6 +8,7 @@
   with_items:
     - {'name': 'matrix_media_repo_database_hostname', when: true}
     - {'name': 'matrix_media_repo_container_labels_traefik_internal_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_media_enabled }}"}
+    - {'name': 'matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints', when: "{{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled }}"}
 
 - name: (Deprecation) Catch and report renamed matrix-media-repo settings
   ansible.builtin.fail:
@@ -29,3 +30,7 @@
     - {'old': 'matrix_media_repo_url_previews', 'new': '<flattened into multiple matrix_media_repo_url_previews_XXX variables - see roles/custom/matrix-media-repo/defaults/main.yml>'}
     - {'old': 'matrix_media_repo_thumbnails', 'new': '<flattened into multiple matrix_media_repo_thumbnails_XXX variables - see roles/custom/matrix-media-repo/defaults/main.yml>'}
     - {'old': 'matrix_media_repo_feature_support', 'new': '<removed>'}
+    - {'old': 'matrix_media_repo_container_labels_traefik_logout_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_logout_path_regexp'}
+    - {'old': 'matrix_media_repo_container_labels_traefik_admin_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_admin_path_regexp'}
+    - {'old': 'matrix_media_repo_container_labels_traefik_logout_federation_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_logout_federation_path_regexp'}
+    - {'old': 'matrix_media_repo_container_labels_traefik_admin_federation_path_prefix', 'new': 'matrix_media_repo_container_labels_traefik_admin_federation_path_regexp'}

roles/custom/matrix-media-repo/templates/media-repo/labels.j2

@@ -18,6 +18,7 @@ traefik.http.middlewares.matrix-media-repo-add-headers.headers.customrequesthead
 
 # Matrix Client
 
+{% if matrix_media_repo_container_labels_traefik_media_enabled %}
 ############################################################
 #                                                          #
 # Public Media (/_matrix/media)                            #
@@ -47,6 +48,40 @@ traefik.http.routers.matrix-media-repo-public-media.tls.certResolver={{ matrix_m
 # /Public Media (/_matrix/media)                           #
 #                                                          #
 ############################################################
+{% endif %}
+
+
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_enabled %}
+##########################################################################
+#                                                                        #
+# Public Client Media (/_matrix/client/VERSION/media) - MSC3916          #
+#                                                                        #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_entrypoints }}
+
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls | to_json }}
+{% if matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls %}
+traefik.http.routers.matrix-media-repo-public-client-matrix-client-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_client_matrix_client_media_tls_certResolver }}
+{% endif %}
+
+##########################################################################
+#                                                                        #
+# /Public Client Media (/_matrix/client/VERSION/media) - MSC3916         #
+#                                                                        #
+##########################################################################
+{% endif %}
 
 
 {% if matrix_media_repo_container_labels_traefik_internal_media_enabled %}
@@ -77,7 +112,35 @@ traefik.http.routers.matrix-media-repo-internal-media.entrypoints={{ matrix_medi
 {% endif %}
 
 
-{% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
+{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_enabled %}
+##########################################################################
+#                                                                        #
+# Internal Client Media (/_matrix/client/VERSION/media) - MSC3916        #
+#                                                                        #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.rule={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.priority={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_priority }}
+{% endif %}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-internal-matrix-client-media.entrypoints={{ matrix_media_repo_container_labels_traefik_internal_matrix_client_media_entrypoints }}
+
+##########################################################################
+#                                                                        #
+# /Internal Client Media (/_matrix/client/VERSION/media) - MSC3916       #
+#                                                                        #
+##########################################################################
+{% endif %}
+
+
+{% if matrix_media_repo_container_labels_traefik_logout_enabled and matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
 ############################################################
 #                                                          #
 # Public Client Logout                                     #
@@ -112,6 +175,7 @@ traefik.http.routers.matrix-media-repo-public-logout.tls.certResolver={{ matrix_
 {% endif %}
 
 
+{% if matrix_media_repo_container_labels_traefik_admin_enabled %}
 ############################################################
 #                                                          #
 # Public Client Admin (/_matrix/client/r0/admin/*)         #
@@ -141,8 +205,10 @@ traefik.http.routers.matrix-media-repo-public-admin-federation.tls.certResolver=
 # /Public Client Admin (/_matrix/client/r0/admin/*)        #
 #                                                          #
 ############################################################
+{% endif %}
 
 
+{% if matrix_media_repo_container_labels_traefik_t2bot_enabled %}
 ############################################################
 #                                                          #
 # Public Client t2bot APIs                                 #
@@ -174,11 +240,14 @@ traefik.http.routers.matrix-media-repo-public-t2bot.tls.certResolver={{ matrix_m
 # (/_matrix/client/unstable/io.t2bot.media)                #
 #                                                          #
 ############################################################
+{% endif %}
+
 
 {% if matrix_media_repo_homeserver_federation_enabled %}
 # Matrix Federation
 
 
+{% if matrix_media_repo_container_labels_traefik_media_federation_enabled %}
 ############################################################
 #                                                          #
 # Public Federation Media (/_matrix/media)                 #
@@ -208,9 +277,43 @@ traefik.http.routers.matrix-media-repo-public-media-federation.tls.certResolver=
 # /Public Federation Media (/_matrix/media)                #
 #                                                          #
 ############################################################
+{% endif %}
+
+
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_enabled %}
+##########################################################################
+#                                                                        #
+# Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916  #
+#                                                                        #
+##########################################################################
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.rule={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_rule }}
+
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority | int > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.priority={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_priority }}
+{% endif %}
 
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.service=matrix-media-repo
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.entrypoints={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_entrypoints }}
 
-{% if matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls | to_json }}
+{% if matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls %}
+traefik.http.routers.matrix-media-repo-public-federation-matrix-federation-media.tls.certResolver={{ matrix_media_repo_container_labels_traefik_federation_matrix_federation_media_tls_certResolver }}
+{% endif %}
+
+##########################################################################
+#                                                                        #
+# /Public Federation Media (/_matrix/federation/VERSION/media) - MSC3916 #
+#                                                                        #
+##########################################################################
+{% endif %}
+
+
+{% if matrix_media_repo_container_labels_traefik_logout_federation_enabled and matrix_media_repo_access_tokens_max_cache_time_seconds > 0 %}
 ############################################################
 #                                                          #
 # Public Federation Logout                                 #
@@ -245,6 +348,7 @@ traefik.http.routers.matrix-media-repo-public-logout-federation.tls.certResolver
 {% endif %}
 
 
+{% if matrix_media_repo_container_labels_traefik_admin_federation_enabled %}
 ############################################################
 #                                                          #
 # Public Federation Admin (/_matrix/client/r0/admin/*)     #
@@ -274,8 +378,10 @@ traefik.http.routers.matrix-media-repo-public-admin.tls.certResolver={{ matrix_m
 # /Public Federation Admin (/_matrix/client/r0/admin/*)    #
 #                                                          #
 ############################################################
+{% endif %}
 
 
+{% if matrix_media_repo_container_labels_traefik_t2bot_federation_enabled %}
 ############################################################
 #                                                          #
 # Public Federation t2bot APIs                             #
@@ -307,6 +413,8 @@ traefik.http.routers.matrix-media-repo-public-t2bot-federation.tls.certResolver=
 # (/_matrix/client/unstable/io.t2bot.media)                #
 #                                                          #
 ############################################################
+{% endif %}
+
 
 {% endif %} {# end of matrix_media_repo_homeserver_federation_enabled if-check #}
 

roles/custom/matrix-sliding-sync/defaults/main.yml

@@ -6,7 +6,7 @@
 matrix_sliding_sync_enabled: true
 
 # renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync
-matrix_sliding_sync_version: v0.99.18
+matrix_sliding_sync_version: v0.99.19
 
 matrix_sliding_sync_scheme: https
 

roles/custom/matrix-sygnal/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_sygnal_hostname: ''
 matrix_sygnal_path_prefix: /
 
 # renovate: datasource=docker depName=matrixdotorg/sygnal
-matrix_sygnal_version: v0.14.3
+matrix_sygnal_version: v0.15.0
 
 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -6,13 +6,14 @@ matrix_synapse_admin_enabled: true
 
 # A path on host where all related files will be saved
 matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin"
+matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config"
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src"
 
 matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/Awesome-Technologies/synapse-admin.git"
 
 # renovate: datasource=docker depName=awesometechnologies/synapse-admin
-matrix_synapse_admin_version: 0.10.1
+matrix_synapse_admin_version: 0.10.2
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"
@@ -135,3 +136,40 @@ matrix_synapse_admin_hostname: "{{ matrix_server_fqn_matrix }}"
 # The path at which Synapse Admin is exposed.
 # This value must either be `/` or not end with a slash (e.g. `/synapse-admin`).
 matrix_synapse_admin_path_prefix: /synapse-admin
+
+# Default synapse-admin configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_synapse_admin_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_synapse_admin_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
+
+# Your custom JSON configuration for synapse-admin should go to `matrix_synapse_admin_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_synapse_admin_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_synapse_admin_configuration_default`.
+#
+# Example configuration extension follows:
+#
+# matrix_synapse_admin_configuration_extension_json: |
+#  {
+#  "some_setting": true,
+#  "another_setting": false
+#  }
+matrix_synapse_admin_configuration_extension_json: '{}'
+
+matrix_synapse_admin_configuration_extension: "{{ matrix_synapse_admin_configuration_extension_json | from_json if matrix_synapse_admin_configuration_extension_json | from_json is mapping else {} }}"
+
+# Holds the final synapse-admin configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_synapse_admin_configuration_default`.
+matrix_synapse_admin_configuration: "{{ matrix_synapse_admin_configuration_default | combine(matrix_synapse_admin_configuration_extension, recursive=True) }}"
+
+# Controls the restrictBaseUrl configuration setting, which, if defined,
+# restricts the homeserver(s), so that the user can no longer define a homeserver manually during login.
+matrix_synapse_admin_config_restrictBaseUrl: "{{ [matrix_homeserver_url] }}"  # noqa var-naming

roles/custom/matrix-synapse-admin/tasks/setup_install.yml

@@ -1,12 +1,17 @@
 ---
 
-- name: Ensure matrix-synapse-admin path exist
+- name: Ensure matrix-synapse-admin paths exists
   ansible.builtin.file:
-    path: "{{ matrix_synapse_admin_base_path }}"
+    path: "{{ item.path }}"
     state: directory
-    mode: 0700
+    mode: 0750
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_synapse_admin_base_path }}", when: true}
+    - {path: "{{ matrix_synapse_admin_config_path }}", when: true}
+    - {path: "{{ matrix_synapse_admin_docker_src_files_path }}", when: "{{ matrix_synapse_admin_container_image_self_build }}"}
+  when: "item.when | bool"
 
 - name: Ensure matrix-synapse-admin labels file is created
   ansible.builtin.template:
@@ -16,6 +21,14 @@
     group: "{{ matrix_user_groupname }}"
     mode: 0640
 
+- name: Ensure matrix-synapse-admin configuration installed
+  ansible.builtin.copy:
+    content: "{{ matrix_synapse_admin_configuration | to_nice_json }}"
+    dest: "{{ matrix_synapse_admin_config_path }}/config.json"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
 - name: Ensure matrix-synapse-admin image is pulled
   community.docker.docker_image:
     name: "{{ matrix_synapse_admin_docker_image }}"

roles/custom/matrix-synapse-admin/templates/config.json.j2

@@ -0,0 +1,3 @@
+{
+	"restrictBaseUrl": {{ matrix_synapse_admin_config_restrictBaseUrl | to_json }}
+}

roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2

@@ -30,6 +30,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			-p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \
 			{% endif %}
 			--label-file={{ matrix_synapse_admin_base_path }}/labels \
+			--mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \
 			{% for arg in matrix_synapse_admin_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.109.0
+matrix_synapse_version: v1.110.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -537,12 +537,18 @@ matrix_synapse_account_threepid_delegates_msisdn: ''
 
 # Users who register on this homeserver will automatically be joined to these rooms.
 # Rooms are to be specified using addresses (e.g. `#address:example.com`)
+# If any auto-join rooms are invite-only, you need to define `matrix_synapse_auto_join_mxid_localpart`.
 matrix_synapse_auto_join_rooms: []
 
 # Controls whether auto-join rooms (`matrix_synapse_auto_join_rooms`) are to be created
 # automatically if they don't already exist.
 matrix_synapse_autocreate_auto_join_rooms: true
 
+# The local part of the user id which is used to create auto-join rooms if `matrix_synapse_autocreate_auto_join_rooms` is true.
+# Defaults to the initial user account that registers.
+# The user id is also used to invite new users to any auto-join rooms which are set to invite-only.
+matrix_synapse_auto_join_mxid_localpart: ''
+
 # Controls whether room invites will be accepted on behalf of users.
 # See: https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#auto-accept-invites
 # This should not be used together with the `synapse_auto_accept_invite` module (see `matrix_synapse_ext_synapse_auto_accept_invite_enabled`).

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1541,7 +1541,7 @@ autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json
 # Note that, if the room already exists, this user must be joined and
 # have the appropriate permissions to invite new members.
 #
-#auto_join_mxid_localpart: system
+auto_join_mxid_localpart: {{ matrix_synapse_auto_join_mxid_localpart | to_json }}
 
 # When auto_join_rooms is specified, setting this flag to false prevents
 # guest accounts from being automatically joined to the rooms.

setup.yml

@@ -51,6 +51,7 @@
     - keydb
     - custom/matrix-corporal
     - custom/matrix-appservice-draupnir-for-all
+    - custom/matrix-alertmanager-receiver
     - custom/matrix-bridge-appservice-discord
     - custom/matrix-bridge-appservice-slack
     - custom/matrix-bridge-appservice-webhooks