merge with upstream

CHANGELOG.md

@@ -1,3 +1,23 @@
+# 2021-05-21
+
+## Hydrogen support
+
+Thanks to [Aaron Raimist](https://github.com/aaronraimist), the playbook now supports [Hydrogen](https://github.com/vector-im/hydrogen-web) - a new lightweight matrix client with legacy and mobile browser support.
+
+By default, we still install Element, as Hydrogen is still not fully-featured. Still, people who'd like to try Hydrogen out can now install it via the playbook.
+
+Additional details are available in [Setting up Hydrogen](docs/configuring-playbook-client-hydrogen.md).
+
+
+# 2021-05-19
+
+## Heisenbridge support
+
+Thanks to [Toni Spets (hifi)](https://github.com/hifi), the playbook now supports bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) using yet another bridge (besides matrix-appservice-irc), called [Heisenbridge](https://github.com/hifi/heisenbridge).
+
+Additional details are available in [Setting up Heisenbridge bouncer-style IRC bridging](docs/configuring-playbook-bridge-heisenbridge.md).
+
+
 # 2021-04-16
 
 ## Disabling TLSv1 and TLSv1.1 for Coturn

README.md

@@ -29,7 +29,7 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional, default) an [Element](https://app.element.io/) ([formerly Riot](https://element.io/previously-riot)) web UI, which is configured to connect to your own Synapse server by default
 
-- (optional, default) an [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
+- (optional, default) a [ma1sd](https://github.com/ma1uta/ma1sd) Matrix Identity server
 
 - (optional, default) an [Exim](https://www.exim.org/) mail server, through which all Matrix services send outgoing email (can be configured to relay through another SMTP server)
 
@@ -47,7 +47,7 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [mautrix-telegram](https://github.com/tulir/mautrix-telegram) bridge for bridging your Matrix server to [Telegram](https://telegram.org/)
 
-- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [Whatsapp](https://www.whatsapp.com/)
+- (optional) the [mautrix-whatsapp](https://github.com/tulir/mautrix-whatsapp) bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/)
 
 - (optional) the [mautrix-facebook](https://github.com/tulir/mautrix-facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/)
 
@@ -67,6 +67,8 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) for bridging your Matrix server to SMS - see [docs/configuring-playbook-bridge-matrix-bridge-sms.md](docs/configuring-playbook-bridge-matrix-bridge-sms.md) for setup documentation
 
+- (optional) the [Heisenbridge](https://github.com/hifi/heisenbridge) for bridging your Matrix server to IRC bouncer-style - see [docs/configuring-playbook-bridge-heisenbridge.md](docs/configuring-playbook-bridge-heisenbridge.md) for setup documentation
+
 - (optional) the [mx-puppet-skype](https://hub.docker.com/r/sorunome/mx-puppet-skype) for bridging your Matrix server to [Skype](https://www.skype.com) - see [docs/configuring-playbook-bridge-mx-puppet-skype.md](docs/configuring-playbook-bridge-mx-puppet-skype.md) for setup documentation
 
 - (optional) the [mx-puppet-slack](https://hub.docker.com/r/sorunome/mx-puppet-slack) for bridging your Matrix server to [Slack](https://slack.com) - see [docs/configuring-playbook-bridge-mx-puppet-slack.md](docs/configuring-playbook-bridge-mx-puppet-slack.md) for setup documentation
@@ -103,7 +105,9 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [Sygnal](https://github.com/matrix-org/sygnal) push gateway - see [Setting up the Sygnal push gateway](docs/configuring-playbook-sygnal.md) for setup documentation
 
-Basically, this playbook aims to get you up-and-running with all the basic necessities around Matrix, without you having to do anything else.
+- (optional) the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client - see [docs/configuring-playbook-client-hydrogen.md](docs/configuring-playbook-client-hydrogen.md) for setup documentation
+
+Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
 
 **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.
 Sticking with the defaults (which install a subset of the above components) is the best choice, especially for a new installation.
@@ -128,4 +132,11 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
 
 - IRC channel: `#matrix-docker-ansible-deploy` on the [Freenode](https://freenode.net/) IRC network (irc.freenode.net)
 
-- Github issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
+- GitHub issues: [spantaleev/matrix-docker-ansible-deploy/issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues)
+
+
+## Services by the community
+
+- [etke.cc](https://etke.cc) - matrix-docker-ansible-deploy and system stuff "as a service". That service will create your matrix homeserver on your domain and server (doesn't matter if it's cloud provider or on an old laptop in the corner of your room), (optional) maintains it (server's system updates, cleanup, security adjustments, tuning, etc.; matrix homeserver updates & maintenance) and (optional) provide full-featured email service for your domain
+
+- [GoMatrixHosting](https://gomatrixhosting.com) - matrix-docker-ansible-deploy "as a service" with [Ansible AWX](https://github.com/ansible/awx). Members can be assigned a server from DigitalOcean, or they can connect their on-premises server. This AWX system can manage the updates, configuration, import and export, backups, and monitoring on its own. For more information [see our GitLab group](https://gitlab.com/GoMatrixHosting) or come [visit us on Matrix](https://matrix.to/#/#general:gomatrixhosting.com).

docs/configuring-awx-system.md

@@ -8,9 +8,7 @@ Members can be assigned a server from Digitalocean, or they can connect their ow
 
 The AWX system is arranged into 'members' each with their own 'subscriptions'. After creating a subscription the user enters the 'provision stage' where they defined the URLs they will use, the servers location and whether or not there's already a website at the base domain. They then proceed onto the 'deploy stage' where they can configure their Matrix server.
 
-Ideally this system can manage the updates, configuration, backups and monitoring on it's own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
-
-Warning: This project is currently alpha quality and should only be run by the brave.
+This system can manage the updates, configuration, import and export, backups and monitoring on its own. It is an extension of the popular deploy script [spantaleev/matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy).
 
 
 ## Other Required Playbooks
@@ -23,6 +21,7 @@ The following repositories allow you to copy and use this setup:
 
 [Ansible Provision Server](https://gitlab.com/GoMatrixHosting/ansible-provision-server) - Used by AWX members to perform initial configuration of their DigitalOcean or On-Premises server.
 
+
 ## Testing Fork For This Playbook
 
 Updates to this section are trailed here:

docs/configuring-dns.md

@@ -36,6 +36,7 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
 | CNAME | `stats` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `goneb` (*)                  | -        | -      | -    | `matrix.<your-domain>` |
 | CNAME | `sygnal` (*)                 | -        | -      | -    | `matrix.<your-domain>` |
+| CNAME | `hydrogen` (*)               | -        | -      | -    | `matrix.<your-domain>` |
 
 ## Subdomains setup
 
@@ -54,6 +55,8 @@ The `goneb.<your-domain>` subdomain may be necessary, because this playbook coul
 
 The `sygnal.<your-domain>` subdomain may be necessary, because this playbook could install the [Sygnal](https://github.com/matrix-org/sygnal) push gateway. The installation of Sygnal is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Sygnal guide](configuring-playbook-sygnal.md). If you do not wish to set up Sygnal (you probably don't, unless you're also developing/building your own Matrix apps), feel free to skip the `sygnal.<your-domain>` DNS record.
 
+The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
+
 
 ## `_matrix-identity._tcp` SRV record setup
 

docs/configuring-playbook-bridge-appservice-irc.md

@@ -1,6 +1,8 @@
 # Setting up Appservice IRC (optional)
 
-The playbook can install and configure [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) for you.
+**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [Heisenbridge](configuring-playbook-bridge-heisenbridge.md) bridge supported by the playbook.
+
+The playbook can install and configure the [matrix-appservice-irc](https://github.com/matrix-org/matrix-appservice-irc) bridge for you.
 
 See the project's [documentation](https://github.com/matrix-org/matrix-appservice-irc/blob/master/HOWTO.md) to learn what it does and why it might be useful to you.
 

docs/configuring-playbook-bridge-appservice-slack.md

@@ -1,5 +1,7 @@
 # Setting up Appservice Slack (optional)
 
+**Note**: bridging to [Slack](https://slack.com) can also happen via the [mx-puppet-slack](configuring-playbook-bridge-mx-puppet-slack.md) bridge supported by the playbook.
+
 The playbook can install and configure [matrix-appservice-slack](https://github.com/matrix-org/matrix-appservice-slack) for you.
 
 See the project's [documentation](https://github.com/matrix-org/matrix-appservice-slack/blob/master/README.md) to learn what it does and why it might be useful to you.
@@ -106,5 +108,5 @@ Check you logs, if they say something like
 
 `WARN SlackEventHandler Ignoring message from unrecognised slack channel id : %s (%s) <the channel id> <some other id>`
 
-then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link 
+then unlink your room, reinvite the bot and re-link it again. This may particularly hit you, if you tried to unsuccessfully link
 your room multiple times without unlinking it after each failed attempt.

docs/configuring-playbook-bridge-heisenbridge.md

@@ -0,0 +1,36 @@
+# Setting up Heisenbridge (optional)
+
+**Note**: bridging to [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) can also happen via the [matrix-appservice-irc](configuring-playbook-bridge-appservice-irc.md) bridge supported by the playbook.
+
+The playbook can install and configure [Heisenbridge](https://github.com/hifi/heisenbridge) - the bouncer-style [IRC](https://en.wikipedia.org/wiki/Internet_Relay_Chat) bridge for you.
+
+See the project's [README](https://github.com/hifi/heisenbridge/blob/master/README.md) to learn what it does and why it might be useful to you.
+
+## Configuration
+
+Below are the common configuration options that you may want to set, exhaustive list is in [the bridge's defaults var file](../roles/matrix-bridge-heisenbridge/defaults/main.yml).
+
+At a minimum, you only need to enable the bridge to get it up and running (`inventory/host_vars/matrix.DOMAIN/vars.yml`):
+
+```yaml
+matrix_heisenbridge_enabled: true
+
+# set owner (optional)
+matrix_heisenbridge_owner: "@you:your-homeserver"
+
+# to enable identd on host port 113/TCP (optional)
+matrix_heisenbridge_identd_enabled: true
+```
+
+That's it! A registration file is automatically generated during the setup phase.
+
+Setting the owner is optional as the first local user to DM `@heisenbridge:your-homeserver` will be made the owner.
+If you are not using a local user you must set it as otherwise you can't DM it at all.
+
+## Usage
+
+After the bridge is successfully running just DM `@heisenbridge:your-homeserver` to start setting it up.
+Help is available for all commands with the `-h` switch.
+If the bridge ignores you and a DM is not accepted then the owner setting may be wrong.
+
+If you encounter issues or feel lost you can join the project room at [#heisenbridge:vi.fi](https://matrix.to/#/#heisenbridge:vi.fi) for help.

docs/configuring-playbook-bridge-mx-puppet-slack.md

@@ -1,5 +1,7 @@
 # Setting up MX Puppet Slack (optional)
 
+**Note**: bridging to [Slack](https://slack.com) can also happen via the [matrix-appservice-slack](configuring-playbook-bridge-appservice-slack.md) bridge supported by the playbook.
+
 The playbook can install and configure
 [mx-puppet-slack](https://github.com/Sorunome/mx-puppet-slack) for you.
 

docs/configuring-playbook-client-hydrogen.md

@@ -0,0 +1,21 @@
+# Configuring Hydrogen (optional)
+
+This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you.
+Hydrogen is a lightweight web client that supports mobile and legacy web browsers.
+Hydrogen can be installed alongside or instead of Element.
+
+If you'd like Hydrogen to be installed, add the following to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
+
+```yaml
+matrix_client_hydrogen_enabled: true
+```
+
+You will also need to add a DNS record so that Hydrogen can be accessed. 
+By default Hydrogen will use https://hydrogen.DOMAIN so you will need to create an CNAME record
+for `hydrogen`. See [Configuring DNS](configuring-dns.md).
+
+If you would like to use a different domain, add the following to your configuration file (changing it to use your preferred domain):
+
+```yaml
+ matrix_server_fqn_hydrogen: "helium.{{ matrix_domain }}"
+```

docs/configuring-playbook-prometheus-grafana.md

@@ -56,6 +56,7 @@ Name | Description
 `matrix_nginx_proxy_proxy_synapse_metrics`|Set this to `true` to make matrix-nginx-proxy expose the Synapse metrics at `https://matrix.DOMAIN/_synapse/metrics`
 `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled`|Set this to `true` to password-protect (using HTTP Basic Auth) `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus`, the password is defined in `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`)
 `matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_key`|Set this to a password to use for HTTP Basic Auth for protecting `https://matrix.DOMAIN/_synapse/metrics` (the username is always `prometheus` - it's not configurable)
+`matrix_server_fqn_grafana`|Use this variable to override the domain at which the Grafana web user-interface is at (defaults to `stats.DOMAIN`).
 
 
 ## More information

docs/configuring-playbook-ssl-certificates.md

@@ -43,6 +43,7 @@ With such a configuration, the playbook would expect you to drop the SSL certifi
 
 - `<matrix_ssl_config_dir_path>/live/<domain>/fullchain.pem`
 - `<matrix_ssl_config_dir_path>/live/<domain>/privkey.pem`
+- `<matrix_ssl_config_dir_path>/live/<domain>/chain.pem`
 
 where `<domain>` refers to the domains that you need (usually `matrix.<your-domain>` and `element.<your-domain>`).
 

docs/configuring-playbook-synapse-admin.md

@@ -6,8 +6,6 @@ It's a web UI tool you can use to **administrate users and rooms on your Matrix
 
 See the project's [documentation](https://github.com/Awesome-Technologies/synapse-admin) to learn what it does and why it might be useful to you.
 
-**Warning**: Synapse Admin will likely not work with Synapse v1.32 for now. See [this issue](https://github.com/Awesome-Technologies/synapse-admin/issues/132). If you insist on using Synapse Admin before there's a solution to this issue, you may wish to downgrade Synapse (adding `matrix_synapse_version: v1.31.0` or `matrix_synapse_version_arm64: v1.31.0` to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file).
-
 
 ## Adjusting the playbook configuration
 

docs/configuring-playbook.md

@@ -68,6 +68,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Adjusting email-sending settings](configuring-playbook-email.md) (optional)
 
+- [Setting up Hydrogen](configuring-playbook-client-hydrogen.md) - a new lightweight matrix client with legacy and mobile browser support (optional)
+
 
 ### Authentication and user-related
 
@@ -126,6 +128,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional)
 
+- [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md) (optional)
+
 
 ### Bots
 

docs/self-building.md

@@ -14,6 +14,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-synapse`
 - `matrix-synapse-admin`
 - `matrix-client-element`
+- `matrix-client-hydrogen`
 - `matrix-registration`
 - `matrix-coturn`
 - `matrix-corporal`

examples/caddy2/Caddyfile

@@ -38,7 +38,6 @@ matrix.DOMAIN.tld {
         X-Frame-Options "DENY"
         # X-Robots-Tag
         X-Robots-Tag "noindex, noarchive, nofollow"
-                                                                                                                                                                                                                      167,9         79%
   }
 
   # Cache

examples/caddy2/README.md

@@ -8,5 +8,5 @@ This directory contains sample files that show you how to do reverse-proxying us
 | ------------------ | -------- |
 | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | 
 | tls                | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
-| Dimnension         | To enable Dimension support uncomment the lines for Dimension and set your data |
-| Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |
+| Dimension         | To enable Dimension support uncomment the lines for Dimension and set your data |
+| Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |

group_vars/matrix_servers

@@ -488,6 +488,32 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas
 #
 ######################################################################
 
+######################################################################
+#
+# matrix-bridge-heisenbridge
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_heisenbridge_enabled: false
+
+matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}"
+
+matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}"
+
+matrix_heisenbridge_systemd_wanted_services_list: |
+  {{
+    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+  }}
+
+######################################################################
+#
+# /matrix-bridge-heisenbridge
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mx-puppet-skype
@@ -1027,6 +1053,8 @@ matrix_jitsi_web_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
 
 matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:13090' }}"
 
+matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}"
+
 matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
 matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
 matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
@@ -1113,7 +1141,9 @@ matrix_ma1sd_synapsesql_connection: //{{ matrix_synapse_database_host }}/{{ matr
 
 matrix_ma1sd_dns_overwrite_enabled: true
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
-matrix_ma1sd_dns_overwrite_homeserver_client_value: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"
+# The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case,
+# but may be inaccurate if matrix-corporal is enabled.
+matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ ('http://' + matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container) if matrix_nginx_proxy_enabled else matrix_homeserver_container_url }}"
 
 # By default, we send mail through the `matrix-mailer` service.
 matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
@@ -1170,6 +1200,7 @@ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain: "{{ matrix_s
 
 matrix_nginx_proxy_proxy_matrix_enabled: true
 matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled }}"
+matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled }}"
 matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
@@ -1211,6 +1242,11 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ m
 
 matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
 
+# OCSP stapling does not make sense when self-signed certificates are used.
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
+matrix_nginx_proxy_ocsp_stapling_enabled: "{{ matrix_ssl_retrieval_method != 'self-signed' }}"
+
 matrix_nginx_proxy_synapse_presence_disabled: "{{ not matrix_synapse_presence_enabled }}"
 
 matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }}"
@@ -1240,6 +1276,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
     +
     ([matrix_nginx_proxy_proxy_riot_compat_redirect_hostname] if matrix_nginx_proxy_proxy_riot_compat_redirect_enabled else [])
     +
+    ([matrix_server_fqn_hydrogen] if matrix_client_hydrogen_enabled else [])
+    +
     ([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
     +
     ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
@@ -1543,6 +1581,31 @@ matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matr
 
 
 
+######################################################################
+#
+# matrix-client-hydrogen
+#
+######################################################################
+
+matrix_client_hydrogen_enabled: false
+
+# Normally, matrix-nginx-proxy is enabled and nginx can reach Hydrogen over the container network.
+# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+# the HTTP port to the local host.
+matrix_client_hydrogen_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8768' }}"
+
+matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
+
+matrix_client_hydrogen_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
+
+######################################################################
+#
+# /matrix-client-hydrogen
+#
+######################################################################
+
+
+
 ######################################################################
 #
 # matrix-synapse

roles/matrix-awx/scripts/matrix_build_room_list.py

@@ -0,0 +1,28 @@
+
+import sys
+import requests
+import json
+
+janitor_token = sys.argv[1]
+synapse_container_ip = sys.argv[2]
+
+# collect total amount of rooms
+
+rooms_raw_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms'
+rooms_raw_header = {'Authorization': 'Bearer ' + janitor_token}
+rooms_raw = requests.get(rooms_raw_url, headers=rooms_raw_header)
+rooms_raw_python = json.loads(rooms_raw.text)
+total_rooms = rooms_raw_python["total_rooms"]
+
+# build complete room list file
+
+room_list_file = open("/tmp/room_list_complete.json", "w")
+
+for i in range(0, total_rooms, 100):
+  rooms_inc_url = 'http://' + synapse_container_ip + ':8008/_synapse/admin/v1/rooms?from=' + str(i)
+  rooms_inc = requests.get(rooms_inc_url, headers=rooms_raw_header)
+  room_list_file.write(rooms_inc.text)
+
+room_list_file.close()
+
+print(total_rooms)

roles/matrix-awx/tasks/purge_database_main.yml

@@ -17,136 +17,132 @@
     file: '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/matrix_vars.yml'
   no_log: True
 
-- name: Collect size of Synapse database
+- name: Collect before shrink size of Synapse database
   shell: du -sh /matrix/postgres/data
   register: db_size_before_stat
+  when: (purge_mode.find("Perform final shrink") != -1)
   no_log: True
 
-- name: Print before size of Synapse database
-  debug:
-    msg: "{{ db_size_before_stat.stdout.split('\n') }}"
-  when: db_size_before_stat is defined
-
 - name: Collect the internal IP of the matrix-synapse container
   shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
   register: synapse_container_ip
 
 - name: Collect access token for janitor user
   shell: |
     curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ matrix_awx_janitor_user_password }}"}' "{{ synapse_container_ip.stdout }}:8008/_matrix/client/r0/login" | jq '.access_token'
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
   register: janitors_token
   no_log: True
 
-- name: Collect total number of rooms
+- name: Copy build_room_list.py script to target machine
+  copy:
+    src: ./roles/matrix-awx/scripts/matrix_build_room_list.py
+    dest: /usr/local/bin/matrix_build_room_list.py
+    owner: matrix
+    group: matrix
+    mode: '0755'
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
+
+- name: Run build_room_list.py script
   shell: |
-    curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:8008/_synapse/admin/v1/rooms' | jq '.total_rooms'
-  when: purge_rooms|bool
+    runuser -u matrix -- python3 /usr/local/bin/matrix_build_room_list.py {{ janitors_token.stdout[1:-1] }} {{ synapse_container_ip.stdout }}
   register: rooms_total
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
-- name: Print total number of rooms
-  debug:
-    msg: '{{ rooms_total.stdout }}'
-  when: purge_rooms|bool
-
-- name: Calculate every 100 values for total number of rooms
-  delegate_to: 127.0.0.1
-  shell: |
-    seq 0 100 {{ rooms_total.stdout }}
-  when: purge_rooms|bool
-  register: every_100_rooms
+- name: Fetch complete room list from target machine
+  fetch:
+    src: /tmp/room_list_complete.json
+    dest: "/tmp/{{ subscription_id }}_room_list_complete.json"
+    flat: yes
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
-- name: Ensure room_list_complete.json file exists
-  delegate_to: 127.0.0.1
+- name: Remove complete room list from target machine
   file:
-    path: /tmp/{{ subscription_id }}_room_list_complete.json
-    state: touch
-  when: purge_rooms|bool
-
-- name: Build file with total room list
-  include_tasks: purge_database_build_list.yml 
-  loop: "{{ every_100_rooms.stdout_lines | flatten(levels=1) }}"
-  when: purge_rooms|bool
+    path: /tmp/room_list_complete.json
+    state: absent
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
 - name: Generate list of rooms with no local users
   delegate_to: 127.0.0.1
   shell: |
     jq 'try .rooms[] | select(.joined_local_members == 0) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_no_local_users.txt
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
   
 - name: Count number of rooms with no local users
   delegate_to: 127.0.0.1
   shell: |
     wc -l /tmp/{{ subscription_id }}_room_list_no_local_users.txt | awk '{ print $1 }'
   register: rooms_no_local_total
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
 - name: Setting host fact room_list_no_local_users
   set_fact:
     room_list_no_local_users: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_no_local_users.txt') }}"
   no_log: True
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
 - name: Purge all rooms with no local users
   include_tasks: purge_database_no_local.yml 
   loop: "{{ room_list_no_local_users.splitlines() | flatten(levels=1) }}"
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
 - name: Collect epoche time from date
   delegate_to: 127.0.0.1
   shell: |
     date -d '{{ purge_date }}' +"%s"
-  when: purge_rooms|bool
+  when: (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
   register: purge_epoche_time
 
 - name: Generate list of rooms with more then N users
   delegate_to: 127.0.0.1
   shell: |
     jq 'try .rooms[] | select(.joined_members > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_joined_members.txt
-  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of users [slower]") != -1
 
 - name: Count number of rooms with more then N users
   delegate_to: 127.0.0.1
   shell: |
     wc -l /tmp/{{ subscription_id }}_room_list_joined_members.txt | awk '{ print $1 }'
   register: rooms_join_members_total
-  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of users [slower]") != -1
 
 - name: Setting host fact room_list_joined_members
   delegate_to: 127.0.0.1
   set_fact:
     room_list_joined_members: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_joined_members.txt') }}"
-  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of users [slower]") != -1
   no_log: True
 
 - name: Purge all rooms with more then N users
   include_tasks: purge_database_users.yml 
   loop: "{{ room_list_joined_members.splitlines() | flatten(levels=1) }}"
-  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of users [slower]") != -1
 
 - name: Generate list of rooms with more then N events
   delegate_to: 127.0.0.1
   shell: |
     jq 'try .rooms[] | select(.state_events > {{ purge_metric_value }}) | .room_id' < /tmp/{{ subscription_id }}_room_list_complete.json > /tmp/{{ subscription_id }}_room_list_state_events.txt
-  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of events [slower]") != -1
 
-- name: Count number of rooms with more then N users
+- name: Count number of rooms with more then N events
   delegate_to: 127.0.0.1
   shell: |
     wc -l /tmp/{{ subscription_id }}_room_list_state_events.txt | awk '{ print $1 }'
   register: rooms_state_events_total
-  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of events [slower]") != -1
 
 - name: Setting host fact room_list_state_events
   delegate_to: 127.0.0.1
   set_fact:
     room_list_state_events: "{{ lookup('file', '/tmp/{{ subscription_id }}_room_list_state_events.txt') }}"
-  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of events [slower]") != -1
   no_log: True
 
 - name: Purge all rooms with more then N events
   include_tasks: purge_database_events.yml 
   loop: "{{ room_list_state_events.splitlines() | flatten(levels=1) }}"
-  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of events [slower]") != -1
 
 - name: Collect AWX admin token the hard way!
   delegate_to: 127.0.0.1
@@ -155,75 +151,162 @@
   register: tower_token
   no_log: True
 
+- name: Adjust 'Deploy/Update a Server' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
+    description: "Creates a new matrix service with Spantaleev's playbooks"
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "rust-synapse-compress-state"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
+
 - name: Execute rust-synapse-compress-state job template
   delegate_to: 127.0.0.1
   awx.awx.tower_job_launch:
     job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
-    tags: "rust-synapse-compress-state"
     wait: yes
     tower_host: "https://{{ tower_host }}"
     tower_oauthtoken: "{{ tower_token.stdout }}"
     validate_certs: yes 
-  register: job
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
 
-- name: Stop Synapse service
-  shell: systemctl stop matrix-synapse.service
+- name: Revert 'Deploy/Update a Server' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
+    description: "Creates a new matrix service with Spantaleev's playbooks"
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "setup-all,start"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1) or (purge_mode.find("Skip purging rooms [faster]") != -1)
+
+- name: Ensure matrix-synapse is stopped
+  service:
+    name: matrix-synapse
+    state: stopped
+    daemon_reload: yes
+  when: (purge_mode.find("Perform final shrink") != -1)
 
 - name: Re-index Synapse database
   shell: docker exec -i matrix-postgres psql "host=127.0.0.1 port=5432 dbname=synapse user=synapse password={{ matrix_synapse_connection_password }}" -c 'REINDEX (VERBOSE) DATABASE synapse'
+  when: (purge_mode.find("Perform final shrink") != -1)
+
+- name: Ensure matrix-synapse is started
+  service:
+    name: matrix-synapse
+    state: started
+    daemon_reload: yes
+  when: (purge_mode.find("Perform final shrink") != -1)
+
+- name: Adjust 'Deploy/Update a Server' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
+    description: "Creates a new matrix service with Spantaleev's playbooks"
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "run-postgres-vacuum,start"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+  when: (purge_mode.find("Perform final shrink") != -1)
 
 - name: Execute run-postgres-vacuum job template
   delegate_to: 127.0.0.1
   awx.awx.tower_job_launch:
     job_template: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
-    tags: "run-postgres-vacuum,start"
     wait: yes
     tower_host: "https://{{ tower_host }}"
     tower_oauthtoken: "{{ tower_token.stdout }}"
     validate_certs: yes 
-  register: job
+  when: (purge_mode.find("Perform final shrink") != -1)
+
+- name: Revert 'Deploy/Update a Server' job template
+  delegate_to: 127.0.0.1
+  awx.awx.tower_job_template:
+    name: "{{ matrix_domain }} - 0 - Deploy/Update a Server"
+    description: "Creates a new matrix service with Spantaleev's playbooks"
+    extra_vars: "{{ lookup('file', '/var/lib/awx/projects/clients/{{ member_id }}/{{ subscription_id }}/extra_vars.json') }}"
+    job_type: run
+    job_tags: "setup-all,start"
+    inventory: "{{ member_id }}"
+    project: "{{ member_id }} - Matrix Docker Ansible Deploy"
+    playbook: setup.yml
+    credential: "{{ member_id }} - AWX SSH Key"
+    state: present
+    verbosity: 1
+    tower_host: "https://{{ tower_host }}"
+    tower_oauthtoken: "{{ tower_token.stdout }}"
+    validate_certs: yes
+  when: (purge_mode.find("Perform final shrink") != -1)
 
 - name: Cleanup room_list files
   delegate_to: 127.0.0.1
   shell: |
     rm /tmp/{{ subscription_id }}_room_list*
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
   ignore_errors: yes
 
-- name: Collect size of Synapse database
+- name: Collect after shrink size of Synapse database
   shell: du -sh /matrix/postgres/data
   register: db_size_after_stat
+  when: (purge_mode.find("Perform final shrink") != -1)
   no_log: True
 
 - name: Print total number of rooms processed 
   debug:
     msg: '{{ rooms_total.stdout }}'
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
 - name: Print the number of rooms purged with no local users
   debug:
     msg: '{{ rooms_no_local_total.stdout }}'
-  when: purge_rooms|bool
+  when: (purge_mode.find("No local users [recommended]") != -1) or (purge_mode.find("Number of users [slower]") != -1) or (purge_mode.find("Number of events [slower]") != -1)
 
 - name: Print the number of rooms purged with more then N users
   debug:
     msg: '{{ rooms_join_members_total.stdout }}'
-  when: (purge_metric.find("Number of users") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of users") != -1
 
 - name: Print the number of rooms purged with more then N events
   debug:
     msg: '{{ rooms_state_events_total.stdout }}'
-  when: (purge_metric.find("Number of events") != -1) and (purge_rooms|bool)
+  when: purge_mode.find("Number of events") != -1
 
 - name: Print before purge size of Synapse database
   debug:
     msg: "{{ db_size_before_stat.stdout.split('\n') }}"
-  when: db_size_before_stat is defined
+  when: (db_size_before_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
 
 - name: Print after purge size of Synapse database
   debug:
     msg: "{{ db_size_after_stat.stdout.split('\n') }}"
-  when: db_size_after_stat is defined
+  when: (db_size_after_stat is defined) and (purge_mode.find("Perform final shrink") != -1)
 
 - name: Set boolean value to exit playbook
   set_fact:

roles/matrix-base/defaults/main.yml

@@ -15,6 +15,9 @@ matrix_server_fqn_matrix: "matrix.{{ matrix_domain }}"
 # This and the Matrix FQN (see above) are expected to be on the same server.
 matrix_server_fqn_element: "element.{{ matrix_domain }}"
 
+# This is where you access the Hydrogen web client from (if enabled via matrix_client_hydrogen_enabled; disabled by default).
+matrix_server_fqn_hydrogen: "hydrogen.{{ matrix_domain }}"
+
 # This is where you access the Dimension.
 matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
 

roles/matrix-bridge-appservice-irc/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_irc_container_self_build"
+
 # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
 # We don't want to fail in such cases.
 - name: Fail if matrix-synapse role already executed

roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -71,11 +71,12 @@
   register: matrix_appservice_irc_git_pull_results
   when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool"
 
-- name: Ensure matrix-appservice-irc Docker image is build
+- name: Ensure matrix-appservice-irc Docker image is built
   docker_image:
     name: "{{ matrix_appservice_irc_docker_image }}"
     source: build
-    force_source: yes
+    force_source: "{{ matrix_appservice_irc_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_appservice_irc_docker_src_files_path }}"

roles/matrix-bridge-appservice-slack/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_appservice_slack_container_self_build"
+
 # If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
 # We don't want to fail in such cases.
 - name: Fail if matrix-synapse role already executed

roles/matrix-bridge-appservice-slack/tasks/setup_install.yml

@@ -51,7 +51,8 @@
   docker_image:
     name: "{{ matrix_appservice_slack_docker_image }}"
     source: build
-    force_source: yes
+    force_source: "{{ matrix_appservice_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_appservice_slack_docker_src_files_path }}"

roles/matrix-bridge-heisenbridge/defaults/main.yml

@@ -0,0 +1,47 @@
+# heisenbridge is a bouncer-style Matrix IRC bridge
+# See: https://github.com/hifi/heisenbridge
+
+matrix_heisenbridge_enabled: true
+
+matrix_heisenbridge_version: latest
+matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
+matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
+
+# Set this to your Matrix ID if you want to enforce the owner, otherwise first _local_ user becomes one
+matrix_heisenbridge_owner: ""
+
+# Enabling identd will bind to host port 113/TCP
+matrix_heisenbridge_identd_enabled: false
+
+matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge"
+
+# A list of extra arguments to pass to the container
+matrix_heisenbridge_container_extra_arguments: []
+
+# List of systemd services that service depends on.
+matrix_heisenbridge_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that service wants
+matrix_heisenbridge_systemd_wanted_services_list: []
+
+matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}"
+
+matrix_heisenbridge_appservice_token: ''
+matrix_heisenbridge_homeserver_token: ''
+
+# Default registration file
+matrix_heisenbridge_registration_yaml:
+  id: heisenbridge
+  url: http://matrix-heisenbridge:9898
+  as_token: "{{ matrix_heisenbridge_appservice_token }}"
+  hs_token: "{{ matrix_heisenbridge_homeserver_token }}" 
+  rate_limited: false
+  sender_localpart: heisenbridge
+  namespaces:
+    users:
+    - regex: '@hbirc_.*'
+      exclusive: true
+    aliases: []
+    rooms: []
+
+matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml|from_yaml }}"

roles/matrix-bridge-heisenbridge/tasks/init.yml

@@ -0,0 +1,24 @@
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-heisenbridge role needs to execute before the matrix-synapse role.
+  when: "matrix_heisenbridge_enabled and matrix_synapse_role_executed|default(False)"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-heisenbridge.service'] }}"
+  when: matrix_heisenbridge_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"]
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/heisenbridge-registration.yaml"] }}
+  when: matrix_heisenbridge_enabled|bool

roles/matrix-bridge-heisenbridge/tasks/main.yml

@@ -0,0 +1,15 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_heisenbridge_enabled|bool"
+  tags:
+    - setup-all
+    - setup-heisenbridge
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_heisenbridge_enabled|bool"
+  tags:
+    - setup-all
+    - setup-heisenbridge

roles/matrix-bridge-heisenbridge/tasks/setup_install.yml

@@ -0,0 +1,38 @@
+---
+
+- name: Ensure heisenbridge image is pulled
+  docker_image:
+    name: "{{ matrix_heisenbridge_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_heisenbridge_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" 
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_heisenbridge_docker_image_force_pull }}" 
+
+- name: Ensure heisenbridge paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_heisenbridge_base_path }}"
+
+- name: Ensure heisenbridge registration.yaml installed if provided
+  copy:
+    content: "{{ matrix_heisenbridge_registration|to_nice_yaml }}"
+    dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-heisenbridge.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-heisenbridge.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-heisenbridge.service"
+    mode: 0644
+  register: matrix_heisenbridge_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-heisenbridge.service installation
+  service:
+    daemon_reload: yes
+  when: matrix_heisenbridge_systemd_service_result.changed

roles/matrix-bridge-heisenbridge/tasks/setup_uninstall.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Check existence of matrix-heisenbridge service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service"
+  register: matrix_heisenbridge_service_stat
+
+- name: Ensure matrix-heisenbridge is stopped
+  service:
+    name: heisenbridge
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_heisenbridge_service_stat.stat.exists"
+
+- name: Ensure matrix-heisenbridge.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-heisenbridge.service"
+    state: absent
+  when: "matrix_heisenbridge_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-heisenbridge.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_heisenbridge_service_stat.stat.exists"

roles/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2

@@ -0,0 +1,50 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=a bouncer-style Matrix IRC bridge
+{% for service in matrix_heisenbridge_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_heisenbridge_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-heisenbridge
+ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-heisenbridge
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-heisenbridge \
+          --log-driver=none \
+          --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+          --cap-drop=ALL \
+          --network={{ matrix_docker_network }} \
+          {% if matrix_heisenbridge_identd_enabled %}
+          -p 113:113 \
+          {% endif %}
+          -v {{ matrix_heisenbridge_base_path }}:/config:z \
+          {% for arg in matrix_heisenbridge_container_extra_arguments %}
+          {{ arg }} \
+          {% endfor %}
+          {{ matrix_heisenbridge_docker_image }} \
+          {% if matrix_heisenbridge_identd_enabled %}
+          --identd \
+          {% endif %}
+          {% if matrix_heisenbridge_owner %}
+          -o {{ matrix_heisenbridge_owner }} \
+          {% endif %}
+          --config /config/registration.yaml \
+          --listen-address 0.0.0.0 \
+          --listen-port 9898 \
+          {{ matrix_heisenbridge_homeserver_url }}
+
+ExecStop=-{{ matrix_host_command_docker }} kill matrix-heisenbridge
+ExecStop=-{{ matrix_host_command_docker }} rm matrix-heisenbridge
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-heisenbridge
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-mautrix-facebook/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
   when: matrix_mautrix_facebook_enabled|bool
@@ -16,7 +23,7 @@
   when: matrix_mautrix_facebook_enabled|bool
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml

@@ -69,7 +69,8 @@
   docker_image:
     name: "{{ matrix_mautrix_facebook_docker_image }}"
     source: build
-    force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed }}"
+    force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"

roles/matrix-bridge-mautrix-hangouts/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}"
   when: matrix_mautrix_hangouts_enabled|bool
@@ -62,7 +69,7 @@
   when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)"
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -68,7 +68,8 @@
   docker_image:
     name: "{{ matrix_mautrix_hangouts_docker_image }}"
     source: build
-    force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed }}"
+    force_source: "{{ matrix_mautrix_hangouts_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"

roles/matrix-bridge-mautrix-instagram/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_instagram_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-instagram.service'] }}"
   when: matrix_mautrix_instagram_enabled|bool
@@ -16,7 +23,7 @@
   when: matrix_mautrix_instagram_enabled|bool
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Mautrix instagram image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mautrix-instagram/tasks/setup_install.yml

@@ -44,7 +44,8 @@
   docker_image:
     name: "{{ matrix_mautrix_instagram_docker_image }}"
     source: build
-    force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed }}"
+    force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mautrix_instagram_docker_src_files_path }}"

roles/matrix-bridge-mautrix-telegram/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_telegram_container_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}"
   when: matrix_mautrix_telegram_enabled|bool

roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml

@@ -64,11 +64,12 @@
   register: matrix_mautrix_telegram_git_pull_results
   when: "matrix_mautrix_telegram_container_self_build|bool"
 
-- name: Ensure matrix-mautrix-telegram Docker image is build
+- name: Ensure matrix-mautrix-telegram Docker image is built
   docker_image:
     name: "{{ matrix_mautrix_telegram_docker_image }}"
     source: build
-    force_source: yes
+    force_source: "{{ matrix_mautrix_telegram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mautrix_telegram_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-discord/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_discord_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}"
   when: matrix_mx_puppet_discord_enabled|bool
@@ -16,7 +23,7 @@
   when: matrix_mx_puppet_discord_enabled|bool
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mx-puppet-discord/tasks/setup_install.yml

@@ -85,7 +85,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_discord_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_discord_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_discord_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_discord_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_groupme_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-groupme.service'] }}"
   when: matrix_mx_puppet_groupme_enabled|bool
@@ -16,7 +23,7 @@
   when: matrix_mx_puppet_groupme_enabled|bool
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml

@@ -85,7 +85,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_groupme_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_groupme_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_groupme_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_groupme_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_instagram_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}"
   when: matrix_mx_puppet_instagram_enabled|bool

roles/matrix-bridge-mx-puppet-instagram/tasks/setup_install.yml

@@ -69,7 +69,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_instagram_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_instagram_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_instagram_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-skype/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_skype_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}"
   when: matrix_mx_puppet_skype_enabled|bool
@@ -16,7 +23,7 @@
   when: matrix_mx_puppet_skype_enabled|bool
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Puppet Skype image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml

@@ -85,7 +85,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_skype_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_skype_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_skype_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-slack/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_slack_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}"
   when: matrix_mx_puppet_slack_enabled|bool
@@ -63,7 +70,7 @@
   when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml

@@ -81,7 +81,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_slack_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_slack_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_slack_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_slack_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-steam/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_steam_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}"
   when: matrix_mx_puppet_steam_enabled|bool
@@ -16,7 +23,7 @@
   when: matrix_mx_puppet_steam_enabled|bool
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Puppet Slack image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml

@@ -85,7 +85,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_steam_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_steam_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_steam_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_steam_docker_src_files_path }}"

roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mx_puppet_twitter_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}"
   when: matrix_mx_puppet_twitter_enabled|bool
@@ -63,7 +70,7 @@
   when: "matrix_mx_puppet_twitter_enabled|bool and matrix_nginx_proxy_enabled is not defined"
 
 # ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
+# for self building it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
   fail:
     msg: "To self build Puppet Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."

roles/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml

@@ -85,7 +85,8 @@
   docker_image:
     name: "{{ matrix_mx_puppet_twitter_docker_image }}"
     source: build
-    force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed }}"
+    force_source: "{{ matrix_mx_puppet_twitter_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mx_puppet_twitter_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_twitter_docker_src_files_path }}"

roles/matrix-client-element/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"
 
-matrix_client_element_version: v1.7.26
+matrix_client_element_version: v1.7.29
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

roles/matrix-client-element/tasks/init.yml

@@ -2,9 +2,9 @@
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}"
   when: matrix_client_element_enabled|bool
 
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
   fail:
-    msg: "To self build the Element image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
   when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_element_container_image_self_build"

roles/matrix-client-element/tasks/setup.yml

@@ -37,7 +37,8 @@
   docker_image:
     name: "{{ matrix_client_element_docker_image }}"
     source: build
-    force_source: "{{ matrix_client_element_git_pull_results.changed }}"
+    force_source: "{{ matrix_client_element_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_element_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_client_element_docker_src_files_path }}"

roles/matrix-client-hydrogen/defaults/main.yml

@@ -0,0 +1,68 @@
+matrix_client_hydrogen_enabled: true
+
+# Self building is used by default because the `config.json` file is only read at build time.
+# The pre-built images also were not functional as of 2021-05-15.
+matrix_client_hydrogen_container_image_self_build: true
+matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"
+
+matrix_client_hydrogen_version: v0.1.53
+matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vectorim/hydrogen-web:{{ matrix_client_hydrogen_version }}"
+matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build }}"
+matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
+
+matrix_client_hydrogen_data_path: "{{ matrix_base_data_path }}/client-hydrogen"
+matrix_client_hydrogen_docker_src_files_path: "{{ matrix_client_hydrogen_data_path }}/docker-src"
+
+# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8768"), or empty string to not expose.
+matrix_client_hydrogen_container_http_host_bind_port: ''
+
+# A list of extra arguments to pass to the container
+matrix_client_hydrogen_container_extra_arguments: []
+
+# List of systemd services that matrix-client-hydrogen.service depends on
+matrix_client_hydrogen_systemd_required_services_list: ['docker.service']
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_client_hydrogen_self_check_validate_certificates: true
+
+# config.json
+matrix_client_hydrogen_default_hs_url: ""
+
+# Default Hydrogen configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_client_hydrogen_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_client_hydrogen_configuration_default: "{{ lookup('template', 'templates/config.json.j2') }}"
+
+# Your custom JSON configuration for Hydrogen should go to `matrix_client_hydrogen_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_client_hydrogen_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_client_hydrogen_configuration_default`.
+#
+# Example configuration extension follows:
+#
+# matrix_client_hydrogen_configuration_extension_json: |
+#  {
+#    "push": {
+#      "appId": "io.element.hydrogen.web",
+#      "gatewayUrl": "https://matrix.org",
+#      "applicationServerKey": "BC-gpSdVHEXhvHSHS0AzzWrQoukv2BE7KzpoPO_FfPacqOo3l1pdqz7rSgmB04pZCWaHPz7XRe6fjLaC-WPDopM"
+#    },
+#    "defaultHomeServer": "matrix.org"
+#  }
+matrix_client_hydrogen_configuration_extension_json: '{}'
+
+matrix_client_hydrogen_configuration_extension: "{{ matrix_client_hydrogen_configuration_extension_json|from_json if matrix_client_hydrogen_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final Hydrogen configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_client_hydrogen_configuration_default`.
+matrix_client_hydrogen_configuration: "{{ matrix_client_hydrogen_configuration_default|combine(matrix_client_hydrogen_configuration_extension, recursive=True) }}"

roles/matrix-client-hydrogen/tasks/init.yml

@@ -0,0 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Hydrogen image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_client_hydrogen_container_image_self_build"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-hydrogen.service'] }}"
+  when: matrix_client_hydrogen_enabled|bool

roles/matrix-client-hydrogen/tasks/main.yml

@@ -0,0 +1,15 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_client_hydrogen_enabled|bool"
+  tags:
+    - setup-all
+    - setup-client-hydrogen
+
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-client-hydrogen

roles/matrix-client-hydrogen/tasks/self_check.yml

@@ -0,0 +1,22 @@
+---
+
+- set_fact:
+    matrix_client_hydrogen_url_endpoint_public: "https://{{ matrix_server_fqn_hydrogen }}"
+
+- name: Check Hydrogen
+  uri:
+    url: "{{ matrix_client_hydrogen_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_client_hydrogen_self_check_validate_certificates }}"
+  register: matrix_client_hydrogen_self_check_result
+  check_mode: no
+  ignore_errors: true
+
+- name: Fail if Hydrogen not working
+  fail:
+    msg: "Failed checking Hydrogen is up at `{{ matrix_server_fqn_hydrogen }}` (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`). Is Hydrogen running? Is port 443 open in your firewall? Full error: {{ matrix_client_hydrogen_self_check_result }}"
+  when: "matrix_client_hydrogen_self_check_result.failed or 'json' not in matrix_client_hydrogen_self_check_result"
+
+- name: Report working Hydrogen
+  debug:
+    msg: "Hydrogen at `{{ matrix_server_fqn_hydrogen }}` is working (checked endpoint: `{{ matrix_client_hydrogen_url_endpoint_public }}`)"

roles/matrix-client-hydrogen/tasks/setup.yml

@@ -0,0 +1,119 @@
+---
+
+#
+# Tasks related to setting up Hydrogen
+#
+
+- name: Ensure Hydrogen paths exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_client_hydrogen_data_path }}", when: true }
+    - { path: "{{ matrix_client_hydrogen_docker_src_files_path }}", when: "{{ matrix_client_hydrogen_container_image_self_build }}" }
+  when: matrix_client_hydrogen_enabled|bool and item.when
+
+- name: Ensure Hydrogen Docker image is pulled
+  docker_image:
+   name: "{{ matrix_client_hydrogen_docker_image }}"
+   source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+   force_source: "{{ matrix_client_hydrogen_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+   force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_client_hydrogen_docker_image_force_pull }}"
+  when: matrix_client_hydrogen_enabled|bool and not matrix_client_hydrogen_container_image_self_build
+
+- name: Ensure Hydrogen repository is present on self-build
+  git:
+    repo: "{{ matrix_client_hydrogen_container_image_self_build_repo }}"
+    dest: "{{ matrix_client_hydrogen_docker_src_files_path }}"
+    version: "{{ matrix_client_hydrogen_docker_image.split(':')[1] }}"
+    force: "yes"
+  register: matrix_client_hydrogen_git_pull_results
+  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+
+- name: Ensure Hydrogen configuration installed
+  copy:
+    content: "{{ matrix_client_hydrogen_configuration|to_nice_json }}"
+    dest: "{{ matrix_client_hydrogen_docker_src_files_path }}/assets/config.json"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+
+- name: Ensure Hydrogen additional config files installed
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_hydrogen_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
+  when: "matrix_client_hydrogen_enabled|bool and item.src is not none"
+
+- name: Ensure Hydrogen Docker image is built
+  docker_image:
+    name: "{{ matrix_client_hydrogen_docker_image }}"
+    source: build
+    force_source: "{{ matrix_client_hydrogen_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_client_hydrogen_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_container_image_self_build|bool"
+
+- name: Ensure matrix-client-hydrogen.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-client-hydrogen.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
+    mode: 0644
+  register: matrix_client_hydrogen_systemd_service_result
+  when: matrix_client_hydrogen_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-client-hydrogen.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_client_hydrogen_enabled and matrix_client_hydrogen_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of Hydrogen (if it was previously enabled)
+#
+
+- name: Check existence of matrix-client-hydrogen.service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
+  register: matrix_client_hydrogen_service_stat
+  when: "not matrix_client_hydrogen_enabled|bool"
+
+- name: Ensure matrix-client-hydrogen is stopped
+  service:
+    name: matrix-client-hydrogen
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
+
+- name: Ensure matrix-client-hydrogen.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-client-hydrogen.service"
+    state: absent
+  when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-client-hydrogen.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_client_hydrogen_enabled|bool and matrix_client_hydrogen_service_stat.stat.exists"
+
+- name: Ensure Hydrogen paths doesn't exist
+  file:
+    path: "{{ matrix_client_hydrogen_data_path }}"
+    state: absent
+  when: "not matrix_client_hydrogen_enabled|bool"
+
+- name: Ensure Hydrogen Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_client_hydrogen_docker_image }}"
+    state: absent
+  when: "not matrix_client_hydrogen_enabled|bool"

roles/matrix-client-hydrogen/tasks/validate_config.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Fail if required Hydrogen settings not defined
+  fail:
+    msg: >
+      You need to define a required configuration setting (`{{ item }}`) to use Hydrogen.
+  when: "(vars[item] == '' or vars[item] is none) and matrix_client_hydrogen_container_image_self_build|bool"
+  with_items:
+    - "matrix_client_hydrogen_default_hs_url"

roles/matrix-client-hydrogen/templates/config.json.j2

@@ -0,0 +1,3 @@
+{
+	"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url|string|to_json }}
+}

roles/matrix-client-hydrogen/templates/nginx.conf.j2

@@ -0,0 +1,66 @@
+#jinja2: lstrip_blocks: "True"
+# This is a custom nginx configuration file that we use in the container (instead of the default one),
+# because it allows us to run nginx with a non-root user.
+#
+# For this to work, the default vhost file (`/etc/nginx/conf.d/default.conf`) also needs to be removed.
+# (mounting `/dev/null` over `/etc/nginx/conf.d/default.conf` works well)
+#
+# The following changes have been done compared to a default nginx configuration file:
+# - default server port is changed (80 -> 8080), so that a non-root user can bind it
+# - various temp paths are changed to `/tmp`, so that a non-root user can write to them
+# - the `user` directive was removed, as we don't want nginx to switch users
+
+worker_processes 1;
+
+error_log /var/log/nginx/error.log warn;
+pid /tmp/nginx.pid;
+
+
+events {
+	worker_connections 1024;
+}
+
+
+http {
+	proxy_temp_path /tmp/proxy_temp;
+	client_body_temp_path /tmp/client_temp;
+	fastcgi_temp_path /tmp/fastcgi_temp;
+	uwsgi_temp_path /tmp/uwsgi_temp;
+	scgi_temp_path /tmp/scgi_temp;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+					'$status $body_bytes_sent "$http_referer" '
+					'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log main;
+
+	sendfile on;
+	#tcp_nopush on;
+
+	keepalive_timeout 65;
+
+	#gzip on;
+
+	server {
+		listen 8080;
+		server_name localhost;
+
+		root /usr/share/nginx/html;
+
+		location / {
+			index index.html index.htm;
+		}
+
+		location ~* ^/(config(.+)?\.json$|(.+)\.html$|i18n) {
+			expires -1;
+		}
+
+		error_page 500 502 503 504 /50x.html;
+		location = /50x.html {
+			root /usr/share/nginx/html;
+		}
+	}
+}

roles/matrix-client-hydrogen/templates/systemd/matrix-client-hydrogen.service.j2

@@ -0,0 +1,39 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Hydrogen Client
+{% for service in matrix_client_hydrogen_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null'
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-client-hydrogen \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_client_hydrogen_container_http_host_bind_port %}
+			-p {{ matrix_client_hydrogen_container_http_host_bind_port }}:8080 \
+			{% endif %}
+			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
+			--mount type=bind,src={{ matrix_client_hydrogen_data_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \
+			{% for arg in matrix_client_hydrogen_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_client_hydrogen_docker_image }}
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-client-hydrogen 2>/dev/null'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-client-hydrogen 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-client-hydrogen
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-common-after/defaults/main.yml

@@ -0,0 +1,16 @@
+# Specifies how long to wait between starting systemd services and checking if they're started.
+#
+# A too low value may lead to a failure, as services may not have enough time to start and potentially fail.
+#
+# A value higher than 30 seconds (or any multiple of that) may also not work well, because a failing systemd service
+# auto-restarts after 30 seconds (`RestartSec=30` in systemd service files).
+# Checking if a service is running right after it had potentially restarted in such a way will lead us to
+# thinking it's running, while it's merely starting again (and likely to fail again, given that it already did once).
+#
+# All of the services we manage are also started sequentially, which in itself can take a long time.
+# There may be a ~10 second (or even larger) interval between starting the first service and starting the last one.
+# This makes it even harder to pick a correct value. Such a 10 second gap and a waiting time of 20 seconds will
+# put us right at the "dangerous" 30-second mark.
+#
+# We can try to measure this gap and adjust our waiting time accordingly, but we currently don't.
+matrix_common_after_systemd_service_start_wait_for_timeout_seconds: 15

roles/matrix-common-after/tasks/start.yml

@@ -30,7 +30,7 @@
 # as we may run into systemd's automatic restart logic retrying the service.
 - name: Wait a bit, so that services can start (or fail)
   wait_for:
-    timeout: 15
+    timeout: "{{ matrix_common_after_systemd_service_start_wait_for_timeout_seconds }}"
   delegate_to: 127.0.0.1
   become: false
 
@@ -44,6 +44,9 @@
         {{ item }} was not detected to be running.
         It's possible that there's a configuration problem or another service on your server interferes with it (uses the same ports, etc.).
         Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate.
+        If you're on a slow or overloaded server, it may be that services take a longer time to start and that this error is a false-positive.
+        You can consider raising the value of the `matrix_common_after_systemd_service_start_wait_for_timeout_seconds` variable.
+        See `roles/matrix-common-after/defaults/main.yml` for more details about that.
     with_items: "{{ matrix_systemd_services_list }}"
     when:
       - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')"

roles/matrix-corporal/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_corporal_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}"
   when: matrix_corporal_enabled|bool

roles/matrix-corporal/tasks/setup_corporal.yml

@@ -30,7 +30,8 @@
   docker_image:
     name: "{{ matrix_corporal_docker_image }}"
     source: build
-    force_source: "{{ matrix_corporal_git_pull_results.changed }}"
+    force_source: "{{ matrix_corporal_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_git_pull_results.changed }}"
     build:
       dockerfile: etc/docker/Dockerfile
       path: "{{ matrix_corporal_container_src_files_path }}"

roles/matrix-coturn/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}"
   when: matrix_coturn_enabled|bool
@@ -5,10 +12,3 @@
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}"
   when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build"

roles/matrix-coturn/tasks/setup_install.yml

@@ -38,7 +38,8 @@
       docker_image:
         name: "{{ matrix_coturn_docker_image }}"
         source: build
-        force_source: "{{ matrix_coturn_git_pull_results.changed }}"
+        force_source: "{{ matrix_coturn_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_git_pull_results.changed }}"
         build:
           dockerfile: "{{ matrix_coturn_container_image_self_build_repo_dockerfile_path }}"
           path: "{{ matrix_coturn_docker_src_files_path }}"

roles/matrix-dynamic-dns/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_dynamic_dns_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
   when: "matrix_dynamic_dns_enabled|bool"

roles/matrix-dynamic-dns/tasks/install.yml

@@ -33,7 +33,8 @@
   docker_image:
     name: "{{ matrix_dynamic_dns_docker_image }}"
     source: build
-    force_source: "{{ matrix_dynamic_dns_git_pull_results.changed }}"
+    force_source: "{{ matrix_dynamic_dns_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dynamic_dns_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_dynamic_dns_docker_src_files_path }}"

roles/matrix-grafana/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_grafana_enabled: false
 
-matrix_grafana_version: 7.5.5
+matrix_grafana_version: 7.5.7
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 

roles/matrix-grafana/templates/grafana.ini.j2

@@ -1,3 +1,6 @@
+[server]
+root_url = "https://{{ matrix_server_fqn_grafana }}"
+
 [security]
 # default admin user, created on startup
 admin_user = "{{ matrix_grafana_default_admin_user }}"

roles/matrix-jitsi/defaults/main.yml

@@ -176,6 +176,8 @@ matrix_jitsi_prosody_container_extra_arguments: []
 # List of systemd services that matrix-jitsi-prosody.service depends on
 matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
 
+# Neccessary Port binding for those disabling the integrated nginx proxy
+matrix_jitsi_prosody_container_http_host_bind_port: ''
 
 matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}"
 matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"

roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2

@@ -16,6 +16,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
+			{% if matrix_jitsi_prosody_container_http_host_bind_port %}
+			-p {{ matrix_jitsi_prosody_container_http_host_bind_port }}:5280 \
+			{% endif %}
 			--env-file={{ matrix_jitsi_prosody_base_path }}/env \
 			--mount type=bind,src={{ matrix_jitsi_prosody_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_jitsi_prosody_plugins_path }},dst=/prosody-plugins-custom \

roles/matrix-ma1sd/tasks/init.yml

@@ -1,10 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
   when: matrix_ma1sd_enabled|bool
-
-# ansible lower than 2.8, does not support docker_image build parameters
-# for self buildig it is explicitly needed, so we rather fail here
-- name: Fail if running on Ansible lower than 2.8 and trying self building
-  fail:
-    msg: "To self build ma1sd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
-  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_ma1sd_container_image_self_build"

roles/matrix-mailer/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
 
-matrix_mailer_version: 4.94.2-r0
+matrix_mailer_version: 4.94.2-r0-1
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

roles/matrix-mailer/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mailer_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
   when: matrix_mailer_enabled|bool

roles/matrix-mailer/tasks/setup_mailer.yml

@@ -36,7 +36,8 @@
   docker_image:
     name: "{{ matrix_mailer_docker_image }}"
     source: build
-    force_source: "{{ matrix_mailer_git_pull_results.changed }}"
+    force_source: "{{ matrix_mailer_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mailer_container_image_self_build_src_files_path }}"

roles/matrix-nginx-proxy/defaults/main.yml

@@ -113,6 +113,10 @@ matrix_nginx_proxy_proxy_synapse_federation_api_addr_sans_container: "localhost:
 matrix_nginx_proxy_proxy_element_enabled: false
 matrix_nginx_proxy_proxy_element_hostname: "{{ matrix_server_fqn_element }}"
 
+# Controls whether proxying the Hydrogen domain should be done.
+matrix_nginx_proxy_proxy_hydrogen_enabled: false
+matrix_nginx_proxy_proxy_hydrogen_hostname: "{{ matrix_server_fqn_hydrogen }}"
+
 # Controls whether proxying the matrix domain should be done.
 matrix_nginx_proxy_proxy_matrix_enabled: false
 matrix_nginx_proxy_proxy_matrix_hostname: "{{ matrix_server_fqn_matrix }}"
@@ -223,6 +227,7 @@ matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "localhost:1
 matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_client_api_client_max_body_size_mb | int) * 3 }}"
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem"
 matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem"
+matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate: "{{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem"
 
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
@@ -251,6 +256,9 @@ matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
 matrix_nginx_proxy_proxy_element_additional_server_configuration_blocks: []
 
+# A list of strings containing additional configuration blocks to add to Element's server configuration (matrix-client-element.conf).
+matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks: []
+
 # A list of strings containing additional configuration blocks to add to Dimension's server configuration (matrix-dimension.conf).
 matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
 
@@ -385,6 +393,47 @@ matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
 matrix_ssl_pre_obtaining_required_service_name: ~
 matrix_ssl_pre_obtaining_required_service_start_wait_time_seconds: 60
 
+# Nginx Optimize SSL Session
+#
+# ssl_session_cache:
+# - Creating a cache of TLS connection parameters reduces the number of handshakes 
+#   and thus can improve the performance of application.
+# - Default session cache is not optimal as it can be used by only one worker process
+#   and can cause memory fragmentation. It is much better to use shared cache.
+# - Learn More: https://nginx.org/en/docs/http/ngx_http_ssl_module.html
+#
+# ssl_session_timeout:
+# - Nginx by default it is set to 5 minutes which is very low.
+#   should be like 4h or 1d but will require you to increase the size of cache.
+# - Learn More: 
+#     https://github.com/certbot/certbot/issues/6903
+#     https://github.com/mozilla/server-side-tls/issues/198
+#
+# ssl_session_tickets:
+# - In case of session tickets, information about session is given to the client.
+#   Enabling this improve performance also make Perfect Forward Secrecy useless.
+# - If you would instead like to use ssl_session_tickets by yourself, you can set
+#   matrix_nginx_proxy_ssl_session_tickets_off false.
+# - Learn More: https://github.com/mozilla/server-side-tls/issues/135
+#
+# Presets are taken from Mozilla's Server Side TLS Recommended configurations
+matrix_nginx_proxy_ssl_session_cache: "shared:MozSSL:10m"
+matrix_nginx_proxy_ssl_session_timeout: "1d"
+matrix_nginx_proxy_ssl_session_tickets_off: true
+
+# OCSP Stapling eliminating the need for clients to contact the CA, with the aim of improving both security and performance.
+# OCSP stapling can provide a performance boost of up to 30%
+# nginx web server supports OCSP stapling since version 1.3.7.
+#
+# *warning* Nginx is lazy loading OCSP responses, which means that for the first few web requests it is unable to add the OCSP response.
+# set matrix_nginx_proxy_ocsp_stapling_enabled false to disable OCSP Stapling
+#
+# Learn more about what it is here:
+# - https://en.wikipedia.org/wiki/OCSP_stapling
+# - https://blog.cloudflare.com/high-reliability-ocsp-stapling/
+# - https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+matrix_nginx_proxy_ocsp_stapling_enabled: true
+
 # nginx status page configurations.
 matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
 matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -72,6 +72,13 @@
     mode: 0644
   when: matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool
 
+- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain exists
+  template:
+    src: "{{ role_path }}/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
+    mode: 0644
+  when: matrix_nginx_proxy_proxy_hydrogen_enabled|bool
+
 - name: Ensure Matrix nginx-proxy configuration for dimension domain exists
   template:
     src: "{{ role_path }}/templates/nginx/conf.d/matrix-dimension.conf.j2"
@@ -204,6 +211,12 @@
     state: absent
   when: "not matrix_nginx_proxy_proxy_riot_compat_redirect_enabled|bool"
 
+- name: Ensure Matrix nginx-proxy configuration for Hydrogen domain deleted
+  file:
+    path: "{{ matrix_nginx_proxy_confd_path }}/matrix-client-hydrogen.conf"
+    state: absent
+  when: "not matrix_nginx_proxy_proxy_hydrogen_enabled|bool"
+
 - name: Ensure Matrix nginx-proxy configuration for dimension domain deleted
   file:
     path: "{{ matrix_nginx_proxy_confd_path }}/matrix-dimension.conf"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2

@@ -69,6 +69,18 @@ server {
 	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+	
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_base_domain_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
 
 	{{ render_vhost_directives() }}
 }

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2

@@ -74,6 +74,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_bot_go_neb_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2

@@ -79,6 +79,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
+	{% endif %}
+
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2

@@ -0,0 +1,98 @@
+#jinja2: lstrip_blocks: "True"
+
+{% macro render_vhost_directives() %}
+	gzip on;
+	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+
+	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+	add_header X-Content-Type-Options nosniff;
+	add_header X-Frame-Options SAMEORIGIN;
+	add_header X-XSS-Protection "1; mode=block";
+	add_header Content-Security-Policy "frame-ancestors 'none'";
+	{% if matrix_nginx_proxy_floc_optout_enabled %}
+		add_header Permissions-Policy interest-cohort=() always;
+	{% endif %}
+
+	{% for configuration_block in matrix_nginx_proxy_proxy_hydrogen_additional_server_configuration_blocks %}
+		{{- configuration_block }}
+	{% endfor %}
+
+	location / {
+		{% if matrix_nginx_proxy_enabled %}
+			{# Use the embedded DNS resolver in Docker containers to discover the service #}
+			resolver 127.0.0.11 valid=5s;
+			set $backend "matrix-client-hydrogen:8080";
+			proxy_pass http://$backend;
+		{% else %}
+			{# Generic configuration for use outside of our container setup #}
+			proxy_pass http://127.0.0.1:8768;
+		{% endif %}
+
+		proxy_set_header Host $host;
+		proxy_set_header X-Forwarded-For $remote_addr;
+	}
+{% endmacro %}
+
+server {
+	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
+
+	server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	{% if matrix_nginx_proxy_https_enabled %}
+		location /.well-known/acme-challenge {
+			{% if matrix_nginx_proxy_enabled %}
+				{# Use the embedded DNS resolver in Docker containers to discover the service #}
+				resolver 127.0.0.11 valid=5s;
+				set $backend "matrix-certbot:8080";
+				proxy_pass http://$backend;
+			{% else %}
+				{# Generic configuration for use outside of our container setup #}
+				proxy_pass http://127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }};
+			{% endif %}
+		}
+
+		location / {
+			return 301 https://$http_host$request_uri;
+		}
+	{% else %}
+		{{ render_vhost_directives() }}
+	{% endif %}
+}
+
+{% if matrix_nginx_proxy_https_enabled %}
+server {
+	listen {{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+	listen [::]:{{ 8443 if matrix_nginx_proxy_enabled else 443 }} ssl http2;
+
+	server_name {{ matrix_nginx_proxy_proxy_hydrogen_hostname }};
+
+	server_tokens off;
+	root /dev/null;
+
+	ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/fullchain.pem;
+	ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_hydrogen_hostname }}/privkey.pem;
+
+	ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
+	{% if matrix_nginx_proxy_ssl_ciphers != "" %}
+	ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
+	{% endif %}
+	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_element_hostname }}/chain.pem;
+	{% endif %}
+
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
+	{{ render_vhost_directives() }}
+}
+{% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2

@@ -77,6 +77,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_dimension_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -136,7 +136,13 @@
 		proxy_max_temp_file_size 0;
 	}
 
-	location / {
+	{#
+		We only handle the root URI for this redirect or homepage serving.
+		Unhandled URIs (mostly by `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_prefix_regexes` above) should result in a 404,
+		instead of causing a redirect.
+		See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058
+	#}
+	location ~* ^/$ {
 		{% if matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain %}
 			return 302 $scheme://{{ matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain }}$request_uri;
 		{% else %}
@@ -196,6 +202,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};	
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}
@@ -230,6 +248,18 @@ server {
 			ssl_ciphers {{ matrix_nginx_proxy_ssl_ciphers }};
 		{% endif %}
 		ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
+
+		{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+			ssl_stapling on;
+			ssl_stapling_verify on;
+			ssl_trusted_certificate {{ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_trusted_certificate }};
+		{% endif %}
+		
+		{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+			ssl_session_tickets off;
+		{% endif %}
+		ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+		ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
 	{% endif %}
 
 	location / {

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2

@@ -10,6 +10,7 @@
 	# add_header X-Content-Type-Options nosniff;
 	# add_header X-Frame-Options SAMEORIGIN;
 	add_header Referrer-Policy "strict-origin-when-cross-origin";
+
 	{% if matrix_nginx_proxy_floc_optout_enabled %}
 		add_header Permissions-Policy interest-cohort=() always;
 	{% endif %}
@@ -84,6 +85,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_grafana_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};	
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -119,6 +119,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_jitsi_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2

@@ -62,6 +62,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_compat_redirect_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2

@@ -76,6 +76,18 @@ server {
 	{% endif %}
 	ssl_prefer_server_ciphers {{ matrix_nginx_proxy_ssl_prefer_server_ciphers }};
 
+	{% if matrix_nginx_proxy_ocsp_stapling_enabled %}
+		ssl_stapling on;
+		ssl_stapling_verify on;
+		ssl_trusted_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_sygnal_hostname }}/chain.pem;
+	{% endif %}
+	
+	{% if matrix_nginx_proxy_ssl_session_tickets_off %}
+		ssl_session_tickets off;
+	{% endif %}
+	ssl_session_cache {{ matrix_nginx_proxy_ssl_session_cache }};
+	ssl_session_timeout {{ matrix_nginx_proxy_ssl_session_timeout }};
+
 	{{ render_vhost_directives() }}
 }
 {% endif %}

roles/matrix-postgres/tasks/util/migrate_db_to_postgres.yml

@@ -61,7 +61,8 @@
       docker_image:
         name: "{{ matrix_postgres_pgloader_docker_image }}"
         source: build
-        force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed }}"
+        force_source: "{{ matrix_postgres_pgloader_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_postgres_pgloader_git_pull_results.changed }}"
         build:
           dockerfile: Dockerfile
           path: "{{ matrix_postgres_pgloader_container_image_self_build_src_path }}"

roles/matrix-prometheus/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_prometheus_enabled: false
 
-matrix_prometheus_version: v2.26.0
+matrix_prometheus_version: v2.27.0
 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"
 

roles/matrix-registration/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_registration_container_image_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-registration.service'] }}"
   when: matrix_registration_enabled|bool

roles/matrix-registration/tasks/setup_install.yml

@@ -66,7 +66,8 @@
   docker_image:
     name: "{{ matrix_registration_docker_image }}"
     source: build
-    force_source: "{{ matrix_registration_git_pull_results.changed }}"
+    force_source: "{{ matrix_registration_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_registration_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_registration_docker_src_files_path }}"

roles/matrix-synapse-admin/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
 
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
 
-matrix_synapse_admin_version: 0.8.0
+matrix_synapse_admin_version: latest
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

roles/matrix-synapse-admin/tasks/init.yml

@@ -1,3 +1,10 @@
+# See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1070
+# and https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/1ab507349c752042d26def3e95884f6df8886b74#commitcomment-51108407
+- name: Fail if trying to self-build on Ansible < 2.8
+  fail:
+    msg: "To self-build the Element image, you should use Ansible 2.8 or higher. See docs/ansible.md"
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_admin_container_self_build"
+
 - set_fact:
     matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-synapse-admin.service'] }}"
   when: matrix_synapse_admin_enabled|bool

roles/matrix-synapse-admin/tasks/setup.yml

@@ -24,7 +24,8 @@
   docker_image:
     name: "{{ matrix_synapse_admin_docker_image }}"
     source: build
-    force_source: "{{ matrix_synapse_admin_git_pull_results.changed }}"
+    force_source: "{{ matrix_synapse_admin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_admin_git_pull_results.changed }}"
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_synapse_admin_docker_src_files_path }}"

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.33.1
-matrix_synapse_version_arm64: v1.33.1
+matrix_synapse_version: v1.34.0
+matrix_synapse_version_arm64: v1.34.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -454,6 +454,7 @@ matrix_synapse_sentry_dsn: ""
 
 # Postgres database information
 matrix_synapse_database_host: "matrix-postgres"
+matrix_synapse_database_port: 5432
 matrix_synapse_database_user: "synapse"
 matrix_synapse_database_password: ""
 matrix_synapse_database_database: "synapse"
@@ -586,3 +587,4 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi
 # Holds the final Synapse configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`.
 matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}"
+