Add conditional restart support to remaining services

Add change-tracking and restart_necessary computation for:
- matrix-authentication-service (custom role in this repo)
- container-socket-proxy, traefik-certs-dumper, postgres, exim-relay,
  cinny, livekit-server (external roles, bumped in requirements.yml)

Wire all 7 services in group_vars to use their _restart_necessary variable
instead of hardcoded true.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

group_vars/matrix_servers

@@ -297,7 +297,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-authentication-service.service',
       'priority': 2200,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_authentication_service_restart_necessary | bool),
       'groups': ['matrix', 'matrix-authentication-service'],
     }] if matrix_authentication_service_enabled else [])
     +
@@ -584,7 +584,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (cinny_identifier + '.service'),
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (cinny_restart_necessary | bool),
       'groups': ['matrix', 'clients', 'cinny', 'client-cinny'],
     }] if cinny_enabled else [])
     +
@@ -724,7 +724,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (exim_relay_identifier ~ '.service'),
       'priority': 800,
-      'restart_necessary': true,
+      'restart_necessary': (exim_relay_restart_necessary | bool),
       'groups': ['matrix', 'mailer', 'exim-relay'],
     }] if exim_relay_enabled else [])
     +
@@ -738,7 +738,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (postgres_identifier + '.service'),
       'priority': 500,
-      'restart_necessary': true,
+      'restart_necessary': (postgres_restart_necessary | bool),
       'groups': ['matrix', 'postgres'],
     }] if postgres_enabled else [])
     +
@@ -815,7 +815,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (livekit_server_identifier + '.service'),
       'priority': 3000,
-      'restart_necessary': true,
+      'restart_necessary': (livekit_server_restart_necessary | bool),
       'groups': ['matrix', 'livekit-server'],
     }] if livekit_server_enabled else [])
     +
@@ -892,7 +892,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (container_socket_proxy_identifier + '.service'),
       'priority': 200,
-      'restart_necessary': true,
+      'restart_necessary': (container_socket_proxy_restart_necessary | bool),
       'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy'],
     }] if container_socket_proxy_enabled else [])
     +
@@ -906,7 +906,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (traefik_certs_dumper_identifier + '.service'),
       'priority': 300,
-      'restart_necessary': true,
+      'restart_necessary': (traefik_certs_dumper_restart_necessary | bool),
       'groups': ['matrix', 'traefik-certs-dumper'],
     }] if traefik_certs_dumper_enabled else [])
   }}

requirements.yml

@@ -7,10 +7,10 @@
   version: v1.4.3-2.1.1-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.10.2-1
+  version: v4.10.2-2
   name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-1
+  version: v0.4.2-2
   name: container_socket_proxy
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
   version: v4.8.0-1
@@ -30,7 +30,7 @@
   version: v2.6.1-0
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.98.1-r0-2-2
+  version: v4.98.1-r0-2-3
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
   version: v11.6.5-6
@@ -42,7 +42,7 @@
   version: v10741-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.11-0
+  version: v1.9.11-1
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
   version: v2.17.0-0
@@ -57,7 +57,7 @@
   version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.2-0
+  version: v18.2-1
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
   version: v18-0
@@ -84,7 +84,7 @@
   version: v3.6.8-3
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-4
+  version: v2.10.0-5
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
   version: v9.0.2-0

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -654,6 +654,16 @@ matrix_authentication_service_migration_in_progress: false
 # Ref: https://element-hq.github.io/matrix-authentication-service/topics/admin-api.html#enabling-the-api
 matrix_authentication_service_admin_api_enabled: false
 
+# matrix_authentication_service_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_authentication_service_restart_necessary: false
+
 ########################################################################################
 #                                                                                      #
 # /Misc                                                                                #

roles/custom/matrix-authentication-service/tasks/install.yml

@@ -40,6 +40,7 @@
     mode: 0644
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_authentication_service_config_result
 
 - name: Ensure Matrix Authentication Service support files created
   ansible.builtin.template:
@@ -61,6 +62,7 @@
     - src: "{{ role_path }}/templates/bin/mas-cli.j2"
       dest: "{{ matrix_authentication_service_bin_path }}/mas-cli"
       mode: '0755'
+  register: matrix_authentication_service_support_files_result
 
 - name: Ensure Matrix Authentication Service container image is pulled
   community.docker.docker_image:
@@ -69,10 +71,10 @@
     force_source: "{{ matrix_authentication_service_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_container_image_force_pull }}"
   when: "not matrix_authentication_service_container_image_self_build | bool"
-  register: result
+  register: matrix_authentication_service_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_authentication_service_container_image_pull_result is not failed
 
 - when: "matrix_authentication_service_container_image_self_build | bool"
   block:
@@ -105,3 +107,14 @@
     src: "{{ role_path }}/templates/systemd/matrix-authentication-service.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-authentication-service.service"
     mode: 0644
+  register: matrix_authentication_service_systemd_service_result
+
+- name: Determine whether Matrix Authentication Service needs a restart
+  ansible.builtin.set_fact:
+    matrix_authentication_service_restart_necessary: >-
+      {{
+        matrix_authentication_service_config_result.changed | default(false)
+        or matrix_authentication_service_support_files_result.changed | default(false)
+        or matrix_authentication_service_systemd_service_result.changed | default(false)
+        or matrix_authentication_service_container_image_pull_result.changed | default(false)
+      }}