Merge remote-tracking branch 'github/master'

5 лет назад · 99639d7d7a
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,12 @@
 # 2020-06-05

 ## SMS bridging support

 Thanks to [benkuly](https://github.com/benkuly)'s efforts, the playbook now supports bridging to SMS (with one telephone number only) via [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge).

 See our [Setting up Matrix SMS bridging](docs/configuring-playbook-matrix-bridge-sms.md) documentation page for getting started.


 # 2020-05-19

 ## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server
--- a/docs/alternative-architectures.md
+++ b/docs/alternative-architectures.md
@@ -1,24 +1,29 @@
 # Alternative architectures

 As stated in the [Prerequisites](prerequisites.md), currently only x86_64 is supported. However, it is possible to set the target architecture, and some tools can be built on the host or other measures can be used.

 To that end add the following variable to your `vars.yaml` file:

 ```yaml
 matrix_architecture: <your-matrix-server-architecture>
 ```
 matrix_architecture = <your-matrix-server-architecture>
 ```

 Currently supported architectures are the following:
 - `amd64` (the default)
 - `arm64`
 - `arm32`

 so for the Raspberry Pi the following should be in your `vars.yaml` file:
 ```
 matrix_architecture = "arm32"
 so for the Raspberry Pi, the following should be in your `vars.yaml` file:

 ```yaml
 matrix_architecture: "arm32"
 ```

 ## Implementation details
 This subsection is used for a reminder, how the different roles implement architecture differenes. This is **not** aimed at the users, so one does not have to do anything based on this subsection.

 This subsection is used for a reminder, how the different roles implement architecture differences. This is **not** aimed at the users, so one does not have to do anything based on this subsection.

 On most roles [self-building](self-building.md) is used if the architecture is not `amd64`, however there are some special cases:
 - matrix-bridge-mautrix-facebook: there is built docker image for arm64 as well,
 - matrix-bridge-mautrix-hangouts: there is built docker image for arm64 as well,
 - matrix-nginx-proxy: Certbot has docker image for both arm32 and arm64, however tagging is used, which requires special handling.
 - `matrix-bridge-mautrix-facebook`: there is a pre-built Docker image for `arm64` as well
 - `matrix-bridge-mautrix-hangouts`: there is a pre-built Docker image for `arm64` as well
 - `matrix-nginx-proxy`: Certbot has a pre-built Docker image for both `arm32` and `arm64`, however tagging is used, which requires special handling.
--- a/docs/ansible.md
+++ b/docs/ansible.md
@@ -49,7 +49,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
 devture/ansible:2.8.1-r0
 devture/ansible:2.9.9-r0
 ```

 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
@@ -60,7 +60,7 @@ The `/work` directory contains the playbook's code.

 You can execute `ansible-playbook` commands as per normal now.

 ### If you don't use SSH keys for authentication 
 ### If you don't use SSH keys for authentication

 If you don't use SSH keys for authentication, simply remove that whole line (`-v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro`).
 To authenticate at your server using a password, you need to add a package. So, when you are in the shell of the ansible docker container (the previously used `docker run -it ...` command), run:
--- a/docs/configuring-playbook-bridge-appservice-discord.md
+++ b/docs/configuring-playbook-bridge-appservice-discord.md
@@ -23,7 +23,7 @@ matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
 4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
 5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`)
 6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
 7. Join the rooms by following this syntax `#_discord_guildid_channelid` - can be easily retrieved by logging into Discord in a browser and opening the desired channel. URL will have this format: `discordapp.com/channels/guild_id/channel_id`
 7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.

 Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.

--- a/docs/configuring-playbook-shared-secret-auth.md
+++ b/docs/configuring-playbook-shared-secret-auth.md
@@ -11,6 +11,8 @@ matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE
 ```

 You can generate a strong shared secret with a command like this: `pwgen -s 64 1`


 ## Authenticating only using a password provider

--- a/docs/configuring-well-known.md
+++ b/docs/configuring-well-known.md
@@ -136,7 +136,7 @@ backend matrix-backend
 	reqirep ^(GET|POST|HEAD)\ /.well-known/matrix/(.*) \1\ /\2
 	# Rewrite redirects as ProxyPassReverse does
 	acl response-is-redirect res.hdr(Location) -m found
 	rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.exapmle.com/.well-known/matrix/\2 if response-is-redirect
 	rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.example.com/.well-known/matrix/\2 if response-is-redirect
 ```

 Make sure to:
--- a/docs/maintenance-upgrading-services.md
+++ b/docs/maintenance-upgrading-services.md
@@ -4,14 +4,14 @@ This playbook not only installs the various Matrix services for you, but can als

 If you want to be notified when new versions of Synapse are released, you should join the Synapse Homeowners room: [#homeowners:matrix.org](https://matrix.to/#/#homeowners:matrix.org).

 To upgrade the services:
 To upgrade services:

 - update your playbook directory (`git pull`), so you'd obtain everything new we've done

 - take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incomptabile changes that you need to take care of
 - take a look at [the changelog](../CHANGELOG.md) to see if there have been any backward-incompatible changes that you need to take care of

 - re-run the [playbook setup](installing.md): `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all`

 - restart the services: `ansible-playbook -i inventory/hosts setup.yml --tags=start`

 **Note**: major version upgrades are not done to the internal PostgreSQL database. To upgrade that one, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql).
 **Note**: major version upgrades to the internal PostgreSQL database are not done automatically. To upgrade it, refer to the [upgrading PostgreSQL guide](maintenance-postgres.md#upgrading-postgresql).
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@@ -6,16 +6,16 @@

 - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`).

 - a `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.*
 - A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.*

 - the [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
 - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.

 - either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature.
 - Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature.

 - an HTTPS-capable web server at the base domain name (`<your-domain>`) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md).
 - An HTTPS-capable web server at the base domain name (`<your-domain>`) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md).

 - properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md))
 - Properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md)).

 - some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP)
 - Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).

 When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
--- a/docs/self-building.md
+++ b/docs/self-building.md
@@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-riot-web`
 - `matrix-coturn`
 - `matrix-ma1sd`
 - `matrix-mailer`
 - `matrix-mautrix-facebook`
 - `matrix-mautrix-hangouts`
 - `matrix-mx-puppet-skype`
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -537,11 +537,13 @@ matrix_jitsi_web_stun_servers: |
 #
 ######################################################################

 # By default, this playbook sets up a postfix mailer server (running in a container).
 # By default, this playbook sets up an exim mailer server (running in a container).
 # This is so that Synapse can send email reminders for unread messages.
 # Other services (like ma1sd), also use the mailer.
 matrix_mailer_enabled: true

 matrix_mailer_container_image_self_build: "{{ matrix_architecture != 'amd64'}}"

 ######################################################################
 #
 # /matrix-mailer
@@ -636,6 +638,8 @@ matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048"

 matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_public_port }}"

 matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
@@ -673,7 +677,13 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
  }}

 matrix_ssl_architecture: "{{ matrix_architecture }}"
 matrix_ssl_architecture: "{{
 	{
 		'amd64': 'amd64',
 		'arm32': 'arm32v6',
 		'arm64': 'arm64v8',
 	}[matrix_architecture]
 }}"

 ######################################################################
 #
@@ -780,7 +790,7 @@ matrix_synapse_container_client_api_host_bind_port: "{{ '' if matrix_nginx_proxy
 matrix_synapse_container_federation_api_plain_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:8048' }}"
 #
 # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
 matrix_synapse_container_federation_api_tls_host_bind_port: "{{ '8448' if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
 matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
 #
 # For exposing the Synapse Metrics API's port (plain HTTP) to the local host.
 matrix_synapse_container_metrics_api_host_bind_port: "{{ '127.0.0.1:9100' if (matrix_synapse_metrics_enabled and not matrix_nginx_proxy_enabled) else '' }}"
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@@ -21,6 +21,8 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
 # This is where you access Jitsi.
 matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"

 matrix_federation_public_port: 8448

 matrix_user_username: "matrix"
 matrix_user_groupname: "matrix"

@@ -32,6 +34,13 @@ matrix_systemd_path: "/etc/systemd/system"
 matrix_cron_path: "/etc/cron.d"
 matrix_local_bin_path: "/usr/local/bin"

 matrix_host_command_docker: "/usr/bin/env docker"
 matrix_host_command_sleep: "/usr/bin/env sleep"
 matrix_host_command_chown: "/usr/bin/env chown"
 matrix_host_command_fusermount: "/usr/bin/env fusermount"
 matrix_host_command_openssl: "/usr/bin/env openssl"
 matrix_host_command_systemctl: "/usr/bin/env systemctl"

 matrix_ntpd_package: "ntp"
 matrix_ntpd_service: "{{ 'ntpd' if ansible_os_family == 'RedHat' or ansible_distribution == 'Archlinux' else 'ntp' }}"

--- a/roles/matrix-base/templates/static-files/well-known/matrix-server.j2
+++ b/roles/matrix-base/templates/static-files/well-known/matrix-server.j2
@@ -1,4 +1,4 @@
 #jinja2: lstrip_blocks: "True"
 {
 	"m.server": "{{ matrix_server_fqn_matrix }}:8448"
 	"m.server": "{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}"
 }
--- a/roles/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml
@@ -39,100 +39,7 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}"
 matrix_appservice_discord_bridge_disablePresence: false
 matrix_appservice_discord_bridge_enableSelfServiceBridging: false

 matrix_appservice_discord_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  bridge:
    # Domain part of the bridge, e.g. matrix.org
    domain: {{ matrix_appservice_discord_bridge_domain }}
    # This should be your publically facing URL because Discord may use it to
    # fetch media from the media store.
    homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }}
    # Interval at which to process users in the 'presence queue'. If you have
    # 5 users, one user will be processed every 500 milliseconds according to the
    # value below. This has a minimum value of 250.
    # WARNING: This has a high chance of spamming the homeserver with presence
    # updates since it will send one each time somebody changes state or is online.
    presenceInterval: 500
    # Disable setting presence for 'ghost users' which means Discord users on Matrix
    # will not be shown as away or online.
    disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }}
    # Disable sending typing notifications when somebody on Discord types.
    disableTypingNotifications: false
    # Disable deleting messages on Discord if a message is redacted on Matrix.
    disableDeletionForwarding: false
    # Enable users to bridge rooms using !discord commands. See
    # https://t2bot.io/discord for instructions.
    enableSelfServiceBridging: {{ matrix_appservice_discord_bridge_enableSelfServiceBridging|to_json }}
    # Disable sending of read receipts for Matrix events which have been
    # successfully bridged to Discord.
    disableReadReceipts: false
    # Disable Join Leave echos from matrix
    disableJoinLeaveNotifications: false
  # Authentication configuration for the discord bot.
  auth:
    clientID: {{ matrix_appservice_discord_client_id|string|to_json }}
    botToken: {{ matrix_appservice_discord_bot_token }}
  logging:
    # What level should the logger output to the console at.
    console: "warn" #silly, verbose, info, http, warn, error, silent
    lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
    # files:
    #   - file: "debug.log"
    #     disable:
    #       - "PresenceHandler" # Will not capture presence logging
    #   - file: "warn.log" # Will capture warnings
    #     level: "warn"
    #   - file: "botlogs.log" # Will capture logs from DiscordBot
    #     level: "info"
    #     enable:
    #       - "DiscordBot"
  database:
    userStorePath: "/data/user-store.db"
    roomStorePath: "/data/room-store.db"
    # You may either use SQLite or Postgresql for the bridge database, which contains
    # important mappings for events and user puppeting configurations.
    # Use the filename option for SQLite, or connString for Postgresql.
    # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
    # WARNING: You will almost certainly be fine with sqlite unless your bridge
    # is in heavy demand and you suffer from IO slowness.
    filename: "/data/discord.db"
    # connString: "postgresql://user:password@localhost/database_name"
  room:
    # Set the default visibility of alias rooms, defaults to "public".
    # One of: "public", "private"
    defaultVisibility: "public"
  channel:
      # Pattern of the name given to bridged rooms.
      # Can use :guild for the guild name and :name for the channel name.
      namePattern: "[Discord] :guild :name"
      # Changes made to rooms when a channel is deleted.
      deleteOptions:
        # Prefix the room name with a string.
        #namePrefix: "[Deleted]"
        # Prefix the room topic with a string.
        #topicPrefix: "This room has been deleted"
        # Disable people from talking in the room by raising the event PL to 50
        disableMessaging: false
        # Remove the discord alias from the room.
        unsetRoomAlias: true
        # Remove the room from the directory.
        unlistFromDirectory: true
        # Set the room to be unavaliable for joining without an invite.
        setInviteOnly: true
        # Make all the discord users leave the room.
        ghostsLeave: true
  limits:
      # Delay in milliseconds between discord users joining a room.
      roomGhostJoinDelay: 6000
      # Delay in milliseconds before sending messages to discord to avoid echos.
      # (Copies of a sent message may arrive from discord before we've
      # fininished handling it, causing us to echo it back to the room)
      discordSendDelay: 750
  ghosts:
      # Pattern for the ghosts nick, available is :nick, :username, :tag and :id
      nickPattern: ":nick"
      # Pattern for the ghosts username, available is :username, :tag and :id
      usernamePattern: ":username#:tag"
 matrix_appservice_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_appservice_discord_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/setup_install.yml
@@ -60,7 +60,7 @@
 # We intentionally suppress Ansible changes.
 - name: Generate AppService Discord invite link
  shell: >-
    /usr/bin/docker run --rm --name matrix-appservice-discord-link-gen
    {{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord-link-gen
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -v {{ matrix_appservice_discord_config_path }}:/cfg
--- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2
+++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2
@@ -0,0 +1,93 @@
 #jinja2: lstrip_blocks: "True"
 bridge:
  # Domain part of the bridge, e.g. matrix.org
  domain: {{ matrix_appservice_discord_bridge_domain }}
  # This should be your publically facing URL because Discord may use it to
  # fetch media from the media store.
  homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl }}
  # Interval at which to process users in the 'presence queue'. If you have
  # 5 users, one user will be processed every 500 milliseconds according to the
  # value below. This has a minimum value of 250.
  # WARNING: This has a high chance of spamming the homeserver with presence
  # updates since it will send one each time somebody changes state or is online.
  presenceInterval: 500
  # Disable setting presence for 'ghost users' which means Discord users on Matrix
  # will not be shown as away or online.
  disablePresence: {{ matrix_appservice_discord_bridge_disablePresence|to_json }}
  # Disable sending typing notifications when somebody on Discord types.
  disableTypingNotifications: false
  # Disable deleting messages on Discord if a message is redacted on Matrix.
  disableDeletionForwarding: false
  # Enable users to bridge rooms using !discord commands. See
  # https://t2bot.io/discord for instructions.
  enableSelfServiceBridging: {{ matrix_appservice_discord_bridge_enableSelfServiceBridging|to_json }}
  # Disable sending of read receipts for Matrix events which have been
  # successfully bridged to Discord.
  disableReadReceipts: false
  # Disable Join Leave echos from matrix
  disableJoinLeaveNotifications: false
 # Authentication configuration for the discord bot.
 auth:
  clientID: {{ matrix_appservice_discord_client_id|string|to_json }}
  botToken: {{ matrix_appservice_discord_bot_token }}
 logging:
  # What level should the logger output to the console at.
  console: "warn" #silly, verbose, info, http, warn, error, silent
  lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format
  # files:
  #   - file: "debug.log"
  #     disable:
  #       - "PresenceHandler" # Will not capture presence logging
  #   - file: "warn.log" # Will capture warnings
  #     level: "warn"
  #   - file: "botlogs.log" # Will capture logs from DiscordBot
  #     level: "info"
  #     enable:
  #       - "DiscordBot"
 database:
  userStorePath: "/data/user-store.db"
  roomStorePath: "/data/room-store.db"
  # You may either use SQLite or Postgresql for the bridge database, which contains
  # important mappings for events and user puppeting configurations.
  # Use the filename option for SQLite, or connString for Postgresql.
  # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite
  # WARNING: You will almost certainly be fine with sqlite unless your bridge
  # is in heavy demand and you suffer from IO slowness.
  filename: "/data/discord.db"
  # connString: "postgresql://user:password@localhost/database_name"
 room:
  # Set the default visibility of alias rooms, defaults to "public".
  # One of: "public", "private"
  defaultVisibility: "public"
 channel:
    # Pattern of the name given to bridged rooms.
    # Can use :guild for the guild name and :name for the channel name.
    namePattern: "[Discord] :guild :name"
    # Changes made to rooms when a channel is deleted.
    deleteOptions:
      # Prefix the room name with a string.
      #namePrefix: "[Deleted]"
      # Prefix the room topic with a string.
      #topicPrefix: "This room has been deleted"
      # Disable people from talking in the room by raising the event PL to 50
      disableMessaging: false
      # Remove the discord alias from the room.
      unsetRoomAlias: true
      # Remove the room from the directory.
      unlistFromDirectory: true
      # Set the room to be unavaliable for joining without an invite.
      setInviteOnly: true
      # Make all the discord users leave the room.
      ghostsLeave: true
 limits:
    # Delay in milliseconds between discord users joining a room.
    roomGhostJoinDelay: 6000
    # Delay in milliseconds before sending messages to discord to avoid echos.
    # (Copies of a sent message may arrive from discord before we've
    # fininished handling it, causing us to echo it back to the room)
    discordSendDelay: 750
 ghosts:
    # Pattern for the ghosts nick, available is :nick, :username, :tag and :id
    nickPattern: ":nick"
    # Pattern for the ghosts username, available is :username, :tag and :id
    usernamePattern: ":username#:tag"
--- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
+++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
@@ -11,13 +11,13 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-appservice-discord
 ExecStartPre=-/usr/bin/docker rm matrix-appservice-discord
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-discord \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-discord \
 			{{ matrix_appservice_discord_docker_image }} \
 			node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml

 ExecStop=-/usr/bin/docker kill matrix-appservice-discord
 ExecStop=-/usr/bin/docker rm matrix-appservice-discord
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-discord
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-discord
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-appservice-discord
--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@@ -346,141 +346,7 @@ matrix_appservice_irc_systemd_wanted_services_list: []
 matrix_appservice_irc_appservice_token: ''
 matrix_appservice_irc_homeserver_token: ''

 matrix_appservice_irc_configuration_yaml: |
  #jinja2: lstrip_blocks: True
  homeserver:
    # The URL to the home server for client-server API calls, also used to form the
    # media URLs as displayed in bridged IRC channels:
    url: {{ matrix_appservice_irc_homeserver_url }}
    #
    # The URL of the homeserver hosting media files. This is only used to transform
    # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
    # default, this is the homeserver URL, specified above.
    #
    media_url: {{ matrix_appservice_irc_homeserver_media_url }}

    # Drop Matrix messages which are older than this number of seconds, according to
    # the event's origin_server_ts.
    # If the bridge is down for a while, the homeserver will attempt to send all missed
    # events on reconnection. These events may be hours old, which can be confusing to
    # IRC users if they are then bridged. This option allows these old messages to be
    # dropped.
    # CAUTION: This is a very coarse heuristic. Federated homeservers may have different
    # clock times and hence produce different origin_server_ts values, which may be old
    # enough to cause *all* events from the homeserver to be dropped.
    # Default: 0 (don't ever drop)
    # dropMatrixMessagesAfterSecs: 300 # 5 minutes

    # The 'domain' part for user IDs on this home server. Usually (but not always)
    # is the "domain name" part of the HS URL.
    domain: {{ matrix_appservice_irc_homeserver_domain }}

    # Should presence be enabled for matrix clients on this bridge. If disabled on the
    # homeserver then it should also be disabled here to avoid excess traffic.
    # Default: true
    enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}

  ircService:
    # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
    # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
    # the database.
    #
    # To generate a .pem file:
    # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
    #
    # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
    # for storage in the database. Passwords are stored by using the admin room command
    # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of
    # the Matrix user, this password will be sent as the server password (PASS command).
    passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification

    # Config for Matrix -> IRC bridging
    matrixHandler:
      # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
      eventCacheSize: 4096

    servers: {{ matrix_appservice_irc_ircService_servers|to_json }}

    # Configuration for an ident server. If you are running a public bridge it is
    # advised you setup an ident server so IRC mods can ban specific matrix users
    # rather than the application service itself.
    ident:
      # True to listen for Ident requests and respond with the
      # matrix user's user_id (converted to ASCII, respecting RFC 1413).
      # Default: false.
      enabled: false
      # The port to listen on for incoming ident requests.
      # Ports below 1024 require root to listen on, and you may not want this to
      # run as root. Instead, you can get something like an Apache to yank up
      # incoming requests to 113 to a high numbered port. Set the port to listen
      # on instead of 113 here.
      # Default: 113.
      port: 1113
      # The address to listen on for incoming ident requests.
      # Default: 0.0.0.0
      address: "::"

    # Configuration for logging. Optional. Default: console debug level logging
    # only.
    logging:
      # Level to log on console/logfile. One of error|warn|info|debug
      level: "debug"
      # The file location to log to. This is relative to the project directory.
      #logfile: "debug.log"
      # The file location to log errors to. This is relative to the project
      # directory.
      #errfile: "errors.log"
      # Whether to log to the console or not.
      toConsole: true
      # The max number of files to keep. Files will be overwritten eventually due
      # to rotations.
      maxFiles: 5

    # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
    #   $ npm install prom-client@6.3.0
    # Metrics will then be available via GET /metrics on the bridge listening port (-p).
    metrics:
      # Whether to actually enable the metric endpoint. Default: false
      enabled: true
      # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
      # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
      remoteUserAgeBuckets:
        - "1h"
        - "1d"
        - "1w"

    # Configuration for the provisioning API.
    #
    # GET /_matrix/provision/link
    # GET /_matrix/provision/unlink
    # GET /_matrix/provision/listlinks
    #
    provisioning:
      # True to enable the provisioning HTTP endpoint. Default: false.
      enabled: false
      # The number of seconds to wait before giving up on getting a response from
      # an IRC channel operator. If the channel operator does not respond within the
      # allotted time period, the provisioning request will fail.
      # Default: 300 seconds (5 mins)
      requestTimeoutSeconds: 300

  # Options here are generally only applicable to large-scale bridges and may have
  # consequences greater than other options in this configuration file.
  advanced:
    # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited
    # however for large bridges it is important to rate limit the bridge to avoid
    # accidentally overloading the homeserver. Defaults to 1000, which should be
    # enough for the vast majority of use cases.
    maxHttpSockets: 1000

  # Use an external database to store bridge state.
  database:
    # database engine (must be 'postgres' or 'nedb'). Default: nedb
    engine: "nedb"
    # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
    # For postgres, it must start with postgres://
    # For NeDB, it must start with nedb://. The path is relative to the project directory.
    connectionString: "nedb:///data"
 matrix_appservice_irc_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_appservice_irc_configuration_extension_yaml: |
  # Your custom YAML configuration for Appservice IRC servers goes here.
--- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
@@ -58,7 +58,7 @@
  register: irc_passkey_file

 - name: Generate Appservice IRC passkey if it doesn't exist
  shell: /usr/bin/openssl genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
  become: true
  become_user: "{{ matrix_user_username }}"
  when: "not irc_passkey_file.stat.exists"
@@ -93,7 +93,7 @@
 # to produce a final registration.yaml file, as we desire.
 - name: Generate Appservice IRC registration-template.yaml
  shell: >-
    /usr/bin/docker run --rm --name matrix-appservice-irc-gen
    {{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc-gen
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --cap-drop=ALL
    -v {{ matrix_appservice_irc_config_path }}:/config:z
--- a/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2
+++ b/roles/matrix-bridge-appservice-irc/templates/config.yaml.j2
@@ -0,0 +1,134 @@
 #jinja2: lstrip_blocks: True
 homeserver:
  # The URL to the home server for client-server API calls, also used to form the
  # media URLs as displayed in bridged IRC channels:
  url: {{ matrix_appservice_irc_homeserver_url }}
  #
  # The URL of the homeserver hosting media files. This is only used to transform
  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
  # default, this is the homeserver URL, specified above.
  #
  media_url: {{ matrix_appservice_irc_homeserver_media_url }}

  # Drop Matrix messages which are older than this number of seconds, according to
  # the event's origin_server_ts.
  # If the bridge is down for a while, the homeserver will attempt to send all missed
  # events on reconnection. These events may be hours old, which can be confusing to
  # IRC users if they are then bridged. This option allows these old messages to be
  # dropped.
  # CAUTION: This is a very coarse heuristic. Federated homeservers may have different
  # clock times and hence produce different origin_server_ts values, which may be old
  # enough to cause *all* events from the homeserver to be dropped.
  # Default: 0 (don't ever drop)
  # dropMatrixMessagesAfterSecs: 300 # 5 minutes

  # The 'domain' part for user IDs on this home server. Usually (but not always)
  # is the "domain name" part of the HS URL.
  domain: {{ matrix_appservice_irc_homeserver_domain }}

  # Should presence be enabled for matrix clients on this bridge. If disabled on the
  # homeserver then it should also be disabled here to avoid excess traffic.
  # Default: true
  enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}

 ircService:
  # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
  # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
  # the database.
  #
  # To generate a .pem file:
  # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048
  #
  # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords
  # for storage in the database. Passwords are stored by using the admin room command
  # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of
  # the Matrix user, this password will be sent as the server password (PASS command).
  passwordEncryptionKeyPath: "/data/passkey.pem" # does not typically need modification

  # Config for Matrix -> IRC bridging
  matrixHandler:
    # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
    eventCacheSize: 4096

  servers: {{ matrix_appservice_irc_ircService_servers|to_json }}

  # Configuration for an ident server. If you are running a public bridge it is
  # advised you setup an ident server so IRC mods can ban specific matrix users
  # rather than the application service itself.
  ident:
    # True to listen for Ident requests and respond with the
    # matrix user's user_id (converted to ASCII, respecting RFC 1413).
    # Default: false.
    enabled: false
    # The port to listen on for incoming ident requests.
    # Ports below 1024 require root to listen on, and you may not want this to
    # run as root. Instead, you can get something like an Apache to yank up
    # incoming requests to 113 to a high numbered port. Set the port to listen
    # on instead of 113 here.
    # Default: 113.
    port: 1113
    # The address to listen on for incoming ident requests.
    # Default: 0.0.0.0
    address: "::"

  # Configuration for logging. Optional. Default: console debug level logging
  # only.
  logging:
    # Level to log on console/logfile. One of error|warn|info|debug
    level: "debug"
    # The file location to log to. This is relative to the project directory.
    #logfile: "debug.log"
    # The file location to log errors to. This is relative to the project
    # directory.
    #errfile: "errors.log"
    # Whether to log to the console or not.
    toConsole: true
    # The max number of files to keep. Files will be overwritten eventually due
    # to rotations.
    maxFiles: 5

  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
  #   $ npm install prom-client@6.3.0
  # Metrics will then be available via GET /metrics on the bridge listening port (-p).
  metrics:
    # Whether to actually enable the metric endpoint. Default: false
    enabled: true
    # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
    # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
    remoteUserAgeBuckets:
      - "1h"
      - "1d"
      - "1w"

  # Configuration for the provisioning API.
  #
  # GET /_matrix/provision/link
  # GET /_matrix/provision/unlink
  # GET /_matrix/provision/listlinks
  #
  provisioning:
    # True to enable the provisioning HTTP endpoint. Default: false.
    enabled: false
    # The number of seconds to wait before giving up on getting a response from
    # an IRC channel operator. If the channel operator does not respond within the
    # allotted time period, the provisioning request will fail.
    # Default: 300 seconds (5 mins)
    requestTimeoutSeconds: 300

 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.
 advanced:
  # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited
  # however for large bridges it is important to rate limit the bridge to avoid
  # accidentally overloading the homeserver. Defaults to 1000, which should be
  # enough for the vast majority of use cases.
  maxHttpSockets: 1000

 # Use an external database to store bridge state.
 database:
  # database engine (must be 'postgres' or 'nedb'). Default: nedb
  engine: "nedb"
  # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
  # For postgres, it must start with postgres://
  # For NeDB, it must start with nedb://. The path is relative to the project directory.
  connectionString: "nedb:///data"
--- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@@ -11,13 +11,13 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-appservice-irc
 ExecStartPre=-/usr/bin/docker rm matrix-appservice-irc
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-irc \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -34,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
 			{{ matrix_appservice_irc_docker_image }} \
 			-c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999'

 ExecStop=-/usr/bin/docker kill matrix-appservice-irc
 ExecStop=-/usr/bin/docker rm matrix-appservice-irc
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-irc
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-irc
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-appservice-irc
--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@@ -45,21 +45,7 @@ matrix_appservice_slack_appservice_token: ''
 matrix_appservice_slack_homeserver_token: ''
 matrix_appservice_slack_id_token: ''

 matrix_appservice_slack_configuration_yaml: |
    slack_hook_port: {{ matrix_appservice_slack_slack_port }}
    inbound_uri_prefix: "{{ matrix_appservice_slack_inbound_uri_prefix }}"
    bot_username: "{{ matrix_appservice_slack_bot_name }}"
    username_prefix: {{ matrix_appservice_slack_user_prefix }}

    homeserver:
        media_url: "{{ matrix_appservice_slack_homeserver_media_url }}"
        url: "{{ matrix_appservice_slack_homeserver_url }}"
        server_name: "{{ matrix_domain }}"

    dbdir: "/data"

    matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}"

 matrix_appservice_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_appservice_slack_configuration_extension_yaml: |
    #slack_hook_port: 9898
--- a/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2
+++ b/roles/matrix-bridge-appservice-slack/templates/config.yaml.j2
@@ -0,0 +1,14 @@
 #jinja2: lstrip_blocks: True
 slack_hook_port: {{ matrix_appservice_slack_slack_port }}
 inbound_uri_prefix: "{{ matrix_appservice_slack_inbound_uri_prefix }}"
 bot_username: "{{ matrix_appservice_slack_bot_name }}"
 username_prefix: {{ matrix_appservice_slack_user_prefix }}

 homeserver:
    media_url: "{{ matrix_appservice_slack_homeserver_media_url }}"
    url: "{{ matrix_appservice_slack_homeserver_url }}"
    server_name: "{{ matrix_domain }}"

 dbdir: "/data"

 matrix_admin_room: "{{ matrix_appservice_slack_control_room_id }}"
--- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
+++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
@@ -11,13 +11,13 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-appservice-slack
 ExecStartPre=-/usr/bin/docker rm matrix-appservice-slack
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-appservice-slack \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-slack \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-slack \
 			{{ matrix_appservice_slack_docker_image }} \
 			node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml

 ExecStop=-/usr/bin/docker kill matrix-appservice-slack
 ExecStop=-/usr/bin/docker rm matrix-appservice-slack
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-slack
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-slack
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-appservice-slack
--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
@@ -49,35 +49,7 @@ matrix_appservice_webhooks_api_secret: ''
 # Logging information (info and verbose is available) default is: info
 matrix_appservice_webhooks_log_level: 'info'

 matrix_appservice_webhooks_configuration_yaml: |

  # Configuration specific to the application service. All fields (unless otherwise marked) are required.
  homeserver:
    # The domain for the client-server API calls.
    url: "{{ matrix_appservice_webhooks_homeserver_url }}"

    # The domain part for user IDs on this home server. Usually, but not always, this is the same as the
    # home server's URL.
    domain: "{{ matrix_domain }}"

  # Configuration specific to the bridge. All fields (unless otherwise marked) are required.
  webhookBot:
    # The localpart to use for the bot. May require re-registering the application service.
    localpart: "_webhook"

  # Provisioning API options
  provisioning:
    # Your secret for the API. Required for all provisioning API requests.
    secret: '{{ matrix_appservice_webhooks_api_secret }}'

  # Configuration related to the web portion of the bridge. Handles the inbound webhooks
  web:
    hookUrlBase:  "{{ matrix_appservice_webhooks_inbound_uri_prefix }}"

  logging:
    console: true
    consoleLevel: {{ matrix_appservice_webhooks_log_level }}
    writeFiles: false
 matrix_appservice_webhooks_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_appservice_webhooks_configuration_extension_yaml: |
  #
--- a/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/config.yaml.j2
@@ -0,0 +1,28 @@
 #jinja2: lstrip_blocks: True
 # Configuration specific to the application service. All fields (unless otherwise marked) are required.
 homeserver:
  # The domain for the client-server API calls.
  url: "{{ matrix_appservice_webhooks_homeserver_url }}"

  # The domain part for user IDs on this home server. Usually, but not always, this is the same as the
  # home server's URL.
  domain: "{{ matrix_domain }}"

 # Configuration specific to the bridge. All fields (unless otherwise marked) are required.
 webhookBot:
  # The localpart to use for the bot. May require re-registering the application service.
  localpart: "_webhook"

 # Provisioning API options
 provisioning:
  # Your secret for the API. Required for all provisioning API requests.
  secret: '{{ matrix_appservice_webhooks_api_secret }}'

 # Configuration related to the web portion of the bridge. Handles the inbound webhooks
 web:
  hookUrlBase:  "{{ matrix_appservice_webhooks_inbound_uri_prefix }}"

 logging:
  console: true
  consoleLevel: {{ matrix_appservice_webhooks_log_level }}
  writeFiles: false
--- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
@@ -11,13 +11,13 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks
 ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-appservice-webhooks \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -33,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \
 			{{ matrix_appservice_webhooks_docker_image }} \
 			node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml

 ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks
 ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-appservice-webhooks
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -38,160 +38,7 @@ matrix_mautrix_facebook_login_shared_secret: ''
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mautrix_facebook_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  # Homeserver details
  homeserver:
      # The address that this appservice can use to connect to the homeserver.
      address: {{ matrix_mautrix_facebook_homeserver_address }}
      # The domain of the homeserver (for MXIDs, etc).
      domain: {{ matrix_mautrix_facebook_homeserver_domain }}
      # Whether or not to verify the SSL certificate of the homeserver.
      # Only applies if address starts with https://
      verify_ssl: true

  # Application service host/registration related details
  # Changing these values requires regeneration of the registration.
  appservice:
      # The address that the homeserver can use to connect to this appservice.
      address: {{ matrix_mautrix_facebook_appservice_address }}

      # The hostname and port where this appservice should listen.
      hostname: 0.0.0.0
      port: 29319
      # The maximum body size of appservice API requests (from the homeserver) in mebibytes
      # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
      max_body_size: 1

      # The full URI to the database. SQLite and Postgres are fully supported.
      # Other DBMSes supported by SQLAlchemy may or may not work.
      # Format examples:
      #   SQLite:   sqlite:///filename.db
      #   Postgres: postgres://username:password@hostname/dbname
      database: sqlite:////data/mautrix-facebook.db

      # Public part of web server for out-of-Matrix interaction with the bridge.
      public:
          # Whether or not the public-facing endpoints should be enabled.
          enabled: false
          # The prefix to use in the public-facing endpoints.
          prefix: /public
          # The base URL where the public-facing endpoints are available. The prefix is not added
          # implicitly.
          external: https://example.com/public

      # The unique ID of this appservice.
      id: facebook
      # Username of the appservice bot.
      bot_username: facebookbot
      # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
      # to leave display name/avatar as-is.
      bot_displayname: Facebook bridge bot
      bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv

      # Authentication tokens for AS <-> HS communication.
      as_token: "{{ matrix_mautrix_facebook_appservice_token }}"
      hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}"

  # Bridge config
  bridge:
      # Localpart template of MXIDs for Facebook users.
      # {userid} is replaced with the user ID of the Facebook user.
      username_template: "facebook_{userid}"
      # Localpart template for per-user room grouping community IDs.
      # The bridge will create these communities and add all of the specific user's portals to the community.
      # {localpart} is the MXID localpart and {server} is the MXID server part of the user.
      #
      # `facebook_{localpart}={server}` is a good value.
      community_template: null
      # Displayname template for Facebook users.
      # {displayname} is replaced with the display name of the Facebook user
      #               as defined below in displayname_preference.
      # Keys available for displayname_preference are also available here.
      displayname_template: '{displayname} (FB)'
      # Available keys:
      # "name" (full name)
      # "first_name"
      # "last_name"
      # "nickname"
      # "own_nickname" (user-specific!)
      displayname_preference:
      - name

      # The prefix for commands. Only required in non-management rooms.
      command_prefix: "!fb"

      # Number of chats to sync (and create portals for) on startup/login.
      # Maximum 20, set 0 to disable automatic syncing.
      initial_chat_sync: 10
      # Whether or not the Facebook users of logged in Matrix users should be
      # invited to private chats when the user sends a message from another client.
      invite_own_puppet_to_pm: false
      # Whether or not to use /sync to get presence, read receipts and typing notifications when using
      # your own Matrix account as the Matrix puppet for your Facebook account.
      sync_with_custom_puppets: true
      # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
      #
      # If set, custom puppets will be enabled automatically for local users
      # instead of users having to find an access token and run `login-matrix`
      # manually.
      login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }}
      # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
      # presence, but then it won't send other users' presence to the client.
      presence: true
      # Whether or not to update avatars when syncing all contacts at startup.
      update_avatar_initial_sync: true
      # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
      # and login_shared_secret to be configured in order to get a device for the bridge bot.
      #
      # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
      # application service.
      encryption:
          # Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false

      # Permissions for using the bridge.
      # Permitted values:
      #       user - Use the bridge with puppeting.
      #      admin - Use and administrate the bridge.
      # Permitted keys:
      #        * - All Matrix users
      #   domain - All users on that homeserver
      #     mxid - Specific user
      permissions:
        '{{ matrix_mautrix_facebook_homeserver_domain }}': user

  # Python logging configuration.
  #
  # See section 16.7.2 of the Python documentation for more info:
  # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
  logging:
      version: 1
      formatters:
          colored:
              (): mautrix_facebook.util.ColorFormatter
              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
          normal:
              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
      handlers:
          console:
              class: logging.StreamHandler
              formatter: colored
      loggers:
          mau:
              level: DEBUG
          fbchat:
              level: DEBUG
          hbmqtt:
              level: INFO
          aiohttp:
              level: INFO
      root:
          level: DEBUG
          handlers: [console]
 matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mautrix_facebook_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@@ -0,0 +1,194 @@
 #jinja2: lstrip_blocks: "True"
 # Homeserver details
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: {{ matrix_mautrix_facebook_homeserver_address }}
    # The domain of the homeserver (for MXIDs, etc).
    domain: {{ matrix_mautrix_facebook_homeserver_domain }}
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_facebook_appservice_address }}

    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 29319
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

    # The full URI to the database. SQLite and Postgres are fully supported.
    # Other DBMSes supported by SQLAlchemy may or may not work.
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
    database: sqlite:////data/mautrix-facebook.db

    # Public part of web server for out-of-Matrix interaction with the bridge.
    public:
        # Whether or not the public-facing endpoints should be enabled.
        enabled: false
        # The prefix to use in the public-facing endpoints.
        prefix: /public
        # The base URL where the public-facing endpoints are available. The prefix is not added
        # implicitly.
        external: https://example.com/public

    # The unique ID of this appservice.
    id: facebook
    # Username of the appservice bot.
    bot_username: facebookbot
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Facebook bridge bot
    bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv

    # Authentication tokens for AS <-> HS communication.
    as_token: "{{ matrix_mautrix_facebook_appservice_token }}"
    hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}"

 # Bridge config
 bridge:
    # Localpart template of MXIDs for Facebook users.
    # {userid} is replaced with the user ID of the Facebook user.
    username_template: "facebook_{userid}"
    # Localpart template for per-user room grouping community IDs.
    # The bridge will create these communities and add all of the specific user's portals to the community.
    # {localpart} is the MXID localpart and {server} is the MXID server part of the user.
    #
    # `facebook_{localpart}={server}` is a good value.
    community_template: null
    # Displayname template for Facebook users.
    # {displayname} is replaced with the display name of the Facebook user
    #               as defined below in displayname_preference.
    # Keys available for displayname_preference are also available here.
    displayname_template: '{displayname} (FB)'
    # Available keys:
    # "name" (full name)
    # "first_name"
    # "last_name"
    # "nickname"
    # "own_nickname" (user-specific!)
    displayname_preference:
    - name

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!fb"

    # Number of chats to sync (and create portals for) on startup/login.
    # Maximum 20, set 0 to disable automatic syncing.
    initial_chat_sync: 10
    # Whether or not the Facebook users of logged in Matrix users should be
    # invited to private chats when the user sends a message from another client.
    invite_own_puppet_to_pm: false
    # Whether or not to use /sync to get presence, read receipts and typing notifications when using
    # your own Matrix account as the Matrix puppet for your Facebook account.
    sync_with_custom_puppets: true
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }}
    # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
    # presence, but then it won't send other users' presence to the client.
    presence: true
    # Whether or not to update avatars when syncing all contacts at startup.
    update_avatar_initial_sync: true
    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
    # and login_shared_secret to be configured in order to get a device for the bridge bot.
    #
    # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: false
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: false
    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
    # been sent to Facebook.
    delivery_receipts: false
    # Whether to allow inviting arbitrary mxids to portal rooms
    allow_invites: false
    # Settings for backfilling messages from Facebook.
    backfill:
        # Whether or not the Facebook users of logged in Matrix users should be
        # invited to private chats when backfilling history from Facebook. This is
        # usually needed to prevent rate limits and to allow timestamp massaging.
        invite_own_puppet: true
        # Maximum number of messages to backfill initially.
        # Set to 0 to disable backfilling when creating portal.
        initial_limit: 0
        # Maximum number of messages to backfill if messages were missed while
        # the bridge was disconnected.
        # Set to 0 to disable backfilling missed messages.
        missed_limit: 1000
        # If using double puppeting, should notifications be disabled
        # while the initial backfill is in progress?
        disable_notifications: false
    periodic_reconnect:
        # Interval in seconds in which to automatically reconnect all users.
        # This can be used to automatically mitigate the bug where Facebook stops sending messages.
        # Set to -1 to disable periodic reconnections entirely.
        interval: -1
        # What to do in periodic reconnects. Either "refresh" or "reconnect"
        mode: refresh
        # Should even disconnected users be reconnected?
        always: false
    # The number of seconds that a disconnection can last without triggering an automatic re-sync
    # and missed message backfilling when reconnecting.
    # Set to 0 to always re-sync, or -1 to never re-sync automatically.
    resync_max_disconnected_time: 5
    # Whether or not temporary disconnections should send notices to the notice room.
    # If this is false, disconnections will never send messages and connections will only send
    # messages if it was disconnected for more than resync_max_disconnected_time seconds.
    temporary_disconnect_notices: true
    # Whether or not the bridge should try to "refresh" the connection if a normal reconnection
    # attempt fails.
    refresh_on_reconnection_fail: false

    # Permissions for using the bridge.
    # Permitted values:
    #       user - Use the bridge with puppeting.
    #      admin - Use and administrate the bridge.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
      '{{ matrix_mautrix_facebook_homeserver_domain }}': user

 # Python logging configuration.
 #
 # See section 16.7.2 of the Python documentation for more info:
 # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
 logging:
    version: 1
    formatters:
        colored:
            (): mautrix_facebook.util.ColorFormatter
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
        normal:
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
    handlers:
        console:
            class: logging.StreamHandler
            formatter: colored
    loggers:
        mau:
            level: DEBUG
        fbchat:
            level: DEBUG
        hbmqtt:
            level: INFO
        aiohttp:
            level: INFO
    root:
        level: DEBUG
        handlers: [console]
--- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
@@ -11,9 +11,9 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mautrix-facebook
 ExecStartPre=-/usr/bin/docker rm matrix-mautrix-facebook
 ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-facebook-db \
 			alembic -x config=/config/config.yaml upgrade head

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -38,8 +38,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-facebook \
 			{{ matrix_mautrix_facebook_docker_image }} \
 			python3 -m mautrix_facebook -c /config/config.yaml

 ExecStop=-/usr/bin/docker kill matrix-mautrix-facebook
 ExecStop=-/usr/bin/docker rm matrix-mautrix-facebook
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-facebook
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@@ -40,152 +40,7 @@ matrix_mautrix_hangouts_login_shared_secret: ''
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_hangouts_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mautrix_hangouts_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  # Homeserver details
  homeserver:
      # The address that this appservice can use to connect to the homeserver.
      address: {{ matrix_mautrix_hangouts_homeserver_address }}
      # The domain of the homeserver (for MXIDs, etc).
      domain: {{ matrix_mautrix_hangouts_homeserver_domain }}
      # Whether or not to verify the SSL certificate of the homeserver.
      # Only applies if address starts with https://
      verify_ssl: true

  # Application service host/registration related details
  # Changing these values requires regeneration of the registration.
  appservice:
      # The address that the homeserver can use to connect to this appservice.
      address: {{ matrix_mautrix_hangouts_appservice_address }}

      # The hostname and port where this appservice should listen.
      hostname: 0.0.0.0
      port: 8080
      # The maximum body size of appservice API requests (from the homeserver) in mebibytes
      # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
      max_body_size: 1

      # The full URI to the database. SQLite and Postgres are fully supported.
      # Other DBMSes supported by SQLAlchemy may or may not work.
      # Format examples:
      #   SQLite:   sqlite:///filename.db
      #   Postgres: postgres://username:password@hostname/dbname
      database: sqlite:////data/mautrix-hangouts.db

      # The unique ID of this appservice.
      id: hangouts
      # Username of the appservice bot.
      bot_username: hangoutsbot
      # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
      # to leave display name/avatar as-is.
      bot_displayname: Hangouts bridge bot
      bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy

      # Authentication tokens for AS <-> HS communication.
      as_token: "{{ matrix_mautrix_hangouts_appservice_token }}"
      hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}"

  # Bridge config
  bridge:
      # Localpart template of MXIDs for Hangouts users.
      # {userid} is replaced with the user ID of the Hangouts user.
      username_template: "hangouts_{userid}"
      # Displayname template for Hangouts users.
      # {displayname} is replaced with the display name of the Hangouts user
      #               as defined below in displayname_preference.
      # Keys available for displayname_preference are also available here.
      displayname_template: '{full_name} (Hangouts)'
      # Available keys:
      # "name" (full name)
      # "first_name"
      # "last_name"
      # "nickname"
      # "own_nickname" (user-specific!)
      displayname_preference:
      - name

      # The prefix for commands. Only required in non-management rooms.
      command_prefix: "!HO"

      # Number of chats to sync (and create portals for) on startup/login.
      # Maximum 20, set 0 to disable automatic syncing.
      initial_chat_sync: 20
      # Whether or not the Hangouts users of logged in Matrix users should be
      # invited to private chats when the user sends a message from another client.
      invite_own_puppet_to_pm: false
      # Whether or not to use /sync to get presence, read receipts and typing notifications when using
      # your own Matrix account as the Matrix puppet for your Hangouts account.
      sync_with_custom_puppets: true
      # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
      #
      # If set, custom puppets will be enabled automatically for local users
      # instead of users having to find an access token and run `login-matrix`
      # manually.
      login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }}
      # Whether or not to update avatars when syncing all contacts at startup.
      update_avatar_initial_sync: true
      # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
      # and login_shared_secret to be configured in order to get a device for the bridge bot.
      #
      # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
      # application service.
      encryption:
          # Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false

      # Public website and API configs
      web:
          # Auth server config
          auth:
              # Publicly accessible base URL for the login endpoints.
              # The prefix below is not implicitly added. This URL and all subpaths should be proxied
              # or otherwise pointed to the appservice's webserver to the path specified below (prefix).
              # This path should usually include a trailing slash.
              # Internal prefix in the appservice web server for the login endpoints.
              public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login"
              prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login"


      # Permissions for using the bridge.
      # Permitted values:
      #       user - Use the bridge with puppeting.
      #      admin - Use and administrate the bridge.
      # Permitted keys:
      #        * - All Matrix users
      #   domain - All users on that homeserver
      #     mxid - Specific user
      permissions:
        '{{ matrix_mautrix_hangouts_homeserver_domain }}': user

  # Python logging configuration.
  #
  # See section 16.7.2 of the Python documentation for more info:
  # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
  logging:
      version: 1
      formatters:
          colored:
              (): mautrix_hangouts.util.ColorFormatter
              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
          normal:
              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
      handlers:
          console:
              class: logging.StreamHandler
              formatter: colored
      loggers:
          mau:
              level: DEBUG
          hangups:
              level: DEBUG
          aiohttp:
              level: INFO
      root:
          level: DEBUG
          handlers: [console]
 matrix_mautrix_hangouts_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mautrix_hangouts_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
@@ -0,0 +1,145 @@
 #jinja2: lstrip_blocks: "True"
 # Homeserver details
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: {{ matrix_mautrix_hangouts_homeserver_address }}
    # The domain of the homeserver (for MXIDs, etc).
    domain: {{ matrix_mautrix_hangouts_homeserver_domain }}
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_hangouts_appservice_address }}

    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 8080
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

    # The full URI to the database. SQLite and Postgres are fully supported.
    # Other DBMSes supported by SQLAlchemy may or may not work.
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
    database: sqlite:////data/mautrix-hangouts.db

    # The unique ID of this appservice.
    id: hangouts
    # Username of the appservice bot.
    bot_username: hangoutsbot
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Hangouts bridge bot
    bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy

    # Authentication tokens for AS <-> HS communication.
    as_token: "{{ matrix_mautrix_hangouts_appservice_token }}"
    hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}"

 # Bridge config
 bridge:
    # Localpart template of MXIDs for Hangouts users.
    # {userid} is replaced with the user ID of the Hangouts user.
    username_template: "hangouts_{userid}"
    # Displayname template for Hangouts users.
    # {displayname} is replaced with the display name of the Hangouts user
    #               as defined below in displayname_preference.
    # Keys available for displayname_preference are also available here.
    displayname_template: '{full_name} (Hangouts)'
    # Available keys:
    # "name" (full name)
    # "first_name"
    # "last_name"
    # "nickname"
    # "own_nickname" (user-specific!)
    displayname_preference:
    - name

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!HO"

    # Number of chats to sync (and create portals for) on startup/login.
    # Maximum 20, set 0 to disable automatic syncing.
    initial_chat_sync: 20
    # Whether or not the Hangouts users of logged in Matrix users should be
    # invited to private chats when the user sends a message from another client.
    invite_own_puppet_to_pm: false
    # Whether or not to use /sync to get presence, read receipts and typing notifications when using
    # your own Matrix account as the Matrix puppet for your Hangouts account.
    sync_with_custom_puppets: true
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret: {{ matrix_mautrix_hangouts_login_shared_secret|to_json }}
    # Whether or not to update avatars when syncing all contacts at startup.
    update_avatar_initial_sync: true
    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
    # and login_shared_secret to be configured in order to get a device for the bridge bot.
    #
    # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: false
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: false

    # Public website and API configs
    web:
        # Auth server config
        auth:
            # Publicly accessible base URL for the login endpoints.
            # The prefix below is not implicitly added. This URL and all subpaths should be proxied
            # or otherwise pointed to the appservice's webserver to the path specified below (prefix).
            # This path should usually include a trailing slash.
            # Internal prefix in the appservice web server for the login endpoints.
            public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login"
            prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login"


    # Permissions for using the bridge.
    # Permitted values:
    #       user - Use the bridge with puppeting.
    #      admin - Use and administrate the bridge.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
      '{{ matrix_mautrix_hangouts_homeserver_domain }}': user

 # Python logging configuration.
 #
 # See section 16.7.2 of the Python documentation for more info:
 # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
 logging:
    version: 1
    formatters:
        colored:
            (): mautrix_hangouts.util.ColorFormatter
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
        normal:
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
    handlers:
        console:
            class: logging.StreamHandler
            formatter: colored
    loggers:
        mau:
            level: DEBUG
        hangups:
            level: DEBUG
        aiohttp:
            level: INFO
    root:
        level: DEBUG
        handlers: [console]
--- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2
+++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2
@@ -11,9 +11,9 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre=-/usr/bin/docker rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -23,9 +23,9 @@ ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \
 			alembic -x config=/config/config.yaml upgrade head

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -38,8 +38,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \
 			{{ matrix_mautrix_hangouts_docker_image }} \
 			python3 -m mautrix_hangouts -c /config/config.yaml

 ExecStop=-/usr/bin/docker kill matrix-mautrix-hangouts
 ExecStop=-/usr/bin/docker rm matrix-mautrix-hangouts
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-hangouts
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -4,7 +4,7 @@
 matrix_mautrix_telegram_enabled: true

 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0"
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.2"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"

 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"
@@ -51,405 +51,7 @@ matrix_mautrix_telegram_login_shared_secret: ''
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_telegram_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mautrix_telegram_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  # Homeserver details
  homeserver:
      # The address that this appservice can use to connect to the homeserver.
      address: {{ matrix_mautrix_telegram_homeserver_address }}
      # The domain of the homeserver (for MXIDs, etc).
      domain: {{ matrix_mautrix_telegram_homeserver_domain }}
      # Whether or not to verify the SSL certificate of the homeserver.
      # Only applies if address starts with https://
      verify_ssl: true

  # Application service host/registration related details
  # Changing these values requires regeneration of the registration.
  appservice:
      # The address that the homeserver can use to connect to this appservice.
      address: {{ matrix_mautrix_telegram_appservice_address }}

      # The hostname and port where this appservice should listen.
      hostname: 0.0.0.0
      port: 8080
      # The maximum body size of appservice API requests (from the homeserver) in mebibytes
      # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
      max_body_size: 1

      # The full URI to the database. SQLite and Postgres are fully supported.
      # Other DBMSes supported by SQLAlchemy may or may not work.
      # Format examples:
      #   SQLite:   sqlite:///filename.db
      #   Postgres: postgres://username:password@hostname/dbname
      database: sqlite:////data/mautrix-telegram.db

      # Public part of web server for out-of-Matrix interaction with the bridge.
      # Used for things like login if the user wants to make sure the 2FA password isn't stored in
      # the HS database.
      public:
          # Whether or not the public-facing endpoints should be enabled.
          enabled: true
          # The prefix to use in the public-facing endpoints.
          prefix: {{ matrix_mautrix_telegram_public_endpoint }}
          # The base URL where the public-facing endpoints are available. The prefix is not added
          # implicitly.
          external: {{ matrix_mautrix_telegram_appservice_public_external }}

      # Provisioning API part of the web server for automated portal creation and fetching information.
      # Used by things like Dimension (https://dimension.t2bot.io/).
      provisioning:
          # Whether or not the provisioning API should be enabled.
          enabled: false
          # The prefix to use in the provisioning API endpoints.
          prefix: /_matrix/provision/v1
          # The shared secret to authorize users of the API.
          # Set to "generate" to generate and save a new token.
          shared_secret: generate

      # The unique ID of this appservice.
      id: telegram
      # Username of the appservice bot.
      bot_username: telegrambot
      # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
      # to leave display name/avatar as-is.
      bot_displayname: Telegram bridge bot
      bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX

      # Authentication tokens for AS <-> HS communication.
      as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
      hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}"

  # Bridge config
  bridge:
      # Localpart template of MXIDs for Telegram users.
      # {userid} is replaced with the user ID of the Telegram user.
      username_template: "telegram_{userid}"
      # Localpart template of room aliases for Telegram portal rooms.
      # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
      alias_template: "telegram_{groupname}"
      # Displayname template for Telegram users.
      # {displayname} is replaced with the display name of the Telegram user.
      displayname_template: "{displayname} (Telegram)"

      # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
      # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
      # ID is used.
      #
      # If the bridge is working properly, a phone number or an username should always be known, but
      # the other one can very well be empty.
      #
      # Valid keys:
      #   "full name"          (First and/or last name)
      #   "full name reversed" (Last and/or first name)
      #   "first name"
      #   "last name"
      #   "username"
      #   "phone number"
      displayname_preference:
      - full name
      - username
      - phone number
      # Maximum length of displayname
      displayname_max_length: 100

      # Maximum number of members to sync per portal when starting up. Other members will be
      # synced when they send messages. The maximum is 10000, after which the Telegram server
      # will not send any more members.
      # Defaults to no local limit (-> limited to 10000 by server)
      max_initial_member_sync: -1
      # Whether or not to sync the member list in channels.
      # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
      # list regardless of this setting.
      sync_channel_members: true
      # Whether or not to skip deleted members when syncing members.
      skip_deleted_members: true
      # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
      # their Telegram account at startup.
      startup_sync: true
      # Number of most recently active dialogs to check when syncing chats.
      # Dialogs include groups and private chats, but only groups are synced.
      # Set to 0 to remove limit.
      sync_dialog_limit: 30
      # Whether or not to sync and create portals for direct chats at startup.
      sync_direct_chats: false
      # The maximum number of simultaneous Telegram deletions to handle.
      # A large number of simultaneous redactions could put strain on your homeserver.
      max_telegram_delete: 10
      # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
      # at startup and when creating a bridge.
      sync_matrix_state: true
      # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix
      # login website (see appservice.public config section)
      allow_matrix_login: true
      # Whether or not to bridge plaintext highlights.
      # Only enable this if your displayname_template has some static part that the bridge can use to
      # reliably identify what is a plaintext highlight.
      plaintext_highlights: false
      # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
      public_portals: true
      # Whether or not to use /sync to get presence, read receipts and typing notifications when using
      # your own Matrix account as the Matrix puppet for your Telegram account.
      sync_with_custom_puppets: true
      # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
      #
      # If set, custom puppets will be enabled automatically for local users
      # instead of users having to find an access token and run `login-matrix`
      # manually.
      login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }}
      # Set to false to disable link previews in messages sent to Telegram.
      telegram_link_preview: true
      # Use inline images instead of a separate message for the caption.
      # N.B. Inline images are not supported on all clients (e.g. Riot iOS).
      inline_images: false
      # Maximum size of image in megabytes before sending to Telegram as a document.
      image_as_file_size: 10
      # Maximum size of Telegram documents in megabytes to bridge.
      max_document_size: 100
      # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
      # streaming from/to Matrix and using many connections for Telegram.
      # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
      parallel_file_transfer: false
      # Whether or not created rooms should have federation enabled.
      # If false, created portal rooms will never be federated.
      federate_rooms: true
      # Settings for converting animated stickers.
      animated_sticker:
          # Format to which animated stickers should be converted.
          # disable - No conversion, send as-is (gzipped lottie)
          # png - converts to non-animated png (fastest),
          # gif - converts to animated gif, but loses transparency
          # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
          target: gif
          # Arguments for converter. All converters take width and height.
          # GIF converter takes background as a hex color.
          args:
              width: 256
              height: 256
              background: "020202"  # only for gif
              fps: 30               # only for webm
      # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
      # and login_shared_secret to be configured in order to get a device for the bridge bot.
      #
      # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
      # application service.
      encryption:
          # Allow encryption, work in group chat rooms with e2ee enabled
          allow: false
          # Default to encryption, force-enable encryption in all portals the bridge creates
          # This will cause the bridge bot to be in private chats for the encryption to work properly.
          default: false

      # Overrides for base power levels.
      initial_power_level_overrides:
          user: {}
          group: {}

      # Whether to bridge Telegram bot messages as m.notices or m.texts.
      bot_messages_as_notices: true
      bridge_notices:
          # Whether or not Matrix bot messages (type m.notice) should be bridged.
          default: false
          # List of user IDs for whom the previous flag is flipped.
          # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
          #      notices from users listed here will be bridged.
          exceptions: []

      # Some config options related to Telegram message deduplication.
      # The default values are usually fine, but some debug messages/warnings might recommend you
      # change these.
      deduplication:
          # Whether or not to check the database if the message about to be sent is a duplicate.
          pre_db_check: false
          # The number of latest events to keep when checking for duplicates.
          # You might need to increase this on high-traffic bridge instances.
          cache_queue_length: 20


      # The formats to use when sending messages to Telegram via the relay bot.
      #
      # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users.
      #
      # Available variables:
      #   $sender_displayname    - The display name of the sender (e.g. Example User)
      #   $sender_username       - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
      #   $sender_mxid           - The Matrix ID of the sender (e.g. @exampleuser:example.com)
      #   $message               - The message content as HTML
      message_formats:
          m.text: "<b>$sender_displayname</b>: $message"
          m.notice: "<b>$sender_displayname</b>: $message"
          m.emote: "* <b>$sender_displayname</b> $message"
          m.file: "<b>$sender_displayname</b> sent a file: $message"
          m.image: "<b>$sender_displayname</b> sent an image: $message"
          m.audio: "<b>$sender_displayname</b> sent an audio file: $message"
          m.video: "<b>$sender_displayname</b> sent a video: $message"
          m.location: "<b>$sender_displayname</b> sent a location: $message"
      # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
      # users are sent to telegram. All fields in message_formats are supported. Additionally, the
      # Telegram user info is available in the following variables:
      #    $displayname - Telegram displayname
      #    $username    - Telegram username (may not exist)
      #    $mention     - Telegram @username or displayname mention (depending on which exists)
      emote_format: "* $mention $formatted_body"

      # The formats to use when sending state events to Telegram via the relay bot.
      #
      # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
      # In name_change events, `$prev_displayname` is the previous displayname.
      #
      # Set format to an empty string to disable the messages for that event.
      state_event_formats:
          join: "<b>$displayname</b> joined the room."
          leave: "<b>$displayname</b> left the room."
          name_change: "<b>$prev_displayname</b> changed their name to <b>$displayname</b>"

      # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
      # `filter-mode` management commands.
      #
      # Filters do not affect direct chats.
      # An empty blacklist will essentially disable the filter.
      filter:
          # Filter mode to use. Either "blacklist" or "whitelist".
          # If the mode is "blacklist", the listed chats will never be bridged.
          # If the mode is "whitelist", only the listed chats can be bridged.
          mode: blacklist
          # The list of group/channel IDs to filter.
          list: []

      # The prefix for commands. Only required in non-management rooms.
      command_prefix: "!tg"

      # Permissions for using the bridge.
      # Permitted values:
      #   relaybot - Only use the bridge via the relaybot, no access to commands.
      #       user - Relaybot level + access to commands to create bridges.
      #  puppeting - User level + logging in with a Telegram account.
      #       full - Full access to use the bridge, i.e. previous levels + Matrix login.
      #      admin - Full access to use the bridge and some extra administration commands.
      # Permitted keys:
      #        * - All Matrix users
      #   domain - All users on that homeserver
      #     mxid - Specific user
      permissions:
        '{{ matrix_mautrix_telegram_homeserver_domain }}': full

      # Options related to the message relay Telegram bot.
      relaybot:
          private_chat:
              # List of users to invite to the portal when someone starts a private chat with the bot.
              # If empty, private chats with the bot won't create a portal.
              invite: []
              # Whether or not to bridge state change messages in relaybot private chats.
              state_changes: true
              # When private_chat_invite is empty, this message is sent to users /starting the
              # relaybot. Telegram's "markdown" is supported.
              message: This is a Matrix bridge relaybot and does not support direct chats
          # List of users to invite to all group chat portals created by the bridge.
          group_chat_invite: []
          # Whether or not the relaybot should not bridge events in unbridged group chats.
          # If false, portals will be created when the relaybot receives messages, just like normal
          # users. This behavior is usually not desirable, as it interferes with manually bridging
          # the chat to another room.
          ignore_unbridged_group_chat: true
          # Whether or not to allow creating portals from Telegram.
          authless_portals: true
          # Whether or not to allow Telegram group admins to use the bot commands.
          whitelist_group_admins: true
          # Whether or not to ignore incoming events sent by the relay bot.
          ignore_own_incoming_events: true
          # List of usernames/user IDs who are also allowed to use the bot commands.
          whitelist: []

  # Telegram config
  telegram:
      # Get your own API keys at https://my.telegram.org/apps
      api_id: {{ matrix_mautrix_telegram_api_id }}
      api_hash: {{ matrix_mautrix_telegram_api_hash }}
      # (Optional) Create your own bot at https://t.me/BotFather
      bot_token: {{ matrix_mautrix_telegram_bot_token }}

      # Telethon connection options.
      connection:
          # The timeout in seconds to be used when connecting.
          timeout: 120
          # How many times the reconnection should retry, either on the initial connection or when
          # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
          # this is not recommended, since the program can get stuck in an infinite loop.
          retries: 5
          # The delay in seconds to sleep between automatic reconnections.
          retry_delay: 1
          # The threshold below which the library should automatically sleep on flood wait errors
          # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
          # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
          # the error instead. Values larger than a day (86400) will be changed to a day.
          flood_sleep_threshold: 60
          # How many times a request should be retried. Request are retried when Telegram is having
          # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
          # there's a migrate error. May take a negative or null value for infinite retries, but this
          # is not recommended, since some requests can always trigger a call fail (such as searching
          # for messages).
          request_retries: 5

      # Device info sent to Telegram.
      device_info:
          # "auto" = OS name+version.
          device_model: auto
          # "auto" = Telethon version.
          system_version: auto
          # "auto" = mautrix-telegram version.
          app_version: auto
          lang_code: en
          system_lang_code: en

      # Custom server to connect to.
      server:
          # Set to true to use these server settings. If false, will automatically
          # use production server assigned by Telegram. Set to false in production.
          enabled: false
          # The DC ID to connect to.
          dc: 2
          # The IP to connect to.
          ip: 149.154.167.40
          # The port to connect to. 443 may not work, 80 is better and both are equally secure.
          port: 80

      # Telethon proxy configuration.
      # You must install PySocks from pip for proxies to work.
      proxy:
          # Allowed types: disabled, socks4, socks5, http
          type: disabled
          # Proxy IP address and port.
          address: 127.0.0.1
          port: 1080
          # Whether or not to perform DNS resolving remotely.
          rdns: true
          # Proxy authentication (optional).
          username: ""
          password: ""

  # Python logging configuration.
  #
  # See section 16.7.2 of the Python documentation for more info:
  # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
  logging:
      version: 1
      formatters:
          precise:
              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
      handlers:
          console:
              class: logging.StreamHandler
              formatter: precise
      loggers:
          mau:
              level: DEBUG
          telethon:
              level: DEBUG
          aiohttp:
              level: INFO
      root:
          level: DEBUG
          handlers: [console]

 matrix_mautrix_telegram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mautrix_telegram_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2
@@ -0,0 +1,397 @@
 #jinja2: lstrip_blocks: "True"
 # Homeserver details
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: {{ matrix_mautrix_telegram_homeserver_address }}
    # The domain of the homeserver (for MXIDs, etc).
    domain: {{ matrix_mautrix_telegram_homeserver_domain }}
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_telegram_appservice_address }}

    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 8080
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

    # The full URI to the database. SQLite and Postgres are fully supported.
    # Other DBMSes supported by SQLAlchemy may or may not work.
    # Format examples:
    #   SQLite:   sqlite:///filename.db
    #   Postgres: postgres://username:password@hostname/dbname
    database: sqlite:////data/mautrix-telegram.db

    # Public part of web server for out-of-Matrix interaction with the bridge.
    # Used for things like login if the user wants to make sure the 2FA password isn't stored in
    # the HS database.
    public:
        # Whether or not the public-facing endpoints should be enabled.
        enabled: true
        # The prefix to use in the public-facing endpoints.
        prefix: {{ matrix_mautrix_telegram_public_endpoint }}
        # The base URL where the public-facing endpoints are available. The prefix is not added
        # implicitly.
        external: {{ matrix_mautrix_telegram_appservice_public_external }}

    # Provisioning API part of the web server for automated portal creation and fetching information.
    # Used by things like Dimension (https://dimension.t2bot.io/).
    provisioning:
        # Whether or not the provisioning API should be enabled.
        enabled: false
        # The prefix to use in the provisioning API endpoints.
        prefix: /_matrix/provision/v1
        # The shared secret to authorize users of the API.
        # Set to "generate" to generate and save a new token.
        shared_secret: generate

    # The unique ID of this appservice.
    id: telegram
    # Username of the appservice bot.
    bot_username: telegrambot
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Telegram bridge bot
    bot_avatar: mxc://maunium.net/tJCRmUyJDsgRNgqhOgoiHWbX

    # Authentication tokens for AS <-> HS communication.
    as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
    hs_token: "{{ matrix_mautrix_telegram_homeserver_token }}"

 # Bridge config
 bridge:
    # Localpart template of MXIDs for Telegram users.
    # {userid} is replaced with the user ID of the Telegram user.
    username_template: "telegram_{userid}"
    # Localpart template of room aliases for Telegram portal rooms.
    # {groupname} is replaced with the name part of the public channel/group invite link ( https://t.me/{} )
    alias_template: "telegram_{groupname}"
    # Displayname template for Telegram users.
    # {displayname} is replaced with the display name of the Telegram user.
    displayname_template: "{displayname} (Telegram)"

    # Set the preferred order of user identifiers which to use in the Matrix puppet display name.
    # In the (hopefully unlikely) scenario that none of the given keys are found, the numeric user
    # ID is used.
    #
    # If the bridge is working properly, a phone number or an username should always be known, but
    # the other one can very well be empty.
    #
    # Valid keys:
    #   "full name"          (First and/or last name)
    #   "full name reversed" (Last and/or first name)
    #   "first name"
    #   "last name"
    #   "username"
    #   "phone number"
    displayname_preference:
    - full name
    - username
    - phone number
    # Maximum length of displayname
    displayname_max_length: 100

    # Maximum number of members to sync per portal when starting up. Other members will be
    # synced when they send messages. The maximum is 10000, after which the Telegram server
    # will not send any more members.
    # Defaults to no local limit (-> limited to 10000 by server)
    max_initial_member_sync: -1
    # Whether or not to sync the member list in channels.
    # If no channel admins have logged into the bridge, the bridge won't be able to sync the member
    # list regardless of this setting.
    sync_channel_members: true
    # Whether or not to skip deleted members when syncing members.
    skip_deleted_members: true
    # Whether or not to automatically synchronize contacts and chats of Matrix users logged into
    # their Telegram account at startup.
    startup_sync: true
    # Number of most recently active dialogs to check when syncing chats.
    # Dialogs include groups and private chats, but only groups are synced.
    # Set to 0 to remove limit.
    sync_dialog_limit: 30
    # Whether or not to sync and create portals for direct chats at startup.
    sync_direct_chats: false
    # The maximum number of simultaneous Telegram deletions to handle.
    # A large number of simultaneous redactions could put strain on your homeserver.
    max_telegram_delete: 10
    # Whether or not to automatically sync the Matrix room state (mostly unpuppeted displaynames)
    # at startup and when creating a bridge.
    sync_matrix_state: true
    # Allow logging in within Matrix. If false, the only way to log in is using the out-of-Matrix
    # login website (see appservice.public config section)
    allow_matrix_login: true
    # Whether or not to bridge plaintext highlights.
    # Only enable this if your displayname_template has some static part that the bridge can use to
    # reliably identify what is a plaintext highlight.
    plaintext_highlights: false
    # Whether or not to make portals of publicly joinable channels/supergroups publicly joinable on Matrix.
    public_portals: true
    # Whether or not to use /sync to get presence, read receipts and typing notifications when using
    # your own Matrix account as the Matrix puppet for your Telegram account.
    sync_with_custom_puppets: true
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret: {{ matrix_mautrix_telegram_login_shared_secret|to_json }}
    # Set to false to disable link previews in messages sent to Telegram.
    telegram_link_preview: true
    # Use inline images instead of a separate message for the caption.
    # N.B. Inline images are not supported on all clients (e.g. Riot iOS).
    inline_images: false
    # Maximum size of image in megabytes before sending to Telegram as a document.
    image_as_file_size: 10
    # Maximum size of Telegram documents in megabytes to bridge.
    max_document_size: 100
    # Enable experimental parallel file transfer, which makes uploads/downloads much faster by
    # streaming from/to Matrix and using many connections for Telegram.
    # Note that generating HQ thumbnails for videos is not possible with streamed transfers.
    parallel_file_transfer: false
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: true
    # Settings for converting animated stickers.
    animated_sticker:
        # Format to which animated stickers should be converted.
        # disable - No conversion, send as-is (gzipped lottie)
        # png - converts to non-animated png (fastest),
        # gif - converts to animated gif, but loses transparency
        # webm - converts to webm video, requires ffmpeg executable with vp9 codec and webm container support
        target: gif
        # Arguments for converter. All converters take width and height.
        # GIF converter takes background as a hex color.
        args:
            width: 256
            height: 256
            background: "020202"  # only for gif
            fps: 30               # only for webm
    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
    # and login_shared_secret to be configured in order to get a device for the bridge bot.
    #
    # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: false
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: false

    # Overrides for base power levels.
    initial_power_level_overrides:
        user: {}
        group: {}

    # Whether to bridge Telegram bot messages as m.notices or m.texts.
    bot_messages_as_notices: true
    bridge_notices:
        # Whether or not Matrix bot messages (type m.notice) should be bridged.
        default: false
        # List of user IDs for whom the previous flag is flipped.
        # e.g. if bridge_notices.default is false, notices from other users will not be bridged, but
        #      notices from users listed here will be bridged.
        exceptions: []

    # Some config options related to Telegram message deduplication.
    # The default values are usually fine, but some debug messages/warnings might recommend you
    # change these.
    deduplication:
        # Whether or not to check the database if the message about to be sent is a duplicate.
        pre_db_check: false
        # The number of latest events to keep when checking for duplicates.
        # You might need to increase this on high-traffic bridge instances.
        cache_queue_length: 20


    # The formats to use when sending messages to Telegram via the relay bot.
    #
    # Telegram doesn't have built-in emotes, so the m.emote format is also used for non-relaybot users.
    #
    # Available variables:
    #   $sender_displayname    - The display name of the sender (e.g. Example User)
    #   $sender_username       - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
    #   $sender_mxid           - The Matrix ID of the sender (e.g. @exampleuser:example.com)
    #   $message               - The message content as HTML
    message_formats:
        m.text: "<b>$sender_displayname</b>: $message"
        m.notice: "<b>$sender_displayname</b>: $message"
        m.emote: "* <b>$sender_displayname</b> $message"
        m.file: "<b>$sender_displayname</b> sent a file: $message"
        m.image: "<b>$sender_displayname</b> sent an image: $message"
        m.audio: "<b>$sender_displayname</b> sent an audio file: $message"
        m.video: "<b>$sender_displayname</b> sent a video: $message"
        m.location: "<b>$sender_displayname</b> sent a location: $message"
    # Telegram doesn't have built-in emotes, this field specifies how m.emote's from authenticated
    # users are sent to telegram. All fields in message_formats are supported. Additionally, the
    # Telegram user info is available in the following variables:
    #    $displayname - Telegram displayname
    #    $username    - Telegram username (may not exist)
    #    $mention     - Telegram @username or displayname mention (depending on which exists)
    emote_format: "* $mention $formatted_body"

    # The formats to use when sending state events to Telegram via the relay bot.
    #
    # Variables from `message_formats` that have the `sender_` prefix are available without the prefix.
    # In name_change events, `$prev_displayname` is the previous displayname.
    #
    # Set format to an empty string to disable the messages for that event.
    state_event_formats:
        join: "<b>$displayname</b> joined the room."
        leave: "<b>$displayname</b> left the room."
        name_change: "<b>$prev_displayname</b> changed their name to <b>$displayname</b>"

    # Filter rooms that can/can't be bridged. Can also be managed using the `filter` and
    # `filter-mode` management commands.
    #
    # Filters do not affect direct chats.
    # An empty blacklist will essentially disable the filter.
    filter:
        # Filter mode to use. Either "blacklist" or "whitelist".
        # If the mode is "blacklist", the listed chats will never be bridged.
        # If the mode is "whitelist", only the listed chats can be bridged.
        mode: blacklist
        # The list of group/channel IDs to filter.
        list: []

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!tg"

    # Permissions for using the bridge.
    # Permitted values:
    #   relaybot - Only use the bridge via the relaybot, no access to commands.
    #       user - Relaybot level + access to commands to create bridges.
    #  puppeting - User level + logging in with a Telegram account.
    #       full - Full access to use the bridge, i.e. previous levels + Matrix login.
    #      admin - Full access to use the bridge and some extra administration commands.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
      '{{ matrix_mautrix_telegram_homeserver_domain }}': full

    # Options related to the message relay Telegram bot.
    relaybot:
        private_chat:
            # List of users to invite to the portal when someone starts a private chat with the bot.
            # If empty, private chats with the bot won't create a portal.
            invite: []
            # Whether or not to bridge state change messages in relaybot private chats.
            state_changes: true
            # When private_chat_invite is empty, this message is sent to users /starting the
            # relaybot. Telegram's "markdown" is supported.
            message: This is a Matrix bridge relaybot and does not support direct chats
        # List of users to invite to all group chat portals created by the bridge.
        group_chat_invite: []
        # Whether or not the relaybot should not bridge events in unbridged group chats.
        # If false, portals will be created when the relaybot receives messages, just like normal
        # users. This behavior is usually not desirable, as it interferes with manually bridging
        # the chat to another room.
        ignore_unbridged_group_chat: true
        # Whether or not to allow creating portals from Telegram.
        authless_portals: true
        # Whether or not to allow Telegram group admins to use the bot commands.
        whitelist_group_admins: true
        # Whether or not to ignore incoming events sent by the relay bot.
        ignore_own_incoming_events: true
        # List of usernames/user IDs who are also allowed to use the bot commands.
        whitelist: []

 # Telegram config
 telegram:
    # Get your own API keys at https://my.telegram.org/apps
    api_id: {{ matrix_mautrix_telegram_api_id }}
    api_hash: {{ matrix_mautrix_telegram_api_hash }}
    # (Optional) Create your own bot at https://t.me/BotFather
    bot_token: {{ matrix_mautrix_telegram_bot_token }}

    # Telethon connection options.
    connection:
        # The timeout in seconds to be used when connecting.
        timeout: 120
        # How many times the reconnection should retry, either on the initial connection or when
        # Telegram disconnects us. May be set to a negative or null value for infinite retries, but
        # this is not recommended, since the program can get stuck in an infinite loop.
        retries: 5
        # The delay in seconds to sleep between automatic reconnections.
        retry_delay: 1
        # The threshold below which the library should automatically sleep on flood wait errors
        # (inclusive). For instance, if a FloodWaitError for 17s occurs and flood_sleep_threshold
        # is 20s, the library will sleep automatically. If the error was for 21s, it would raise
        # the error instead. Values larger than a day (86400) will be changed to a day.
        flood_sleep_threshold: 60
        # How many times a request should be retried. Request are retried when Telegram is having
        # internal issues, when there is a FloodWaitError less than flood_sleep_threshold, or when
        # there's a migrate error. May take a negative or null value for infinite retries, but this
        # is not recommended, since some requests can always trigger a call fail (such as searching
        # for messages).
        request_retries: 5

    # Device info sent to Telegram.
    device_info:
        # "auto" = OS name+version.
        device_model: auto
        # "auto" = Telethon version.
        system_version: auto
        # "auto" = mautrix-telegram version.
        app_version: auto
        lang_code: en
        system_lang_code: en

    # Custom server to connect to.
    server:
        # Set to true to use these server settings. If false, will automatically
        # use production server assigned by Telegram. Set to false in production.
        enabled: false
        # The DC ID to connect to.
        dc: 2
        # The IP to connect to.
        ip: 149.154.167.40
        # The port to connect to. 443 may not work, 80 is better and both are equally secure.
        port: 80

    # Telethon proxy configuration.
    # You must install PySocks from pip for proxies to work.
    proxy:
        # Allowed types: disabled, socks4, socks5, http
        type: disabled
        # Proxy IP address and port.
        address: 127.0.0.1
        port: 1080
        # Whether or not to perform DNS resolving remotely.
        rdns: true
        # Proxy authentication (optional).
        username: ""
        password: ""

 # Python logging configuration.
 #
 # See section 16.7.2 of the Python documentation for more info:
 # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
 logging:
    version: 1
    formatters:
        precise:
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
    handlers:
        console:
            class: logging.StreamHandler
            formatter: precise
    loggers:
        mau:
            level: DEBUG
        telethon:
            level: DEBUG
        aiohttp:
            level: INFO
    root:
        level: DEBUG
        handlers: [console]
--- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
@@ -11,21 +11,22 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mautrix-telegram
 ExecStartPre=-/usr/bin/docker rm matrix-mautrix-telegram
 ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-telegram-db \
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_telegram_config_path }}:/config:z \
 			-v {{ matrix_mautrix_telegram_data_path }}:/data:z \
 			{{ matrix_mautrix_telegram_docker_image }} \
 			alembic -x config=/config/config.yaml upgrade head

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -41,8 +42,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-telegram \
 			{{ matrix_mautrix_telegram_docker_image }} \
 			python3 -m mautrix_telegram -c /config/config.yaml

 ExecStop=-/usr/bin/docker kill matrix-mautrix-telegram
 ExecStop=-/usr/bin/docker rm matrix-mautrix-telegram
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-telegram
--- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -35,175 +35,7 @@ matrix_mautrix_whatsapp_login_shared_secret: ''
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_whatsapp_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mautrix_whatsapp_configuration_yaml: |
  # Homeserver details.
  homeserver:
      # The address that this appservice can use to connect to the homeserver.
      address: {{ matrix_mautrix_whatsapp_homeserver_address }}
      # The domain of the homeserver (for MXIDs, etc).
      domain: {{ matrix_mautrix_whatsapp_homeserver_domain }}
  # Application service host/registration related details.
  # Changing these values requires regeneration of the registration.

  appservice:
      # The address that the homeserver can use to connect to this appservice.
      address: {{ matrix_mautrix_whatsapp_appservice_address }}

      # The hostname and port where this appservice should listen.
      hostname: 0.0.0.0
      port: 8080

      # Database config.
      database:
          # The database type. "sqlite3" and "postgres" are supported.
          type: sqlite3
          # The database URI.
          #   SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
          #   Postgres: Connection string. For example, postgres://user:password@host/database
          uri: mautrix-whatsapp.db
          # Maximum number of connections. Mostly relevant for Postgres.
          max_open_conns: 20
          max_idle_conns: 2

      # Path to the Matrix room state store.
      state_store_path: ./mx-state.json

      # The unique ID of this appservice.
      id: whatsapp
      # Appservice bot details.
      bot:
          # Username of the appservice bot.
          username: whatsappbot
          # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
          # to leave display name/avatar as-is.
          displayname: WhatsApp bridge bot
          avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr

      # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
      as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}"
      hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}"

  # Bridge config
  bridge:
      # Localpart template of MXIDs for WhatsApp users.
      # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user.
      username_template: "{{ 'whatsapp_{{.}}' }}"
      # Displayname template for WhatsApp users.
      # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user
      # {{ '{{.Jid}}' }}    - phone number (international format)
      # The following variables are also available, but will cause problems on multi-user instances:
      # {{ '{{.Name}}' }}   - display name from contact list
      # {{ '{{.Short}}' }}  - short display name from contact list
      displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}"
      # WhatsApp connection timeout in seconds.
      connection_timeout: 20
      # Maximum number of times to retry connecting on connection error.
      max_connection_attempts: 3
      # Number of seconds to wait between connection attempts.
      # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts
      connection_retry_delay: -1
      # Whether or not the bridge should send a notice to the user's management room when it retries connecting.
      # If false, it will only report when it stops retrying.
      report_connection_retry: true
      # Maximum number of seconds to wait for chats to be sent at startup.
      # If this is too low and you have lots of chats, it could cause backfilling to fail.
      chat_list_wait: 30
      # Maximum number of seconds to wait to sync portals before force unlocking message processing.
      # If this is too low and you have lots of chats, it could cause backfilling to fail.
      portal_sync_wait: 600

      # Whether or not to send call start/end notices to Matrix.
      call_notices:
          start: true
          end: true

      # Number of chats to sync for new users.
      initial_chat_sync_count: 10
      # Number of old messages to fill when creating new portal rooms.
      initial_history_fill_count: 20
      # Maximum number of chats to sync when recovering from downtime.
      # Set to -1 to sync all new chats during downtime.
      recovery_chat_sync_limit: -1
      # Whether or not to sync history when recovering from downtime.
      recovery_history_backfill: true
      # Maximum number of seconds since last message in chat to skip
      # syncing the chat in any case. This setting will take priority
      # over both recovery_chat_sync_limit and initial_chat_sync_count.
      # Default is 3 days = 259200 seconds
      sync_max_chat_age: 259200

      # Whether or not to sync with custom puppets to receive EDUs that
      # are not normally sent to appservices.
      sync_with_custom_puppets: true
      # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
      #
      # If set, custom puppets will be enabled automatically for local users
      # instead of users having to find an access token and run `login-matrix`
      # manually.
      login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }}

      # Whether or not to invite own WhatsApp user's Matrix puppet into private
      # chat portals when backfilling if needed.
      # This always uses the default puppet instead of custom puppets due to
      # rate limits and timestamp massaging.
      invite_own_puppet_for_backfilling: true
      # Whether or not to explicitly set the avatar and room name for private
      # chat portal rooms. This can be useful if the previous field works fine,
      # but causes room avatar/name bugs.
      private_chat_portal_meta: false

      # Allow invite permission for user. User can invite any bots to room with whatsapp
      # users (private chat and groups)
      allow_user_invite: false

      # The prefix for commands. Only required in non-management rooms.
      command_prefix: "!wa"

      # Permissions for using the bridge.
      # Permitted values:
      #     user - Access to use the bridge to chat with a WhatsApp account.
      #    admin - User level and some additional administration tools
      # Permitted keys:
      #        * - All Matrix users
      #   domain - All users on that homeserver
      #     mxid - Specific user
      permissions:
          "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user

      relaybot:
          # Whether or not relaybot support is enabled.
          enabled: false
          # The management room for the bot. This is where all status notifications are posted and
          # in this room, you can use `!wa <command>` instead of `!wa relaybot <command>`. Omitting
          # the command prefix completely like in user management rooms is not possible.
          management: '!foo:example.com'
          # List of users to invite to all created rooms that include the relaybot.
          invites: []
          # The formats to use when sending messages to WhatsApp via the relaybot.
          message_formats:
              m.text: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
              m.notice: "<b>{{ '{{ .Sender.Displayname }}' }}</b>:: {{ '{{ .Message }}' }}"
              m.emote: "* <b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
              m.file: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a file"
              m.image: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an image"
              m.audio: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an audio file"
              m.video: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a video"
              m.location: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a location"
  # Logging config.
  logging:
      # The directory for log files. Will be created if not found.
      directory: ./logs
      # Available variables: .Date for the file date and .Index for different log files on the same day.
      file_name_format: "{{ '{{.Date}}-{{.Index}}.log' }}"
      # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants
      file_date_format: "2006-01-02"
      # Log file permissions.
      file_mode: 0600
      # Timestamp format for log entries in the Go time format.
      timestamp_format: "Jan _2, 2006 15:04:05"
      # Minimum severity for log messages.
      # Options: debug, info, warn, error, fatal
      print_level: debug
 matrix_mautrix_whatsapp_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mautrix_whatsapp_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2
@@ -0,0 +1,169 @@
 #jinja2: lstrip_blocks: "True"
 # Homeserver details.
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: {{ matrix_mautrix_whatsapp_homeserver_address }}
    # The domain of the homeserver (for MXIDs, etc).
    domain: {{ matrix_mautrix_whatsapp_homeserver_domain }}
 # Application service host/registration related details.
 # Changing these values requires regeneration of the registration.

 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_whatsapp_appservice_address }}

    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 8080

    # Database config.
    database:
        # The database type. "sqlite3" and "postgres" are supported.
        type: sqlite3
        # The database URI.
        #   SQLite: File name is enough. https://github.com/mattn/go-sqlite3#connection-string
        #   Postgres: Connection string. For example, postgres://user:password@host/database
        uri: mautrix-whatsapp.db
        # Maximum number of connections. Mostly relevant for Postgres.
        max_open_conns: 20
        max_idle_conns: 2

    # Path to the Matrix room state store.
    state_store_path: ./mx-state.json

    # The unique ID of this appservice.
    id: whatsapp
    # Appservice bot details.
    bot:
        # Username of the appservice bot.
        username: whatsappbot
        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
        # to leave display name/avatar as-is.
        displayname: WhatsApp bridge bot
        avatar: mxc://maunium.net/NeXNQarUbrlYBiPCpprYsRqr

    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}"
    hs_token: "{{ matrix_mautrix_whatsapp_homeserver_token }}"

 # Bridge config
 bridge:
    # Localpart template of MXIDs for WhatsApp users.
    # {{ '{{.}}' }} is replaced with the phone number of the WhatsApp user.
    username_template: "{{ 'whatsapp_{{.}}' }}"
    # Displayname template for WhatsApp users.
    # {{ '{{.Notify'}}' }} - nickname set by the WhatsApp user
    # {{ '{{.Jid}}' }}    - phone number (international format)
    # The following variables are also available, but will cause problems on multi-user instances:
    # {{ '{{.Name}}' }}   - display name from contact list
    # {{ '{{.Short}}' }}  - short display name from contact list
    displayname_template: "{{ '{{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}} (WA)' }}"
    # WhatsApp connection timeout in seconds.
    connection_timeout: 20
    # Maximum number of times to retry connecting on connection error.
    max_connection_attempts: 3
    # Number of seconds to wait between connection attempts.
    # Negative numbers are exponential backoff: -connection_retry_delay + 1 + 2^attempts
    connection_retry_delay: -1
    # Whether or not the bridge should send a notice to the user's management room when it retries connecting.
    # If false, it will only report when it stops retrying.
    report_connection_retry: true
    # Maximum number of seconds to wait for chats to be sent at startup.
    # If this is too low and you have lots of chats, it could cause backfilling to fail.
    chat_list_wait: 30
    # Maximum number of seconds to wait to sync portals before force unlocking message processing.
    # If this is too low and you have lots of chats, it could cause backfilling to fail.
    portal_sync_wait: 600

    # Whether or not to send call start/end notices to Matrix.
    call_notices:
        start: true
        end: true

    # Number of chats to sync for new users.
    initial_chat_sync_count: 10
    # Number of old messages to fill when creating new portal rooms.
    initial_history_fill_count: 20
    # Maximum number of chats to sync when recovering from downtime.
    # Set to -1 to sync all new chats during downtime.
    recovery_chat_sync_limit: -1
    # Whether or not to sync history when recovering from downtime.
    recovery_history_backfill: true
    # Maximum number of seconds since last message in chat to skip
    # syncing the chat in any case. This setting will take priority
    # over both recovery_chat_sync_limit and initial_chat_sync_count.
    # Default is 3 days = 259200 seconds
    sync_max_chat_age: 259200

    # Whether or not to sync with custom puppets to receive EDUs that
    # are not normally sent to appservices.
    sync_with_custom_puppets: true
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    login_shared_secret: {{ matrix_mautrix_whatsapp_login_shared_secret|to_json }}

    # Whether or not to invite own WhatsApp user's Matrix puppet into private
    # chat portals when backfilling if needed.
    # This always uses the default puppet instead of custom puppets due to
    # rate limits and timestamp massaging.
    invite_own_puppet_for_backfilling: true
    # Whether or not to explicitly set the avatar and room name for private
    # chat portal rooms. This can be useful if the previous field works fine,
    # but causes room avatar/name bugs.
    private_chat_portal_meta: false

    # Allow invite permission for user. User can invite any bots to room with whatsapp
    # users (private chat and groups)
    allow_user_invite: false

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!wa"

    # Permissions for using the bridge.
    # Permitted values:
    #     user - Access to use the bridge to chat with a WhatsApp account.
    #    admin - User level and some additional administration tools
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions:
        "{{ matrix_mautrix_whatsapp_homeserver_domain }}": user

    relaybot:
        # Whether or not relaybot support is enabled.
        enabled: false
        # The management room for the bot. This is where all status notifications are posted and
        # in this room, you can use `!wa <command>` instead of `!wa relaybot <command>`. Omitting
        # the command prefix completely like in user management rooms is not possible.
        management: '!foo:example.com'
        # List of users to invite to all created rooms that include the relaybot.
        invites: []
        # The formats to use when sending messages to WhatsApp via the relaybot.
        message_formats:
            m.text: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
            m.notice: "<b>{{ '{{ .Sender.Displayname }}' }}</b>:: {{ '{{ .Message }}' }}"
            m.emote: "* <b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
            m.file: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a file"
            m.image: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an image"
            m.audio: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an audio file"
            m.video: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a video"
            m.location: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a location"
 # Logging config.
 logging:
    # The directory for log files. Will be created if not found.
    directory: ./logs
    # Available variables: .Date for the file date and .Index for different log files on the same day.
    file_name_format: "{{ '{{.Date}}-{{.Index}}.log' }}"
    # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants
    file_date_format: "2006-01-02"
    # Log file permissions.
    file_mode: 0600
    # Timestamp format for log entries in the Go time format.
    timestamp_format: "Jan _2, 2006 15:04:05"
    # Minimum severity for log messages.
    # Options: debug, info, warn, error, fatal
    print_level: debug
--- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
@@ -11,13 +11,13 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp
 ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-whatsapp \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -31,8 +31,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \
 			{{ matrix_mautrix_whatsapp_docker_image }} \
 			/usr/bin/mautrix-whatsapp -c /config/config.yaml -r /config/registration.yaml

 ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp
 ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-whatsapp
--- a/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/defaults/main.yml
@@ -56,145 +56,7 @@ matrix_mx_puppet_skype_login_shared_secret: ''
 #
 # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_skype_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mx_puppet_skype_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  bridge:
    # Address for the bridge to bind to; if running as a Docker container, you
    # probably want 0.0.0.0 here
    bindAddress: 0.0.0.0
    # Port to host the bridge on which your homeserver will connect to
    port: {{ matrix_mx_puppet_skype_appservice_port }}
    # Name of your homeserver
    domain: {{ matrix_domain }}
    # URL where the bridge can connect to your homeserver
    homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }}
    # Optionally specify a different media URL used for the media store
    mediaURL: https://{{ matrix_server_fqn_matrix }}
    # This enabled automatic double-puppeting:
    # A map for shared secrets of the homeserver URL to the shared secret
    # See https://github.com/devture/matrix-synapse-shared-secret-auth
    #loginSharedSecretMap:
    #  yourserver.com: supersecretsharedsecret
    {% if matrix_mx_puppet_skype_login_shared_secret != '' %}
    loginSharedSecretMap:
      {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }}
    {% endif %}
    # optionally override the display name of the bridge bot
    #displayname: Protocol Bot
    # optionally set the avatar of the bridge bot
    #avatarUrl: mxc://yourserver.com/somefile

  logging:
    # Log level of console output
    # Allowed values starting with most verbose:
    # silly, debug, verbose, info, warn, error
    console: info
    # Optionally, you can apply filters to the console logging
    #console:
    #  level: info
    #  enabled:
    #    - Store
    #  disabled:
    #    - PresenceHandler

    # Date and time formatting
    lineDateFormat: MMM-D HH:mm:ss.SSS
    # Logging files
    # Log files are rotated daily by default
    files:
      # Log file path
      - file: "/data/bridge.log"
        # Log level for this file
        # Allowed values starting with most verbose:
        # silly, debug, verbose, info, warn, error
        level: info
        # Date and time formatting
        datePattern: YYYY-MM-DD
        # Maximum number of logs to keep.
        # This can be a number of files or number of days.
        # If using days, add 'd' as a suffix
        maxFiles: 14d
        # Maximum size of the file after which it will rotate. This can be a
        # number of bytes, or units of kb, mb, and gb. If using the units, add
        # 'k', 'm', or 'g' as the suffix
        maxSize: 50m
        # Optionally enable/disable logging for certain modules
        #disabled:
        #  - PresenceHandler
        #  - module: bot-sdk-MatrixLiteClient
        #    regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log
        #enabled:
        #  - Store

  database:
    # Use Postgres as a database backend
    # If set, will be used instead of SQLite3
    # Connection string to connect to the Postgres instance
    # with username "user", password "pass", host "localhost" and database name "dbname".
    # Modify each value as necessary
    #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
    # Use SQLite3 as a database backend
    # The name of the database file
    filename: /data/database.db

  provisioning:
    # Regex of Matrix IDs allowed to use the puppet bridge
    whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }}
      # Allow a specific user
      #- "@user:server\\.com"
      # Allow users on a specific homeserver
      #- "@.*:yourserver\\.com"
      # Allow anyone
      #- ".*"

    # Regex of Matrix IDs forbidden from using the puppet bridge
    #blacklist:
      # Disallow a specific user
      #- "@user:server\\.com"
      # Disallow users on a specific homeserver
      #- "@.*:yourserver\\.com"
    blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }}

  presence:
    # Bridge online/offline status
    enabled: true
    # How often to send status to the homeserver in milliseconds
    interval: 500
    # if the im.vector.user_status state setting should be diabled
    #disableStatusState: false
    # A blacklist of remote user IDs for the im.vector.user_status state setting
    #statusStateBlacklist:
    # - baduser

  relay:
    # Regex of Matrix IDs to allow to use the relay mode
    # Same format as in provisioning
    #whitelist:
      #- "@.*:yourserver\\.com"
    whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }}

    #blacklist:
      #- "@user:yourserver\\.com"
    blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }}

  # Map certain homeserver URLs to the C-S API endpoint
  # Useful for double-puppeting if .well-known is unavailable for some reason
  #homeserverUrlMap:
  #  yourserver.com: http://localhost:1234

  namePatterns:
    # Override the protocols set default name patterns
    # Which variables are available depends on protocol implementation
    user: :name
    room: :name

  limits:
    # Up to how many users should be auto-joined on room creation? -1 to disable
    # Defaults to 200
    maxAutojoinUsers: 200
    # How long the delay between two autojoin users should be, in millisectonds.
    # Defaults to 5000
    roomUserAutojoinDelay: 5000
 matrix_mx_puppet_skype_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mx_puppet_skype_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2
@@ -0,0 +1,138 @@
 #jinja2: lstrip_blocks: "True"
 bridge:
  # Address for the bridge to bind to; if running as a Docker container, you
  # probably want 0.0.0.0 here
  bindAddress: 0.0.0.0
  # Port to host the bridge on which your homeserver will connect to
  port: {{ matrix_mx_puppet_skype_appservice_port }}
  # Name of your homeserver
  domain: {{ matrix_domain }}
  # URL where the bridge can connect to your homeserver
  homeserverUrl: {{ matrix_mx_puppet_skype_homeserver_address }}
  # Optionally specify a different media URL used for the media store
  mediaURL: https://{{ matrix_server_fqn_matrix }}
  # This enabled automatic double-puppeting:
  # A map for shared secrets of the homeserver URL to the shared secret
  # See https://github.com/devture/matrix-synapse-shared-secret-auth
  #loginSharedSecretMap:
  #  yourserver.com: supersecretsharedsecret
  {% if matrix_mx_puppet_skype_login_shared_secret != '' %}
  loginSharedSecretMap:
    {{ matrix_domain }}: {{ matrix_mx_puppet_skype_login_shared_secret }}
  {% endif %}
  # optionally override the display name of the bridge bot
  #displayname: Protocol Bot
  # optionally set the avatar of the bridge bot
  #avatarUrl: mxc://yourserver.com/somefile

 logging:
  # Log level of console output
  # Allowed values starting with most verbose:
  # silly, debug, verbose, info, warn, error
  console: info
  # Optionally, you can apply filters to the console logging
  #console:
  #  level: info
  #  enabled:
  #    - Store
  #  disabled:
  #    - PresenceHandler

  # Date and time formatting
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
  files:
    # Log file path
    - file: "/data/bridge.log"
      # Log level for this file
      # Allowed values starting with most verbose:
      # silly, debug, verbose, info, warn, error
      level: info
      # Date and time formatting
      datePattern: YYYY-MM-DD
      # Maximum number of logs to keep.
      # This can be a number of files or number of days.
      # If using days, add 'd' as a suffix
      maxFiles: 14d
      # Maximum size of the file after which it will rotate. This can be a
      # number of bytes, or units of kb, mb, and gb. If using the units, add
      # 'k', 'm', or 'g' as the suffix
      maxSize: 50m
      # Optionally enable/disable logging for certain modules
      #disabled:
      #  - PresenceHandler
      #  - module: bot-sdk-MatrixLiteClient
      #    regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log
      #enabled:
      #  - Store

 database:
  # Use Postgres as a database backend
  # If set, will be used instead of SQLite3
  # Connection string to connect to the Postgres instance
  # with username "user", password "pass", host "localhost" and database name "dbname".
  # Modify each value as necessary
  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
  # Use SQLite3 as a database backend
  # The name of the database file
  filename: /data/database.db

 provisioning:
  # Regex of Matrix IDs allowed to use the puppet bridge
  whitelist: {{ matrix_mx_puppet_skype_provisioning_whitelist|to_json }}
    # Allow a specific user
    #- "@user:server\\.com"
    # Allow users on a specific homeserver
    #- "@.*:yourserver\\.com"
    # Allow anyone
    #- ".*"

  # Regex of Matrix IDs forbidden from using the puppet bridge
  #blacklist:
    # Disallow a specific user
    #- "@user:server\\.com"
    # Disallow users on a specific homeserver
    #- "@.*:yourserver\\.com"
  blacklist: {{ matrix_mx_puppet_skype_provisioning_blacklist|to_json }}

 presence:
  # Bridge online/offline status
  enabled: true
  # How often to send status to the homeserver in milliseconds
  interval: 500
  # if the im.vector.user_status state setting should be diabled
  #disableStatusState: false
  # A blacklist of remote user IDs for the im.vector.user_status state setting
  #statusStateBlacklist:
  # - baduser

 relay:
  # Regex of Matrix IDs to allow to use the relay mode
  # Same format as in provisioning
  #whitelist:
    #- "@.*:yourserver\\.com"
  whitelist: {{ matrix_mx_puppet_skype_relay_whitelist|to_json }}

  #blacklist:
    #- "@user:yourserver\\.com"
  blacklist: {{ matrix_mx_puppet_skype_relay_blacklist|to_json }}

 # Map certain homeserver URLs to the C-S API endpoint
 # Useful for double-puppeting if .well-known is unavailable for some reason
 #homeserverUrlMap:
 #  yourserver.com: http://localhost:1234

 namePatterns:
  # Override the protocols set default name patterns
  # Which variables are available depends on protocol implementation
  user: :name
  room: :name

 limits:
  # Up to how many users should be auto-joined on room creation? -1 to disable
  # Defaults to 200
  maxAutojoinUsers: 200
  # How long the delay between two autojoin users should be, in millisectonds.
  # Defaults to 5000
  roomUserAutojoinDelay: 5000
--- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
@@ -11,13 +11,13 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-skype
 ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-skype
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-skype \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -31,8 +31,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-skype \
 			{% endfor %}
 			{{ matrix_mx_puppet_skype_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-mx-puppet-skype
 ExecStop=-/usr/bin/docker rm matrix-mx-puppet-skype
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mx-puppet-skype
--- a/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/defaults/main.yml
@@ -5,6 +5,11 @@ matrix_mx_puppet_slack_enabled: true

 matrix_mx_puppet_slack_container_image_self_build: false

 # Controls whether the mx-puppet-slack container exposes its HTTP port (tcp/8432 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8432"), or empty string to not expose.
 matrix_mx_puppet_slack_container_http_host_bind_port: ''

 matrix_mx_puppet_slack_docker_image: "sorunome/mx-puppet-slack:latest"
 matrix_mx_puppet_slack_docker_image_force_pull: "{{ matrix_mx_puppet_slack_docker_image.endswith(':latest') }}"

@@ -47,104 +52,15 @@ matrix_mx_puppet_slack_systemd_wanted_services_list: []
 matrix_mx_puppet_slack_appservice_token: ''
 matrix_mx_puppet_slack_homeserver_token: ''

 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mx_puppet_slack_login_shared_secret: ''

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_mx_puppet_slack_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mx_puppet_slack_configuration_yaml: |
  #jinja2: lstrip_blocks: "True"
  bridge:
    # Port to host the bridge on
    # Used for communication between the homeserver and the bridge
    port: {{ matrix_mx_puppet_slack_appservice_port }}
    # The host connections to the bridge's webserver are allowed from
    bindAddress: 0.0.0.0
    # Public domain of the homeserver
    domain: {{ matrix_mx_puppet_slack_homeserver_domain }}
    # Reachable URL of the Matrix homeserver
    homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }}


  # Slack OAuth settings. Create a slack app at https://api.slack.com/apps
  oauth:
    enabled: false
    # Slack app credentials.
    # N.B. This must be quoted so YAML wouldn't parse it as a float.
    clientId: "{{ matrix_mx_puppet_slack_client_id }}"
    clientSecret: {{ matrix_mx_puppet_slack_client_secret }}
    # Path where to listen for OAuth redirect callbacks.
    redirectPath: {{ matrix_mx_puppet_slack_redirect_path }}
    # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path,
    # then set this field and the Slack app redirect URI field to the former.
    redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }}

  presence:
    # Bridge Discord online/offline status
    enabled: true
    # How often to send status to the homeserver in milliseconds
    interval: 500

  provisioning:
    # Regex of Matrix IDs allowed to use the puppet bridge
    whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }}
      # Allow a specific user
      #- "@user:server\\.com"
      # Allow users on a specific homeserver
      #- "@.*:yourserver\\.com"
      # Allow anyone
      #- ".*"
    # Regex of Matrix IDs forbidden from using the puppet bridge
    #blacklist:
      # Disallow a specific user
      #- "@user:server\\.com"
      # Disallow users on a specific homeserver
      #- "@.*:yourserver\\.com"
    blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }}

    # Shared secret for the provisioning API for use by integration managers.
    # If this is not set, the provisioning API will not be enabled.
    #sharedSecret: random string
    # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically.
    apiPrefix: /_matrix/provision

  database:
    # Use Postgres as a database backend
    # If set, will be used instead of SQLite3
    # Connection string to connect to the Postgres instance
    # with username "user", password "pass", host "localhost" and database name "dbname".
    # Modify each value as necessary
    #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
    # Use SQLite3 as a database backend
    # The name of the database file
    filename: /data/database.db

  logging:
    # Log level of console output
    # Allowed values starting with most verbose:
    # silly, debug, verbose, info, warn, error
    console: info
    # Date and time formatting
    lineDateFormat: MMM-D HH:mm:ss.SSS
    # Logging files
    # Log files are rotated daily by default
    files:
      # Log file path
      - file: "/data/bridge.log"
        # Log level for this file
        # Allowed values starting with most verbose:
        # silly, debug, verbose, info, warn, error
        level: info
        # Date and time formatting
        datePattern: YYYY-MM-DD
        # Maximum number of logs to keep.
        # This can be a number of files or number of days.
        # If using days, add 'd' as a suffix
        maxFiles: 14d
        # Maximum size of the file after which it will rotate. This can be a
        # number of bytes, or units of kb, mb, and gb. If using the units, add
        # 'k', 'm', or 'g' as the suffix
        maxSize: 50m
 matrix_mx_puppet_slack_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mx_puppet_slack_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
--- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@@ -50,17 +50,17 @@
        }}
  tags:
   - always
  when: matrix_appservice_slack_enabled|bool
  when: matrix_mx_puppet_slack_enabled|bool

 - name: Warn about reverse-proxying if matrix-nginx-proxy not used
  debug:
    msg: >-
      NOTE: You've enabled the Matrix Slack bridge but are not using the matrix-nginx-proxy
      reverse proxy.
      Please make sure that you're proxying the `{{ something }}`
      URL endpoint to the matrix-appservice-slack container.
      Please make sure that you're proxying the `{{ matrix_mx_puppet_slack_redirect_path }}`
      URL endpoint to the matrix-mx-puppet-slack container.
      You can expose the container's port using the `matrix_appservice_slack_container_http_host_bind_port` variable.
  when: "matrix_appservice_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"
  when: "matrix_mx_puppet_slack_enabled|bool and matrix_nginx_proxy_enabled is not defined"

 # ansible lower than 2.8, does not support docker_image build parameters
 # for self buildig it is explicitly needed, so we rather fail here
--- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2
@@ -0,0 +1,96 @@
 #jinja2: lstrip_blocks: "True"
 bridge:
  # Port to host the bridge on
  # Used for communication between the homeserver and the bridge
  port: {{ matrix_mx_puppet_slack_appservice_port }}
  # The host connections to the bridge's webserver are allowed from
  bindAddress: 0.0.0.0
  # Public domain of the homeserver
  domain: {{ matrix_mx_puppet_slack_homeserver_domain }}
  # Reachable URL of the Matrix homeserver
  homeserverUrl: {{ matrix_mx_puppet_slack_homeserver_address }}
  {% if matrix_mx_puppet_slack_login_shared_secret != '' %}
  loginSharedSecretMap:
    {{ matrix_domain }}: {{ matrix_mx_puppet_slack_login_shared_secret }}
  {% endif %}


 # Slack OAuth settings. Create a slack app at https://api.slack.com/apps
 oauth:
  enabled: true
  # Slack app credentials.
  # N.B. This must be quoted so YAML wouldn't parse it as a float.
  clientId: "{{ matrix_mx_puppet_slack_client_id }}"
  clientSecret: {{ matrix_mx_puppet_slack_client_secret }}
  # Path where to listen for OAuth redirect callbacks.
  redirectPath: {{ matrix_mx_puppet_slack_redirect_path }}
  # Set up proxying from https://your.domain/redirect_path to http://bindAddress:port/redirect_path,
  # then set this field and the Slack app redirect URI field to the former.
  redirectUri: {{ matrix_mx_puppet_slack_redirect_uri }}

 presence:
  # Bridge Discord online/offline status
  enabled: true
  # How often to send status to the homeserver in milliseconds
  interval: 500

 provisioning:
  # Regex of Matrix IDs allowed to use the puppet bridge
  whitelist: {{ matrix_mx_puppet_slack_provisioning_whitelist|to_json }}
    # Allow a specific user
    #- "@user:server\\.com"
    # Allow users on a specific homeserver
    #- "@.*:yourserver\\.com"
    # Allow anyone
    #- ".*"
  # Regex of Matrix IDs forbidden from using the puppet bridge
  #blacklist:
    # Disallow a specific user
    #- "@user:server\\.com"
    # Disallow users on a specific homeserver
    #- "@.*:yourserver\\.com"
  blacklist: {{ matrix_mx_puppet_slack_provisioning_blacklist|to_json }}

  # Shared secret for the provisioning API for use by integration managers.
  # If this is not set, the provisioning API will not be enabled.
  #sharedSecret: random string
  # Path prefix for the provisioning API. /v1 will be appended to the prefix automatically.
  apiPrefix: /_matrix/provision

 database:
  # Use Postgres as a database backend
  # If set, will be used instead of SQLite3
  # Connection string to connect to the Postgres instance
  # with username "user", password "pass", host "localhost" and database name "dbname".
  # Modify each value as necessary
  #connString: "postgres://user:pass@localhost/dbname?sslmode=disable"
  # Use SQLite3 as a database backend
  # The name of the database file
  filename: /data/database.db

 logging:
  # Log level of console output
  # Allowed values starting with most verbose:
  # silly, debug, verbose, info, warn, error
  console: info
  # Date and time formatting
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
  files:
    # Log file path
    - file: "/data/bridge.log"
      # Log level for this file
      # Allowed values starting with most verbose:
      # silly, debug, verbose, info, warn, error
      level: info
      # Date and time formatting
      datePattern: YYYY-MM-DD
      # Maximum number of logs to keep.
      # This can be a number of files or number of days.
      # If using days, add 'd' as a suffix
      maxFiles: 14d
      # Maximum size of the file after which it will rotate. This can be a
      # number of bytes, or units of kb, mb, and gb. If using the units, add
      # 'k', 'm', or 'g' as the suffix
      maxSize: 50m
--- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
@@ -11,17 +11,20 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mx-puppet-slack
 ExecStartPre=-/usr/bin/docker rm matrix-mx-puppet-slack
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack

 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre=/bin/sleep 5
 ExecStartPre={{ matrix_host_command_sleep }} 5

 ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mx-puppet-slack \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_mx_puppet_slack_container_http_host_bind_port %}
 			-p {{ matrix_mx_puppet_slack_container_http_host_bind_port }}:{{ matrix_mx_puppet_slack_appservice_port }} \
 			{% endif %}
 			-e CONFIG_PATH=/config/config.yaml \
 			-e REGISTRATION_PATH=/config/registration.yaml \
 			-v {{ matrix_mx_puppet_slack_config_path }}:/config:z \
@@ -31,8 +34,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mx-puppet-slack \
 			{% endfor %}
 			{{ matrix_mx_puppet_slack_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-mx-puppet-slack
 ExecStop=-/usr/bin/docker rm matrix-mx-puppet-slack
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mx-puppet-slack
--- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
+++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-corporal
 ExecStartPre=-/usr/bin/docker rm matrix-corporal
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal

 ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-corporal \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -32,8 +32,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
 			{{ matrix_corporal_docker_image }} \
 			/matrix-corporal -config=/etc/matrix-corporal/config.json

 ExecStop=-/usr/bin/docker kill matrix-corporal
 ExecStop=-/usr/bin/docker rm matrix-corporal
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-corporal
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-corporal
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-corporal
--- a/roles/matrix-coturn/tasks/setup_coturn.yml
+++ b/roles/matrix-coturn/tasks/setup_coturn.yml
@@ -99,7 +99,7 @@
    hour: "4"
    minute: "20"
    day: "*/5"
    job: /bin/systemctl reload matrix-coturn.service
    job: "{{ matrix_host_command_systemctl }} reload matrix-coturn.service"
  when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"


--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-coturn
 ExecStartPre=-/usr/bin/docker rm matrix-coturn
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn

 ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-coturn \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -40,12 +40,12 @@ ExecStart=/usr/bin/docker run --rm --name matrix-coturn \
 			{{ matrix_coturn_docker_image }} \
 			-c /turnserver.conf

 ExecStop=-/usr/bin/docker kill matrix-coturn
 ExecStop=-/usr/bin/docker rm matrix-coturn
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-coturn
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-coturn

 # This only reloads certificates (not other configuration).
 # See: https://github.com/coturn/coturn/pull/236
 ExecReload=/usr/bin/docker exec matrix-coturn kill -USR2 1
 ExecReload={{ matrix_host_command_docker }} exec matrix-coturn kill -USR2 1

 Restart=always
 RestartSec=30
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@@ -39,89 +39,7 @@ matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:8048"
 #
 # For a more advanced customization, you can extend the default (see `matrix_dimension_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_dimension_configuration_yaml: |
  #jinja2: lstrip_blocks: True
  # The web settings for the service (API and UI).
  # It is best to have this run on localhost and use a reverse proxy to access Dimension.
  web:
    port: 8184
    address: '0.0.0.0'

  # Homeserver configuration
  homeserver:
    # The domain name of the homeserver. This is used in many places, such as with go-neb
    # setups, to identify the homeserver.
    name: "{{ matrix_domain }}"

    # The URL that Dimension, go-neb, and other services provisioned by Dimension should
    # use to access the homeserver with.
    clientServerUrl: "http://matrix-synapse:8008"

    # The URL that Dimension should use when trying to communicate with federated APIs on
    # the homeserver. If not supplied or left empty Dimension will try to resolve the address
    # through the normal federation process.
    federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}"

    # The URL that Dimension will redirect media requests to for downloading media such as
    # stickers. If not supplied or left empty Dimension will use the clientServerUrl.
    mediaUrl: "https://{{ matrix_server_fqn_matrix }}"

    # The access token Dimension should use for miscellaneous access to the homeserver. This
    # should be for a user on the configured homeserver: any user will do, however it is
    # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on
    # how to acquire an access token, visit https://t2bot.io/docs/access_tokens
    accessToken: "{{ matrix_dimension_access_token }}"

  # These users can modify the integrations this Dimension supports.
  # To access the admin interface, open Dimension in Riot and click the settings icon.
  admins: {{ matrix_dimension_admins|to_json }}

  # IPs and CIDR ranges listed here will be blocked from being widgets.
  # Note: Widgets may still be embedded with restricted content, although not through Dimension directly.
  widgetBlacklist:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 127.0.0.0/8

  # Where the database for Dimension is
  database:
    file: "dimension.db"

  # Display settings that apply to self-hosted go-neb instances
  goneb:
    # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver
    # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot,
    # make the bot's avatar an empty string.
    avatars:
      giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27"
      imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513"
      github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1"
      wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1"
      travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8"
      rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3"
      google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142"
      guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526"
      echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13"
      circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee"
      jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329"

  # Settings for how Dimension is represented to the public
  dimension:
    # This is where Dimension is accessible from clients. Be sure to set this
    # to your own Dimension instance.
    publicUrl: "https://{{ matrix_server_fqn_dimension }}"

  # Settings for controlling how logging works
  logging:
    file: /dev/null
    console: true
    consoleLevel: verbose
    fileLevel: info
    rotate:
      size: 52428800 # bytes, default is 50mb
      count: 5

 matrix_dimension_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_dimension_configuration_extension_yaml: |
  # Your custom YAML configuration for Dimension goes here.
--- a/roles/matrix-dimension/templates/config.yaml.j2
+++ b/roles/matrix-dimension/templates/config.yaml.j2
@@ -0,0 +1,81 @@
 #jinja2: lstrip_blocks: True
 # The web settings for the service (API and UI).
 # It is best to have this run on localhost and use a reverse proxy to access Dimension.
 web:
  port: 8184
  address: '0.0.0.0'

 # Homeserver configuration
 homeserver:
  # The domain name of the homeserver. This is used in many places, such as with go-neb
  # setups, to identify the homeserver.
  name: "{{ matrix_domain }}"

  # The URL that Dimension, go-neb, and other services provisioned by Dimension should
  # use to access the homeserver with.
  clientServerUrl: "http://matrix-synapse:8008"

  # The URL that Dimension should use when trying to communicate with federated APIs on
  # the homeserver. If not supplied or left empty Dimension will try to resolve the address
  # through the normal federation process.
  federationUrl: "{{ matrix_dimension_homeserver_federationUrl }}"

  # The URL that Dimension will redirect media requests to for downloading media such as
  # stickers. If not supplied or left empty Dimension will use the clientServerUrl.
  mediaUrl: "https://{{ matrix_server_fqn_matrix }}"

  # The access token Dimension should use for miscellaneous access to the homeserver. This
  # should be for a user on the configured homeserver: any user will do, however it is
  # recommended to use a dedicated user (such as @dimension:t2bot.io). For information on
  # how to acquire an access token, visit https://t2bot.io/docs/access_tokens
  accessToken: "{{ matrix_dimension_access_token }}"

 # These users can modify the integrations this Dimension supports.
 # To access the admin interface, open Dimension in Riot and click the settings icon.
 admins: {{ matrix_dimension_admins|to_json }}

 # IPs and CIDR ranges listed here will be blocked from being widgets.
 # Note: Widgets may still be embedded with restricted content, although not through Dimension directly.
 widgetBlacklist:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 127.0.0.0/8

 # Where the database for Dimension is
 database:
  file: "dimension.db"

 # Display settings that apply to self-hosted go-neb instances
 goneb:
  # The avatars to set for each bot. Usually these don't need to be changed, however if your homeserver
  # is not able to reach t2bot.io then you should specify your own here. To not use an avatar for a bot,
  # make the bot's avatar an empty string.
  avatars:
    giphy: "mxc://t2bot.io/c5eaab3ef0133c1a61d3c849026deb27"
    imgur: "mxc://t2bot.io/6749eaf2b302bb2188ae931b2eeb1513"
    github: "mxc://t2bot.io/905b64b3cd8e2347f91a60c5eb0832e1"
    wikipedia: "mxc://t2bot.io/7edfb54e9ad9e13fec0df22636feedf1"
    travisci: "mxc://t2bot.io/7f4703126906fab8bb27df34a17707a8"
    rss: "mxc://t2bot.io/aace4fcbd045f30afc1b4e5f0928f2f3"
    google: "mxc://t2bot.io/636ad10742b66c4729bf89881a505142"
    guggy: "mxc://t2bot.io/e7ef0ed0ba651aaf907655704f9a7526"
    echo: "mxc://t2bot.io/3407ff2db96b4e954fcbf2c6c0415a13"
    circleci: "mxc://t2bot.io/cf7d875845a82a6b21f5f66de78f6bee"
    jira: "mxc://t2bot.io/f4a38ebcc4280ba5b950163ca3e7c329"

 # Settings for how Dimension is represented to the public
 dimension:
  # This is where Dimension is accessible from clients. Be sure to set this
  # to your own Dimension instance.
  publicUrl: "https://{{ matrix_server_fqn_dimension }}"

 # Settings for controlling how logging works
 logging:
  file: /dev/null
  console: true
  consoleLevel: verbose
  fileLevel: info
  rotate:
    size: 52428800 # bytes, default is 50mb
    count: 5
--- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
+++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
@@ -6,13 +6,13 @@ Requires=docker.service

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-dimension
 ExecStartPre=-/usr/bin/docker rm matrix-dimension
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension

 # Fixup database ownership if it got changed somehow (during a server migration, etc.)
 ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db
 ExecStartPre=-{{ matrix_host_command_chown }} {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db

 ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dimension \
 			--log-driver=none \
 			--user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \
 			--cap-drop=ALL \
@@ -29,8 +29,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
 			{% endfor %}
 			{{ matrix_dimension_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-dimension
 ExecStop=-/usr/bin/docker rm matrix-dimension
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-dimension
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-dimension
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-dimension
--- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2
+++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2
@@ -6,10 +6,10 @@ Requires=docker.service

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-email2matrix
 ExecStartPre=-/usr/bin/docker rm matrix-email2matrix
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix

 ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-email2matrix \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -22,8 +22,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \
 			{% endfor %}
 			{{ matrix_email2matrix_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-email2matrix
 ExecStop=-/usr/bin/docker rm matrix-email2matrix
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-email2matrix
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-email2matrix
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-email2matrix
--- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
+++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jicofo
 ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jicofo
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo

 ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jicofo \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_jicofo_base_path }}/env \
@@ -21,8 +21,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jicofo \
 			{% endfor %}
 			{{ matrix_jitsi_jicofo_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-jitsi-jicofo
 ExecStop=-/usr/bin/docker rm matrix-jitsi-jicofo
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-jitsi-jicofo
--- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
+++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-jitsi-jvb
 ExecStartPre=-/usr/bin/docker rm matrix-jitsi-jvb
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb

 ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-jvb \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_jvb_base_path }}/env \
@@ -27,8 +27,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-jvb \
 			{% endfor %}
 			{{ matrix_jitsi_jvb_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-jitsi-jvb
 ExecStop=-/usr/bin/docker rm matrix-jitsi-jvb
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-jitsi-jvb
--- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
+++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-jitsi-prosody
 ExecStartPre=-/usr/bin/docker rm matrix-jitsi-prosody
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody

 ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-prosody \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_prosody_base_path }}/env \
@@ -22,8 +22,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-prosody \
 			{% endfor %}
 			{{ matrix_jitsi_prosody_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-jitsi-prosody
 ExecStop=-/usr/bin/docker rm matrix-jitsi-prosody
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-jitsi-prosody
--- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-jitsi-web
 ExecStartPre=-/usr/bin/docker rm matrix-jitsi-web
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web

 ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--env-file={{ matrix_jitsi_web_base_path }}/env \
@@ -25,8 +25,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-jitsi-web \
 			{% endfor %}
 			{{ matrix_jitsi_web_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-jitsi-web
 ExecStop=-/usr/bin/docker rm matrix-jitsi-web
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-jitsi-web
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-jitsi-web
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-jitsi-web
--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@@ -85,76 +85,7 @@ matrix_ma1sd_v2_enabled: true
 #
 # For a more advanced customization, you can extend the default (see `matrix_ma1sd_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_ma1sd_configuration_yaml: |
  #jinja2: lstrip_blocks: True
  matrix:
    domain: {{ matrix_domain }}
    v1: {{ matrix_ma1sd_v1_enabled|to_json }}
    v2: {{ matrix_ma1sd_v2_enabled|to_json }}

  server:
    name: {{ matrix_server_fqn_matrix }}

  key:
    path: /var/ma1sd/sign.key

  storage:
    provider:
      sqlite:
        database: /var/ma1sd/ma1sd.db

  {% if matrix_ma1sd_dns_overwrite_enabled %}
  dns:
    overwrite:
      homeserver:
        client:
          - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
            value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
  {% endif %}

  {% if matrix_ma1sd_matrixorg_forwarding_enabled %}
  forward:
    servers: ['matrix-org']
  {% endif %}

  threepid:
    medium:
      email:
        identity:
          from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
        connectors:
          smtp:
            host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
            port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
            tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
            login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
            password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
  {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
        generators:
          template:
            {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
            invite: '/var/ma1sd/invite-template.eml'
            {% endif %}
            {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
            session:
              {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
              validation: '/var/ma1sd/validate-template.eml'
              {% endif %}
              {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
              unbind:
                frandulent: '/var/ma1sd/unbind-fraudulent.eml'
              {% endif %}
            {% endif %}
            {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
            generic:
              matrixId: '/var/ma1sd/mxid-template.eml'
            {% endif %}
  {% endif %}

  synapseSql:
    enabled: {{ matrix_ma1sd_synapsesql_enabled }}
    type: {{ matrix_ma1sd_synapsesql_type }}
    connection: {{ matrix_ma1sd_synapsesql_connection }}
 matrix_ma1sd_configuration_yaml: "{{ lookup('template', 'templates/ma1sd.yaml.j2') }}"

 matrix_ma1sd_configuration_extension_yaml: |
  # Your custom YAML configuration for ma1sd goes here.
--- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2
+++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2
@@ -0,0 +1,69 @@
 #jinja2: lstrip_blocks: True
 matrix:
  domain: {{ matrix_domain }}
  v1: {{ matrix_ma1sd_v1_enabled|to_json }}
  v2: {{ matrix_ma1sd_v2_enabled|to_json }}

 server:
  name: {{ matrix_server_fqn_matrix }}

 key:
  path: /var/ma1sd/sign.key

 storage:
  provider:
    sqlite:
      database: /var/ma1sd/ma1sd.db

 {% if matrix_ma1sd_dns_overwrite_enabled %}
 dns:
  overwrite:
    homeserver:
      client:
        - name: {{ matrix_ma1sd_dns_overwrite_homeserver_client_name }}
          value: {{ matrix_ma1sd_dns_overwrite_homeserver_client_value }}
 {% endif %}

 {% if matrix_ma1sd_matrixorg_forwarding_enabled %}
 forward:
  servers: ['matrix-org']
 {% endif %}

 threepid:
  medium:
    email:
      identity:
        from: {{ matrix_ma1sd_threepid_medium_email_identity_from }}
      connectors:
        smtp:
          host: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_host }}
          port: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_port }}
          tls: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_tls }}
          login: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_login }}
          password: {{ matrix_ma1sd_threepid_medium_email_connectors_smtp_password }}
 {% if matrix_ma1sd_threepid_medium_email_custom_templates_enabled %}
      generators:
        template:
          {% if matrix_ma1sd_threepid_medium_email_custom_invite_template %}
          invite: '/var/ma1sd/invite-template.eml'
          {% endif %}
          {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template or matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
          session:
            {% if matrix_ma1sd_threepid_medium_email_custom_session_validation_template %}
            validation: '/var/ma1sd/validate-template.eml'
            {% endif %}
            {% if matrix_ma1sd_threepid_medium_email_custom_unbind_fraudulent_template %}
            unbind:
              frandulent: '/var/ma1sd/unbind-fraudulent.eml'
            {% endif %}
          {% endif %}
          {% if matrix_ma1sd_threepid_medium_email_custom_matrixid_template %}
          generic:
            matrixId: '/var/ma1sd/mxid-template.eml'
          {% endif %}
 {% endif %}

 synapseSql:
  enabled: {{ matrix_ma1sd_synapsesql_enabled }}
  type: {{ matrix_ma1sd_synapsesql_type }}
  connection: {{ matrix_ma1sd_synapsesql_connection }}
--- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@@ -11,12 +11,12 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-ma1sd
 ExecStartPre=-/usr/bin/docker rm matrix-ma1sd
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd

 # ma1sd writes an SQLite shared library (libsqlitejdbc.so) to /tmp and executes it from there,
 # so /tmp needs to be mounted with an exec option.
 ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-ma1sd \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -36,8 +36,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-ma1sd \
 			{% endfor %}
 			{{ matrix_ma1sd_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-ma1sd
 ExecStop=-/usr/bin/docker rm matrix-ma1sd
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-ma1sd
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-ma1sd
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-ma1sd
--- a/roles/matrix-mailer/defaults/main.yml
+++ b/roles/matrix-mailer/defaults/main.yml
@@ -2,7 +2,12 @@ matrix_mailer_enabled: true

 matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"

 matrix_mailer_docker_image: "devture/exim-relay:4.92.2-r0-0"
 matrix_mailer_container_image_self_build: false
 matrix_mailer_container_image_self_build_repository_url: "https://github.com/devture/exim-relay"
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"

 matrix_mailer_docker_image: "devture/exim-relay:4.93.1-r0"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

 # The user/group that the container runs with.
--- a/roles/matrix-mailer/tasks/setup_mailer.yml
+++ b/roles/matrix-mailer/tasks/setup_mailer.yml
@@ -6,12 +6,15 @@

 - name: Ensure mailer base path exists
  file:
    path: "{{ matrix_mailer_base_path }}"
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  when: matrix_mailer_enabled|bool
  with_items:
    - { path: "{{ matrix_mailer_base_path }}", when: true }
    - { path: "{{ matrix_mailer_container_image_self_build_src_files_path }}", when: "{{ matrix_mailer_container_image_self_build }}" }
  when: "matrix_mailer_enabled|bool and item.when"

 - name: Ensure mailer environment variables file created
  template:
@@ -20,13 +23,31 @@
    mode: 0640
  when: matrix_mailer_enabled|bool

 - name: Ensure mailer image is pulled
 - name: Ensure exim-relay repository is present on self-build
  git:
    repo: "{{ matrix_mailer_container_image_self_build_repository_url }}"
    dest: "{{ matrix_mailer_container_image_self_build_src_files_path }}"
    version: "{{ matrix_mailer_container_image_self_build_version }}"
    force: "yes"
  when: "matrix_mailer_container_image_self_build|bool"

 - name: Ensure exim-relay Docker image is built
  docker_image:
    name: "{{ matrix_mailer_docker_image }}"
    source: build
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_mailer_container_image_self_build_src_files_path }}"
      pull: yes
  when: "matrix_mailer_enabled|bool and matrix_mailer_container_image_self_build|bool"

 - name: Ensure exim-relay image is pulled
  docker_image:
    name: "{{ matrix_mailer_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mailer_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_docker_image_force_pull }}"
  when: matrix_mailer_enabled|bool
  when: "matrix_mailer_enabled|bool and not matrix_mailer_container_image_self_build|bool"

 - name: Ensure matrix-mailer.service installed
  template:
--- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
+++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
@@ -6,10 +6,10 @@ Requires=docker.service

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-mailer
 ExecStartPre=-/usr/bin/docker rm matrix-mailer
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer

 ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \
 			--log-driver=none \
 			--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
 			--cap-drop=ALL \
@@ -24,8 +24,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
 			{% endfor %}
 			{{ matrix_mailer_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-mailer
 ExecStop=-/usr/bin/docker rm matrix-mailer
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mailer
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mailer
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mailer
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
 matrix_nginx_proxy_docker_image: "nginx:1.17.10-alpine"
 matrix_nginx_proxy_docker_image: "nginx:1.19.0-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@@ -220,7 +220,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []

 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
 matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.4.0"
 matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:{{ matrix_ssl_architecture }}-v1.5.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@@ -84,7 +84,7 @@
      hour: "5"
      minute: "20"
      day: "*"
      job: /bin/systemctl reload matrix-nginx-proxy.service
      job: "{{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service"
    when: matrix_nginx_proxy_enabled|bool
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
@@ -16,7 +16,7 @@
 # We suppress the error, as we'll try another method below.
 - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
  shell: >-
    /usr/bin/docker run
    {{ matrix_host_command_docker }} run
    --rm
    --name=matrix-certbot
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
@@ -43,7 +43,7 @@
 # and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
 - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
  shell: >-
    /usr/bin/docker run
    {{ matrix_host_command_docker }} run
    --rm
    --name=matrix-certbot
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2
@@ -150,7 +150,7 @@
 	}
 	{% endif %}

 	location /_synapse/admin {
 	location /_synapse {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver 127.0.0.11 valid=5s;
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -11,10 +11,10 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy

 ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-nginx-proxy \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -43,9 +43,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
 			{% endfor %}
 			{{ matrix_nginx_proxy_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
 ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
 ExecReload=/usr/bin/docker exec matrix-nginx-proxy /usr/sbin/nginx -s reload
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy
 ExecReload={{ matrix_host_command_docker }} exec matrix-nginx-proxy /usr/sbin/nginx -s reload
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-nginx-proxy
--- a/roles/matrix-postgres/defaults/main.yml
+++ b/roles/matrix-postgres/defaults/main.yml
@@ -8,10 +8,10 @@ matrix_postgres_db_name: ""
 matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
 matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"

 matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine"
 matrix_postgres_docker_image_v10: "postgres:10.12-alpine"
 matrix_postgres_docker_image_v11: "postgres:11.7-alpine"
 matrix_postgres_docker_image_v12: "postgres:12.2-alpine"
 matrix_postgres_docker_image_v9: "postgres:9.6.18-alpine"
 matrix_postgres_docker_image_v10: "postgres:10.13-alpine"
 matrix_postgres_docker_image_v11: "postgres:11.8-alpine"
 matrix_postgres_docker_image_v12: "postgres:12.3-alpine"
 matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"

 # This variable is assigned at runtime. Overriding its value has no effect.
--- a/roles/matrix-postgres/tasks/import_postgres.yml
+++ b/roles/matrix-postgres/tasks/import_postgres.yml
@@ -63,7 +63,7 @@
 - name: Generate Postgres database import command
  set_fact:
    matrix_postgres_import_command: >-
      /usr/bin/docker run --rm --name matrix-postgres-import
      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      --network={{ matrix_docker_network }}
--- a/roles/matrix-postgres/tasks/import_sqlite_db.yml
+++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml
@@ -79,6 +79,7 @@
    --network={{ matrix_docker_network }}
    --entrypoint=python
    -v {{ matrix_synapse_config_dir_path }}:/data
    -v {{ matrix_synapse_config_dir_path }}:/matrix-media-store-parent/media-store
    -v {{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro
    {{ matrix_synapse_docker_image }}
    /usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml
--- a/roles/matrix-postgres/tasks/run_synapse_janitor.yml
+++ b/roles/matrix-postgres/tasks/run_synapse_janitor.yml
@@ -66,7 +66,7 @@
 - name: Generate Postgres database synapse-janitor command
  set_fact:
    matrix_postgres_synapse_janitor_command: >-
      /usr/bin/docker run --rm --name matrix-postgres-synapse-janitor
      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-janitor
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      --network={{ matrix_docker_network }}
--- a/roles/matrix-postgres/tasks/run_vacuum.yml
+++ b/roles/matrix-postgres/tasks/run_vacuum.yml
@@ -45,7 +45,7 @@
 - name: Generate Postgres database vacuum command
  set_fact:
    matrix_postgres_vacuum_command: >-
      /usr/bin/docker run --rm --name matrix-postgres-synapse-vacuum
      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-synapse-vacuum
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      --network={{ matrix_docker_network }}
--- a/roles/matrix-postgres/tasks/upgrade_postgres.yml
+++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml
@@ -79,7 +79,7 @@
 # we need to remove these from the dump, or we'll get errors saying these already exist.
 - name: Perform Postgres database dump
  command: >-
    /usr/bin/docker run --rm --name matrix-postgres-dump
    {{ matrix_host_command_docker }} run --rm --name matrix-postgres-dump
    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
    --network={{ matrix_docker_network }}
    --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
@@ -123,7 +123,7 @@
 - name: Generate Postgres database import command
  set_fact:
    matrix_postgres_import_command: >-
      /usr/bin/docker run --rm --name matrix-postgres-import
      {{ matrix_host_command_docker }} run --rm --name matrix-postgres-import
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      --network={{ matrix_docker_network }}
--- a/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
+++ b/roles/matrix-postgres/templates/systemd/matrix-postgres.service.j2
@@ -6,10 +6,10 @@ Requires=docker.service

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker stop matrix-postgres
 ExecStartPre=-/usr/bin/docker rm matrix-postgres
 ExecStartPre=-{{ matrix_host_command_docker }} stop matrix-postgres
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-postgres

 ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-postgres \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -28,8 +28,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
 			{% endfor %}
 			{{ matrix_postgres_docker_image_to_use }}

 ExecStop=-/usr/bin/docker stop matrix-postgres
 ExecStop=-/usr/bin/docker rm matrix-postgres
 ExecStop=-{{ matrix_host_command_docker }} stop matrix-postgres
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-postgres
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-postgres
--- a/roles/matrix-riot-web/defaults/main.yml
+++ b/roles/matrix-riot-web/defaults/main.yml
@@ -2,7 +2,7 @@ matrix_riot_web_enabled: true

 matrix_riot_web_container_image_self_build: false

 matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.1"
 matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.4"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"

 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
--- a/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
+++ b/roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
@@ -8,10 +8,10 @@ After={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-riot-web
 ExecStartPre=-/usr/bin/docker rm matrix-riot-web
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-riot-web
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-riot-web

 ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-riot-web \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -22,7 +22,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
 			{% endif %}
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \
 			-v {{ matrix_riot_web_data_path }}/nginx.conf:/etc/nginx/nginx.conf:ro \
 			-v /dev/null:/etc/nginx/conf.d/default.conf:ro \
 			-v {{ matrix_riot_web_data_path }}/config.json:/app/config.json:ro \
 			-v {{ matrix_riot_web_data_path }}/config.json:/app/config.{{ matrix_server_fqn_riot }}.json:ro \
 			{% if matrix_riot_web_embedded_pages_home_path is not none %}
@@ -34,8 +33,8 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
 			{% endfor %}
 			{{ matrix_riot_web_docker_image }}

 ExecStop=-/usr/bin/docker kill matrix-riot-web
 ExecStop=-/usr/bin/docker rm matrix-riot-web
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-riot-web
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-riot-web
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-riot-web
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@@ -5,7 +5,7 @@ matrix_synapse_enabled: true

 matrix_synapse_container_image_self_build: false

 matrix_synapse_docker_image: "matrixdotorg/synapse:v1.13.0"
 matrix_synapse_docker_image: "matrixdotorg/synapse:v1.15.0"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@@ -202,12 +202,12 @@ matrix_synapse_password_config_localdb_enabled: true
 # Controls the number of events that Synapse caches in memory.
 matrix_synapse_event_cache_size: "100K"

 # Controls cache sizes for Synapse via the SYNAPSE_CACHE_FACTOR environment variable.
 # Controls cache sizes for Synapse.
 # Raise this to increase cache sizes or lower it to potentially lower memory use.
 # To learn more, see:
 # - https://github.com/matrix-org/synapse#help-synapse-eats-all-my-ram
 # - https://github.com/matrix-org/synapse/issues/3939
 matrix_synapse_cache_factor: 0.5
 matrix_synapse_caches_global_factor: 0.5

 # Controls whether Synapse will federate at all.
 # Disable this to completely isolate your server from the rest of the Matrix network.
@@ -299,7 +299,7 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals
 # Enable this to activate the Shared Secret Auth password provider module.
 # See: https://github.com/devture/matrix-synapse-shared-secret-auth
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
 matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.1/shared_secret_authenticator.py"
 matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/1.0.2/shared_secret_authenticator.py"
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""

 # Enable this to activate LDAP password provider
@@ -357,7 +357,7 @@ matrix_synapse_default_room_version: "5"
 #
 # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime.
 # If not, you can also control its value manually.
 matrix_synapse_spam_checker: ~
 matrix_synapse_spam_checker: []

 matrix_synapse_trusted_key_servers:
  - server_name: "matrix.org"
--- a/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml
+++ b/roles/matrix-synapse/tasks/ext/synapse-simple-antispam/setup_install.yml
@@ -38,10 +38,15 @@
  become_user: "{{ matrix_user_username }}"

 - set_fact:
    matrix_synapse_spam_checker:
      module: "synapse_simple_antispam.AntiSpamInvites"
      config:
        blocked_homeservers: "{{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }}"
    matrix_synapse_spam_checker: >
      {{ matrix_synapse_spam_checker }}
      +
      [{
        "module": "synapse_simple_antispam.AntiSpamInvites",
        "config": {
          "blocked_homeservers": {{ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeservers }}
        }
      }]

    matrix_synapse_container_extra_arguments: >
      {{ matrix_synapse_container_extra_arguments|default([]) }}
--- a/roles/matrix-synapse/tasks/self_check_federation_api.yml
+++ b/roles/matrix-synapse/tasks/self_check_federation_api.yml
@@ -11,7 +11,7 @@

 - name: Fail if Matrix Federation API not working
  fail:
    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
  when: "matrix_synapse_enabled|bool and matrix_synapse_federation_enabled|bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"

 - name: Fail if Matrix Federation API unexpectedly enabled
--- a/roles/matrix-synapse/tasks/update_user_password.yml
+++ b/roles/matrix-synapse/tasks/update_user_password.yml
@@ -36,7 +36,7 @@
  when: "start_result.changed or postgres_start_result.changed"

 - name: Generate password hash
  shell: "/usr/bin/docker exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"
  shell: "{{ matrix_host_command_docker }} exec matrix-synapse /usr/local/bin/hash_password -c /data/homeserver.yaml -p {{ password|quote }}"
  register: password_hash

 - name: Update user password hash
--- a/roles/matrix-synapse/tasks/validate_config.yml
+++ b/roles/matrix-synapse/tasks/validate_config.yml
@@ -31,3 +31,4 @@
    - {'old': 'matrix_synapse_container_expose_client_api_port', 'new': '<superseded by matrix_synapse_container_client_api_host_bind_port>'}
    - {'old': 'matrix_synapse_container_expose_federation_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
    - {'old': 'matrix_synapse_container_expose_metrics_port', 'new': '<superseded by matrix_synapse_container_metrics_api_host_bind_port>'}
    - {'old': 'matrix_synapse_cache_factor', 'new': 'matrix_synapse_caches_global_factor'}
--- a/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
+++ b/roles/matrix-synapse/templates/goofys/systemd/matrix-goofys.service.j2
@@ -6,10 +6,10 @@ Requires=docker.service

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill %n
 ExecStartPre=-/usr/bin/docker rm %n
 ExecStartPre=-{{ matrix_host_command_docker }} kill %n
 ExecStartPre=-{{ matrix_host_command_docker }} rm %n

 ExecStart=/usr/bin/docker run --rm --name %n \
 ExecStart={{ matrix_host_command_docker }} run --rm --name %n \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			-v /etc/passwd:/etc/passwd:ro \
@@ -25,10 +25,10 @@ ExecStart=/usr/bin/docker run --rm --name %n \
 			-c 'goofys -f{% if not matrix_s3_media_store_custom_endpoint_enabled %} --storage-class=STANDARD_IA{% endif %}{% if matrix_s3_media_store_custom_endpoint_enabled %} --endpoint={{ matrix_s3_media_store_custom_endpoint }}{% endif %} --region {{ matrix_s3_media_store_region }} --stat-cache-ttl 60m0s --type-cache-ttl 60m0s --dir-mode 0700 --file-mode 0700 {{ matrix_s3_media_store_bucket_name }} /s3'

 TimeoutStartSec=5min
 ExecStop=-/usr/bin/docker stop %n
 ExecStop=-/usr/bin/docker kill %n
 ExecStop=-/usr/bin/docker rm %n
 ExecStop=-/bin/fusermount -u {{ matrix_synapse_media_store_path }}
 ExecStop=-{{ matrix_host_command_docker }} stop %n
 ExecStop=-{{ matrix_host_command_docker }} kill %n
 ExecStop=-{{ matrix_host_command_docker }} rm %n
 ExecStop=-{{ matrix_host_command_fusermount }} -u {{ matrix_synapse_media_store_path }}
 Restart=always
 RestartSec=5
 SyslogIdentifier=matrix-goofys
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -320,22 +320,27 @@ listeners:
 # Used by phonehome stats to group together related servers.
 #server_context: context

 # Resource-constrained homeserver Settings
 # Resource-constrained homeserver settings
 #
 # If limit_remote_rooms.enabled is True, the room complexity will be
 # checked before a user joins a new remote room. If it is above
 # limit_remote_rooms.complexity, it will disallow joining or
 # instantly leave.
 # When this is enabled, the room "complexity" will be checked before a user
 # joins a new remote room. If it is above the complexity limit, the server will
 # disallow joining, or will instantly leave.
 #
 # limit_remote_rooms.complexity_error can be set to customise the text
 # displayed to the user when a room above the complexity threshold has
 # its join cancelled.
 # Room complexity is an arbitrary measure based on factors such as the number of
 # users in the room.
 #
 # Uncomment the below lines to enable:
 #limit_remote_rooms:
 #  enabled: True
 #  complexity: 1.0
 #  complexity_error: "This room is too complex."
 limit_remote_rooms:
  # Uncomment to enable room complexity checking.
  #
  #enabled: true

  # the limit above which rooms cannot be joined. The default is 1.0.
  #
  #complexity: 0.5

  # override the error which is returned when the room is too complex.
  #
  #complexity_error: "This room is too complex."

 # Whether to require a user to be in the room to add an alias to it.
 # Defaults to 'true'.
@@ -605,6 +610,50 @@ acme:



 ## Caching ##

 # Caching can be configured through the following options.
 #
 # A cache 'factor' is a multiplier that can be applied to each of
 # Synapse's caches in order to increase or decrease the maximum
 # number of entries that can be stored.

 # The number of events to cache in memory. Not affected by
 # caches.global_factor.
 #
 event_cache_size: "{{ matrix_synapse_event_cache_size }}"

 caches:
   # Controls the global cache factor, which is the default cache factor
   # for all caches if a specific factor for that cache is not otherwise
   # set.
   #
   # This can also be set by the "SYNAPSE_CACHE_FACTOR" environment
   # variable. Setting by environment variable takes priority over
   # setting through the config file.
   #
   # Defaults to 0.5, which will half the size of all caches.
   #
   global_factor: {{ matrix_synapse_caches_global_factor }}

   # A dictionary of cache name to cache factor for that individual
   # cache. Overrides the global cache factor for a given cache.
   #
   # These can also be set through environment variables comprised
   # of "SYNAPSE_CACHE_FACTOR_" + the name of the cache in capital
   # letters and underscores. Setting by environment variable
   # takes priority over setting through the config file.
   # Ex. SYNAPSE_CACHE_FACTOR_GET_USERS_WHO_SHARE_ROOM_WITH_USER=2.0
   #
   # Some caches have '*' and other characters that are not
   # alphanumeric or underscores. These caches can be named with or
   # without the special characters stripped. For example, to specify
   # the cache factor for `*stateGroupCache*` via an environment
   # variable would be `SYNAPSE_CACHE_FACTOR_STATEGROUPCACHE=2.0`.
   #
   per_cache_factors:
     #get_users_who_share_room_with_user: 2.0

 ## Database ##

 database:
@@ -618,10 +667,6 @@ database:
    cp_min: 5
    cp_max: 10

 # Number of events to cache in memory.
 #
 event_cache_size: "{{ matrix_synapse_event_cache_size }}"


 ## Logging ##

@@ -884,25 +929,28 @@ url_preview_accept_language:


 ## Captcha ##
 # See docs/CAPTCHA_SETUP for full details of configuring this.
 # See docs/CAPTCHA_SETUP.md for full details of configuring this.

 # This homeserver's ReCAPTCHA public key.
 # This homeserver's ReCAPTCHA public key. Must be specified if
 # enable_registration_captcha is enabled.
 #
 #recaptcha_public_key: "YOUR_PUBLIC_KEY"

 # This homeserver's ReCAPTCHA private key.
 # This homeserver's ReCAPTCHA private key. Must be specified if
 # enable_registration_captcha is enabled.
 #
 #recaptcha_private_key: "YOUR_PRIVATE_KEY"

 # Enables ReCaptcha checks when registering, preventing signup
 # Uncomment to enable ReCaptcha checks when registering, preventing signup
 # unless a captcha is answered. Requires a valid ReCaptcha
 # public/private key.
 # public/private key. Defaults to 'false'.
 #
 #enable_registration_captcha: false
 #enable_registration_captcha: true

 # The API endpoint to use for verifying m.login.recaptcha responses.
 # Defaults to "https://www.recaptcha.net/recaptcha/api/siteverify".
 #
 #recaptcha_siteverify_api: "https://www.recaptcha.net/recaptcha/api/siteverify"
 #recaptcha_siteverify_api: "https://my.recaptcha.site"


 ## TURN ##
@@ -1151,6 +1199,13 @@ auto_join_rooms:
 #
 autocreate_auto_join_rooms: {{ matrix_synapse_autocreate_auto_join_rooms|to_json }}

 # When auto_join_rooms is specified, setting this flag to false prevents
 # guest accounts from being automatically joined to the rooms.
 #
 # Defaults to true.
 #
 #auto_join_rooms_for_guests: false


 ## Metrics ###

@@ -1182,6 +1237,7 @@ metrics_flags:
    #known_servers: true

 # Whether or not to report anonymized homeserver usage statistics.
 #
 report_stats: {{ matrix_synapse_report_stats|to_json }}

 # The endpoint to report the anonymized homeserver usage statistics to.
@@ -1307,6 +1363,8 @@ trusted_key_servers: {{ matrix_synapse_trusted_key_servers|to_json }}
 #key_server_signing_keys_path: "key_server_signing_keys.key"


 ## Single sign-on integration ##

 # Enable SAML2 for registration and login. Uses pysaml2.
 #
 # At least one of `sp_config` or `config_path` must be set in this section to
@@ -1440,7 +1498,13 @@ saml2_config:
  # * HTML page to display to users if something goes wrong during the
  #   authentication process: 'saml_error.html'.
  #
  #   This template doesn't currently need any variable to render.
  #   When rendering, this template is given the following variables:
  #     * code: an HTML error code corresponding to the error that is being
  #       returned (typically 400 or 500)
  #
  #     * msg: a textual message describing the error.
  #
  #   The variables will automatically be HTML-escaped.
  #
  # You can see the default templates at:
  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
@@ -1448,6 +1512,121 @@ saml2_config:
  #template_dir: "res/templates"


 # OpenID Connect integration. The following settings can be used to make Synapse
 # use an OpenID Connect Provider for authentication, instead of its internal
 # password database.
 #
 # See https://github.com/matrix-org/synapse/blob/master/openid.md.
 #
 oidc_config:
  # Uncomment the following to enable authorization against an OpenID Connect
  # server. Defaults to false.
  #
  #enabled: true

  # Uncomment the following to disable use of the OIDC discovery mechanism to
  # discover endpoints. Defaults to true.
  #
  #discover: false

  # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to
  # discover the provider's endpoints.
  #
  # Required if 'enabled' is true.
  #
  #issuer: "https://accounts.example.com/"

  # oauth2 client id to use.
  #
  # Required if 'enabled' is true.
  #
  #client_id: "provided-by-your-issuer"

  # oauth2 client secret to use.
  #
  # Required if 'enabled' is true.
  #
  #client_secret: "provided-by-your-issuer"

  # auth method to use when exchanging the token.
  # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
  # 'none'.
  #
  #client_auth_method: client_secret_post

  # list of scopes to request. This should normally include the "openid" scope.
  # Defaults to ["openid"].
  #
  #scopes: ["openid", "profile"]

  # the oauth2 authorization endpoint. Required if provider discovery is disabled.
  #
  #authorization_endpoint: "https://accounts.example.com/oauth2/auth"

  # the oauth2 token endpoint. Required if provider discovery is disabled.
  #
  #token_endpoint: "https://accounts.example.com/oauth2/token"

  # the OIDC userinfo endpoint. Required if discovery is disabled and the
  # "openid" scope is not requested.
  #
  #userinfo_endpoint: "https://accounts.example.com/userinfo"

  # URI where to fetch the JWKS. Required if discovery is disabled and the
  # "openid" scope is used.
  #
  #jwks_uri: "https://accounts.example.com/.well-known/jwks.json"

  # Uncomment to skip metadata verification. Defaults to false.
  #
  # Use this if you are connecting to a provider that is not OpenID Connect
  # compliant.
  # Avoid this in production.
  #
  #skip_verification: true

  # An external module can be provided here as a custom solution to mapping
  # attributes returned from a OIDC provider onto a matrix user.
  #
  user_mapping_provider:
    # The custom module's class. Uncomment to use a custom module.
    # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
    #
    # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
    # for information on implementing a custom mapping provider.
    #
    #module: mapping_provider.OidcMappingProvider

    # Custom configuration values for the module. This section will be passed as
    # a Python dictionary to the user mapping provider module's `parse_config`
    # method.
    #
    # The examples below are intended for the default provider: they should be
    # changed if using a custom provider.
    #
    config:
      # name of the claim containing a unique identifier for the user.
      # Defaults to `sub`, which OpenID Connect compliant providers should provide.
      #
      #subject_claim: "sub"

      # Jinja2 template for the localpart of the MXID.
      #
      # When rendering, this template is given the following variables:
      #   * user: The claims returned by the UserInfo Endpoint and/or in the ID
      #     Token
      #
      # This must be configured if using the default mapping provider.
      #
      localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"

      # Jinja2 template for the display name to set on first login.
      #
      # If unset, no displayname will be set.
      #
      #display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}"



 # Enable CAS for registration and login.
 #
@@ -1455,10 +1634,97 @@ saml2_config:
 #   enabled: true
 #   server_url: "https://cas-server.com"
 #   service_url: "https://homeserver.domain.com:8448"
 #   #displayname_attribute: name
 #   #required_attributes:
 #   #    name: value


 # Additional settings to use with single-sign on systems such as OpenID Connect,
 # SAML2 and CAS.
 #
 sso:
    # A list of client URLs which are whitelisted so that the user does not
    # have to confirm giving access to their account to the URL. Any client
    # whose URL starts with an entry in the following list will not be subject
    # to an additional confirmation step after the SSO login is completed.
    #
    # WARNING: An entry such as "https://my.client" is insecure, because it
    # will also match "https://my.client.evil.site", exposing your users to
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
    # If public_baseurl is set, then the login fallback page (used by clients
    # that don't natively support the required login flows) is whitelisted in
    # addition to any URLs in this list.
    #
    # By default, this list is empty.
    #
    #client_whitelist:
    #  - https://riot.im/develop
    #  - https://my.custom.client/

    # Directory in which Synapse will try to find the template files below.
    # If not set, default templates from within the Synapse package will be used.
    #
    # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
    # If you *do* uncomment it, you will need to make sure that all the templates
    # below are in the directory.
    #
    # Synapse will look for the following templates in this directory:
    #
    # * HTML page for a confirmation step before redirecting back to the client
    #   with the login token: 'sso_redirect_confirm.html'.
    #
    #   When rendering, this template is given three variables:
    #     * redirect_url: the URL the user is about to be redirected to. Needs
    #                     manual escaping (see
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * display_url: the same as `redirect_url`, but with the query
    #                    parameters stripped. The intention is to have a
    #                    human-readable URL to show to users, not to use it as
    #                    the final address to redirect to. Needs manual escaping
    #                    (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * server_name: the homeserver's name.
    #
    # * HTML page which notifies the user that they are authenticating to confirm
    #   an operation on their account during the user interactive authentication
    #   process: 'sso_auth_confirm.html'.
    #
    #   When rendering, this template is given the following variables:
    #     * redirect_url: the URL the user is about to be redirected to. Needs
    #                     manual escaping (see
    #                     https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
    #
    #     * description: the operation which the user is being asked to confirm
    #
    # * HTML page shown after a successful user interactive authentication session:
    #   'sso_auth_success.html'.
    #
    #   Note that this page must include the JavaScript which notifies of a successful authentication
    #   (see https://matrix.org/docs/spec/client_server/r0.6.0#fallback).
    #
    #   This template has no additional variables.
    #
    # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
    #   attempts to login: 'sso_account_deactivated.html'.
    #
    #   This template has no additional variables.
    #
    # * HTML page to display to users if something goes wrong during the
    #   OpenID Connect authentication process: 'sso_error.html'.
    #
    #   When rendering, this template is given two variables:
    #     * error: the technical name of the error
    #     * error_description: a human-readable message for the error
    #
    # You can see the default templates at:
    # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
    #
    #template_dir: "res/templates"


 # The JWT needs to contain a globally unique "sub" (subject) claim.
 #
 #jwt_config:
@@ -1501,8 +1767,8 @@ email:
  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
  #
  # smtp_user: "exampleusername"
  # smtp_pass: "examplepassword"
  #smtp_user: "exampleusername"
  #smtp_pass: "examplepassword"

  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
@@ -1681,10 +1947,17 @@ push:
   include_content: {{ matrix_synapse_push_include_content|to_json }}


 #spam_checker:
 #  module: "my_custom_project.SuperSpamChecker"
 #  config:
 #    example_option: 'things'
 # Spam checkers are third-party modules that can block specific actions
 # of local users, such as creating rooms and registering undesirable
 # usernames, as well as remote users by redacting incoming events.
 #
 # spam_checker:
   #- module: "my_custom_project.SuperSpamChecker"
   #  config:
   #    example_option: 'things'
   #- module: "some_other_project.BadEventStopper"
   #  config:
   #    example_stop_events_from: ['@bad:example.com']
 spam_checker: {{ matrix_synapse_spam_checker|to_json }}

 # Uncomment to allow non-server-admin users to create groups on this server
--- a/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
+++ b/roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
@@ -11,16 +11,16 @@ Wants={{ service }}

 [Service]
 Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-synapse
 ExecStartPre=-/usr/bin/docker rm matrix-synapse
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-synapse
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-synapse
 {% if matrix_s3_media_store_enabled %}
 # Allow for some time before starting, so that media store can mount.
 # Mounting can happen later too, but if we start writing,
 # we'd write files to the local filesystem and fusermount will complain.
 ExecStartPre=/bin/sleep 3
 ExecStartPre={{ matrix_host_command_sleep }} 3
 {% endif %}

 ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
@@ -28,7 +28,6 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			-e SYNAPSE_CACHE_FACTOR={{ matrix_synapse_cache_factor }} \
 			{% if matrix_synapse_container_client_api_host_bind_port %}
 			-p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \
 			{% endif %}
@@ -55,9 +54,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{{ matrix_synapse_docker_image }} \
 			-m synapse.app.homeserver -c /data/homeserver.yaml

 ExecStop=-/usr/bin/docker kill matrix-synapse
 ExecStop=-/usr/bin/docker rm matrix-synapse
 ExecReload=/usr/bin/docker exec matrix-synapse kill -HUP 1
 ExecStop=-{{ matrix_host_command_docker }} kill matrix-synapse
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-synapse
 ExecReload={{ matrix_host_command_docker }} exec matrix-synapse kill -HUP 1
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-synapse
--- a/roles/matrix-synapse/vars/main.yml
+++ b/roles/matrix-synapse/vars/main.yml
@@ -3,7 +3,7 @@
 matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']

 matrix_synapse_client_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/client/versions"
 matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:8448/_matrix/federation/v1/version"
 matrix_synapse_federation_api_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

 # Tells whether this role had executed or not. Toggled to `true` during runtime.
 matrix_synapse_role_executed: false