Move matrix-ma1sd to its own container network and add native Traefik support

2 лет назад · aea66442a1
--- a/docs/configuring-playbook-ma1sd.md
+++ b/docs/configuring-playbook-ma1sd.md
@@ -44,9 +44,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu

 - `matrix_synapse_enable_registration_captcha` - to validate registering users using reCAPTCHA, as described in the [enabling reCAPTCHA](configuring_captcha.md) documentation.

 - `matrix_synapse_registrations_require_3pid` - to control the types of 3pid (`'email'`, `'msisdn'`) required by the Synapse server for registering
 - `matrix_synapse_registrations_require_3pid` - a list of 3pid types (among `'email'`, `'msisdn'`) required by the Synapse server for registering

 - variables prefixed with `matrix_nginx_proxy_proxy_matrix_3pid_registration_` (e.g. `matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled`) - to configure the integrated nginx webserver to send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality
 - variables prefixed with `matrix_ma1sd_container_labels_` (e.g. `matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled`) - to configure the Traefik reverse-proxy to capture and send registration requests to ma1sd (instead of Synapse), so it can apply its additional functionality

 - `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3131,6 +3131,9 @@ exim_relay_sender_address: "matrix@{{ matrix_domain }}"
 # we can stop installing ma1sd.
 matrix_ma1sd_enabled: false

 matrix_ma1sd_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 matrix_ma1sd_hostname: "{{ matrix_server_fqn_matrix }}"

 matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach ma1sd over the container network.
@@ -3138,12 +3141,25 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 # ma1sd's web-server port.
 matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"

 matrix_ma1sd_container_additional_networks: |
 {{
  (
    ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
  ) | unique
 }}
 matrix_ma1sd_container_network: "{{ matrix_addons_container_network }}"

 matrix_ma1sd_container_additional_networks_auto: |
  {{
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([devture_postgres_container_network] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname and matrix_ma1sd_container_network != devture_postgres_container_network) else [])
      +
      ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_ma1sd_container_labels_traefik_enabled) else [])
    ) | unique
  }}

 matrix_ma1sd_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_ma1sd_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_ma1sd_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"

 # We enable Synapse integration via its Postgres database by default.
 # When using another Identity store, you might wish to disable this and define
@@ -3156,7 +3172,7 @@ matrix_ma1sd_dns_overwrite_enabled: true
 matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix }}"
 # The `matrix_ma1sd_dns_overwrite_homeserver_client_value` value when matrix_nginx_proxy_enabled is false covers the general case,
 # but may be inaccurate if matrix-corporal is enabled.
 matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}"
 matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_addons_homeserver_client_api_url }}"

 # By default, we send mail through the exim relay service.
 matrix_ma1sd_threepid_medium_email_identity_from: "{{ exim_relay_sender_address }}"
@@ -3168,13 +3184,13 @@ matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_

 matrix_ma1sd_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
    +
    ([devture_postgres_identifier ~ '.service'] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else [])
  }}

 matrix_ma1sd_systemd_wanted_services_list_auto: |
  {{
    (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service'])
    +
    ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier) else [])
  }}

@@ -3304,10 +3320,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enable
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

 # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
 matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
@@ -3349,10 +3361,6 @@ matrix_nginx_proxy_proxy_conduit_federation_api_addr_sans_container: "127.0.0.1:
 # When matrix-nginx-proxy is disabled, the actual port number that the vhost uses may begin to matter.
 matrix_nginx_proxy_proxy_matrix_federation_port: "{{ matrix_federation_public_port }}"

 matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"

 # OCSP stapling does not make sense when self-signed certificates are used.
 # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
@@ -3368,8 +3376,6 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
    +
    (['matrix-corporal.service'] if matrix_corporal_enabled else [])
    +
    (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
    +
    ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else [])
    +
    (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
@@ -3498,9 +3504,7 @@ matrix_homeserver_proxy_client_api_client_max_body_size_mb: |-

 matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_federation_api_endpoint }}"

 # matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }}"
 # matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 # matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
 # TODO - connect this to the identity server, if enabled

 # # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
 # # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
@@ -3508,10 +3512,7 @@ matrix_homeserver_proxy_federation_api_addr: "{{ matrix_homeserver_container_fed
 # matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}"
 # matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}"

 # matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
 # matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 # matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"

 # TODO - adjust ma1sd stuff below, if necessary
 matrix_homeserver_proxy_systemd_wanted_services_list_auto: |
  {{
    matrix_homeserver_systemd_services_list
@@ -4142,8 +4143,10 @@ matrix_synapse_gid: "{{ matrix_user_gid }}"

 matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"

 matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url: "{{ ('http://matrix-ma1sd:' + matrix_ma1sd_container_port| string) }}"

 # When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself.
 matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
 matrix_synapse_account_threepid_delegates_msisdn: "{{ matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url if matrix_ma1sd_enabled else '' }}"

 # For exposing the Matrix Federation API's TLS port (HTTPS) to the internet on all network interfaces.
 matrix_synapse_container_federation_api_tls_host_bind_port: "{{ matrix_federation_public_port if (matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled) else '' }}"
@@ -4166,6 +4169,8 @@ matrix_synapse_container_additional_networks: |
      ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else [])
      +
      ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
      +
      ([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else [])
    ) | unique
  }}

--- a/roles/custom/matrix-ma1sd/defaults/main.yml
+++ b/roles/custom/matrix-ma1sd/defaults/main.yml
@@ -4,6 +4,9 @@

 matrix_ma1sd_enabled: true

 matrix_ma1sd_scheme: https
 matrix_ma1sd_hostname: ''

 matrix_ma1sd_container_image_self_build: false
 matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
 matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"
@@ -43,14 +46,65 @@ matrix_ma1sd_systemd_wanted_services_list_auto: []
 matrix_ma1sd_systemd_wanted_services_list_custom: []

 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_ma1sd_container_network: "{{ matrix_docker_network }}"
 matrix_ma1sd_container_network: ""

 # A list of additional container networks that matrix-ma1sd would be connected to.
 # The playbook does not create these networks, so make sure they already exist.
 #
 # Use this to expose matrix-ma1sd to another docker network, that matrix-ma1sd might have to reach for authentication (e.g. an ldap instance)
 matrix_ma1sd_container_additional_networks: "{{ matrix_ma1sd_container_additional_networks_auto + matrix_ma1sd_container_additional_networks_custom }}"
 matrix_ma1sd_container_additional_networks_auto: []
 matrix_ma1sd_container_additional_networks_custom: []

 # matrix_ma1sd_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 matrix_ma1sd_container_additional_networks: []
 # To inject your own other container labels, see `matrix_ma1sd_container_labels_additional_labels`.
 matrix_ma1sd_container_labels_traefik_enabled: true
 matrix_ma1sd_container_labels_traefik_docker_network: "{{ matrix_ma1sd_container_network }}"
 matrix_ma1sd_container_labels_traefik_entrypoints: web-secure
 matrix_ma1sd_container_labels_traefik_tls_certResolver: default  # noqa var-naming

 # Controls whether labels will be added that expose ma1sd's /_matrix/identity endpoints
 matrix_ma1sd_container_labels_matrix_identity_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
 matrix_ma1sd_container_labels_matrix_identity_hostname: "{{ matrix_ma1sd_hostname }}"
 matrix_ma1sd_container_labels_matrix_identity_path_prefix: "/_matrix/identity"
 matrix_ma1sd_container_labels_matrix_identity_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_identity_hostname }}`) && PathPrefix(`{{ matrix_ma1sd_container_labels_matrix_identity_path_prefix }}`)"
 matrix_ma1sd_container_labels_matrix_identity_traefik_priority: 0
 matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
 matrix_ma1sd_container_labels_matrix_identity_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints != 'web' }}"
 matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

 # Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/user_directory/search endpoint
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled: "{{ matrix_ma1sd_container_labels_traefik_enabled }}"
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname: "{{ matrix_ma1sd_hostname }}"
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_path: "/_matrix/client/{version:(r0|v3)}/user_directory/search"
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_path }}`)"
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority: 0
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints != 'web' }}"
 matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

 # Controls whether labels will be added that expose ma1sd's /_matrix/client/VERSION/register/TYPE/requestToken endpoints
 # This allows another service to control registrations involving 3PIDs.
 # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled: false
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname: "{{ matrix_ma1sd_hostname }}"
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_path: "/_matrix/client/{version:(r0|v3)}/register/{type:(email|msisdn)}/requestToken"
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule: "Host(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_hostname }}`) && Path(`{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_path }}`)"
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority: 0
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints: "{{ matrix_ma1sd_container_labels_traefik_entrypoints }}"
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls: "{{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints != 'web' }}"
 matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver: "{{ matrix_ma1sd_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

 # matrix_ma1sd_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # matrix_ma1sd_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 matrix_ma1sd_container_labels_additional_labels: ''

 # Your identity server is private by default.
 # To ensure maximum discovery, you can make your identity server
@@ -59,7 +113,6 @@ matrix_ma1sd_container_additional_networks: []
 # Enabling this is discouraged. Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/features/identity.md#lookups
 matrix_ma1sd_matrixorg_forwarding_enabled: false


 # Database-related configuration fields.
 #
 # To use SQLite, stick to these defaults.
@@ -130,6 +183,7 @@ matrix_ma1sd_threepid_medium_email_custom_session_unbind_notification_template:
 # Defaults to: https://github.com/ma1uta/ma1sd/blob/master/src/main/resources/threepids/email/mxid-template.eml
 matrix_ma1sd_threepid_medium_email_custom_matrixid_template: ""

 matrix_ma1sd_self_check_endpoint_url: "{{ matrix_ma1sd_scheme }}://{{ matrix_ma1sd_hostname }}/_matrix/identity/api/v1"
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_ma1sd_self_check_validate_certificates: true

--- a/roles/custom/matrix-ma1sd/tasks/main.yml
+++ b/roles/custom/matrix-ma1sd/tasks/main.yml
@@ -20,6 +20,7 @@

 - tags:
    - self-check
    - self-check-ma1sd
  block:
    - when: matrix_ma1sd_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
--- a/roles/custom/matrix-ma1sd/tasks/self_check.yml
+++ b/roles/custom/matrix-ma1sd/tasks/self_check.yml
@@ -1,11 +1,8 @@
 ---

 - ansible.builtin.set_fact:
    ma1sd_url_endpoint_public: "https://{{ matrix_server_fqn_matrix }}/_matrix/identity/api/v1"

 - name: Check ma1sd Identity Service
  ansible.builtin.uri:
    url: "{{ ma1sd_url_endpoint_public }}"
    url: "{{ matrix_ma1sd_self_check_endpoint_url }}"
    follow_redirects: none
    validate_certs: "{{ matrix_ma1sd_self_check_validate_certificates }}"
  check_mode: false
@@ -16,9 +13,9 @@

 - name: Fail if ma1sd Identity Service not working
  ansible.builtin.fail:
    msg: "Failed checking ma1sd is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ ma1sd_url_endpoint_public }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
    msg: "Failed checking ma1sd is up at `{{ matrix_ma1sd_hostname }}` (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`). Is ma1sd running? Is port 443 open in your firewall? Full error: {{ result_ma1sd }}"
  when: "result_ma1sd.failed or 'json' not in result_ma1sd"

 - name: Report working ma1sd Identity Service
  ansible.builtin.debug:
    msg: "ma1sd at `{{ matrix_server_fqn_matrix }}` is working (checked endpoint: `{{ ma1sd_url_endpoint_public }}`)"
    msg: "ma1sd at `{{ matrix_ma1sd_hostname }}` is working (checked endpoint: `{{ matrix_ma1sd_self_check_endpoint_url }}`)"
--- a/roles/custom/matrix-ma1sd/tasks/setup_install.yml
+++ b/roles/custom/matrix-ma1sd/tasks/setup_install.yml
@@ -122,6 +122,21 @@
    - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_matrixid_template }}", location: 'mxid-template.eml'}
  when: "matrix_ma1sd_threepid_medium_email_custom_templates_enabled | bool and item.value"

 - name: Ensure ma1sd support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
    dest: "{{ matrix_ma1sd_base_path }}/{{ item }}"
    mode: 0640
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - labels

 - name: Ensure ma1sd container network is created
  community.general.docker_network:
    name: "{{ matrix_ma1sd_container_network }}"
    driver: bridge

 - name: Ensure matrix-ma1sd.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-ma1sd.service.j2"
--- a/roles/custom/matrix-ma1sd/tasks/validate_config.yml
+++ b/roles/custom/matrix-ma1sd/tasks/validate_config.yml
@@ -45,9 +45,15 @@
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and vars[item.name] == ''"
  with_items:
    - {'name': 'matrix_ma1sd_hostname', when: true}
    - {'name': 'matrix_ma1sd_threepid_medium_email_connectors_smtp_host', when: true}
    - {'name': 'matrix_ma1sd_dns_overwrite_homeserver_client_value', when: true}
    - {'name': 'matrix_ma1sd_database_hostname', when: "{{ matrix_ma1sd_database_engine == 'postgres' }}"}
    - {'name': 'matrix_ma1sd_container_network', when: true}
    - {'name': 'matrix_ma1sd_container_labels_matrix_identity_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
    - {'name': 'matrix_ma1sd_container_labels_matrix_identity_path_prefix', when: "{{ matrix_ma1sd_container_labels_matrix_identity_enabled }}"}
    - {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_hostname', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}
    - {'name': 'matrix_ma1sd_container_labels_matrix_client_user_directory_search_path', when: "{{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled }}"}

 - name: (Deprecation) Catch and report renamed ma1sd variables
  ansible.builtin.fail:
--- a/roles/custom/matrix-ma1sd/templates/labels.j2
+++ b/roles/custom/matrix-ma1sd/templates/labels.j2
@@ -0,0 +1,99 @@
 {% if matrix_ma1sd_container_labels_traefik_enabled %}
 traefik.enable=true

 {% if matrix_ma1sd_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_ma1sd_container_labels_traefik_docker_network }}
 {% endif %}

 traefik.http.services.matrix-ma1sd.loadbalancer.server.port={{ matrix_ma1sd_container_port }}

 {#
 	Matrix Identity APIs (/_matrix/identity)
 #}
 {% if matrix_ma1sd_container_labels_matrix_identity_enabled %}
 traefik.http.routers.matrix-ma1sd-matrix-identity.rule={{ matrix_ma1sd_container_labels_matrix_identity_traefik_rule }}

 {% if matrix_ma1sd_container_labels_matrix_identity_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-ma1sd-matrix-identity.priority={{ matrix_ma1sd_container_labels_matrix_identity_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-ma1sd-matrix-identity.service=matrix-ma1sd
 traefik.http.routers.matrix-ma1sd-matrix-identity.entrypoints={{ matrix_ma1sd_container_labels_matrix_identity_traefik_entrypoints }}

 traefik.http.routers.matrix-ma1sd-matrix-identity.tls={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls | to_json }}
 {% if matrix_ma1sd_container_labels_matrix_identity_traefik_tls %}
 traefik.http.routers.matrix-ma1sd-matrix-identity.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_identity_traefik_tls_certResolver }}
 {% endif %}
 {% endif %}
 {#
 	/Matrix Identity APIs (/_matrix/identity)
 #}


 {#
 	Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
 #}
 {% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
 {#
 	ma1sd only supports /_matrix/client/r0/user_directory/search,
 	while we potentially handle /_matrix/client/v3/user_directory/search as well,
 	so we need to transparently reroute.
 #}
 traefik.http.middlewares.matrix-ma1sd-matrix-client-user-directory-search-replacepath.replacepath.path=/_matrix/client/r0/user_directory/search

 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.rule={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_rule }}

 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.middlewares=matrix-ma1sd-matrix-client-user-directory-search-replacepath

 {% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.priority={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.service=matrix-ma1sd
 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_entrypoints }}

 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls | to_json }}
 {% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls %}
 traefik.http.routers.matrix-ma1sd-matrix-client-user-directory-search.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_user_directory_search_traefik_tls_certResolver }}
 {% endif %}
 {% endif %}
 {#
 	/Matrix Client user-directory search API endpoint (/_matrix/client/VERSION/user_directory/search)
 #}


 {#
 	Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
 #}
 {% if matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled %}
 {#
 	ma1sd only supports /_matrix/client/r0/user_directory/search,
 	while we potentially handle /_matrix/client/v3/user_directory/search as well,
 	so we need to transparently reroute.
 #}
 traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.regex=^/_matrix/client/([^/]+)/register/([^/]+)/requestToken
 traefik.http.middlewares.matrix-ma1sd-matrix-client-3pid-registration-replacepathregex.replacepathregex.replacement=/_matrix/client/r0/register/${2}/requestToken

 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.rule={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_rule }}

 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.middlewares=matrix-ma1sd-matrix-client-3pid-registration-replacepathregex

 {% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.priority={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.service=matrix-ma1sd
 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.entrypoints={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_entrypoints }}

 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls | to_json }}
 {% if matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls %}
 traefik.http.routers.matrix-ma1sd-matrix-client-3pid-registration.tls.certResolver={{ matrix_ma1sd_container_labels_matrix_client_3pid_registration_traefik_tls_certResolver }}
 {% endif %}
 {% endif %}
 {#
 	/Matrix Client 3pid registration API endpoint (/_matrix/client/VERSION/register/TYPE/requestToken)
 #}

 {% endif %}

 {{ matrix_ma1sd_container_labels_additional_labels }}
--- a/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/custom/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@@ -35,6 +35,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--mount type=bind,src={{ matrix_ma1sd_config_path }},dst=/etc/ma1sd,ro \
 			--mount type=bind,src={{ matrix_ma1sd_data_path }},dst=/var/ma1sd \
 			--label-file={{ matrix_ma1sd_base_path }}/labels \
 			{% for arg in matrix_ma1sd_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -228,37 +228,6 @@ matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"

 # Controls whether proxying for the User Directory Search API (`/_matrix/client/r0/user_directory/search`) should be done (on the matrix domain).
 # This can be used to forward the API endpoint to another service, augmenting the functionality of Synapse's own User Directory Search.
 # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/directory.md
 matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

 # Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search).
 # This is to assist identity servers which only handle the r0 endpoints.
 # The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
 # If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
 matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true

 # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
 # This allows another service to control registrations involving 3PIDs.
 # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
 matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

 # Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).
 # This is to assist identity servers which only handle the r0 endpoints.
 # The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
 # If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
 matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true

 # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

 # Controls whether proxying for the media repo (`/_matrix/media`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_media_repo_enabled: false
 matrix_nginx_proxy_proxy_media_repo_addr_with_container: "matrix-media-repo:{{ matrix_media_repo_port }}"
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -51,24 +51,6 @@
 	}
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_identity_api_enabled %}
 	location ^~ /_matrix/identity {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}";
 			proxy_pass http://$backend;
 		{% else %}
 			{# Generic configuration for use outside of our container setup #}
 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }};
 		{% endif %}

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_media_repo_enabled %}
 	# Redirect all media endpoints to the media-repo
 	location ^~ /_matrix/media {
@@ -162,53 +144,6 @@
 	}
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
 	location ~ ^/_matrix/client/(r0|v3)/user_directory/search {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
 			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
 			{% endif %}
 			proxy_pass http://$backend;
 		{% else %}
 			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
 			{% endif %}
 			{# Generic configuration for use outside of our container setup #}
 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
 		{% endif %}

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
 	location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
 			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
 			{% endif %}
 			proxy_pass http://$backend;
 		{% else %}
 			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
 			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
 			{% endif %}
 			{# Generic configuration for use outside of our container setup #}
 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
 		{% endif %}

 		proxy_set_header Host $host;
 		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}

 	{% for configuration_block in matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -94,6 +94,17 @@
    - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_client_api_enabled'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_oidc_api_enabled'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_client_synapse_admin_api_enabled'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container', 'new': '<removed>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_client_user_directory_search_enabled>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container', 'new': '<removed>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container', 'new': '<removed>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_user_directory_search_path>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled', 'new': 'matrix_ma1sd_container_labels_matrix_client_3pid_registration_enabled'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container', 'new': '<removed>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container', 'new': '<removed>'}
    - {'old': 'matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_matrix_client_3pid_registration_path>'}

 - name: (Deprecation) Catch and report matrix_postgres variables
  ansible.builtin.fail: