Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy into mrb

3 лет назад · ba64aa3fe0
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -13,7 +13,7 @@ jobs:
      - name: Check out
        uses: actions/checkout@v3
      - name: Run yamllint
        uses: frenck/action-yamllint@v1.4.0
        uses: frenck/action-yamllint@v1.4.1
  ansible-lint:
    name: ansible-lint
    runs-on: ubuntu-latest
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,20 @@ The matrix registration bot got some updates and supports password-based login.

 **For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password`. If previously only used `matrix_bot_matrix_registration_bot_bot_access_token` this was also used as `matrix_bot_matrix_registration_bot_api_token`. You now need to define the `api_token` explicitly while the `bot_access_token` is depreacted. You can therefore rename `matrix_bot_matrix_registration_bot_bot_access_token` -> `matrix_bot_matrix_registration_bot_api_token`.

 # 2023-05-25

 ## Enabling `forget_rooms_on_leave` by default for Synapse

 With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`.
 This way, **when you leave a room, Synapse will now forget it automatically**.

 The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving.

 **We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing.

 If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false`


 # 2023-04-03

 ## The matrix-jitsi role lives independently now
--- a/docs/configuring-playbook-bot-chatgpt.md
+++ b/docs/configuring-playbook-bot-chatgpt.md
@@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt
 ```


 ## 2. Get an access token
 ## 2. Get an access token and create encryption keys

 Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).

 To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6).


 ## 3. Adjusting the playbook configuration

--- a/docs/configuring-playbook-bot-honoroit.md
+++ b/docs/configuring-playbook-bot-honoroit.md
@@ -14,6 +14,10 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
 ```yaml
 matrix_bot_honoroit_enabled: true

 # Uncomment and adjust if you'd like to change the hostname or path
 # matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"
 # matrix_bot_honoroit_path_prefix: /honoroit

 # Uncomment and adjust this part if you'd like to use a username different than the default
 # matrix_bot_honoroit_login: honoroit

--- a/docs/configuring-playbook-bot-postmoogle.md
+++ b/docs/configuring-playbook-bot-postmoogle.md
@@ -4,12 +4,26 @@

 The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you.

 It's a bot/bridge you can use to forward emails to Matrix rooms
 It's a bot/bridge you can use to forward emails to Matrix rooms. 
 Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms.

 See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you.

 ## Prerequisites

 ## Adjusting the playbook configuration
 ### Networking

 Open the following ports on your server to be able to receive incoming emails:

  - `25/tcp`: SMTP
  - `587/tcp`: Submission (TLS-encrypted SMTP)

 If you don't open these ports, you will still be able to send emails, but not receive any.

 These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use.


 ### Adjusting the playbook configuration

 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:

@@ -21,9 +35,20 @@ matrix_bot_postmoogle_enabled: true

 # Generate a strong password here. Consider generating it with `pwgen -s 64 1`
 matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT

 # Uncomment to add one or more admins to this bridge:
 #
 # matrix_bot_postmoogle_admins:
 #  - '@yourAdminAccount:domain.com'
 #
 # .. unless you've made yourself an admin of all bridges like this:
 #
 # matrix_admin: '@yourAdminAccount:domain.com'
 ```

 You will also need to add several DNS records so that postmoogle can send emails.
 ### DNS

 You will also need to add several DNS records so that Postmoogle can send emails.
 See [Configuring DNS](configuring-dns.md).


@@ -51,3 +76,13 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema
 Send `!pm help` to the room to see the bot's help menu for additional commands.

 You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle).

 ### Debug/Logs

 As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle`

 The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: 

 ```yaml
 matrix_bot_postmoogle_loglevel: 'DEBUG'
 ```
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -160,7 +160,7 @@ devture_traefik_additional_entrypoints_auto:
    #     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```

 For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
 For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).


 ### Using no reverse-proxy on the Matrix side at all
--- a/examples/caddy2/Caddyfile
+++ b/examples/caddy2/Caddyfile
@@ -1,112 +1,10 @@
 (cors) {
 	@cors_preflight method OPTIONS

 	handle @cors_preflight {
 		header Access-Control-Allow-Origin "{args.0}"
 		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
 		header Access-Control-Allow-Headers "Content-Type, Authorization"
 		header Access-Control-Max-Age "3600"
 	}
 }


 matrix.DOMAIN.tld {

  # creates letsencrypt certificate
  # tls your@email.com

  @identity {
        path /_matrix/identity/*
  }

  @noidentity {
        not path /_matrix/identity/*
  }

  @search {
        path /_matrix/client/r0/user_directory/search/*
  }

  @nosearch {
        not path /_matrix/client/r0/user_directory/search/*
  }

  @static {
        path /matrix/static-files/*
  }

  @nostatic {
        not path /matrix/static-files/*
  }

  @wellknown {
        path /.well-known/matrix/*
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"
  }

  # Cache
  header @static {
        # Cache
    Cache-Control "public, max-age=31536000"
    defer
  }

  # identity
  handle @identity {
        reverse_proxy localhost:8090  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  # search
  handle @search {
        reverse_proxy localhost:8090   {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  handle @wellknown {
        encode zstd gzip
        root * /matrix/static-files
 	header Cache-Control max-age=14400
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        file_server
  }
  
  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
  #handle @wellknown {
  #  # .well-known is handled by base domain
  #  reverse_proxy https://DOMAIN.tld {
  #  header_up Host {http.reverse_proxy.upstream.hostport}
  #}
 matrix.example.tld {

  handle {
        encode zstd gzip

        reverse_proxy localhost:8008  {
        reverse_proxy localhost:81  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
@@ -114,13 +12,12 @@ matrix.DOMAIN.tld {
  }
 }

 matrix.DOMAIN.tld:8448 {
 matrix.example.tld:8448 {
    handle {
        encode zstd gzip

        reverse_proxy 127.0.0.1:8048 {
        reverse_proxy 127.0.0.1:8449 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
@@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 {
    }
 }

 element.DOMAIN.tld {

      # creates letsencrypt certificate
      # tls your@email.com

      import cors https://*.DOMAIN.tld

      header {
                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
                X-Content-Type-Options "nosniff"
                # Disallow the site to be rendered within a frame (clickjacking protection)
                X-Frame-Options "DENY"
                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
                # Content-Security-Policy frame-src https://*.DOMAIN.tld
                # X-Robots-Tag
                X-Robots-Tag "noindex, noarchive, nofollow"
        }

        handle {
              encode zstd gzip
 example.tld {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
    @wellknown {
        path /.well-known/matrix/*
    }

              reverse_proxy localhost:8765 {
                     header_up X-Forwarded-Port {http.request.port}
                     header_up X-Forwarded-Proto {http.request.scheme}
                     header_up X-Forwarded-TlsProto {tls_protocol}
                     header_up X-Forwarded-TlsCipher {tls_cipher}
                     header_up X-Forwarded-HttpsProto {proto}
    handle @wellknown {
        reverse_proxy https://matrix.example.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }
    }
 }

 #dimension.DOMAIN.tld {
 #
 #      # creates letsencrypt certificate
 #      # tls your@email.com
 #
 #      import cors https://*.DOMAIN.tld
 #
 #      header {
 #          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #          # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #          X-XSS-Protection "1; mode=block"
 #          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #          X-Content-Type-Options "nosniff"
 #          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
 #          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #          # X-Robots-Tag
 #          X-Robots-Tag "noindex, noarchive, nofollow"
 #    }
 #
 #      handle {
 #          encode zstd gzip
 #
 #          reverse_proxy localhost:8184  {
 #                  header_up X-Forwarded-Port {http.request.port}
 #                  header_up X-Forwarded-Proto {http.request.scheme}
 #                  header_up X-Forwarded-TlsProto {tls_protocol}
 #                  header_up X-Forwarded-TlsCipher {tls_cipher}
 #                  header_up X-Forwarded-HttpsProto {proto}
 #          }
 #    }
 #}


 #jitsi.DOMAIN.tld {
 #
 #  creates letsencrypt certificate
 #  tls your@email.com
 #
 #  import cors https://*.DOMAIN.tld
 #
 #  header {
 #        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #
 #        # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #        X-XSS-Protection "1; mode=block"
 #
 #        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #        X-Content-Type-Options "nosniff"

 #        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
 #        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #
 #        # Disable some features
 #        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 #
 #        # Referer
 #        Referrer-Policy "no-referrer"
 #
 #        # X-Robots-Tag
 #        X-Robots-Tag "none"
 #
 #        # Remove Server header
 #        -Server
 #  }
 #
 #  handle {
 #        encode zstd gzip
 #
 #        reverse_proxy 127.0.0.1:13080 {
 #               header_up X-Forwarded-Port {http.request.port}
 #               header_up X-Forwarded-Proto {http.request.scheme}
 #               header_up X-Forwarded-TlsProto {tls_protocol}
 #               header_up X-Forwarded-TlsCipher {tls_cipher}
 #               header_up X-Forwarded-HttpsProto {proto}
 #        }
 #  }
 #}
 #DOMAIN.com {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
 #    @wellknown {
 #        path /.well-known/matrix/*
 #    }
 #
 #    handle @wellknown {
 #        reverse_proxy https://matrix.DOMAIN.com {
 #            header_up Host {http.reverse_proxy.upstream.hostport}
 #        }
 #    }
 #    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
 #      # handle /.well-known/* {
 #	#	encode zstd gzip
 #	#	header Cache-Control max-age=14400
 #	#	header Content-Type application/json
 #	#	header Access-Control-Allow-Origin *
 #	#}
 #
 #    # Configration for the base domain goes here
 #   # handle {
 #   #    header -Server
 #   #     encode zstd gzip
 #   #    reverse_proxy localhost:4020
 #   # }
 #}
--- a/examples/caddy2/Caddyfile.deprecated
+++ b/examples/caddy2/Caddyfile.deprecated
@@ -0,0 +1,269 @@
 (cors) {
 	@cors_preflight method OPTIONS

 	handle @cors_preflight {
 		header Access-Control-Allow-Origin "{args.0}"
 		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
 		header Access-Control-Allow-Headers "Content-Type, Authorization"
 		header Access-Control-Max-Age "3600"
 	}
 }


 matrix.DOMAIN.tld {

  # creates letsencrypt certificate
  # tls your@email.com

  @identity {
        path /_matrix/identity/*
  }

  @noidentity {
        not path /_matrix/identity/*
  }

  @search {
        path /_matrix/client/r0/user_directory/search/*
  }

  @nosearch {
        not path /_matrix/client/r0/user_directory/search/*
  }

  @static {
        path /matrix/static-files/*
  }

  @nostatic {
        not path /matrix/static-files/*
  }

  @wellknown {
        path /.well-known/matrix/*
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"
  }

  # Cache
  header @static {
        # Cache
    Cache-Control "public, max-age=31536000"
    defer
  }

  # identity
  handle @identity {
        reverse_proxy localhost:8090  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  # search
  handle @search {
        reverse_proxy localhost:8090   {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  handle @wellknown {
        encode zstd gzip
        root * /matrix/static-files
 	header Cache-Control max-age=14400
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        file_server
  }
  
  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
  #handle @wellknown {
  #  # .well-known is handled by base domain
  #  reverse_proxy https://DOMAIN.tld {
  #  header_up Host {http.reverse_proxy.upstream.hostport}
  #}

  handle {
        encode zstd gzip

        reverse_proxy localhost:8008  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }
 }

 matrix.DOMAIN.tld:8448 {
    handle {
        encode zstd gzip

        reverse_proxy 127.0.0.1:8048 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
    }
 }

 element.DOMAIN.tld {

      # creates letsencrypt certificate
      # tls your@email.com

      import cors https://*.DOMAIN.tld

      header {
                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
                X-Content-Type-Options "nosniff"
                # Disallow the site to be rendered within a frame (clickjacking protection)
                X-Frame-Options "DENY"
                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
                # Content-Security-Policy frame-src https://*.DOMAIN.tld
                # X-Robots-Tag
                X-Robots-Tag "noindex, noarchive, nofollow"
        }

        handle {
              encode zstd gzip

              reverse_proxy localhost:8765 {
                     header_up X-Forwarded-Port {http.request.port}
                     header_up X-Forwarded-Proto {http.request.scheme}
                     header_up X-Forwarded-TlsProto {tls_protocol}
                     header_up X-Forwarded-TlsCipher {tls_cipher}
                     header_up X-Forwarded-HttpsProto {proto}
        }
 }

 #dimension.DOMAIN.tld {
 #
 #      # creates letsencrypt certificate
 #      # tls your@email.com
 #
 #      import cors https://*.DOMAIN.tld
 #
 #      header {
 #          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #          # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #          X-XSS-Protection "1; mode=block"
 #          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #          X-Content-Type-Options "nosniff"
 #          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
 #          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #          # X-Robots-Tag
 #          X-Robots-Tag "noindex, noarchive, nofollow"
 #    }
 #
 #      handle {
 #          encode zstd gzip
 #
 #          reverse_proxy localhost:8184  {
 #                  header_up X-Forwarded-Port {http.request.port}
 #                  header_up X-Forwarded-Proto {http.request.scheme}
 #                  header_up X-Forwarded-TlsProto {tls_protocol}
 #                  header_up X-Forwarded-TlsCipher {tls_cipher}
 #                  header_up X-Forwarded-HttpsProto {proto}
 #          }
 #    }
 #}


 #jitsi.DOMAIN.tld {
 #
 #  creates letsencrypt certificate
 #  tls your@email.com
 #
 #  import cors https://*.DOMAIN.tld
 #
 #  header {
 #        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #
 #        # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #        X-XSS-Protection "1; mode=block"
 #
 #        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #        X-Content-Type-Options "nosniff"

 #        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
 #        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #
 #        # Disable some features
 #        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 #
 #        # Referer
 #        Referrer-Policy "no-referrer"
 #
 #        # X-Robots-Tag
 #        X-Robots-Tag "none"
 #
 #        # Remove Server header
 #        -Server
 #  }
 #
 #  handle {
 #        encode zstd gzip
 #
 #        reverse_proxy 127.0.0.1:13080 {
 #               header_up X-Forwarded-Port {http.request.port}
 #               header_up X-Forwarded-Proto {http.request.scheme}
 #               header_up X-Forwarded-TlsProto {tls_protocol}
 #               header_up X-Forwarded-TlsCipher {tls_cipher}
 #               header_up X-Forwarded-HttpsProto {proto}
 #        }
 #  }
 #}
 #DOMAIN.com {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
 #    @wellknown {
 #        path /.well-known/matrix/*
 #    }
 #
 #    handle @wellknown {
 #        reverse_proxy https://matrix.DOMAIN.com {
 #            header_up Host {http.reverse_proxy.upstream.hostport}
 #        }
 #    }
 #    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
 #      # handle /.well-known/* {
 #	#	encode zstd gzip
 #	#	header Cache-Control max-age=14400
 #	#	header Content-Type application/json
 #	#	header Access-Control-Allow-Origin *
 #	#}
 #
 #    # Configration for the base domain goes here
 #   # handle {
 #   #    header -Server
 #   #     encode zstd gzip
 #   #    reverse_proxy localhost:4020
 #   # }
 #}
--- a/examples/caddy2/README.md
+++ b/examples/caddy2/README.md
@@ -1,12 +1,20 @@
 # Caddyfile
 # Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy

 This directory contains sample files that show you how to do reverse-proxying using Caddy2.
 This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy.

 ## Config

 | Variable           | Function |
 | ------------------ | -------- |
 | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | 
 | tls                | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
 | Dimension         | To enable Dimension support uncomment the lines for Dimension and set your data |
 | Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |
 ## Prerequisite configuration

 To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).


 ## Using the Caddyfile

 You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
 In both cases make sure to replace all the `example.tld` domains with your own domain.

 This example does  not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.

 # Caddyfile.deprecated

 This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
--- a/examples/nginx/README.md
+++ b/examples/nginx/README.md
@@ -1,6 +1,6 @@
 # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy

 This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
 This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.


 ## Prerequisite configuration
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: |
  {{
    ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else [])
    +
    ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else [])
    ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else [])
    +
    ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else [])
    ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else [])
    +
    ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else [])
    ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else [])
    +
    ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
    ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
    +
    ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
    ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
    +
    ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else [])
    ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else [])
    +
    ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else [])
    ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else [])
    +
    ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else [])
    ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else [])
    +
    ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else [])
    ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else [])
    +
    ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else [])
    ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else [])
    +
    ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else [])
    +
@@ -1653,8 +1653,15 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic

 # We don't enable bots by default.
 matrix_bot_honoroit_enabled: false

 matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"

 matrix_bot_honoroit_path_prefix: /honoroit

 # For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint
 # so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`).
 matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit

 matrix_bot_honoroit_systemd_required_services_list: |
  {{
    ['docker.service']
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,7 +1,7 @@
 ---

 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-0
  version: v1.0.0-1
  name: aux
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
  version: v1.2.4-1.7.13-0
@@ -26,7 +26,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: v2.9.10-2
  version: v2.10.1-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
@@ -40,13 +40,14 @@
  version: v8615-0
  name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
  version: v2.4.0-0
  version: v2.5.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v2.44.0-0
  name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
  version: v1.5.0-7
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
  version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
  version: v0.12.0-0
  name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
  version: v7.0.10-0
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_bot_chatgpt_enabled: true

 matrix_bot_chatgpt_version: 3.1.0
 matrix_bot_chatgpt_version: 3.1.2

 matrix_bot_chatgpt_container_image_self_build: false
 matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_bot_draupnir_enabled: true

 matrix_bot_draupnir_version: "v1.80.1"
 matrix_bot_draupnir_version: "v1.83.0"

 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@@ -56,8 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono
 matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
 matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
 matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}"
 matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}"
 matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)"
 matrix_bot_honoroit_container_labels_traefik_priority: 0
 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
--- a/roles/custom/matrix-bot-honoroit/templates/labels.j2
+++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2
@@ -31,27 +31,12 @@ traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ans
 {% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
 {% endif %}

 traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }}
 {% endif %}
 traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
 {% if matrix_bot_honoroit_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
 {% endif %}
 traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080

 {% if middlewares_metrics | length > 0 %}
 traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit
 traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics
 traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }}
 traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
--- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
@@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024'
 # A list of admins
 # Example set of rules:
 # matrix_bot_postmoogle_admins:
 # - @someone:example.com
 # - @another:example.com
 # - @bot.*:example.com
 # - @*:another.com
 # - '@someone:example.com'
 # - '@another:example.com'
 # - '@bot.*:example.com'
 # - '@*:another.com'
 matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}"

 # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"

 matrix_hookshot_version: 4.0.0
 matrix_hookshot_version: 4.1.0

 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
@@ -81,7 +81,7 @@
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml
      {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml
      {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml
  register: hookshot_config_validation_result
  changed_when: false

--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true
 matrix_mautrix_facebook_container_image_self_build: false
 matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"

 matrix_mautrix_facebook_version: v0.4.1
 matrix_mautrix_facebook_version: v0.5.0
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
 matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"

 matrix_mautrix_instagram_version: v0.2.3
 matrix_mautrix_instagram_version: v0.3.0
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
 matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"

 matrix_mautrix_signal_version: v0.4.2
 matrix_mautrix_signal_version: v0.4.3
 matrix_mautrix_signal_daemon_version: 0.23.2
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}"
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

 matrix_mautrix_telegram_version: v0.13.0
 matrix_mautrix_telegram_version: v0.14.0
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false
 matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git"
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"

 matrix_mautrix_twitter_version: v0.1.5
 matrix_mautrix_twitter_version: v0.1.6
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2
@@ -3,7 +3,7 @@
 	"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }},
 	"bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }},
 	"themeManifests": [
 		"{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json"
 		"{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json"
 	],
 	"defaultTheme": {
 		"light": "element-light",
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_synapse_enabled: true

 matrix_synapse_version: v1.83.0
 matrix_synapse_version: v1.84.1

 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -334,6 +334,11 @@ matrix_synapse_limit_profile_requests_to_users_who_share_rooms: false
 # Defaults to 'true'.
 matrix_synapse_include_profile_data_on_invite: true


 # User search behaviour
 matrix_synapse_user_directory_search_all_users: false
 matrix_synapse_user_directory_prefer_local_users: false

 # Controls whether people with access to the homeserver can register by themselves.
 matrix_synapse_enable_registration: false
 # Controls whether people with access to the homeserver can register by themselves without verification (email/msisdn/token)
@@ -928,6 +933,10 @@ matrix_synapse_room_list_publication_rules:

 matrix_synapse_default_room_version: "10"

 # Controls whether leaving a room will automatically forget it.
 # The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently.
 matrix_synapse_forget_rooms_on_leave: true

 # Controls the Synapse `spam_checker` setting.
 #
 # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime.
--- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml
+++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml
@@ -21,7 +21,7 @@
  ansible.builtin.set_fact:
    worker:
      id: "stream-writer-{{ idx }}-{{ item.stream }}"
      # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up.
      # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up.
      name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}"
      type: 'stream_writer'
      app: "generic_worker"
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe
 #
 default_room_version: {{ matrix_synapse_default_room_version|to_json }}

 # Set to true to automatically forget rooms for users when they leave them, either
 # normally or via a kick or ban. Defaults to false.
 forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }}

 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
 #gc_thresholds: [700, 10, 10]
@@ -2626,7 +2630,7 @@ user_directory:
    # Uncomment to return search results containing all known users, even if that
    # user does not share a room with the requester.
    #
    #search_all_users: true
    search_all_users: {{ matrix_synapse_user_directory_search_all_users | to_json }}

    # Defines whether to prefer local users in search query results.
    # If True, local users are more likely to appear above remote users
@@ -2635,7 +2639,7 @@ user_directory:
    # Uncomment to prefer local over remote users in user directory search
    # results.
    #
    #prefer_local_users: true
    prefer_local_users: {{ matrix_synapse_user_directory_prefer_local_users | to_json }}


 # User Consent configuration
--- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
@@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_synapse_container_network }} \
 			{% if matrix_synapse_worker_details.port != 0 %}
 			{% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %}
 			--health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \
 			{% else %}
 			--no-healthcheck \