Merge branch 'master' of github.com:spantaleev/matrix-docker-ansible-deploy

3 лет назад · c9b4872fc7
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -13,7 +13,7 @@ jobs:
      - name: Check out
        uses: actions/checkout@v3
      - name: Run yamllint
        uses: frenck/action-yamllint@v1.4.0
        uses: frenck/action-yamllint@v1.4.1
  ansible-lint:
    name: ansible-lint
    runs-on: ubuntu-latest
@@ -21,6 +21,6 @@ jobs:
      - name: Check out
        uses: actions/checkout@v3
      - name: Run ansible-lint
        uses: ansible-community/ansible-lint-action@v6.15.0
        uses: ansible-community/ansible-lint-action@v6.16.0
        with:
          path: roles/custom
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,17 @@
 # 2023-05-25

 ## Enabling `forget_rooms_on_leave` by default for Synapse

 With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`.
 This way, **when you leave a room, Synapse will now forget it automatically**.

 The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving.

 **We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing.

 If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false`


 # 2023-04-03

 ## The matrix-jitsi role lives independently now
--- a/docs/configuring-playbook-bot-chatgpt.md
+++ b/docs/configuring-playbook-bot-chatgpt.md
@@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt
 ```


 ## 2. Get an access token
 ## 2. Get an access token and create encryption keys

 Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).

 To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6).


 ## 3. Adjusting the playbook configuration

--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@@ -30,30 +30,12 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t

 ## 3. Make sure the account is free from rate limiting

 You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
 You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.

 1. Copy the statement below into a text editor.
 If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 

 	```
 	INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0);
 	```
 The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token.

 1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.

 1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)

 1. Connect to Synapse's database by typing `\connect synapse` into the database terminal

 1. Paste in the `INSERT INTO` command that you edited and press enter.

 You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:

 ```
      user_id          | messages_per_second | burst_count
 -----------------------+---------------------+-------------
 @bot.draupnir:raim.ist |                   0 |           0`
 ```
 then you did it correctly.


 ## 4. Create a management room
--- a/docs/configuring-playbook-bot-honoroit.md
+++ b/docs/configuring-playbook-bot-honoroit.md
@@ -14,6 +14,10 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
 ```yaml
 matrix_bot_honoroit_enabled: true

 # Uncomment and adjust if you'd like to change the hostname or path
 # matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"
 # matrix_bot_honoroit_path_prefix: /honoroit

 # Uncomment and adjust this part if you'd like to use a username different than the default
 # matrix_bot_honoroit_login: honoroit

--- a/docs/configuring-playbook-bot-mjolnir.md
+++ b/docs/configuring-playbook-bot-mjolnir.md
@@ -29,31 +29,11 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t

 ## 3. Make sure the account is free from rate limiting

 You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
 You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.

 1. Copy the statement below into a text editor. 

 	```
 	INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0);
 	```

 1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.

 1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)

 1. Connect to Synapse's database by typing `\connect synapse` into the database terminal

 1. Paste in the `INSERT INTO` command that you edited and press enter.

 You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:

 ```
      user_id          | messages_per_second | burst_count
 -----------------------+---------------------+-------------
 @bot.mjolnir:raim.ist |                   0 |           0`
 ```
 then you did it correctly.
 If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 

 The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token.

 ## 4. Create a management room

--- a/docs/configuring-playbook-bot-postmoogle.md
+++ b/docs/configuring-playbook-bot-postmoogle.md
@@ -4,12 +4,26 @@

 The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you.

 It's a bot/bridge you can use to forward emails to Matrix rooms
 It's a bot/bridge you can use to forward emails to Matrix rooms. 
 Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms.

 See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you.

 ## Prerequisites

 ## Adjusting the playbook configuration
 ### Networking

 Open the following ports on your server to be able to receive incoming emails:

  - `25/tcp`: SMTP
  - `587/tcp`: Submission (TLS-encrypted SMTP)

 If you don't open these ports, you will still be able to send emails, but not receive any.

 These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use.


 ### Adjusting the playbook configuration

 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:

@@ -21,9 +35,20 @@ matrix_bot_postmoogle_enabled: true

 # Generate a strong password here. Consider generating it with `pwgen -s 64 1`
 matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT

 # Uncomment to add one or more admins to this bridge:
 #
 # matrix_bot_postmoogle_admins:
 #  - '@yourAdminAccount:domain.com'
 #
 # .. unless you've made yourself an admin of all bridges like this:
 #
 # matrix_admin: '@yourAdminAccount:domain.com'
 ```

 You will also need to add several DNS records so that postmoogle can send emails.
 ### DNS

 You will also need to add several DNS records so that Postmoogle can send emails.
 See [Configuring DNS](configuring-dns.md).


@@ -51,3 +76,13 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema
 Send `!pm help` to the room to see the bot's help menu for additional commands.

 You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle).

 ### Debug/Logs

 As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle`

 The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: 

 ```yaml
 matrix_bot_postmoogle_loglevel: 'DEBUG'
 ```
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@@ -16,7 +16,7 @@ Refer to the [official instructions](https://matrix-org.github.io/matrix-hooksho
 1. Enable the bridge by adding `matrix_hookshot_enabled: true` to your `vars.yml` file
 2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) as required.
 3. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma).
 4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below.
 4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-aux-role) explained below.
 5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`.

 Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) for how to use them.
@@ -58,23 +58,23 @@ See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles

 The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info.

 ### Manage GitHub Private Key with matrix-aux role
 ### Manage GitHub Private Key with aux role

 The GitHub bridge requires you to install a private key file. This can be done in multiple ways:
 - copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml)).
 - somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually.
 - use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server.
 - use the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) to copy the file from an arbitrary path on your ansible client to the correct path on the server.

 To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this:
 To use the `aux` role, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add the following additional configuration:
 ```yaml
 matrix_aux_file_definitions:
 aux_file_definitions:
  - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
    content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"
    mode: '0400'
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 ```
 For more info see the documentation in the [matrix-aux base configuration file](/roles/custom/matrix-aux/defaults/main.yml).
 For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml).

 ### Provisioning API

--- a/docs/configuring-playbook-matrix-corporal.md
+++ b/docs/configuring-playbook-matrix-corporal.md
@@ -91,7 +91,7 @@ matrix_corporal_policy_provider_config: |
  }

 # Modify the policy below as you see fit
 matrix_aux_file_definitions:
 aux_file_definitions:
  - dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
    content: |
      {
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -153,14 +153,14 @@ devture_traefik_additional_entrypoints_auto:
    port: 8449
    host_bind_port: '127.0.0.1:8449'
    config: {}
 	# If your reverse-proxy runs on another machine, remove the config above and use this config instead:
 	# config:
 	#   forwardedHeaders:
 	#     insecure: true
 	#     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
    # If your reverse-proxy runs on another machine, remove the config above and use this config instead:
    # config:
    #   forwardedHeaders:
    #     insecure: true
    #     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```

 For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
 For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).


 ### Using no reverse-proxy on the Matrix side at all
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@@ -40,9 +40,9 @@ If you'd like to use your own SSL certificates, instead of the default (SSL cert
 To use your own SSL certificates with Traefik, you need to:

 - disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
 - put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
 - put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
 - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
 - put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
 - put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually

 ```yaml
 # Disable ACME / Let's Encrypt support.
@@ -53,7 +53,7 @@ devture_traefik_config_certificatesResolvers_acme_enabled: false
 devture_traefik_ssl_dir_enabled: true

 # Tell Traefik to load our custom configuration file (certificates.yml).
 # The file is created below, in `matrix_aux_file_definitions`.
 # The file is created below, in `aux_file_definitions`.
 # The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
 devture_traefik_configuration_extension_yaml: |
  providers:
@@ -61,9 +61,9 @@ devture_traefik_configuration_extension_yaml: |
      filename: /config/certificates.yml
      watch: true

 # Use the matrix-aux role to create our custom files on the server.
 # If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable.
 matrix_aux_file_definitions:
 # Use the aux role to create our custom files on the server.
 # If you'd like to do this manually, you remove this `aux_file_definitions` variable.
 aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
--- a/docs/configuring-playbook-sygnal.md
+++ b/docs/configuring-playbook-sygnal.md
@@ -55,7 +55,7 @@ matrix_sygnal_apps:
    api_key: your_api_key_for_gcm
    # .. more configuration ..

 matrix_aux_file_definitions:
 aux_file_definitions:
  - dest: "{{ matrix_sygnal_data_path }}/my_key.p8"
    content: |
      some
@@ -73,7 +73,7 @@ Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easi
 To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files.
 To do that, the above example configuration:

 - makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/custom/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`.
 - makes use of the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) (and its `aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml) of the `aux` role for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `aux`.

 - references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container)

--- a/examples/caddy2/Caddyfile
+++ b/examples/caddy2/Caddyfile
@@ -1,112 +1,10 @@
 (cors) {
 	@cors_preflight method OPTIONS

 	handle @cors_preflight {
 		header Access-Control-Allow-Origin "{args.0}"
 		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
 		header Access-Control-Allow-Headers "Content-Type, Authorization"
 		header Access-Control-Max-Age "3600"
 	}
 }


 matrix.DOMAIN.tld {

  # creates letsencrypt certificate
  # tls your@email.com

  @identity {
        path /_matrix/identity/*
  }

  @noidentity {
        not path /_matrix/identity/*
  }

  @search {
        path /_matrix/client/r0/user_directory/search/*
  }

  @nosearch {
        not path /_matrix/client/r0/user_directory/search/*
  }

  @static {
        path /matrix/static-files/*
  }

  @nostatic {
        not path /matrix/static-files/*
  }

  @wellknown {
        path /.well-known/matrix/*
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"
  }

  # Cache
  header @static {
        # Cache
    Cache-Control "public, max-age=31536000"
    defer
  }

  # identity
  handle @identity {
        reverse_proxy localhost:8090  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  # search
  handle @search {
        reverse_proxy localhost:8090   {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  handle @wellknown {
        encode zstd gzip
        root * /matrix/static-files
 	header Cache-Control max-age=14400
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        file_server
  }
  
  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
  #handle @wellknown {
  #  # .well-known is handled by base domain
  #  reverse_proxy https://DOMAIN.tld {
  #  header_up Host {http.reverse_proxy.upstream.hostport}
  #}
 matrix.example.tld {

  handle {
        encode zstd gzip

        reverse_proxy localhost:8008  {
        reverse_proxy localhost:81  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
@@ -114,13 +12,12 @@ matrix.DOMAIN.tld {
  }
 }

 matrix.DOMAIN.tld:8448 {
 matrix.example.tld:8448 {
    handle {
        encode zstd gzip

        reverse_proxy 127.0.0.1:8048 {
        reverse_proxy 127.0.0.1:8449 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
@@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 {
    }
 }

 element.DOMAIN.tld {

      # creates letsencrypt certificate
      # tls your@email.com

      import cors https://*.DOMAIN.tld

      header {
                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
                X-Content-Type-Options "nosniff"
                # Disallow the site to be rendered within a frame (clickjacking protection)
                X-Frame-Options "DENY"
                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
                # Content-Security-Policy frame-src https://*.DOMAIN.tld
                # X-Robots-Tag
                X-Robots-Tag "noindex, noarchive, nofollow"
        }

        handle {
              encode zstd gzip
 example.tld {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
    @wellknown {
        path /.well-known/matrix/*
    }

              reverse_proxy localhost:8765 {
                     header_up X-Forwarded-Port {http.request.port}
                     header_up X-Forwarded-Proto {http.request.scheme}
                     header_up X-Forwarded-TlsProto {tls_protocol}
                     header_up X-Forwarded-TlsCipher {tls_cipher}
                     header_up X-Forwarded-HttpsProto {proto}
    handle @wellknown {
        reverse_proxy https://matrix.example.tld {
            header_up Host {http.reverse_proxy.upstream.hostport}
        }
    }
 }

 #dimension.DOMAIN.tld {
 #
 #      # creates letsencrypt certificate
 #      # tls your@email.com
 #
 #      import cors https://*.DOMAIN.tld
 #
 #      header {
 #          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #          # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #          X-XSS-Protection "1; mode=block"
 #          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #          X-Content-Type-Options "nosniff"
 #          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
 #          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #          # X-Robots-Tag
 #          X-Robots-Tag "noindex, noarchive, nofollow"
 #    }
 #
 #      handle {
 #          encode zstd gzip
 #
 #          reverse_proxy localhost:8184  {
 #                  header_up X-Forwarded-Port {http.request.port}
 #                  header_up X-Forwarded-Proto {http.request.scheme}
 #                  header_up X-Forwarded-TlsProto {tls_protocol}
 #                  header_up X-Forwarded-TlsCipher {tls_cipher}
 #                  header_up X-Forwarded-HttpsProto {proto}
 #          }
 #    }
 #}


 #jitsi.DOMAIN.tld {
 #
 #  creates letsencrypt certificate
 #  tls your@email.com
 #
 #  import cors https://*.DOMAIN.tld
 #
 #  header {
 #        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #
 #        # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #        X-XSS-Protection "1; mode=block"
 #
 #        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #        X-Content-Type-Options "nosniff"

 #        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
 #        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #
 #        # Disable some features
 #        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 #
 #        # Referer
 #        Referrer-Policy "no-referrer"
 #
 #        # X-Robots-Tag
 #        X-Robots-Tag "none"
 #
 #        # Remove Server header
 #        -Server
 #  }
 #
 #  handle {
 #        encode zstd gzip
 #
 #        reverse_proxy 127.0.0.1:13080 {
 #               header_up X-Forwarded-Port {http.request.port}
 #               header_up X-Forwarded-Proto {http.request.scheme}
 #               header_up X-Forwarded-TlsProto {tls_protocol}
 #               header_up X-Forwarded-TlsCipher {tls_cipher}
 #               header_up X-Forwarded-HttpsProto {proto}
 #        }
 #  }
 #}
 #DOMAIN.com {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
 #    @wellknown {
 #        path /.well-known/matrix/*
 #    }
 #
 #    handle @wellknown {
 #        reverse_proxy https://matrix.DOMAIN.com {
 #            header_up Host {http.reverse_proxy.upstream.hostport}
 #        }
 #    }
 #    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
 #      # handle /.well-known/* {
 #	#	encode zstd gzip
 #	#	header Cache-Control max-age=14400
 #	#	header Content-Type application/json
 #	#	header Access-Control-Allow-Origin *
 #	#}
 #
 #    # Configration for the base domain goes here
 #   # handle {
 #   #    header -Server
 #   #     encode zstd gzip
 #   #    reverse_proxy localhost:4020
 #   # }
 #}
--- a/examples/caddy2/Caddyfile.deprecated
+++ b/examples/caddy2/Caddyfile.deprecated
@@ -0,0 +1,269 @@
 (cors) {
 	@cors_preflight method OPTIONS

 	handle @cors_preflight {
 		header Access-Control-Allow-Origin "{args.0}"
 		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
 		header Access-Control-Allow-Headers "Content-Type, Authorization"
 		header Access-Control-Max-Age "3600"
 	}
 }


 matrix.DOMAIN.tld {

  # creates letsencrypt certificate
  # tls your@email.com

  @identity {
        path /_matrix/identity/*
  }

  @noidentity {
        not path /_matrix/identity/*
  }

  @search {
        path /_matrix/client/r0/user_directory/search/*
  }

  @nosearch {
        not path /_matrix/client/r0/user_directory/search/*
  }

  @static {
        path /matrix/static-files/*
  }

  @nostatic {
        not path /matrix/static-files/*
  }

  @wellknown {
        path /.well-known/matrix/*
  }

  header {
        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
        X-Content-Type-Options "nosniff"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # X-Robots-Tag
        X-Robots-Tag "noindex, noarchive, nofollow"
  }

  # Cache
  header @static {
        # Cache
    Cache-Control "public, max-age=31536000"
    defer
  }

  # identity
  handle @identity {
        reverse_proxy localhost:8090  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  # search
  handle @search {
        reverse_proxy localhost:8090   {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }

  handle @wellknown {
        encode zstd gzip
        root * /matrix/static-files
 	header Cache-Control max-age=14400
        header Content-Type application/json
        header Access-Control-Allow-Origin *
        file_server
  }
  
  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
  #handle @wellknown {
  #  # .well-known is handled by base domain
  #  reverse_proxy https://DOMAIN.tld {
  #  header_up Host {http.reverse_proxy.upstream.hostport}
  #}

  handle {
        encode zstd gzip

        reverse_proxy localhost:8008  {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
  }
 }

 matrix.DOMAIN.tld:8448 {
    handle {
        encode zstd gzip

        reverse_proxy 127.0.0.1:8048 {
               header_up X-Forwarded-Port {http.request.port}
               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
        }
    }
 }

 element.DOMAIN.tld {

      # creates letsencrypt certificate
      # tls your@email.com

      import cors https://*.DOMAIN.tld

      header {
                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
                X-Content-Type-Options "nosniff"
                # Disallow the site to be rendered within a frame (clickjacking protection)
                X-Frame-Options "DENY"
                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
                # Content-Security-Policy frame-src https://*.DOMAIN.tld
                # X-Robots-Tag
                X-Robots-Tag "noindex, noarchive, nofollow"
        }

        handle {
              encode zstd gzip

              reverse_proxy localhost:8765 {
                     header_up X-Forwarded-Port {http.request.port}
                     header_up X-Forwarded-Proto {http.request.scheme}
                     header_up X-Forwarded-TlsProto {tls_protocol}
                     header_up X-Forwarded-TlsCipher {tls_cipher}
                     header_up X-Forwarded-HttpsProto {proto}
        }
 }

 #dimension.DOMAIN.tld {
 #
 #      # creates letsencrypt certificate
 #      # tls your@email.com
 #
 #      import cors https://*.DOMAIN.tld
 #
 #      header {
 #          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #          # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #          X-XSS-Protection "1; mode=block"
 #          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #          X-Content-Type-Options "nosniff"
 #          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
 #          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #          # X-Robots-Tag
 #          X-Robots-Tag "noindex, noarchive, nofollow"
 #    }
 #
 #      handle {
 #          encode zstd gzip
 #
 #          reverse_proxy localhost:8184  {
 #                  header_up X-Forwarded-Port {http.request.port}
 #                  header_up X-Forwarded-Proto {http.request.scheme}
 #                  header_up X-Forwarded-TlsProto {tls_protocol}
 #                  header_up X-Forwarded-TlsCipher {tls_cipher}
 #                  header_up X-Forwarded-HttpsProto {proto}
 #          }
 #    }
 #}


 #jitsi.DOMAIN.tld {
 #
 #  creates letsencrypt certificate
 #  tls your@email.com
 #
 #  import cors https://*.DOMAIN.tld
 #
 #  header {
 #        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
 #        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
 #
 #        # Enable cross-site filter (XSS) and tell browser to block detected attacks
 #        X-XSS-Protection "1; mode=block"
 #
 #        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
 #        X-Content-Type-Options "nosniff"

 #        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
 #        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
 #
 #        # Disable some features
 #        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
 #
 #        # Referer
 #        Referrer-Policy "no-referrer"
 #
 #        # X-Robots-Tag
 #        X-Robots-Tag "none"
 #
 #        # Remove Server header
 #        -Server
 #  }
 #
 #  handle {
 #        encode zstd gzip
 #
 #        reverse_proxy 127.0.0.1:13080 {
 #               header_up X-Forwarded-Port {http.request.port}
 #               header_up X-Forwarded-Proto {http.request.scheme}
 #               header_up X-Forwarded-TlsProto {tls_protocol}
 #               header_up X-Forwarded-TlsCipher {tls_cipher}
 #               header_up X-Forwarded-HttpsProto {proto}
 #        }
 #  }
 #}
 #DOMAIN.com {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
 #    @wellknown {
 #        path /.well-known/matrix/*
 #    }
 #
 #    handle @wellknown {
 #        reverse_proxy https://matrix.DOMAIN.com {
 #            header_up Host {http.reverse_proxy.upstream.hostport}
 #        }
 #    }
 #    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
 #      # handle /.well-known/* {
 #	#	encode zstd gzip
 #	#	header Cache-Control max-age=14400
 #	#	header Content-Type application/json
 #	#	header Access-Control-Allow-Origin *
 #	#}
 #
 #    # Configration for the base domain goes here
 #   # handle {
 #   #    header -Server
 #   #     encode zstd gzip
 #   #    reverse_proxy localhost:4020
 #   # }
 #}
--- a/examples/caddy2/README.md
+++ b/examples/caddy2/README.md
@@ -1,12 +1,20 @@
 # Caddyfile
 # Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy

 This directory contains sample files that show you how to do reverse-proxying using Caddy2.
 This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy.

 ## Config

 | Variable           | Function |
 | ------------------ | -------- |
 | tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | 
 | tls                | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
 | Dimension         | To enable Dimension support uncomment the lines for Dimension and set your data |
 | Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |
 ## Prerequisite configuration

 To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).


 ## Using the Caddyfile

 You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
 In both cases make sure to replace all the `example.tld` domains with your own domain.

 This example does  not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.

 # Caddyfile.deprecated

 This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
--- a/examples/nginx/README.md
+++ b/examples/nginx/README.md
@@ -1,6 +1,6 @@
 # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy

 This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
 This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.


 ## Prerequisite configuration
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: |
  {{
    ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else [])
    +
    ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else [])
    ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else [])
    +
    ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else [])
    ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else [])
    +
    ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else [])
    ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else [])
    +
    ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
    ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
    +
    ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
    ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
    +
    ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else [])
    ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else [])
    +
    ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else [])
    ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else [])
    +
    ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else [])
    ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else [])
    +
    ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else [])
    ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else [])
    +
    ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else [])
    ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else [])
    +
    ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else [])
    +
@@ -1653,8 +1653,15 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic

 # We don't enable bots by default.
 matrix_bot_honoroit_enabled: false

 matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"

 matrix_bot_honoroit_path_prefix: /honoroit

 # For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint
 # so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`).
 matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit

 matrix_bot_honoroit_systemd_required_services_list: |
  {{
    ['docker.service']
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,10 +1,10 @@
 ---

 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-0
  version: v1.0.0-1
  name: aux
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
  version: v1.2.4-1.7.12-2
  version: v1.2.4-1.7.13-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
  version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@@ -16,7 +16,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
  version: 38764398bf82b06a1736c3bfedc71dfd229e4b52
  version: v15.3-0
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
  version: 8e9ec48a09284c84704d7a2dce17da35f181574d
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
@@ -26,7 +26,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: v2.9.10-2
  version: v2.10.1-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
@@ -40,13 +40,14 @@
  version: v8615-0
  name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
  version: v2.4.0-0
  version: v2.5.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v2.43.0-0
  version: v2.44.0-0
  name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
  version: v1.5.0-7
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
  version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
  version: v0.12.0-0
  name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
  version: v7.0.10-0
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_bot_chatgpt_enabled: true

 matrix_bot_chatgpt_version: 3.1.0
 matrix_bot_chatgpt_version: 3.1.2

 matrix_bot_chatgpt_container_image_self_build: false
 matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_bot_draupnir_enabled: true

 matrix_bot_draupnir_version: "v1.80.1"
 matrix_bot_draupnir_version: "v1.83.0"

 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@@ -56,8 +56,7 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono
 matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
 matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
 matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ matrix_bot_honoroit_metrics_path }}"
 matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}"
 matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)"
 matrix_bot_honoroit_container_labels_traefik_priority: 0
 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
--- a/roles/custom/matrix-bot-honoroit/templates/labels.j2
+++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2
@@ -31,27 +31,12 @@ traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ans
 {% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
 {% endif %}

 traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }}
 {% endif %}
 traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
 {% if matrix_bot_honoroit_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
 {% endif %}
 traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080

 {% if middlewares_metrics | length > 0 %}
 traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
 {% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit
 traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics
 traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }}
 traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
--- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
@@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024'
 # A list of admins
 # Example set of rules:
 # matrix_bot_postmoogle_admins:
 # - @someone:example.com
 # - @another:example.com
 # - @bot.*:example.com
 # - @*:another.com
 # - '@someone:example.com'
 # - '@another:example.com'
 # - '@bot.*:example.com'
 # - '@*:another.com'
 matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}"

 # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"

 matrix_hookshot_version: 4.0.0
 matrix_hookshot_version: 4.1.0

 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
 matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
 matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"

 matrix_mautrix_discord_version: v0.3.0
 matrix_mautrix_discord_version: v0.4.0
 # See: https://mau.dev/mautrix/discord/container_registry
 matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
 matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true
 matrix_mautrix_facebook_container_image_self_build: false
 matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"

 matrix_mautrix_facebook_version: v0.4.1
 matrix_mautrix_facebook_version: v0.5.0
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
 matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"

 matrix_mautrix_instagram_version: v0.2.3
 matrix_mautrix_instagram_version: v0.3.0
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -9,7 +9,7 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
 matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"

 matrix_mautrix_signal_version: v0.4.2
 matrix_mautrix_signal_version: v0.4.3
 matrix_mautrix_signal_daemon_version: 0.23.2
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}"
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

 matrix_mautrix_telegram_version: v0.13.0
 matrix_mautrix_telegram_version: v0.14.0
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false
 matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git"
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"

 matrix_mautrix_twitter_version: v0.1.5
 matrix_mautrix_twitter_version: v0.1.6
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
 matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"

 matrix_mautrix_whatsapp_version: v0.8.4
 matrix_mautrix_whatsapp_version: v0.8.5
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2
@@ -3,7 +3,7 @@
 	"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }},
 	"bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }},
 	"themeManifests": [
 		"{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json"
 		"{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json"
 	],
 	"defaultTheme": {
 		"light": "element-light",
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_synapse_enabled: true

 matrix_synapse_version: v1.83.0
 matrix_synapse_version: v1.84.1

 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -711,9 +711,18 @@ matrix_synapse_run_background_tasks_on: "{{ (matrix_synapse_workers_enabled_list
 #   - { 'id': 'media-repository-0', 'name': 'matrix-synapse-worker-media-repository-0', 'type': 'media_repository', 'port': 18551, 'metrics_port': 19551, 'webserving': true }
 matrix_synapse_workers_enabled_list: []

 # matrix_synapse_instance_map holds the instance map used for mapping worker names (for certain generic workers only!) to where they live (host, port which handles replication traffic).
 # This is populated automatically based on `matrix_synapse_workers_enabled_list` during runtime, so you're not required to tweak it manually.
 matrix_synapse_instance_map: {}
 # matrix_synapse_instance_map holds the instance map used for mapping worker names (for the main process and certain generic workers only!) to where they live (host, port which handles replication traffic).
 # This map starts off being populated with the Synapse main (master) process,
 # but will be populated with workers automatically during runtime, based on `matrix_synapse_workers_enabled_list`.
 matrix_synapse_instance_map: |
  {{
    {
      'main': {
        'host': 'matrix-synapse',
        'port': matrix_synapse_replication_http_port,
      },
    } if matrix_synapse_workers_enabled else {}
  }}

 # Redis information
 matrix_synapse_redis_enabled: false
@@ -919,6 +928,10 @@ matrix_synapse_room_list_publication_rules:

 matrix_synapse_default_room_version: "10"

 # Controls whether leaving a room will automatically forget it.
 # The upstream default is `false`, but we try to make Synapse less wasteful of resources, so we do things differently.
 matrix_synapse_forget_rooms_on_leave: true

 # Controls the Synapse `spam_checker` setting.
 #
 # If a spam-checker extension is enabled, this variable's value is set automatically by the playbook during runtime.
--- a/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml
+++ b/roles/custom/matrix-synapse/tasks/synapse/workers/init.yml
@@ -21,7 +21,7 @@
  ansible.builtin.set_fact:
    worker:
      id: "stream-writer-{{ idx }}-{{ item.stream }}"
      # Names must not include understores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up.
      # Names must not include underscores. Certain stream writer streams (to_device, account_data, ..) do, so we fix them up.
      name: "matrix-synapse-worker-stream-writer-{{ idx }}-{{ item.stream | replace('_', '-') }}"
      type: 'stream_writer'
      app: "generic_worker"
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -141,6 +141,10 @@ allow_public_rooms_over_federation: {{ matrix_synapse_allow_public_rooms_over_fe
 #
 default_room_version: {{ matrix_synapse_default_room_version|to_json }}

 # Set to true to automatically forget rooms for users when they leave them, either
 # normally or via a kick or ban. Defaults to false.
 forget_rooms_on_leave: {{ matrix_synapse_forget_rooms_on_leave | to_json }}

 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
 #gc_thresholds: [700, 10, 10]
--- a/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2
@@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_synapse_container_network }} \
 			{% if matrix_synapse_worker_details.port != 0 %}
 			{% if matrix_synapse_worker_details.port != 0 and matrix_synapse_worker_details.webserving %}
 			--health-cmd 'curl -fSs http://localhost:{{ matrix_synapse_worker_details.port }}/health || exit 1' \
 			{% else %}
 			--no-healthcheck \