Stuart Mumford 6 years ago
Parent
Commit
ce3b8425c6
38 changed files: 506 additions and 49 deletions
  1. .gitignore (+1 -0)
  2. CHANGELOG.md (+36 -0)
  3. docs/configuring-playbook-bridge-appservice-webhooks.md (+5 -3)
  4. docs/configuring-playbook-dimension.md (+6 -0)
  5. docs/configuring-playbook-riot-web.md (+11 -0)
  6. docs/prerequisites.md (+3 -1)
  7. docs/self-building.md (+19 -0)
  8. group_vars/matrix_servers (+14 -2)
  9. roles/matrix-base/defaults/main.yml (+4 -0)
  10. roles/matrix-base/tasks/server_base/setup.yml (+4 -1)
  11. roles/matrix-base/tasks/server_base/setup_raspbian.yml (+42 -0)
  12. roles/matrix-bridge-appservice-webhooks/defaults/main.yml (+1 -2)
  13. roles/matrix-bridge-mautrix-facebook/defaults/main.yml (+3 -0)
  14. roles/matrix-bridge-mautrix-facebook/tasks/init.yml (+7 -0)
  15. roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml (+25 -4)
  16. roles/matrix-bridge-mautrix-hangouts/defaults/main.yml (+3 -0)
  17. roles/matrix-bridge-mautrix-hangouts/tasks/init.yml (+8 -1)
  18. roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml (+24 -4)
  19. roles/matrix-coturn/defaults/main.yml (+3 -0)
  20. roles/matrix-coturn/tasks/init.yml (+7 -0)
  21. roles/matrix-coturn/tasks/setup_coturn.yml (+30 -1)
  22. roles/matrix-mxisd/defaults/main.yml (+3 -0)
  23. roles/matrix-mxisd/tasks/init.yml (+7 -0)
  24. roles/matrix-mxisd/tasks/setup_mxisd.yml (+33 -5)
  25. roles/matrix-nginx-proxy/defaults/main.yml (+2 -2)
  26. roles/matrix-postgres/defaults/main.yml (+5 -5)
  27. roles/matrix-riot-web/defaults/main.yml (+39 -1)
  28. roles/matrix-riot-web/tasks/init.yml (+7 -0)
  29. roles/matrix-riot-web/tasks/main.yml (+6 -0)
  30. roles/matrix-riot-web/tasks/prepare_riot_web_themes.yml (+48 -0)
  31. roles/matrix-riot-web/tasks/setup_riot_web.yml (+24 -3)
  32. roles/matrix-riot-web/templates/config.json.j2 (+17 -2)
  33. roles/matrix-riot-web/templates/welcome.html.j2 (+4 -4)
  34. roles/matrix-synapse/defaults/main.yml (+7 -1)
  35. roles/matrix-synapse/tasks/init.yml (+7 -0)
  36. roles/matrix-synapse/tasks/setup_synapse.yml (+6 -5)
  37. roles/matrix-synapse/tasks/synapse/setup_install.yml (+19 -0)
  38. roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 (+16 -2)

+ 1
- 0
.gitignore

@@ -1,3 +1,4 @@
/inventory/*
!/inventory/.gitkeep
!/inventory/host_vars/.gitkeep
/roles/*/files/scratchpad

+ 36
- 0
CHANGELOG.md

@@ -1,3 +1,39 @@
# 2020-03-15

## Raspberry Pi support

Thanks to [Gergely Horváth](https://github.com/hooger)'s effort, the playbook supports installing to a Raspberry Pi server, for at least some of the services.

Since most ready-made container images do not support that architecture, we achieve this by building images locally on the device itself.
See our [Self-building documentation page](docs/self-building.md) for how to get started.


# 2020-02-26

## Riot-web themes are here

The playbook now makes it easy to install custom riot-web themes.

To learn more, take a look at our [riot-web documentation on Themes](docs/configuring-playbook-riot-web.md#themes).


# 2020-02-24

## Customize the server name in Riot's login page

You can now customize the server name string that Riot-web displays in its login page.

These playbook variables, with these default values, have been added:

```
matrix_riot_web_default_server_name: "{{ matrix_domain }}"
```

The login page previously said "Sign in to your Matrix account on matrix.example.org" (the homeserver's domain name). It will now say "Sign in ... on example.org" (the server name) by default, or "Sign in ... on Our Server" if you set the variable to "Our Server".

To support this, the config.json template is changed to use the configuration key `default_server_config` for setting the default HS/IS, and the new configuration key `server_name` is added in there.


# 2020-01-30

## Disabling TLSv1.1


+ 5
- 3
docs/configuring-playbook-bridge-appservice-webhooks.md

@@ -26,18 +26,20 @@ matrix_appservice_webhooks_log_level: '<log_level>'

3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.

4. Invite the bridge bot user to your room:
4. If you're using the [Dimension Integration Manager](configuring-playbook-dimension.md), you can configure the Webhooks bridge by opening the Dimension integration manager -> Settings -> Bridges and selecting edit action for "Webhook Bridge". Press "Add self-hosted Bridge" button and populate "Provisioning URL" & "Shared Secret" values from `/matrix/appservice-webhooks/config/config.yaml` file's homeserver URL value and provisioning secret value, respectively.

5. Invite the bridge bot user to your room:

- either with `/invite @_webhook:<domain.name>` (*Note*: Make sure you have administration permissions in your room)

- or simply add the bridge bot to a private channel (personal channels imply you being an administrator)

5. Send a message to the bridge bot in order to receive a private message including the webhook link.
6. Send a message to the bridge bot in order to receive a private message including the webhook link.
```
!webhook
```

6. The JSON body for posting messages will have to look like this:
7. The JSON body for posting messages will have to look like this:
```json
{
"text": "Hello world!",


+ 6
- 0
docs/configuring-playbook-dimension.md

@@ -45,6 +45,12 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE"

For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens).

After these variables have been set, please run the following command to re-run setup and to restart Dimension:

```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```

## Additional features

To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it.


+ 11
- 0
docs/configuring-playbook-riot-web.md

@@ -27,3 +27,14 @@ Alternatively, **if there is no pre-defined variable** for a riot-web setting yo
- or, you can **extend and override the default configuration** ([`config.json.j2`](../roles/matrix-riot-web/templates/config.json.j2)) by making use of the `matrix_riot_web_configuration_extension_json_` variable. You can find information about this in [`roles/matrix-riot-web/defaults/main.yml`](../roles/matrix-riot-web/defaults/main.yml).

- or, if extending the configuration is still not powerful enough for your needs, you can **override the configuration completely** using `matrix_riot_web_configuration_default` (or `matrix_riot_web_configuration`). You can find information about this in [`roles/matrix-riot-web/defaults/main.yml`](../roles/matrix-riot-web/defaults/main.yml).


## Themes

To change the look of riot-web, you can define your own themes manually by using the `matrix_riot_web_settingDefaults_custom_themes` setting.

Or better yet, you can automatically pull it all themes provided by the [aaronraimist/riot-web-themes](https://github.com/aaronraimist/riot-web-themes) project by simply flipping a flag (`matrix_riot_web_themes_enabled: true`).

If you make your own theme, we encourage you to submit it to the **aaronraimist/riot-web-themes** project, so that the whole community could easily enjoy it.

Note that for a custom theme to work well, all riot-web/riot-desktop instances that you use must have the same theme installed.
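Review bot: In the new Themes section, "you can automatically pull it all themes provided by" has a stray "it"; "pull in all themes" reads correctly. Since `matrix_riot_web_themes_enabled: true` fetches content from a third-party repository at install time, the section should also say where the themes are fetched to and whether a specific revision is used, so operators know what they are trusting when they flip the flag.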

+ 3
- 1
docs/prerequisites.md

@@ -1,6 +1,8 @@
# Prerequisites

- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+) or **Ubuntu** (16.04+). This playbook doesn't support running on ARM so it won't work on a Raspberry Pi. We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
- An x86 server running **CentOS** (7 only for now; [8 is not yet supported](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/300)), **Debian** (9/Stretch+) or **Ubuntu** (16.04+). This playbook doesn't support running on ARM ([see](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Self-Building](self-building.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.

- `root` access to your server (or a user capable of elevating to `root` via `sudo`).

- [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python`).



+ 19
- 0
docs/self-building.md

@@ -0,0 +1,19 @@
# Self-building

The playbook supports the self-building of some of its components. This may be useful for architectures besides x86_64, which have no Docker images right now (e g. the armv7 for the Raspberry Pi). Some playbook roles have been updated, so they build the necessary image on the host. It needs more space, as some build tools need to be present (like Java, for mxisd).

To use these modification there is a variable that needs to be switched to enable this functionality. Add this to your `vars.yaml` file:
```yaml
matrix_container_images_self_build = true
```
Setting that variable will self-build every role which supports self-building. Self-building can be set on a per-role basis as well.

List of roles where self-building the docker image is currently possible:
- synapse
- riot-web
- coturn
- mxisd
- matrix-bridge-mautrix-facebook
- matrix-bridge-mautrix-hangouts

Adding self-building support to other roles is welcome. Feel free to contribute!
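Review bot: The YAML example in this new page uses `matrix_container_images_self_build = true`, which is not valid YAML for a variable assignment; it should be `matrix_container_images_self_build: true`, matching the default added in roles/matrix-base/defaults/main.yml. The sentence "Self-building can be set on a per-role basis as well" should name the per-role variables (for example `matrix_coturn_container_image_self_build`), and the page should mention that self-building requires Ansible 2.8 or higher, since the init tasks added in this commit fail otherwise. Minor: "e g." should be "e.g." and "these modification" should be "these modifications".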

+ 14
- 2
group_vars/matrix_servers

@@ -72,7 +72,7 @@ matrix_appservice_webhooks_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-webhooks over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-webhooks' client-server port to the local host.
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_webhooks_port }}' }}"
matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}' }}"

matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
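Review bot: The updated `matrix_appservice_webhooks_container_http_host_bind_port` line still nests `{{ matrix_appservice_webhooks_matrix_port }}` inside a quoted string within an outer `{{ ... }}` expression, which is the pattern the next hunk removes for the Slack bridge. Use the same form here: `('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port)`, so the port is concatenated inside a single expression rather than relying on the rendered string being templated a second time.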

@@ -106,7 +106,7 @@ matrix_appservice_slack_enabled: false
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-appservice-slack's client-server port to the local host.
matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:{{ matrix_appservice_slack_slack_port }}' }}"
matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}"

matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"

@@ -172,6 +172,8 @@ matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key |
# We don't enable bridges by default.
matrix_mautrix_facebook_enabled: false

matrix_mautrix_facebook_container_image_self_build: "{{ matrix_container_images_self_build }}"

matrix_mautrix_facebook_systemd_required_services_list: |
{{
['docker.service']
@@ -201,6 +203,8 @@ matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_pro
# We don't enable bridges by default.
matrix_mautrix_hangouts_enabled: false

matrix_mautrix_hangouts_container_image_self_build: "{{ matrix_container_images_self_build }}"

matrix_mautrix_hangouts_systemd_required_services_list: |
{{
['docker.service']
@@ -329,6 +333,8 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati

matrix_coturn_enabled: true

matrix_coturn_container_image_self_build: "{{ matrix_container_images_self_build }}"

matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"

matrix_coturn_tls_enabled: true
@@ -415,6 +421,8 @@ matrix_mailer_enabled: true
# If you wish to use the public identity servers (matrix.org, vector.im) instead of your own you may wish to disable this.
matrix_mxisd_enabled: true

matrix_mxisd_container_image_self_build: "{{ matrix_container_images_self_build }}"

# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# mxisd's web-server port.
@@ -559,6 +567,8 @@ matrix_postgres_db_name: "homeserver"
# If you wish to connect to your Matrix server by other means, you may wish to disable this.
matrix_riot_web_enabled: true

matrix_riot_web_container_image_self_build: "{{ matrix_container_images_self_build }}"

# Normally, matrix-nginx-proxy is enabled and nginx can reach riot-web over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the riot-web HTTP port to the local host.
@@ -600,6 +610,8 @@ matrix_riot_web_welcome_user_id: ~
#
######################################################################

matrix_synapse_container_image_self_build: "{{ matrix_container_images_self_build }}"

# When mxisd is enabled, we can use it instead of the default public Identity servers.
matrix_synapse_trusted_third_party_id_servers: "{{ [matrix_server_fqn_matrix] if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"



+ 4
- 0
roles/matrix-base/defaults/main.yml

@@ -66,3 +66,7 @@ run_setup: true
run_self_check: true
run_start: true
run_stop: true

# Building every docker image from source on the target host
# Controlling docker image build is possible on a per unit base
matrix_container_images_self_build: false

+ 4
- 1
roles/matrix-base/tasks/server_base/setup.yml

@@ -4,7 +4,10 @@
when: ansible_distribution == 'CentOS'

- include_tasks: "{{ role_path }}/tasks/server_base/setup_debian.yml"
when: ansible_os_family == 'Debian'
when: (ansible_os_family == 'Debian') and (ansible_lsb.id != 'Raspbian')

- include_tasks: "{{ role_path }}/tasks/server_base/setup_raspbian.yml"
when: (ansible_os_family == 'Debian') and (ansible_lsb.id == 'Raspbian')

- name: Ensure Docker is started and autoruns
service:
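Review bot: Both new `when` conditions dereference `ansible_lsb.id` without a fallback, and that key is only present when the lsb facts were gathered on the target (lsb_release or /etc/lsb-release available). On a Debian-family host without them, the condition errors out instead of selecting setup_debian.yml. Suggest `ansible_lsb.id | default('') != 'Raspbian'` and `ansible_lsb.id | default('') == 'Raspbian'`, so existing Debian and Ubuntu installs are unaffected by the Raspbian split.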


+ 42
- 0
roles/matrix-base/tasks/server_base/setup_raspbian.yml

@@ -0,0 +1,42 @@
---

- name: Ensure APT usage dependencies are installed
apt:
name:
- apt-transport-https
- ca-certificates
state: present
update_cache: yes

- name: Ensure Docker's APT key is trusted
apt_key:
url: https://download.docker.com/linux/raspbian/gpg
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
state: present
register: add_repository_key
ignore_errors: true
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'

- name: Ensure Docker repository is enabled
apt_repository:
repo: "deb [arch=armhf] https://download.docker.com/linux/raspbian {{ ansible_distribution_release }} stable"
state: present
update_cache: yes
when: matrix_docker_installation_enabled|bool and matrix_docker_package_name == 'docker-ce'

- name: Ensure APT packages are installed
apt:
name:
- bash-completion
- python-docker
- ntp
- fuse
state: latest
update_cache: yes

- name: Ensure Docker is installed
apt:
name:
- "{{ matrix_docker_package_name }}"
state: latest
when: matrix_docker_installation_enabled|bool
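Review bot: The "Ensure Docker's APT key is trusted" task sets `ignore_errors: true`, and its registered result `add_repository_key` is not checked by any later task in this file, so a failed key download or fingerprint mismatch is silently skipped and the play continues to enable the repository and install Docker. For a task that establishes package trust, failing hard is the safer default; either drop `ignore_errors` or add an explicit fallback that is gated on `add_repository_key is failed`. Separately, `state: latest` on the Docker package and on the base packages means every playbook run can upgrade Docker; `state: present` avoids unplanned daemon restarts.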

+ 1
- 2
roles/matrix-bridge-appservice-webhooks/defaults/main.yml

@@ -21,9 +21,8 @@ matrix_appservice_webhooks_user_prefix: '_webhook'

# Controls the webhooks_PORT and MATRIX_PORT of the installation
matrix_appservice_webhooks_matrix_port: 6789
matrix_appservice_webhooks_webhooks_port: 6788

# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6788 in the container).
# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6789 in the container).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
matrix_appservice_webhooks_container_http_host_bind_port: ''
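Review bot: The comment "Controls the webhooks_PORT and MATRIX_PORT of the installation" is now stale, because this hunk removes `matrix_appservice_webhooks_webhooks_port` and leaves only `matrix_appservice_webhooks_matrix_port`. Update the comment to describe the single remaining port, and check that no template or task still references the removed variable, since an undefined reference would only surface at run time.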


+ 3
- 0
roles/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -3,6 +3,8 @@

matrix_mautrix_facebook_enabled: true

matrix_mautrix_facebook_container_image_self_build: false

# See: https://mau.dev/tulir/mautrix-facebook/container_registry
matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest"
matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
@@ -10,6 +12,7 @@ matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_doc
matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook"
matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config"
matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data"
matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src"

matrix_mautrix_facebook_homeserver_address: 'http://matrix-synapse:8008'
matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'


+ 7
- 0
roles/matrix-bridge-mautrix-facebook/tasks/init.yml

@@ -14,3 +14,10 @@
+
{{ ["/matrix-mautrix-facebook-registration.yaml"] }}
when: matrix_mautrix_facebook_enabled|bool

# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build Mautrix Facebook image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_facebook_container_image_self_build"
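Review bot: The new fail task's `when` does not check `matrix_mautrix_facebook_enabled`, so with the global `matrix_container_images_self_build` turned on (group_vars maps it onto this role's flag) the play aborts on Ansible older than 2.8 even when the Facebook bridge is disabled. Add `matrix_mautrix_facebook_enabled|bool and` to the condition and apply `|bool` to `matrix_mautrix_facebook_container_image_self_build` for consistency with the other conditions in this role. Typos in the added lines: "buildig" should be "building" and "usa ansible" should be "use Ansible".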

+ 25
- 4
roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml

@@ -14,18 +14,39 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}"
when: matrix_mautrix_facebook_enabled|bool and not matrix_mautrix_facebook_container_image_self_build

- name: Ensure Mautrix Facebook paths exist
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_mautrix_facebook_base_path }}"
- "{{ matrix_mautrix_facebook_config_path }}"
- "{{ matrix_mautrix_facebook_data_path }}"
- { path: "{{ matrix_mautrix_facebook_base_path }}", when: true }
- { path: "{{ matrix_mautrix_facebook_config_path }}", when: true }
- { path: "{{ matrix_mautrix_facebook_data_path }}", when: true }
- { path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}" }
when: item.when|bool

- name: Ensure Mautrix Facebook repository is present on self-build
git:
repo: https://github.com/tulir/mautrix-facebook.git
dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
# version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
force: "yes"
when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"

- name: Ensure Mautrix Facebook Docker image is built
docker_image:
name: "{{ matrix_mautrix_facebook_docker_image }}"
source: build
build:
dockerfile: Dockerfile
path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
pull: yes
when: "matrix_mautrix_facebook_enabled|bool and matrix_mautrix_facebook_container_image_self_build"

- name: Check if an old database file already exists
stat:
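Review bot: The "Ensure Mautrix Facebook repository is present on self-build" task has its `version` line commented out (and that line refers to `matrix_coturn_docker_image`, a leftover from the Coturn role), so the build uses whatever the default branch of the repository contains at run time, with `force: "yes"` overwriting the checkout. The result is then tagged with `matrix_mautrix_facebook_docker_image`, so an unreviewed upstream change flows straight into the running container. Add a role variable for the git revision and pass it as `version`, and remove the stale comment. Also, the paths task now uses `when: item.when|bool` without `matrix_mautrix_facebook_enabled|bool`, unlike the Hangouts role in this same commit; the two should match.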


+ 3
- 0
roles/matrix-bridge-mautrix-hangouts/defaults/main.yml

@@ -3,6 +3,8 @@

matrix_mautrix_hangouts_enabled: true

matrix_mautrix_hangouts_container_image_self_build: false

# See: https://mau.dev/tulir/mautrix-hangouts/container_registry
matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest"
matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}"
@@ -10,6 +12,7 @@ matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_doc
matrix_mautrix_hangouts_base_path: "{{ matrix_base_data_path }}/mautrix-hangouts"
matrix_mautrix_hangouts_config_path: "{{ matrix_mautrix_hangouts_base_path }}/config"
matrix_mautrix_hangouts_data_path: "{{ matrix_mautrix_hangouts_base_path }}/data"
matrix_mautrix_hangouts_docker_src_files_path: "{{ matrix_mautrix_hangouts_base_path }}/docker-src"

matrix_mautrix_hangouts_public_endpoint: '/mautrix-hangouts'



+ 8
- 1
roles/matrix-bridge-mautrix-hangouts/tasks/init.yml

@@ -59,4 +59,11 @@
Please make sure that you're proxying the `{{ matrix_mautrix_hangouts_public_endpoint }}`
URL endpoint to the matrix-mautrix-hangouts container.
You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable.
when: "matrix_mautrix_hangouts_enabled|bool and matrix_nginx_proxy_enabled is not defined"
when: "matrix_mautrix_hangouts_enabled|bool and (matrix_nginx_proxy_enabled is not defined or matrix_nginx_proxy_enabled|bool == false)"

# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build Mautrix Hangouts image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_hangouts_container_image_self_build"
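Review bot: The Ansible version guard added at the end of this hunk is copied into four init.yml files in this commit (Facebook, Hangouts, Coturn, mxisd) with only the role name changed, which makes the condition easy to get out of sync. Consider one shared check, for example in matrix-base, keyed on whether any self-build flag is set. In the modified proxy condition, `matrix_nginx_proxy_enabled|bool == false` reads more naturally as `not matrix_nginx_proxy_enabled|bool`.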

+ 24
- 4
roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -14,18 +14,38 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_mautrix_hangouts_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_docker_image_force_pull }}"
when: matrix_mautrix_hangouts_enabled|bool and not matrix_mautrix_hangouts_container_image_self_build

- name: Ensure Mautrix Hangouts paths exist
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_mautrix_hangouts_base_path }}"
- "{{ matrix_mautrix_hangouts_config_path }}"
- "{{ matrix_mautrix_hangouts_data_path }}"
- { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true }
- { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true }
- { path: "{{ matrix_mautrix_hangouts_data_path }}", when: true }
- { path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}", when: "{{ matrix_mautrix_hangouts_container_image_self_build }}" }
when: matrix_mautrix_hangouts_enabled|bool and item.when|bool

- name: Ensure Mautrix Hangots repository is present on self build
git:
repo: https://github.com/tulir/mautrix-hangouts.git
dest: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
force: "yes"
when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"

- name: Ensure Mautrix Hangouts Docker image is built
docker_image:
name: "{{ matrix_mautrix_hangouts_docker_image }}"
source: build
build:
dockerfile: Dockerfile
path: "{{ matrix_mautrix_hangouts_docker_src_files_path }}"
pull: yes
when: "matrix_mautrix_hangouts_enabled|bool and matrix_mautrix_hangouts_container_image_self_build"

- name: Check if an old database file already exists
stat:
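Review bot: The "Ensure Mautrix Hangouts Docker image is built" task has no `force_source`, so once an image named `matrix_mautrix_hangouts_docker_image` exists on the host, later playbook runs update the git checkout but do not rebuild the image, and the host keeps running the old build. The pull task above sets `force_source` from `matrix_mautrix_hangouts_docker_image_force_pull`; the build task needs an equivalent, ideally triggered by the git task reporting a change. The git task also has no `version`, so the source revision is unpinned. Typo in the task name: "Hangots" should be "Hangouts".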


+ 3
- 0
roles/matrix-coturn/defaults/main.yml

@@ -1,5 +1,7 @@
matrix_coturn_enabled: true

matrix_coturn_container_image_self_build: false

matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

@@ -13,6 +15,7 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
matrix_coturn_docker_network: "matrix-coturn"

matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"

# List of systemd services that matrix-coturn.service depends on


+ 7
- 0
roles/matrix-coturn/tasks/init.yml

@@ -1,3 +1,10 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}"
when: matrix_coturn_enabled|bool

# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build Coturn image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_coturn_container_image_self_build"

+ 30
- 1
roles/matrix-coturn/tasks/setup_coturn.yml

@@ -4,13 +4,42 @@
# Tasks related to setting up Coturn
#

- name: Ensure Matrix Coturn path exists
file:
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: matrix_riot_web_enabled|bool and item.when

- name: Ensure Coturn image is pulled
docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
when: matrix_coturn_enabled|bool
when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build

- name: Ensure Coturn repository is present on self-build
git:
repo: https://github.com/instrumentisto/coturn-docker-image.git
dest: "{{ matrix_coturn_docker_src_files_path }}"
version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
force: "yes"
when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build"

- name: Ensure Coturn Docker image is built
docker_image:
name: "{{ matrix_coturn_docker_image }}"
source: build
build:
dockerfile: Dockerfile
path: "{{ matrix_coturn_docker_src_files_path }}"
pull: yes
when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build"

- name: Ensure Coturn configuration path exists
file:
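Review bot: The new "Ensure Matrix Coturn path exists" task is gated on `matrix_riot_web_enabled|bool and item.when`, which looks like a copy-paste from the riot-web role; it should be `matrix_coturn_enabled|bool`. As written, a host with riot-web disabled and Coturn self-build enabled never gets `matrix_coturn_docker_src_files_path` created with the intended owner and `0750` mode, and the git task then creates the directory itself with default ownership. Use `item.when|bool` as in the bridge roles.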


+ 3
- 0
roles/matrix-mxisd/defaults/main.yml

@@ -3,10 +3,13 @@

matrix_mxisd_enabled: true

matrix_mxisd_container_image_self_build: false

matrix_mxisd_docker_image: "kamax/mxisd:1.4.6"
matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}"

matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_docker_src_files_path: "{{ matrix_mxisd_base_path }}/docker-src"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"



+ 7
- 0
roles/matrix-mxisd/tasks/init.yml

@@ -1,3 +1,10 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mxisd'] }}"
when: matrix_mxisd_enabled|bool

# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build Mxisd image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mxisd_container_image_self_build"

+ 33
- 5
roles/matrix-mxisd/tasks/setup_mxisd.yml

@@ -6,15 +6,16 @@

- name: Ensure mxisd paths exist
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_mxisd_config_path }}"
- "{{ matrix_mxisd_data_path }}"
when: matrix_mxisd_enabled|bool
- { path: "{{ matrix_mxisd_config_path }}", when: true }
- { path: "{{ matrix_mxisd_data_path }}", when: true }
- { path: "{{ matrix_mxisd_docker_src_files_path }}", when: "{{ matrix_mxisd_container_image_self_build }}"}
when: matrix_mxisd_enabled|bool and item.when

- name: Ensure mxisd image is pulled
docker_image:
@@ -22,7 +23,34 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_mxisd_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mxisd_docker_image_force_pull }}"
when: matrix_mxisd_enabled|bool
when: matrix_mxisd_enabled|bool and not matrix_mxisd_container_image_self_build

- block:
- name: Ensure gradle is installed for self-building
apt:
name:
- gradle
state: present
update_cache: yes
when: (ansible_os_family == 'Debian')

- name: Ensure gradle is installed for self-building
fail:
msg: "Installing gradle on CentOS is currently not supported, so self-building mxisd cannot happen at this time"
when: ansible_distribution == 'CentOS'

- name: Ensure mxisd repository is present on self-build
git:
repo: https://github.com/kamax-matrix/mxisd.git
dest: "{{ matrix_mxisd_docker_src_files_path }}"
version: "v{{ matrix_mxisd_docker_image.split(':')[1] }}"
force: "yes"

- name: Ensure mxisd Docker image is built
shell: "./gradlew dockerBuild"
args:
chdir: "{{ matrix_mxisd_docker_src_files_path }}"
when: "matrix_mxisd_enabled|bool and matrix_mxisd_container_image_self_build"

- name: Ensure mxisd config installed
copy:
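Review bot: The "Ensure mxisd Docker image is built" task runs `./gradlew dockerBuild` through `shell` with no `creates` or `changed_when`, so it rebuilds and reports a change on every playbook run, and nothing in the block ties the image that Gradle produces to the name in `matrix_mxisd_docker_image` that the service later starts. Gate the build on the git task's result, and add a step that verifies or tags the expected image name. The CentOS `fail` task reuses the name "Ensure gradle is installed for self-building", which is misleading in the play output; name it for what it does. It is also worth confirming that the apt `gradle` package is needed at all, given that the build calls the repository's own `./gradlew` wrapper.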


+ 2
- 2
roles/matrix-nginx-proxy/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
# We use an official nginx image, which we fix-up to run unprivileged.
# An alternative would be an `nginxinc/nginx-unprivileged` image, but
# that is frequently out of date.
matrix_nginx_proxy_docker_image: "nginx:1.17.8-alpine"
matrix_nginx_proxy_docker_image: "nginx:1.17.9-alpine"
matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@@ -205,7 +205,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []

# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.2.0"
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v1.3.0"
matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
matrix_ssl_lets_encrypt_support_email: ~


+ 5
- 5
roles/matrix-postgres/defaults/main.yml

@@ -8,10 +8,10 @@ matrix_postgres_db_name: ""
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"

matrix_postgres_docker_image_v9: "postgres:9.6.16-alpine"
matrix_postgres_docker_image_v10: "postgres:10.11-alpine"
matrix_postgres_docker_image_v11: "postgres:11.6-alpine"
matrix_postgres_docker_image_v12: "postgres:12.1-alpine"
matrix_postgres_docker_image_v9: "postgres:9.6.17-alpine"
matrix_postgres_docker_image_v10: "postgres:10.12-alpine"
matrix_postgres_docker_image_v11: "postgres:11.7-alpine"
matrix_postgres_docker_image_v12: "postgres:12.2-alpine"
matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v12 }}"

# This variable is assigned at runtime. Overriding its value has no effect.
@@ -30,4 +30,4 @@ matrix_postgres_container_extra_arguments: []
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:5432"), or empty string to not expose.
matrix_postgres_container_postgres_bind_port: ""

matrix_postgres_tool_synapse_janitor: "https://raw.githubusercontent.com/xwiki-labs/synapse_scripts/0b3f035951932ceb396631de3fc701043b9723bc/synapse_janitor.sql"
matrix_postgres_tool_synapse_janitor: "https://raw.githubusercontent.com/xwiki-labs/synapse_scripts/a9188ff175ae581610f92d58ea6eac9a114d854b/synapse_janitor.sql"

+ 39
- 1
roles/matrix-riot-web/defaults/main.yml

@@ -1,9 +1,12 @@
matrix_riot_web_enabled: true

matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.9"
matrix_riot_web_container_image_self_build: false

matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.13"
matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"

matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
matrix_riot_web_docker_src_files_path: "{{ matrix_riot_web_data_path }}/docker-src"

# Controls whether the matrix-riot-web container exposes its HTTP port (tcp/8080 in the container).
#
@@ -17,6 +20,7 @@ matrix_riot_web_container_extra_arguments: []
matrix_riot_web_systemd_required_services_list: ['docker.service']

# Riot config.json customizations
matrix_riot_web_default_server_name: "{{ matrix_domain }}"
matrix_riot_web_default_hs_url: ""
matrix_riot_web_default_is_url: ~
matrix_riot_web_disable_custom_urls: true
@@ -31,6 +35,25 @@ matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# Branding of riot web
matrix_riot_web_brand: "Riot"

# URL to Logo on welcome page
matrix_riot_web_welcome_logo: "welcome/images/logo.svg"

# URL of link on welcome image
matrix_riot_web_welcome_logo_link: "https://riot.im"

matrix_riot_web_welcome_headline: "_t('Welcome to Riot.im')"
matrix_riot_web_welcome_text: "_t('Decentralised, encrypted chat &amp; collaboration powered by [matrix]')"

# Links, shown in footer of welcome page:
# [{"text": "Link text", "url": "https://link.target"}, {"text": "Other link"}]
matrix_riot_web_branding_authFooterLinks: ~

# URL to image, shown during Login
matrix_riot_web_branding_authHeaderLogoUrl: "{{ matrix_riot_web_welcome_logo }}"

# URL to Wallpaper, shown in background of welcome page
matrix_riot_web_branding_welcomeBackgroundUrl: ~

# By default, there's no Riot homepage (when logged in). If you wish to have one,
# point this to a `home.html` template file on your local filesystem.
matrix_riot_web_embedded_pages_home_path: ~
@@ -44,6 +67,21 @@ matrix_riot_web_registration_enabled: false
# Controls whether Riot shows the presence features
matrix_riot_web_enable_presence_by_hs_url: ~

# Controls whether custom riot-web themes will be installed.
# When enabled, all themes found in the `matrix_riot_web_themes_repository_url` repository
# will be installed and enabled automatically.
matrix_riot_web_themes_enabled: false
matrix_riot_web_themes_repository_url: https://github.com/aaronraimist/riot-web-themes

# Controls the `settingsDefault.custom_themes` setting of the riot-web configuration.
# You can use this setting to define custom themes.
#
# Also, look at `matrix_riot_web_themes_enabled` for a way to pull in a bunch of custom themes automatically.
# If you define your own themes here and set `matrix_riot_web_themes_enabled: true`, your themes will be preserved as well.
#
# Note that for a custom theme to work well, all riot-web/riot-desktop instances that you use must have the same theme installed.
matrix_riot_web_settingDefaults_custom_themes: []

# Default riot-web configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
#
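Review bot: the comment above `matrix_riot_web_settingDefaults_custom_themes` refers to `settingsDefault.custom_themes`, but the variable name and the config.json.j2 change in this commit both use `settingDefaults`. Fix the comment so readers search for the right key.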


+ 7
- 0
roles/matrix-riot-web/tasks/init.yml

@@ -1,3 +1,10 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-riot-web'] }}"
when: matrix_riot_web_enabled|bool

# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build Riot Web image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_riot_web_container_image_self_build"
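Review bot: the `when:` on the new fail task tests `matrix_riot_web_container_image_self_build` without `|bool`, unlike the `matrix_riot_web_enabled|bool` check just above it, so a string value such as "false" coming from an inventory or an extra-vars override is treated as true. Add `|bool`. The comment and the message also contain typos ("buildig", "usa").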

+ 6
- 0
roles/matrix-riot-web/tasks/main.yml

@@ -8,6 +8,12 @@
- setup-all
- setup-riot-web

- import_tasks: "{{ role_path }}/tasks/prepare_riot_web_themes.yml"
when: run_setup|bool
tags:
- setup-all
- setup-riot-web

- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml"
when: run_setup|bool
tags:


+ 48
- 0
roles/matrix-riot-web/tasks/prepare_riot_web_themes.yml

@@ -0,0 +1,48 @@
---

#
# Tasks related to setting up riot-web themes
#

- block:
- name: Ensure riot-web themes repository is pulled
git:
repo: "{{ matrix_riot_web_themes_repository_url }}"
dest: "{{ role_path }}/files/scratchpad/riot-web-themes"

- name: Find all riot-web theme files
find:
paths: "{{ role_path }}/files/scratchpad/riot-web-themes"
patterns: "*.json"
recurse: true
register: matrix_riot_web_theme_file_list

- name: Read riot-web theme
slurp:
path: "{{ item.path }}"
register: "matrix_riot_web_theme_file_contents"
with_items: "{{ matrix_riot_web_theme_file_list.files }}"

- name: Load riot-web theme
set_fact:
matrix_riot_web_settingDefaults_custom_themes: "{{ matrix_riot_web_settingDefaults_custom_themes + [item['content'] | b64decode | from_json] }}"
with_items: "{{ matrix_riot_web_theme_file_contents.results }}"

run_once: true
delegate_to: 127.0.0.1
become: false
when: matrix_riot_web_themes_enabled|bool


# #
# # Tasks related to getting rid of riot-web themes (if it was previously enabled)
# #

- name: Ensure riot-web themes repository is removed
file:
path: "{{ role_path }}/files/scratchpad/riot-web-themes"
state: absent
run_once: true
delegate_to: 127.0.0.1
become: false
when: "not matrix_riot_web_themes_enabled|bool"
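Review bot: the git task that pulls `matrix_riot_web_themes_repository_url` sets no `version:`, so each run takes whatever the default branch of that repository holds at the time, and the following tasks load every `*.json` found under it straight into `matrix_riot_web_settingDefaults_custom_themes`. Add a version variable (ideally defaulting to a commit hash) so the content that ends up in config.json can be reviewed, and consider narrowing the `find` path or pattern so non-theme JSON files in the repository are not picked up.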

+ 24
- 3
roles/matrix-riot-web/tasks/setup_riot_web.yml

@@ -6,12 +6,15 @@

- name: Ensure Matrix riot-web path exists
file:
path: "{{ matrix_riot_web_data_path }}"
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: matrix_riot_web_enabled|bool
with_items:
- { path: "{{ matrix_riot_web_data_path }}", when: true }
- { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" }
when: matrix_riot_web_enabled|bool and item.when

- name: Ensure riot-web Docker image is pulled
docker_image:
@@ -19,7 +22,25 @@
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_riot_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_riot_web_docker_image_force_pull }}"
when: matrix_riot_web_enabled|bool
when: matrix_riot_web_enabled|bool and not matrix_riot_web_container_image_self_build

- name: Ensure Riot Web repository is present on self-build
git:
repo: https://github.com/vector-im/riot-web.git
dest: "{{ matrix_riot_web_docker_src_files_path }}"
version: "{{ matrix_riot_web_docker_image.split(':')[1] }}"
force: "yes"
when: "matrix_riot_web_enabled|bool and matrix_riot_web_container_image_self_build"

- name: Ensure Riot Web Docker image is built
docker_image:
name: "{{ matrix_riot_web_docker_image }}"
source: build
build:
dockerfile: Dockerfile
path: "{{ matrix_riot_web_docker_src_files_path }}"
pull: yes
when: "matrix_riot_web_enabled|bool and matrix_riot_web_container_image_self_build"

- name: Ensure Matrix riot-web configuration installed
copy:
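Review bot: the new "Ensure Riot Web Docker image is built" task sets no `force_source`, and it builds under the same name and tag as the pulled image. docker_image with `source: build` does nothing when an image with that name already exists, so a host that pulled `matrix_riot_web_docker_image` earlier and later enables self-build keeps running the pulled image. Set `force_source` (for example when the git task reports a change) or tag self-built images differently.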


+ 17
- 2
roles/matrix-riot-web/templates/config.json.j2

@@ -1,6 +1,16 @@
{
"default_hs_url": {{ matrix_riot_web_default_hs_url|string|to_json }},
"default_is_url": {{ matrix_riot_web_default_is_url|string|to_json }},
"default_server_config": {
"m.homeserver": {
"base_url": {{ matrix_riot_web_default_hs_url|string|to_json }},
"server_name": {{ matrix_riot_web_default_server_name|string|to_json }}
},
"m.identity_server": {
"base_url": {{ matrix_riot_web_default_is_url|string|to_json }}
}
},
"settingDefaults": {
"custom_themes": {{ matrix_riot_web_settingDefaults_custom_themes|to_json }}
},
"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }},
"disable_guests": {{ matrix_riot_web_disable_guests|to_json }},
"brand": {{ matrix_riot_web_brand|to_json }},
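Review bot: in the new `m.identity_server` block, `matrix_riot_web_default_is_url|string|to_json` turns the role default of `~` into the string "None", so a setup without an identity server gets `"base_url": "None"`. Emit the `m.identity_server` key only when the variable is set, or drop `|string` so an unset value renders as null.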
@@ -19,5 +29,10 @@
{% endif %}
"embeddedPages": {
"homeUrl": {{ matrix_riot_web_embedded_pages_home_url|string|to_json }}
},
"branding": {
"authFooterLinks": {{ matrix_riot_web_branding_authFooterLinks|to_json }},
"authHeaderLogoUrl": {{ matrix_riot_web_branding_authHeaderLogoUrl|to_json }},
"welcomeBackgroundUrl": {{ matrix_riot_web_branding_welcomeBackgroundUrl|to_json }}
}
}

+ 4
- 4
roles/matrix-riot-web/templates/welcome.html.j2

@@ -153,11 +153,11 @@ h1::after {
</style>

<div class="mx_Parent">
<a href="https://riot.im" target="_blank" rel="noopener">
<img src="welcome/images/logo.svg" alt="" class="mx_Logo"/>
<a href="{{ matrix_riot_web_welcome_logo_link }}" target="_blank" rel="noopener">
<img src="{{ matrix_riot_web_welcome_logo }}" alt="" class="mx_Logo"/>
</a>
<h1 class="mx_Header_title">_t("Welcome to Riot.im")</h1>
<h4 class="mx_Header_subtitle">_t("Decentralised, encrypted chat &amp; collaboration powered by [matrix]")</h4>
<h1 class="mx_Header_title">{{ matrix_riot_web_welcome_headline }}</h1>
<h4 class="mx_Header_subtitle">{{ matrix_riot_web_welcome_text }}</h4>
<div class="mx_ButtonGroup">
<div class="mx_ButtonRow">
<a href="#/login" class="mx_ButtonParent mx_ButtonSignIn mx_Button_iconSignIn">
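Review bot: the four new variables are written into `href`, `src` and element bodies with no escaping, so a value containing a double quote or markup changes the structure of the page. Apply an escape filter to `matrix_riot_web_welcome_logo_link` and `matrix_riot_web_welcome_logo`, and document in the defaults that the headline and text variables are inserted as raw HTML (the default text already relies on that with `&amp;`).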


+ 7
- 1
roles/matrix-synapse/defaults/main.yml

@@ -3,10 +3,13 @@

matrix_synapse_enabled: true

matrix_synapse_docker_image: "matrixdotorg/synapse:v1.10.0"
matrix_synapse_container_image_self_build: false

matrix_synapse_docker_image: "matrixdotorg/synapse:v1.11.1"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_docker_src_files_path: "{{ matrix_synapse_base_path }}/docker-src"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"
matrix_synapse_run_path: "{{ matrix_synapse_base_path }}/run"
matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
@@ -155,6 +158,9 @@ matrix_synapse_allow_public_rooms_over_federation: false
# Controls whether people with access to the homeserver can register by themselves.
matrix_synapse_enable_registration: false

# Allows non-server-admin users to create groups on this server
matrix_synapse_enable_group_creation: false

# A list of 3PID types which users must supply when registering (possible values: email, msisdn).
matrix_synapse_registrations_require_3pid: []



+ 7
- 0
roles/matrix-synapse/tasks/init.yml

@@ -5,3 +5,10 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-goofys'] }}"
when: matrix_s3_media_store_enabled|bool

# ansible lower than 2.8, does not support docker_image build parameters
# for self buildig it is explicitly needed, so we rather fail here
- name: Fail if running on Ansible lower than 2.8 and trying self building
fail:
msg: "To self build Synapse image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_synapse_container_image_self_build"

+ 6
- 5
roles/matrix-synapse/tasks/setup_synapse.yml

@@ -2,19 +2,20 @@

- name: Ensure Synapse paths exist
file:
path: "{{ item }}"
path: "{{ item.path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_synapse_config_dir_path }}"
- "{{ matrix_synapse_run_path }}"
- "{{ matrix_synapse_ext_path }}"
- { path: "{{ matrix_synapse_config_dir_path }}", when: true }
- { path: "{{ matrix_synapse_run_path }}", when: true }
- { path: "{{ matrix_synapse_ext_path }}", when: true }
- { path: "{{ matrix_synapse_docker_src_files_path }}", when: "{{ matrix_synapse_container_image_self_build }}" }
# We handle matrix_synapse_media_store_path elsewhere (in ./synapse/setup_install.yml),
# because if it's using Goofys and it's already mounted (from before),
# trying to chown/chmod it here will cause trouble.
when: "matrix_synapse_enabled|bool or matrix_s3_media_store_enabled|bool"
when: "(matrix_synapse_enabled|bool or matrix_s3_media_store_enabled|bool) and item.when"

- import_tasks: "{{ role_path }}/tasks/ext/setup.yml"
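Review bot: `item.when` in the task condition is a templated string taken from the `with_items` entries and is used without `|bool`. Write `item.when|bool` so the directory for `matrix_synapse_docker_src_files_path` is not created when the self-build variable arrives as a string such as "false".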



+ 19
- 0
roles/matrix-synapse/tasks/synapse/setup_install.yml

@@ -18,12 +18,31 @@
group: "{{ matrix_user_username }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"

- name: Ensure Synapse repository is present on self-build
git:
repo: https://github.com/matrix-org/synapse.git
dest: "{{ matrix_synapse_docker_src_files_path }}"
version: "{{ matrix_synapse_docker_image.split(':')[1] }}"
force: "yes"
when: "matrix_synapse_container_image_self_build"

- name: Ensure Synapse Docker image is built
docker_image:
name: "{{ matrix_synapse_docker_image }}"
source: build
build:
dockerfile: docker/Dockerfile
path: "{{ matrix_synapse_docker_src_files_path }}"
pull: yes
when: "matrix_synapse_container_image_self_build"

- name: Ensure Synapse Docker image is pulled
docker_image:
name: "{{ matrix_synapse_docker_image }}"
source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
force_source: "{{ matrix_synapse_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_synapse_docker_image_force_pull }}"
when: "not matrix_synapse_container_image_self_build"

- name: Check if a Synapse signing key exists
stat:
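Review bot: the new git task derives its ref from `matrix_synapse_docker_image.split(':')[1]`, which picks the wrong field when the image name carries a registry host with a port and raises an error when the name has no tag. A dedicated version variable would avoid parsing the image name. The three conditions in this hunk are also gated on `matrix_synapse_container_image_self_build` alone, without `|bool` or a `matrix_synapse_enabled` check, unlike the riot-web equivalents in this commit.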


+ 16
- 2
roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1,5 +1,11 @@
#jinja2: lstrip_blocks: "True"
# vim:ft=yaml
# Configuration file for Synapse.
#
# This is a YAML file: see [1] for a quick introduction. Note in particular
# that *indentation is important*: all the elements of a list or dictionary
# should have the same indentation.
#
# [1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html

## Server ##

@@ -471,6 +477,11 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
# ACME support: This will configure Synapse to request a valid TLS certificate
# for your configured `server_name` via Let's Encrypt.
#
# Note that ACME v1 is now deprecated, and Synapse currently doesn't support
# ACME v2. This means that this feature currently won't work with installs set
# up after November 2019. For more info, and alternative solutions, see
# https://github.com/matrix-org/synapse/blob/master/docs/ACME.md#deprecation-of-acme-v1
#
# Note that provisioning a certificate in this way requires port 80 to be
# routed to Synapse so that it can complete the http-01 ACME challenge.
# By default, if you enable ACME support, Synapse will attempt to listen on
@@ -1582,7 +1593,7 @@ spam_checker: {{ matrix_synapse_spam_checker|to_json }}

# Uncomment to allow non-server-admin users to create groups on this server
#
#enable_group_creation: true
enable_group_creation: {{ matrix_synapse_enable_group_creation|to_json }}

# If enabled, non server admins can only create groups with local parts
# starting with this prefix
@@ -1817,3 +1828,6 @@ opentracing:
#
# logging:
# false


# vim:ft=yaml
