Merge remote-tracking branch 'origin/master' into mrb

3年前 · d85b966549
--- a/README.md
+++ b/README.md
@@ -79,7 +79,7 @@ Extend and modify how users are authenticated on your homeserver.
 | ---- | -------- | ----------- | ------------- |
 | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) |
 |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) |
 | [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) |
 | [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) |
 | [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) |
 | [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) |

--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@@ -165,7 +165,7 @@ jitsi_prosody_max_participants: 4 # example value
 By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts.

 There is an ansible playbook that can be run with the following tag:
 ` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`
 `ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`

 For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example:
 ```
@@ -208,6 +208,16 @@ However, it can also be set the ip address of the matrix server. This can be use
 jitsi_xmpp_server: "192.168.0.1"
 ```

 For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the
 port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but
 the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this:

 ```yaml
 jitsi_prosody_container_jvb_host_bind_port: 5222
 ```

 (The default is empty; if it's set then docker forwards the port.)

 The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable
 `matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses.

--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@@ -30,13 +30,23 @@ After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#buc

 ```yaml
 matrix_synapse_ext_synapse_s3_storage_provider_enabled: true

 matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name
 matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this
 matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
 matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc.

 # Authentication Method 1 - (access key id + secret)
 # This works on all providers (AWS and other compatible systems).
 # Uncomment the variables below to use it.
 # matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here
 # matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here

 # Authentication Method 2 - EC2 instance profile which grants permission to access S3
 # This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set.
 # Uncomment the variable below to use it.
 # matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true

 # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml`
 ```

@@ -103,9 +113,17 @@ docker.io/amazon/aws-cli:2.9.16 \
 -c 'aws s3 sync /work/. s3://$BUCKET/'
 ```

 #### Copying data to an S3 alternative using the aws-s3 tool

 To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument.

 Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command.

 #### Copying data to Backblaze B2

 To copy to Backblaze B2, start a container on the Matrix server like this:
 You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below.

 To copy the data using the `b2` tool, start a container on the Matrix server like this:

 ```sh
 docker run -it --rm \
--- a/docs/howto-server-delegation.md
+++ b/docs/howto-server-delegation.md
@@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to:

 - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `<your-domain>` (not `matrix.<your-domain>`!). Getting this certificate to the `matrix.<your-domain>` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below.

 For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md)

 ### Obtaining certificates

--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@@ -0,0 +1,206 @@
 # Server Delegation via a DNS SRV record (advanced)

 **Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain. 

 This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required.

 ## Prerequisites

 SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate.

 To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge).

 This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate.

 The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers)

 ## The changes

 ### Federation Endpoint

 ```yaml
 # To serve the federation from any domain, as long as the path match
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
 ```

 This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.

 ### Tell Traefik which certificate to serve for the federation endpoint

 Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.

 This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.

 ```yaml
 # To let Traefik know which domains' certificates to serve
 matrix_nginx_proxy_container_labels_additional_labels: |
  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
 ```

 ### Configure the DNS-01 challenge for let's encrypt

 Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge.

 This will need 3 changes:
 1. Add a new certificate resolver that works with DNS-01
 2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set)
 3. Tell the playbook to use the new resolver as default

 We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook.

 ```yaml
 # 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
 devture_traefik_configuration_extension_yaml: |
  certificatesResolvers:
    dns:
      acme:
        # To use a staging endpoint for testing purposes, uncomment the line below.
        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
        dnsChallenge:
          provider: cloudflare
          resolvers: 
            - "1.1.1.1:53"
            - "8.8.8.8:53"
        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}

 # 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
 devture_traefik_environment_variables: |
  CF_API_EMAIL=redacted
  CF_ZONE_API_TOKEN=redacted
  CF_DNS_API_TOKEN=redacted
  LEGO_DISABLE_CNAME_SUPPORT=true

 # 3. Instruct the playbook to use the new ACME configuration
 devture_traefik_certResolver_primary: dns
 ```

 ## Adjust Coturn's configuration

 The last step is to alter the generated Coturn configuration.

 By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting.

 We also need to indicate to Coturn where the wildcard certificate is.

 **⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`).

 This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically.

 ```yaml
 # Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
 matrix_coturn_systemd_required_services_list: ['docker.service']

 # This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
 matrix_coturn_container_additional_volumes: |
  {{
    (
      [
       {
         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
         'dst': '/fullchain.pem',
         'options': 'ro',
       },
       {
         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
         'dst': '/privkey.pem',
         'options': 'ro',
       },
      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
    )
    +
    (
      [
       {
         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
    )
  }}
 ```

 ## Full example of a working configuration

 ```yaml
 # Choosing the reverse proxy implementation
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik
 devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com

 # To serve the federation from any domain, as long as the path match
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)

 # To let Traefik know which domains' certificates to serve
 matrix_nginx_proxy_container_labels_additional_labels: |
  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"

 # Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
 devture_traefik_configuration_extension_yaml: |
  certificatesResolvers:
    dns:
      acme:
        # To use a staging endpoint for testing purposes, uncomment the line below.
        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
        dnsChallenge:
          provider: cloudflare
          resolvers: 
            - "1.1.1.1:53"
            - "8.8.8.8:53"
        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}

 # Instruct thep laybook to use the new ACME configuration
 devture_traefik_certResolver_primary: "dns"

 # Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
 devture_traefik_environment_variables: |
  CF_API_EMAIL=redacted
  CF_ZONE_API_TOKEN=redacted
  CF_DNS_API_TOKEN=redacted
  LEGO_DISABLE_CNAME_SUPPORT=true

 # Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
 matrix_coturn_systemd_required_services_list: ['docker.service']

 # This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
 matrix_coturn_container_additional_volumes: |
  {{
    (
      [
       {
         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
         'dst': '/fullchain.pem',
         'options': 'ro',
       },
       {
         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
         'dst': '/privkey.pem',
         'options': 'ro',
       },
      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
    )
    +
    (
      [
       {
         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
    )
  }}
 ```
--- a/examples/hosts
+++ b/examples/hosts
@@ -2,7 +2,9 @@
 # If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
 #
 # To connect using a non-root user (and elevate to root with sudo later),
 # replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
 # replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
 # If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
 # or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
 #
 # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
 # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
--- a/group_vars/jitsi_jvb_servers
+++ b/group_vars/jitsi_jvb_servers
@@ -0,0 +1,11 @@
 jitsi_architecture: "{{ matrix_architecture }}"
 jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
 jitsi_uid: "{{ matrix_user_uid }}"
 jitsi_gid: "{{ matrix_user_gid }}"

 devture_systemd_service_manager_services_list_auto: |
  {{
    ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
  }}

 matrix_playbook_docker_installation_enabled: true
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: |

 # This list is not exhaustive and final.
 # Synapse workers are still injected into the list at runtime.
 # Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
 # Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
 #
 # Priority levels are like this:
 # - core services (the homeserver) get a level of ~1000
--- a/jitsi_jvb.yml
+++ b/jitsi_jvb.yml
@@ -0,0 +1,35 @@
 ---
 - name: "Set up additional Jitsi JVB servers"
  hosts: "jitsi_jvb_servers"
  become: true

  roles:
    - role: galaxy/com.devture.ansible.role.playbook_help
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - when: matrix_playbook_docker_installation_enabled | bool
      role: galaxy/geerlingguy.docker
      vars:
        docker_install_compose: false
      tags:
        - setup-docker
        - setup-all
        - setup-additional-jitsi-jvb
        - install-docker
        - install-all

    - when: devture_docker_sdk_for_python_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.docker_sdk_for_python
      tags:
        - setup-docker
        - setup-all
        - setup-additional-jitsi-jvb
        - install-docker
        - install-all

    - custom/matrix-base
    - galaxy/jitsi
    - custom/matrix-common-after

    - when: devture_systemd_service_manager_enabled | bool
      role: galaxy/com.devture.ansible.role.systemd_service_manager
--- a/playbooks/jitsi_jvb.yml
+++ b/playbooks/jitsi_jvb.yml
@@ -1,12 +0,0 @@
 ---
 - name: "Set up additional Jitsi JVB servers"
  hosts: "jitsi_jvb_servers"
  become: true

  roles:
    - role: galaxy/com.devture.ansible.role.playbook_help
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - custom/matrix-base
    - galaxy/jitsi
    - custom/matrix-common-after
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@@ -1,143 +0,0 @@
 ---
 - name: "Set up a Matrix server"
  hosts: "{{ target if target is defined else 'matrix_servers' }}"
  become: true

  roles:
    # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
    - role: galaxy/com.devture.ansible.role.playbook_help

    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - role: custom/matrix_playbook_migration

    - when: matrix_playbook_docker_installation_enabled | bool
      role: galaxy/geerlingguy.docker
      vars:
        docker_install_compose: false
      tags:
        - setup-docker
        - setup-all
        - install-docker
        - install-all

    - when: devture_docker_sdk_for_python_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.docker_sdk_for_python
      tags:
        - setup-docker
        - setup-all
        - install-docker
        - install-all

    - when: devture_timesync_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.timesync
      tags:
        - setup-timesync
        - setup-all
        - install-timesync
        - install-all

    - custom/matrix-base
    - custom/matrix-dynamic-dns
    - custom/matrix-mailer

    - role: galaxy/com.devture.ansible.role.postgres

    - galaxy/redis
    - custom/matrix-corporal
    - custom/matrix-bridge-appservice-discord
    - custom/matrix-bridge-appservice-slack
    - custom/matrix-bridge-appservice-webhooks
    - custom/matrix-bridge-appservice-irc
    - custom/matrix-bridge-appservice-kakaotalk
    - custom/matrix-bridge-beeper-linkedin
    - custom/matrix-bridge-go-skype-bridge
    - custom/matrix-bridge-mautrix-facebook
    - custom/matrix-bridge-mautrix-twitter
    - custom/matrix-bridge-mautrix-hangouts
    - custom/matrix-bridge-mautrix-googlechat
    - custom/matrix-bridge-mautrix-instagram
    - custom/matrix-bridge-mautrix-signal
    - custom/matrix-bridge-mautrix-telegram
    - custom/matrix-bridge-mautrix-whatsapp
    - custom/matrix-bridge-mautrix-discord
    - custom/matrix-bridge-mautrix-slack
    - custom/matrix-bridge-mx-puppet-discord
    - custom/matrix-bridge-mx-puppet-groupme
    - custom/matrix-bridge-mx-puppet-steam
    - custom/matrix-bridge-mx-puppet-slack
    - custom/matrix-bridge-mx-puppet-twitter
    - custom/matrix-bridge-mx-puppet-instagram
    - custom/matrix-bridge-sms
    - custom/matrix-bridge-heisenbridge
    - custom/matrix-bridge-hookshot
    - custom/matrix-bot-matrix-reminder-bot
    - custom/matrix-bot-matrix-registration-bot
    - custom/matrix-bot-maubot
    - custom/matrix-bot-buscarron
    - custom/matrix-bot-honoroit
    - custom/matrix-bot-postmoogle
    - custom/matrix-bot-go-neb
    - custom/matrix-bot-mjolnir
    - custom/matrix-bot-draupnir
    - custom/matrix-bot-chatgpt
    - custom/matrix-cactus-comments
    - custom/matrix-rageshake
    - custom/matrix-synapse
    - custom/matrix-synapse-auto-compressor
    - custom/matrix-synapse-reverse-proxy-companion
    - custom/matrix-dendrite
    - custom/matrix-conduit
    - custom/matrix-synapse-admin
    - galaxy/prometheus_node_exporter
    - galaxy/prometheus_postgres_exporter
    - custom/matrix-prometheus-nginxlog-exporter
    - galaxy/prometheus
    - galaxy/grafana
    - custom/matrix-prometheus-services-connect
    - custom/matrix-prometheus-services-proxy-connect
    - custom/matrix-registration
    - custom/matrix-client-element
    - custom/matrix-client-hydrogen
    - custom/matrix-client-cinny
    - galaxy/jitsi
    - custom/matrix-user-verification-service
    - custom/matrix-ldap-registration-proxy
    - custom/matrix-ma1sd
    - custom/matrix-dimension
    - galaxy/etherpad
    - custom/etherpad-proxy-connect
    - custom/matrix-sliding-sync
    - custom/matrix-email2matrix
    - custom/matrix-sygnal
    - galaxy/ntfy
    - custom/matrix-nginx-proxy
    - custom/matrix-coturn

    - role: galaxy/aux

    - role: galaxy/com.devture.ansible.role.postgres_backup

    - role: galaxy/backup_borg

    - custom/matrix-user-creator
    - custom/matrix-common-after

    - role: galaxy/com.devture.ansible.role.container_socket_proxy

    - role: galaxy/com.devture.ansible.role.traefik

    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper

    - when: devture_systemd_service_manager_enabled | bool
      role: galaxy/com.devture.ansible.role.systemd_service_manager

    # This is pretty much last, because we want it to better serve as a "last known good configuration".
    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
    - when: devture_playbook_state_preserver_enabled | bool
      role: galaxy/com.devture.ansible.role.playbook_state_preserver
      tags:
        - setup-all
        - install-all

    - role: galaxy/com.devture.ansible.role.playbook_runtime_messages
--- a/requirements.yml
+++ b/requirements.yml
@@ -2,9 +2,9 @@

 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-1
  name: aux
  name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
  version: v1.2.4-1.7.13-0
  version: v1.2.4-1.7.15-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
  version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@@ -26,28 +26,28 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: v2.10.1-1
  version: v2.10.3-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
  version: v1.8.18-2
  version: v1.9.0-0
 - src: git+https://github.com/geerlingguy/ansible-role-docker
  version: 6.1.0
  name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
  version: v9.5.2-0
  version: v10.0.1-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
  version: v8615-0
  name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
  version: v2.5.0-0
  version: v2.6.2-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v2.44.0-0
  version: v2.45.0-0
  name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
  version: v1.6.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
  version: v0.12.0-0
  version: v0.13.1-0
  name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
  version: v7.0.10-0
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@@ -111,7 +111,7 @@ matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_confi
 matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml | from_yaml | combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}"

 matrix_beeper_linkedin_registration_yaml: |
  id: linkedin
  id: beeper_linkedin
  url: {{ matrix_beeper_linkedin_appservice_address }}
  as_token: "{{ matrix_beeper_linkedin_appservice_token }}"
  hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}"
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"

 matrix_hookshot_version: 4.1.0
 matrix_hookshot_version: 4.4.0

 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
 matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
 matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"

 matrix_mautrix_discord_version: v0.4.0
 matrix_mautrix_discord_version: v0.5.0
 # See: https://mau.dev/mautrix/discord/container_registry
 matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
 matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false
 matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git"
 matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}"

 matrix_mautrix_googlechat_version: v0.4.0
 matrix_mautrix_googlechat_version: v0.5.0
 # See: https://mau.dev/mautrix/googlechat/container_registry
 matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}"
 matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
@@ -143,15 +143,15 @@ bridge:
  # application service.
  encryption:
    # Allow encryption, work in group chat rooms with e2ee enabled
    allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
    allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }}
    # Default to encryption, force-enable encryption in all portals the bridge creates
    # This will cause the bridge bot to be in private chats for the encryption to work properly.
    default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
    default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }}
    # Options for automatic key sharing.
    key_sharing:
      # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
      # You must use a client that supports requesting keys from other users to use this feature.
      allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
      allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }}
      # Require the requesting device to have a valid cross-signing signature?
      # This doesn't require that the bridge has verified the device, only that the user has verified it.
      # Not yet implemented.
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

 matrix_mautrix_telegram_version: v0.14.0
 matrix_mautrix_telegram_version: v0.14.1
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
 matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"

 matrix_mautrix_whatsapp_version: v0.8.5
 matrix_mautrix_whatsapp_version: v0.8.6
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"

 matrix_client_element_version: v1.11.31
 matrix_client_element_version: v1.11.35
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml
@@ -6,7 +6,7 @@ matrix_client_hydrogen_enabled: true
 matrix_client_hydrogen_container_image_self_build: false
 matrix_client_hydrogen_container_image_self_build_repo: "https://github.com/vector-im/hydrogen-web.git"

 matrix_client_hydrogen_version: v0.3.8
 matrix_client_hydrogen_version: v0.4.0
 matrix_client_hydrogen_docker_image: "{{ matrix_client_hydrogen_docker_image_name_prefix }}vector-im/hydrogen-web:{{ matrix_client_hydrogen_version }}"
 matrix_client_hydrogen_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_hydrogen_container_image_self_build else 'ghcr.io/' }}"
 matrix_client_hydrogen_docker_image_force_pull: "{{ matrix_client_hydrogen_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

 matrix_coturn_version: 4.6.1-r3
 matrix_coturn_version: 4.6.2-r4
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/
 matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_dendrite_docker_image_tag: "v0.12.0"
 matrix_dendrite_docker_image_tag: "v0.13.0"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"

 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'

 matrix_dynamic_dns_version: v3.10.0-ls111
 matrix_dynamic_dns_version: v3.10.0-ls126

 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 # Project source code URL: https://github.com/nginx/nginx
 matrix_nginx_proxy_enabled: true
 matrix_nginx_proxy_version: 1.23.3-alpine
 matrix_nginx_proxy_version: 1.25.1-alpine

 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -25,7 +25,7 @@

 matrix_synapse_reverse_proxy_companion_enabled: true

 matrix_synapse_reverse_proxy_companion_version: 1.23.3-alpine
 matrix_synapse_reverse_proxy_companion_version: 1.25.1-alpine

 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -4,7 +4,7 @@

 matrix_synapse_enabled: true

 matrix_synapse_version: v1.84.1
 matrix_synapse_version: v1.87.0

 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -789,11 +789,10 @@ matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: fals
 # Enable this to activate the Shared Secret Auth password provider module.
 # See: https://github.com/devture/matrix-synapse-shared-secret-auth
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: false
 matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.2/shared_secret_authenticator.py"
 matrix_synapse_ext_password_provider_shared_secret_auth_download_url: "https://raw.githubusercontent.com/devture/matrix-synapse-shared-secret-auth/2.0.3/shared_secret_authenticator.py"
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: ""
 matrix_synapse_ext_password_provider_shared_secret_auth_m_login_password_support_enabled: true
 # We'd like to enable this, but it causes trouble for Element: https://github.com/vector-im/element-web/issues/19605
 matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: false
 matrix_synapse_ext_password_provider_shared_secret_auth_com_devture_shared_secret_auth_support_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_config: "{{ matrix_synapse_ext_password_provider_shared_secret_config_yaml | from_yaml }}"
 matrix_synapse_ext_password_provider_shared_secret_config_yaml: |
  shared_secret: {{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret | string | to_json }}
@@ -886,6 +885,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: ''
 # Enable this to use EC2 instance profile metadata to grab IAM credentials instead of passing credentials directly
 # via matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id and matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key
 matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256'
--- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml
@@ -1,5 +1,4 @@
 ---

 - name: Fail if required s3-storage-provider settings not defined
  ansible.builtin.fail:
    msg: >-
@@ -8,9 +7,16 @@
  with_items:
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"

 - name: Fail if required s3-storage-provider auth settings not defined when not using an EC2 profile
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
  when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''"
  with_items:
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"
    - "matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url"

 - name: Fail if required matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url looks invalid
  ansible.builtin.fail:
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
@@ -1,5 +1,7 @@
 {% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %}
 AWS_ACCESS_KEY_ID={{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id }}
 AWS_SECRET_ACCESS_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key }}
 {% endif %}
 AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name }}

 ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }}
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
@@ -6,8 +6,10 @@ config:
  bucket: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket | to_json }}
  region_name: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name | to_json }}
  endpoint_url: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url | to_json }}
 {% if not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool %}
  access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }}
  secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }}
 {% endif %}

 {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
  sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }}
--- a/roles/custom/matrix-synapse/vars/main.yml
+++ b/roles/custom/matrix-synapse/vars/main.yml
@@ -153,7 +153,6 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/client/v1/rooms/.*/hierarchy$
  - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/
  - ^/_matrix/client/v1/rooms/.*/threads$
  - ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$
  - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
  - ^/_matrix/client/(r0|v3|unstable)/account/3pid$
  - ^/_matrix/client/(r0|v3|unstable)/account/whoami$
--- a/setup.yml
+++ b/setup.yml
@@ -1 +0,0 @@
 playbooks/matrix.yml
--- a/setup.yml
+++ b/setup.yml
@@ -0,0 +1,143 @@
 ---
 - name: "Set up a Matrix server"
  hosts: "{{ target if target is defined else 'matrix_servers' }}"
  become: true

  roles:
    # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
    - role: galaxy/com.devture.ansible.role.playbook_help

    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - role: custom/matrix_playbook_migration

    - when: matrix_playbook_docker_installation_enabled | bool
      role: galaxy/geerlingguy.docker
      vars:
        docker_install_compose: false
      tags:
        - setup-docker
        - setup-all
        - install-docker
        - install-all

    - when: devture_docker_sdk_for_python_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.docker_sdk_for_python
      tags:
        - setup-docker
        - setup-all
        - install-docker
        - install-all

    - when: devture_timesync_installation_enabled | bool
      role: galaxy/com.devture.ansible.role.timesync
      tags:
        - setup-timesync
        - setup-all
        - install-timesync
        - install-all

    - custom/matrix-base
    - custom/matrix-dynamic-dns
    - custom/matrix-mailer

    - role: galaxy/com.devture.ansible.role.postgres

    - galaxy/redis
    - custom/matrix-corporal
    - custom/matrix-bridge-appservice-discord
    - custom/matrix-bridge-appservice-slack
    - custom/matrix-bridge-appservice-webhooks
    - custom/matrix-bridge-appservice-irc
    - custom/matrix-bridge-appservice-kakaotalk
    - custom/matrix-bridge-beeper-linkedin
    - custom/matrix-bridge-go-skype-bridge
    - custom/matrix-bridge-mautrix-facebook
    - custom/matrix-bridge-mautrix-twitter
    - custom/matrix-bridge-mautrix-hangouts
    - custom/matrix-bridge-mautrix-googlechat
    - custom/matrix-bridge-mautrix-instagram
    - custom/matrix-bridge-mautrix-signal
    - custom/matrix-bridge-mautrix-telegram
    - custom/matrix-bridge-mautrix-whatsapp
    - custom/matrix-bridge-mautrix-discord
    - custom/matrix-bridge-mautrix-slack
    - custom/matrix-bridge-mx-puppet-discord
    - custom/matrix-bridge-mx-puppet-groupme
    - custom/matrix-bridge-mx-puppet-steam
    - custom/matrix-bridge-mx-puppet-slack
    - custom/matrix-bridge-mx-puppet-twitter
    - custom/matrix-bridge-mx-puppet-instagram
    - custom/matrix-bridge-sms
    - custom/matrix-bridge-heisenbridge
    - custom/matrix-bridge-hookshot
    - custom/matrix-bot-matrix-reminder-bot
    - custom/matrix-bot-matrix-registration-bot
    - custom/matrix-bot-maubot
    - custom/matrix-bot-buscarron
    - custom/matrix-bot-honoroit
    - custom/matrix-bot-postmoogle
    - custom/matrix-bot-go-neb
    - custom/matrix-bot-mjolnir
    - custom/matrix-bot-draupnir
    - custom/matrix-bot-chatgpt
    - custom/matrix-cactus-comments
    - custom/matrix-rageshake
    - custom/matrix-synapse
    - custom/matrix-synapse-auto-compressor
    - custom/matrix-synapse-reverse-proxy-companion
    - custom/matrix-dendrite
    - custom/matrix-conduit
    - custom/matrix-synapse-admin
    - galaxy/prometheus_node_exporter
    - galaxy/prometheus_postgres_exporter
    - custom/matrix-prometheus-nginxlog-exporter
    - galaxy/prometheus
    - galaxy/grafana
    - custom/matrix-prometheus-services-connect
    - custom/matrix-prometheus-services-proxy-connect
    - custom/matrix-registration
    - custom/matrix-client-element
    - custom/matrix-client-hydrogen
    - custom/matrix-client-cinny
    - galaxy/jitsi
    - custom/matrix-user-verification-service
    - custom/matrix-ldap-registration-proxy
    - custom/matrix-ma1sd
    - custom/matrix-dimension
    - galaxy/etherpad
    - custom/etherpad-proxy-connect
    - custom/matrix-sliding-sync
    - custom/matrix-email2matrix
    - custom/matrix-sygnal
    - galaxy/ntfy
    - custom/matrix-nginx-proxy
    - custom/matrix-coturn

    - role: galaxy/auxiliary

    - role: galaxy/com.devture.ansible.role.postgres_backup

    - role: galaxy/backup_borg

    - custom/matrix-user-creator
    - custom/matrix-common-after

    - role: galaxy/com.devture.ansible.role.container_socket_proxy

    - role: galaxy/com.devture.ansible.role.traefik

    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper

    - when: devture_systemd_service_manager_enabled | bool
      role: galaxy/com.devture.ansible.role.systemd_service_manager

    # This is pretty much last, because we want it to better serve as a "last known good configuration".
    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
    - when: devture_playbook_state_preserver_enabled | bool
      role: galaxy/com.devture.ansible.role.playbook_state_preserver
      tags:
        - setup-all
        - install-all

    - role: galaxy/com.devture.ansible.role.playbook_runtime_messages