Merge remote-tracking branch 'upstream/master' into remove-sliding-sync-proxy

3 недель назад · d99ec94e14
--- a/.github/workflows/lock-threads.yml
+++ b/.github/workflows/lock-threads.yml
@@ -23,7 +23,7 @@ jobs:
    if: github.repository == 'spantaleev/matrix-docker-ansible-deploy'
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/lock-threads@v5
      - uses: dessant/lock-threads@v6
        with:
          add-issue-labels: 'outdated'
          process-only: 'issues, prs'
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -15,7 +15,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out
        uses: actions/checkout@v5
        uses: actions/checkout@v6
      - name: Run yamllint
        uses: frenck/action-yamllint@v1.5.0
  ansible-lint:
@@ -23,10 +23,10 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out
        uses: actions/checkout@v5
        uses: actions/checkout@v6

      - name: Run ansible-lint
        uses: ansible/ansible-lint@v25.9.2
        uses: ansible/ansible-lint@v26.1.1
        with:
          args: "roles/custom"
          setup_python: "true"
@@ -37,6 +37,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v5
        uses: actions/checkout@v6
      - name: Run pre-commit
        uses: pre-commit/action@v3.0.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,59 @@
 # 2026-02-04

 ## baibot now supports OpenAI's built-in tools (Web Search and Code Interpreter)

 **TLDR**: if you're using the [OpenAI provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#openai) with [baibot](docs/configuring-playbook-bot-baibot.md), you can now enable [built-in tools](https://github.com/etkecc/baibot/blob/61d18b2/docs/features.md#%EF%B8%8F-built-in-tools-openai-only) (`web_search` and `code_interpreter`) to extend the model's capabilities.

 These tools are **disabled by default** and can be enabled via Ansible variables for static agent configurations:

 ```yaml
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: true
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: true
 ```

 Users who define agents dynamically at runtime will need to [update their agents](https://github.com/etkecc/baibot/blob/61d18b2/docs/agents.md#updating-agents) to enable these tools. See the [baibot v1.14.0 changelog](https://github.com/etkecc/baibot/blob/61d18b2/CHANGELOG.md) for details.

 ## Whoami-based sync worker routing for improved sticky sessions for Synapse

 Deployments using [Synapse workers](./docs/configuring-playbook-synapse.md#load-balancing-with-workers) now benefit from improved sync worker routing via a new whoami-based mechanism (making use of the [whoami Matrix Client-Server API](https://spec.matrix.org/v1.17/client-server-api/#get_matrixclientv3accountwhoami)).

 Previously, sticky routing for sync workers relied on parsing usernames from access tokens, which only worked with native Synapse tokens (`syt_<base64 username>_...`). This approach failed for [Matrix Authentication Service](docs/configuring-playbook-matrix-authentication-service.md) (MAS) deployments, where tokens are opaque and don't contain username information. This resulted in device-level stickiness (same token → same worker) rather than user-level stickiness (same user → same worker regardless of device), leading to suboptimal cache utilization on sync workers.

 The new implementation calls Synapse's `/whoami` endpoint to resolve access tokens to usernames, enabling proper user-level sticky routing regardless of the authentication system in use (native Synapse auth, MAS, etc.). Results are cached to minimize overhead.

 This change:
 - **Automatically enables** when sync workers are configured (no action required)
 - **Works universally** with any authentication system
 - **Replaces the old implementation** entirely to keep the codebase simple
 - **Adds minimal overhead** (one cached internal subrequest per sync request) for non-MAS deployments

 For debugging, you can enable verbose logging and/or response headers showing routing decisions:

 ```yaml
 # Logs cache hits/misses and routing decisions to the container's stderr
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: true

 # Adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers to sync responses
 matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: true
 ```


 # 2025-12-09

 ## Traefik Cert Dumper upgrade

 The variable `traefik_certs_dumper_ssl_dir_path` was renamed to `traefik_certs_dumper_ssl_path`. Users who use [their own webserver with Traefik](docs/configuring-playbook-own-webserver.md) may need to adjust their configuration.

 The variable `traefik_certs_dumper_dumped_certificates_dir_path` was renamed to `traefik_certs_dumper_dumped_certificates_path`. Users who use [SRV Server Delegation](docs/howto-srv-server-delegation.md) may need to adjust their configuration.

 # 2025-11-23

 ## Matrix.to support

 The playbook now supports [Matrix.to](https://github.com/matrix-org/matrix.to) — a simple URL redirection service which powers [matrix.to](https://matrix.to).

 To learn more, see our [Setting up Matrix.to](docs/configuring-playbook-matrixto.md) documentation page.

 # 2025-11-09

 ## matrix-appservice-webhooks has been removed from the playbook
@@ -6,6 +62,20 @@

 The playbook will let you know if you're using any `matrix_appservice_webhooks_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the bridge manually](./docs/configuring-playbook-bridge-appservice-webhooks.md#uninstalling-the-bridge-manually).

 ## mautrix-facebook and mautrix-instagram have been removed from the playbook

 [mautrix-facebook](./docs/configuring-playbook-bridge-mautrix-facebook.md) and [mautrix-instagram](./docs/configuring-playbook-bridge-mautrix-instagram.md) have been removed from the playbook, as they have been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge, integrated to the playbook at [2024-02-19](#2024-02-19).

 The playbook will let you know if you're using any variables for those bridges:

 - `matrix_mautrix_facebook_*`
 - `matrix_mautrix_instagram_*`

 You'll need to remove them from `vars.yml` and potentially uninstall them manually. Consult pages below for details:

 - [Instruction for mautrix-facebook](./docs/configuring-playbook-bridge-mautrix-facebook.md#uninstalling-the-bridge-manually)
 - [Instruction for mautrix-instagram](./docs/configuring-playbook-bridge-mautrix-instagram.md#uninstalling-the-bridge-manually)

 # 2025-11-08

 ## MatrixZulipBridge support
--- a/README.md
+++ b/README.md
@@ -178,6 +178,7 @@ Various services that don't fit any other categories.
 | [synapse_auto_accept_invite](https://github.com/matrix-org/synapse-auto-accept-invite) | ❌ | Synapse module to automatically accept invites | [Link](docs/configuring-playbook-synapse-auto-accept-invite.md) |
 | [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | ❌ | Cli tool that automatically compresses `state_groups` database table in background | [Link](docs/configuring-playbook-synapse-auto-compressor.md) |
 | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | ❌ | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) |
 | [Matrix.to](https://github.com/matrix-org/matrix.to) | ❌ | Simple URL redirection service for the Matrix ecosystem | [Link](docs/configuring-playbook-matrixto.md) |
 | [Etherpad](https://etherpad.org) | ❌ | Open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) |
 | [Jitsi](https://jitsi.org/) | ❌ | Open source video-conferencing platform | [Link](docs/configuring-playbook-jitsi.md) |
 | [Cactus Comments](https://cactus.chat) | ❌ | Federated comment system built on Matrix | [Link](docs/configuring-playbook-cactus-comments.md) |
--- a/docs/configuring-playbook-bot-baibot.md
+++ b/docs/configuring-playbook-bot-baibot.md
@@ -243,6 +243,12 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: "YOUR_

 # If you'd like to use another text-generation agent, uncomment and adjust:
 # matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4.1

 # Uncomment below to enable OpenAI's built-in tools.
 # These tools are disabled by default. Enabling them may incur additional costs.
 # See: https://github.com/etkecc/baibot/blob/61d18b2/docs/features.md#%EF%B8%8F-built-in-tools-openai-only
 # matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: true
 # matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: true
 ```

 Because this is a [statically](https://github.com/etkecc/baibot/blob/main/docs/configuration/README.md#static-configuration)-defined agent, it will be given a `static/` ID prefix and will be named `static/openai`.
--- a/docs/configuring-playbook-bridge-mautrix-bridges.md
+++ b/docs/configuring-playbook-bridge-mautrix-bridges.md
@@ -24,7 +24,7 @@ To enable the bridge, add the following configuration to your `inventory/host_va
 matrix_mautrix_SERVICENAME_enabled: true
 ```

 **Note**: for bridging to Meta's Messenger or Instagram, you would need to add `meta` with an underscore symbol (`_`) or hyphen (`-`) based on the context as prefix to each `SERVICENAME`; add `_` to variables (as in `matrix_mautrix_meta_messenger_configuration_extension_yaml` for example) and `-` to paths of the configuration files (as in `roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2`), respectively. **`matrix_mautrix_facebook_*` and `matrix_mautrix_instagram_*` variables belong to the deprecated components and do not control the new bridge** ([mautrix-meta](https://github.com/mautrix/meta)), which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md).
 **Note**: for bridging to Meta's Messenger or Instagram, you would need to add `meta` with an underscore symbol (`_`) or hyphen (`-`) based on the context as prefix to each `SERVICENAME`; add `_` to variables (as in `matrix_mautrix_meta_messenger_configuration_extension_yaml` for example) and `-` to paths of the configuration files (as in `roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2`), respectively.

 There are some additional things you may wish to configure about the bridge before you continue. Each bridge may have additional requirements besides `_enabled: true`. For example, the mautrix-telegram bridge (our documentation page about it is [here](configuring-playbook-bridge-mautrix-telegram.md)) requires the `matrix_mautrix_telegram_api_id` and `matrix_mautrix_telegram_api_hash` variables to be defined. Refer to each bridge's individual documentation page for details about enabling bridges.

--- a/docs/configuring-playbook-bridge-mautrix-facebook.md
+++ b/docs/configuring-playbook-bridge-mautrix-facebook.md
@@ -1,100 +1,32 @@
 <!--
 SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2019 Eduardo Beltrame
 SPDX-FileCopyrightText: 2019 Hugues Morisset
 SPDX-FileCopyrightText: 2020 Tulir Asokan
 SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2021 Aaron Raimist
 SPDX-FileCopyrightText: 2022 Dennis Ciba
 SPDX-FileCopyrightText: 2022 László Várady
 SPDX-FileCopyrightText: 2024 Suguru Hirahara
 SPDX-FileCopyrightText: 2022 Vladimir Panteleev
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara

 SPDX-License-Identifier: AGPL-3.0-or-later
 -->

 # Setting up Mautrix Facebook bridging (optional, deprecated)
 # Setting up Mautrix Facebook bridging (optional, removed)

 <sup>Refer the common guide for configuring mautrix bridges: [Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md)</sup>
 🪦 The playbook used to be able to install and configure [mautrix-facebook](https://github.com/mautrix/facebook), but no longer includes this component, as it has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge.

 **Note**: This bridge has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge, which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). Consider using that bridge instead of this one.
 The mautrix-meta bridge can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md).

 The playbook can install and configure [mautrix-facebook](https://github.com/mautrix/facebook) for you.
 ## Uninstalling the bridge manually

 See the project's [documentation](https://github.com/mautrix/facebook/blob/master/README.md) to learn what it does and why it might be useful to you.
 If you still have the bridge installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:

 ## Prerequisite (optional)

 ### Enable Shared Secret Auth

 If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.

 See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting.

 **Note**: double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future.

 ## Adjusting the playbook configuration

 To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:

 ```yaml
 matrix_mautrix_facebook_enabled: true
 ```

 ### Extending the configuration

 There are some additional things you may wish to configure about the bridge.

 See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc.

 ## Installing

 After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:

 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```

 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`

 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.

 ## Usage
 systemctl disable --now matrix-mautrix-facebook.service

 To use the bridge, you need to start a chat with `@facebookbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).
 rm -rf /matrix/mautrix-facebook

 You then need to send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account.

 If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.

 ## Troubleshooting

 As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-facebook`.

 ### Increase logging verbosity

 The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:

 ```yaml
 matrix_mautrix_facebook_logging_level: DEBUG
 ```

 ### Facebook rejecting login attempts and forcing you to change password

 If your Matrix server is in a wildly different location than where you usually use your Facebook account from, the bridge's login attempts may be outright rejected by Facebook. Along with that, Facebook may even force you to change the account's password.

 If you happen to run into this problem while [setting up bridging](#usage), try to first get a successful session up by logging in to Facebook through the Matrix server's IP address.

 The easiest way to do this may be to use [sshuttle](https://sshuttle.readthedocs.io/) to proxy your traffic through the Matrix server.

 Example command for proxying your traffic through the Matrix server:

 ```sh
 sshuttle -r root@matrix.example.com:22 0/0
 /matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_facebook;'
 ```

 Once connected, you should be able to verify that you're browsing the web through the Matrix server's IP by checking [icanhazip](https://icanhazip.com/).

 Then proceed to log in to [Facebook/Messenger](https://www.facebook.com/).

 Once logged in, proceed to [set up bridging](#usage).

 If that doesn't work, enable 2FA (see: [Facebook help page on enabling 2FA](https://www.facebook.com/help/148233965247823)) and try to login again with a new password, and entering the 2FA code when prompted, it may take more then one try, in between attempts, check facebook.com to see if they are requiring another password change
--- a/docs/configuring-playbook-bridge-mautrix-instagram.md
+++ b/docs/configuring-playbook-bridge-mautrix-instagram.md
@@ -1,63 +1,33 @@
 <!--
 SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2019 Eduardo Beltrame
 SPDX-FileCopyrightText: 2019 Hugues Morisset
 SPDX-FileCopyrightText: 2020 Tulir Asokan
 SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2021 Aaron Raimist
 SPDX-FileCopyrightText: 2021 Marcus Proest
 SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2022 Dennis Ciba
 SPDX-FileCopyrightText: 2022 László Várady
 SPDX-FileCopyrightText: 2022 Vladimir Panteleev
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara

 SPDX-License-Identifier: AGPL-3.0-or-later
 -->

 # Setting up Mautrix Instagram bridging (optional, deprecated)
 # Setting up Mautrix Instagram bridging (optional, removed)

 <sup>Refer the common guide for configuring mautrix bridges: [Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md)</sup>
 🪦 The playbook used to be able to install and configure [mautrix-instagram](https://github.com/mautrix/instagram), but no longer includes this component, as it has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge.

 **Note**: This bridge has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge, which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-instagram.md). Consider using that bridge instead of this one.
 The mautrix-meta bridge can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md).

 The playbook can install and configure [mautrix-instagram](https://github.com/mautrix/instagram) for you.
 ## Uninstalling the bridge manually

 See the project's [documentation](https://github.com/mautrix/instagram/blob/master/README.md) to learn what it does and why it might be useful to you.
 If you still have the bridge installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server:

 ## Adjusting the playbook configuration

 To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:

 ```yaml
 matrix_mautrix_instagram_enabled: true
 ```

 ### Extending the configuration

 There are some additional things you may wish to configure about the bridge.

 See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc.

 ## Installing

 After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below:

 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```

 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`

 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.

 ## Usage

 To use the bridge, you need to start a chat with `@instagrambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain).

 You then need to send `login YOUR_INSTAGRAM_EMAIL_ADDRESS YOUR_INSTAGRAM_PASSWORD` to the bridge bot to enable bridging for your instagram/Messenger account.

 ## Troubleshooting

 As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-instagram`.

 ### Increase logging verbosity
 systemctl disable --now matrix-mautrix-instagram.service

 The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook:
 rm -rf /matrix/mautrix-instagram

 ```yaml
 matrix_mautrix_instagram_logging_level: DEBUG
 /matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_instagram;'
 ```
--- a/docs/configuring-playbook-client-fluffychat-web.md
+++ b/docs/configuring-playbook-client-fluffychat-web.md
@@ -13,7 +13,7 @@ FluffyChat Web is a cute cross-platform (web, iOS, Android) messenger for Matrix

 💡 **Note**: the latest version of FluffyChat Web is also available on the web, hosted by 3rd parties. If you trust giving your credentials to the following 3rd party Single Page Application, you can consider using it from there:

 - [fluffychat.im](https://fluffychat.im/web), hosted by the [FluffyChat](https://fluffychat.im/) developers
 - [fluffychat.im](https://fluffychat.im/web), hosted by the [FluffyChat](https://fluffy.chat/) developers

 ## Adjusting DNS records

--- a/docs/configuring-playbook-matrix-authentication-service.md
+++ b/docs/configuring-playbook-matrix-authentication-service.md
@@ -57,6 +57,10 @@ This section details what you can expect when switching to the Matrix Authentica

  - [Reminder bot](configuring-playbook-bot-matrix-reminder-bot.md) seems to be losing some of its state on each restart and may reschedule old reminders once again

  - [Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first time around, but it consistently fails after restarting:

    > cannot initialize matrix bot error="olm account is marked as shared, keys seem to have disappeared from the server"

 - ❌ **Encrypted appservices** do not work yet (related to [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) and [PR 17705 for Synapse](https://github.com/element-hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will fail to start (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3658) for Hookshot). You can use these bridges/bots only if you **keep end-to-bridge encryption disabled** (which is the default setting).

 - ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
--- a/docs/configuring-playbook-matrixto.md
+++ b/docs/configuring-playbook-matrixto.md
@@ -0,0 +1,68 @@
 <!--
 SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara

 SPDX-License-Identifier: AGPL-3.0-or-later
 -->

 # Setting up Matrix.to (optional)

 The playbook can install and configure the [Matrix.to](https://github.com/matrix-org/matrix.to) URL redirection service for you.

 See the project's [documentation](https://github.com/matrix-org/matrix.to/blob/main/README.md) to learn what it does and why it might be useful to you.

 ## Adjusting DNS records

 By default, this playbook installs Matrix.to on the `mt.` subdomain (`mt.example.com`) and requires you to create a CNAME record for `mt`, which targets `matrix.example.com`.

 When setting, replace `example.com` with your own.

 ## Adjusting the playbook configuration

 To enable Matrix.to, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:

 ```yaml
 matrix_matrixto_enabled: true
 ```

 ### Adjusting the Matrix.to URL (optional)

 By tweaking the `matrix_matrixto_hostname` variable, you can easily make the service available at a **different hostname** than the default one.

 Example additional configuration for your `vars.yml` file:

 ```yaml
 # Change the default hostname
 matrix_matrixto_hostname: t.example.com
 ```

 After changing the domain, **you may need to adjust your DNS** records to point the Matrix.to domain to the Matrix server.

 ### Extending the configuration

 There are some additional things you may wish to configure about the server.

 Take a look at:

 - `roles/custom/matrix-matrixto/defaults/main.yml` for some variables that you can customize via your `vars.yml` file

 ## Installing

 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:

 <!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
 ```sh
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```

 The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`

 `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.

 ## Usage

 Refer to the project's [documentation](https://github.com/matrix-org/matrix.to/blob/main/README.md) for available parameters, etc.

 ## Troubleshooting

 As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-matrixto`.
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -51,7 +51,7 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
 # Adjust to point to your Traefik container
 matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container

 traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
 traefik_certs_dumper_ssl_path: "/path/to/your/traefiks/acme.json/directory"

 # Uncomment and adjust the variable below if the name of your federation entrypoint is different
 # than the default value (matrix-federation).
--- a/docs/configuring-playbook-turn.md
+++ b/docs/configuring-playbook-turn.md
@@ -49,6 +49,23 @@ Regardless of the selected authentication method, the playbook generates secrets

 If [Jitsi](configuring-playbook-jitsi.md) is installed, note that switching to `lt-cred-mech` will disable the integration between Jitsi and your coturn server, as Jitsi seems to support the `auth-secret` authentication method only.

 ### Customize the Coturn hostname (optional)

 By default, Coturn uses the same hostname as your Matrix homeserver (the value of `matrix_server_fqn_matrix`, which is typically `matrix.example.com`).

 If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:

 ```yaml
 matrix_coturn_hostname: turn.example.com
 ```

 The playbook will automatically:
 - Configure Coturn to use this hostname
 - Obtain an SSL certificate for the custom domain via Traefik
 - Update all TURN URIs to point to the custom domain

 **Note**: Make sure the custom hostname resolves to your server's IP address via DNS before running the playbook.

 ### Use your own external coturn server (optional)

 If you'd like to use another TURN server (be it coturn or some other one), add the following configuration to your `vars.yml` file. Make sure to replace `HOSTNAME_OR_IP` with your own.
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@@ -247,6 +247,8 @@ Various services that don't fit any other categories.

 - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced)

 - [Setting up Matrix.to](configuring-playbook-matrixto.md)

 - [Setting up Etherpad](configuring-playbook-etherpad.md)

 - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md)
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -440,6 +440,19 @@ To prevent double-logging, Docker logging is disabled by explicitly passing `--l

 See [this section](maintenance-and-troubleshooting.md#how-to-see-the-logs) on the page for maintenance and troubleshooting for more details to see the logs.

 ### The server fails to start due to the `Unable to start service matrix-coturn.service` error. Why and how to solve it?

 The error is most likely because Traefik cannot obtain SSL certificates due to certain reasons such as wrong domain name configuration or port 80 being unavailable due to other services.

 If Traefik fails to obtain an SSL certificate for domain names such as `matrix.`, Traefik Certs Dumper cannot extract the SSL certificate out of there, and coturn cannot be started and the error occurs. Refer to these comments for details:

 - <https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3957#issuecomment-2599590441>
 - <https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4570#issuecomment-3364111466>

 If you are not sure what the problem is, at first make sure that you have set the "base domain" (`example.com`, **not `matrix.example.com`**) to `matrix_domain`. You should be able to find it at the top of your `vars.yml`.

 If it is correctly specified, look Traefik's logs (`journalctl -fu matrix-traefik.service`) for errors by Let's Encrypt for troubleshooting.

 ## Miscellaneous

 ### I would like to see this favorite service of mine integrated and become available on my Matrix server. How can I request it?
--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@@ -112,12 +112,12 @@ matrix_coturn_container_additional_volumes: |
    (
      [
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
@@ -173,12 +173,12 @@ matrix_coturn_container_additional_volumes: |
    (
      [
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
--- a/docs/registering-users.md
+++ b/docs/registering-users.md
@@ -161,6 +161,6 @@ You can then proceed to run the query above.

 ### Adding/Removing Administrator privileges to an existing user in Matrix Authentication Service

 Promoting/demoting a user in Matrix Authentication Service cannot currently (2024-10-19) be done via the [`mas-cli` Management tool](./configuring-playbook-matrix-authentication-service.md#management).
 Promoting/demoting a user in Matrix Authentication Service can be done using the [`mas-cli`](./configuring-playbook-matrix-authentication-service.md#management) management tool's [`manage promote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-promote-admin) and [`manage demote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-demote-admin) commands. For example: `/matrix/matrix-authentication-service/bin/mas-cli manage promote-admin some.username`.

 You can do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint.
 You can also do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint.
--- a/docs/self-building.md
+++ b/docs/self-building.md
@@ -40,7 +40,6 @@ Possibly outdated list of roles where self-building the Docker image is currentl
 - `matrix-bridge-appservice-irc`
 - `matrix-bridge-appservice-slack`
 - `matrix-bridge-beeper-linkedin`
 - `matrix-bridge-mautrix-facebook`
 - `matrix-bridge-mautrix-googlechat`
 - `matrix-bridge-mautrix-telegram`
 - `matrix-bridge-mautrix-signal`
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -122,12 +122,8 @@ matrix_homeserver_container_extra_arguments_auto: |
    +
    (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mautrix_signal_config_path + '/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro'] if matrix_mautrix_signal_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mautrix_meta_messenger_config_path + '/registration.yaml,dst=/matrix-mautrix-meta-messenger-registration.yaml,ro'] if matrix_mautrix_meta_messenger_enabled else [])
@@ -187,12 +183,8 @@ matrix_homeserver_app_service_config_files_auto: |
    +
    (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else [])
    +
    (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else [])
    +
    (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else [])
    +
    (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else [])
    +
    (['/matrix-mautrix-signal-registration.yaml'] if matrix_mautrix_signal_enabled else [])
    +
    (['/matrix-mautrix-meta-messenger-registration.yaml'] if matrix_mautrix_meta_messenger_enabled else [])
@@ -318,12 +310,8 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-mautrix-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-slack']}] if matrix_mautrix_slack_enabled else [])
    +
    ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-facebook']}] if matrix_mautrix_facebook_enabled else [])
    +
    ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-googlechat']}] if matrix_mautrix_googlechat_enabled else [])
    +
    ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else [])
    +
    ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else [])
    +
    ([{'name': (matrix_mautrix_meta_messenger_identifier + '.service'), 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-meta', 'mautrix-meta-messenger']}] if matrix_mautrix_meta_messenger_enabled else [])
@@ -372,6 +360,8 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
    +
    ([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
    +
    ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
    +
    ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else [])
@@ -848,6 +838,8 @@ matrix_appservice_irc_container_additional_networks_auto: |-
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if (postgres_enabled and matrix_appservice_irc_database_hostname == postgres_connection_hostname and matrix_appservice_irc_container_network != postgres_container_network) else [])
      +
      [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []
    ) | unique
  }}

@@ -865,6 +857,13 @@ matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if pos
 matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}"
 matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}"

 matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"  # noqa var-naming

 matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"  # noqa var-naming

 ######################################################################
 #
 # /matrix-bridge-appservice-irc
@@ -1078,7 +1077,7 @@ matrix_mautrix_discord_container_additional_networks_auto: |-
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname else [])
      ([postgres_container_network] if postgres_enabled and matrix_mautrix_discord_database_hostname == postgres_connection_hostname else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_discord_container_labels_traefik_enabled) else [])
    ) | unique
@@ -1194,85 +1193,6 @@ matrix_mautrix_slack_public_media_signing_key: "{{ '%s' | format(matrix_homeserv
 #
 ######################################################################


 ######################################################################
 #
 # matrix-bridge-mautrix-facebook
 #
 ######################################################################

 # We don't enable bridges by default.
 matrix_mautrix_facebook_enabled: false

 matrix_mautrix_facebook_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
    +
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else [])
  }}

 matrix_mautrix_facebook_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_facebook_docker_image_registry_prefix_upstream_default }}"

 matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"

 matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}"

 matrix_mautrix_facebook_container_network: "{{ matrix_addons_container_network }}"

 matrix_mautrix_facebook_container_additional_networks_auto: |-
  {{
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname and matrix_mautrix_facebook_container_network != postgres_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_facebook_container_labels_traefik_enabled) else [])
    ) | unique
  }}

 matrix_mautrix_facebook_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_mautrix_facebook_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_mautrix_facebook_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_mautrix_facebook_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"

 matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"

 matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token', rounds=655555) | to_uuid }}"

 matrix_mautrix_facebook_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"

 matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}"

 matrix_mautrix_facebook_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}"

 matrix_mautrix_facebook_appservice_public_enabled: true
 matrix_mautrix_facebook_appservice_public_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_mautrix_facebook_appservice_public_prefix: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}"

 matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 matrix_mautrix_facebook_bridge_presence: "{{ (matrix_synapse_presence_enabled if matrix_synapse_enabled else true) if matrix_homeserver_implementation == 'synapse' else true }}"

 matrix_mautrix_facebook_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"

 matrix_mautrix_facebook_metrics_proxying_enabled: "{{ matrix_mautrix_facebook_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_mautrix_facebook_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_facebook_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-facebook"

 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_facebook_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_facebook_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid }}"

 ######################################################################
 #
 # /matrix-bridge-mautrix-facebook
 #
 ######################################################################


 ######################################################################
 #
 # matrix-bridge-mautrix-googlechat
@@ -1351,76 +1271,6 @@ matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver
 #
 ######################################################################



 ######################################################################
 #
 # matrix-bridge-mautrix-instagram
 #
 ######################################################################

 # We don't enable bridges by default.
 matrix_mautrix_instagram_enabled: false

 matrix_mautrix_instagram_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
    +
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_instagram_database_hostname == postgres_connection_hostname) else [])
  }}

 matrix_mautrix_instagram_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_instagram_docker_image_registry_prefix_upstream_default }}"

 matrix_mautrix_instagram_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"

 matrix_mautrix_instagram_container_network: "{{ matrix_addons_container_network }}"

 matrix_mautrix_instagram_container_additional_networks_auto: |-
  {{
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if (postgres_enabled and matrix_mautrix_instagram_database_hostname == postgres_connection_hostname and matrix_mautrix_instagram_container_network != postgres_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_instagram_container_labels_traefik_enabled else [])
    ) | unique
  }}

 matrix_mautrix_instagram_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_mautrix_instagram_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_mautrix_instagram_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_mautrix_instagram_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"

 matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"

 matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token', rounds=655555) | to_uuid }}"

 matrix_mautrix_instagram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}"
 matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token', rounds=655555) | to_uuid }}"

 matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 matrix_mautrix_instagram_bridge_presence: "{{ (matrix_synapse_presence_enabled if matrix_synapse_enabled else true) if matrix_homeserver_implementation == 'synapse' else true }}"

 matrix_mautrix_instagram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"

 matrix_mautrix_instagram_metrics_proxying_enabled: "{{ matrix_mautrix_instagram_metrics_enabled and matrix_metrics_exposure_enabled }}"
 matrix_mautrix_instagram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
 matrix_mautrix_instagram_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-instagram"

 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_instagram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}"
 matrix_mautrix_instagram_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
 matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db', rounds=655555) | to_uuid }}"

 ######################################################################
 #
 # /matrix-bridge-mautrix-instagram
 #
 ######################################################################

 ######################################################################
 #
 # matrix-bridge-mautrix-signal
@@ -1830,7 +1680,7 @@ matrix_mautrix_gmessages_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
    +
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else [])
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_gmessages_database_hostname == postgres_connection_hostname) else [])
  }}

 matrix_mautrix_gmessages_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_gmessages_docker_image_registry_prefix_upstream_default }}"
@@ -2086,8 +1936,6 @@ matrix_sms_bridge_enabled: false
 matrix_sms_bridge_systemd_required_services_list_auto: |
  {{
    matrix_addons_homeserver_systemd_services_list
    +
    ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else [])
  }}

 matrix_sms_bridge_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_sms_bridge_docker_image_registry_prefix_upstream_default }}"
@@ -2398,8 +2246,8 @@ matrix_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['a
 matrix_postmoogle_ssl_path: |-
  {{
    {
      'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
      'other-traefik-container': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
      'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
      'other-traefik-container': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
      'none': '',
    }[matrix_playbook_reverse_proxy_type]
  }}
@@ -3235,6 +3083,38 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
 #
 ######################################################################

 ######################################################################
 #
 # matrix-matrixto
 #
 ######################################################################

 # We don't enable matrixto by default.
 matrix_matrixto_enabled: false

 matrix_matrixto_base_path: "{{ matrix_base_data_path }}/matrixto"

 # The container image is not provided at https://github.com/matrix-org/matrix.to
 matrix_matrixto_container_image_self_build: true

 matrix_matrixto_hostname: "{{ matrix_server_fqn_matrixto }}"

 matrix_matrixto_container_network: matrix-matrixto

 matrix_matrixto_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"

 matrix_matrixto_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5000') if matrix_playbook_service_host_bind_interface_prefix else '' }}"

 matrix_matrixto_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_matrixto_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_matrixto_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_matrixto_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"

 ######################################################################
 #
 # /matrix-matrixto
 #
 ######################################################################

 ######################################################################
 #
@@ -3276,6 +3156,8 @@ matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ traefik_certReso

 matrix_coturn_enabled: true

 matrix_coturn_hostname: "{{ matrix_server_fqn_matrix }}"

 matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_coturn_docker_image_registry_prefix_upstream_default }}"

 matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
@@ -3315,12 +3197,12 @@ matrix_coturn_container_additional_volumes: |
    (
      [
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + matrix_server_fqn_matrix + '/certificate.crt'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_coturn_hostname + '/certificate.crt'),
         'dst': '/certificate.crt',
         'options': 'ro',
       },
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + matrix_server_fqn_matrix + '/privatekey.key'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_coturn_hostname + '/privatekey.key'),
         'dst': '/privatekey.key',
         'options': 'ro',
       },
@@ -3330,7 +3212,7 @@ matrix_coturn_container_additional_volumes: |

 matrix_coturn_systemd_required_services_list_auto: |
  {{
    ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
    ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
  }}

 ######################################################################
@@ -3770,6 +3652,8 @@ matrix_media_repo_container_additional_networks: |
      ([postgres_container_network] if (postgres_enabled and matrix_media_repo_database_hostname == postgres_connection_hostname and postgres_container_network != matrix_media_repo_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_media_repo_container_labels_traefik_enabled) else [])
      +
      ([valkey_container_network] if valkey_enabled and matrix_media_repo_redis_enabled else [])
    ) | unique
  }}

@@ -3835,6 +3719,21 @@ matrix_media_repo_homeservers_auto:

 matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federation_enabled }}"

 matrix_media_repo_redis_enabled: "{{ valkey_enabled }}"

 # Use next redis index since Synapse is on 0. You can chose between index 0 and 15.
 matrix_media_repo_redis_database_number: 1

 matrix_media_repo_redis_shards: |
  {{
    ([{
          'name': 'valkey',
          'addr': (valkey_identifier + ':' + valkey_container_tcp_port | string),
    }])
    if valkey_enabled and matrix_media_repo_redis_enabled
    else []
  }}

 ######################################################################
 #
 # /matrix-media-repo
@@ -4014,24 +3913,12 @@ postgres_managed_databases_auto: |
      'password': matrix_mautrix_bluesky_database_password,
    }] if (matrix_mautrix_bluesky_enabled and matrix_mautrix_bluesky_database_engine == 'postgres' and matrix_mautrix_bluesky_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_mautrix_facebook_database_name,
      'username': matrix_mautrix_facebook_database_username,
      'password': matrix_mautrix_facebook_database_password,
    }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_mautrix_googlechat_database_name,
      'username': matrix_mautrix_googlechat_database_username,
      'password': matrix_mautrix_googlechat_database_password,
    }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_mautrix_instagram_database_name,
      'username': matrix_mautrix_instagram_database_username,
      'password': matrix_mautrix_instagram_database_password,
    }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_mautrix_signal_database_name,
      'username': matrix_mautrix_signal_database_username,
@@ -4825,6 +4712,9 @@ matrix_synapse_admin_enabled: false

 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"

 matrix_synapse_admin_container_uid: "{{ matrix_user_uid }}"
 matrix_synapse_admin_container_gid: "{{ matrix_user_gid }}"

 matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}"

 matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
@@ -4924,11 +4814,6 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
      '^@discord_[0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_discord_enabled else [])
    +
    ([
      '^@'+(matrix_mautrix_facebook_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@facebook_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_facebook_enabled else [])
    +
    ([
      '^@'+(matrix_mautrix_gmessages_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@gmessages_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
@@ -4939,11 +4824,6 @@ matrix_synapse_admin_config_asManagedUsers_auto: |
      '^@googlechat_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_googlechat_enabled else [])
    +
    ([
      '^@'+(matrix_mautrix_instagram_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@instagram_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
    ] if matrix_mautrix_instagram_enabled else [])
    +
    ([
      '^@'+(matrix_mautrix_meta_instagram_appservice_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$',
      '^@'+(matrix_mautrix_meta_instagram_bridge_username_prefix | default('') | regex_escape)+'[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$',
@@ -5401,7 +5281,7 @@ matrix_registration_container_additional_networks_auto: |-
    (
      ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
      +
      ([postgres_container_network] if (postgres_enabled and matrix_registration_database_hostname == postgres_connection_hostname and matrix_mautrix_facebook_container_network != postgres_container_network) else [])
      ([postgres_container_network] if (postgres_enabled and matrix_registration_database_hostname == postgres_connection_hostname and matrix_registration_container_network != postgres_container_network) else [])
      +
      ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_registration_container_labels_traefik_enabled) else [])
    ) | unique
@@ -5930,6 +5810,11 @@ traefik_systemd_required_services_list: |
    ([container_socket_proxy_identifier + '.service'] if container_socket_proxy_enabled else [])
  }}

 traefik_additional_domains_to_obtain_certificates_for_auto: |
  {{
    ([matrix_coturn_hostname] if (matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_coturn_hostname != matrix_server_fqn_matrix) else [])
  }}

 ########################################################################
 #                                                                      #
 # /traefik                                                             #
@@ -5952,7 +5837,7 @@ traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumpe
 traefik_certs_dumper_uid: "{{ matrix_user_uid }}"
 traefik_certs_dumper_gid: "{{ matrix_user_gid }}"

 traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
 traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"

 traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"

@@ -6061,12 +5946,12 @@ livekit_server_container_additional_volumes_auto: |
    (
      [
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
         'dst': livekit_server_config_turn_cert_file,
         'options': 'ro',
       },
       {
         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
         'dst': livekit_server_config_turn_key_file,
         'options': 'ro',
       },
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -1,9 +1,9 @@
 alabaster==1.0.0
 babel==2.17.0
 certifi==2025.10.5
 babel==2.18.0
 certifi==2026.1.4
 charset-normalizer==3.4.4
 click==8.3.0
 docutils==0.22.3
 click==8.3.1
 docutils==0.22.4
 idna==3.11
 imagesize==1.4.1
 Jinja2==3.1.6
@@ -12,16 +12,16 @@ markdown-it-py==4.0.0
 MarkupSafe==3.0.3
 mdit-py-plugins==0.5.0
 mdurl==0.1.2
 myst-parser==4.0.1
 packaging==25.0
 myst-parser==5.0.0
 packaging==26.0
 Pygments==2.19.2
 PyYAML==6.0.3
 requests==2.32.5
 setuptools==80.9.0
 setuptools==80.10.2
 snowballstemmer==3.0.1
 Sphinx==8.2.3
 Sphinx==9.1.0
 sphinx-intl==2.3.2
 sphinx-markdown-builder==0.6.8
 sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
 urllib3==2.5.0
 urllib3==2.6.3
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,61 +1,61 @@
 ---

 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-5
  version: v1.0.0-6
  name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
  version: v1.4.2-2.0.11-0
  version: v1.4.3-2.1.1-0
  name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
  version: v0.4.1-2
  version: v0.4.2-1
  name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
  version: 7.8.0
  version: 8.0.0
  name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
  version: 129c8590e106b83e6f4c259649a613c6279e937a
  version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
  name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
  version: v2.5.2-1
  version: v2.6.1-0
  name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
  version: v4.98.1-r0-2-2
  name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
  version: v11.6.5-4
  version: v11.6.5-6
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
  version: v10590-0
  version: v10741-0
  name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
  version: v1.9.3-0
  version: v1.9.11-0
  name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
  version: v2.14.0-3
  version: v2.16.0-1
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: 7663e3114513e56f28d3ed762059b445c678a71a
  version: 8630e4f1749bcb659c412820f754473f09055052
  name: playbook_help
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
  version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
  name: playbook_runtime_messages
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
  version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
  name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
  version: v18.0-1
  version: v18.1-3
  name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
  version: v18-0
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
  version: v3.7.3-1
  version: v3.9.1-0
  name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
  version: v1.9.1-12
  version: v1.9.1-13
  name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
  version: v0.18.1-1
  version: v0.19.0-0
  name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.4.1-0
@@ -64,14 +64,14 @@
  version: v1.0.0-4
  name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.1.0-0
  version: v1.1.0-1
  name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
  version: v3.5.4-1
  version: v3.6.7-1
  name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
  version: v2.10.0-2
  version: v2.10.0-4
  name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
  version: v9-0
  version: v9.0.2-0
  name: valkey
--- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml
+++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml
@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true

 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
 matrix_alertmanager_receiver_version: 2025.11.5
 matrix_alertmanager_receiver_version: 2026.2.4

 matrix_alertmanager_receiver_scheme: https

--- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml
@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true

 # renovate: datasource=docker depName=gnuxie/draupnir
 matrix_appservice_draupnir_for_all_version: "v2.7.1"
 matrix_appservice_draupnir_for_all_version: "v2.9.0"

 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
--- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
+++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml
@@ -13,7 +13,7 @@
  with_items:
    - "matrix_appservice_draupnir_for_all_config_adminRoom"
    - "matrix_bot_draupnir_container_network"
  when: "vars[item] == '' or vars[item] is none"
  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"

 - name: (Deprecation) Catch and report renamed matrix-appservice-draupnir-for-all settings
  ansible.builtin.fail:
--- a/roles/custom/matrix-authentication-service/defaults/main.yml
+++ b/roles/custom/matrix-authentication-service/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"

 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
 matrix_authentication_service_version: 1.5.0
 matrix_authentication_service_version: 1.10.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
--- a/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml
+++ b/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml
@@ -19,7 +19,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and vars[item.name] | string | length == 0"
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_authentication_service_syn2mas_synapse_homeserver_config_path', when: true}

--- a/roles/custom/matrix-authentication-service/tasks/validate_config.yml
+++ b/roles/custom/matrix-authentication-service/tasks/validate_config.yml
@@ -9,7 +9,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and vars[item.name] | string | length == 0"
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_authentication_service_hostname', when: true}
    - {'name': 'matrix_authentication_service_config_database_username', when: true}
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -148,6 +148,9 @@ matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
 # This is where you access rageshake.
 matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"

 # This is where you access Matrix.to.
 matrix_server_fqn_matrixto: "mt.{{ matrix_domain }}"

 matrix_federation_public_port: 8448

 # The name of the Traefik entrypoint for handling Matrix Federation
@@ -264,7 +267,7 @@ matrix_metrics_exposure_http_basic_auth_users: ''
 #     - nevertheless, the playbook expects that you would install Traefik yourself via other means
 #     - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
 #     - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
 #     - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_dir_path`)
 #     - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_path`)
 #
 # - `none`
 #     - no reverse-proxy will be installed
@@ -382,7 +385,8 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matri
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}

--- a/roles/custom/matrix-base/tasks/validate_config.yml
+++ b/roles/custom/matrix-base/tasks/validate_config.yml
@@ -36,6 +36,11 @@
    - {'old': 'matrix_container_global_registry_prefix', 'new': '<no global variable anymore; you need to override the `_registry_prefix` variable in each component separately>'}
    - {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
    - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
    - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
    - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
    - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
    - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}


 # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
 - name: Fail if matrix_homeserver_generic_secret_key is undefined
@@ -100,15 +105,3 @@
      To clean up your server from mx-puppet-skype's presence, see this changelog entry: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#mx-puppet-skype-removal.
      If you still need bridging to Skype, consider switching to the go-skype bridge instead. See `docs/configuring-playbook-bridge-go-skype-bridge.md`.
  when: "lookup('ansible.builtin.varnames', '^matrix_mx_puppet_skype_enabled$', wantlist=True) | length > 0"

 - name: Fail if mautrix-instagram and mautrix-meta-instagram are in conflict
  ansible.builtin.fail:
    msg: >-
      Your configuration enables both the old mautrix-instagram bridge and the new mautrix-meta-instagram bridge.
      By default, both bridges are configured to use the same bridge bot username (`@{{ matrix_mautrix_meta_instagram_appservice_username }}:{{ matrix_domain }}`) which is a conflict.
      We recommend that you disable at least one of the bridges (preferably the old mautrix-instagram bridge), or to resolve the conflict in another way.
      To resolve the conflict without disabling a bridge, consider adjusting one of `matrix_mautrix_instagram_appservice_bot_username` or `matrix_mautrix_meta_instagram_appservice_username` - they both have a value of {{ matrix_mautrix_meta_instagram_appservice_username }} right now.
  when:
    - matrix_mautrix_instagram_enabled | bool
    - matrix_mautrix_meta_instagram_enabled | bool
    - matrix_mautrix_instagram_appservice_bot_username == matrix_mautrix_meta_instagram_appservice_username
--- a/roles/custom/matrix-bot-baibot/defaults/main.yml
+++ b/roles/custom/matrix-bot-baibot/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"

 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
 matrix_bot_baibot_version: v1.8.1
 matrix_bot_baibot_version: v1.14.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -70,6 +70,23 @@ matrix_bot_baibot_config_user_password: ''
 # Also see: `matrix_bot_baibot_config_user_mxid_localpart`
 matrix_bot_baibot_config_user_name: baibot

 # Controls the `user.avatar` configuration setting.
 #
 # An optional path to an image file to be used as a custom avatar image.
 # This path should be an in-container path (e.g., `/data/avatar.png`).
 # Any type of content type is supported, but stick to common image formats (PNG, JPG, ..) for better compatibility with various Matrix clients.
 #
 # To use a custom avatar:
 # - Use the auxiliary role (`aux_` variables) to upload your avatar file to the server (e.g. to {{ matrix_bot_baibot_data_path }}/avatar.png on the host),
 #   or do it any other way (without Ansible) you prefer
 # - Set this variable to something like `/data/avatar.png` (the in-container path)
 #
 # Possible values:
 # - null or empty string: use the default baibot avatar
 # - "keep": don't touch the avatar, keep whatever is already set (useful if you manage the avatar via other means)
 # - any other value: path to a custom avatar image file (must be an in-container path like `/data/avatar.png`)
 matrix_bot_baibot_config_user_avatar: null

 # Controls the `user.encryption.recovery_passphrase` configuration setting.
 #
 # An optional passphrase to use for backing up and recovering the bot's encryption keys.
@@ -204,8 +221,8 @@ matrix_bot_baibot_config_agents_static_definitions_anthropic_config_base_url: ht
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_api_key: ""

 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.anthropic.com/docs/models
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_model_id: claude-3-7-sonnet-20250219
 # For valid model choices, see: https://docs.claude.com/en/docs/about-claude/models/overview
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_model_id: claude-sonnet-4-5-20250929
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
@@ -368,7 +385,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""

 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.2
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
@@ -378,6 +395,11 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_response_tokens: ~
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_completion_tokens: 128000
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_context_tokens: 400000
 # Built-in tools configuration (OpenAI only).
 # These tools extend the model's capabilities but are disabled by default following upstream defaults.
 # See: https://github.com/etkecc/baibot/blob/main/docs/features.md#%EF%B8%8F-built-in-tools-openai-only
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: false
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: false

 matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_enabled: true
 matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_model_id: whisper-1
@@ -389,7 +411,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_response_format: opus

 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_enabled: true
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1.5
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_style: null
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_size: null
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_quality: null
--- a/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
@@ -21,6 +21,12 @@ user:
  # Leave empty to use the default (baibot).
  name: {{ matrix_bot_baibot_config_user_name | to_json }}

  # An optional path to an image file to be used as a custom avatar image.
  # - null or empty string: use the default avatar
  # - "keep": don't touch the avatar, keep whatever is already set
  # - any other value: path to a custom avatar image file
  avatar: {{ matrix_bot_baibot_config_user_avatar | to_json }}

  encryption:
    # An optional passphrase to use for backing up and recovering the bot's encryption keys.
    # You can use any string here.
--- a/roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2
+++ b/roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2
@@ -15,6 +15,9 @@ text_generation:
  max_completion_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_completion_tokens | int | to_json }}
  {% endif %}
  max_context_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_context_tokens | int | to_json }}
  tools:
    web_search: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search | to_json }}
    code_interpreter: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter | to_json }}
 {% endif %}

 {% if matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_enabled %}
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true

 # renovate: datasource=docker depName=gnuxie/draupnir
 matrix_bot_draupnir_version: "v2.7.1"
 matrix_bot_draupnir_version: "v2.9.0"

 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -101,7 +101,7 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 # Controls if we activate the config block for Pantalaimon for now. Its name will
 # probably be changed for our usecase due to Draupnir's push to scrub Pantalaimon from the codebase.
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
 matrix_bot_draupnir_login_native: ""
 matrix_bot_draupnir_login_native: false

 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!
--- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml
@@ -44,7 +44,7 @@
    - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
    - {'name': 'matrix_bot_draupnir_pantalaimon_username', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

 - name: Fail if Draupnir room hijacking enabled without enabling the Synapse Admin API
  ansible.builtin.fail:
@@ -57,7 +57,7 @@
  with_items:
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

 - name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use
  ansible.builtin.fail:
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml
@@ -10,7 +10,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_bot_matrix_registration_bot_bot_password"
    - "matrix_bot_matrix_registration_bot_api_base_url"
--- a/roles/custom/matrix-bot-maubot/defaults/main.yml
+++ b/roles/custom/matrix-bot-maubot/defaults/main.yml
@@ -30,7 +30,7 @@ matrix_bot_maubot_docker_repo: "https://mau.dev/maubot/maubot.git"
 matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/maubot/maubot
 matrix_bot_maubot_version: v0.5.2
 matrix_bot_maubot_version: v0.6.0
 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_registry_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
 matrix_bot_maubot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else matrix_bot_maubot_docker_image_registry_prefix_upstream }}"
 matrix_bot_maubot_docker_image_registry_prefix_upstream: "{{ matrix_bot_maubot_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml
@@ -18,14 +18,14 @@
    - {'name': 'matrix_bot_mjolnir_raw_homeserver_url', when: true}
    - {'name': 'matrix_bot_mjolnir_pantalaimon_username', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
    - {'name': 'matrix_bot_mjolnir_pantalaimon_password', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

 - name: Fail if inappropriate variables are defined
  ansible.builtin.fail:
    msg: "The `{{ item.name }}` variable must be undefined or have a null value."
  with_items:
    - {'name': 'matrix_bot_mjolnir_access_token', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"

 - name: (Deprecation) Catch and report renamed Mjolnir settings
  ansible.builtin.fail:
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@@ -8,7 +8,7 @@
 # SPDX-FileCopyrightText: 2019 Lyubomir Popov
 # SPDX-FileCopyrightText: 2019 Sylvia van Os
 # SPDX-FileCopyrightText: 2020 John Goerzen
 # SPDX-FileCopyrightText: 2021 - 2023 Thom Wiggers
 # SPDX-FileCopyrightText: 2021 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2021 Ahmad Haghighi
 # SPDX-FileCopyrightText: 2021 Joseph Walton-Rivers
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -33,7 +33,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
 matrix_appservice_irc_version: 1.0.1
 matrix_appservice_irc_version: 4.0.0
 matrix_appservice_irc_docker_image: "{{ matrix_appservice_irc_docker_image_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_appservice_irc_docker_image_registry_prefix_upstream }}"
 matrix_appservice_irc_docker_image_registry_prefix_upstream: "{{ matrix_appservice_irc_docker_image_registry_prefix_upstream_default }}"
@@ -46,8 +46,15 @@ matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config
 matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data"

 matrix_appservice_irc_homeserver_url: ""
 matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}'
 matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}'

 # ircService.mediaProxy configuration for serving publicly accessible URLs to authenticated Matrix media
 matrix_appservice_irc_ircService_mediaProxy_bindPort: 11111  # noqa var-naming
 matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: https  # noqa var-naming
 matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname: '{{ matrix_server_fqn_matrix }}'  # noqa var-naming
 matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix: '/irc/'  # noqa var-naming
 matrix_appservice_irc_ircService_mediaProxy_publicUrl: "{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme }}://{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}"  # noqa var-naming

 matrix_appservice_irc_homeserver_enablePresence: true  # noqa var-naming
 matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999'

@@ -89,20 +96,25 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # It is also used in the Third Party Lookup API as the instance `desc`
 #     # property, where each server is an instance.
 #     name: "ExampleNet"

 #     # Additional addresses to connect to, used for load balancing between IRCDs.
 #     additionalAddresses: [ "irc2.example.com" ]
 #     # Typically additionalAddresses would be in addition to the address key given above,
 #     # but some configurations wish to exclusively use additional addresses while reserving
 #     # the top key for identification purposes. Set this to true to exclusively use the
 #     # additionalAddresses array when connecting to servers.
 #     onlyAdditionalAddresses: false
 #     #
 #     # [DEPRECATED] Use `name`, above, instead.
 #     # A human-readable description string
 #     # description: "Example.com IRC network"

 #
 #     # An ID for uniquely identifying this server amongst other servers being bridged.
 #     # networkId: "example"

 #     # URL to an icon used as the network icon whenever this network appear in
 #     # a network list. (Like in the Riot room directory, for instance.)
 #     # icon: https://example.com/images/hash.png

 #
 #     # MXC URL to an icon used as the network icon whenever this network appear in
 #     # a network list. (Like in the Element room directory, for instance.)
 #     # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf
 #
 #     # The port to connect to. Optional.
 #     port: 6697
 #     # Whether to use SSL or not. Default: false.
@@ -115,19 +127,26 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # Whether to allow expired certs when connecting to the IRC server.
 #     # Usually this should be off. Default: false.
 #     allowExpiredCerts: false
 #     # A specific CA to trust instead of the default CAs. Optional.
 #     #ca: |
 #     #  -----BEGIN CERTIFICATE-----
 #     #  …
 #     #  -----END CERTIFICATE-----

 #
 #     # Set additional TLS options for the connections to the IRC server.
 #     #tlsOptions:
 #       # A specific CA to trust instead of the default CAs. Optional.
 #       #ca: |
 #       #  -----BEGIN CERTIFICATE-----
 #       #  ...
 #       #  -----END CERTIFICATE-----
 #       # Server name for the SNI (Server Name Indication) TLS extension. If the address you
 #       # are using does not report the correct certificate name, you can override it here.
 #       # servername: real.server.name
 #       # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback
 #
 #     #
 #     # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
 #     # password: 'pa$$w0rd'
 #     #
 #     # Whether or not to send connection/error notices to real Matrix users. Default: true.
 #     sendConnectionMessages: true

 #
 #     quitDebounce:
 #       # Whether parts due to net-splits are debounced for delayMs, to allow
 #       # time for the netsplit to resolve itself. A netsplit is detected as being
@@ -147,13 +166,13 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       delayMinMs: 3600000 # 1h
 #       # Default: 7200000, = 2h
 #       delayMaxMs: 7200000 # 2h

 #
 #     # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
 #     # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
 #     # been given multiple modes, the one that maps to the highest power level will be used.
 #     modePowerMap:
 #       o: 50

 #       v: 1
 #     botConfig:
 #       # Enable the presence of the bot in IRC channels. The bot serves as the entity
 #       # which maps from IRC -> Matrix. You can disable the bot entirely which
@@ -176,6 +195,8 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       enabled: true
 #       # The nickname to give the AS bot.
 #       nick: "MatrixBot"
 #       # The username to give to the AS bot. Defaults to "matrixbot"
 #       username: "matrixbot"
 #       # The password to give to NickServ or IRC Server for this nick. Optional.
 #       # password: "helloworld"
 #       #
@@ -184,7 +205,7 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # real Matrix users in them, even if there is a mapping for the channel.
 #       # Default: true
 #       joinChannelsIfNoUsers: true

 #
 #     # Configuration for PMs / private 1:1 communications between users.
 #     privateMessages:
 #       # Enable the ability for PMs to be sent to/from IRC/Matrix.
@@ -193,12 +214,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent Matrix users from sending PMs to the following IRC nicks.
 #       # Optional. Default: [].
 #       # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED

 #
 #       # Should created Matrix PM rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Optional. Default: true.
 #       federate: true

 #
 #     # Configuration for mappings not explicitly listed in the 'mappings'
 #     # section.
 #     dynamicChannels:
@@ -212,27 +233,34 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Should the AS publish the new Matrix room to the public room list so
 #       # anyone can see it? Default: true.
 #       published: true
 #       # Publish the rooms to the homeserver directory, as oppose to the appservice
 #       # room directory. Only used if `published` is on.
 #       # Default: false
 #       useHomeserverDirectory: true
 #       # What should the join_rule be for the new Matrix room? If 'public',
 #       # anyone can join the room. If 'invite', only users with an invite can
 #       # join the room. Note that if an IRC channel has +k or +i set on it,
 #       # join_rules will be set to 'invite' until these modes are removed.
 #       # Default: "public".
 #       joinRule: public
 #       # This will set the m.room.related_groups state event in newly created rooms
 #       # with the given groupId. This means flares will show up on IRC users in those rooms.
 #       # This should be set to the same thing as namespaces.users.group_id in irc_registration.
 #       # This does not alter existing rooms.
 #       # Leaving this option empty will not set the event.
 #       groupId: +myircnetwork:localhost
 #       # Should created Matrix rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Default: true.
 #       federate: true
 #       # Force this room version when creating IRC channels. Beware if the homeserver doesn't
 #       # support the room version then the request will fail. By default, no version is requested.
 #       # roomVersion: "1"
 #       # The room alias template to apply when creating new aliases. This only
 #       # applies if createAlias is 'true'. The following variables are exposed:
 #       # $SERVER => The IRC server address (e.g. "irc.example.com")
 #       # $CHANNEL => The IRC channel (e.g. "#python")
 #       # This MUST have $CHANNEL somewhere in it.
 #       #
 #       # In certain circumstances you might want to bridge your whole IRC network as a
 #       # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
 #       # template to just be $CHANNEL. Doing so will preclude you from supporting
 #       # other prefix characters though.
 #       #
 #       # Default: '#irc_$SERVER_$CHANNEL'
 #       aliasTemplate: "#irc_$CHANNEL"
 #       # A list of user IDs which the AS bot will send invites to in response
@@ -244,7 +272,11 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent the given list of channels from being mapped under any
 #       # circumstances.
 #       # exclude: ["#foo", "#bar"]

 #
 #     # excludedUsers:
 #     #   - regex: "@.*:evilcorp.com"
 #     #     kickReason: "We don't like Evilcorp"
 #
 #     # Configuration for controlling how Matrix and IRC membership lists are
 #     # synced.
 #     membershipLists:
@@ -253,12 +285,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # synced. This must be enabled for anything else in this section to take
 #       # effect. Default: false.
 #       enabled: false

 #
 #       # Syncing membership lists at startup can result in hundreds of members to
 #       # process all at once. This timer drip feeds membership entries at the
 #       # specified rate. Default: 10000. (10s)
 #       floodDelayMs: 10000

 #
 #       global:
 #         ircToMatrix:
 #           # Get a snapshot of all real IRC users on a channel (via NAMES) and
@@ -267,7 +299,14 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # Make virtual Matrix clients join and leave rooms as their real IRC
 #           # counterparts join/part channels. Default: false.
 #           incremental: false

 #           # Should the bridge check if all Matrix users are connected to IRC and
 #           # joined to the channel before relaying messages into the room.
 #           #
 #           # This is considered a safety net to avoid any leakages by the bridge to
 #           # unconnected users, but given it ignores all IRC messages while users
 #           # are still connecting it may be overkill.
 #           requireMatrixJoined: false
 #
 #         matrixToIrc:
 #           # Get a snapshot of all real Matrix users in the room and join all of
 #           # them to the mapped IRC channel on startup. Default: false.
@@ -276,21 +315,32 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # counterparts join/leave rooms. Make sure your 'maxClients' value is
 #           # high enough! Default: false.
 #           incremental: false

 #
 #       # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
 #       rooms:
 #         - room: "!qporfwt:localhost"
 #           matrixToIrc:
 #             initial: false
 #             incremental: false

 #
 #       # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
 #       channels:
 #         - channel: "#foo"
 #           ircToMatrix:
 #             initial: false
 #             incremental: false

 #             requireMatrixJoined: false
 #
 #       # Should the bridge ignore users which are not considered active on the bridge
 #       # during startup
 #       ignoreIdleUsersOnStartup:
 #         enabled: true
 #         # How many hours can a user be considered idle for before they are considered
 #         # ignoreable
 #         idleForHours: 720
 #         # A regex which will exclude matching MXIDs from this check.
 #         exclude: "foobar"
 #
 #     mappings:
 #       # 1:many mappings from IRC channels to room IDs on this IRC server.
 #       # The Matrix room must already exist. Your Matrix client should expose
@@ -300,27 +350,27 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # Channel key/password to use. Optional. If provided, Matrix users do
 #         # not need to know the channel key in order to join the channel.
 #         # key: "secret"

 #
 #     # Configuration for virtual Matrix users. The following variables are
 #     # exposed:
 #     # $NICK => The IRC nick
 #     # $SERVER => The IRC server address (e.g. "irc.example.com")
 #     matrixClients:
 #       # The user ID template to use when creating virtual Matrix users. This
 #       # MUST have $NICK somewhere in it.
 #       # MUST start with an @ and have $NICK somewhere in it.
 #       # Optional. Default: "@$SERVER_$NICK".
 #       # Example: "@irc.example.com_Alice:example.com"
 #       userTemplate: "@irc_$NICK"
 #       # The display name to use for created Matrix clients. This should have
 #       # $NICK somewhere in it if it is specified. Can also use $SERVER to
 #       # insert the IRC domain.
 #       # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
 #       displayName: "$NICK (IRC)"
 #       # Optional. Default: "$NICK". Example: "Alice"
 #       displayName: "$NICK"
 #       # Number of tries a client can attempt to join a room before the request
 #       # is discarded. You can also use -1 to never retry or 0 to never give up.
 #       # Optional. Default: -1
 #       joinAttempts: -1

 #
 #     # Configuration for virtual IRC users. The following variables are exposed:
 #     # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
 #     # $USERID => The user ID
@@ -349,9 +399,20 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # connected user. If not specified, all users will connect from the same
 #         # (default) address. This may require additional OS-specific work to allow
 #         # for the node process to bind to multiple different source addresses
 #         # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
 #         # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1
 #         # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library
 #         # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
 #         # prefix: "2001:0db8:85a3::"  # modify appropriately
 #
 #         # Optional. Define blocks of IPv6 addresses for different homeservers
 #         # which can be used to restrict users of those homeservers to a given
 #         # IP. These blocks should be considered immutable once set, as changing
 #         # the startFrom value will NOT adjust existing IP addresses.
 #         # Changing the startFrom value to a lower value may conflict with existing clients.
 #         # Multiple homeservers may NOT share blocks.
 #         blocks:
 #           - homeserver: another-server.org
 #             startFrom: '10:0000'
 #       #
 #       # The maximum amount of time in seconds that the client can exist
 #       # without sending another message before being disconnected. Use 0 to
@@ -388,12 +449,36 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # through the bridge e.g. caller ID as there is no way to /ACCEPT.
 #       # Default: "" (no user modes)
 #       # userModes: "R"

 # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
 #       # The format of the realname defined for users, either mxid or reverse-mxid
 #       realnameFormat: "mxid"
 #       # The minimum time to wait between connection attempts if we were disconnected
 #       # due to throttling.
 #       # pingTimeoutMs: 600000
 #       # The rate at which to send pings to the IRCd if the client is being quiet for a while.
 #       # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears
 #       # that sometimes they don't get around to it and end up ping timing us out.
 #       # pingRateMs: 60000
 #       # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from
 #       # defaults should be taken with care as it may dishonestly represent Matrix users on the IRC
 #       # network, and cause your bridge to be banned.
 #       kickOn:
 #         # Kick a Matrix user from a bridged room if they fail to join the IRC channel.
 #         channelJoinFailure: true
 #         # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC.
 #         ircConnectionFailure: true
 #         # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network.
 #         userQuit: true

 # Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
 matrix_appservice_irc_container_http_host_bind_port: ''

 # Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port.
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:11111"), or empty string to not expose.
 matrix_appservice_irc_container_media_proxy_host_bind_port: ''

 matrix_appservice_irc_container_network: ""

 matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}"
@@ -403,6 +488,26 @@ matrix_appservice_irc_container_additional_networks_custom: []
 # A list of extra arguments to pass to the container
 matrix_appservice_irc_container_extra_arguments: []

 # matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`.
 matrix_appservice_irc_container_labels_traefik_enabled: true
 matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_appservice_irc_container_network }}"
 matrix_appservice_irc_container_labels_traefik_entrypoints: web-secure
 matrix_appservice_irc_container_labels_traefik_tls_certResolver: default  # noqa var-naming

 # Controls whether Traefik labels for the media proxy will be applied
 matrix_appservice_irc_container_labels_media_proxy_enabled: true
 # Derived from publicUrl_pathPrefix, stripping any trailing slash (unless it's just "/")
 matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix: "{{ '/' if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix == '/' else matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix.rstrip('/') }}"
 matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}`) && PathPrefix(`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`)"
 matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000
 matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}"
 matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}"
 matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ matrix_appservice_irc_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

 # matrix-appservice-irc container additional labels
 matrix_appservice_irc_container_labels_additional_labels: ''

 # List of systemd services that matrix-appservice-irc.service depends on.
 matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}"
 matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
 # SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2019 - 2026 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2019 Dan Arnfield
 # SPDX-FileCopyrightText: 2020 Chris van Dijk
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -121,6 +122,14 @@
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"

 - name: Ensure Matrix Appservice IRC labels file installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/labels.j2"
    dest: "{{ matrix_appservice_irc_base_path }}/labels"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"

 - name: Generate Appservice IRC passkey if it doesn't exist
  ansible.builtin.shell:
    cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
@@ -128,6 +137,41 @@
  become: true
  become_user: "{{ matrix_user_name }}"

 - name: Check if an authenticated media signing key exists
  ansible.builtin.stat:
    path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
  register: matrix_appservice_irc_stat_auth_media_key

 - when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
  block:
    - name: Generate IRC appservice signing key for authenticated media
      community.docker.docker_container:
        name: "create-auth-media-jwk-key"
        image: "{{ matrix_appservice_irc_docker_image }}"
        cleanup: true
        network_mode: none
        entrypoint: "/usr/local/bin/node"
        command: >
          -e "const webcrypto = require('node:crypto');
          async function main() {
              const key = await webcrypto.subtle.generateKey({
                  name: 'HMAC',
                  hash: 'SHA-512',
              }, true, ['sign', 'verify']);
              console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
          }
          main().then(() => process.exit(0)).catch(err => { throw err });"
        detach: false
      register: matrix_appservice_irc_jwk_result

    - name: Write auth media signing key to file
      ansible.builtin.copy:
        content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
        dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
        mode: "0644"
        owner: "{{ matrix_user_name }}"
        group: "{{ matrix_group_name }}"

 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
 - name: (Migration) Ensure Appservice IRC passkey permissions are okay
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml
@@ -44,3 +44,27 @@
    - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}
    - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'}
    - {'old': 'matrix_appservice_irc_docker_image_name_prefix', 'new': 'matrix_appservice_irc_docker_image_registry_prefix'}
    - {'old': 'matrix_appservice_irc_homeserver_media_url', 'new': '<removed; media proxying now uses matrix_appservice_irc_ircService_mediaProxy_publicUrl>'}

 - name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not start with a slash
  ansible.builtin.fail:
    msg: >-
      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must start with a slash (e.g. `/` or `/irc/`).
  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[0] != '/'"

 - name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not end with a slash
  ansible.builtin.fail:
    msg: >-
      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must end with a slash (e.g. `/` or `/irc/`).
  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[-1] != '/'"

 - when: matrix_appservice_irc_container_labels_traefik_enabled | bool
  block:
    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
    # Knowing that the path_prefix does not end with a slash ensures we know how to set these routes up
    # without having to do "does it end with a slash" checks elsewhere.
    - name: Fail if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix ends with a slash
      ansible.builtin.fail:
        msg: >-
          matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix (`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/irc`).
      when: "matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' and matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix[-1] == '/'"
--- a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2
@@ -1,14 +1,13 @@
 #jinja2: lstrip_blocks: True
 #
 # Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml
 #
 # Configuration specific to AS registration. Unless other marked, all fields
 # are *REQUIRED*.
 # Unless otherwise specified, these keys CANNOT be hot-reloaded.
 homeserver:
  # The URL to the home server for client-server API calls, also used to form the
  # media URLs as displayed in bridged IRC channels:
  url: {{ matrix_appservice_irc_homeserver_url }}
  #
  # The URL of the homeserver hosting media files. This is only used to transform
  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
  # default, this is the homeserver URL, specified above.
  #
  media_url: {{ matrix_appservice_irc_homeserver_media_url }}
  # The URL to the home server for client-server API calls
  url: "{{ matrix_appservice_irc_homeserver_url }}"

  # Drop Matrix messages which are older than this number of seconds, according to
  # the event's origin_server_ts.
@@ -20,18 +19,29 @@ homeserver:
  # clock times and hence produce different origin_server_ts values, which may be old
  # enough to cause *all* events from the homeserver to be dropped.
  # Default: 0 (don't ever drop)
  # This key CAN be hot-reloaded.
  # dropMatrixMessagesAfterSecs: 300 # 5 minutes

  # The 'domain' part for user IDs on this home server. Usually (but not always)
  # is the "domain name" part of the HS URL.
  domain: {{ matrix_appservice_irc_homeserver_domain }}
  domain: "{{ matrix_appservice_irc_homeserver_domain }}"

  # Should presence be enabled for Matrix clients on this bridge. If disabled on the
  # homeserver then it should also be disabled here to avoid excess traffic.
  # Default: true
  enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}

  # Which port should the appservice bind to. Can be overridden by the one provided in the
  # command line! Optional.
  # bindPort: 8090

  # Use this option to force the appservice to listen on another hostname for transactions.
  # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
  # bindHostname: 0.0.0.0

 # Configuration specific to the IRC service
 ircService:

  # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
  # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
  # the database.
@@ -50,11 +60,18 @@ ircService:
    # Cache this many Matrix events in memory to be used for m.relates_to messages (usually replies).
    eventCacheSize: 4096

  # All server keys can be hot-reloaded, however existing IRC connections
  # will not have changes applied to them.
  servers: {{ matrix_appservice_irc_ircService_servers|to_json }}

  # present relevant UI to the user. MSC2346
  bridgeInfoState:
    enabled: false
    initial: false
  # Configuration for an ident server. If you are running a public bridge it is
  # advised you setup an ident server so IRC mods can ban specific Matrix users
  # rather than the application service itself.
  # This key CANNOT be hot-reloaded
  ident:
    # True to listen for Ident requests and respond with the
    # Matrix user's user_id (converted to ASCII, respecting RFC 1413).
@@ -71,6 +88,10 @@ ircService:
    # Default: 0.0.0.0
    address: "::"

  # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set.
  # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings
  # encodingFallback: "ISO-8859-15"

  # Configuration for logging. Optional. Default: console debug level logging
  # only.
  logging:
@@ -87,33 +108,42 @@ ircService:
    # to rotations.
    maxFiles: 5

  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
  #   $ npm install prom-client@6.3.0
  # Metrics will then be available via GET /metrics on the bridge listening port (-p).
  # This key CANNOT be hot-reloaded
  metrics:
    # Whether to actually enable the metric endpoint. Default: false
    enabled: true
    # Which port to listen on (omit to listen on the bindPort)
    #port: 7001
    # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set
    host: 127.0.0.1
    # When determining activeness of remote and matrix users, cut off at this number of hours.
    userActivityThresholdHours: 72 # 3 days
    # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
    # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
    remoteUserAgeBuckets:
      - "1h"
      - "1d"
      - "1w"

  # Configuration for the provisioning API.
  #
  # GET /_matrix/provision/link
  # GET /_matrix/provision/unlink
  # GET /_matrix/provision/listlinks
  #
  # This key CANNOT be hot-reloaded
  provisioning:
    # True to enable the provisioning HTTP endpoint. Default: false.
    enabled: false
    # The number of seconds to wait before giving up on getting a response from
    # an IRC channel operator. If the channel operator does not respond within the
    # allotted time period, the provisioning request will fail.
    # Default: 300 seconds (5 mins)
    requestTimeoutSeconds: 300
    # Whether to enable hosting the setup widget page. Default: false.
    widget: false

  # Config for the media proxy, required to serve publicly accessible URLs to authenticated Matrix media
  mediaProxy:
    # To generate a .jwk file:
    # $ node src/generate-signing-key.js > signingkey.jwk
    signingKeyPath: "/data/auth-media.jwk"
    # How long should the generated URLs be valid for
    ttlSeconds: 604800
    # The port for the media proxy to listen on
    bindPort: {{ matrix_appservice_irc_ircService_mediaProxy_bindPort | to_json }}
    # The publicly accessible URL to the media proxy
    publicUrl: {{ matrix_appservice_irc_ircService_mediaProxy_publicUrl | to_json }}

 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.
@@ -122,13 +152,18 @@ advanced:
  # however for large bridges it is important to rate limit the bridge to avoid
  # accidentally overloading the homeserver. Defaults to 1000, which should be
  # enough for the vast majority of use cases.
  # This key CAN be hot-reloaded
  maxHttpSockets: 1000
  # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb
  # This key CANNOT be hot-reloaded.
  maxTxnSize: 10000000

 # Use an external database to store bridge state.
 # This key CANNOT be hot-reloaded.
 database:
  # database engine (must be 'postgres' or 'nedb'). Default: nedb
  engine: {{ matrix_appservice_irc_database_engine|to_json }}
  # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
  # For postgres, it must start with postgres://
  # For NeDB, it must start with nedb://. The path is relative to the project directory.
  connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }}
  connectionString: {{ matrix_appservice_irc_database_connectionString | to_json }}
--- a/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2
@@ -0,0 +1,63 @@
 {#
 SPDX-FileCopyrightText: 2025 Jade Ellis
 SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
 SPDX-FileCopyrightText: 2026 Slavi Pantaleev

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}

 {% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %}
 traefik.enable=true

 {% if matrix_appservice_irc_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }}
 {% endif %}

 traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_ircService_mediaProxy_bindPort }}

 ############################################################
 #                                                          #
 # IRC Bridge Media Proxy                                   #
 #                                                          #
 ############################################################

 {% set middlewares = [] %}

 traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }}

 {% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.regex=({{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | quote }})$
 traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.replacement=${1}/
 {% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-slashless-redirect'] %}
 {% endif %}

 {% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-appservice-irc-media-proxy-strip-prefix.stripprefix.prefixes={{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}
 {% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-strip-prefix'] %}
 {% endif %}


 {% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy
 traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }}

 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-appservice-irc-media-proxy.middlewares={{ middlewares | join(',') }}
 {% endif %}

 traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }}
 {% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %}
 traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }}
 {% endif %}

 ############################################################
 #                                                          #
 # /IRC Bridge Media Proxy                                  #
 #                                                          #
 ############################################################
 {% endif %}

 {{ matrix_appservice_irc_container_labels_additional_labels }}
--- a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% if matrix_appservice_irc_container_http_host_bind_port %}
 			-p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \
 			{% endif %}
 			{% if matrix_appservice_irc_container_media_proxy_host_bind_port %}
 			-p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_ircService_mediaProxy_bindPort }} \
 			{% endif %}
 			--mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \
 			--label-file={{ matrix_appservice_irc_base_path }}/labels \
 			{% for arg in matrix_appservice_irc_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []

 # renovate: datasource=docker depName=halfshot/matrix-hookshot
 matrix_hookshot_version: 7.2.0
 matrix_hookshot_version: 7.3.2

 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -72,8 +72,9 @@ matrix_hookshot_cache_redisUri: "{{ ('redis://' + matrix_hookshot_cache_redis_ho
 # Controls whether the end-to-bridge encryption support is enabled.
 # This requires that:
 # - support to also be enabled in the homeserver, see the documentation of Hookshot.
 # - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables.
 # - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables. Note that this is configured automatically by the playbook when encryption is enabled.
 # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
 # NOTE: Encryption is not currently (2025-12-30) supported when using MAS (https://github.com/matrix-org/matrix-hookshot/issues/1084)
 matrix_hookshot_encryption_enabled: "{{ matrix_bridges_encryption_enabled }}"

 # Controls whether metrics are enabled in the bridge configuration.
@@ -241,6 +242,18 @@ matrix_hookshot_widgets_branding_widgetTitle: "Hookshot Configuration"   # noqa
 #         level: admin
 matrix_hookshot_permissions: []

 # Static connections that can be configured by an administrator, as documented here:
 # https://matrix-org.github.io/matrix-hookshot/latest/usage/static_connections.html
 # Currently only generic webhooks are supported.
 # Example:
 # matrix_hookshot_connections:
 #   - connectionType: uk.half-shot.matrix-hookshot.generic.hook
 #     stateKey: my-unique-webhook-id
 #     roomId: "!room-id"
 #     state:
 #       name: My Static Webhook
 matrix_hookshot_connections: []

 matrix_hookshot_bot_displayname: Hookshot Bot
 matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d'

--- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
@@ -51,7 +51,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_hookshot_appservice_token"
    - "matrix_hookshot_homeserver_address"
@@ -62,7 +62,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) to enable GitHub.
  when: "matrix_hookshot_github_enabled and vars[item] == ''"
  when: "matrix_hookshot_github_enabled and lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_hookshot_github_auth_id"
    - "matrix_hookshot_github_webhook_secret"
@@ -71,7 +71,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) to enable GitHub OAuth.
  when: "matrix_hookshot_github_oauth_enabled and vars[item] == ''"
  when: "matrix_hookshot_github_oauth_enabled and lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_hookshot_github_oauth_client_id"
    - "matrix_hookshot_github_oauth_client_secret"
@@ -80,7 +80,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) to enable Jira.
  when: "matrix_hookshot_jira_enabled and vars[item] == ''"
  when: "matrix_hookshot_jira_enabled and lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_hookshot_jira_webhook_secret"

@@ -88,7 +88,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) to enable Jira OAuth.
  when: "matrix_hookshot_jira_oauth_enabled and vars[item] == ''"
  when: "matrix_hookshot_jira_oauth_enabled and lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_hookshot_jira_oauth_client_id"
    - "matrix_hookshot_jira_oauth_client_secret"
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2
@@ -137,6 +137,7 @@ widgets:
 {% if matrix_hookshot_permissions %}
 permissions: {{ matrix_hookshot_permissions | to_json }}
 {% endif %}
 connections: {{ matrix_hookshot_connections | to_json }}
 listeners:
  # (Optional) HTTP Listener configuration.
  # Bind resource endpoints to ports and addresses.
--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
@@ -1,227 +0,0 @@
 # SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2020 Horvath Gergely
 # SPDX-FileCopyrightText: 2020 Marcel Partap
 # SPDX-FileCopyrightText: 2021 - 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2021 Aaron Raimist
 # SPDX-FileCopyrightText: 2021 Arthur Brugière
 # SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
 # SPDX-FileCopyrightText: 2022 László Várady
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2023 Adrien le Maire
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---
 # mautrix-facebook is a Matrix <-> Facebook bridge
 # Project source code URL: https://github.com/mautrix/facebook

 matrix_mautrix_facebook_enabled: true

 matrix_mautrix_facebook_container_image_self_build: false
 matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/facebook
 matrix_mautrix_facebook_version: v0.5.1
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_registry_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else matrix_mautrix_facebook_docker_image_registry_prefix_upstream }}"
 matrix_mautrix_facebook_docker_image_registry_prefix_upstream: "{{ matrix_mautrix_facebook_docker_image_registry_prefix_upstream_default }}"
 matrix_mautrix_facebook_docker_image_registry_prefix_upstream_default: "dock.mau.dev/"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"

 matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook"
 matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config"
 matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data"
 matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src"

 matrix_mautrix_facebook_command_prefix: "!fb"

 matrix_mautrix_facebook_homeserver_address: ""
 # Whether asynchronous uploads via MSC2246 should be enabled for media.
 # Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246).
 matrix_mautrix_facebook_homeserver_async_media: false
 matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'

 # Whether or not the public-facing endpoints should be enabled (web-based login)
 matrix_mautrix_facebook_appservice_public_enabled: false
 # Mautrix Facebook public endpoint to log in to Facebook
 matrix_mautrix_facebook_appservice_public_prefix: ''
 matrix_mautrix_facebook_appservice_public_hostname: ''
 matrix_mautrix_facebook_appservice_public_external: "{{ ('https://' + matrix_mautrix_facebook_appservice_public_hostname + matrix_mautrix_facebook_appservice_public_prefix) if matrix_mautrix_facebook_appservice_public_enabled else '' }}"

 matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319'

 matrix_mautrix_facebook_container_network: ""

 matrix_mautrix_facebook_container_additional_networks: "{{ matrix_mautrix_facebook_container_additional_networks_auto + matrix_mautrix_facebook_container_additional_networks_custom }}"
 matrix_mautrix_facebook_container_additional_networks_auto: []
 matrix_mautrix_facebook_container_additional_networks_custom: []

 # matrix_mautrix_facebook_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 # To inject your own other container labels, see `matrix_mautrix_facebook_container_labels_additional_labels`.
 matrix_mautrix_facebook_container_labels_traefik_enabled: true
 matrix_mautrix_facebook_container_labels_traefik_docker_network: "{{ matrix_mautrix_facebook_container_network }}"
 matrix_mautrix_facebook_container_labels_traefik_entrypoints: web-secure
 matrix_mautrix_facebook_container_labels_traefik_tls_certResolver: default  # noqa var-naming

 # Controls whether labels will be added that expose mautrix-facebook's public endpoint
 matrix_mautrix_facebook_container_labels_public_endpoint_enabled: "{{ matrix_mautrix_facebook_appservice_public_enabled }}"
 matrix_mautrix_facebook_container_labels_public_endpoint_traefik_rule: "Host(`{{ matrix_mautrix_facebook_appservice_public_hostname }}`) && PathPrefix(`{{ matrix_mautrix_facebook_appservice_public_prefix }}`)"
 matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority: 0
 matrix_mautrix_facebook_container_labels_public_endpoint_traefik_entrypoints: "{{ matrix_mautrix_facebook_container_labels_traefik_entrypoints }}"
 matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls: "{{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_entrypoints != 'web' }}"
 matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls_certResolver: "{{ matrix_mautrix_facebook_container_labels_traefik_tls_certResolver }}"  # noqa var-naming

 # Controls whether labels will be added that expose mautrix-facebook's metrics
 matrix_mautrix_facebook_container_labels_metrics_enabled: "{{ matrix_mautrix_facebook_metrics_enabled and matrix_mautrix_facebook_metrics_proxying_enabled }}"
 matrix_mautrix_facebook_container_labels_metrics_traefik_rule: "Host(`{{ matrix_mautrix_facebook_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_mautrix_facebook_metrics_proxying_path_prefix }}`)"
 matrix_mautrix_facebook_container_labels_metrics_traefik_priority: 0
 matrix_mautrix_facebook_container_labels_metrics_traefik_entrypoints: "{{ matrix_mautrix_facebook_container_labels_traefik_entrypoints }}"
 matrix_mautrix_facebook_container_labels_metrics_traefik_tls: "{{ matrix_mautrix_facebook_container_labels_metrics_traefik_entrypoints != 'web' }}"
 matrix_mautrix_facebook_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_mautrix_facebook_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled: false
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users: ''

 # matrix_mautrix_facebook_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # matrix_mautrix_facebook_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 matrix_mautrix_facebook_container_labels_additional_labels: ''

 # A list of extra arguments to pass to the container
 matrix_mautrix_facebook_container_extra_arguments: []

 # List of systemd services that matrix-mautrix-facebook.service depends on.
 matrix_mautrix_facebook_systemd_required_services_list: "{{ matrix_mautrix_facebook_systemd_required_services_list_default + matrix_mautrix_facebook_systemd_required_services_list_auto + matrix_mautrix_facebook_systemd_required_services_list_custom }}"
 matrix_mautrix_facebook_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 matrix_mautrix_facebook_systemd_required_services_list_auto: []
 matrix_mautrix_facebook_systemd_required_services_list_custom: []

 # List of systemd services that matrix-mautrix-facebook.service wants
 matrix_mautrix_facebook_systemd_wanted_services_list: []

 matrix_mautrix_facebook_appservice_token: ''
 matrix_mautrix_facebook_homeserver_token: ''

 # Whether or not created rooms should have federation enabled.
 # If false, created portal rooms will never be federated.
 matrix_mautrix_facebook_federate_rooms: true

 # Whether or not metrics endpoint should be enabled.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_facebook_metrics_proxying_enabled`.
 matrix_mautrix_facebook_metrics_enabled: false

 # Controls whether metrics should be exposed on a public URL.
 matrix_mautrix_facebook_metrics_proxying_enabled: false
 matrix_mautrix_facebook_metrics_proxying_hostname: ''
 matrix_mautrix_facebook_metrics_proxying_path_prefix: ''

 matrix_mautrix_facebook_bridge_permissions: |
  {{
    {'*': 'relay', matrix_mautrix_facebook_homeserver_domain: 'user'}
    | combine({matrix_admin: 'admin'} if matrix_admin else {})
  }}

 # Controls whether the matrix-mautrix-facebook container exposes its HTTP port.
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9008"), or empty string to not expose.
 matrix_mautrix_facebook_container_http_host_bind_port: ''

 # Database-related configuration fields.
 #
 # To use SQLite:
 # - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`)
 # - change to the last bridge version that supported SQLite:
 #   `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"`
 # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future).
 #
 # To use Postgres:
 # - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables
 matrix_mautrix_facebook_database_engine: 'postgres'

 matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
 matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db"

 matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook'
 matrix_mautrix_facebook_database_password: 'some-password'
 matrix_mautrix_facebook_database_hostname: ''
 matrix_mautrix_facebook_database_port: 5432
 matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook'

 matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}'

 matrix_mautrix_facebook_appservice_database: "{{
 	{
 		'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container),
 		'postgres': matrix_mautrix_facebook_database_connection_string,
 	}[matrix_mautrix_facebook_database_engine]
 }}"


 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_facebook_login_shared_secret: ''

 matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}"

 # Enable bridge relay bot functionality
 matrix_mautrix_facebook_relay_enabled: "{{ matrix_bridges_relay_enabled }}"

 matrix_mautrix_facebook_appservice_bot_username: facebookbot

 matrix_mautrix_facebook_bridge_presence: true

 # Specifies the default log level for all bridge loggers.
 matrix_mautrix_facebook_logging_level: WARNING

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mautrix_facebook_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
  # This configuration extends the default starting configuration (`matrix_mautrix_facebook_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_mautrix_facebook_configuration_yaml`.

 matrix_mautrix_facebook_configuration_extension: "{{ matrix_mautrix_facebook_configuration_extension_yaml | from_yaml if matrix_mautrix_facebook_configuration_extension_yaml | from_yaml is mapping else {} }}"

 # Holds the final configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_facebook_configuration_yaml`.
 matrix_mautrix_facebook_configuration: "{{ matrix_mautrix_facebook_configuration_yaml | from_yaml | combine(matrix_mautrix_facebook_configuration_extension, recursive=True) }}"

 matrix_mautrix_facebook_registration_yaml: |
  id: facebook
  as_token: "{{ matrix_mautrix_facebook_appservice_token }}"
  hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}"
  namespaces:
    users:
    - exclusive: true
      regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain | regex_escape }}$'
    - exclusive: true
      regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain | regex_escape }}$'
  url: {{ matrix_mautrix_facebook_appservice_address }}
  # See https://github.com/mautrix/signal/issues/43
  sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }}
  rate_limited: false
  de.sorunome.msc2409.push_ephemeral: true
  receive_ephemeral: true

 matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}"

 # Enable End-to-bridge encryption
 matrix_mautrix_facebook_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_facebook_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
 matrix_mautrix_facebook_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml
@@ -1,27 +0,0 @@
 # SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2019 Dan Arnfield
 # SPDX-FileCopyrightText: 2019 Jason Locklin
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - tags:
    - setup-all
    - setup-mautrix-facebook
    - install-all
    - install-mautrix-facebook
  block:
    - when: matrix_mautrix_facebook_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"

    - when: matrix_mautrix_facebook_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"

 - tags:
    - setup-all
    - setup-mautrix-facebook
  block:
    - when: not matrix_mautrix_facebook_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@@ -1,159 +0,0 @@
 # SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2019 Dan Arnfield
 # SPDX-FileCopyrightText: 2020 Chris van Dijk
 # SPDX-FileCopyrightText: 2020 Horvath Gergely
 # SPDX-FileCopyrightText: 2020 MDAD project contributors
 # SPDX-FileCopyrightText: 2020 Stuart Mumford
 # SPDX-FileCopyrightText: 2021 Aaron Raimist
 # SPDX-FileCopyrightText: 2022 Jim Myhrberg
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2022 Nikita Chernyi
 # SPDX-FileCopyrightText: 2022 Sebastian Gumprich
 # SPDX-FileCopyrightText: 2024 David Mehren
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - ansible.builtin.set_fact:
    matrix_mautrix_facebook_requires_restart: false

 - when: "matrix_mautrix_facebook_database_engine == 'postgres'"
  block:
    - name: Check if an SQLite database already exists
      ansible.builtin.stat:
        path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}"
      register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result

    - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists | bool"
      block:
        - ansible.builtin.include_role:
            name: galaxy/postgres
            tasks_from: migrate_db_to_postgres
          vars:
            postgres_db_migration_request:
              src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}"
              dst: "{{ matrix_mautrix_facebook_database_connection_string }}"
              caller: "{{ role_path | basename }}"
              engine_variable_name: 'matrix_mautrix_facebook_database_engine'
              engine_old: 'sqlite'
              systemd_services_to_stop: ['matrix-mautrix-facebook.service']

        - ansible.builtin.set_fact:
            matrix_mautrix_facebook_requires_restart: true

 - name: Ensure Mautrix Facebook image is pulled
  community.docker.docker_image:
    name: "{{ matrix_mautrix_facebook_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}"
  when: not matrix_mautrix_facebook_container_image_self_build
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed

 - name: Ensure Mautrix Facebook paths exist
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - {path: "{{ matrix_mautrix_facebook_base_path }}", when: true}
    - {path: "{{ matrix_mautrix_facebook_config_path }}", when: true}
    - {path: "{{ matrix_mautrix_facebook_data_path }}", when: true}
    - {path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}"}
  when: item.when | bool

 - name: Ensure Mautrix Facebook repository is present on self-build
  ansible.builtin.git:
    repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}"
    dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
    version: "{{ matrix_mautrix_facebook_docker_image.split(':')[1] }}"
    force: "yes"
  become: true
  become_user: "{{ matrix_user_name }}"
  register: matrix_mautrix_facebook_git_pull_results
  when: "matrix_mautrix_facebook_container_image_self_build | bool"

 - name: Ensure Mautrix Facebook Docker image is built
  community.docker.docker_image:
    name: "{{ matrix_mautrix_facebook_docker_image }}"
    source: build
    force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_mautrix_facebook_docker_src_files_path }}"
      pull: true
  when: "matrix_mautrix_facebook_container_image_self_build | bool"

 - name: Check if an old database file already exists
  ansible.builtin.stat:
    path: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db"
  register: matrix_mautrix_facebook_stat_database

 - name: (Data relocation) Ensure matrix-mautrix-facebook.service is stopped
  ansible.builtin.service:
    name: matrix-mautrix-facebook
    state: stopped
    enabled: false
    daemon_reload: true
  failed_when: false
  when: "matrix_mautrix_facebook_stat_database.stat.exists"

 - name: (Data relocation) Move mautrix-facebook database file to ./data directory
  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
    creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
    removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db"
  when: "matrix_mautrix_facebook_stat_database.stat.exists"

 - name: Ensure mautrix-facebook config.yaml installed
  ansible.builtin.copy:
    content: "{{ matrix_mautrix_facebook_configuration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"

 - name: Ensure mautrix-facebook registration.yaml installed
  ansible.builtin.copy:
    content: "{{ matrix_mautrix_facebook_registration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"

 - name: Ensure mautrix-facebook support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
    dest: "{{ matrix_mautrix_facebook_base_path }}/{{ item }}"
    mode: 0640
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - labels

 - name: Ensure matrix-mautrix-facebook container network is created
  community.general.docker_network:
    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
    name: "{{ matrix_mautrix_facebook_container_network }}"
    driver: bridge
    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"

 - name: Ensure matrix-mautrix-facebook.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service"
    mode: 0644

 - name: Ensure matrix-mautrix-facebook.service restarted, if necessary
  ansible.builtin.service:
    name: "matrix-mautrix-facebook.service"
    state: restarted
    daemon_reload: true
  when: "matrix_mautrix_facebook_requires_restart | bool"
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml
@@ -1,26 +0,0 @@
 # SPDX-FileCopyrightText: 2019 - 2022 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2020 MDAD project contributors
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - name: Check existence of matrix-mautrix-facebook service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service"
  register: matrix_mautrix_facebook_service_stat

 - when: matrix_mautrix_facebook_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-mautrix-facebook is stopped
      ansible.builtin.service:
        name: matrix-mautrix-facebook
        state: stopped
        enabled: false
        daemon_reload: true

    - name: Ensure matrix-mautrix-facebook.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service"
        state: absent
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
@@ -1,47 +0,0 @@
 # SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2019 Jason Locklin
 # SPDX-FileCopyrightText: 2022 László Várady
 # SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - name: (Deprecation) Catch and report renamed mautrix-facebook settings
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_mautrix_facebook_public_endpoint', 'new': 'matrix_mautrix_facebook_appservice_public_prefix'}
    - {'old': 'matrix_mautrix_facebook_docker_image_name_prefix', 'new': 'matrix_mautrix_facebook_docker_image_registry_prefix'}

 - name: Fail if required mautrix-facebook settings not defined
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_mautrix_facebook_appservice_public_hostname', when: "{{ matrix_mautrix_facebook_appservice_public_enabled }}"}
    - {'name': 'matrix_mautrix_facebook_appservice_public_prefix', when: "{{ matrix_mautrix_facebook_appservice_public_enabled }}"}
    - {'name': 'matrix_mautrix_facebook_metrics_proxying_hostname', when: "{{ matrix_mautrix_facebook_metrics_proxying_enabled }}"}
    - {'name': 'matrix_mautrix_facebook_metrics_proxying_path_prefix', when: "{{ matrix_mautrix_facebook_metrics_proxying_enabled }}"}
    - {'name': 'matrix_mautrix_facebook_appservice_token', when: true}
    - {'name': 'matrix_mautrix_facebook_homeserver_token', when: true}
    - {'name': 'matrix_mautrix_facebook_container_network', when: true}
    - {'name': 'matrix_mautrix_facebook_homeserver_address', when: true}
    - {'name': 'matrix_mautrix_facebook_database_hostname', when: "{{ matrix_mautrix_facebook_database_engine == 'postgres' }}"}

 - when: "matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')"
  block:
    - name: Inject warning if on an old SQLite-supporting version
      ansible.builtin.set_fact:
        devture_playbook_runtime_messages_list: |
          {{
            devture_playbook_runtime_messages_list | default([])
            +
            [
              "Note: Your mautrix-facebook bridge is still on SQLite and on the last version that supported it, before support was dropped. Support has been subsequently re-added in v0.3.2, so we advise you to upgrade (by removing your `matrix_mautrix_facebook_docker_image` definition from vars.yml)"
            ]
          }}
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@@ -1,259 +0,0 @@
 #jinja2: lstrip_blocks: True
 # Homeserver details
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: {{ matrix_mautrix_facebook_homeserver_address }}
    # The domain of the homeserver (for MXIDs, etc).
    domain: {{ matrix_mautrix_facebook_homeserver_domain }}
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true
    # Whether or not the homeserver supports asmux-specific endpoints,
    # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically
    # updating m.direct.
    asmux: false
    # Whether asynchronous uploads via MSC2246 should be enabled for media.
    # Requires a media repo that supports MSC2246.
    async_media: {{ matrix_mautrix_facebook_homeserver_async_media | to_json }}

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
 appservice:
    # The address that the homeserver can use to connect to this appservice.
    address: {{ matrix_mautrix_facebook_appservice_address }}

    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
    port: 29319
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

    # The full URI to the database. Only Postgres is currently supported.
    database: {{ matrix_mautrix_facebook_appservice_database|to_json }}

    # Public part of web server for out-of-Matrix interaction with the bridge.
    public:
        # Whether or not the public-facing endpoints should be enabled.
        enabled: {{ matrix_mautrix_facebook_appservice_public_enabled|to_json }}
        # The prefix to use in the public-facing endpoints.
        prefix: {{ matrix_mautrix_facebook_appservice_public_prefix|to_json }}
        # The base URL where the public-facing endpoints are available. The prefix is not added
        # implicitly.
        external: {{ matrix_mautrix_facebook_appservice_public_external|to_json }}
        # Allow logging in within Matrix. If false, users can only log in using the web interface.
        allow_matrix_login: true
        # Segment API key to enable analytics tracking for web server endpoints. Set to null to disable.
        # Currently the only events are login start, success and fail.
        segment_key: null

    # The unique ID of this appservice.
    id: facebook
    # Username of the appservice bot.
    bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }}
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Facebook bridge bot
    bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak

    # Authentication tokens for AS <-> HS communication.
    as_token: "{{ matrix_mautrix_facebook_appservice_token }}"
    hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}"

 # Prometheus telemetry config. Requires prometheus-client to be installed.
 metrics:
    enabled: {{ matrix_mautrix_facebook_metrics_enabled | to_json }}
    listen_port: 8000

 # Bridge config
 bridge:
    # Localpart template of MXIDs for Facebook users.
    # {userid} is replaced with the user ID of the Facebook user.
    username_template: "facebook_{userid}"
    # Displayname template for Facebook users.
    # {displayname} is replaced with the display name of the Facebook user
    #               as defined below in displayname_preference.
    # Keys available for displayname_preference are also available here.
    displayname_template: '{displayname} (FB)'
    # Available keys:
    # "name" (full name)
    # "first_name"
    # "last_name"
    # "nickname"
    # "own_nickname" (user-specific!)
    displayname_preference:
    - name
    - first_name

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "{{ matrix_mautrix_facebook_command_prefix }}"

    # Number of chats to sync (and create portals for) on startup/login.
    # Set 0 to disable automatic syncing.
    initial_chat_sync: 10
    # Whether or not the Facebook users of logged in Matrix users should be
    # invited to private chats when the user sends a message from another client.
    invite_own_puppet_to_pm: false
    # Whether or not to use /sync to get presence, read receipts and typing notifications
    # when double puppeting is enabled
    sync_with_custom_puppets: true
    # Whether or not to update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
    # and is therefore prone to race conditions.
    sync_direct_chat_list: false
    # Servers to always allow double puppeting from
    double_puppet_server_map: {}
    #    example.com: https://example.com
    # Allow using double puppeting from any server with a valid client .well-known file.
    double_puppet_allow_discovery: false
    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }}
    # Should presence from Facebook be bridged? This doesn't use the same API as the Android app,
    # so it might be more suspicious to Facebook.
    presence_from_facebook: {{ matrix_mautrix_facebook_bridge_presence|to_json }}
    # Whether or not to update avatars when syncing all contacts at startup.
    update_avatar_initial_sync: true
    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
    # and login_shared_secret to be configured in order to get a device for the bridge bot.
    #
    # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: {{ matrix_mautrix_facebook_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: {{ matrix_mautrix_facebook_bridge_encryption_default|to_json }}
        # Options for automatic key sharing.
        key_sharing:
            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
            # You must use a client that supports requesting keys from other users to use this feature.
            allow_key_sharing: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }}
            # Require the requesting device to have a valid cross-signing signature?
            # This doesn't require that the bridge has verified the device, only that the user has verified it.
            # Not yet implemented.
            require_cross_signing: false
            # Require devices to be verified by the bridge?
            # Verification by the bridge is not yet implemented.
            require_verification: true
    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
    # been sent to Facebook.
    delivery_receipts: false
    # Whether to allow inviting arbitrary mxids to portal rooms
    allow_invites: false
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: {{ matrix_mautrix_facebook_federate_rooms|to_json }}
    # Settings for backfilling messages from Facebook.
    backfill:
        # Whether or not the Facebook users of logged in Matrix users should be
        # invited to private chats when backfilling history from Facebook. This is
        # usually needed to prevent rate limits and to allow timestamp massaging.
        invite_own_puppet: true
        # Maximum number of messages to backfill initially.
        # Set to 0 to disable backfilling when creating portal.
        initial_limit: 0
        # Maximum number of messages to backfill if messages were missed while
        # the bridge was disconnected.
        # Set to 0 to disable backfilling missed messages.
        missed_limit: 1000
        # If using double puppeting, should notifications be disabled
        # while the initial backfill is in progress?
        disable_notifications: false
    periodic_reconnect:
        # Interval in seconds in which to automatically reconnect all users.
        # This can be used to automatically mitigate the bug where Facebook stops sending messages.
        # Set to -1 to disable periodic reconnections entirely.
        interval: -1
        # What to do in periodic reconnects. Either "refresh" or "reconnect"
        mode: refresh
        # Should even disconnected users be reconnected?
        always: false
    # The number of seconds that a disconnection can last without triggering an automatic re-sync
    # and missed message backfilling when reconnecting.
    # Set to 0 to always re-sync, or -1 to never re-sync automatically.
    resync_max_disconnected_time: 5
    # Should the bridge do a resync on startup?
    sync_on_startup: true
    # Whether or not temporary disconnections should send notices to the notice room.
    # If this is false, disconnections will never send messages and connections will only send
    # messages if it was disconnected for more than resync_max_disconnected_time seconds.
    temporary_disconnect_notices: false
    # Whether or not the bridge should try to "refresh" the connection if a normal reconnection
    # attempt fails.
    refresh_on_reconnection_fail: false
    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
    # This field will automatically be changed back to false after it,
    # except if the config file is not writable.
    resend_bridge_info: false

    # Permissions for using the bridge.
    # Permitted values:
    #       user - Use the bridge with puppeting.
    #      admin - Use and administrate the bridge.
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_facebook_bridge_permissions|to_json }}

    relay:
        # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
        enabled: {{ matrix_mautrix_facebook_relay_enabled }}
        # The formats to use when sending messages to Messenger via a relay user.
        #
        # Available variables:
        #   $sender_displayname - The display name of the sender (e.g. Example User)
        #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. alice)
        #   $sender_mxid        - The Matrix ID of the sender (e.g. @alice:example.com)
        #   $message            - The message content
        message_formats:
            m.text: '<b>$sender_displayname</b>: $message'
            m.notice: '<b>$sender_displayname</b>: $message'
            m.emote: '* <b>$sender_displayname</b> $message'
            m.file: '<b>$sender_displayname</b> sent a file'
            m.image: '<b>$sender_displayname</b> sent an image'
            m.audio: '<b>$sender_displayname</b> sent an audio file'
            m.video: '<b>$sender_displayname</b> sent a video'
            m.location: '<b>$sender_displayname</b> sent a location'

 facebook:
    device_seed: generate
    default_region_hint: ODN
    connection_type: WIFI
    carrier: Verizon
    hni: 311390

 # Python logging configuration.
 #
 # See section 16.7.2 of the Python documentation for more info:
 # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
 logging:
    version: 1
    formatters:
        colored:
            (): mautrix_facebook.util.ColorFormatter
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
        normal:
            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
    handlers:
        console:
            class: logging.StreamHandler
            formatter: colored
    loggers:
        mau:
            level: {{ matrix_mautrix_facebook_logging_level|to_json }}
        paho:
            level: {{ matrix_mautrix_facebook_logging_level|to_json }}
        aiohttp:
            level: {{ matrix_mautrix_facebook_logging_level|to_json }}
    root:
        level: {{ matrix_mautrix_facebook_logging_level|to_json }}
        handlers: [console]
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2.license
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2.license
@@ -1,9 +0,0 @@
 SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
 SPDX-FileCopyrightText: 2019 Hugues Morisset
 SPDX-FileCopyrightText: 2020 - 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
 SPDX-FileCopyrightText: 2022 László Várady
 SPDX-FileCopyrightText: 2022 Olivér Falvai
 SPDX-FileCopyrightText: 2023 Adrien le Maire

 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2
@@ -1,82 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2024 Slavi Pantaleev

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}

 {% if matrix_mautrix_facebook_container_labels_traefik_enabled %}
 traefik.enable=true

 {% if matrix_mautrix_facebook_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_mautrix_facebook_container_labels_traefik_docker_network }}
 {% endif %}

 traefik.http.services.matrix-mautrix-facebook-appservice.loadbalancer.server.port=29319
 traefik.http.services.matrix-mautrix-facebook-metrics.loadbalancer.server.port=8000

 {% if matrix_mautrix_facebook_container_labels_public_endpoint_enabled %}
 ############################################################
 #                                                          #
 # Public                                                   #
 #                                                          #
 ############################################################

 traefik.http.routers.matrix-mautrix-facebook-public.rule={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_rule }}

 {% if matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-mautrix-facebook-public.priority={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-mautrix-facebook-public.service=matrix-mautrix-facebook-appservice
 traefik.http.routers.matrix-mautrix-facebook-public.entrypoints={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_entrypoints }}

 traefik.http.routers.matrix-mautrix-facebook-public.tls={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls | to_json }}
 {% if matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls %}
 traefik.http.routers.matrix-mautrix-facebook-public.tls.certResolver={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls_certResolver }}
 {% endif %}

 ############################################################
 #                                                          #
 # /Public                                                  #
 #                                                          #
 ############################################################
 {% endif %}


 {% if matrix_mautrix_facebook_container_labels_metrics_enabled %}
 ############################################################
 #                                                          #
 # Metrics                                                  #
 #                                                          #
 ############################################################

 {% if matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled %}
 traefik.http.middlewares.matrix-mautrix-facebook-metrics-basic-auth.basicauth.users={{ matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users }}
 traefik.http.routers.matrix-mautrix-facebook-metrics.middlewares=matrix-mautrix-facebook-metrics-basic-auth
 {% endif %}

 traefik.http.routers.matrix-mautrix-facebook-metrics.rule={{ matrix_mautrix_facebook_container_labels_metrics_traefik_rule }}

 {% if matrix_mautrix_facebook_container_labels_metrics_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-mautrix-facebook-metrics.priority={{ matrix_mautrix_facebook_container_labels_metrics_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-mautrix-facebook-metrics.service=matrix-mautrix-facebook-metrics
 traefik.http.routers.matrix-mautrix-facebook-metrics.entrypoints={{ matrix_mautrix_facebook_container_labels_metrics_traefik_entrypoints }}

 traefik.http.routers.matrix-mautrix-facebook-metrics.tls={{ matrix_mautrix_facebook_container_labels_metrics_traefik_tls | to_json }}
 {% if matrix_mautrix_facebook_container_labels_metrics_traefik_tls %}
 traefik.http.routers.matrix-mautrix-facebook-metrics.tls.certResolver={{ matrix_mautrix_facebook_container_labels_metrics_traefik_tls_certResolver }}
 {% endif %}

 ############################################################
 #                                                          #
 # /Metrics                                                 #
 #                                                          #
 ############################################################
 {% endif %}


 {% endif %}

 {{ matrix_mautrix_facebook_container_labels_additional_labels }}
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
@@ -1,51 +0,0 @@
 #jinja2: lstrip_blocks: True
 [Unit]
 Description=Matrix Mautrix Facebook bridge
 {% for service in matrix_mautrix_facebook_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_mautrix_facebook_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 DefaultDependencies=no

 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-facebook 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null || true'

 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=matrix-mautrix-facebook \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_mautrix_facebook_container_network }} \
 			{% if matrix_mautrix_facebook_appservice_public_enabled and matrix_mautrix_facebook_container_http_host_bind_port %}
 			-p {{ matrix_mautrix_facebook_container_http_host_bind_port }}:29319 \
 			{% endif %}
 			--mount type=bind,src={{ matrix_mautrix_facebook_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_mautrix_facebook_data_path }},dst=/data \
 			--label-file={{ matrix_mautrix_facebook_base_path }}/labels \
 			{% for arg in matrix_mautrix_facebook_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_facebook_docker_image }} \
 			python3 -m mautrix_facebook -c /config/config.yaml --no-update

 {% for network in matrix_mautrix_facebook_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-facebook
 {% endfor %}

 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-mautrix-facebook

 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-facebook 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-facebook

 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2.license
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2.license
@@ -1,7 +0,0 @@
 SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev
 SPDX-FileCopyrightText: 2019 Hugues Morisset
 SPDX-FileCopyrightText: 2020 Chris van Dijk
 SPDX-FileCopyrightText: 2020 Scott Crossen
 SPDX-FileCopyrightText: 2022 László Várady

 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
 matrix_mautrix_gmessages_version: v0.2510.0
 matrix_mautrix_gmessages_version: v0.2601.0

 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
@@ -1,193 +0,0 @@
 # SPDX-FileCopyrightText: 2021 - 2024 MDAD project contributors
 # SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2021 Aaron Raimist
 # SPDX-FileCopyrightText: 2021 Marcus Proest
 # SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
 # SPDX-FileCopyrightText: 2022 László Várady
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2023 Adrien le Maire
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---
 # mautrix-instagram is a Matrix <-> Instagram bridge
 # Project source code URL: https://github.com/mautrix/instagram

 matrix_mautrix_instagram_enabled: true

 matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
 matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/instagram
 matrix_mautrix_instagram_version: v0.3.1
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_registry_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else matrix_mautrix_instagram_docker_image_registry_prefix_upstream }}"
 matrix_mautrix_instagram_docker_image_registry_prefix_upstream: "{{ matrix_mautrix_instagram_docker_image_registry_prefix_upstream_default }}"
 matrix_mautrix_instagram_docker_image_registry_prefix_upstream_default: "dock.mau.dev/"
 matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}"

 matrix_mautrix_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-instagram"
 matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/config"
 matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data"
 matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src"

 matrix_mautrix_instagram_homeserver_address: ""
 matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330'

 matrix_mautrix_instagram_command_prefix: "!ig"

 matrix_mautrix_instagram_bridge_permissions: |
  {{
    {'*': 'relay', matrix_mautrix_instagram_homeserver_domain: 'user'}
    | combine({matrix_admin: 'admin'} if matrix_admin else {})
  }}

 matrix_mautrix_instagram_container_network: ""

 matrix_mautrix_instagram_container_additional_networks: "{{ matrix_mautrix_instagram_container_additional_networks_auto + matrix_mautrix_instagram_container_additional_networks_custom }}"
 matrix_mautrix_instagram_container_additional_networks_auto: []
 matrix_mautrix_instagram_container_additional_networks_custom: []

 # matrix_mautrix_instagram_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 # To inject your own other container labels, see `matrix_mautrix_instagram_container_labels_additional_labels`.
 matrix_mautrix_instagram_container_labels_traefik_enabled: true
 matrix_mautrix_instagram_container_labels_traefik_docker_network: "{{ matrix_mautrix_instagram_container_network }}"
 matrix_mautrix_instagram_container_labels_traefik_entrypoints: web-secure
 matrix_mautrix_instagram_container_labels_traefik_tls_certResolver: default  # noqa var-naming

 # Controls whether labels will be added that expose mautrix-instagram's metrics
 matrix_mautrix_instagram_container_labels_metrics_enabled: "{{ matrix_mautrix_instagram_metrics_enabled and matrix_mautrix_instagram_metrics_proxying_enabled }}"
 matrix_mautrix_instagram_container_labels_metrics_traefik_rule: "Host(`{{ matrix_mautrix_instagram_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_mautrix_instagram_metrics_proxying_path_prefix }}`)"
 matrix_mautrix_instagram_container_labels_metrics_traefik_priority: 0
 matrix_mautrix_instagram_container_labels_metrics_traefik_entrypoints: "{{ matrix_mautrix_instagram_container_labels_traefik_entrypoints }}"
 matrix_mautrix_instagram_container_labels_metrics_traefik_tls: "{{ matrix_mautrix_instagram_container_labels_metrics_traefik_entrypoints != 'web' }}"
 matrix_mautrix_instagram_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_mautrix_instagram_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled: false
 # See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
 matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users: ''

 # matrix_mautrix_instagram_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # matrix_mautrix_instagram_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 matrix_mautrix_instagram_container_labels_additional_labels: ''

 # A list of extra arguments to pass to the container
 matrix_mautrix_instagram_container_extra_arguments: []

 # List of systemd services that matrix-mautrix-instagram.service depends on.
 matrix_mautrix_instagram_systemd_required_services_list: "{{ matrix_mautrix_instagram_systemd_required_services_list_default + matrix_mautrix_instagram_systemd_required_services_list_auto + matrix_mautrix_instagram_systemd_required_services_list_custom }}"
 matrix_mautrix_instagram_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
 matrix_mautrix_instagram_systemd_required_services_list_auto: []
 matrix_mautrix_instagram_systemd_required_services_list_custom: []

 # List of systemd services that matrix-mautrix-instagram.service wants
 matrix_mautrix_instagram_systemd_wanted_services_list: []

 matrix_mautrix_instagram_appservice_token: ''
 matrix_mautrix_instagram_homeserver_token: ''

 # Whether or not created rooms should have federation enabled.
 # If false, created portal rooms will never be federated.
 matrix_mautrix_instagram_federate_rooms: true

 # Whether or not metrics endpoint should be enabled.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_instagram_metrics_proxying_enabled`.
 matrix_mautrix_instagram_metrics_enabled: false

 # Controls whether metrics should be exposed on a public URL.
 matrix_mautrix_instagram_metrics_proxying_enabled: false
 matrix_mautrix_instagram_metrics_proxying_hostname: ''
 matrix_mautrix_instagram_metrics_proxying_path_prefix: ''

 # Database-related configuration fields.
 #
 # To use Postgres:
 # - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables
 matrix_mautrix_instagram_database_engine: 'postgres'

 matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram'
 matrix_mautrix_instagram_database_password: 'some-password'
 matrix_mautrix_instagram_database_hostname: ''
 matrix_mautrix_instagram_database_port: 5432
 matrix_mautrix_instagram_database_name: 'matrix_mautrix_instagram'

 matrix_mautrix_instagram_database_connection_string: 'postgres://{{ matrix_mautrix_instagram_database_username }}:{{ matrix_mautrix_instagram_database_password }}@{{ matrix_mautrix_instagram_database_hostname }}:{{ matrix_mautrix_instagram_database_port }}/{{ matrix_mautrix_instagram_database_name }}'

 matrix_mautrix_instagram_appservice_database: "{{
 	{
 		'postgres': matrix_mautrix_instagram_database_connection_string,
 	}[matrix_mautrix_instagram_database_engine]
 }}"


 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_instagram_login_shared_secret: ''

 matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}"

 # Enable bridge relay bot functionality
 matrix_mautrix_instagram_relay_enabled: "{{ matrix_bridges_relay_enabled }}"

 matrix_mautrix_instagram_appservice_bot_username: instagrambot

 matrix_mautrix_instagram_bridge_presence: true

 # Specifies the default log level for all bridge loggers.
 matrix_mautrix_instagram_logging_level: WARNING

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_instagram_configuration_extension_yaml`)
 # or completely replace this variable with your own template.
 matrix_mautrix_instagram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_mautrix_instagram_configuration_extension_yaml: |
  # Your custom YAML configuration goes here.
  # This configuration extends the default starting configuration (`matrix_mautrix_instagram_configuration_yaml`).
  #
  # You can override individual variables from the default configuration, or introduce new ones.
  #
  # If you need something more special, you can take full control by
  # completely redefining `matrix_mautrix_instagram_configuration_yaml`.

 matrix_mautrix_instagram_configuration_extension: "{{ matrix_mautrix_instagram_configuration_extension_yaml | from_yaml if matrix_mautrix_instagram_configuration_extension_yaml | from_yaml is mapping else {} }}"

 # Holds the final configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_instagram_configuration_yaml`.
 matrix_mautrix_instagram_configuration: "{{ matrix_mautrix_instagram_configuration_yaml | from_yaml | combine(matrix_mautrix_instagram_configuration_extension, recursive=True) }}"

 matrix_mautrix_instagram_registration_yaml: |
  id: instagram
  as_token: "{{ matrix_mautrix_instagram_appservice_token }}"
  hs_token: "{{ matrix_mautrix_instagram_homeserver_token }}"
  namespaces:
    users:
    - exclusive: true
      regex: '^@instagram_.+:{{ matrix_mautrix_instagram_homeserver_domain | regex_escape }}$'
    - exclusive: true
      regex: '^@{{ matrix_mautrix_instagram_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_instagram_homeserver_domain | regex_escape }}$'
  url: {{ matrix_mautrix_instagram_appservice_address }}
  # See https://github.com/mautrix/signal/issues/43
  sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }}
  rate_limited: false
  de.sorunome.msc2409.push_ephemeral: true
  receive_ephemeral: true

 matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}"

 # Enable End-to-bridge encryption
 matrix_mautrix_instagram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_instagram_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
 matrix_mautrix_instagram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml
@@ -1,27 +0,0 @@
 # SPDX-FileCopyrightText: 2021 Marcus Proest
 # SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2023 Adrien le Maire
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - tags:
    - setup-all
    - setup-mautrix-instagram
    - install-all
    - install-mautrix-instagram
  block:
    - when: matrix_mautrix_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"

    - when: matrix_mautrix_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"

 - tags:
    - setup-all
    - setup-mautrix-instagram
  block:
    - when: not matrix_mautrix_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml
@@ -1,99 +0,0 @@
 # SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2021 Marcus Proest
 # SPDX-FileCopyrightText: 2022 Jim Myhrberg
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 # SPDX-FileCopyrightText: 2022 Nikita Chernyi
 # SPDX-FileCopyrightText: 2022 Sebastian Gumprich
 # SPDX-FileCopyrightText: 2024 David Mehren
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---

 - name: Ensure Mautrix instagram image is pulled
  community.docker.docker_image:
    name: "{{ matrix_mautrix_instagram_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mautrix_instagram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_docker_image_force_pull }}"
  when: not matrix_mautrix_instagram_container_image_self_build
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed

 - name: Ensure Mautrix instagram paths exist
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - {path: "{{ matrix_mautrix_instagram_base_path }}", when: true}
    - {path: "{{ matrix_mautrix_instagram_config_path }}", when: true}
    - {path: "{{ matrix_mautrix_instagram_data_path }}", when: true}
    - {path: "{{ matrix_mautrix_instagram_docker_src_files_path }}", when: "{{ matrix_mautrix_instagram_container_image_self_build }}"}
  when: item.when | bool

 - name: Ensure Mautrix instagram repository is present on self-build
  ansible.builtin.git:
    repo: "{{ matrix_mautrix_instagram_container_image_self_build_repo }}"
    version: "{{ matrix_mautrix_instagram_container_image_self_build_repo_version }}"
    dest: "{{ matrix_mautrix_instagram_docker_src_files_path }}"
    force: "yes"
  become: true
  become_user: "{{ matrix_user_name }}"
  register: matrix_mautrix_instagram_git_pull_results
  when: "matrix_mautrix_instagram_container_image_self_build | bool"

 - name: Ensure Mautrix instagram Docker image is built
  community.docker.docker_image:
    name: "{{ matrix_mautrix_instagram_docker_image }}"
    source: build
    force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_mautrix_instagram_docker_src_files_path }}"
      pull: true
  when: "matrix_mautrix_instagram_container_image_self_build | bool"

 - name: Ensure mautrix-instagram config.yaml installed
  ansible.builtin.copy:
    content: "{{ matrix_mautrix_instagram_configuration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_mautrix_instagram_config_path }}/config.yaml"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"

 - name: Ensure mautrix-instagram registration.yaml installed
  ansible.builtin.copy:
    content: "{{ matrix_mautrix_instagram_registration | to_nice_yaml(indent=2, width=999999) }}"
    dest: "{{ matrix_mautrix_instagram_config_path }}/registration.yaml"
    mode: 0644
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"

 - name: Ensure mautrix-instagram support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
    dest: "{{ matrix_mautrix_instagram_base_path }}/{{ item }}"
    mode: 0640
    owner: "{{ matrix_user_name }}"
    group: "{{ matrix_group_name }}"
  with_items:
    - labels

 - name: Ensure matrix-mautrix-instagram container network is created
  community.general.docker_network:
    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
    name: "{{ matrix_mautrix_instagram_container_network }}"
    driver: bridge
    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"

 - name: Ensure matrix-mautrix-instagram.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-mautrix-instagram.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service"
    mode: 0644
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml
@@ -1,25 +0,0 @@
 # SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2021 Marcus Proest
 # SPDX-FileCopyrightText: 2022 Marko Weltzer
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---
 - name: Check existence of matrix-mautrix-instagram service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service"
  register: matrix_mautrix_instagram_service_stat

 - when: matrix_mautrix_instagram_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-mautrix-instagram is stopped
      ansible.builtin.service:
        name: matrix-mautrix-instagram
        state: stopped
        enabled: false
        daemon_reload: true

    - name: Ensure matrix-mautrix-instagram.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service"
        state: absent
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml
@@ -1,29 +0,0 @@
 # SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2021 Marcus Proest
 # SPDX-FileCopyrightText: 2025 Suguru Hirahara
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later

 ---
 - name: Fail if required mautrix-instagram settings not defined
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_mautrix_instagram_appservice_token', when: true}
    - {'name': 'matrix_mautrix_instagram_homeserver_address', when: true}
    - {'name': 'matrix_mautrix_instagram_homeserver_token', when: true}
    - {'name': 'matrix_mautrix_instagram_container_network', when: true}
    - {'name': 'matrix_mautrix_instagram_database_hostname', when: "{{ matrix_mautrix_instagram_database_engine == 'postgres' }}"}
    - {'name': 'matrix_mautrix_instagram_metrics_proxying_hostname', when: "{{ matrix_mautrix_instagram_metrics_proxying_enabled }}"}
    - {'name': 'matrix_mautrix_instagram_metrics_proxying_path_prefix', when: "{{ matrix_mautrix_instagram_metrics_proxying_enabled }}"}

 - name: (Deprecation) Catch and report renamed mautrix-instagram variables
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
  with_items:
    - {'old': 'matrix_mautrix_instagram_docker_image_name_prefix', 'new': 'matrix_mautrix_instagram_docker_image_registry_prefix'}
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
@@ -1,244 +0,0 @@
 #jinja2: lstrip_blocks: True
 # Homeserver details
 homeserver:
  # The address that this appservice can use to connect to the homeserver.
  address: {{ matrix_mautrix_instagram_homeserver_address }}
  # The domain of the homeserver (for MXIDs, etc).
  domain: {{ matrix_mautrix_instagram_homeserver_domain }}
  # Whether or not to verify the SSL certificate of the homeserver.
  # Only applies if address starts with https://
  verify_ssl: true
  # Whether or not the homeserver supports asmux-specific endpoints,
  # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically
  # updating m.direct.
  asmux: false

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
 appservice:
  # The address that the homeserver can use to connect to this appservice.
  address: {{ matrix_mautrix_instagram_appservice_address }}
  # When using https:// the TLS certificate and key files for the address.
  tls_cert: false
  tls_key: false

  # The hostname and port where this appservice should listen.
  hostname: 0.0.0.0
  port: 29330
  # The maximum body size of appservice API requests (from the homeserver) in mebibytes
  # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
  max_body_size: 1

  # The full URI to the database. Only Postgres is currently supported.
  database: {{ matrix_mautrix_instagram_appservice_database|to_json }}
  # Additional arguments for asyncpg.create_pool()
  # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
  database_opts:
    min_size: 5
    max_size: 10

  # The unique ID of this appservice.
  id: instagram
  # Username of the appservice bot.
  bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }}
  # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
  # to leave display name/avatar as-is.
  bot_displayname: Instagram bridge bot
  bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv

  # Whether or not to receive ephemeral events via appservice transactions.
  # Requires MSC2409 support (i.e. Synapse 1.22+).
  # You should disable bridge -> sync_with_custom_puppets when this is enabled.
  ephemeral_events: false

  # Authentication tokens for AS <-> HS communication.
  as_token: "{{ matrix_mautrix_instagram_appservice_token }}"
  hs_token: "{{ matrix_mautrix_instagram_homeserver_token }}"

 # Prometheus telemetry config. Requires prometheus-client to be installed.
 metrics:
  enabled: {{ matrix_mautrix_instagram_metrics_enabled | to_json }}
  listen_port: 8000

 instagram:
  # Seed for generating devices. This is secret because the seed is used to generate
  # device IDs, which can apparently be used to bypass two-factor authentication after
  # logging out, because Instagram is insecure.
  device_seed: generate

 # Bridge config
 bridge:
  # Localpart template of MXIDs for Instagram users.
  # {userid} is replaced with the user ID of the Instagram user.
  username_template: "instagram_{userid}"
  # Displayname template for Instagram users.
  # {displayname} is replaced with the display name of the Instagram user.
  # {username} is replaced with the username of the Instagram user.
  displayname_template: "{username} (Instagram)"

  # Maximum length of displayname
  displayname_max_length: 100

  # Maximum number of seconds since the last activity in a chat to automatically create portals.
  portal_create_max_age: 86400
  # Maximum number of chats to fetch for startup sync
  chat_sync_limit: 100
  # Whether or not to use /sync to get read receipts and typing notifications
  # when double puppeting is enabled
  sync_with_custom_puppets: true
  # Whether or not to update the m.direct account data event when double puppeting is enabled.
  # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
  # and is therefore prone to race conditions.
  sync_direct_chat_list: false
  # Allow using double puppeting from any server with a valid client .well-known file.
  double_puppet_allow_discovery: false
  # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
  double_puppet_server_map: {}
  #    example.com: https://example.com
  # Allow using double puppeting from any server with a valid client .well-known file.
  double_puppet_allow_discovery: false
  # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
  #
  # If set, custom puppets will be enabled automatically for local users
  # instead of users having to find an access token and run `login-matrix`
  # manually.
  # If using this for other servers than the bridge's server,
  # you must also set the URL in the double_puppet_server_map.
  login_shared_secret_map:
    {{ matrix_mautrix_instagram_bridge_login_shared_secret_map|to_json }}
  # Whether or not to update avatars when syncing all contacts at startup.
  update_avatar_initial_sync: true
  # Whether or not created rooms should have federation enabled.
  # If false, created portal rooms will never be federated.
  federate_rooms: {{ matrix_mautrix_instagram_federate_rooms|to_json }}
  # Settings for backfilling messages from Instagram.
  backfill:
    # Whether or not the Instagram users of logged in Matrix users should be
    # invited to private chats when backfilling history from Instagram. This is
    # usually needed to prevent rate limits and to allow timestamp massaging.
    invite_own_puppet: true
    # Maximum number of messages to backfill initially.
    # Set to 0 to disable backfilling when creating portal.
    initial_limit: 0
    # Maximum number of messages to backfill if messages were missed while
    # the bridge was disconnected.
    # Set to 0 to disable backfilling missed messages.
    missed_limit: 1000
    # If using double puppeting, should notifications be disabled
    # while the initial backfill is in progress?
    disable_notifications: false
  periodic_reconnect:
    # Interval in seconds in which to automatically reconnect all users.
    # This can be used to automatically mitigate the bug where Instagram stops sending messages.
    # Set to -1 to disable periodic reconnections entirely.
    interval: -1
    # Whether or not the bridge should backfill chats when reconnecting.
    resync: true
    # Should even disconnected users be reconnected?
    always: false
  # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
  # and login_shared_secret to be configured in order to get a device for the bridge bot.
  #
  # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
  # application service.
  encryption:
    # Allow encryption, work in group chat rooms with e2ee enabled
    allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }}
    # Default to encryption, force-enable encryption in all portals the bridge creates
    # This will cause the bridge bot to be in private chats for the encryption to work properly.
    default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }}
    # Options for automatic key sharing.
    key_sharing:
      # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
      # You must use a client that supports requesting keys from other users to use this feature.
      allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }}
      # Require the requesting device to have a valid cross-signing signature?
      # This doesn't require that the bridge has verified the device, only that the user has verified it.
      # Not yet implemented.
      require_cross_signing: false
      # Require devices to be verified by the bridge?
      # Verification by the bridge is not yet implemented.
      require_verification: true
  # Whether or not to explicitly set the avatar and room name for private
  # chat portal rooms. This will be implicitly enabled if encryption.default is true.
  private_chat_portal_meta: false
  # Whether or not the bridge should send a read receipt from the bridge bot when a message has
  # been sent to Instagram.
  delivery_receipts: false
  # Whether or not delivery errors should be reported as messages in the Matrix room.
  delivery_error_reports: true
  # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
  # This field will automatically be changed back to false after it,
  # except if the config file is not writable.
  resend_bridge_info: false
  # Whether or not unimportant bridge notices should be sent to the user.
  # (e.g. connected, disconnected but will retry)
  unimportant_bridge_notices: true

  # The prefix for commands. Only required in non-management rooms.
  command_prefix: "{{ matrix_mautrix_instagram_command_prefix }}"
  # Permissions for using the bridge.
  # Permitted values:
  #       user - Use the bridge with puppeting.
  #      admin - Use and administrate the bridge.
  # Permitted keys:
  #        * - All Matrix users
  #   domain - All users on that homeserver
  #     mxid - Specific user
  permissions: {{ matrix_mautrix_instagram_bridge_permissions|to_json }}
  # Provisioning API part of the web server for automated portal creation and fetching information.
  # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
  provisioning:
    # Whether or not the provisioning API should be enabled.
    enabled: true
    # The prefix to use in the provisioning API endpoints.
    prefix: /_matrix/provision/v1
    # The shared secret to authorize users of the API.
    # Set to "generate" to generate and save a new token.
    shared_secret: generate
  relay:
    # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any
    # authenticated user into a relaybot for that chat.
    enabled: {{ matrix_mautrix_instagram_relay_enabled }}
    # The formats to use when sending messages to Instagram via a relay user.
    #
    # Available variables:
    #   $sender_displayname - The display name of the sender (e.g. Example User)
    #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. alice)
    #   $sender_mxid        - The Matrix ID of the sender (e.g. @alice:example.com)
    #   $message            - The message content
    #
    # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed.
    message_formats:
      m.text: '$sender_displayname: $message'
      m.notice: '$sender_displayname: $message'
      m.emote: '* $sender_displayname $message'

 # Python logging configuration.
 #
 # See section 16.7.2 of the Python documentation for more info:
 # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
 logging:
  version: 1
  formatters:
    colored:
      (): mautrix_instagram.util.ColorFormatter
      format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
    normal:
      format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
  handlers:
    console:
      class: logging.StreamHandler
      formatter: colored
  loggers:
    mau:
      level: {{ matrix_mautrix_instagram_logging_level|to_json }}
    mauigpapi:
      level: {{ matrix_mautrix_instagram_logging_level|to_json }}
    paho:
      level: {{ matrix_mautrix_instagram_logging_level|to_json }}
    aiohttp:
      level: {{ matrix_mautrix_instagram_logging_level|to_json }}
  root:
    level: {{ matrix_mautrix_instagram_logging_level|to_json }}
    handlers: [console]
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2.license
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2.license
@@ -1,10 +0,0 @@
 SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
 SPDX-FileCopyrightText: 2021 Marcus Proest
 SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
 SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
 SPDX-FileCopyrightText: 2022 László Várady
 SPDX-FileCopyrightText: 2023 Adrien le Maire
 SPDX-FileCopyrightText: 2023 Kevin Kengen
 SPDX-FileCopyrightText: 2024 Suguru Hirahara

 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2
@@ -1,52 +0,0 @@
 {#
 SPDX-FileCopyrightText: 2024 Slavi Pantaleev

 SPDX-License-Identifier: AGPL-3.0-or-later
 #}

 {% if matrix_mautrix_instagram_container_labels_traefik_enabled %}
 traefik.enable=true

 {% if matrix_mautrix_instagram_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_mautrix_instagram_container_labels_traefik_docker_network }}
 {% endif %}

 traefik.http.services.matrix-mautrix-instagram-metrics.loadbalancer.server.port=8000

 {% if matrix_mautrix_instagram_container_labels_metrics_enabled %}
 ############################################################
 #                                                          #
 # Metrics                                                  #
 #                                                          #
 ############################################################

 {% if matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled %}
 traefik.http.middlewares.matrix-mautrix-instagram-metrics-basic-auth.basicauth.users={{ matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users }}
 traefik.http.routers.matrix-mautrix-instagram-metrics.middlewares=matrix-mautrix-instagram-metrics-basic-auth
 {% endif %}

 traefik.http.routers.matrix-mautrix-instagram-metrics.rule={{ matrix_mautrix_instagram_container_labels_metrics_traefik_rule }}

 {% if matrix_mautrix_instagram_container_labels_metrics_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-mautrix-instagram-metrics.priority={{ matrix_mautrix_instagram_container_labels_metrics_traefik_priority }}
 {% endif %}

 traefik.http.routers.matrix-mautrix-instagram-metrics.service=matrix-mautrix-instagram-metrics
 traefik.http.routers.matrix-mautrix-instagram-metrics.entrypoints={{ matrix_mautrix_instagram_container_labels_metrics_traefik_entrypoints }}

 traefik.http.routers.matrix-mautrix-instagram-metrics.tls={{ matrix_mautrix_instagram_container_labels_metrics_traefik_tls | to_json }}
 {% if matrix_mautrix_instagram_container_labels_metrics_traefik_tls %}
 traefik.http.routers.matrix-mautrix-instagram-metrics.tls.certResolver={{ matrix_mautrix_instagram_container_labels_metrics_traefik_tls_certResolver }}
 {% endif %}

 ############################################################
 #                                                          #
 # /Metrics                                                 #
 #                                                          #
 ############################################################
 {% endif %}


 {% endif %}

 {{ matrix_mautrix_instagram_container_labels_additional_labels }}
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2
@@ -1,48 +0,0 @@
 #jinja2: lstrip_blocks: True
 [Unit]
 Description=Matrix Mautrix Instagram bridge
 {% for service in matrix_mautrix_instagram_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_mautrix_instagram_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 DefaultDependencies=no

 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-instagram 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null || true'

 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=matrix-mautrix-instagram \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_mautrix_instagram_container_network }} \
 			--mount type=bind,src={{ matrix_mautrix_instagram_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_mautrix_instagram_data_path }},dst=/data \
 			--label-file={{ matrix_mautrix_instagram_base_path }}/labels \
 			{% for arg in matrix_mautrix_instagram_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_instagram_docker_image }} \
 			python3 -m mautrix_instagram -c /config/config.yaml --no-update

 {% for network in matrix_mautrix_instagram_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-instagram
 {% endfor %}

 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-mautrix-instagram

 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-instagram 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-instagram

 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2.license
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2.license
@@ -1,4 +0,0 @@
 SPDX-FileCopyrightText: 2021 Marcus Proest
 SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev

 SPDX-License-Identifier: AGPL-3.0-or-later
--- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
 matrix_mautrix_meta_instagram_version: v0.2510.0
 matrix_mautrix_meta_instagram_version: v0.2512.0

 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
--- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml
@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
 matrix_mautrix_meta_messenger_version: v0.2510.0
 matrix_mautrix_meta_messenger_version: v0.2512.0

 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
 matrix_mautrix_signal_version: v0.2510.0
 matrix_mautrix_signal_version: v0.2601.0

 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@@ -50,11 +50,14 @@ matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_signal_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"

 matrix_mautrix_signal_extev_polls: false

 matrix_mautrix_signal_command_prefix: "!signal"

 # Displayname template for Signal users.
 # {{.ProfileName}} - The Signal profile name set by the user.
 # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
 # {{.Nickname}} - The nickname set for the user in the native Signal app. This is not safe on multi-user instances.
 # {{.PhoneNumber}} - The phone number of the user.
 # {{.UUID}} - The UUID of the Signal user.
 # {{.AboutEmoji}} - The emoji set by the user in their profile.
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@@ -19,6 +19,8 @@ network:
    # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
    # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
    location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s'
    # Should polls be sent using unstable MSC3381 event types?
    extev_polls: {{ matrix_mautrix_signal_extev_polls | to_json }}

 # Config options that affect the central bridge module.
 bridge:
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
 matrix_mautrix_slack_version: v0.2510.0
 matrix_mautrix_slack_version: v0.2511.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
 matrix_mautrix_twitter_version: v0.2510.0
 matrix_mautrix_twitter_version: v0.2511.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"

 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
 matrix_mautrix_whatsapp_version: v0.2510.0
 matrix_mautrix_whatsapp_version: v0.2601.0

 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml
@@ -9,7 +9,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_mautrix_androidsms_appservice_token"
    - "matrix_mautrix_androidsms_homeserver_token"
--- a/roles/custom/matrix-bridge-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bridge-postmoogle/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_postmoogle_docker_repo_version: "{{ 'main' if matrix_postmoogle_version =
 matrix_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"

 # renovate: datasource=docker depName=ghcr.io/etkecc/postmoogle
 matrix_postmoogle_version: v0.9.27
 matrix_postmoogle_version: v0.9.28
 matrix_postmoogle_docker_image: "{{ matrix_postmoogle_docker_image_registry_prefix }}etkecc/postmoogle:{{ matrix_postmoogle_version }}"
 matrix_postmoogle_docker_image_registry_prefix: "{{ 'localhost/' if matrix_postmoogle_container_image_self_build else matrix_postmoogle_docker_image_registry_prefix_upstream }}"
 matrix_postmoogle_docker_image_registry_prefix_upstream: "{{ matrix_postmoogle_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bridge-sms/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-sms/tasks/validate_config.yml
@@ -11,7 +11,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_sms_bridge_appservice_token"
    - "matrix_sms_bridge_homeserver_hostname"
--- a/roles/custom/matrix-bridge-steam/defaults/main.yml
+++ b/roles/custom/matrix-bridge-steam/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_steam_bridge_container_image_self_build_repo: "https://github.com/jasonla
 matrix_steam_bridge_container_image_self_build_repo_version: "{{ 'main' if matrix_steam_bridge_version == 'latest' else matrix_steam_bridge_version }}"

 # renovate: datasource=docker depName=ghcr.io/jasonlaguidice/matrix-steam-bridge
 matrix_steam_bridge_version: 1.0.8
 matrix_steam_bridge_version: 1.1.0
 matrix_steam_bridge_docker_image: "{{ matrix_steam_bridge_docker_image_registry_prefix }}jasonlaguidice/matrix-steam-bridge:{{ matrix_steam_bridge_version }}"
 matrix_steam_bridge_docker_image_registry_prefix: "{{ 'localhost/' if matrix_steam_bridge_container_image_self_build else matrix_steam_bridge_docker_image_registry_prefix_upstream }}"
 matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml
@@ -15,7 +15,7 @@
  block:
    - name: Ensure matrix-bridge-zulip is stopped
      ansible.builtin.service:
        name: matrix-bridge-zulip
        name: matrix-zulip-bridge
        state: stopped
        enabled: false
        daemon_reload: true
--- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml
+++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"

 # renovate: datasource=docker depName=joseluisq/static-web-server
 matrix_cactus_comments_client_version: 2.39.0
 matrix_cactus_comments_client_version: 2.40.1

 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml
+++ b/roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml
@@ -8,7 +8,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - matrix_cactus_comments_client_hostname
    - matrix_cactus_comments_client_path_prefix
--- a/roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2
+++ b/roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2
@@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--env-file={{ matrix_cactus_comments_client_base_path }}/env \
 			--label-file={{ matrix_cactus_comments_client_base_path }}/labels \
 			--mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/public,ro \
 			--mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/var/public,ro \
 			{{ matrix_cactus_comments_client_container_image }}

 {% for network in matrix_cactus_comments_client_container_additional_networks %}
--- a/roles/custom/matrix-cactus-comments/tasks/validate_config.yml
+++ b/roles/custom/matrix-cactus-comments/tasks/validate_config.yml
@@ -24,7 +24,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_cactus_comments_as_token"
    - "matrix_cactus_comments_hs_token"
--- a/roles/custom/matrix-client-cinny/tasks/validate_config.yml
+++ b/roles/custom/matrix-client-cinny/tasks/validate_config.yml
@@ -36,7 +36,7 @@
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`).
      when: "vars[item] == ''"
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - matrix_client_cinny_container_labels_traefik_hostname
        - matrix_client_cinny_container_labels_traefik_path_prefix
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@@ -26,10 +26,10 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 # Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM):
 # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
 # - https://github.com/element-hq/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"

 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
 matrix_client_element_version: v1.12.3
 matrix_client_element_version: v1.12.9

 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"
--- a/roles/custom/matrix-client-fluffychat/defaults/main.yml
+++ b/roles/custom/matrix-client-fluffychat/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"

 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
 matrix_client_fluffychat_version: v2.2.0
 matrix_client_fluffychat_version: v2.4.0
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"
--- a/roles/custom/matrix-client-fluffychat/tasks/validate_config.yml
+++ b/roles/custom/matrix-client-fluffychat/tasks/validate_config.yml
@@ -9,7 +9,7 @@
  ansible.builtin.fail:
    msg: >
      You need to define a required configuration setting (`{{ item }}`) for using FluffyChat Web.
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - matrix_client_fluffychat_container_network

@@ -27,7 +27,7 @@
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`).
      when: "vars[item] == ''"
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - matrix_client_fluffychat_container_labels_traefik_hostname
        - matrix_client_fluffychat_container_labels_traefik_path_prefix
--- a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml
+++ b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml
@@ -30,7 +30,7 @@
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`).
      when: "vars[item] == ''"
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - matrix_client_hydrogen_container_labels_traefik_hostname
        - matrix_client_hydrogen_container_labels_traefik_path_prefix
--- a/roles/custom/matrix-client-schildichat/tasks/validate_config.yml
+++ b/roles/custom/matrix-client-schildichat/tasks/validate_config.yml
@@ -20,7 +20,7 @@
  ansible.builtin.fail:
    msg: >
      You need to define a required configuration setting (`{{ item }}`) for using SchildiChat Web.
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - matrix_client_schildichat_default_hs_url
    - matrix_client_schildichat_container_network
@@ -39,7 +39,7 @@
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`).
      when: "vars[item] == ''"
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - matrix_client_schildichat_container_labels_traefik_hostname
        - matrix_client_schildichat_container_labels_traefik_path_prefix
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg
 matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}"
 matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixconduit/matrix-conduit
 matrix_conduit_docker_image_tag: "v0.10.9"
 matrix_conduit_docker_image_tag: "v0.10.11"
 matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}"

 matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit"
--- a/roles/custom/matrix-corporal/tasks/validate_config.yml
+++ b/roles/custom/matrix-corporal/tasks/validate_config.yml
@@ -10,7 +10,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_corporal_container_network"
    - "matrix_corporal_matrix_homeserver_api_endpoint"
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@@ -18,13 +18,15 @@

 matrix_coturn_enabled: true

 matrix_coturn_hostname: ""

 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

 # renovate: datasource=docker depName=coturn/coturn
 matrix_coturn_version: 4.6.2-r11
 # renovate: datasource=docker depName=coturn/coturn versioning=loose
 matrix_coturn_version: 4.8.0
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
 matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
@@ -111,6 +113,9 @@ matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_con
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172

 # Controls the `realm` configuration option
 matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"

 # Controls which authentication method to enable.
 #
 # lt-cred-mech likely provides better compatibility,
@@ -134,7 +139,7 @@ matrix_coturn_lt_cred_mech_password: ""
 # The external IP address of the machine where coturn is.
 # If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
 # See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
 matrix_coturn_turn_external_ip_address: ''
 matrix_coturn_turn_external_ip_address: ""
 matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"

 # Controls whether external IP address auto-detection should be attempted.
@@ -213,7 +218,7 @@ matrix_coturn_response_origin_only_with_rfc5780_enabled: true
 #   simple-log
 #   aux-server=1.2.3.4
 #   relay-ip=4.3.2.1
 matrix_coturn_additional_configuration: ''
 matrix_coturn_additional_configuration: ""

 # To enable TLS, you need to provide paths to certificates.
 # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.
--- a/roles/custom/matrix-coturn/tasks/validate_config.yml
+++ b/roles/custom/matrix-coturn/tasks/validate_config.yml
@@ -29,6 +29,7 @@
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_coturn_hostname', when: true}
    - {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
    - {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
    - {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
--- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2
+++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2
@@ -11,7 +11,7 @@ lt-cred-mech
 user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
 {% endif %}

 realm=turn.{{ matrix_server_fqn_matrix }}
 realm={{ matrix_coturn_realm }}

 min-port={{ matrix_coturn_turn_udp_min_port }}
 max-port={{ matrix_coturn_turn_udp_max_port }}
--- a/roles/custom/matrix-coturn/vars/main.yml
+++ b/roles/custom/matrix-coturn/vars/main.yml
@@ -7,15 +7,15 @@
 matrix_coturn_turn_uris: |-
  {{
    ([
      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
      'turns:' + matrix_coturn_hostname + '?transport=udp',
      'turns:' + matrix_coturn_hostname + '?transport=tcp',
    ] if matrix_coturn_tls_enabled else [])
    +
    ([
      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
      'turn:' + matrix_coturn_hostname + '?transport=udp',
    ] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host')  else [])
    +
    ([
      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
      'turn:' + matrix_coturn_hostname + '?transport=tcp',
    ] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host')  else [])
  }}
--- a/roles/custom/matrix-dimension/tasks/validate_config.yml
+++ b/roles/custom/matrix-dimension/tasks/validate_config.yml
@@ -39,7 +39,7 @@
      ansible.builtin.fail:
        msg: >-
          You need to define a required configuration setting (`{{ item }}`).
      when: "vars[item] == ''"
      when: "lookup('vars', item, default='') == ''"
      with_items:
        - matrix_dimension_container_labels_traefik_hostname
        - matrix_dimension_container_labels_traefik_path_prefix
--- a/roles/custom/matrix-element-admin/defaults/main.yml
+++ b/roles/custom/matrix-element-admin/defaults/main.yml
@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true

 # renovate: datasource=docker depName=oci.element.io/element-admin
 matrix_element_admin_version: 0.1.8
 matrix_element_admin_version: 0.1.10

 matrix_element_admin_scheme: https

--- a/roles/custom/matrix-element-call/defaults/main.yml
+++ b/roles/custom/matrix-element-call/defaults/main.yml
@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"

 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
 matrix_element_call_version: v0.16.1
 matrix_element_call_version: v0.16.3

 matrix_element_call_scheme: https

--- a/roles/custom/matrix-element-call/tasks/validate_config.yml
+++ b/roles/custom/matrix-element-call/tasks/validate_config.yml
@@ -17,7 +17,7 @@
  ansible.builtin.fail:
    msg: >
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and vars[item.name] | string | length == 0"
  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
  with_items:
    - {'name': 'matrix_element_call_container_network', when: true}
    - {'name': 'matrix_element_call_hostname', when: true}
--- a/roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml
+++ b/roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml
@@ -11,7 +11,7 @@
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
  when: "lookup('vars', item, default='') == ''"
  with_items:
    - "matrix_ldap_registration_proxy_hostname"
    - "matrix_ldap_registration_proxy_ldap_uri"