From cb769f0939485579b17aca1698f16b74089e3e56 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 9 Nov 2025 08:35:05 +0000 Subject: [PATCH 001/209] chore(deps): update dependency traefik to v3.6.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8f0bd3ee8..d4703d326 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.1.0-0 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.5.4-1 + version: v3.6.0-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-2 From 20104ad5a98ad52377e78e19134c3f7ba78cd33f Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Sun, 9 Nov 2025 22:03:50 +0900 Subject: [PATCH 002/209] Remove mautrix-facebook Reuse: - https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/1861faf31d5490c6604efdd34d83073ec3850d88/docs/configuring-playbook-bridge-mx-puppet-twitter.md - 2b7a0453eb33d7026dfdcb20619d4a73a9727f5b 
Signed-off-by: Suguru Hirahara --- CHANGELOG.md | 6 + ...iguring-playbook-bridge-mautrix-bridges.md | 2 +- ...guring-playbook-bridge-mautrix-facebook.md | 94 +------ docs/self-building.md | 1 - group_vars/matrix_servers | 96 ------- .../defaults/main.yml | 227 --------------- .../tasks/main.yml | 27 -- .../tasks/setup_install.yml | 159 ----------- .../tasks/setup_uninstall.yml | 26 -- .../tasks/validate_config.yml | 47 ---- .../templates/config.yaml.j2 | 259 ------------------ .../templates/config.yaml.j2.license | 9 - .../templates/labels.j2 | 82 ------ .../matrix-mautrix-facebook.service.j2 | 51 ---- ...matrix-mautrix-facebook.service.j2.license | 7 - .../tasks/validate_config.yml | 12 + setup.yml | 1 - 17 files changed, 32 insertions(+), 1074 deletions(-) delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2.license delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2 delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 delete mode 100644 roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2.license diff --git a/CHANGELOG.md b/CHANGELOG.md index e960fd870..997574d5f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,6 +6,12 @@ The playbook will let you know if you're using any `matrix_appservice_webhooks_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the bridge manually](./docs/configuring-playbook-bridge-appservice-webhooks.md#uninstalling-the-bridge-manually). +## mautrix-facebook has been removed from the playbook + +[mautrix-facebook](./docs/configuring-playbook-bridge-mautrix-facebook.md) has been removed from the playbook, as it has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge. + +The playbook will let you know if you're using any `matrix_mautrix_facebook_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the bridge manually](./docs/configuring-playbook-bridge-mautrix-facebook.md#uninstalling-the-bridge-manually). + # 2025-11-08 ## MatrixZulipBridge support diff --git a/docs/configuring-playbook-bridge-mautrix-bridges.md b/docs/configuring-playbook-bridge-mautrix-bridges.md index 7c2e15e80..54a9116c8 100644 --- a/docs/configuring-playbook-bridge-mautrix-bridges.md +++ b/docs/configuring-playbook-bridge-mautrix-bridges.md 
@@ -24,7 +24,7 @@ To enable the bridge, add the following configuration to your `inventory/host_va matrix_mautrix_SERVICENAME_enabled: true ``` -**Note**: for bridging to Meta's Messenger or Instagram, you would need to add `meta` with an underscore symbol (`_`) or hyphen (`-`) based on the context as prefix to each `SERVICENAME`; add `_` to variables (as in `matrix_mautrix_meta_messenger_configuration_extension_yaml` for example) and `-` to paths of the configuration files (as in `roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2`), respectively. **`matrix_mautrix_facebook_*` and `matrix_mautrix_instagram_*` variables belong to the deprecated components and do not control the new bridge** ([mautrix-meta](https://github.com/mautrix/meta)), which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). +**Note**: for bridging to Meta's Messenger or Instagram, you would need to add `meta` with an underscore symbol (`_`) or hyphen (`-`) based on the context as prefix to each `SERVICENAME`; add `_` to variables (as in `matrix_mautrix_meta_messenger_configuration_extension_yaml` for example) and `-` to paths of the configuration files (as in `roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2`), respectively. **`matrix_mautrix_instagram_*` variables belong to the deprecated component and do not control the new bridge** ([mautrix-meta](https://github.com/mautrix/meta)), which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). There are some additional things you may wish to configure about the bridge before you continue. Each bridge may have additional requirements besides `_enabled: true`. For example, the mautrix-telegram bridge (our documentation page about it is [here](configuring-playbook-bridge-mautrix-telegram.md)) requires the `matrix_mautrix_telegram_api_id` and `matrix_mautrix_telegram_api_hash` variables to be defined. 
Refer to each bridge's individual documentation page for details about enabling bridges. diff --git a/docs/configuring-playbook-bridge-mautrix-facebook.md b/docs/configuring-playbook-bridge-mautrix-facebook.md index d79977a7c..02ffa57c4 100644 --- a/docs/configuring-playbook-bridge-mautrix-facebook.md +++ b/docs/configuring-playbook-bridge-mautrix-facebook.md 
@@ -1,100 +1,32 @@ -# Setting up Mautrix Facebook bridging (optional, deprecated) +# Setting up Mautrix Facebook bridging (optional, removed) -Refer the common guide for configuring mautrix bridges: [Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md) +🪦 The playbook used to be able to install and configure [mautrix-facebook](https://github.com/mautrix/facebook), but no longer includes this component, as it has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge. -**Note**: This bridge has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge, which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). Consider using that bridge instead of this one. +The mautrix-meta bridge can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). -The playbook can install and configure [mautrix-facebook](https://github.com/mautrix/facebook) for you. +## Uninstalling the bridge manually -See the project's [documentation](https://github.com/mautrix/facebook/blob/master/README.md) to learn what it does and why it might be useful to you. +If you still have the bridge installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server: -## Prerequisite (optional) - -### Enable Shared Secret Auth - -If you want to set up [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do) for this bridge automatically, you need to have enabled [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook. 
- -See [this section](configuring-playbook-bridge-mautrix-bridges.md#set-up-double-puppeting-optional) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about setting up Double Puppeting. - -**Note**: double puppeting with the Shared Secret Auth works at the time of writing, but is deprecated and will stop working in the future. - -## Adjusting the playbook configuration - -To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: - -```yaml -matrix_mautrix_facebook_enabled: true -``` - -### Extending the configuration - -There are some additional things you may wish to configure about the bridge. - -See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc. - -## Installing - -After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below: - - ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -``` - -The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all` - -`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. 
If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too. - -## Usage +systemctl disable --now matrix-mautrix-facebook.service -To use the bridge, you need to start a chat with `@facebookbot:example.com` (where `example.com` is your base domain, not the `matrix.` domain). +rm -rf /matrix/mautrix-facebook -You then need to send `login YOUR_FACEBOOK_EMAIL_ADDRESS` to the bridge bot to enable bridging for your Facebook Messenger account. - -If you run into trouble, check the [Troubleshooting](#troubleshooting) section below. - -## Troubleshooting - -As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-facebook`. - -### Increase logging verbosity - -The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook: - -```yaml -matrix_mautrix_facebook_logging_level: DEBUG -``` - -### Facebook rejecting login attempts and forcing you to change password - -If your Matrix server is in a wildly different location than where you usually use your Facebook account from, the bridge's login attempts may be outright rejected by Facebook. Along with that, Facebook may even force you to change the account's password. - -If you happen to run into this problem while [setting up bridging](#usage), try to first get a successful session up by logging in to Facebook through the Matrix server's IP address. - -The easiest way to do this may be to use [sshuttle](https://sshuttle.readthedocs.io/) to proxy your traffic through the Matrix server. 
- -Example command for proxying your traffic through the Matrix server: - -```sh -sshuttle -r root@matrix.example.com:22 0/0 +/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_facebook;' ``` - -Once connected, you should be able to verify that you're browsing the web through the Matrix server's IP by checking [icanhazip](https://icanhazip.com/). - -Then proceed to log in to [Facebook/Messenger](https://www.facebook.com/). - -Once logged in, proceed to [set up bridging](#usage). - -If that doesn't work, enable 2FA (see: [Facebook help page on enabling 2FA](https://www.facebook.com/help/148233965247823)) and try to login again with a new password, and entering the 2FA code when prompted, it may take more then one try, in between attempts, check facebook.com to see if they are requiring another password change diff --git a/docs/self-building.md b/docs/self-building.md index 997f91adb..74252dbb2 100644 --- a/docs/self-building.md +++ b/docs/self-building.md @@ -40,7 +40,6 @@ Possibly outdated list of roles where self-building the Docker image is currentl - `matrix-bridge-appservice-irc` - `matrix-bridge-appservice-slack` - `matrix-bridge-beeper-linkedin` -- `matrix-bridge-mautrix-facebook` - `matrix-bridge-mautrix-googlechat` - `matrix-bridge-mautrix-telegram` - `matrix-bridge-mautrix-signal` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index a1c11cfde..332182073 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -122,8 +122,6 @@ matrix_homeserver_container_extra_arguments_auto: | + (['--mount type=bind,src=' + matrix_mautrix_slack_config_path + '/registration.yaml,dst=/matrix-mautrix-slack-registration.yaml,ro'] if matrix_mautrix_slack_enabled else []) + - (['--mount type=bind,src=' + matrix_mautrix_facebook_config_path + '/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro'] if matrix_mautrix_facebook_enabled else []) - + (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) + (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else []) @@ -187,8 +185,6 @@ matrix_homeserver_app_service_config_files_auto: | + (['/matrix-mautrix-slack-registration.yaml'] if matrix_mautrix_slack_enabled else []) + - (['/matrix-mautrix-facebook-registration.yaml'] if matrix_mautrix_facebook_enabled else []) - + (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) + (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else []) 
@@ -321,8 +317,6 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-mautrix-slack.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-slack']}] if matrix_mautrix_slack_enabled else []) + - ([{'name': 'matrix-mautrix-facebook.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-facebook']}] if matrix_mautrix_facebook_enabled else []) - + ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-googlechat']}] if matrix_mautrix_googlechat_enabled else []) + ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else []) 
@@ -1199,85 +1193,6 @@ matrix_mautrix_slack_public_media_signing_key: "{{ '%s' | format(matrix_homeserv # ###################################################################### - -###################################################################### -# -# matrix-bridge-mautrix-facebook -# -###################################################################### - -# We don't enable bridges by default. -matrix_mautrix_facebook_enabled: false - -matrix_mautrix_facebook_systemd_required_services_list_auto: | - {{ - matrix_addons_homeserver_systemd_services_list - + - ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else []) - }} - -matrix_mautrix_facebook_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_facebook_docker_image_registry_prefix_upstream_default }}" - -matrix_mautrix_facebook_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" - -matrix_mautrix_facebook_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9008') if matrix_playbook_service_host_bind_interface_prefix else '' }}" - -matrix_mautrix_facebook_container_network: "{{ matrix_addons_container_network }}" - -matrix_mautrix_facebook_container_additional_networks_auto: |- - {{ - ( - ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) - + - ([postgres_container_network] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname and matrix_mautrix_facebook_container_network != postgres_container_network) else []) - + - ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_facebook_container_labels_traefik_enabled) else []) - ) | unique - }} - 
-matrix_mautrix_facebook_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" -matrix_mautrix_facebook_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_mautrix_facebook_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" -matrix_mautrix_facebook_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" - -matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" -matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" - -matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.as.token', rounds=655555) | to_uuid }}" - -matrix_mautrix_facebook_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}" - -matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'fb.hs.token', rounds=655555) | to_uuid }}" - -matrix_mautrix_facebook_homeserver_async_media: "{{ matrix_homeserver_implementation in ['synapse'] }}" - -matrix_mautrix_facebook_appservice_public_enabled: true -matrix_mautrix_facebook_appservice_public_hostname: "{{ matrix_server_fqn_matrix }}" -matrix_mautrix_facebook_appservice_public_prefix: "/{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'facebook', rounds=655555) | to_uuid }}" - -matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" - -matrix_mautrix_facebook_bridge_presence: "{{ (matrix_synapse_presence_enabled if matrix_synapse_enabled else true) if matrix_homeserver_implementation == 
'synapse' else true }}" - -matrix_mautrix_facebook_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" - -matrix_mautrix_facebook_metrics_proxying_enabled: "{{ matrix_mautrix_facebook_metrics_enabled and matrix_metrics_exposure_enabled }}" -matrix_mautrix_facebook_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" -matrix_mautrix_facebook_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-facebook" - -# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain -# and point them to a migration path. -matrix_mautrix_facebook_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}" -matrix_mautrix_facebook_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}" -matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.fb.db', rounds=655555) | to_uuid }}" - -###################################################################### -# -# /matrix-bridge-mautrix-facebook -# -###################################################################### - - ###################################################################### # # matrix-bridge-mautrix-googlechat 
@@ -4025,12 +3940,6 @@ postgres_managed_databases_auto: | 'password': matrix_mautrix_bluesky_database_password, }] if (matrix_mautrix_bluesky_enabled and matrix_mautrix_bluesky_database_engine == 'postgres' and matrix_mautrix_bluesky_database_hostname == postgres_connection_hostname) else []) + - ([{ - 'name': matrix_mautrix_facebook_database_name, - 'username': matrix_mautrix_facebook_database_username, - 'password': matrix_mautrix_facebook_database_password, - }] if (matrix_mautrix_facebook_enabled and matrix_mautrix_facebook_database_engine == 'postgres' and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else []) - + ([{ 'name': matrix_mautrix_googlechat_database_name, 'username': matrix_mautrix_googlechat_database_username, @@ -4935,11 +4844,6 @@ matrix_synapse_admin_config_asManagedUsers_auto: | '^@discord_[0-9]+:'+(matrix_domain | regex_escape)+'$', ] if matrix_mautrix_discord_enabled else []) + - ([ - '^@'+(matrix_mautrix_facebook_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$', - '^@facebook_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$', - ] if matrix_mautrix_facebook_enabled else []) - + ([ '^@'+(matrix_mautrix_gmessages_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$', '^@gmessages_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$', diff --git a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml deleted file mode 100644 index 0468d92d5..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml +++ /dev/null 
@@ -1,227 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev -# SPDX-FileCopyrightText: 2020 Horvath Gergely -# SPDX-FileCopyrightText: 2020 Marcel Partap -# SPDX-FileCopyrightText: 2021 - 2024 MDAD project contributors -# SPDX-FileCopyrightText: 2021 Aaron Raimist -# SPDX-FileCopyrightText: 2021 Arthur Brugière -# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi -# SPDX-FileCopyrightText: 2022 László Várady -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# SPDX-FileCopyrightText: 2023 Adrien le Maire -# SPDX-FileCopyrightText: 2023 Samuel Meenzen -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- -# mautrix-facebook is a Matrix <-> Facebook bridge -# Project source code URL: https://github.com/mautrix/facebook - -matrix_mautrix_facebook_enabled: true - -matrix_mautrix_facebook_container_image_self_build: false -matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git" - -# renovate: datasource=docker depName=dock.mau.dev/mautrix/facebook -matrix_mautrix_facebook_version: v0.5.1 -matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_registry_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}" -matrix_mautrix_facebook_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else matrix_mautrix_facebook_docker_image_registry_prefix_upstream }}" -matrix_mautrix_facebook_docker_image_registry_prefix_upstream: "{{ matrix_mautrix_facebook_docker_image_registry_prefix_upstream_default }}" -matrix_mautrix_facebook_docker_image_registry_prefix_upstream_default: "dock.mau.dev/" -matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}" - -matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook" -matrix_mautrix_facebook_config_path: "{{ matrix_mautrix_facebook_base_path }}/config" -matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path 
}}/data" -matrix_mautrix_facebook_docker_src_files_path: "{{ matrix_mautrix_facebook_base_path }}/docker-src" - -matrix_mautrix_facebook_command_prefix: "!fb" - -matrix_mautrix_facebook_homeserver_address: "" -# Whether asynchronous uploads via MSC2246 should be enabled for media. -# Requires a homeserver that supports MSC2246 (https://github.com/matrix-org/matrix-spec-proposals/pull/2246). -matrix_mautrix_facebook_homeserver_async_media: false -matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}' - -# Whether or not the public-facing endpoints should be enabled (web-based login) -matrix_mautrix_facebook_appservice_public_enabled: false -# Mautrix Facebook public endpoint to log in to Facebook -matrix_mautrix_facebook_appservice_public_prefix: '' -matrix_mautrix_facebook_appservice_public_hostname: '' -matrix_mautrix_facebook_appservice_public_external: "{{ ('https://' + matrix_mautrix_facebook_appservice_public_hostname + matrix_mautrix_facebook_appservice_public_prefix) if matrix_mautrix_facebook_appservice_public_enabled else '' }}" - -matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319' - -matrix_mautrix_facebook_container_network: "" - -matrix_mautrix_facebook_container_additional_networks: "{{ matrix_mautrix_facebook_container_additional_networks_auto + matrix_mautrix_facebook_container_additional_networks_custom }}" -matrix_mautrix_facebook_container_additional_networks_auto: [] -matrix_mautrix_facebook_container_additional_networks_custom: [] - -# matrix_mautrix_facebook_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. -# See `../templates/labels.j2` for details. -# -# To inject your own other container labels, see `matrix_mautrix_facebook_container_labels_additional_labels`. 
-matrix_mautrix_facebook_container_labels_traefik_enabled: true -matrix_mautrix_facebook_container_labels_traefik_docker_network: "{{ matrix_mautrix_facebook_container_network }}" -matrix_mautrix_facebook_container_labels_traefik_entrypoints: web-secure -matrix_mautrix_facebook_container_labels_traefik_tls_certResolver: default # noqa var-naming - -# Controls whether labels will be added that expose mautrix-facebook's public endpoint -matrix_mautrix_facebook_container_labels_public_endpoint_enabled: "{{ matrix_mautrix_facebook_appservice_public_enabled }}" -matrix_mautrix_facebook_container_labels_public_endpoint_traefik_rule: "Host(`{{ matrix_mautrix_facebook_appservice_public_hostname }}`) && PathPrefix(`{{ matrix_mautrix_facebook_appservice_public_prefix }}`)" -matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority: 0 -matrix_mautrix_facebook_container_labels_public_endpoint_traefik_entrypoints: "{{ matrix_mautrix_facebook_container_labels_traefik_entrypoints }}" -matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls: "{{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_entrypoints != 'web' }}" -matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls_certResolver: "{{ matrix_mautrix_facebook_container_labels_traefik_tls_certResolver }}" # noqa var-naming - -# Controls whether labels will be added that expose mautrix-facebook's metrics -matrix_mautrix_facebook_container_labels_metrics_enabled: "{{ matrix_mautrix_facebook_metrics_enabled and matrix_mautrix_facebook_metrics_proxying_enabled }}" -matrix_mautrix_facebook_container_labels_metrics_traefik_rule: "Host(`{{ matrix_mautrix_facebook_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_mautrix_facebook_metrics_proxying_path_prefix }}`)" -matrix_mautrix_facebook_container_labels_metrics_traefik_priority: 0 -matrix_mautrix_facebook_container_labels_metrics_traefik_entrypoints: "{{ matrix_mautrix_facebook_container_labels_traefik_entrypoints }}" 
-matrix_mautrix_facebook_container_labels_metrics_traefik_tls: "{{ matrix_mautrix_facebook_container_labels_metrics_traefik_entrypoints != 'web' }}" -matrix_mautrix_facebook_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_mautrix_facebook_container_labels_traefik_tls_certResolver }}" # noqa var-naming -matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled: false -# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users -matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users: '' - -# matrix_mautrix_facebook_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file. -# See `../templates/labels.j2` for details. -# -# Example: -# matrix_mautrix_facebook_container_labels_additional_labels: | -# my.label=1 -# another.label="here" -matrix_mautrix_facebook_container_labels_additional_labels: '' - -# A list of extra arguments to pass to the container -matrix_mautrix_facebook_container_extra_arguments: [] - -# List of systemd services that matrix-mautrix-facebook.service depends on. -matrix_mautrix_facebook_systemd_required_services_list: "{{ matrix_mautrix_facebook_systemd_required_services_list_default + matrix_mautrix_facebook_systemd_required_services_list_auto + matrix_mautrix_facebook_systemd_required_services_list_custom }}" -matrix_mautrix_facebook_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" -matrix_mautrix_facebook_systemd_required_services_list_auto: [] -matrix_mautrix_facebook_systemd_required_services_list_custom: [] - -# List of systemd services that matrix-mautrix-facebook.service wants -matrix_mautrix_facebook_systemd_wanted_services_list: [] - -matrix_mautrix_facebook_appservice_token: '' -matrix_mautrix_facebook_homeserver_token: '' - -# Whether or not created rooms should have federation enabled. 
-# If false, created portal rooms will never be federated. -matrix_mautrix_facebook_federate_rooms: true - -# Whether or not metrics endpoint should be enabled. -# Enabling them is usually enough for a local (in-container) Prometheus to consume them. -# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_facebook_metrics_proxying_enabled`. -matrix_mautrix_facebook_metrics_enabled: false - -# Controls whether metrics should be exposed on a public URL. -matrix_mautrix_facebook_metrics_proxying_enabled: false -matrix_mautrix_facebook_metrics_proxying_hostname: '' -matrix_mautrix_facebook_metrics_proxying_path_prefix: '' - -matrix_mautrix_facebook_bridge_permissions: | - {{ - {'*': 'relay', matrix_mautrix_facebook_homeserver_domain: 'user'} - | combine({matrix_admin: 'admin'} if matrix_admin else {}) - }} - -# Controls whether the matrix-mautrix-facebook container exposes its HTTP port. -# -# Takes an ":" or "" value (e.g. "127.0.0.1:9008"), or empty string to not expose. -matrix_mautrix_facebook_container_http_host_bind_port: '' - -# Database-related configuration fields. -# -# To use SQLite: -# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`) -# - change to the last bridge version that supported SQLite: -# `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"` -# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future). 
-# -# To use Postgres: -# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables -matrix_mautrix_facebook_database_engine: 'postgres' - -matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" -matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db" - -matrix_mautrix_facebook_database_username: 'matrix_mautrix_facebook' -matrix_mautrix_facebook_database_password: 'some-password' -matrix_mautrix_facebook_database_hostname: '' -matrix_mautrix_facebook_database_port: 5432 -matrix_mautrix_facebook_database_name: 'matrix_mautrix_facebook' - -matrix_mautrix_facebook_database_connection_string: 'postgres://{{ matrix_mautrix_facebook_database_username }}:{{ matrix_mautrix_facebook_database_password }}@{{ matrix_mautrix_facebook_database_hostname }}:{{ matrix_mautrix_facebook_database_port }}/{{ matrix_mautrix_facebook_database_name }}' - -matrix_mautrix_facebook_appservice_database: "{{ - { - 'sqlite': ('sqlite:///' + matrix_mautrix_facebook_sqlite_database_path_in_container), - 'postgres': matrix_mautrix_facebook_database_connection_string, - }[matrix_mautrix_facebook_database_engine] -}}" - - -# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth). -matrix_mautrix_facebook_login_shared_secret: '' - -matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}" - -# Enable bridge relay bot functionality -matrix_mautrix_facebook_relay_enabled: "{{ matrix_bridges_relay_enabled }}" - -matrix_mautrix_facebook_appservice_bot_username: facebookbot - -matrix_mautrix_facebook_bridge_presence: true - -# Specifies the default log level for all bridge loggers. 
-matrix_mautrix_facebook_logging_level: WARNING - -# Default configuration template which covers the generic use case. -# You can customize it by controlling the various variables inside it. -# -# For a more advanced customization, you can extend the default (see `matrix_mautrix_facebook_configuration_extension_yaml`) -# or completely replace this variable with your own template. -matrix_mautrix_facebook_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}" - -matrix_mautrix_facebook_configuration_extension_yaml: | - # Your custom YAML configuration goes here. - # This configuration extends the default starting configuration (`matrix_mautrix_facebook_configuration_yaml`). - # - # You can override individual variables from the default configuration, or introduce new ones. - # - # If you need something more special, you can take full control by - # completely redefining `matrix_mautrix_facebook_configuration_yaml`. - -matrix_mautrix_facebook_configuration_extension: "{{ matrix_mautrix_facebook_configuration_extension_yaml | from_yaml if matrix_mautrix_facebook_configuration_extension_yaml | from_yaml is mapping else {} }}" - -# Holds the final configuration (a combination of the default and its extension). -# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_facebook_configuration_yaml`. 
-matrix_mautrix_facebook_configuration: "{{ matrix_mautrix_facebook_configuration_yaml | from_yaml | combine(matrix_mautrix_facebook_configuration_extension, recursive=True) }}" - -matrix_mautrix_facebook_registration_yaml: | - id: facebook - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" - namespaces: - users: - - exclusive: true - regex: '^@facebook_.+:{{ matrix_mautrix_facebook_homeserver_domain | regex_escape }}$' - - exclusive: true - regex: '^@{{ matrix_mautrix_facebook_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_facebook_homeserver_domain | regex_escape }}$' - url: {{ matrix_mautrix_facebook_appservice_address }} - # See https://github.com/mautrix/signal/issues/43 - sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }} - rate_limited: false - de.sorunome.msc2409.push_ephemeral: true - receive_ephemeral: true - -matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}" - -# Enable End-to-bridge encryption -matrix_mautrix_facebook_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}" -matrix_mautrix_facebook_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}" -matrix_mautrix_facebook_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml deleted file mode 100644 index c5cf1123e..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev -# SPDX-FileCopyrightText: 2019 Dan Arnfield -# SPDX-FileCopyrightText: 2019 Jason Locklin -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- tags: - - setup-all - - setup-mautrix-facebook - - install-all - - install-mautrix-facebook - block: - - when: matrix_mautrix_facebook_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" - - - when: matrix_mautrix_facebook_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml" - -- tags: - - setup-all - - setup-mautrix-facebook - block: - - when: not matrix_mautrix_facebook_enabled | bool - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml deleted file mode 100644 index b3b8aeabc..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml +++ /dev/null 
@@ -1,159 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev -# SPDX-FileCopyrightText: 2019 Dan Arnfield -# SPDX-FileCopyrightText: 2020 Chris van Dijk -# SPDX-FileCopyrightText: 2020 Horvath Gergely -# SPDX-FileCopyrightText: 2020 MDAD project contributors -# SPDX-FileCopyrightText: 2020 Stuart Mumford -# SPDX-FileCopyrightText: 2021 Aaron Raimist -# SPDX-FileCopyrightText: 2022 Jim Myhrberg -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# SPDX-FileCopyrightText: 2022 Nikita Chernyi -# SPDX-FileCopyrightText: 2022 Sebastian Gumprich -# SPDX-FileCopyrightText: 2024 David Mehren -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- ansible.builtin.set_fact: - matrix_mautrix_facebook_requires_restart: false - -- when: "matrix_mautrix_facebook_database_engine == 'postgres'" - block: - - name: Check if an SQLite database already exists - ansible.builtin.stat: - path: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - register: matrix_mautrix_facebook_sqlite_database_path_local_stat_result - - - when: "matrix_mautrix_facebook_sqlite_database_path_local_stat_result.stat.exists | bool" - block: - - ansible.builtin.include_role: - name: galaxy/postgres - tasks_from: migrate_db_to_postgres - vars: - postgres_db_migration_request: - src: "{{ matrix_mautrix_facebook_sqlite_database_path_local }}" - dst: "{{ matrix_mautrix_facebook_database_connection_string }}" - caller: "{{ role_path | basename }}" - engine_variable_name: 'matrix_mautrix_facebook_database_engine' - engine_old: 'sqlite' - systemd_services_to_stop: ['matrix-mautrix-facebook.service'] - - - ansible.builtin.set_fact: - matrix_mautrix_facebook_requires_restart: true - -- name: Ensure Mautrix Facebook image is pulled - community.docker.docker_image: - name: "{{ matrix_mautrix_facebook_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_facebook_docker_image_force_pull if ansible_version.major 
> 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_docker_image_force_pull }}" - when: not matrix_mautrix_facebook_container_image_self_build - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Mautrix Facebook paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - with_items: - - {path: "{{ matrix_mautrix_facebook_base_path }}", when: true} - - {path: "{{ matrix_mautrix_facebook_config_path }}", when: true} - - {path: "{{ matrix_mautrix_facebook_data_path }}", when: true} - - {path: "{{ matrix_mautrix_facebook_docker_src_files_path }}", when: "{{ matrix_mautrix_facebook_container_image_self_build }}"} - when: item.when | bool - -- name: Ensure Mautrix Facebook repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_mautrix_facebook_container_image_self_build_repo }}" - dest: "{{ matrix_mautrix_facebook_docker_src_files_path }}" - version: "{{ matrix_mautrix_facebook_docker_image.split(':')[1] }}" - force: "yes" - become: true - become_user: "{{ matrix_user_name }}" - register: matrix_mautrix_facebook_git_pull_results - when: "matrix_mautrix_facebook_container_image_self_build | bool" - -- name: Ensure Mautrix Facebook Docker image is built - community.docker.docker_image: - name: "{{ matrix_mautrix_facebook_docker_image }}" - source: build - force_source: "{{ matrix_mautrix_facebook_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_facebook_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ 
matrix_mautrix_facebook_docker_src_files_path }}" - pull: true - when: "matrix_mautrix_facebook_container_image_self_build | bool" - -- name: Check if an old database file already exists - ansible.builtin.stat: - path: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" - register: matrix_mautrix_facebook_stat_database - -- name: (Data relocation) Ensure matrix-mautrix-facebook.service is stopped - ansible.builtin.service: - name: matrix-mautrix-facebook - state: stopped - enabled: false - daemon_reload: true - failed_when: false - when: "matrix_mautrix_facebook_stat_database.stat.exists" - -- name: (Data relocation) Move mautrix-facebook database file to ./data directory - ansible.builtin.command: - cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" - creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db" - removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db" - when: "matrix_mautrix_facebook_stat_database.stat.exists" - -- name: Ensure mautrix-facebook config.yaml installed - ansible.builtin.copy: - content: "{{ matrix_mautrix_facebook_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml" - mode: 0644 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - -- name: Ensure mautrix-facebook registration.yaml installed - ansible.builtin.copy: - content: "{{ matrix_mautrix_facebook_registration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml" - mode: 0644 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - -- name: Ensure mautrix-facebook support files installed - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_mautrix_facebook_base_path }}/{{ item }}" - mode: 0640 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - 
with_items: - - labels - -- name: Ensure matrix-mautrix-facebook container network is created - community.general.docker_network: - enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" - name: "{{ matrix_mautrix_facebook_container_network }}" - driver: bridge - driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" - -- name: Ensure matrix-mautrix-facebook.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-facebook.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" - mode: 0644 - -- name: Ensure matrix-mautrix-facebook.service restarted, if necessary - ansible.builtin.service: - name: "matrix-mautrix-facebook.service" - state: restarted - daemon_reload: true - when: "matrix_mautrix_facebook_requires_restart | bool" diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml deleted file mode 100644 index d88c98feb..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_uninstall.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2022 Slavi Pantaleev -# SPDX-FileCopyrightText: 2020 MDAD project contributors -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- name: Check existence of matrix-mautrix-facebook service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" - register: matrix_mautrix_facebook_service_stat - -- when: matrix_mautrix_facebook_service_stat.stat.exists | bool - block: - - name: Ensure matrix-mautrix-facebook is stopped - ansible.builtin.service: - name: matrix-mautrix-facebook - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-mautrix-facebook.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-facebook.service" - state: absent diff --git a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml deleted file mode 100644 index 8d141ec08..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/validate_config.yml +++ /dev/null 
@@ -1,47 +0,0 @@ -# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev -# SPDX-FileCopyrightText: 2019 Jason Locklin -# SPDX-FileCopyrightText: 2022 László Várady -# SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- name: (Deprecation) Catch and report renamed mautrix-facebook settings - ansible.builtin.fail: - msg: >- - Your configuration contains a variable, which now has a different name. - Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml). - when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0" - with_items: - - {'old': 'matrix_mautrix_facebook_public_endpoint', 'new': 'matrix_mautrix_facebook_appservice_public_prefix'} - - {'old': 'matrix_mautrix_facebook_docker_image_name_prefix', 'new': 'matrix_mautrix_facebook_docker_image_registry_prefix'} - -- name: Fail if required mautrix-facebook settings not defined - ansible.builtin.fail: - msg: >- - You need to define a required configuration setting (`{{ item.name }}`). 
- when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" - with_items: - - {'name': 'matrix_mautrix_facebook_appservice_public_hostname', when: "{{ matrix_mautrix_facebook_appservice_public_enabled }}"} - - {'name': 'matrix_mautrix_facebook_appservice_public_prefix', when: "{{ matrix_mautrix_facebook_appservice_public_enabled }}"} - - {'name': 'matrix_mautrix_facebook_metrics_proxying_hostname', when: "{{ matrix_mautrix_facebook_metrics_proxying_enabled }}"} - - {'name': 'matrix_mautrix_facebook_metrics_proxying_path_prefix', when: "{{ matrix_mautrix_facebook_metrics_proxying_enabled }}"} - - {'name': 'matrix_mautrix_facebook_appservice_token', when: true} - - {'name': 'matrix_mautrix_facebook_homeserver_token', when: true} - - {'name': 'matrix_mautrix_facebook_container_network', when: true} - - {'name': 'matrix_mautrix_facebook_homeserver_address', when: true} - - {'name': 'matrix_mautrix_facebook_database_hostname', when: "{{ matrix_mautrix_facebook_database_engine == 'postgres' }}"} - -- when: "matrix_mautrix_facebook_database_engine == 'sqlite' and matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')" - block: - - name: Inject warning if on an old SQLite-supporting version - ansible.builtin.set_fact: - devture_playbook_runtime_messages_list: | - {{ - devture_playbook_runtime_messages_list | default([]) - + - [ - "Note: Your mautrix-facebook bridge is still on SQLite and on the last version that supported it, before support was dropped. Support has been subsequently re-added in v0.3.2, so we advise you to upgrade (by removing your `matrix_mautrix_facebook_docker_image` definition from vars.yml)" - ] - }} diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2 deleted file mode 100644 index 8e3a6f2db..000000000 
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ /dev/null
@@ -1,259 +0,0 @@ -#jinja2: lstrip_blocks: True -# Homeserver details -homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_facebook_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_facebook_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - # Whether or not the homeserver supports asmux-specific endpoints, - # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically - # updating m.direct. - asmux: false - # Whether asynchronous uploads via MSC2246 should be enabled for media. - # Requires a media repo that supports MSC2246. - async_media: {{ matrix_mautrix_facebook_homeserver_async_media | to_json }} - -# Application service host/registration related details -# Changing these values requires regeneration of the registration. -appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_facebook_appservice_address }} - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 29319 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_facebook_appservice_database|to_json }} - - # Public part of web server for out-of-Matrix interaction with the bridge. - public: - # Whether or not the public-facing endpoints should be enabled. - enabled: {{ matrix_mautrix_facebook_appservice_public_enabled|to_json }} - # The prefix to use in the public-facing endpoints. - prefix: {{ matrix_mautrix_facebook_appservice_public_prefix|to_json }} - # The base URL where the public-facing endpoints are available. 
The prefix is not added - # implicitly. - external: {{ matrix_mautrix_facebook_appservice_public_external|to_json }} - # Allow logging in within Matrix. If false, users can only log in using the web interface. - allow_matrix_login: true - # Segment API key to enable analytics tracking for web server endpoints. Set to null to disable. - # Currently the only events are login start, success and fail. - segment_key: null - - # The unique ID of this appservice. - id: facebook - # Username of the appservice bot. - bot_username: {{ matrix_mautrix_facebook_appservice_bot_username|to_json }} - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. - bot_displayname: Facebook bridge bot - bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_facebook_appservice_token }}" - hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}" - -# Prometheus telemetry config. Requires prometheus-client to be installed. -metrics: - enabled: {{ matrix_mautrix_facebook_metrics_enabled | to_json }} - listen_port: 8000 - -# Bridge config -bridge: - # Localpart template of MXIDs for Facebook users. - # {userid} is replaced with the user ID of the Facebook user. - username_template: "facebook_{userid}" - # Displayname template for Facebook users. - # {displayname} is replaced with the display name of the Facebook user - # as defined below in displayname_preference. - # Keys available for displayname_preference are also available here. - displayname_template: '{displayname} (FB)' - # Available keys: - # "name" (full name) - # "first_name" - # "last_name" - # "nickname" - # "own_nickname" (user-specific!) - displayname_preference: - - name - - first_name - - # The prefix for commands. Only required in non-management rooms. 
- command_prefix: "{{ matrix_mautrix_facebook_command_prefix }}" - - # Number of chats to sync (and create portals for) on startup/login. - # Set 0 to disable automatic syncing. - initial_chat_sync: 10 - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when the user sends a message from another client. - invite_own_puppet_to_pm: false - # Whether or not to use /sync to get presence, read receipts and typing notifications - # when double puppeting is enabled - sync_with_custom_puppets: true - # Whether or not to update the m.direct account data event when double puppeting is enabled. - # Note that updating the m.direct event is not atomic (except with mautrix-asmux) - # and is therefore prone to race conditions. - sync_direct_chat_list: false - # Servers to always allow double puppeting from - double_puppet_server_map: {} - # example.com: https://example.com - # Allow using double puppeting from any server with a valid client .well-known file. - double_puppet_allow_discovery: false - # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - # If using this for other servers than the bridge's server, - # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }} - # Should presence from Facebook be bridged? This doesn't use the same API as the Android app, - # so it might be more suspicious to Facebook. - presence_from_facebook: {{ matrix_mautrix_facebook_bridge_presence|to_json }} - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # End-to-bridge encryption support options. 
These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: {{ matrix_mautrix_facebook_bridge_encryption_allow|to_json }} - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: {{ matrix_mautrix_facebook_bridge_encryption_default|to_json }} - # Options for automatic key sharing. - key_sharing: - # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. - # You must use a client that supports requesting keys from other users to use this feature. - allow_key_sharing: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }} - # Require the requesting device to have a valid cross-signing signature? - # This doesn't require that the bridge has verified the device, only that the user has verified it. - # Not yet implemented. - require_cross_signing: false - # Require devices to be verified by the bridge? - # Verification by the bridge is not yet implemented. - require_verification: true - # Whether or not the bridge should send a read receipt from the bridge bot when a message has - # been sent to Facebook. - delivery_receipts: false - # Whether to allow inviting arbitrary mxids to portal rooms - allow_invites: false - # Whether or not created rooms should have federation enabled. - # If false, created portal rooms will never be federated. - federate_rooms: {{ matrix_mautrix_facebook_federate_rooms|to_json }} - # Settings for backfilling messages from Facebook. 
- backfill: - # Whether or not the Facebook users of logged in Matrix users should be - # invited to private chats when backfilling history from Facebook. This is - # usually needed to prevent rate limits and to allow timestamp massaging. - invite_own_puppet: true - # Maximum number of messages to backfill initially. - # Set to 0 to disable backfilling when creating portal. - initial_limit: 0 - # Maximum number of messages to backfill if messages were missed while - # the bridge was disconnected. - # Set to 0 to disable backfilling missed messages. - missed_limit: 1000 - # If using double puppeting, should notifications be disabled - # while the initial backfill is in progress? - disable_notifications: false - periodic_reconnect: - # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Facebook stops sending messages. - # Set to -1 to disable periodic reconnections entirely. - interval: -1 - # What to do in periodic reconnects. Either "refresh" or "reconnect" - mode: refresh - # Should even disconnected users be reconnected? - always: false - # The number of seconds that a disconnection can last without triggering an automatic re-sync - # and missed message backfilling when reconnecting. - # Set to 0 to always re-sync, or -1 to never re-sync automatically. - resync_max_disconnected_time: 5 - # Should the bridge do a resync on startup? - sync_on_startup: true - # Whether or not temporary disconnections should send notices to the notice room. - # If this is false, disconnections will never send messages and connections will only send - # messages if it was disconnected for more than resync_max_disconnected_time seconds. - temporary_disconnect_notices: false - # Whether or not the bridge should try to "refresh" the connection if a normal reconnection - # attempt fails. 
- refresh_on_reconnection_fail: false - # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. - # This field will automatically be changed back to false after it, - # except if the config file is not writable. - resend_bridge_info: false - - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: {{ matrix_mautrix_facebook_bridge_permissions|to_json }} - - relay: - # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any - # authenticated user into a relaybot for that chat. - enabled: {{ matrix_mautrix_facebook_relay_enabled }} - # The formats to use when sending messages to Messenger via a relay user. - # - # Available variables: - # $sender_displayname - The display name of the sender (e.g. Example User) - # $sender_username - The username (Matrix ID localpart) of the sender (e.g. alice) - # $sender_mxid - The Matrix ID of the sender (e.g. @alice:example.com) - # $message - The message content - message_formats: - m.text: '$sender_displayname: $message' - m.notice: '$sender_displayname: $message' - m.emote: '* $sender_displayname $message' - m.file: '$sender_displayname sent a file' - m.image: '$sender_displayname sent an image' - m.audio: '$sender_displayname sent an audio file' - m.video: '$sender_displayname sent a video' - m.location: '$sender_displayname sent a location' - -facebook: - device_seed: generate - default_region_hint: ODN - connection_type: WIFI - carrier: Verizon - hni: 311390 - -# Python logging configuration. 
-# -# See section 16.7.2 of the Python documentation for more info: -# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema -logging: - version: 1 - formatters: - colored: - (): mautrix_facebook.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: {{ matrix_mautrix_facebook_logging_level|to_json }} - paho: - level: {{ matrix_mautrix_facebook_logging_level|to_json }} - aiohttp: - level: {{ matrix_mautrix_facebook_logging_level|to_json }} - root: - level: {{ matrix_mautrix_facebook_logging_level|to_json }} - handlers: [console] diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2.license b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2.license deleted file mode 100644 index aa26685bf..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2.license +++ /dev/null @@ -1,9 +0,0 @@ -SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev -SPDX-FileCopyrightText: 2019 Hugues Morisset -SPDX-FileCopyrightText: 2020 - 2022 MDAD project contributors -SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi -SPDX-FileCopyrightText: 2022 László Várady -SPDX-FileCopyrightText: 2022 Olivér Falvai -SPDX-FileCopyrightText: 2023 Adrien le Maire - -SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2 deleted file mode 100644 index d7eecb2ec..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/labels.j2 +++ /dev/null 
@@ -1,82 +0,0 @@ -{# -SPDX-FileCopyrightText: 2024 Slavi Pantaleev - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -{% if matrix_mautrix_facebook_container_labels_traefik_enabled %} -traefik.enable=true - -{% if matrix_mautrix_facebook_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_mautrix_facebook_container_labels_traefik_docker_network }} -{% endif %} - -traefik.http.services.matrix-mautrix-facebook-appservice.loadbalancer.server.port=29319 -traefik.http.services.matrix-mautrix-facebook-metrics.loadbalancer.server.port=8000 - -{% if matrix_mautrix_facebook_container_labels_public_endpoint_enabled %} -############################################################ -# # -# Public # -# # -############################################################ - -traefik.http.routers.matrix-mautrix-facebook-public.rule={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_rule }} - -{% if matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority | int > 0 %} -traefik.http.routers.matrix-mautrix-facebook-public.priority={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_priority }} -{% endif %} - -traefik.http.routers.matrix-mautrix-facebook-public.service=matrix-mautrix-facebook-appservice -traefik.http.routers.matrix-mautrix-facebook-public.entrypoints={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_entrypoints }} - -traefik.http.routers.matrix-mautrix-facebook-public.tls={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls | to_json }} -{% if matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls %} -traefik.http.routers.matrix-mautrix-facebook-public.tls.certResolver={{ matrix_mautrix_facebook_container_labels_public_endpoint_traefik_tls_certResolver }} -{% endif %} - -############################################################ -# # -# /Public # -# # -############################################################ -{% endif %} - - -{% if 
matrix_mautrix_facebook_container_labels_metrics_enabled %} -############################################################ -# # -# Metrics # -# # -############################################################ - -{% if matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_enabled %} -traefik.http.middlewares.matrix-mautrix-facebook-metrics-basic-auth.basicauth.users={{ matrix_mautrix_facebook_container_labels_metrics_middleware_basic_auth_users }} -traefik.http.routers.matrix-mautrix-facebook-metrics.middlewares=matrix-mautrix-facebook-metrics-basic-auth -{% endif %} - -traefik.http.routers.matrix-mautrix-facebook-metrics.rule={{ matrix_mautrix_facebook_container_labels_metrics_traefik_rule }} - -{% if matrix_mautrix_facebook_container_labels_metrics_traefik_priority | int > 0 %} -traefik.http.routers.matrix-mautrix-facebook-metrics.priority={{ matrix_mautrix_facebook_container_labels_metrics_traefik_priority }} -{% endif %} - -traefik.http.routers.matrix-mautrix-facebook-metrics.service=matrix-mautrix-facebook-metrics -traefik.http.routers.matrix-mautrix-facebook-metrics.entrypoints={{ matrix_mautrix_facebook_container_labels_metrics_traefik_entrypoints }} - -traefik.http.routers.matrix-mautrix-facebook-metrics.tls={{ matrix_mautrix_facebook_container_labels_metrics_traefik_tls | to_json }} -{% if matrix_mautrix_facebook_container_labels_metrics_traefik_tls %} -traefik.http.routers.matrix-mautrix-facebook-metrics.tls.certResolver={{ matrix_mautrix_facebook_container_labels_metrics_traefik_tls_certResolver }} -{% endif %} - -############################################################ -# # -# /Metrics # -# # -############################################################ -{% endif %} - - -{% endif %} - -{{ matrix_mautrix_facebook_container_labels_additional_labels }} 
diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2 b/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
deleted file mode 100644
index 441848a08..000000000
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
+++ /dev/null
@@ -1,51 +0,0 @@ -#jinja2: lstrip_blocks: True -[Unit] -Description=Matrix Mautrix Facebook bridge -{% for service in matrix_mautrix_facebook_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_mautrix_facebook_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-facebook 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-mautrix-facebook \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_mautrix_facebook_container_network }} \ - {% if matrix_mautrix_facebook_appservice_public_enabled and matrix_mautrix_facebook_container_http_host_bind_port %} - -p {{ matrix_mautrix_facebook_container_http_host_bind_port }}:29319 \ - {% endif %} - --mount type=bind,src={{ matrix_mautrix_facebook_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_mautrix_facebook_data_path }},dst=/data \ - --label-file={{ matrix_mautrix_facebook_base_path }}/labels \ - {% for arg in matrix_mautrix_facebook_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mautrix_facebook_docker_image }} \ - python3 -m mautrix_facebook -c /config/config.yaml --no-update - -{% for network in matrix_mautrix_facebook_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} 
matrix-mautrix-facebook -{% endfor %} - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-mautrix-facebook - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-facebook 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-facebook 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mautrix-facebook - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2.license b/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2.license deleted file mode 100644 index f74c84d94..000000000 --- a/roles/custom/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2.license +++ /dev/null @@ -1,7 +0,0 @@ -SPDX-FileCopyrightText: 2019 - 2025 Slavi Pantaleev -SPDX-FileCopyrightText: 2019 Hugues Morisset -SPDX-FileCopyrightText: 2020 Chris van Dijk -SPDX-FileCopyrightText: 2020 Scott Crossen -SPDX-FileCopyrightText: 2022 László Várady - -SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index bee7e89e4..5cff3f708 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -558,6 +558,18 @@ The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_bot_chatgpt_.+', wantlist=True) | join(', ') }} when: "lookup('ansible.builtin.varnames', '^matrix_bot_chatgpt_.+', wantlist=True) | length > 0" +- name: (Deprecation) Catch and report mautrix-facebook variables + ansible.builtin.fail: + msg: |- + mautrix-facebook was completely removed from the playbook in November 2025. + + Please remove all `matrix_mautrix_facebook_*` variables from your configuration file (vars.yml). + + You may also wish to uninstall the bridge manually. See `docs/configuring-playbook-bridge-mautrix-facebook.md` for more information. + + The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_mautrix_facebook_.+', wantlist=True) | join(', ') }} + when: "lookup('ansible.builtin.varnames', '^matrix_mautrix_facebook_.+', wantlist=True) | length > 0" + - name: (Deprecation) Catch and report mautrix-hangouts variables ansible.builtin.fail: msg: |- diff --git a/setup.yml b/setup.yml index e89b40ef3..486a60607 100644 --- a/setup.yml +++ b/setup.yml @@ -60,7 +60,6 @@ - custom/matrix-bridge-appservice-kakaotalk - custom/matrix-bridge-beeper-linkedin - custom/matrix-bridge-wechat - - custom/matrix-bridge-mautrix-facebook - custom/matrix-bridge-mautrix-twitter - custom/matrix-bridge-mautrix-googlechat - custom/matrix-bridge-mautrix-instagram From 77d2b43fb5a1c5f8dc52ee06e4ce426e4fb8a5af Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Sun, 9 Nov 2025 22:11:28 +0900 Subject: [PATCH 003/209] Fix configurations to avoid using `matrix_mautrix_facebook_*` matrix-sms-bridge does not seem to use Postgres in the first place. Signed-off-by: Suguru Hirahara --- group_vars/matrix_servers | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 332182073..610628fa7 100755 
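Review bot: In the `validate_config.yml` hunk (`@@ -558`), the new failure message presents uninstalling as optional (`You may also wish to uninstall the bridge manually`), yet nothing in this commit stops an existing installation. The systemd unit deleted in the same commit is `Restart=always` and `WantedBy=multi-user.target`, so a host that already has it will presumably keep running the bridge container after the role is gone. The playbook no longer manages that image, and the bridge's config and data directories stay on disk. I would say so in the message, replacing that sentence with something like `If the bridge is still installed, it keeps running and is no longer updated by this playbook; uninstall it manually.`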
--- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -1077,7 +1077,7 @@ matrix_mautrix_discord_container_additional_networks_auto: |- ( ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + - ([postgres_container_network] if postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname else []) + ([postgres_container_network] if postgres_enabled and matrix_mautrix_discord_database_hostname == postgres_connection_hostname else []) + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_discord_container_labels_traefik_enabled) else []) ) | unique @@ -1750,7 +1750,7 @@ matrix_mautrix_gmessages_systemd_required_services_list_auto: | {{ matrix_addons_homeserver_systemd_services_list + - ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else []) + ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_gmessages_database_hostname == postgres_connection_hostname) else []) }} matrix_mautrix_gmessages_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_gmessages_docker_image_registry_prefix_upstream_default }}" @@ -2006,8 +2006,6 @@ matrix_sms_bridge_enabled: false matrix_sms_bridge_systemd_required_services_list_auto: | {{ matrix_addons_homeserver_systemd_services_list - + - ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_facebook_database_hostname == postgres_connection_hostname) else []) }} matrix_sms_bridge_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_sms_bridge_docker_image_registry_prefix_upstream_default }}" 
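Review bot: The corrected discord line in the `@@ -1077` hunk still adds `postgres_container_network` without the `..._container_network != postgres_container_network` guard that the `matrix_registration` hunk (`@@ -5316`) of this same commit keeps, and its condition is left unparenthesised. If the bridge's primary network is already the Postgres network, the list names a network the container is created on, and `| unique` only de-duplicates within the list. Whether the later `docker network connect` then fails is an inference from the unit templates, not something this hunk shows. For consistency I would write `([postgres_container_network] if (postgres_enabled and matrix_mautrix_discord_database_hostname == postgres_connection_hostname and matrix_mautrix_discord_container_network != postgres_container_network) else [])`, assuming the role defines `matrix_mautrix_discord_container_network` like its siblings. The variable's Jinja block begins and ends outside the hunk.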
@@ -5316,7 +5314,7 @@ matrix_registration_container_additional_networks_auto: |- ( ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + - ([postgres_container_network] if (postgres_enabled and matrix_registration_database_hostname == postgres_connection_hostname and matrix_mautrix_facebook_container_network != postgres_container_network) else []) + ([postgres_container_network] if (postgres_enabled and matrix_registration_database_hostname == postgres_connection_hostname and matrix_registration_container_network != postgres_container_network) else []) + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_registration_container_labels_traefik_enabled) else []) ) | unique From 934e560b0d6fa13e9bd5b6785c95e3e6dc9bda61 Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Sun, 9 Nov 2025 22:45:41 +0900 Subject: [PATCH 004/209] Remove mautrix-instagram Reuse: - https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/1861faf31d5490c6604efdd34d83073ec3850d88/docs/configuring-playbook-bridge-mx-puppet-twitter.md - 2b7a0453eb33d7026dfdcb20619d4a73a9727f5b 
Signed-off-by: Suguru Hirahara --- CHANGELOG.md | 14 +- ...iguring-playbook-bridge-mautrix-bridges.md | 2 +- ...uring-playbook-bridge-mautrix-instagram.md | 62 ++--- group_vars/matrix_servers | 87 ------- .../matrix-base/tasks/validate_config.yml | 12 - .../defaults/main.yml | 193 -------------- .../tasks/main.yml | 27 -- .../tasks/setup_install.yml | 99 ------- .../tasks/setup_uninstall.yml | 25 -- .../tasks/validate_config.yml | 29 --- .../templates/config.yaml.j2 | 244 ------------------ .../templates/config.yaml.j2.license | 10 - .../templates/labels.j2 | 52 ---- .../matrix-mautrix-instagram.service.j2 | 48 ---- ...atrix-mautrix-instagram.service.j2.license | 4 - .../tasks/validate_config.yml | 12 + setup.yml | 1 - 17 files changed, 40 insertions(+), 881 deletions(-) delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2.license delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2 delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 delete mode 100644 roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2.license diff --git a/CHANGELOG.md b/CHANGELOG.md index 997574d5f..e164369d3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -6,11 +6,19 @@ The playbook will let you know if you're using any `matrix_appservice_webhooks_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the bridge manually](./docs/configuring-playbook-bridge-appservice-webhooks.md#uninstalling-the-bridge-manually). -## mautrix-facebook has been removed from the playbook +## mautrix-facebook and mautrix-instagram have been removed from the playbook -[mautrix-facebook](./docs/configuring-playbook-bridge-mautrix-facebook.md) has been removed from the playbook, as it has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge. +[mautrix-facebook](./docs/configuring-playbook-bridge-mautrix-facebook.md) and [mautrix-instagram](./docs/configuring-playbook-bridge-mautrix-instagram.md) have been removed from the playbook, as they have been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge, integrated to the playbook at [2024-02-19](#2024-02-19). -The playbook will let you know if you're using any `matrix_mautrix_facebook_*` variables. You'll need to remove them from `vars.yml` and potentially [uninstall the bridge manually](./docs/configuring-playbook-bridge-mautrix-facebook.md#uninstalling-the-bridge-manually). +The playbook will let you know if you're using any variables for those bridges: + +- `matrix_mautrix_facebook_*` +- `matrix_mautrix_instagram_*` + +You'll need to remove them from `vars.yml` and potentially uninstall them manually. Consult pages below for details: + +- [Instruction for mautrix-facebook](./docs/configuring-playbook-bridge-mautrix-facebook.md#uninstalling-the-bridge-manually) +- [Instruction for mautrix-instagram](./docs/configuring-playbook-bridge-mautrix-instagram.md#uninstalling-the-bridge-manually) # 2025-11-08 diff --git a/docs/configuring-playbook-bridge-mautrix-bridges.md b/docs/configuring-playbook-bridge-mautrix-bridges.md index 54a9116c8..26ea8f778 100644 
--- a/docs/configuring-playbook-bridge-mautrix-bridges.md +++ b/docs/configuring-playbook-bridge-mautrix-bridges.md @@ -24,7 +24,7 @@ To enable the bridge, add the following configuration to your `inventory/host_va matrix_mautrix_SERVICENAME_enabled: true ``` -**Note**: for bridging to Meta's Messenger or Instagram, you would need to add `meta` with an underscore symbol (`_`) or hyphen (`-`) based on the context as prefix to each `SERVICENAME`; add `_` to variables (as in `matrix_mautrix_meta_messenger_configuration_extension_yaml` for example) and `-` to paths of the configuration files (as in `roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2`), respectively. **`matrix_mautrix_instagram_*` variables belong to the deprecated component and do not control the new bridge** ([mautrix-meta](https://github.com/mautrix/meta)), which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). +**Note**: for bridging to Meta's Messenger or Instagram, you would need to add `meta` with an underscore symbol (`_`) or hyphen (`-`) based on the context as prefix to each `SERVICENAME`; add `_` to variables (as in `matrix_mautrix_meta_messenger_configuration_extension_yaml` for example) and `-` to paths of the configuration files (as in `roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2`), respectively. There are some additional things you may wish to configure about the bridge before you continue. Each bridge may have additional requirements besides `_enabled: true`. For example, the mautrix-telegram bridge (our documentation page about it is [here](configuring-playbook-bridge-mautrix-telegram.md)) requires the `matrix_mautrix_telegram_api_id` and `matrix_mautrix_telegram_api_hash` variables to be defined. Refer to each bridge's individual documentation page for details about enabling bridges. 
diff --git a/docs/configuring-playbook-bridge-mautrix-instagram.md b/docs/configuring-playbook-bridge-mautrix-instagram.md index c5fdd50fe..6828dedd1 100644 --- a/docs/configuring-playbook-bridge-mautrix-instagram.md +++ b/docs/configuring-playbook-bridge-mautrix-instagram.md 
@@ -1,63 +1,33 @@ -# Setting up Mautrix Instagram bridging (optional, deprecated) +# Setting up Mautrix Instagram bridging (optional, removed) -Refer the common guide for configuring mautrix bridges: [Setting up a Generic Mautrix Bridge](configuring-playbook-bridge-mautrix-bridges.md) +🪦 The playbook used to be able to install and configure [mautrix-instagram](https://github.com/mautrix/instagram), but no longer includes this component, as it has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge. -**Note**: This bridge has been deprecated in favor of the [mautrix-meta](https://github.com/mautrix/meta) Messenger/Instagram bridge, which can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-instagram.md). Consider using that bridge instead of this one. +The mautrix-meta bridge can be [installed using this playbook](configuring-playbook-bridge-mautrix-meta-messenger.md). -The playbook can install and configure [mautrix-instagram](https://github.com/mautrix/instagram) for you. +## Uninstalling the bridge manually -See the project's [documentation](https://github.com/mautrix/instagram/blob/master/README.md) to learn what it does and why it might be useful to you. +If you still have the bridge installed on your Matrix server, the playbook can no longer help you uninstall it and you will need to do it manually. To uninstall manually, run these commands on the server: -## Adjusting the playbook configuration - -To enable the bridge, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: - -```yaml -matrix_mautrix_instagram_enabled: true -``` - -### Extending the configuration - -There are some additional things you may wish to configure about the bridge. 
- -See [this section](configuring-playbook-bridge-mautrix-bridges.md#extending-the-configuration) on the [common guide for configuring mautrix bridges](configuring-playbook-bridge-mautrix-bridges.md) for details about variables that you can customize and the bridge's default configuration, including [bridge permissions](configuring-playbook-bridge-mautrix-bridges.md#configure-bridge-permissions-optional), [encryption support](configuring-playbook-bridge-mautrix-bridges.md#enable-encryption-optional), [relay mode](configuring-playbook-bridge-mautrix-bridges.md#enable-relay-mode-optional), [bot's username](configuring-playbook-bridge-mautrix-bridges.md#set-the-bots-username-optional), etc. - -## Installing - -After configuring the playbook, run it with [playbook tags](playbook-tags.md) as below: - - ```sh -ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start -``` - -The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all` - -`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too. - -## Usage - -To use the bridge, you need to start a chat with `@instagrambot:example.com` (where `example.com` is your base domain, not the `matrix.` domain). - -You then need to send `login YOUR_INSTAGRAM_EMAIL_ADDRESS YOUR_INSTAGRAM_PASSWORD` to the bridge bot to enable bridging for your instagram/Messenger account. 
- -## Troubleshooting - -As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-mautrix-instagram`. - -### Increase logging verbosity +systemctl disable --now matrix-mautrix-instagram.service -The default logging level for this component is `WARNING`. If you want to increase the verbosity, add the following configuration to your `vars.yml` file and re-run the playbook: +rm -rf /matrix/mautrix-instagram -```yaml -matrix_mautrix_instagram_logging_level: DEBUG +/matrix/postgres/bin/cli-non-interactive 'DROP DATABASE matrix_mautrix_instagram;' ``` diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 610628fa7..2d9457f29 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -124,8 +124,6 @@ matrix_homeserver_container_extra_arguments_auto: | + (['--mount type=bind,src=' + matrix_mautrix_googlechat_config_path + '/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro'] if matrix_mautrix_googlechat_enabled else []) + - (['--mount type=bind,src=' + matrix_mautrix_instagram_config_path + '/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro'] if matrix_mautrix_instagram_enabled else []) - + (['--mount type=bind,src=' + matrix_mautrix_signal_config_path + '/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro'] if matrix_mautrix_signal_enabled else []) + (['--mount type=bind,src=' + matrix_mautrix_meta_messenger_config_path + '/registration.yaml,dst=/matrix-mautrix-meta-messenger-registration.yaml,ro'] if matrix_mautrix_meta_messenger_enabled else []) 
@@ -187,8 +185,6 @@ matrix_homeserver_app_service_config_files_auto: | + (['/matrix-mautrix-googlechat-registration.yaml'] if matrix_mautrix_googlechat_enabled else []) + - (['/matrix-mautrix-instagram-registration.yaml'] if matrix_mautrix_instagram_enabled else []) - + (['/matrix-mautrix-signal-registration.yaml'] if matrix_mautrix_signal_enabled else []) + (['/matrix-mautrix-meta-messenger-registration.yaml'] if matrix_mautrix_meta_messenger_enabled else []) @@ -319,8 +315,6 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-mautrix-googlechat.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-googlechat']}] if matrix_mautrix_googlechat_enabled else []) + - ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else []) - + ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else []) + ([{'name': (matrix_mautrix_meta_messenger_identifier + '.service'), 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-meta', 'mautrix-meta-messenger']}] if matrix_mautrix_meta_messenger_enabled else []) 
@@ -1271,76 +1265,6 @@ matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_homeserver # ###################################################################### - - -###################################################################### -# -# matrix-bridge-mautrix-instagram -# -###################################################################### - -# We don't enable bridges by default. -matrix_mautrix_instagram_enabled: false - -matrix_mautrix_instagram_systemd_required_services_list_auto: | - {{ - matrix_addons_homeserver_systemd_services_list - + - ([postgres_identifier ~ '.service'] if (postgres_enabled and matrix_mautrix_instagram_database_hostname == postgres_connection_hostname) else []) - }} - -matrix_mautrix_instagram_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_mautrix_instagram_docker_image_registry_prefix_upstream_default }}" - -matrix_mautrix_instagram_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}" - -matrix_mautrix_instagram_container_network: "{{ matrix_addons_container_network }}" - -matrix_mautrix_instagram_container_additional_networks_auto: |- - {{ - ( - ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) - + - ([postgres_container_network] if (postgres_enabled and matrix_mautrix_instagram_database_hostname == postgres_connection_hostname and matrix_mautrix_instagram_container_network != postgres_container_network) else []) - + - ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and matrix_mautrix_instagram_container_labels_traefik_enabled else []) - ) | unique - }} - -matrix_mautrix_instagram_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" 
-matrix_mautrix_instagram_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" -matrix_mautrix_instagram_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" -matrix_mautrix_instagram_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" - -matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}" -matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}" - -matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.as.token', rounds=655555) | to_uuid }}" - -matrix_mautrix_instagram_homeserver_address: "{{ matrix_addons_homeserver_client_api_url }}" -matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ig.hs.token', rounds=655555) | to_uuid }}" - -matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}" - -matrix_mautrix_instagram_bridge_presence: "{{ (matrix_synapse_presence_enabled if matrix_synapse_enabled else true) if matrix_homeserver_implementation == 'synapse' else true }}" - -matrix_mautrix_instagram_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}" - -matrix_mautrix_instagram_metrics_proxying_enabled: "{{ matrix_mautrix_instagram_metrics_enabled and matrix_metrics_exposure_enabled }}" -matrix_mautrix_instagram_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}" -matrix_mautrix_instagram_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/mautrix-instagram" - -# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain -# 
and point them to a migration path. -matrix_mautrix_instagram_database_engine: "{{ 'postgres' if postgres_enabled else 'sqlite' }}" -matrix_mautrix_instagram_database_hostname: "{{ postgres_connection_hostname if postgres_enabled else '' }}" -matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.ig.db', rounds=655555) | to_uuid }}" - -###################################################################### -# -# /matrix-bridge-mautrix-instagram -# -###################################################################### - ###################################################################### # # matrix-bridge-mautrix-signal @@ -3944,12 +3868,6 @@ postgres_managed_databases_auto: | 'password': matrix_mautrix_googlechat_database_password, }] if (matrix_mautrix_googlechat_enabled and matrix_mautrix_googlechat_database_engine == 'postgres' and matrix_mautrix_googlechat_database_hostname == postgres_connection_hostname) else []) + - ([{ - 'name': matrix_mautrix_instagram_database_name, - 'username': matrix_mautrix_instagram_database_username, - 'password': matrix_mautrix_instagram_database_password, - }] if (matrix_mautrix_instagram_enabled and matrix_mautrix_instagram_database_engine == 'postgres' and matrix_mautrix_instagram_database_hostname == postgres_connection_hostname) else []) - + ([{ 'name': matrix_mautrix_signal_database_name, 'username': matrix_mautrix_signal_database_username, 
@@ -4852,11 +4770,6 @@ matrix_synapse_admin_config_asManagedUsers_auto: | '^@googlechat_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$', ] if matrix_mautrix_googlechat_enabled else []) + - ([ - '^@'+(matrix_mautrix_instagram_appservice_bot_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$', - '^@instagram_[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$', - ] if matrix_mautrix_instagram_enabled else []) - + ([ '^@'+(matrix_mautrix_meta_instagram_appservice_username | default('') | regex_escape)+':'+(matrix_domain | regex_escape)+'$', '^@'+(matrix_mautrix_meta_instagram_bridge_username_prefix | default('') | regex_escape)+'[a-zA-Z0-9]+:'+(matrix_domain | regex_escape)+'$', diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 332f252f9..360c995b5 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml 
@@ -100,15 +100,3 @@ To clean up your server from mx-puppet-skype's presence, see this changelog entry: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#mx-puppet-skype-removal. If you still need bridging to Skype, consider switching to the go-skype bridge instead. See `docs/configuring-playbook-bridge-go-skype-bridge.md`. when: "lookup('ansible.builtin.varnames', '^matrix_mx_puppet_skype_enabled$', wantlist=True) | length > 0" - -- name: Fail if mautrix-instagram and mautrix-meta-instagram are in conflict - ansible.builtin.fail: - msg: >- - Your configuration enables both the old mautrix-instagram bridge and the new mautrix-meta-instagram bridge. - By default, both bridges are configured to use the same bridge bot username (`@{{ matrix_mautrix_meta_instagram_appservice_username }}:{{ matrix_domain }}`) which is a conflict. - We recommend that you disable at least one of the bridges (preferably the old mautrix-instagram bridge), or to resolve the conflict in another way. - To resolve the conflict without disabling a bridge, consider adjusting one of `matrix_mautrix_instagram_appservice_bot_username` or `matrix_mautrix_meta_instagram_appservice_username` - they both have a value of {{ matrix_mautrix_meta_instagram_appservice_username }} right now. - when: - - matrix_mautrix_instagram_enabled | bool - - matrix_mautrix_meta_instagram_enabled | bool - - matrix_mautrix_instagram_appservice_bot_username == matrix_mautrix_meta_instagram_appservice_username diff --git a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml deleted file mode 100644 index 23c2c85eb..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml +++ /dev/null 
@@ -1,193 +0,0 @@
-# SPDX-FileCopyrightText: 2021 - 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2021 Aaron Raimist
-# SPDX-FileCopyrightText: 2021 Marcus Proest
-# SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
-# SPDX-FileCopyrightText: 2022 László Várady
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2023 Adrien le Maire
-# SPDX-FileCopyrightText: 2023 Samuel Meenzen
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-# mautrix-instagram is a Matrix <-> Instagram bridge
-# Project source code URL: https://github.com/mautrix/instagram
-
-matrix_mautrix_instagram_enabled: true
-
-matrix_mautrix_instagram_container_image_self_build: false
-matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
-matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"
-
-# renovate: datasource=docker depName=dock.mau.dev/mautrix/instagram
-matrix_mautrix_instagram_version: v0.3.1
-# See: https://mau.dev/tulir/mautrix-instagram/container_registry
-matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_registry_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
-matrix_mautrix_instagram_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else matrix_mautrix_instagram_docker_image_registry_prefix_upstream }}"
-matrix_mautrix_instagram_docker_image_registry_prefix_upstream: "{{ matrix_mautrix_instagram_docker_image_registry_prefix_upstream_default }}"
-matrix_mautrix_instagram_docker_image_registry_prefix_upstream_default: "dock.mau.dev/"
-matrix_mautrix_instagram_docker_image_force_pull: "{{ matrix_mautrix_instagram_docker_image.endswith(':latest') }}"
-
-matrix_mautrix_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-instagram"
-matrix_mautrix_instagram_config_path: "{{ matrix_mautrix_instagram_base_path }}/config"
-matrix_mautrix_instagram_data_path: "{{ matrix_mautrix_instagram_base_path }}/data"
-matrix_mautrix_instagram_docker_src_files_path: "{{ matrix_mautrix_instagram_base_path }}/docker-src"
-
-matrix_mautrix_instagram_homeserver_address: ""
-matrix_mautrix_instagram_homeserver_domain: '{{ matrix_domain }}'
-matrix_mautrix_instagram_appservice_address: 'http://matrix-mautrix-instagram:29330'
-
-matrix_mautrix_instagram_command_prefix: "!ig"
-
-matrix_mautrix_instagram_bridge_permissions: |
- {{
- {'*': 'relay', matrix_mautrix_instagram_homeserver_domain: 'user'}
- | combine({matrix_admin: 'admin'} if matrix_admin else {})
- }}
-
-matrix_mautrix_instagram_container_network: ""
-
-matrix_mautrix_instagram_container_additional_networks: "{{ matrix_mautrix_instagram_container_additional_networks_auto + matrix_mautrix_instagram_container_additional_networks_custom }}"
-matrix_mautrix_instagram_container_additional_networks_auto: []
-matrix_mautrix_instagram_container_additional_networks_custom: []
-
-# matrix_mautrix_instagram_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
-# See `../templates/labels.j2` for details.
-#
-# To inject your own other container labels, see `matrix_mautrix_instagram_container_labels_additional_labels`.
-matrix_mautrix_instagram_container_labels_traefik_enabled: true
-matrix_mautrix_instagram_container_labels_traefik_docker_network: "{{ matrix_mautrix_instagram_container_network }}"
-matrix_mautrix_instagram_container_labels_traefik_entrypoints: web-secure
-matrix_mautrix_instagram_container_labels_traefik_tls_certResolver: default # noqa var-naming
-
-# Controls whether labels will be added that expose mautrix-instagram's metrics
-matrix_mautrix_instagram_container_labels_metrics_enabled: "{{ matrix_mautrix_instagram_metrics_enabled and matrix_mautrix_instagram_metrics_proxying_enabled }}"
-matrix_mautrix_instagram_container_labels_metrics_traefik_rule: "Host(`{{ matrix_mautrix_instagram_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_mautrix_instagram_metrics_proxying_path_prefix }}`)"
-matrix_mautrix_instagram_container_labels_metrics_traefik_priority: 0
-matrix_mautrix_instagram_container_labels_metrics_traefik_entrypoints: "{{ matrix_mautrix_instagram_container_labels_traefik_entrypoints }}"
-matrix_mautrix_instagram_container_labels_metrics_traefik_tls: "{{ matrix_mautrix_instagram_container_labels_metrics_traefik_entrypoints != 'web' }}"
-matrix_mautrix_instagram_container_labels_metrics_traefik_tls_certResolver: "{{ matrix_mautrix_instagram_container_labels_traefik_tls_certResolver }}" # noqa var-naming
-matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled: false
-# See: https://doc.traefik.io/traefik/middlewares/http/basicauth/#users
-matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users: ''
-
-# matrix_mautrix_instagram_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
-# See `../templates/labels.j2` for details.
-#
-# Example:
-# matrix_mautrix_instagram_container_labels_additional_labels: |
-# my.label=1
-# another.label="here"
-matrix_mautrix_instagram_container_labels_additional_labels: ''
-
-# A list of extra arguments to pass to the container
-matrix_mautrix_instagram_container_extra_arguments: []
-
-# List of systemd services that matrix-mautrix-instagram.service depends on.
-matrix_mautrix_instagram_systemd_required_services_list: "{{ matrix_mautrix_instagram_systemd_required_services_list_default + matrix_mautrix_instagram_systemd_required_services_list_auto + matrix_mautrix_instagram_systemd_required_services_list_custom }}"
-matrix_mautrix_instagram_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
-matrix_mautrix_instagram_systemd_required_services_list_auto: []
-matrix_mautrix_instagram_systemd_required_services_list_custom: []
-
-# List of systemd services that matrix-mautrix-instagram.service wants
-matrix_mautrix_instagram_systemd_wanted_services_list: []
-
-matrix_mautrix_instagram_appservice_token: ''
-matrix_mautrix_instagram_homeserver_token: ''
-
-# Whether or not created rooms should have federation enabled.
-# If false, created portal rooms will never be federated.
-matrix_mautrix_instagram_federate_rooms: true
-
-# Whether or not metrics endpoint should be enabled.
-# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
-# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_instagram_metrics_proxying_enabled`.
-matrix_mautrix_instagram_metrics_enabled: false
-
-# Controls whether metrics should be exposed on a public URL.
-matrix_mautrix_instagram_metrics_proxying_enabled: false
-matrix_mautrix_instagram_metrics_proxying_hostname: ''
-matrix_mautrix_instagram_metrics_proxying_path_prefix: ''
-
-# Database-related configuration fields.
-#
-# To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables
-matrix_mautrix_instagram_database_engine: 'postgres'
-
-matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram'
-matrix_mautrix_instagram_database_password: 'some-password'
-matrix_mautrix_instagram_database_hostname: ''
-matrix_mautrix_instagram_database_port: 5432
-matrix_mautrix_instagram_database_name: 'matrix_mautrix_instagram'
-
-matrix_mautrix_instagram_database_connection_string: 'postgres://{{ matrix_mautrix_instagram_database_username }}:{{ matrix_mautrix_instagram_database_password }}@{{ matrix_mautrix_instagram_database_hostname }}:{{ matrix_mautrix_instagram_database_port }}/{{ matrix_mautrix_instagram_database_name }}'
-
-matrix_mautrix_instagram_appservice_database: "{{
- {
- 'postgres': matrix_mautrix_instagram_database_connection_string,
- }[matrix_mautrix_instagram_database_engine]
-}}"
-
-
-# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
-matrix_mautrix_instagram_login_shared_secret: ''
-
-matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}"
-
-# Enable bridge relay bot functionality
-matrix_mautrix_instagram_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
-
-matrix_mautrix_instagram_appservice_bot_username: instagrambot
-
-matrix_mautrix_instagram_bridge_presence: true
-
-# Specifies the default log level for all bridge loggers.
-matrix_mautrix_instagram_logging_level: WARNING
-
-# Default configuration template which covers the generic use case.
-# You can customize it by controlling the various variables inside it.
-#
-# For a more advanced customization, you can extend the default (see `matrix_mautrix_instagram_configuration_extension_yaml`)
-# or completely replace this variable with your own template.
-matrix_mautrix_instagram_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
-
-matrix_mautrix_instagram_configuration_extension_yaml: |
- # Your custom YAML configuration goes here.
- # This configuration extends the default starting configuration (`matrix_mautrix_instagram_configuration_yaml`).
- #
- # You can override individual variables from the default configuration, or introduce new ones.
- #
- # If you need something more special, you can take full control by
- # completely redefining `matrix_mautrix_instagram_configuration_yaml`.
-
-matrix_mautrix_instagram_configuration_extension: "{{ matrix_mautrix_instagram_configuration_extension_yaml | from_yaml if matrix_mautrix_instagram_configuration_extension_yaml | from_yaml is mapping else {} }}"
-
-# Holds the final configuration (a combination of the default and its extension).
-# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_instagram_configuration_yaml`.
-matrix_mautrix_instagram_configuration: "{{ matrix_mautrix_instagram_configuration_yaml | from_yaml | combine(matrix_mautrix_instagram_configuration_extension, recursive=True) }}"
-
-matrix_mautrix_instagram_registration_yaml: |
- id: instagram
- as_token: "{{ matrix_mautrix_instagram_appservice_token }}"
- hs_token: "{{ matrix_mautrix_instagram_homeserver_token }}"
- namespaces:
- users:
- - exclusive: true
- regex: '^@instagram_.+:{{ matrix_mautrix_instagram_homeserver_domain | regex_escape }}$'
- - exclusive: true
- regex: '^@{{ matrix_mautrix_instagram_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_instagram_homeserver_domain | regex_escape }}$'
- url: {{ matrix_mautrix_instagram_appservice_address }}
- # See https://github.com/mautrix/signal/issues/43
- sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }}
- rate_limited: false
- de.sorunome.msc2409.push_ephemeral: true
- receive_ephemeral: true
-
-matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}"
-
-# Enable End-to-bridge encryption
-matrix_mautrix_instagram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
-matrix_mautrix_instagram_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"
-matrix_mautrix_instagram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}"
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml
deleted file mode 100644
index 1dcc341fb..000000000
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-# SPDX-FileCopyrightText: 2021 Marcus Proest
-# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2022 Marko Weltzer
-# SPDX-FileCopyrightText: 2023 Adrien le Maire
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-
-- tags:
- - setup-all
- - setup-mautrix-instagram
- - install-all
- - install-mautrix-instagram
- block:
- - when: matrix_mautrix_instagram_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
-
- - when: matrix_mautrix_instagram_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-
-- tags:
- - setup-all
- - setup-mautrix-instagram
- block:
- - when: not matrix_mautrix_instagram_enabled | bool
- ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml
deleted file mode 100644
index 2058e9b61..000000000
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_install.yml
+++ /dev/null
@@ -1,99 +0,0 @@ -# SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev -# SPDX-FileCopyrightText: 2021 Marcus Proest -# SPDX-FileCopyrightText: 2022 Jim Myhrberg -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# SPDX-FileCopyrightText: 2022 Nikita Chernyi -# SPDX-FileCopyrightText: 2022 Sebastian Gumprich -# SPDX-FileCopyrightText: 2024 David Mehren -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- - -- name: Ensure Mautrix instagram image is pulled - community.docker.docker_image: - name: "{{ matrix_mautrix_instagram_docker_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_mautrix_instagram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_docker_image_force_pull }}" - when: not matrix_mautrix_instagram_container_image_self_build - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - -- name: Ensure Mautrix instagram paths exist - ansible.builtin.file: - path: "{{ item.path }}" - state: directory - mode: 0750 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - with_items: - - {path: "{{ matrix_mautrix_instagram_base_path }}", when: true} - - {path: "{{ matrix_mautrix_instagram_config_path }}", when: true} - - {path: "{{ matrix_mautrix_instagram_data_path }}", when: true} - - {path: "{{ matrix_mautrix_instagram_docker_src_files_path }}", when: "{{ matrix_mautrix_instagram_container_image_self_build }}"} - when: item.when | bool - -- name: Ensure Mautrix instagram repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_mautrix_instagram_container_image_self_build_repo }}" - version: "{{ matrix_mautrix_instagram_container_image_self_build_repo_version }}" - dest: "{{ 
matrix_mautrix_instagram_docker_src_files_path }}" - force: "yes" - become: true - become_user: "{{ matrix_user_name }}" - register: matrix_mautrix_instagram_git_pull_results - when: "matrix_mautrix_instagram_container_image_self_build | bool" - -- name: Ensure Mautrix instagram Docker image is built - community.docker.docker_image: - name: "{{ matrix_mautrix_instagram_docker_image }}" - source: build - force_source: "{{ matrix_mautrix_instagram_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_instagram_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_mautrix_instagram_docker_src_files_path }}" - pull: true - when: "matrix_mautrix_instagram_container_image_self_build | bool" - -- name: Ensure mautrix-instagram config.yaml installed - ansible.builtin.copy: - content: "{{ matrix_mautrix_instagram_configuration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_mautrix_instagram_config_path }}/config.yaml" - mode: 0644 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - -- name: Ensure mautrix-instagram registration.yaml installed - ansible.builtin.copy: - content: "{{ matrix_mautrix_instagram_registration | to_nice_yaml(indent=2, width=999999) }}" - dest: "{{ matrix_mautrix_instagram_config_path }}/registration.yaml" - mode: 0644 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - -- name: Ensure mautrix-instagram support files installed - ansible.builtin.template: - src: "{{ role_path }}/templates/{{ item }}.j2" - dest: "{{ matrix_mautrix_instagram_base_path }}/{{ item }}" - mode: 0640 - owner: "{{ matrix_user_name }}" - group: "{{ matrix_group_name }}" - with_items: - - labels - -- name: Ensure matrix-mautrix-instagram container network is created - community.general.docker_network: - enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled 
}}" - name: "{{ matrix_mautrix_instagram_container_network }}" - driver: bridge - driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" - -- name: Ensure matrix-mautrix-instagram.service installed - ansible.builtin.template: - src: "{{ role_path }}/templates/systemd/matrix-mautrix-instagram.service.j2" - dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" - mode: 0644 diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml deleted file mode 100644 index de533aa7c..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/setup_uninstall.yml +++ /dev/null @@ -1,25 +0,0 @@ -# SPDX-FileCopyrightText: 2021 - 2022 Slavi Pantaleev -# SPDX-FileCopyrightText: 2021 Marcus Proest -# SPDX-FileCopyrightText: 2022 Marko Weltzer -# -# SPDX-License-Identifier: AGPL-3.0-or-later - ---- -- name: Check existence of matrix-mautrix-instagram service - ansible.builtin.stat: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" - register: matrix_mautrix_instagram_service_stat - -- when: matrix_mautrix_instagram_service_stat.stat.exists | bool - block: - - name: Ensure matrix-mautrix-instagram is stopped - ansible.builtin.service: - name: matrix-mautrix-instagram - state: stopped - enabled: false - daemon_reload: true - - - name: Ensure matrix-mautrix-instagram.service doesn't exist - ansible.builtin.file: - path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-instagram.service" - state: absent diff --git a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml deleted file mode 100644 index 80259cbda..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/validate_config.yml +++ /dev/null 
@@ -1,29 +0,0 @@
-# SPDX-FileCopyrightText: 2021 - 2024 Slavi Pantaleev
-# SPDX-FileCopyrightText: 2021 Marcus Proest
-# SPDX-FileCopyrightText: 2025 Suguru Hirahara
-#
-# SPDX-License-Identifier: AGPL-3.0-or-later
-
----
-- name: Fail if required mautrix-instagram settings not defined
- ansible.builtin.fail:
- msg: >-
- You need to define a required configuration setting (`{{ item.name }}`).
- when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
- with_items:
- - {'name': 'matrix_mautrix_instagram_appservice_token', when: true}
- - {'name': 'matrix_mautrix_instagram_homeserver_address', when: true}
- - {'name': 'matrix_mautrix_instagram_homeserver_token', when: true}
- - {'name': 'matrix_mautrix_instagram_container_network', when: true}
- - {'name': 'matrix_mautrix_instagram_database_hostname', when: "{{ matrix_mautrix_instagram_database_engine == 'postgres' }}"}
- - {'name': 'matrix_mautrix_instagram_metrics_proxying_hostname', when: "{{ matrix_mautrix_instagram_metrics_proxying_enabled }}"}
- - {'name': 'matrix_mautrix_instagram_metrics_proxying_path_prefix', when: "{{ matrix_mautrix_instagram_metrics_proxying_enabled }}"}
-
-- name: (Deprecation) Catch and report renamed mautrix-instagram variables
- ansible.builtin.fail:
- msg: >-
- Your configuration contains a variable, which now has a different name.
- Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
- when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
- with_items:
- - {'old': 'matrix_mautrix_instagram_docker_image_name_prefix', 'new': 'matrix_mautrix_instagram_docker_image_registry_prefix'}
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
deleted file mode 100644
index 428bae149..000000000
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ /dev/null
@@ -1,244 +0,0 @@ -#jinja2: lstrip_blocks: True -# Homeserver details -homeserver: - # The address that this appservice can use to connect to the homeserver. - address: {{ matrix_mautrix_instagram_homeserver_address }} - # The domain of the homeserver (for MXIDs, etc). - domain: {{ matrix_mautrix_instagram_homeserver_domain }} - # Whether or not to verify the SSL certificate of the homeserver. - # Only applies if address starts with https:// - verify_ssl: true - # Whether or not the homeserver supports asmux-specific endpoints, - # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically - # updating m.direct. - asmux: false - -# Application service host/registration related details -# Changing these values requires regeneration of the registration. -appservice: - # The address that the homeserver can use to connect to this appservice. - address: {{ matrix_mautrix_instagram_appservice_address }} - # When using https:// the TLS certificate and key files for the address. - tls_cert: false - tls_key: false - - # The hostname and port where this appservice should listen. - hostname: 0.0.0.0 - port: 29330 - # The maximum body size of appservice API requests (from the homeserver) in mebibytes - # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s - max_body_size: 1 - - # The full URI to the database. Only Postgres is currently supported. - database: {{ matrix_mautrix_instagram_appservice_database|to_json }} - # Additional arguments for asyncpg.create_pool() - # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool - database_opts: - min_size: 5 - max_size: 10 - - # The unique ID of this appservice. - id: instagram - # Username of the appservice bot. - bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }} - # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty - # to leave display name/avatar as-is. 
- bot_displayname: Instagram bridge bot - bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv - - # Whether or not to receive ephemeral events via appservice transactions. - # Requires MSC2409 support (i.e. Synapse 1.22+). - # You should disable bridge -> sync_with_custom_puppets when this is enabled. - ephemeral_events: false - - # Authentication tokens for AS <-> HS communication. - as_token: "{{ matrix_mautrix_instagram_appservice_token }}" - hs_token: "{{ matrix_mautrix_instagram_homeserver_token }}" - -# Prometheus telemetry config. Requires prometheus-client to be installed. -metrics: - enabled: {{ matrix_mautrix_instagram_metrics_enabled | to_json }} - listen_port: 8000 - -instagram: - # Seed for generating devices. This is secret because the seed is used to generate - # device IDs, which can apparently be used to bypass two-factor authentication after - # logging out, because Instagram is insecure. - device_seed: generate - -# Bridge config -bridge: - # Localpart template of MXIDs for Instagram users. - # {userid} is replaced with the user ID of the Instagram user. - username_template: "instagram_{userid}" - # Displayname template for Instagram users. - # {displayname} is replaced with the display name of the Instagram user. - # {username} is replaced with the username of the Instagram user. - displayname_template: "{username} (Instagram)" - - # Maximum length of displayname - displayname_max_length: 100 - - # Maximum number of seconds since the last activity in a chat to automatically create portals. - portal_create_max_age: 86400 - # Maximum number of chats to fetch for startup sync - chat_sync_limit: 100 - # Whether or not to use /sync to get read receipts and typing notifications - # when double puppeting is enabled - sync_with_custom_puppets: true - # Whether or not to update the m.direct account data event when double puppeting is enabled. 
- # Note that updating the m.direct event is not atomic (except with mautrix-asmux) - # and is therefore prone to race conditions. - sync_direct_chat_list: false - # Allow using double puppeting from any server with a valid client .well-known file. - double_puppet_allow_discovery: false - # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. - double_puppet_server_map: {} - # example.com: https://example.com - # Allow using double puppeting from any server with a valid client .well-known file. - double_puppet_allow_discovery: false - # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth - # - # If set, custom puppets will be enabled automatically for local users - # instead of users having to find an access token and run `login-matrix` - # manually. - # If using this for other servers than the bridge's server, - # you must also set the URL in the double_puppet_server_map. - login_shared_secret_map: - {{ matrix_mautrix_instagram_bridge_login_shared_secret_map|to_json }} - # Whether or not to update avatars when syncing all contacts at startup. - update_avatar_initial_sync: true - # Whether or not created rooms should have federation enabled. - # If false, created portal rooms will never be federated. - federate_rooms: {{ matrix_mautrix_instagram_federate_rooms|to_json }} - # Settings for backfilling messages from Instagram. - backfill: - # Whether or not the Instagram users of logged in Matrix users should be - # invited to private chats when backfilling history from Instagram. This is - # usually needed to prevent rate limits and to allow timestamp massaging. - invite_own_puppet: true - # Maximum number of messages to backfill initially. - # Set to 0 to disable backfilling when creating portal. - initial_limit: 0 - # Maximum number of messages to backfill if messages were missed while - # the bridge was disconnected. - # Set to 0 to disable backfilling missed messages. 
- missed_limit: 1000 - # If using double puppeting, should notifications be disabled - # while the initial backfill is in progress? - disable_notifications: false - periodic_reconnect: - # Interval in seconds in which to automatically reconnect all users. - # This can be used to automatically mitigate the bug where Instagram stops sending messages. - # Set to -1 to disable periodic reconnections entirely. - interval: -1 - # Whether or not the bridge should backfill chats when reconnecting. - resync: true - # Should even disconnected users be reconnected? - always: false - # End-to-bridge encryption support options. These require matrix-nio to be installed with pip - # and login_shared_secret to be configured in order to get a device for the bridge bot. - # - # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal - # application service. - encryption: - # Allow encryption, work in group chat rooms with e2ee enabled - allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }} - # Default to encryption, force-enable encryption in all portals the bridge creates - # This will cause the bridge bot to be in private chats for the encryption to work properly. - default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }} - # Options for automatic key sharing. - key_sharing: - # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled. - # You must use a client that supports requesting keys from other users to use this feature. - allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }} - # Require the requesting device to have a valid cross-signing signature? - # This doesn't require that the bridge has verified the device, only that the user has verified it. - # Not yet implemented. - require_cross_signing: false - # Require devices to be verified by the bridge? - # Verification by the bridge is not yet implemented. 
- require_verification: true - # Whether or not to explicitly set the avatar and room name for private - # chat portal rooms. This will be implicitly enabled if encryption.default is true. - private_chat_portal_meta: false - # Whether or not the bridge should send a read receipt from the bridge bot when a message has - # been sent to Instagram. - delivery_receipts: false - # Whether or not delivery errors should be reported as messages in the Matrix room. - delivery_error_reports: true - # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run. - # This field will automatically be changed back to false after it, - # except if the config file is not writable. - resend_bridge_info: false - # Whether or not unimportant bridge notices should be sent to the user. - # (e.g. connected, disconnected but will retry) - unimportant_bridge_notices: true - - # The prefix for commands. Only required in non-management rooms. - command_prefix: "{{ matrix_mautrix_instagram_command_prefix }}" - # Permissions for using the bridge. - # Permitted values: - # user - Use the bridge with puppeting. - # admin - Use and administrate the bridge. - # Permitted keys: - # * - All Matrix users - # domain - All users on that homeserver - # mxid - Specific user - permissions: {{ matrix_mautrix_instagram_bridge_permissions|to_json }} - # Provisioning API part of the web server for automated portal creation and fetching information. - # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). - provisioning: - # Whether or not the provisioning API should be enabled. - enabled: true - # The prefix to use in the provisioning API endpoints. - prefix: /_matrix/provision/v1 - # The shared secret to authorize users of the API. - # Set to "generate" to generate and save a new token. - shared_secret: generate - relay: - # Whether relay mode should be allowed. 
If allowed, `!ig set-relay` can be used to turn any - # authenticated user into a relaybot for that chat. - enabled: {{ matrix_mautrix_instagram_relay_enabled }} - # The formats to use when sending messages to Instagram via a relay user. - # - # Available variables: - # $sender_displayname - The display name of the sender (e.g. Example User) - # $sender_username - The username (Matrix ID localpart) of the sender (e.g. alice) - # $sender_mxid - The Matrix ID of the sender (e.g. @alice:example.com) - # $message - The message content - # - # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed. - message_formats: - m.text: '$sender_displayname: $message' - m.notice: '$sender_displayname: $message' - m.emote: '* $sender_displayname $message' - -# Python logging configuration. -# -# See section 16.7.2 of the Python documentation for more info: -# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema -logging: - version: 1 - formatters: - colored: - (): mautrix_instagram.util.ColorFormatter - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - normal: - format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s" - handlers: - console: - class: logging.StreamHandler - formatter: colored - loggers: - mau: - level: {{ matrix_mautrix_instagram_logging_level|to_json }} - mauigpapi: - level: {{ matrix_mautrix_instagram_logging_level|to_json }} - paho: - level: {{ matrix_mautrix_instagram_logging_level|to_json }} - aiohttp: - level: {{ matrix_mautrix_instagram_logging_level|to_json }} - root: - level: {{ matrix_mautrix_instagram_logging_level|to_json }} - handlers: [console] diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2.license b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2.license deleted file mode 100644 index 89b223f9b..000000000 
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2.license
+++ /dev/null
@@ -1,10 +0,0 @@
-SPDX-FileCopyrightText: 2021 - 2022 MDAD project contributors
-SPDX-FileCopyrightText: 2021 Marcus Proest
-SPDX-FileCopyrightText: 2022 - 2023 Nikita Chernyi
-SPDX-FileCopyrightText: 2022 - 2023 Slavi Pantaleev
-SPDX-FileCopyrightText: 2022 László Várady
-SPDX-FileCopyrightText: 2023 Adrien le Maire
-SPDX-FileCopyrightText: 2023 Kevin Kengen
-SPDX-FileCopyrightText: 2024 Suguru Hirahara
-
-SPDX-License-Identifier: AGPL-3.0-or-later
diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2
deleted file mode 100644
index e5b9154ab..000000000
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/labels.j2
+++ /dev/null
@@ -1,52 +0,0 @@ -{# -SPDX-FileCopyrightText: 2024 Slavi Pantaleev - -SPDX-License-Identifier: AGPL-3.0-or-later -#} - -{% if matrix_mautrix_instagram_container_labels_traefik_enabled %} -traefik.enable=true - -{% if matrix_mautrix_instagram_container_labels_traefik_docker_network %} -traefik.docker.network={{ matrix_mautrix_instagram_container_labels_traefik_docker_network }} -{% endif %} - -traefik.http.services.matrix-mautrix-instagram-metrics.loadbalancer.server.port=8000 - -{% if matrix_mautrix_instagram_container_labels_metrics_enabled %} -############################################################ -# # -# Metrics # -# # -############################################################ - -{% if matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_enabled %} -traefik.http.middlewares.matrix-mautrix-instagram-metrics-basic-auth.basicauth.users={{ matrix_mautrix_instagram_container_labels_metrics_middleware_basic_auth_users }} -traefik.http.routers.matrix-mautrix-instagram-metrics.middlewares=matrix-mautrix-instagram-metrics-basic-auth -{% endif %} - -traefik.http.routers.matrix-mautrix-instagram-metrics.rule={{ matrix_mautrix_instagram_container_labels_metrics_traefik_rule }} - -{% if matrix_mautrix_instagram_container_labels_metrics_traefik_priority | int > 0 %} -traefik.http.routers.matrix-mautrix-instagram-metrics.priority={{ matrix_mautrix_instagram_container_labels_metrics_traefik_priority }} -{% endif %} - -traefik.http.routers.matrix-mautrix-instagram-metrics.service=matrix-mautrix-instagram-metrics -traefik.http.routers.matrix-mautrix-instagram-metrics.entrypoints={{ matrix_mautrix_instagram_container_labels_metrics_traefik_entrypoints }} - -traefik.http.routers.matrix-mautrix-instagram-metrics.tls={{ matrix_mautrix_instagram_container_labels_metrics_traefik_tls | to_json }} -{% if matrix_mautrix_instagram_container_labels_metrics_traefik_tls %} -traefik.http.routers.matrix-mautrix-instagram-metrics.tls.certResolver={{ 
matrix_mautrix_instagram_container_labels_metrics_traefik_tls_certResolver }} -{% endif %} - -############################################################ -# # -# /Metrics # -# # -############################################################ -{% endif %} - - -{% endif %} - -{{ matrix_mautrix_instagram_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 b/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 deleted file mode 100644 index 55356d443..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2 +++ /dev/null 
@@ -1,48 +0,0 @@ -#jinja2: lstrip_blocks: True -[Unit] -Description=Matrix Mautrix Instagram bridge -{% for service in matrix_mautrix_instagram_systemd_required_services_list %} -Requires={{ service }} -After={{ service }} -{% endfor %} -{% for service in matrix_mautrix_instagram_systemd_wanted_services_list %} -Wants={{ service }} -{% endfor %} -DefaultDependencies=no - -[Service] -Type=simple -Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-instagram 2>/dev/null || true' -ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null || true' - -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ - --rm \ - --name=matrix-mautrix-instagram \ - --log-driver=none \ - --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ - --cap-drop=ALL \ - --network={{ matrix_mautrix_instagram_container_network }} \ - --mount type=bind,src={{ matrix_mautrix_instagram_config_path }},dst=/config \ - --mount type=bind,src={{ matrix_mautrix_instagram_data_path }},dst=/data \ - --label-file={{ matrix_mautrix_instagram_base_path }}/labels \ - {% for arg in matrix_mautrix_instagram_container_extra_arguments %} - {{ arg }} \ - {% endfor %} - {{ matrix_mautrix_instagram_docker_image }} \ - python3 -m mautrix_instagram -c /config/config.yaml --no-update - -{% for network in matrix_mautrix_instagram_container_additional_networks %} -ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-instagram -{% endfor %} - -ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-mautrix-instagram - -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c 
'{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-instagram 2>/dev/null || true' -ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-instagram 2>/dev/null || true' -Restart=always -RestartSec=30 -SyslogIdentifier=matrix-mautrix-instagram - -[Install] -WantedBy=multi-user.target diff --git a/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2.license b/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2.license deleted file mode 100644 index 41f4c833d..000000000 --- a/roles/custom/matrix-bridge-mautrix-instagram/templates/systemd/matrix-mautrix-instagram.service.j2.license +++ /dev/null @@ -1,4 +0,0 @@ -SPDX-FileCopyrightText: 2021 Marcus Proest -SPDX-FileCopyrightText: 2022 - 2025 Slavi Pantaleev - -SPDX-License-Identifier: AGPL-3.0-or-later diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 5cff3f708..604c8d9ba 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml 
@@ -583,6 +583,18 @@ The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_mautrix_hangouts_.+', wantlist=True) | join(', ') }} when: "lookup('ansible.builtin.varnames', '^matrix_mautrix_hangouts_.+', wantlist=True) | length > 0" +- name: (Deprecation) Catch and report mautrix-instagram variables + ansible.builtin.fail: + msg: |- + mautrix-instagram was completely removed from the playbook in November 2025. + + Please remove all `matrix_mautrix_instagram_*` variables from your configuration file (vars.yml). + + You may also wish to uninstall the bridge manually. See `docs/configuring-playbook-bridge-mautrix-instagram.md` for more information. + + The following variables in your configuration need to be removed: {{ lookup('ansible.builtin.varnames', '^matrix_mautrix_instagram_.+', wantlist=True) | join(', ') }} + when: "lookup('ansible.builtin.varnames', '^matrix_mautrix_instagram_.+', wantlist=True) | length > 0" + - name: (Deprecation) Catch and report mx-puppet-discord variables ansible.builtin.fail: msg: |- diff --git a/setup.yml b/setup.yml index 486a60607..1fec3de10 100644 --- a/setup.yml +++ b/setup.yml @@ -62,7 +62,6 @@ - custom/matrix-bridge-wechat - custom/matrix-bridge-mautrix-twitter - custom/matrix-bridge-mautrix-googlechat - - custom/matrix-bridge-mautrix-instagram - custom/matrix-bridge-mautrix-meta-messenger - custom/matrix-bridge-mautrix-meta-instagram - custom/matrix-bridge-mautrix-telegram From 7f6c23f91d6ef954b187bd455f90acea6d8fdfa9 Mon Sep 17 00:00:00 2001 
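Review bot: The failure message in the new `(Deprecation) Catch and report mautrix-instagram variables` task presents uninstalling as optional (`You may also wish to uninstall the bridge manually`), yet the same commit drops the role from `setup.yml`, so the playbook no longer manages or updates the bridge. The removed unit template used `Restart=always` and `WantedBy=multi-user.target`, so an existing `matrix-mautrix-instagram` service would presumably keep running on an image that is no longer updated, with its config and data directories (which likely hold bridge tokens and session state) left on disk. I would make that line firmer, e.g. `The playbook no longer manages or updates this bridge; stop and remove the matrix-mautrix-instagram service and its config/data directories manually.` It is also worth confirming that `docs/configuring-playbook-bridge-mautrix-instagram.md` still exists after this commit, since the message sends users there.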
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 10 Nov 2025 16:43:44 +0000 Subject: [PATCH 005/209] Bump ansible/ansible-lint from 25.9.2 to 25.11.0 Bumps [ansible/ansible-lint](https://github.com/ansible/ansible-lint) from 25.9.2 to 25.11.0. - [Release notes](https://github.com/ansible/ansible-lint/releases) - [Commits](https://github.com/ansible/ansible-lint/compare/v25.9.2...v25.11.0) --- updated-dependencies: - dependency-name: ansible/ansible-lint dependency-version: 25.11.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 301bcd488..6865c4304 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v5 - name: Run ansible-lint - uses: ansible/ansible-lint@v25.9.2 + uses: ansible/ansible-lint@v25.11.0 with: args: "roles/custom" setup_python: "true" From 272c03892c85a89253a5d25d71012b0013d000f8 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 11 Nov 2025 11:02:02 +0000 Subject: [PATCH 006/209] borgbackup: postgres v18 support --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d4703d326..5bceedc9f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-5 name: auxiliary - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git - version: v1.4.2-2.0.11-0 + version: v1.4.2-2.0.11-1 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git version: v0.4.1-2 From c8c6a83eccc3a6ca34df453b67edc4a018601289 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 11 Nov 2025 11:02:40 +0000 Subject: [PATCH 007/209] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.142.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a21a85b4d..3125ac0ff 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.141.0 +matrix_synapse_version: v1.142.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 4b19196a759df0f36f972b16f556cfa85d188680 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 11 Nov 2025 13:25:59 +0000 Subject: [PATCH 008/209] chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.6.0 --- roles/custom/matrix-authentication-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml index 3b1a46236..24827bb69 100644 --- a/roles/custom/matrix-authentication-service/defaults/main.yml +++ b/roles/custom/matrix-authentication-service/defaults/main.yml 
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src" # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service -matrix_authentication_service_version: 1.5.0 +matrix_authentication_service_version: 1.6.0 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}" matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}" matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/" From 56629103c63236407739c1aeee4c9f6890d6e1a2 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 11 Nov 2025 16:18:28 +0200 Subject: [PATCH 009/209] Revert "chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.142.0" This reverts commit c8c6a83eccc3a6ca34df453b67edc4a018601289. Synapse v1.142.0 is broken for Matrix Authentication Service deployments that use a path-prefix (e.g. `/auth`) such as ours. For such deployments, Synapse fails to contact MAS at the correct introspection endpoint (it keeps hitting `/oauth2/introspect`, instead of `/auth/oauth2/introspect`) and is not usable. Related to https://github.com/element-hq/synapse/commit/3595ff921f876ee6ccb03623ae93e21f723bd444 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 3125ac0ff..a21a85b4d 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.142.0 +matrix_synapse_version: v1.141.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 86f9cdfe2cd83aa3100d7258f80fb617a8cc1c64 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 12 Nov 2025 08:52:11 +0000 Subject: [PATCH 010/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2025.11.12 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index e12544194..934898c1a 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2025.11.5 +matrix_alertmanager_receiver_version: 2025.11.12 matrix_alertmanager_receiver_scheme: https From 42e6c8d989fed573fdb7fe4f69e4290219683ee7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 12 Nov 2025 08:52:17 +0000 Subject: [PATCH 011/209] chore(deps): update dependency certifi to v2025.11.12 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index c4ea959be..032006e89 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -1,6 +1,6 @@ alabaster==1.0.0 babel==2.17.0 -certifi==2025.10.5 +certifi==2025.11.12 charset-normalizer==3.4.4 click==8.3.0 docutils==0.22.3 From fe34e6c61d6a89fa6725566c1da4b08406798423 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Fri, 14 Nov 2025 06:54:31 +0200 Subject: [PATCH 012/209] Upgrade Traefik (v3.6.0-0 -> v3.6.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5bceedc9f..509ec1abe 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.1.0-0 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.0-0 + version: v3.6.1-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-2 From 99d68c4e5194120529c79a41f96527bf4d4e4327 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 13 Nov 2025 18:49:22 +0000 Subject: [PATCH 013/209] chore(deps): update ghcr.io/matrix-org/rageshake docker tag to v1.17.0 --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 0cba1cfea..96f5b3ed7 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: / # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake -matrix_rageshake_version: 1.16.3 +matrix_rageshake_version: 1.17.0 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" From 45ed9cc226c2e27b5e3bc5355b53fcdbb1f2f8e6 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 14 Nov 2025 07:01:48 +0200 Subject: [PATCH 014/209] Upgrade Postgres (v18.0-1 -> v18.1-0) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index 509ec1abe..89d6791fe 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 name: playbook_state_preserver - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git - version: v18.0-1 + version: v18.1-0 name: postgres - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git version: v18-0 From f276b204a7e8823957690b882ddadfef3c4dfbfa Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 15 Nov 2025 21:32:24 +0000 Subject: [PATCH 015/209] chore(deps): update dependency click to v8.3.1 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 032006e89..6428447a7 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -2,7 +2,7 @@ alabaster==1.0.0 babel==2.17.0 certifi==2025.11.12 charset-normalizer==3.4.4 -click==8.3.0 +click==8.3.1 docutils==0.22.3 idna==3.11 imagesize==1.4.1 From 1e3e722f8f21ee18428c16298b7aa8d522f08bf7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 15 Nov 2025 21:32:27 +0000 Subject: [PATCH 016/209] chore(deps): update dependency livekit_server to v1.9.4-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 89d6791fe..32f5b321c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ version: v10590-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.3-0 + version: v1.9.4-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.14.0-3 From f3020a8ce6def23d88fa81a6ea5162f54751de2d Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:04:22 +0000 Subject: [PATCH 017/209] chore(deps): update dock.mau.dev/mautrix/gmessages docker tag to v0.2511.0 --- roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml index 95b581456..cc266a5df 100644 --- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml @@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages -matrix_mautrix_gmessages_version: v0.2510.0 +matrix_mautrix_gmessages_version: v0.2511.0 # See: https://mau.dev/mautrix/gmessages/container_registry matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}" From 46f00c89ccdf489883eecd68d2b0172d5a2160dd Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:04:17 +0000 Subject: [PATCH 018/209] chore(deps): update dependency etherpad to v2.5.2-2 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 32f5b321c..8ed08da55 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -16,7 +16,7 @@ version: 129c8590e106b83e6f4c259649a613c6279e937a name: docker_sdk_for_python - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git - version: v2.5.2-1 + version: v2.5.2-2 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git version: v4.98.1-r0-2-2 From 4b93bbde98e19f11762c3dd336b0cb801f502137 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:08:35 +0000 Subject: [PATCH 019/209] chore(deps): update dock.mau.dev/mautrix/meta docker tag to v0.2511.0 --- .../matrix-bridge-mautrix-meta-instagram/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-meta-messenger/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml index 84a63d17b..693c869fc 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml @@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta -matrix_mautrix_meta_instagram_version: v0.2510.0 +matrix_mautrix_meta_instagram_version: v0.2511.0 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram" matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config" diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml index 0ebd90d4d..08303f45d 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml 
@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta -matrix_mautrix_meta_messenger_version: v0.2510.0 +matrix_mautrix_meta_messenger_version: v0.2511.0 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger" matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config" From ff884f5b4b2fff88b8633582fedafd98740d66ea Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:08:38 +0000 Subject: [PATCH 020/209] chore(deps): update dock.mau.dev/mautrix/signal docker tag to v0.2511.0 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index e133bf9a3..149f16e8a 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/ matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal -matrix_mautrix_signal_version: v0.2510.0 +matrix_mautrix_signal_version: v0.2511.0 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}" From 4e3dd04b17dd139eef8fb7c712bc3b868af8647e Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:08:42 +0000 Subject: [PATCH 021/209] chore(deps): update dock.mau.dev/mautrix/slack docker tag to v0.2511.0 --- roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml index 74945204b..6a455935d 100644 --- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml @@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack -matrix_mautrix_slack_version: v0.2510.0 +matrix_mautrix_slack_version: v0.2511.0 # See: https://mau.dev/mautrix/slack/container_registry matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}" matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}" From dfa38bec2cde50b0222f3a99baa36892f881ac67 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:08:45 +0000 Subject: [PATCH 022/209] chore(deps): update dock.mau.dev/mautrix/twitter docker tag to v0.2511.0 --- roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml index ca941c484..8f1000712 100644 
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml @@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter -matrix_mautrix_twitter_version: v0.2510.0 +matrix_mautrix_twitter_version: v0.2511.0 # See: https://mau.dev/tulir/mautrix-twitter/container_registry matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}" matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}" From 8405bbdb94d30f0a3dfcd2599267f17e8262987f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 16 Nov 2025 13:08:48 +0000 Subject: [PATCH 023/209] chore(deps): update dock.mau.dev/mautrix/whatsapp docker tag to v0.2511.0 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index c5b4f1a6f..ff55d4073 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml 
@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp -matrix_mautrix_whatsapp_version: v0.2510.0 +matrix_mautrix_whatsapp_version: v0.2511.0 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" From 7520469644c394f2a5a6a0dd97894a57d63c7c02 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 17 Nov 2025 04:59:00 +0000 Subject: [PATCH 024/209] chore(deps): update dependency ntfy to v2.15.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8ed08da55..99e159cdb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: v1.9.4-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git - version: v2.14.0-3 + version: v2.15.0-0 name: ntfy - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: 7663e3114513e56f28d3ed762059b445c678a71a From 346dfbbc07eae9feb20788819c809f843f4f9f01 Mon Sep 17 00:00:00 2001 From: Benjamin Blacher Date: Mon, 17 Nov 2025 16:27:25 +0100 Subject: [PATCH 025/209] Add support for signal polls --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 ++ .../matrix-bridge-mautrix-signal/templates/config.yaml.j2 | 2 ++ 2 files changed, 4 insertions(+) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 149f16e8a..978fa99fa 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml 
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -50,6 +50,8 @@ matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080" matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}" matrix_mautrix_signal_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}" +matrix_mautrix_signal_extev_polls: false + matrix_mautrix_signal_command_prefix: "!signal" # Displayname template for Signal users. diff --git a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 index f2feecb3a..be9e4bbe1 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2 @@ -19,6 +19,8 @@ network: # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s' # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s' location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s' + # Should polls be sent using unstable MSC3381 event types? + extev_polls: {{ matrix_mautrix_signal_extev_polls | to_json }} # Config options that affect the central bridge module. bridge: From 97a1562942d4a80b0e3298c3ecb4f194a7dd87a0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 17 Nov 2025 16:19:16 +0000 Subject: [PATCH 026/209] chore(deps): update dock.mau.dev/maubot/maubot docker tag to v0.6.0 --- roles/custom/matrix-bot-maubot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-maubot/defaults/main.yml b/roles/custom/matrix-bot-maubot/defaults/main.yml index e6e6694e9..a7ea31e90 100644 --- a/roles/custom/matrix-bot-maubot/defaults/main.yml +++ b/roles/custom/matrix-bot-maubot/defaults/main.yml 
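Review bot: `matrix_mautrix_signal_extev_polls` is added to `defaults/main.yml` with no comment, while neighbouring variables in the same hunk are documented (e.g. `# Displayname template for Signal users.`). The only explanation is the template comment in the `config.yaml.j2` hunk, which operators editing `vars.yml` are unlikely to read. I would add above the variable `# Controls whether polls are bridged using unstable MSC3381 event types (maps to extev_polls in the bridge config).` so the effect of turning on an unstable event type is visible where the default is defined.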
@@ -30,7 +30,7 @@ matrix_bot_maubot_docker_repo: "https://mau.dev/maubot/maubot.git" matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}" # renovate: datasource=docker depName=dock.mau.dev/maubot/maubot -matrix_bot_maubot_version: v0.5.2 +matrix_bot_maubot_version: v0.6.0 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_registry_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}" matrix_bot_maubot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else matrix_bot_maubot_docker_image_registry_prefix_upstream }}" matrix_bot_maubot_docker_image_registry_prefix_upstream: "{{ matrix_bot_maubot_docker_image_registry_prefix_upstream_default }}" From d05c83d0d500d1d04655c8730b0688928afaae4b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Nov 2025 06:23:43 +0200 Subject: [PATCH 027/209] Bump Anthropic text-generation model for baibot (`claude-3-7-sonnet-20250219` -> `claude-sonnet-4-5-20250929`) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index e46882f9b..b8cab0f2f 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -204,8 +204,8 @@ matrix_bot_baibot_config_agents_static_definitions_anthropic_config_base_url: ht matrix_bot_baibot_config_agents_static_definitions_anthropic_config_api_key: "" matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_enabled: true -# For valid model choices, see: https://platform.anthropic.com/docs/models -matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_model_id: claude-3-7-sonnet-20250219 +# For valid model choices, see: https://docs.claude.com/en/docs/about-claude/models/overview +matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_model_id: claude-sonnet-4-5-20250929 # The prompt text to use (can be null or empty to not use a prompt). # See: https://huggingface.co/docs/transformers/en/tasks/prompting matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}" From 4b2919b5385a527b0da7920095bedb18fb26b1f8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 18 Nov 2025 06:24:08 +0200 Subject: [PATCH 028/209] Bump OpenAI text-generation model for baibot (`gpt-5` -> `gpt-5.1`) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index b8cab0f2f..d925f6419 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -368,7 +368,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: "" matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true # For valid model choices, see: https://platform.openai.com/docs/models -matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5 +matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.1 # The prompt text to use (can be null or empty to not use a prompt). # See: https://huggingface.co/docs/transformers/en/tasks/prompting matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}" From 9582f6a56596a19562192238b2e66c11be46c660 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 18 Nov 2025 15:02:42 +0000 Subject: [PATCH 029/209] chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.4 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 318fdf99b..ee096431b 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.12.3 +matrix_client_element_version: v1.12.4 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From 0ab40bbd9c70f2e67ab10d0976efe5537e0161f4 Mon Sep 17 00:00:00 2001 From: Richard Meyer Date: Tue, 18 Nov 2025 18:14:25 -0600 Subject: [PATCH 030/209] Update synapse to v1.142.1 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a21a85b4d..636259a31 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.141.0 +matrix_synapse_version: v1.142.1 matrix_synapse_username: '' matrix_synapse_uid: '' From 388e79ea5a60548e587d547c3a9c80db8a14dc5a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 19 Nov 2025 04:15:43 +0000 Subject: [PATCH 031/209] chore(deps): update dependency traefik to v3.6.2-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 99e159cdb..3645ba8b3 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -67,7 +67,7 @@ version: v1.1.0-0 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.1-0 + version: v3.6.2-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-2 From fb2d7481dc9c92487264a1a2d0a75bd3e63e0d12 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 19 Nov 2025 06:50:55 +0200 Subject: [PATCH 032/209] Upgrade playbook-state-preserver (ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 -> dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3645ba8b3..e346f5a65 100644 --- a/requirements.yml +++ b/requirements.yml @@ -40,7 +40,7 @@ version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 name: playbook_runtime_messages - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git - version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16 + version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f name: playbook_state_preserver - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git version: v18.1-0 From b464f3cc552dd64d0406098d0a7fc528046a9ef7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 20 Nov 2025 06:14:56 +0200 Subject: [PATCH 033/209] Upgrade baibot (v1.8.1 -> v1.8.2) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index d925f6419..99d058476 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.8.1 +matrix_bot_baibot_version: v1.8.2 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" From a116620238a8f30a645c9b5e7f6655016399031f Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Thu, 20 Nov 2025 17:16:04 +0900 Subject: [PATCH 034/209] Update the link to the FluffyChat website Signed-off-by: Suguru Hirahara --- docs/configuring-playbook-client-fluffychat-web.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuring-playbook-client-fluffychat-web.md b/docs/configuring-playbook-client-fluffychat-web.md index a438c585d..d28298b42 100644 --- a/docs/configuring-playbook-client-fluffychat-web.md +++ b/docs/configuring-playbook-client-fluffychat-web.md @@ -13,7 +13,7 @@ FluffyChat Web is a cute cross-platform (web, iOS, Android) messenger for Matrix 💡 **Note**: the latest version of FluffyChat Web is also available on the web, hosted by 3rd parties. If you trust giving your credentials to the following 3rd party Single Page Application, you can consider using it from there: -- [fluffychat.im](https://fluffychat.im/web), hosted by the [FluffyChat](https://fluffychat.im/) developers +- [fluffychat.im](https://fluffychat.im/web), hosted by the [FluffyChat](https://fluffy.chat/) developers ## Adjusting DNS records 
From 718113196795c9f0c20c4e6d03f774a0c99a7c34 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 20 Nov 2025 17:56:24 +0000 Subject: [PATCH 035/209] chore(deps): update actions/checkout action to v6 --- .github/workflows/matrix.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 6865c4304..dc26ae656 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Run yamllint uses: frenck/action-yamllint@v1.5.0 ansible-lint: @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Run ansible-lint uses: ansible/ansible-lint@v25.11.0 @@ -37,6 +37,6 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@v6 - name: Run pre-commit uses: pre-commit/action@v3.0.1 From 6cc837600ae079f13c90ab2cde949af7b3ca0973 Mon Sep 17 00:00:00 2001 
From: Suguru Hirahara Date: Sun, 23 Nov 2025 04:53:37 +0000 Subject: [PATCH 036/209] Add Matrix.to (#4750) --- CHANGELOG.md | 8 + README.md | 1 + docs/configuring-playbook-matrixto.md | 68 +++++++ docs/configuring-playbook.md | 2 + group_vars/matrix_servers | 32 ++++ roles/custom/matrix-base/defaults/main.yml | 3 + .../custom/matrix-matrixto/defaults/main.yml | 178 ++++++++++++++++++ .../custom/matrix-matrixto/tasks/install.yml | 100 ++++++++++ roles/custom/matrix-matrixto/tasks/main.yml | 27 +++ .../matrix-matrixto/tasks/uninstall.yml | 45 +++++ .../matrix-matrixto/tasks/validate_config.yml | 43 +++++ roles/custom/matrix-matrixto/templates/env.j2 | 7 + .../matrix-matrixto/templates/labels.j2 | 59 ++++++ .../systemd/matrix-matrixto.service.j2 | 59 ++++++ setup.yml | 1 + 15 files changed, 633 insertions(+) create mode 100644 docs/configuring-playbook-matrixto.md create mode 100644 roles/custom/matrix-matrixto/defaults/main.yml create mode 100644 roles/custom/matrix-matrixto/tasks/install.yml create mode 100644 roles/custom/matrix-matrixto/tasks/main.yml create mode 100644 roles/custom/matrix-matrixto/tasks/uninstall.yml create mode 100644 roles/custom/matrix-matrixto/tasks/validate_config.yml create mode 100644 roles/custom/matrix-matrixto/templates/env.j2 create mode 100644 roles/custom/matrix-matrixto/templates/labels.j2 create mode 100644 roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 diff --git a/CHANGELOG.md b/CHANGELOG.md index e164369d3..a295446f7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +# 2025-11-23 + +## Matrix.to support + +The playbook now supports [Matrix.to](https://github.com/matrix-org/matrix.to) — a simple URL redirection service which powers [matrix.to](https://matrix.to). + +To learn more, see our [Setting up Matrix.to](docs/configuring-playbook-matrixto.md) documentation page. + # 2025-11-09 ## matrix-appservice-webhooks has been removed from the playbook 
diff --git a/README.md b/README.md index 4fa5954a7..8e90f577d 100644 --- a/README.md +++ b/README.md @@ -179,6 +179,7 @@ Various services that don't fit any other categories. | [synapse_auto_accept_invite](https://github.com/matrix-org/synapse-auto-accept-invite) | ❌ | Synapse module to automatically accept invites | [Link](docs/configuring-playbook-synapse-auto-accept-invite.md) | | [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | ❌ | Cli tool that automatically compresses `state_groups` database table in background | [Link](docs/configuring-playbook-synapse-auto-compressor.md) | | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | ❌ | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) | +| [Matrix.to](https://github.com/matrix-org/matrix.to) | ❌ | Simple URL redirection service for the Matrix ecosystem | [Link](docs/configuring-playbook-matrixto.md) | | [Etherpad](https://etherpad.org) | ❌ | Open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) | | [Jitsi](https://jitsi.org/) | ❌ | Open source video-conferencing platform | [Link](docs/configuring-playbook-jitsi.md) | | [Cactus Comments](https://cactus.chat) | ❌ | Federated comment system built on Matrix | [Link](docs/configuring-playbook-cactus-comments.md) | diff --git a/docs/configuring-playbook-matrixto.md b/docs/configuring-playbook-matrixto.md new file mode 100644 index 000000000..f8cc60e47 --- /dev/null +++ b/docs/configuring-playbook-matrixto.md 
@@ -0,0 +1,68 @@ + + +# Setting up Matrix.to (optional) + +The playbook can install and configure the [Matrix.to](https://github.com/matrix-org/matrix.to) URL redirection service for you. + +See the project's [documentation](https://github.com/matrix-org/matrix.to/blob/main/README.md) to learn what it does and why it might be useful to you. + +## Adjusting DNS records + +By default, this playbook installs Matrix.to on the `mt.` subdomain (`mt.example.com`) and requires you to create a CNAME record for `mt`, which targets `matrix.example.com`. + +When setting, replace `example.com` with your own. + +## Adjusting the playbook configuration + +To enable Matrix.to, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file: + +```yaml +matrix_matrixto_enabled: true +``` + +### Adjusting the Matrix.to URL (optional) + +By tweaking the `matrix_matrixto_hostname` variable, you can easily make the service available at a **different hostname** than the default one. + +Example additional configuration for your `vars.yml` file: + +```yaml +# Change the default hostname +matrix_matrixto_hostname: t.example.com +``` + +After changing the domain, **you may need to adjust your DNS** records to point the Matrix.to domain to the Matrix server. + +### Extending the configuration + +There are some additional things you may wish to configure about the server. 
+ +Take a look at: + +- `roles/custom/matrix-matrixto/defaults/main.yml` for some variables that you can customize via your `vars.yml` file + +## Installing + +After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below: + + +```sh +ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start +``` + +The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all` + +`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too. + +## Usage + +Refer to the project's [documentation](https://github.com/matrix-org/matrix.to/blob/main/README.md) for available parameters, etc. + +## Troubleshooting + +As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-matrixto`. diff --git a/docs/configuring-playbook.md b/docs/configuring-playbook.md index 85127a0ac..31fd9e63d 100644 --- a/docs/configuring-playbook.md +++ b/docs/configuring-playbook.md @@ -247,6 +247,8 @@ Various services that don't fit any other categories. - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced) +- [Setting up Matrix.to](configuring-playbook-matrixto.md) + - [Setting up Etherpad](configuring-playbook-etherpad.md) - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2d9457f29..781d7ee53 100755 
--- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -363,6 +363,8 @@ devture_systemd_service_manager_services_list_auto: | + ([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else []) + + ([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else []) + + ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else []) + ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else []) 
@@ -3077,6 +3079,36 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati # ###################################################################### +###################################################################### +# +# matrix-matrixto +# +###################################################################### + +# We don't enable matrixto by default. +matrix_matrixto_enabled: false + +# The container image is not provided at https://github.com/matrix-org/matrix.to +matrix_matrixto_container_image_self_build: true + +matrix_matrixto_hostname: "{{ matrix_server_fqn_matrixto }}" + +matrix_matrixto_container_network: matrix-matrixto + +matrix_matrixto_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}" + +matrix_matrixto_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5000') if matrix_playbook_service_host_bind_interface_prefix else '' }}" + +matrix_matrixto_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}" +matrix_matrixto_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_matrixto_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_matrixto_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" + +###################################################################### +# +# /matrix-matrixto +# +###################################################################### ###################################################################### # diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 5c6723926..c389d67e7 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
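Review bot: The comment above `matrix_matrixto_container_image_self_build: true` says only that no image is provided at github.com/matrix-org/matrix.to; it does not say where the self-built source comes from. The role defaults added in this same commit point `matrix_matrixto_container_image_self_build_repo` at a seed.radicle.garden repository and name the image `shirahara/matrixto`, so the build appears to use a separately maintained packaging rather than the matrix-org tree. I would state that here, e.g. `# No prebuilt image is published; the image is built on the server from matrix_matrixto_container_image_self_build_repo (a third-party packaging of Matrix.to).`, so operators know which source they are trusting before they enable the service.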
@@ -148,6 +148,9 @@ matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}" # This is where you access rageshake. matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}" +# This is where you access Matrix.to. +matrix_server_fqn_matrixto: "mt.{{ matrix_domain }}" + matrix_federation_public_port: 8448 # The name of the Traefik entrypoint for handling Matrix Federation diff --git a/roles/custom/matrix-matrixto/defaults/main.yml b/roles/custom/matrix-matrixto/defaults/main.yml new file mode 100644 index 000000000..702ffdabe --- /dev/null +++ b/roles/custom/matrix-matrixto/defaults/main.yml 
@@ -0,0 +1,178 @@ +# SPDX-FileCopyrightText: 2023 - 2024 Nikita Chernyi +# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev +# SPDX-FileCopyrightText: 2024 Sergio Durigan Junior +# SPDX-FileCopyrightText: 2025 MASH project contributors +# SPDX-FileCopyrightText: 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +# Project source code URL: https://app.radicle.xyz/nodes/seed.radicle.garden/rad%3Az3Re1EQbd186vUQDwHByYiLadsVWY + +matrix_matrixto_enabled: true + +matrix_matrixto_identifier: matrix-matrixto +matrix_matrixto_base_path: "/{{ matrix_matrixto_identifier }}" + +matrix_matrixto_version: 1.2.17-1 + +matrix_matrixto_scheme: https + +# The hostname at which Matrix.to is served. +matrix_matrixto_hostname: "" + +# The path at which Matrix.to is exposed. +# This value must either be `/` or not end with a slash (e.g. `/matrixto`). +# +# Hosting Matrix.to under a subpath does not seem to be possible due to Matrix.to's +# technical limitations. +matrix_matrixto_path_prefix: / + +matrix_matrixto_container_image: "{{ matrix_matrixto_container_image_registry_prefix }}shirahara/matrixto:{{ matrix_matrixto_container_image_tag }}" +matrix_matrixto_container_image_tag: "{{ matrix_matrixto_version }}" +matrix_matrixto_container_image_registry_prefix: "{{ matrix_matrixto_container_image_registry_prefix_upstream }}" +matrix_matrixto_container_image_registry_prefix_upstream: "{{ matrix_matrixto_container_image_registry_prefix_upstream_default }}" +matrix_matrixto_container_image_registry_prefix_upstream_default: "" +matrix_matrixto_container_image_force_pull: "{{ matrix_matrixto_container_image.endswith(':latest') }}" + +matrix_matrixto_container_image_self_build: true +matrix_matrixto_container_image_self_build_name: "shirahara/matrixto:{{ matrix_matrixto_container_image_self_build_repo_version }}" +matrix_matrixto_container_image_self_build_repo: "https://seed.radicle.garden/z3Re1EQbd186vUQDwHByYiLadsVWY.git" 
+matrix_matrixto_container_image_self_build_repo_version: "{{ matrix_matrixto_version if matrix_matrixto_version != 'latest' else 'main' }}" +matrix_matrixto_container_image_self_build_src_files_path: "{{ matrix_matrixto_base_path }}/docker-src" + +# Controls whether the container exposes its HTTP port (tcp/8080 in the container). +# +# Takes an ":" or "" value (e.g. "127.0.0.1:2586"), or empty string to not expose. +matrix_matrixto_container_http_host_bind_port: "" + +# The base container network. It will be auto-created by this role if it doesn't exist already. +matrix_matrixto_container_network: "{{ matrix_matrixto_identifier }}" + +# The port number in the container +matrix_matrixto_container_http_port: 5000 + +# A list of additional container networks that the container would be connected to. +# The role does not create these networks, so make sure they already exist. +# Use this to expose this container to another reverse proxy, which runs in a different container network. +matrix_matrixto_container_additional_networks: "{{ matrix_matrixto_container_additional_networks_auto + matrix_matrixto_container_additional_networks_custom }}" +matrix_matrixto_container_additional_networks_auto: [] +matrix_matrixto_container_additional_networks_custom: [] + +# A list of additional "volumes" to mount in the container. +# This list gets populated dynamically at runtime. You can provide a different default value, +# if you wish to mount your own files into the container. +# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}. +# See the `--mount` documentation for the `docker run` command. 
+matrix_matrixto_container_additional_volumes: "{{ matrix_matrixto_container_additional_volumes_auto + matrix_matrixto_container_additional_volumes_custom }}" +matrix_matrixto_container_additional_volumes_auto: [] +matrix_matrixto_container_additional_volumes_custom: [] + +# matrix_matrixto_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# See `../templates/labels.j2` for details. +# +# To inject your own other container labels, see `matrix_matrixto_container_labels_additional_labels`. +matrix_matrixto_container_labels_traefik_enabled: true +matrix_matrixto_container_labels_traefik_docker_network: "{{ matrix_matrixto_container_network }}" +matrix_matrixto_container_labels_traefik_hostname: "{{ matrix_matrixto_hostname }}" +# The path prefix must either be `/` or not end with a slash (e.g. `/matrixto`). +matrix_matrixto_container_labels_traefik_path_prefix: "{{ matrix_matrixto_path_prefix }}" +matrix_matrixto_container_labels_traefik_rule: "Host(`{{ matrix_matrixto_container_labels_traefik_hostname }}`){% if matrix_matrixto_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_matrixto_container_labels_traefik_path_prefix }}`){% endif %}" +matrix_matrixto_container_labels_traefik_priority: 0 +matrix_matrixto_container_labels_traefik_entrypoints: web-secure +matrix_matrixto_container_labels_traefik_tls: "{{ matrix_matrixto_container_labels_traefik_entrypoints != 'web' }}" +matrix_matrixto_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls which additional headers to attach to all HTTP requests. 
+# To add your own custom request headers, use `matrix_matrixto_container_labels_traefik_additional_request_headers_custom` +matrix_matrixto_container_labels_traefik_additional_request_headers: "{{ matrix_matrixto_container_labels_traefik_additional_request_headers_auto | combine(matrix_matrixto_container_labels_traefik_additional_request_headers_custom) }}" +matrix_matrixto_container_labels_traefik_additional_request_headers_auto: {} +matrix_matrixto_container_labels_traefik_additional_request_headers_custom: {} + +# Controls which additional headers to attach to all HTTP responses. +# To add your own custom response headers, use `matrix_matrixto_container_labels_traefik_additional_response_headers_custom` +matrix_matrixto_container_labels_traefik_additional_response_headers: "{{ matrix_matrixto_container_labels_traefik_additional_response_headers_auto | combine(matrix_matrixto_container_labels_traefik_additional_response_headers_custom) }}" +matrix_matrixto_container_labels_traefik_additional_response_headers_auto: | + {{ + {} + | combine ({'X-XSS-Protection': matrix_matrixto_http_header_xss_protection} if matrix_matrixto_http_header_xss_protection else {}) + | combine ({'X-Content-Type-Options': matrix_matrixto_http_header_content_type_options} if matrix_matrixto_http_header_content_type_options else {}) + | combine ({'Content-Security-Policy': matrix_matrixto_http_header_content_security_policy} if matrix_matrixto_http_header_content_security_policy else {}) + | combine ({'Permissions-Policy': matrix_matrixto_http_header_permissions_policy} if matrix_matrixto_http_header_permissions_policy else {}) + | combine ({'Strict-Transport-Security': matrix_matrixto_http_header_strict_transport_security} if matrix_matrixto_http_header_strict_transport_security and matrix_matrixto_container_labels_traefik_tls else {}) + }} +matrix_matrixto_container_labels_traefik_additional_response_headers_custom: {} + +# matrix_matrixto_container_labels_additional_labels contains a 
multiline string with additional labels to add to the container label file. +# See `../templates/labels.j2` for details. +# +# Example: +# matrix_matrixto_container_labels_additional_labels: | +# my.label=1 +# another.label="here" +matrix_matrixto_container_labels_additional_labels: "" + +# A list of extra arguments to pass to the container (`docker run` command) +matrix_matrixto_container_extra_arguments: [] + +# Specifies the value of the `X-XSS-Protection` header +# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. +# +# Learn more about it is here: +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection +# - https://portswigger.net/web-security/cross-site-scripting/reflected +matrix_matrixto_http_header_xss_protection: "1; mode=block" + +# Specifies the value of the `X-Content-Type-Options` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options +matrix_matrixto_http_header_content_type_options: nosniff + +# Specifies the value of the `Content-Security-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy +matrix_matrixto_http_header_content_security_policy: frame-ancestors 'self' + +# Specifies the value of the `Permissions-Policy` header. +# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy +matrix_matrixto_http_header_permissions_policy: "{{ 'interest-cohort=()' if matrix_matrixto_floc_optout_enabled else '' }}" + +# Specifies the value of the `Strict-Transport-Security` header. 
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +matrix_matrixto_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_matrixto_hsts_preload_enabled else '' }}" + +# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses +# +# Learn more about what it is here: +# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea +# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network +# - https://amifloced.org/ +# +# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices. +# See: `matrix_matrixto_http_header_permissions_policy` +matrix_matrixto_floc_optout_enabled: true + +# Controls if HSTS preloading is enabled +# +# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and +# indicates a willingness to be "preloaded" into browsers: +# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` +# For more information visit: +# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security +# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security +# - https://hstspreload.org/#opt-in +# See: `matrix_matrixto_http_header_strict_transport_security` +matrix_matrixto_hsts_preload_enabled: false + +# List of systemd services that the Matrix.to systemd service depends on +matrix_matrixto_systemd_required_services_list: "{{ matrix_matrixto_systemd_required_services_list_default + matrix_matrixto_systemd_required_services_list_auto + matrix_matrixto_systemd_required_services_list_custom }}" +matrix_matrixto_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" +matrix_matrixto_systemd_required_services_list_auto: [] 
+matrix_matrixto_systemd_required_services_list_custom: [] + +# List of systemd services that the Matrix.to systemd service wants +matrix_matrixto_systemd_wanted_services_list: "{{ matrix_matrixto_systemd_wanted_services_list_default + matrix_matrixto_systemd_wanted_services_list_auto + matrix_matrixto_systemd_wanted_services_list_custom }}" +matrix_matrixto_systemd_wanted_services_list_default: [] +matrix_matrixto_systemd_wanted_services_list_auto: [] +matrix_matrixto_systemd_wanted_services_list_custom: [] + +# Additional environment variables. +matrix_matrixto_environment_variables_additional_variables: "" diff --git a/roles/custom/matrix-matrixto/tasks/install.yml b/roles/custom/matrix-matrixto/tasks/install.yml new file mode 100644 index 000000000..51a316c43 --- /dev/null +++ b/roles/custom/matrix-matrixto/tasks/install.yml 
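Review bot: `matrix_matrixto_container_image_self_build_repo_version` resolves to the tag `1.2.17-1` (or the `main` branch for `latest`) on the seed.radicle.garden repository, and self-build is the default, so every install builds whatever that ref points to at clone time. A tag or branch can be moved after it was reviewed, and `ansible.builtin.git` accepts a SHA-1 for `version`, so I would document that a full commit hash is accepted and prefer one for the default, e.g. `matrix_matrixto_container_image_self_build_repo_version: "<full commit hash of the reviewed revision>"` (placeholder). Separately, the comment on `matrix_matrixto_container_http_host_bind_port` says `tcp/8080 in the container` and gives `127.0.0.1:2586` as its example, while `matrix_matrixto_container_http_port` is 5000. That comment should read `tcp/5000 in the container` with a matching example, so nobody publishes or firewalls the wrong port.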
@@ -0,0 +1,100 @@ +# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev +# SPDX-FileCopyrightText: 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +- name: Ensure Matrix.to path exists + ansible.builtin.file: + path: "{{ item }}" + state: directory + mode: "0750" + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + with_items: + - "{{ matrix_matrixto_base_path }}" + +- name: Ensure Matrix.to support files installed + ansible.builtin.template: + src: "{{ role_path }}/templates/{{ item }}.j2" + dest: "{{ matrix_matrixto_base_path }}/{{ item }}" + mode: "0640" + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + with_items: + - env + - labels + +- name: Run if self-building of Matrix.to container image is not enabled + when: "not matrix_matrixto_container_image_self_build | bool" + block: + - name: Ensure Matrix.to container image is pulled via community.docker.docker_image + when: devture_systemd_docker_base_container_image_pull_method == 'ansible-module' + community.docker.docker_image: + name: "{{ matrix_matrixto_container_image }}" + source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" + force_source: "{{ matrix_matrixto_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_container_image_force_pull }}" + register: result + retries: "{{ devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + + - name: Ensure Matrix.to container image is pulled via ansible.builtin.command + when: devture_systemd_docker_base_container_image_pull_method == 'command' + ansible.builtin.command: + cmd: "{{ devture_systemd_docker_base_host_command_docker }} pull {{ matrix_matrixto_container_image }}" + register: result + retries: "{{ 
devture_playbook_help_container_retries_count }}" + delay: "{{ devture_playbook_help_container_retries_delay }}" + until: result is not failed + changed_when: "'Downloaded newer image' in result.stdout" + +- name: Run if self-building of Matrix.to container image is enabled + when: "matrix_matrixto_container_image_self_build | bool" + block: + - name: Ensure Matrix.to repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_matrixto_container_image_self_build_repo }}" + version: "{{ matrix_matrixto_container_image_self_build_repo_version }}" + dest: "{{ matrix_matrixto_container_image_self_build_src_files_path }}" + force: "yes" + register: matrix_matrixto_git_pull_results + + - name: Ensure Matrix.to container image is built + community.docker.docker_image: + name: "{{ matrix_matrixto_container_image_self_build_name }}" + source: build + force_source: "{{ matrix_matrixto_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}" + pull: true + args: + +- name: Ensure Matrix.to container network is created via community.docker.docker_network + when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module' + community.docker.docker_network: + enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}" + name: "{{ matrix_matrixto_container_network }}" + driver: bridge + driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}" + +- name: Ensure Matrix.to container network is created via ansible.builtin.command + when: devture_systemd_docker_base_container_network_creation_method == 'command' + ansible.builtin.command: + cmd: >- + {{ devture_systemd_docker_base_host_command_docker }} network create + {% if 
devture_systemd_docker_base_ipv6_enabled %}--ipv6{% endif %} + {{ devture_systemd_docker_base_container_networks_driver_options_string }} + {{ matrix_matrixto_container_network }} + register: network_creation_result + changed_when: network_creation_result.rc == 0 + failed_when: network_creation_result.rc != 0 and 'already exists' not in network_creation_result.stderr + +- name: Ensure Matrix.to systemd service is present + ansible.builtin.template: + src: "{{ role_path }}/templates/systemd/matrix-matrixto.service.j2" + dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_matrixto_identifier }}.service" + mode: "0644" diff --git a/roles/custom/matrix-matrixto/tasks/main.yml b/roles/custom/matrix-matrixto/tasks/main.yml new file mode 100644 index 000000000..c600287f5 --- /dev/null +++ b/roles/custom/matrix-matrixto/tasks/main.yml @@ -0,0 +1,27 @@ +# SPDX-FileCopyrightText: 2023 Slavi Pantaleev +# SPDX-FileCopyrightText: 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +- name: Perform Matrix.to installation tasks + when: matrix_matrixto_enabled | bool + tags: + - setup-all + - setup-matrixto + - install-all + - install-matrixto + block: + - name: Validate Matrix.to configuration + ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml" + - name: Install Matrix.to + ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml" + +- name: Perform Matrix.to uninstallation tasks + when: not matrix_matrixto_enabled | bool + tags: + - setup-all + - setup-matrixto + block: + - name: Uninstall Matrix.to + ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml" diff --git a/roles/custom/matrix-matrixto/tasks/uninstall.yml b/roles/custom/matrix-matrixto/tasks/uninstall.yml new file mode 100644 index 000000000..8eb66b561 --- /dev/null +++ b/roles/custom/matrix-matrixto/tasks/uninstall.yml 
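Review bot: The `build:` mapping in "Ensure Matrix.to container image is built" (install.yml) ends with a bare `args:` key, which YAML reads as null rather than as an empty mapping. It presumably means "no build arguments", but a reader cannot tell whether entries were dropped by accident. Either remove the key or write `args: {}` so the intent is explicit.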
@@ -0,0 +1,45 @@ +# SPDX-FileCopyrightText: 2023 Slavi Pantaleev +# SPDX-FileCopyrightText: 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +- name: Check existence of Matrix.to systemd service + ansible.builtin.stat: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_matrixto_identifier }}.service" + register: matrix_matrixto_service_stat + +- name: Uninstall Matrix.to systemd services and files + when: matrix_matrixto_service_stat.stat.exists | bool + block: + - name: Ensure Matrix.to systemd service is stopped + ansible.builtin.service: + name: "{{ matrix_matrixto_identifier }}" + state: stopped + enabled: false + daemon_reload: true + + - name: Ensure Matrix.to systemd service does not exist + ansible.builtin.file: + path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_matrixto_identifier }}.service" + state: absent + + - name: Ensure Matrix.to container network does not exist via community.docker.docker_network + when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module' + community.docker.docker_network: + name: "{{ matrix_matrixto_container_network }}" + state: absent + + - name: Ensure Matrix.to container network does not exist via ansible.builtin.command + when: devture_systemd_docker_base_container_network_creation_method == 'command' + ansible.builtin.command: + cmd: >- + {{ devture_systemd_docker_base_host_command_docker }} network rm + {{ matrix_matrixto_container_network }} + register: network_deletion_result + changed_when: matrix_matrixto_container_network in network_deletion_result.stdout + + - name: Ensure Matrix.to path does not exist + ansible.builtin.file: + path: "{{ matrix_matrixto_base_path }}" + state: absent diff --git a/roles/custom/matrix-matrixto/tasks/validate_config.yml b/roles/custom/matrix-matrixto/tasks/validate_config.yml new file mode 100644 index 000000000..f7d807d18 --- /dev/null +++ b/roles/custom/matrix-matrixto/tasks/validate_config.yml 
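Review bot: The command variant of the network removal ("Ensure Matrix.to container network does not exist via ansible.builtin.command") has no `failed_when`, so any non-zero exit from `docker network rm` stops the play, for example when the network is already gone or still has a container attached. By that point the unit file has been deleted, and because the whole block is gated on `matrix_matrixto_service_stat.stat.exists`, a re-run skips the block and `matrix_matrixto_base_path` with its `env` and `labels` files stays on disk. Moving "Ensure Matrix.to path does not exist" ahead of the network tasks, or out of the gated block, would keep a failed network removal from leaving that directory behind. The install side already tolerates the mirror case with `'already exists' not in network_creation_result.stderr`.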
@@ -0,0 +1,43 @@ +# SPDX-FileCopyrightText: 2023 Slavi Pantaleev +# SPDX-FileCopyrightText: 2025 Suguru Hirahara +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +--- +- name: Fail if required Matrix.to settings not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "lookup('vars', item, default='') | string | length == 0" + with_items: + - matrix_matrixto_hostname + - matrix_matrixto_path_prefix + - matrix_matrixto_container_network + +- name: Run if Traefik is enabled + when: matrix_matrixto_container_labels_traefik_enabled | bool + block: + - name: Fail if Traefik settings required for Matrix.to are not defined + ansible.builtin.fail: + msg: >- + You need to define a required configuration setting (`{{ item }}`). + when: "lookup('vars', item, default='') | string | length == 0" + with_items: + - matrix_matrixto_container_labels_traefik_hostname + - matrix_matrixto_container_labels_traefik_path_prefix + + - name: Fail if matrix_matrixto_container_labels_traefik_path_prefix is different than / + ansible.builtin.fail: + msg: >- + matrix_matrixto_container_labels_traefik_path_prefix (`{{ matrix_matrixto_container_labels_traefik_path_prefix }}`) must be `/`. + Matrix.to does not support hosting under a subpath yet. + when: "matrix_matrixto_container_labels_traefik_path_prefix != '/'" + + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that `matrix_matrixto_container_labels_traefik_path_prefix` does not end with a slash + # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_matrixto_container_labels_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_matrixto_container_labels_traefik_path_prefix (`{{ matrix_matrixto_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/matrixto`). 
+ when: "matrix_matrixto_container_labels_traefik_path_prefix != '/' and matrix_matrixto_container_labels_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-matrixto/templates/env.j2 b/roles/custom/matrix-matrixto/templates/env.j2 new file mode 100644 index 000000000..f9c78d0f3 --- /dev/null +++ b/roles/custom/matrix-matrixto/templates/env.j2 @@ -0,0 +1,7 @@ +{# +SPDX-FileCopyrightText: 2025 Suguru Hirahara + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{{ matrix_matrixto_environment_variables_additional_variables }} diff --git a/roles/custom/matrix-matrixto/templates/labels.j2 b/roles/custom/matrix-matrixto/templates/labels.j2 new file mode 100644 index 000000000..54c45a4b6 --- /dev/null +++ b/roles/custom/matrix-matrixto/templates/labels.j2 
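Review bot: The last task in validate_config.yml, "Fail if matrix_matrixto_container_labels_traefik_path_prefix ends with a slash", can never fire. The task before it already fails for every value other than `/`, and this one requires `!= '/'`. The two messages also disagree: one says the prefix "must be `/`", the other offers `/matrixto` as a valid example. I would drop the trailing-slash task and its comment until subpath hosting is supported. If it stays, say so in the comment, e.g. `# Inert while the "must be /" check above is in place; kept for when subpath hosting is supported.`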
@@ -0,0 +1,59 @@ +{# +SPDX-FileCopyrightText: 2023 Slavi Pantaleev +SPDX-FileCopyrightText: 2025 Suguru Hirahara + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{% if matrix_matrixto_container_labels_traefik_enabled %} +traefik.enable=true + +{% if matrix_matrixto_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_matrixto_container_labels_traefik_docker_network }} +{% endif %} + +{% set middlewares = [] %} + +{% if matrix_matrixto_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ matrix_matrixto_identifier }}-slashless-redirect.redirectregex.regex=^({{ matrix_matrixto_container_labels_traefik_path_prefix | quote }})$ +traefik.http.middlewares.{{ matrix_matrixto_identifier }}-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + [matrix_matrixto_identifier + '-slashless-redirect'] %} +{% endif %} + +{% if matrix_matrixto_container_labels_traefik_path_prefix != '/' %} +traefik.http.middlewares.{{ matrix_matrixto_identifier }}-strip-prefix.stripprefix.prefixes={{ matrix_matrixto_container_labels_traefik_path_prefix }} +{% set middlewares = middlewares + [matrix_matrixto_identifier + '-strip-prefix'] %} +{% endif %} + +{% if matrix_matrixto_container_labels_traefik_additional_request_headers.keys() | length > 0 %} +{% for name, value in matrix_matrixto_container_labels_traefik_additional_request_headers.items() %} +traefik.http.middlewares.{{ matrix_matrixto_identifier }}-add-request-headers.headers.customrequestheaders.{{ name }}={{ value }} +{% endfor %} +{% set middlewares = middlewares + [matrix_matrixto_identifier + '-add-request-headers'] %} +{% endif %} + +{% if matrix_matrixto_container_labels_traefik_additional_response_headers.keys() | length > 0 %} +{% for name, value in matrix_matrixto_container_labels_traefik_additional_response_headers.items() %} +traefik.http.middlewares.{{ matrix_matrixto_identifier }}-add-response-headers.headers.customresponseheaders.{{ name 
}}={{ value }} +{% endfor %} +{% set middlewares = middlewares + [matrix_matrixto_identifier + '-add-response-headers'] %} +{% endif %} + +traefik.http.routers.{{ matrix_matrixto_identifier }}.rule={{ matrix_matrixto_container_labels_traefik_rule }} +{% if matrix_matrixto_container_labels_traefik_priority | int > 0 %} +traefik.http.routers.{{ matrix_matrixto_identifier }}.priority={{ matrix_matrixto_container_labels_traefik_priority }} +{% endif %} +traefik.http.routers.{{ matrix_matrixto_identifier }}.service={{ matrix_matrixto_identifier }} +{% if middlewares | length > 0 %} +traefik.http.routers.{{ matrix_matrixto_identifier }}.middlewares={{ middlewares | join(',') }} +{% endif %} +traefik.http.routers.{{ matrix_matrixto_identifier }}.entrypoints={{ matrix_matrixto_container_labels_traefik_entrypoints }} +traefik.http.routers.{{ matrix_matrixto_identifier }}.tls={{ matrix_matrixto_container_labels_traefik_tls | to_json }} +{% if matrix_matrixto_container_labels_traefik_tls %} +traefik.http.routers.{{ matrix_matrixto_identifier }}.tls.certResolver={{ matrix_matrixto_container_labels_traefik_tls_certResolver }} +{% endif %} + +traefik.http.services.{{ matrix_matrixto_identifier }}.loadbalancer.server.port={{ matrix_matrixto_container_http_port }} +{% endif %} + +{{ matrix_matrixto_container_labels_additional_labels }} diff --git a/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 b/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 new file mode 100644 index 000000000..920f423a5 --- /dev/null +++ b/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 
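Review bot: In the `slashless-redirect` middleware of labels.j2, the path prefix is interpolated into a regular expression through `| quote`, which is shell quoting, not regex escaping. A prefix containing a regex metacharacter such as `.` would match more than the literal path. One containing shell-special characters would be wrapped in single quotes that then become part of the pattern. `regex=^({{ matrix_matrixto_container_labels_traefik_path_prefix | regex_escape }})$` expresses the intent. The branch is unreachable today because validate_config.yml in this commit only accepts `/`, so this matters once subpath hosting is allowed.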
@@ -0,0 +1,59 @@ +{# +SPDX-FileCopyrightText: 2023 Slavi Pantaleev +SPDX-FileCopyrightText: 2024 Nikita Chernyi +SPDX-FileCopyrightText: 2025 Suguru Hirahara + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +[Unit] +Description=Matrix.to ({{ matrix_matrixto_identifier }}) +{% for service in matrix_matrixto_systemd_required_services_list %} +Requires={{ service }} +After={{ service }} +{% endfor %} +{% for service in matrix_matrixto_systemd_wanted_services_list %} +Wants={{ service }} +{% endfor %} +DefaultDependencies=no + +[Service] +Type=simple +Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}" +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_matrixto_identifier }} 2>/dev/null || true' +ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_matrixto_identifier }} 2>/dev/null || true' + +ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ + --rm \ + --name={{ matrix_matrixto_identifier }} \ + --log-driver=none \ + --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \ + --cap-drop=ALL \ + --read-only \ + --network={{ matrix_matrixto_container_network }} \ + {% if matrix_matrixto_container_http_host_bind_port %} + -p {{ matrix_matrixto_container_http_host_bind_port }}:{{ matrix_matrixto_container_http_port }} \ + {% endif %} + --env-file={{ matrix_matrixto_base_path }}/env \ + --label-file={{ matrix_matrixto_base_path }}/labels \ + --tmpfs=/tmp:rw,noexec,nosuid,size=128m \ + {% for arg in matrix_matrixto_container_extra_arguments %} + {{ arg }} \ + {% endfor %} + {{ matrix_matrixto_container_image_self_build_name if matrix_matrixto_container_image_self_build else matrix_matrixto_container_image }} + +{% for network in matrix_matrixto_container_additional_networks %} 
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_matrixto_identifier }} +{% endfor %} + +ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_matrixto_identifier }} + +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_matrixto_identifier }} 2>/dev/null || true' +ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_matrixto_identifier }} 2>/dev/null || true' + +Restart=always +RestartSec=30 +SyslogIdentifier={{ matrix_matrixto_identifier }} + +[Install] +WantedBy=multi-user.target diff --git a/setup.yml b/setup.yml index 1fec3de10..c2039a865 100644 --- a/setup.yml +++ b/setup.yml @@ -91,6 +91,7 @@ - custom/matrix-bot-draupnir - custom/matrix-cactus-comments - custom/matrix-cactus-comments-client + - custom/matrix-matrixto - custom/matrix-rageshake - custom/matrix-synapse - custom/matrix-synapse-auto-compressor From 2eadddcde97b2ca39e11c30934f7153267aeb431 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 23 Nov 2025 13:15:32 +0000 Subject: [PATCH 037/209] chore(deps): update gnuxie/draupnir docker tag to v2.8.0 --- .../custom/matrix-appservice-draupnir-for-all/defaults/main.yml | 2 +- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml index 51db84be3..c3bf5b258 100644 --- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml +++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml 
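Review bot: The `docker create` invocation in matrix-matrixto.service.j2 drops all capabilities, is read-only and runs as `matrix_user_uid`, but it does not set `no-new-privileges`, so a setuid binary inside the image could still change the process's uid. Adding `--security-opt=no-new-privileges \` next to `--cap-drop=ALL \` closes that. Separately, `-p {{ matrix_matrixto_container_http_host_bind_port }}:…` publishes on every host interface when the value is a bare port. The variable is defined outside this hunk; if its comment does not already say so, something like `# Takes "<ip>:<port>" or "<port>"; a bare port binds on all interfaces.` belongs there.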
@@ -12,7 +12,7 @@ matrix_appservice_draupnir_for_all_enabled: true # renovate: datasource=docker depName=gnuxie/draupnir -matrix_appservice_draupnir_for_all_version: "v2.7.1" +matrix_appservice_draupnir_for_all_version: "v2.8.0" matrix_appservice_draupnir_for_all_container_image_self_build: false matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 2d4496db1..2149196d0 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -12,7 +12,7 @@ matrix_bot_draupnir_enabled: true # renovate: datasource=docker depName=gnuxie/draupnir -matrix_bot_draupnir_version: "v2.7.1" +matrix_bot_draupnir_version: "v2.8.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" From 4caf38e682fb9a6c8f932224143be0c5f7d20ae9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 25 Nov 2025 00:42:53 +0000 Subject: [PATCH 038/209] chore(deps): update ansible/ansible-lint action to v25.11.1 --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index dc26ae656..e5317c081 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v6 - name: Run ansible-lint - uses: ansible/ansible-lint@v25.11.0 + uses: ansible/ansible-lint@v25.11.1 with: args: "roles/custom" setup_python: "true" From e128c761bad38d447024f116da76d2d1e414da14 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 24 Nov 2025 20:52:20 +0000 Subject: [PATCH 039/209] chore(deps): update dependency jitsi to v10655 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e346f5a65..d9d969878 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ version: v11.6.5-4 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v10590-0 + version: v10655-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git version: v1.9.4-0 From 6865a59e883e504954641d58cb67e39f153cef54 Mon Sep 17 00:00:00 2001 From: Michael Hoang Date: Tue, 25 Nov 2025 03:07:02 +0000 Subject: [PATCH 040/209] Document using Signal nicknames --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 978fa99fa..c1092fe0f 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -57,6 +57,7 @@ matrix_mautrix_signal_command_prefix: "!signal" # Displayname template for Signal users. # {{.ProfileName}} - The Signal profile name set by the user. # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances. +# {{.Nickname}} - The nickname set for the user in the native Signal app. This is not safe on multi-user instances. # {{.PhoneNumber}} - The phone number of the user. # {{.UUID}} - The UUID of the Signal user. # {{.AboutEmoji}} - The emoji set by the user in their profile. From 1f2f7e468ef54461f9b152de5426600f4bc4deef Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 25 Nov 2025 18:37:34 +0000 Subject: [PATCH 041/209] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.143.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 636259a31..a9bd74b06 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.142.1 +matrix_synapse_version: v1.143.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 889970314ace5c4d832840c3ca10770e8ad93412 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 26 Nov 2025 06:14:58 +0000 Subject: [PATCH 042/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2025.11.26 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index 934898c1a..f5246a316 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2025.11.12 +matrix_alertmanager_receiver_version: 2025.11.26 matrix_alertmanager_receiver_scheme: https From 430f350733e4695affccad06464a1ce73ceb1bb3 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 26 Nov 2025 11:35:09 +0200 Subject: [PATCH 043/209] Stop using deprecated `vars` variable --- .../tasks/validate_config.yml | 2 +- .../matrix-bot-draupnir/tasks/validate_config.yml | 4 ++-- .../matrix-bridge-hookshot/tasks/validate_config.yml | 10 +++++----- .../matrix-client-cinny/tasks/validate_config.yml | 2 +- roles/custom/matrix-corporal/tasks/validate_config.yml | 2 +- .../tasks/validate_config.yml | 2 +- .../matrix-static-files/tasks/validate_config.yml | 2 +- .../matrix-synapse-admin/tasks/validate_config.yml | 2 +- .../tasks/validate_config.yml | 2 +- .../tasks/ext/s3-storage-provider/validate_config.yml | 4 ++-- .../ext/synapse-http-antispam/validate_config.yml | 2 +- roles/custom/matrix-synapse/tasks/validate_config.yml | 6 +++--- 12 files changed, 20 insertions(+), 20 deletions(-) diff --git a/roles/custom/matrix-authentication-service/tasks/validate_config.yml b/roles/custom/matrix-authentication-service/tasks/validate_config.yml index ee40118a5..95a2badb0 100644 --- a/roles/custom/matrix-authentication-service/tasks/validate_config.yml +++ b/roles/custom/matrix-authentication-service/tasks/validate_config.yml @@ -9,7 +9,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] | string | length == 0" + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_authentication_service_hostname', when: true} - {'name': 'matrix_authentication_service_config_database_username', when: true} diff --git a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml index d9c2a698a..0bfec3996 100644 --- a/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-draupnir/tasks/validate_config.yml 
@@ -44,7 +44,7 @@ - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true} - {'name': 'matrix_bot_draupnir_pantalaimon_username', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"} - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"} - when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)" + when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)" - name: Fail if Draupnir room hijacking enabled without enabling the Synapse Admin API ansible.builtin.fail: @@ -57,7 +57,7 @@ with_items: - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"} - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"} - when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)" + when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)" - name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml index 5364b063c..6a09e3834 100644 --- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml @@ -51,7 +51,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_hookshot_appservice_token" - "matrix_hookshot_homeserver_address" 
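Review bot: The emptiness test kept in the hookshot checks, `lookup('vars', item, default='') == ''`, lets through a variable that is set to null. A required secret such as `matrix_hookshot_github_webhook_secret` (checked in the `@@ -62,7` hunk), if written as an empty YAML value, would therefore appear to pass validation. The draupnir hunk in this same commit handles that case with an `is none` clause; here the equivalent would be `when: "lookup('vars', item, default='') in ['', none]"`. The same `== ''` form is carried over in the other hookshot hunks and in the cinny, corporal, synapse-admin, synapse-auto-compressor and s3-storage-provider hunks. The enclosing tasks start outside each hunk, so this is based on the `when:` lines alone.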
@@ -62,7 +62,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) to enable GitHub. - when: "matrix_hookshot_github_enabled and vars[item] == ''" + when: "matrix_hookshot_github_enabled and lookup('vars', item, default='') == ''" with_items: - "matrix_hookshot_github_auth_id" - "matrix_hookshot_github_webhook_secret" @@ -71,7 +71,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) to enable GitHub OAuth. - when: "matrix_hookshot_github_oauth_enabled and vars[item] == ''" + when: "matrix_hookshot_github_oauth_enabled and lookup('vars', item, default='') == ''" with_items: - "matrix_hookshot_github_oauth_client_id" - "matrix_hookshot_github_oauth_client_secret" @@ -80,7 +80,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) to enable Jira. - when: "matrix_hookshot_jira_enabled and vars[item] == ''" + when: "matrix_hookshot_jira_enabled and lookup('vars', item, default='') == ''" with_items: - "matrix_hookshot_jira_webhook_secret" @@ -88,7 +88,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) to enable Jira OAuth. - when: "matrix_hookshot_jira_oauth_enabled and vars[item] == ''" + when: "matrix_hookshot_jira_oauth_enabled and lookup('vars', item, default='') == ''" with_items: - "matrix_hookshot_jira_oauth_client_id" - "matrix_hookshot_jira_oauth_client_secret" diff --git a/roles/custom/matrix-client-cinny/tasks/validate_config.yml b/roles/custom/matrix-client-cinny/tasks/validate_config.yml index fee52fe3c..84719ed47 100644 --- a/roles/custom/matrix-client-cinny/tasks/validate_config.yml +++ b/roles/custom/matrix-client-cinny/tasks/validate_config.yml 
@@ -36,7 +36,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_client_cinny_container_labels_traefik_hostname - matrix_client_cinny_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-corporal/tasks/validate_config.yml b/roles/custom/matrix-corporal/tasks/validate_config.yml index cb394b81c..fd5cf11d4 100644 --- a/roles/custom/matrix-corporal/tasks/validate_config.yml +++ b/roles/custom/matrix-corporal/tasks/validate_config.yml @@ -10,7 +10,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal. - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_corporal_container_network" - "matrix_corporal_matrix_homeserver_api_endpoint" diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml index 440f720fd..fa2f4ab04 100644 --- a/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml @@ -10,7 +10,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] | string | length == 0" + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_livekit_jwt_service_hostname', when: true} - {'name': 'matrix_livekit_jwt_service_container_network', when: true} diff --git a/roles/custom/matrix-static-files/tasks/validate_config.yml b/roles/custom/matrix-static-files/tasks/validate_config.yml index fb2319ca3..7924507f7 100644 --- a/roles/custom/matrix-static-files/tasks/validate_config.yml +++ b/roles/custom/matrix-static-files/tasks/validate_config.yml 
@@ -8,7 +8,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] | string | length == 0" + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"} - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"} diff --git a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml index d86fb5fac..2a3699d73 100644 --- a/roles/custom/matrix-synapse-admin/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-admin/tasks/validate_config.yml @@ -26,7 +26,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_synapse_admin_container_labels_traefik_hostname - matrix_synapse_admin_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml b/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml index 60a2cc996..65108ad85 100644 --- a/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml @@ -20,7 +20,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_synapse_auto_compressor_database_hostname - matrix_synapse_auto_compressor_database_password 
diff --git a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml index b9e84a3d2..a6b42ee7a 100644 --- a/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml @@ -9,7 +9,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket" - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name" @@ -19,7 +19,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider. - when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''" + when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and lookup('vars', item, default='') == ''" with_items: - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id" - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key" diff --git a/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml index 037842f14..cfa304bd9 100644 --- a/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml 
@@ -8,7 +8,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) for using synapse-http-antispam. - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_synapse_ext_synapse_http_antispam_enabled" - "matrix_synapse_ext_synapse_http_antispam_config_base_url" diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 9f10330a2..3f25cc934 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml @@ -10,7 +10,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] | string | length == 0" + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_synapse_username', when: true} - {'name': 'matrix_synapse_uid', when: true} @@ -48,7 +48,7 @@ ansible.builtin.fail: msg: >- `{{ item }}` cannot be more than 1. This is a single-instance worker. - when: "vars[item] | int > 1" + when: "lookup('vars', item, default='') | int > 1" with_items: - "matrix_synapse_workers_appservice_workers_count" - "matrix_synapse_workers_user_dir_workers_count" 
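Review bot: In the `@@ -48,7 +48,7 @@` hunk of roles/custom/matrix-synapse/tasks/validate_config.yml, `lookup('vars', item, default='') | int > 1` turns an undefined or misspelt variable name into 0, so the guard passes silently where `vars[item]` would presumably have stopped the run with an undefined-variable error. The `@@ -166,7 +166,7 @@` hunk of the same file has the same shape: `lookup('vars', item, default='') | bool` is false for a name that no longer exists, so the Matrix Authentication Service conflict check is skipped. The default makes the "required setting" checks fail closed, but it makes these two fail open. Dropping it here (`lookup('vars', item) | int > 1` and `lookup('vars', item) | bool`) keeps the error for unknown names.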
@@ -166,7 +166,7 @@ - name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service ansible.builtin.fail: msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise." - when: matrix_synapse_matrix_authentication_service_enabled and vars[item] | bool + when: matrix_synapse_matrix_authentication_service_enabled and lookup('vars', item, default='') | bool with_items: - matrix_synapse_ext_password_provider_rest_auth_enabled - matrix_synapse_ext_password_provider_shared_secret_auth_enabled From 07423d3dd4207e3f353097b1a3e9adbe0fa5c47a Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Nov 2025 11:35:28 +0200 Subject: [PATCH 044/209] Upgrade playbook-help (7663e3114513e56f28d3ed762059b445c678a71a -> 8630e4f1749bcb659c412820f754473f09055052) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d9d969878..aa36e390d 100644 --- a/requirements.yml +++ b/requirements.yml @@ -34,7 +34,7 @@ version: v2.15.0-0 name: ntfy - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git - version: 7663e3114513e56f28d3ed762059b445c678a71a + version: 8630e4f1749bcb659c412820f754473f09055052 name: playbook_help - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6 From ddf0fe7167d835ad25c613a0d5b59d700f8c6293 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 26 Nov 2025 11:56:57 +0200 Subject: [PATCH 045/209] Fix Ansible `inject_facts_as_vars` deprecation warning --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- roles/custom/matrix-synapse/defaults/main.yml | 2 +- roles/custom/matrix_playbook_migration/defaults/main.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index ee096431b..89ba1fcf6 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -26,7 +26,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme # Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM): # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357 # - https://github.com/element-hq/element-web/issues/19544 -matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}" +matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web matrix_client_element_version: v1.12.4 diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index a9bd74b06..a4cc24145 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -675,7 +675,7 @@ matrix_synapse_caches_sync_response_cache_duration: "2m" # Controls how much memory this role thinks is available for cache-size-related calculations. # By default, all of the server's memory is taken into account, but you can adjust this. # You can also go for directly adjusting cache-sizes (matrix_synapse_cache_autotuning_max_cache_memory_usage, matrix_synapse_cache_autotuning_target_cache_memory_usage) instead of adjusting this. -matrix_synapse_cache_size_calculations_memtotal_bytes: "{{ (ansible_memtotal_mb * 1024 * 1024) | int }}" +matrix_synapse_cache_size_calculations_memtotal_bytes: "{{ (ansible_facts['memtotal_mb'] * 1024 * 1024) | int }}" # Controls the cap to use for matrix_synapse_cache_autotuning_max_cache_memory_usage. matrix_synapse_cache_size_calculations_max_cache_memory_usage_cap_bytes: "{{ (2 * 1024 * 1024 * 1024) }}" # 2GB diff --git a/roles/custom/matrix_playbook_migration/defaults/main.yml b/roles/custom/matrix_playbook_migration/defaults/main.yml index 78898231a..16f24ba4f 100644 --- a/roles/custom/matrix_playbook_migration/defaults/main.yml +++ b/roles/custom/matrix_playbook_migration/defaults/main.yml 
@@ -55,7 +55,7 @@ matrix_playbook_migration_matrix_postmoogle_migration_validation_enabled: true # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2999 # - https://github.com/geerlingguy/ansible-role-docker/pull/410 matrix_playbook_migration_debian_signedby_migration_enabled: true -matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_distribution | lower }}.list" +matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_facts['distribution'] | lower }}.list" # Controls if the old apt repository for Docker (`signed-by=/etc/apt/trusted.gpg.d/docker.asc`) will be removed, # so that the Docker role (7.2.0+) can install a new non-conflicting one (`signed-by=/etc/apt/keyrings/docker.asc`). From cbf8a2e7e9fcf6d1dd99cf17572f52ae277137fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Nov 2025 11:59:38 +0200 Subject: [PATCH 046/209] Upgrade docker-sdk-for-python (129c8590e106b83e6f4c259649a613c6279e937a -> c38854e4c8451520e20163af1dd5f657790332da) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index aa36e390d..c6d566d3e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -13,7 +13,7 @@ version: 7.8.0 name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - version: 129c8590e106b83e6f4c259649a613c6279e937a + version: c38854e4c8451520e20163af1dd5f657790332da name: docker_sdk_for_python - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git version: v2.5.2-2 From bf3f4a9059a1a90adc05e0f2425536b53fea29e3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Nov 2025 12:01:47 +0200 Subject: [PATCH 047/209] Upgrade timesync (v1.1.0-0 -> v1.1.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index c6d566d3e..f45594237 100644 --- a/requirements.yml +++ b/requirements.yml @@ -64,7 +64,7 @@ version: v1.0.0-4 name: systemd_service_manager - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git - version: v1.1.0-0 + version: v1.1.0-1 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git version: v3.6.2-0 From 201d3ea0879679b6ec0eb708e0fc49413783d417 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Nov 2025 12:02:48 +0200 Subject: [PATCH 048/209] Upgrade Postgres (v18.1-0 -> v18.1-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index f45594237..5afd356b0 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f name: playbook_state_preserver - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git - version: v18.1-0 + version: v18.1-1 name: postgres - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git version: v18-0 From 9b7767f45163f0eb5b2fa9cdca5b75c46332c6b7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 26 Nov 2025 13:17:04 +0200 Subject: [PATCH 049/209] Upgrade Postgres (v18.1-1 -> v18.1-2) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5afd356b0..3d7b37ab6 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f name: playbook_state_preserver - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git - version: v18.1-1 + version: v18.1-2 name: postgres - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git version: v18-0 From ebdb2cc82745aebe85bb6514a7d602b2d887c942 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 26 Nov 2025 13:20:20 +0200 Subject: [PATCH 050/209] Use a proper (bool) value for the `matrix_bot_draupnir_login_native` variable Otherwise Ansible casts the "" string to a bool. This works, but it's deprecated and a bad idea anyway. --- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 2149196d0..34332989b 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -101,7 +101,7 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}" # Controls if we activate the config block for Pantalaimon for now. Its name will # probably be changed for our usecase due to Draupnir's push to scrub Pantalaimon from the codebase. # This configuration option does not follow the common naming schema as its not controlling a config key directly. -matrix_bot_draupnir_login_native: "" +matrix_bot_draupnir_login_native: false # The room ID where people can use the bot. The bot has no access controls, so # anyone in this room can use the bot - secure your room! From 77a173f8b27ffd2eaa891bc8725c6157a8c9a380 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 26 Nov 2025 15:56:22 +0000 Subject: [PATCH 051/209] chore(deps): update oci.element.io/element-admin docker tag to v0.1.9 --- roles/custom/matrix-element-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-admin/defaults/main.yml b/roles/custom/matrix-element-admin/defaults/main.yml index 51d4274c8..c49c4aa21 100644 --- a/roles/custom/matrix-element-admin/defaults/main.yml +++ b/roles/custom/matrix-element-admin/defaults/main.yml 
@@ -11,7 +11,7 @@ matrix_element_admin_enabled: true # renovate: datasource=docker depName=oci.element.io/element-admin -matrix_element_admin_version: 0.1.8 +matrix_element_admin_version: 0.1.9 matrix_element_admin_scheme: https From 2821774fcae4c3d9fc36b24d19268c4063d53381 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 26 Nov 2025 21:55:40 +0000 Subject: [PATCH 052/209] chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.7.0 --- roles/custom/matrix-authentication-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml index 24827bb69..b5c35ffc1 100644 --- a/roles/custom/matrix-authentication-service/defaults/main.yml +++ b/roles/custom/matrix-authentication-service/defaults/main.yml @@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src" # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service -matrix_authentication_service_version: 1.6.0 +matrix_authentication_service_version: 1.7.0 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}" matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}" matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/" From d1b480de65dcb56fcd49539f98f67099c5c9abcc Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 27 Nov 2025 18:52:16 +0000 Subject: [PATCH 053/209] chore(deps): update dependency backup_borg to v1.4.2-2.0.12-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3d7b37ab6..d4ec9277b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-5 name: auxiliary - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git - version: v1.4.2-2.0.11-1 + version: v1.4.2-2.0.12-0 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git version: v0.4.1-2 From eda41e89c1170989f4f486227e44d209c14fd751 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 28 Nov 2025 14:53:31 +0200 Subject: [PATCH 054/209] Upgrade baibot (v1.8.2 -> v1.8.3) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index 99d058476..28aef060b 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.8.2 +matrix_bot_baibot_version: v1.8.3 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" From a88c394ae06c9a44eee2b4dcd0c7fb9e3fd17c99 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 28 Nov 2025 15:38:47 +0000 Subject: [PATCH 055/209] chore(deps): update ghcr.io/matrix-org/rageshake docker tag to v1.17.1 --- roles/custom/matrix-rageshake/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-rageshake/defaults/main.yml b/roles/custom/matrix-rageshake/defaults/main.yml index 96f5b3ed7..75a97fa24 100644 --- a/roles/custom/matrix-rageshake/defaults/main.yml +++ b/roles/custom/matrix-rageshake/defaults/main.yml @@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: / # There are no stable container image tags yet. # See: https://github.com/matrix-org/rageshake/issues/69 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake -matrix_rageshake_version: 1.17.0 +matrix_rageshake_version: 1.17.1 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake" matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config" From bab3a47c50f258b6b2291196aeb6440beddec1ea Mon Sep 17 00:00:00 2001 
From: Aine Date: Fri, 28 Nov 2025 18:48:24 +0000 Subject: [PATCH 056/209] fix zulip bridge service name on removal --- roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml b/roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml index 5ae51b283..e19bba4ed 100644 --- a/roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml +++ b/roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml @@ -15,7 +15,7 @@ block: - name: Ensure matrix-bridge-zulip is stopped ansible.builtin.service: - name: matrix-bridge-zulip + name: matrix-zulip-bridge state: stopped enabled: false daemon_reload: true From fb0a1bd489edae36674984bc05d3c0ffbf608455 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 30 Nov 2025 12:37:57 +0200 Subject: [PATCH 057/209] Upgrade baibot (v1.8.3 -> v1.9.0) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index 28aef060b..0563eb378 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.8.3 +matrix_bot_baibot_version: v1.9.0 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" From 7e0815c5eaca8cc2c261bcd2856025758c884c51 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 30 Nov 2025 14:04:01 +0000 Subject: [PATCH 058/209] chore(deps): update dependency sphinx to v9 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 6428447a7..2321f823f 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -19,7 +19,7 @@ PyYAML==6.0.3 requests==2.32.5 setuptools==80.9.0 snowballstemmer==3.0.1 -Sphinx==8.2.3 +Sphinx==9.0.0 sphinx-intl==2.3.2 sphinx-markdown-builder==0.6.8 sphinxcontrib-applehelp==2.0.0 From 64d890300b91543020667fd6bbc781c116eaaa5d Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 30 Nov 2025 17:50:05 +0200 Subject: [PATCH 059/209] Upgrade docker-sdk-for-python (c38854e4c8451520e20163af1dd5f657790332da -> 542a2d68db4e9a8e9bb4b508052760b900c7dce6) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d4ec9277b..cfa424c8d 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -13,7 +13,7 @@ version: 7.8.0 name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git - version: c38854e4c8451520e20163af1dd5f657790332da + version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6 name: docker_sdk_for_python - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git version: v2.5.2-2 From a451f1fcb14465c85e52274f09b08b2b6bdc3046 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 1 Dec 2025 01:58:57 +0000 Subject: [PATCH 060/209] chore(deps): update joseluisq/static-web-server docker tag to v2.40.0 --- roles/custom/matrix-cactus-comments-client/defaults/main.yml | 2 +- roles/custom/matrix-static-files/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-cactus-comments-client/defaults/main.yml b/roles/custom/matrix-cactus-comments-client/defaults/main.yml index f5de37737..76406a6cb 100644 --- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml +++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml @@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas matrix_cactus_comments_client_public_path_file_permissions: "0644" # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_cactus_comments_client_version: 2.39.0 +matrix_cactus_comments_client_version: 2.40.0 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}" matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}" diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml index 68a29958a..44bfe6055 100644 
--- a/roles/custom/matrix-static-files/defaults/main.yml +++ b/roles/custom/matrix-static-files/defaults/main.yml @@ -13,7 +13,7 @@ matrix_static_files_enabled: true matrix_static_files_identifier: matrix-static-files # renovate: datasource=docker depName=joseluisq/static-web-server -matrix_static_files_version: 2.39.0 +matrix_static_files_version: 2.40.0 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}" matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config" From f31be1a725b3b80c510a67d3e93796b1d99c78ef Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 1 Dec 2025 13:50:02 +0200 Subject: [PATCH 061/209] Adapt to static-webserver v2.40.0 changes to the public directory Ref: - https://github.com/static-web-server/static-web-server/releases/tag/v2.40.0 - https://github.com/static-web-server/static-web-server/pull/567 - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4767 Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4768 Regression since a451f1fcb14465c85e52274f09b08b2b6bdc3046 --- .../templates/systemd/matrix-cactus-comments-client.service.j2 | 2 +- .../templates/systemd/matrix-static-files.service.j2 | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2 b/roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2 index 726c66c5b..995ce5d6f 100755 --- a/roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2 +++ b/roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2 
@@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% endif %} --env-file={{ matrix_cactus_comments_client_base_path }}/env \ --label-file={{ matrix_cactus_comments_client_base_path }}/labels \ - --mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/public,ro \ + --mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/var/public,ro \ {{ matrix_cactus_comments_client_container_image }} {% for network in matrix_cactus_comments_client_container_additional_networks %} diff --git a/roles/custom/matrix-static-files/templates/systemd/matrix-static-files.service.j2 b/roles/custom/matrix-static-files/templates/systemd/matrix-static-files.service.j2 index 01db2aaeb..8f93ef0e2 100755 --- a/roles/custom/matrix-static-files/templates/systemd/matrix-static-files.service.j2 +++ b/roles/custom/matrix-static-files/templates/systemd/matrix-static-files.service.j2 @@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% endif %} --env-file={{ matrix_static_files_base_path }}/env \ --label-file={{ matrix_static_files_base_path }}/labels \ - --mount type=bind,src={{ matrix_static_files_public_path }},dst=/public,ro \ + --mount type=bind,src={{ matrix_static_files_public_path }},dst=/var/public,ro \ --mount type=bind,src={{ matrix_static_files_config_path }},dst=/config,ro \ {{ matrix_static_files_container_image }} From db793428a1b91008a116b644252f4aff01451f4a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 1 Dec 2025 14:40:28 +0000 Subject: [PATCH 062/209] chore(deps): update dependency livekit_server to v1.9.6-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index cfa424c8d..bc4258add 100644 --- a/requirements.yml +++ b/requirements.yml 
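Review bot: The mount destination `/var/public` is now hard-coded in both unit templates, while the image tag appears to remain overridable through `matrix_cactus_comments_client_version` and `matrix_static_files_version`. An operator who pins a tag older than 2.40.0 would get the bind mount at a path that server version does not read, and the files under the public path (including the well-known files) would quietly stop being served. At minimum the coupling deserves a template comment above each mount line, for example `{# static-web-server >= 2.40.0 serves /var/public; older tags expect /public #}`. A role variable for the destination, or a version check in validate_config.yml, would be more robust. The `ExecStartPre` command these lines belong to starts and ends outside the hunks.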
@@ -28,7 +28,7 @@ version: v10655-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.4-0 + version: v1.9.6-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.15.0-0 From 1ee83861c3b203b3493c2134ce96e002454639da Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 1 Dec 2025 18:06:35 +0000 Subject: [PATCH 063/209] chore(deps): update dependency sphinx to v9.0.1 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 2321f823f..d355ab47e 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -19,7 +19,7 @@ PyYAML==6.0.3 requests==2.32.5 setuptools==80.9.0 snowballstemmer==3.0.1 -Sphinx==9.0.0 +Sphinx==9.0.1 sphinx-intl==2.3.2 sphinx-markdown-builder==0.6.8 sphinxcontrib-applehelp==2.0.0 From aea799260f0d5cc5a3e88950b529ef401e1aefb4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 02:48:53 +0000 Subject: [PATCH 064/209] chore(deps): update dependency docker to v7.9.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index bc4258add..e437caa36 100644 --- a/requirements.yml +++ b/requirements.yml @@ -10,7 +10,7 @@ version: v0.4.1-2 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker - version: 7.8.0 + version: 7.9.0 name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6 From 0041bd01c360a36137b5b31d5ae76cfa47fbc074 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 2 Dec 2025 07:38:38 +0200 Subject: [PATCH 065/209] Upgrade Postgres (v18.1-2 -> v18.1-3) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e437caa36..7ef1cac90 100644 --- a/requirements.yml +++ b/requirements.yml @@ -43,7 +43,7 @@ version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f name: playbook_state_preserver - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git - version: v18.1-2 + version: v18.1-3 name: postgres - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git version: v18-0 From 1838840f6567ede1219e6803f7ee80cfb542dfc7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:04:07 +0000 Subject: [PATCH 066/209] chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.5 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 89ba1fcf6..5751f878c 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.12.4 +matrix_client_element_version: v1.12.5 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From d5709e45966fc52a0532aaa8eb241c380246f8a8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:04:00 +0000 Subject: [PATCH 067/209] chore(deps): update ghcr.io/element-hq/element-call docker tag to v0.16.3 --- roles/custom/matrix-element-call/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/defaults/main.yml b/roles/custom/matrix-element-call/defaults/main.yml index 160a0bc58..e9a52ee1d 100644 --- a/roles/custom/matrix-element-call/defaults/main.yml +++ b/roles/custom/matrix-element-call/defaults/main.yml @@ -21,7 +21,7 @@ matrix_element_call_enabled: false matrix_rtc_enabled: "{{ matrix_element_call_enabled }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-call -matrix_element_call_version: v0.16.1 +matrix_element_call_version: v0.16.3 matrix_element_call_scheme: https From cf97144ed813ed975485d5dc393d3bc5519d6472 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 16:03:21 +0000 Subject: [PATCH 068/209] Bump ansible/ansible-lint from 25.11.1 to 25.12.0 Bumps [ansible/ansible-lint](https://github.com/ansible/ansible-lint) from 25.11.1 to 25.12.0. - [Release notes](https://github.com/ansible/ansible-lint/releases) - [Commits](https://github.com/ansible/ansible-lint/compare/v25.11.1...v25.12.0) --- updated-dependencies: - dependency-name: ansible/ansible-lint dependency-version: 25.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index e5317c081..be3d4360c 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v6 - name: Run ansible-lint - uses: ansible/ansible-lint@v25.11.1 + uses: ansible/ansible-lint@v25.12.0 with: args: "roles/custom" setup_python: "true" From 585d6068560a69761b7cb65791b09a8e56156b37 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 2 Dec 2025 14:37:37 +0000 Subject: [PATCH 069/209] chore(deps): update dependency prometheus to v3.8.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 7ef1cac90..e0c0b3c7b 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v18-0 name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v3.7.3-1 + version: v3.8.0-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.9.1-12 From caa2e338bc968c60b309c9ccb4b93dcbc4a03497 Mon Sep 17 00:00:00 2001 
From: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Date: Tue, 2 Dec 2025 17:55:33 +0000 Subject: [PATCH 070/209] Stop using deprecated `vars` variable for matrix-dimension --- roles/custom/matrix-dimension/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-dimension/tasks/validate_config.yml b/roles/custom/matrix-dimension/tasks/validate_config.yml index 5800d658f..3510b5c6f 100644 --- a/roles/custom/matrix-dimension/tasks/validate_config.yml +++ b/roles/custom/matrix-dimension/tasks/validate_config.yml @@ -39,7 +39,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_dimension_container_labels_traefik_hostname - matrix_dimension_container_labels_traefik_path_prefix From f8f7406c5116ec7a0bb7dca587dd8e93216e5cdc Mon Sep 17 00:00:00 2001 From: Kim Brose <2803622+HarHarLinks@users.noreply.github.com> Date: Tue, 2 Dec 2025 17:56:44 +0000 Subject: [PATCH 071/209] Stop using deprecated `vars` variable for matrix-element-call --- roles/custom/matrix-element-call/tasks/validate_config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-element-call/tasks/validate_config.yml b/roles/custom/matrix-element-call/tasks/validate_config.yml index 86fb84705..dec4027dd 100644 --- a/roles/custom/matrix-element-call/tasks/validate_config.yml +++ b/roles/custom/matrix-element-call/tasks/validate_config.yml @@ -17,7 +17,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] | string | length == 0" + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_element_call_container_network', when: true} - {'name': 'matrix_element_call_hostname', when: true} 
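Review bot: The new condition `lookup('vars', item, default='') == ''` still passes when a required setting is present but null (a bare `key:` in vars.yml), so a blank hostname, token or password can slip past validation. The element-call form `... | string | length == 0` likely has the same gap, since a null value would stringify to a non-empty string; that is worth confirming on the Ansible version in use. Later hunks in this series (draupnir-for-all, mjolnir, pantalaimon) also test `is none`, so the checks are inconsistent. A single-lookup form covering both cases would be `when: "lookup('vars', item, default='') in ['', none]"`. It also applies to the `== ''` conditions in the later validate_config.yml hunks (registration-bot, mautrix-wsproxy, sms, cactus-comments, fluffychat, hydrogen, schildichat, ldap-registration-proxy, rageshake, sygnal, synapse), whose tasks all start above their hunks.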
From 325b22a302715ac3e0341a35a7bd950b755e26fe Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 2 Dec 2025 21:31:50 +0200 Subject: [PATCH 072/209] Stop using deprecated `vars` variable in all other custom roles Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4776 Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4777 --- .../tasks/validate_config.yml | 2 +- .../matrix-authentication-service/tasks/mas_cli_syn2mas.yml | 2 +- .../tasks/validate_config.yml | 2 +- roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml | 4 ++-- .../matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml | 2 +- roles/custom/matrix-bridge-sms/tasks/validate_config.yml | 2 +- .../matrix-cactus-comments-client/tasks/validate_config.yml | 2 +- roles/custom/matrix-cactus-comments/tasks/validate_config.yml | 2 +- .../custom/matrix-client-fluffychat/tasks/validate_config.yml | 4 ++-- roles/custom/matrix-client-hydrogen/tasks/validate_config.yml | 2 +- .../matrix-client-schildichat/tasks/validate_config.yml | 4 ++-- .../matrix-ldap-registration-proxy/tasks/validate_config.yml | 2 +- roles/custom/matrix-pantalaimon/tasks/validate_config.yml | 2 +- roles/custom/matrix-rageshake/tasks/validate_config.yml | 4 ++-- roles/custom/matrix-sygnal/tasks/validate_config.yml | 4 ++-- roles/custom/matrix-synapse/tasks/validate_config.yml | 4 ++-- 16 files changed, 22 insertions(+), 22 deletions(-) diff --git a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml index b07a2d2f4..b4a8945b3 100644 --- a/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml +++ b/roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml 
@@ -13,7 +13,7 @@ with_items: - "matrix_appservice_draupnir_for_all_config_adminRoom" - "matrix_bot_draupnir_container_network" - when: "vars[item] == '' or vars[item] is none" + when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none" - name: (Deprecation) Catch and report renamed matrix-appservice-draupnir-for-all settings ansible.builtin.fail: diff --git a/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml b/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml index b058d87d8..93ffc4dcc 100644 --- a/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml +++ b/roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml @@ -19,7 +19,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item.name }}`). - when: "item.when | bool and vars[item.name] | string | length == 0" + when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: - {'name': 'matrix_authentication_service_syn2mas_synapse_homeserver_config_path', when: true} diff --git a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml index 3021c8537..cf6946fd9 100644 --- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml @@ -10,7 +10,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_bot_matrix_registration_bot_bot_password" - "matrix_bot_matrix_registration_bot_api_base_url" diff --git a/roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml b/roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml index 53ef0fdd4..91622e32f 100644 
--- a/roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml +++ b/roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml @@ -18,14 +18,14 @@ - {'name': 'matrix_bot_mjolnir_raw_homeserver_url', when: true} - {'name': 'matrix_bot_mjolnir_pantalaimon_username', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"} - {'name': 'matrix_bot_mjolnir_pantalaimon_password', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"} - when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)" + when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)" - name: Fail if inappropriate variables are defined ansible.builtin.fail: msg: "The `{{ item.name }}` variable must be undefined or have a null value." with_items: - {'name': 'matrix_bot_mjolnir_access_token', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"} - when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)" + when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)" - name: (Deprecation) Catch and report renamed Mjolnir settings ansible.builtin.fail: diff --git a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml index 244da474f..8d0a4860a 100644 --- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml @@ -9,7 +9,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_mautrix_androidsms_appservice_token" - "matrix_mautrix_androidsms_homeserver_token" diff --git a/roles/custom/matrix-bridge-sms/tasks/validate_config.yml b/roles/custom/matrix-bridge-sms/tasks/validate_config.yml index 2830ae8bb..ef1069d29 100644 
--- a/roles/custom/matrix-bridge-sms/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-sms/tasks/validate_config.yml @@ -11,7 +11,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_sms_bridge_appservice_token" - "matrix_sms_bridge_homeserver_hostname" diff --git a/roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml b/roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml index fc3901551..b76cc963a 100644 --- a/roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml +++ b/roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml @@ -8,7 +8,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_cactus_comments_client_hostname - matrix_cactus_comments_client_path_prefix diff --git a/roles/custom/matrix-cactus-comments/tasks/validate_config.yml b/roles/custom/matrix-cactus-comments/tasks/validate_config.yml index 71ae8f935..c1df48a06 100644 --- a/roles/custom/matrix-cactus-comments/tasks/validate_config.yml +++ b/roles/custom/matrix-cactus-comments/tasks/validate_config.yml @@ -24,7 +24,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_cactus_comments_as_token" - "matrix_cactus_comments_hs_token" diff --git a/roles/custom/matrix-client-fluffychat/tasks/validate_config.yml b/roles/custom/matrix-client-fluffychat/tasks/validate_config.yml index f11b81d65..01b6f93e0 100644 --- a/roles/custom/matrix-client-fluffychat/tasks/validate_config.yml +++ b/roles/custom/matrix-client-fluffychat/tasks/validate_config.yml 
@@ -9,7 +9,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item }}`) for using FluffyChat Web. - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_client_fluffychat_container_network @@ -27,7 +27,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_client_fluffychat_container_labels_traefik_hostname - matrix_client_fluffychat_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml index 6f1ced098..9a048b56e 100644 --- a/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml +++ b/roles/custom/matrix-client-hydrogen/tasks/validate_config.yml @@ -30,7 +30,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_client_hydrogen_container_labels_traefik_hostname - matrix_client_hydrogen_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-client-schildichat/tasks/validate_config.yml b/roles/custom/matrix-client-schildichat/tasks/validate_config.yml index df87b4356..d0477fe2e 100644 --- a/roles/custom/matrix-client-schildichat/tasks/validate_config.yml +++ b/roles/custom/matrix-client-schildichat/tasks/validate_config.yml @@ -20,7 +20,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item }}`) for using SchildiChat Web. - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_client_schildichat_default_hs_url - matrix_client_schildichat_container_network 
@@ -39,7 +39,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_client_schildichat_container_labels_traefik_hostname - matrix_client_schildichat_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml b/roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml index 3fc080949..289dd570a 100644 --- a/roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml +++ b/roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml @@ -11,7 +11,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - "matrix_ldap_registration_proxy_hostname" - "matrix_ldap_registration_proxy_ldap_uri" diff --git a/roles/custom/matrix-pantalaimon/tasks/validate_config.yml b/roles/custom/matrix-pantalaimon/tasks/validate_config.yml index a6b764815..7117741cf 100644 --- a/roles/custom/matrix-pantalaimon/tasks/validate_config.yml +++ b/roles/custom/matrix-pantalaimon/tasks/validate_config.yml @@ -9,7 +9,7 @@ msg: "The `{{ item }}` variable must be defined and have a non-null value." with_items: - "matrix_pantalaimon_homeserver_url" - when: "vars[item] == '' or vars[item] is none" + when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none" - name: (Deprecation) Catch and report renamed Pantalaimon variables ansible.builtin.fail: diff --git a/roles/custom/matrix-rageshake/tasks/validate_config.yml b/roles/custom/matrix-rageshake/tasks/validate_config.yml index 4b1249372..19edb6197 100644 --- a/roles/custom/matrix-rageshake/tasks/validate_config.yml +++ b/roles/custom/matrix-rageshake/tasks/validate_config.yml 
@@ -9,7 +9,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_rageshake_hostname - matrix_rageshake_path_prefix @@ -29,7 +29,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_rageshake_container_labels_traefik_hostname - matrix_rageshake_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-sygnal/tasks/validate_config.yml b/roles/custom/matrix-sygnal/tasks/validate_config.yml index dfb806a18..a524fc1f4 100644 --- a/roles/custom/matrix-sygnal/tasks/validate_config.yml +++ b/roles/custom/matrix-sygnal/tasks/validate_config.yml @@ -9,7 +9,7 @@ ansible.builtin.fail: msg: > You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_sygnal_hostname - matrix_sygnal_path_prefix @@ -21,7 +21,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`). - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_sygnal_container_labels_traefik_hostname - matrix_sygnal_container_labels_traefik_path_prefix diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml index 3f25cc934..7e0595eff 100644 --- a/roles/custom/matrix-synapse/tasks/validate_config.yml +++ b/roles/custom/matrix-synapse/tasks/validate_config.yml 
@@ -138,7 +138,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`. - when: "vars[item] == ''" + when: "lookup('vars', item, default='') == ''" with_items: - matrix_synapse_container_image_customizations_templates_git_repository_url - matrix_synapse_container_image_customizations_templates_git_repository_branch @@ -147,7 +147,7 @@ ansible.builtin.fail: msg: >- You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`. - when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and vars[item] == ''" + when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and lookup('vars', item, default='') == ''" with_items: - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname From 717c9bfd7d013c2f445921491e7ef0ce220f5720 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Dec 2025 18:50:17 +0000 Subject: [PATCH 073/209] chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.6 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 5751f878c..12485fabf 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml 
@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.12.5 +matrix_client_element_version: v1.12.6 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From 472bf1c58c6926e54cd2c81ab430df2c3f0ca2e0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 4 Dec 2025 04:14:47 +0000 Subject: [PATCH 074/209] chore(deps): update dependency sphinx to v9.0.3 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index d355ab47e..d70f18ab4 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -19,7 +19,7 @@ PyYAML==6.0.3 requests==2.32.5 setuptools==80.9.0 snowballstemmer==3.0.1 -Sphinx==9.0.1 +Sphinx==9.0.3 sphinx-intl==2.3.2 sphinx-markdown-builder==0.6.8 sphinxcontrib-applehelp==2.0.0 From 1bc70935a084fff7baccaea16d0918ccd2ee1712 Mon Sep 17 00:00:00 2001 From: Aine Date: Thu, 4 Dec 2025 18:55:40 +0000 Subject: [PATCH 075/209] Synapse Admin v0.11.1-etke50 --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 9e54b8d1d..904105884 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git" # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin -matrix_synapse_admin_version: v0.11.1-etke49 +matrix_synapse_admin_version: v0.11.1-etke50 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}" matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}" From c7ed2deb229d484da07532753dfe19f5b3483a1d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 5 Dec 2025 12:39:43 +0000 Subject: [PATCH 076/209] chore(deps): update dependency livekit_server to v1.9.7-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index e0c0b3c7b..6a292d839 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ version: v10655-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.6-0 + version: v1.9.7-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.15.0-0 From bbfe345758fa0bc7b3bebdec04ef9390681998ff Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Sat, 6 Dec 2025 00:29:14 +0900 Subject: [PATCH 077/209] Update faq.md: add the section about coturn errors Signed-off-by: Suguru Hirahara --- docs/faq.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/faq.md b/docs/faq.md index 898a1c1f6..3e7c9767d 100644 --- a/docs/faq.md +++ b/docs/faq.md 
@@ -440,6 +440,19 @@ To prevent double-logging, Docker logging is disabled by explicitly passing `--l See [this section](maintenance-and-troubleshooting.md#how-to-see-the-logs) on the page for maintenance and troubleshooting for more details to see the logs. +### The server fails to start due to the `Unable to start service matrix-coturn.service` error. Why and how to solve it? + +The error is most likely because Traefik cannot obtain SSL certificates due to certain reasons such as wrong domain name configuration or port 80 being unavailable due to other services. + +If Traefik fails to obtain an SSL certificate for domain names such as `matrix.`, Traefik Certs Dumper cannot extract the SSL certificate out of there, and coturn cannot be started and the error occurs. Refer to these comments for details: + +- +- + +If you are not sure what the problem is, at first make sure that you have set the "base domain" (`example.com`, **not `matrix.example.com`**) to `matrix_domain`. You should be able to find it at the top of your `vars.yml`. + +If it is correctly specified, look Traefik's logs (`journalctl -fu matrix-traefik.service`) for errors by Let's Encrypt for troubleshooting. + ## Miscellaneous ### I would like to see this favorite service of mine integrated and become available on my Matrix server. How can I request it? From 98663a8386c653e9abe20464a46b3b2af0228f4b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 5 Dec 2025 15:38:35 +0000 Subject: [PATCH 078/209] chore(deps): update dependency urllib3 to v2.6.0 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index d70f18ab4..ef4acff13 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0 sphinxcontrib-serializinghtml==2.0.0 tabulate==0.9.0 uc-micro-py==1.0.3 -urllib3==2.5.0 +urllib3==2.6.0 
From 940dcb016201f28781a82b65f995328661f6e607 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 6 Dec 2025 04:59:05 +0000 Subject: [PATCH 079/209] chore(deps): update dependency traefik to v3.6.4-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 6a292d839..fbc62f0c4 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.1.0-1 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.2-0 + version: v3.6.4-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-2 From 4238ec6e86f4e20ba8184a86f10a9c8fa9835cc8 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Dec 2025 07:12:48 +0200 Subject: [PATCH 080/209] Upgrade baibot (v1.9.0 -> v1.10.0) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index 0563eb378..5f696528c 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.9.0 +matrix_bot_baibot_version: v1.10.0 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" From 64fc64921c706f95efd1642ac935253ed1f84c28 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 6 Dec 2025 08:34:33 +0200 Subject: [PATCH 081/209] Upgrade livekit-jwt-service (v0.3.0 -> v0.4.0) and adapt configuration Ref: https://github.com/element-hq/lk-jwt-service/releases/tag/v0.4.0 Supersedes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4784 --- .../matrix-livekit-jwt-service/defaults/main.yml | 13 ++++++++++--- .../tasks/validate_config.yml | 9 +++++++++ .../matrix-livekit-jwt-service/templates/env.j2 | 2 +- .../matrix-livekit-jwt-service/templates/labels.j2 | 2 +- .../systemd/matrix-livekit-jwt-service.service.j2 | 2 +- 5 files changed, 22 insertions(+), 6 deletions(-) diff --git a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml index 13beb7d2d..95f525686 100644 --- a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml 
@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: [] matrix_livekit_jwt_service_container_additional_networks_custom: [] # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service -matrix_livekit_jwt_service_version: 0.3.0 +matrix_livekit_jwt_service_version: 0.4.0 matrix_livekit_jwt_service_container_image_self_build: false matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git" @@ -68,8 +68,15 @@ matrix_livekit_jwt_service_container_labels_additional_labels: '' # A list of extra arguments to pass to the container matrix_livekit_jwt_service_container_extra_arguments: [] -# Controls the LK_JWT_PORT environment variable -matrix_livekit_jwt_service_environment_variable_livekit_jwt_port: 8080 +# Controls the port that the service listens on internally in the container. +# This is still used for Traefik configuration and container port binding. +matrix_livekit_jwt_service_container_port: 8080 + +# Controls the LIVEKIT_JWT_BIND environment variable. +# This is the preferred method in v0.4.0+, replacing the deprecated LIVEKIT_JWT_PORT. +# Format: "host:port" or ":port" (to bind to all interfaces). +# The default ":8080" binds to all interfaces on port 8080. +matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind: ":{{ matrix_livekit_jwt_service_container_port }}" # Controls the LIVEKIT_KEY environment variable matrix_livekit_jwt_service_environment_variable_livekit_key: "" diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml index fa2f4ab04..fb44aa236 100644 --- a/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml +++ b/roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml 
@@ -6,6 +6,15 @@ --- +- name: (Deprecation) Catch and report renamed LiveKit JWT Service settings + ansible.builtin.fail: + msg: >- + Your configuration contains a variable, which now has a different name. + Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml). + when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0" + with_items: + - {'old': 'matrix_livekit_jwt_service_environment_variable_livekit_jwt_port', 'new': 'matrix_livekit_jwt_service_container_port'} + - name: Fail if required LiveKit JWT Service settings are not defined ansible.builtin.fail: msg: > diff --git a/roles/custom/matrix-livekit-jwt-service/templates/env.j2 b/roles/custom/matrix-livekit-jwt-service/templates/env.j2 index 56a5496a7..15ac9d4a7 100644 --- a/roles/custom/matrix-livekit-jwt-service/templates/env.j2 +++ b/roles/custom/matrix-livekit-jwt-service/templates/env.j2 @@ -5,7 +5,7 @@ SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev SPDX-License-Identifier: AGPL-3.0-or-later #} -LIVEKIT_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port | int | to_json }} +LIVEKIT_JWT_BIND={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind }} LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }} LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }} diff --git a/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 b/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 index c372cbb78..5fd1e07ee 100644 --- a/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 +++ b/roles/custom/matrix-livekit-jwt-service/templates/labels.j2 
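Review bot: Nothing in this validate_config.yml hunk checks that `matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind` still ends in `matrix_livekit_jwt_service_container_port`, although the Traefik label and the `-p` mapping in this commit follow only the latter. An operator who overrides the bind value with a different port would get a service listening where nothing routes to it, with no error from the playbook. env.j2 also now writes the value as a raw string (the old line went through `| int | to_json`), so this is the one place left to catch a malformed value before it reaches the env file. A task like the one below could follow the deprecation check; the file continues outside the hunk.

```yaml
- name: Fail if the LiveKit JWT Service bind address does not use the container port
  ansible.builtin.fail:
    msg: >-
      `matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind` must end in
      `:{{ matrix_livekit_jwt_service_container_port }}` (the value of `matrix_livekit_jwt_service_container_port`).
  when: "not (matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind | string).endswith(':' ~ (matrix_livekit_jwt_service_container_port | string))"
# … unchanged: "Fail if required LiveKit JWT Service settings are not defined" task …
```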
@@ -10,7 +10,7 @@ traefik.enable=true
 traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }}
-traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port }}
+traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_container_port }}
 {% set middlewares = [] %}
diff --git a/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2 b/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2
index 351044cef..1d22b8cce 100644
--- a/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2
+++ b/roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2
@@ -20,7 +20,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 --cap-drop=ALL \
 --network={{ matrix_livekit_jwt_service_container_network }} \
 {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
- -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port }} \
+ -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_container_port }} \
 {% endif %}
 --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
 --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \
From 95884479c3d0b78bc0706bff98a8dcc23fc20f3b Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Sat, 6 Dec 2025 08:35:33 +0200
Subject: [PATCH 082/209] Fix tag name typo (`setup-jwt-service` -> `setup-livekit-jwt-service`) for the livekit-jwt-service role
---
 roles/custom/matrix-livekit-jwt-service/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-livekit-jwt-service/tasks/main.yml b/roles/custom/matrix-livekit-jwt-service/tasks/main.yml
index 29b49dde6..b51341f74 100644
--- a/roles/custom/matrix-livekit-jwt-service/tasks/main.yml
+++ b/roles/custom/matrix-livekit-jwt-service/tasks/main.yml
@@ -8,7 +8,7 @@
 - tags:
 - setup-all
- - setup-jwt-service
+ - setup-livekit-jwt-service
 - install-all
 - install-livekit-jwt-service
 block:
From d5580ea32212f367f3085c0e9f627ef46df5ed35 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Sun, 7 Dec 2025 18:07:59 +0000
Subject: [PATCH 083/209] chore(deps): update dependency sphinx-markdown-builder to v0.6.9
---
 i18n/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/requirements.txt b/i18n/requirements.txt
index ef4acff13..f7f4a88d8 100644
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -21,7 +21,7 @@ setuptools==80.9.0
 snowballstemmer==3.0.1
 Sphinx==9.0.3
 sphinx-intl==2.3.2
-sphinx-markdown-builder==0.6.8
+sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0
From 88dcfbdaa7dcbca6e38343c240e58185e2e27f30 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 8 Dec 2025 05:39:14 +0200
Subject: [PATCH 084/209] Override `matrix_matrixto_base_path` in terms of `matrix_base_data_path` in `group_vars/matrix_servers`
Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4787
---
 group_vars/matrix_servers | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 781d7ee53..ade6e9b84 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -3088,6 +3088,8 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
 # We don't enable matrixto by default.
 matrix_matrixto_enabled: false
+matrix_matrixto_base_path: "{{ matrix_base_data_path }}/matrixto"
+
 # The container image is not provided at https://github.com/matrix-org/matrix.to
 matrix_matrixto_container_image_self_build: true
From f36983bfdb1f7b34a5e7e50a199b0d663e62dcb0 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 05:33:08 +0000
Subject: [PATCH 085/209] chore(deps): update joseluisq/static-web-server docker tag to v2.40.1
---
 roles/custom/matrix-cactus-comments-client/defaults/main.yml | 2 +-
 roles/custom/matrix-static-files/defaults/main.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/custom/matrix-cactus-comments-client/defaults/main.yml b/roles/custom/matrix-cactus-comments-client/defaults/main.yml
index 76406a6cb..5b647575d 100644
--- a/roles/custom/matrix-cactus-comments-client/defaults/main.yml
+++ b/roles/custom/matrix-cactus-comments-client/defaults/main.yml
@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.40.0
+matrix_cactus_comments_client_version: 2.40.1
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"
diff --git a/roles/custom/matrix-static-files/defaults/main.yml b/roles/custom/matrix-static-files/defaults/main.yml
index 44bfe6055..a247294f6 100644
--- a/roles/custom/matrix-static-files/defaults/main.yml
+++ b/roles/custom/matrix-static-files/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.40.0
+matrix_static_files_version: 2.40.1
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"
From 904a98d56cc1bb2760a65b56c34baba756dc2564 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 14:06:44 +0000
Subject: [PATCH 086/209] chore(deps): update dependency traefik_certs_dumper to v2.10.0-3
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index fbc62f0c4..a951507fd 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -70,7 +70,7 @@
 version: v3.6.4-0
 name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
- version: v2.10.0-2
+ version: v2.10.0-3
 name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
 version: v9-0
From 59ab28cab2a9da9283272fbbc58524e388440429 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 8 Dec 2025 18:34:59 +0000
Subject: [PATCH 087/209] chore(deps): update dependency urllib3 to v2.6.1
---
 i18n/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/requirements.txt b/i18n/requirements.txt
index f7f4a88d8..e88571a33 100644
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.6.0
+urllib3==2.6.1
From fe9f70517e120046685d23ad41b632fc957a1f47 Mon Sep 17 00:00:00 2001
From: The one with the braid
Date: Tue, 9 Dec 2025 07:58:40 +0100
Subject: [PATCH 088/209] fix: migrate Traefik Cert Dumper configuration
Relates to 904a98d56cc1bb2760a65b56c34baba756dc2564.
Signed-off-by: The one with the braid
---
 CHANGELOG.md | 8 ++++++++
 docs/configuring-playbook-own-webserver.md | 2 +-
 docs/howto-srv-server-delegation.md | 8 ++++----
 group_vars/matrix_servers | 14 +++++++-------
 roles/custom/matrix-base/defaults/main.yml | 2 +-
 5 files changed, 21 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a295446f7..d251894f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+# 2025-12-09
+
+## Traefik Cert Dumper upgrade
+
+The variable `traefik_certs_dumper_ssl_dir_path` was renamed to `traefik_certs_dumper_ssl_path`. Users who use [their own webserver with Traefik](docs/configuring-playbook-own-webserver.md) may need to adjust their configuration.
+
+The variable `traefik_certs_dumper_dumped_certificates_dir_path` was renamed to `traefik_certs_dumper_dumped_certificates_path`. Users who use [SRV Server Delegation](docs/howto-srv-server-delegation.md) may need to adjust their configuration.
+
 # 2025-11-23
 ## Matrix.to support
diff --git a/docs/configuring-playbook-own-webserver.md b/docs/configuring-playbook-own-webserver.md
index 56a1b8e90..91c79c9c6 100644
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@@ -51,7 +51,7 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
 # Adjust to point to your Traefik container
 matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container
-traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
+traefik_certs_dumper_ssl_path: "/path/to/your/traefiks/acme.json/directory"
 # Uncomment and adjust the variable below if the name of your federation entrypoint is different
 # than the default value (matrix-federation).
diff --git a/docs/howto-srv-server-delegation.md b/docs/howto-srv-server-delegation.md
index da6d0727a..95e724436 100644
--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@@ -112,12 +112,12 @@ matrix_coturn_container_additional_volumes: |
 (
 [
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/*.' + matrix_domain + '/certificate.crt'),
 'dst': '/certificate.crt',
 'options': 'ro',
 },
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/*.' + matrix_domain + '/privatekey.key'),
 'dst': '/privatekey.key',
 'options': 'ro',
 },
@@ -173,12 +173,12 @@ matrix_coturn_container_additional_volumes: |
 (
 [
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/certificate.crt'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/*.' + matrix_domain + '/certificate.crt'),
 'dst': '/certificate.crt',
 'options': 'ro',
 },
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/*.' + matrix_domain + '/privatekey.key'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/*.' + matrix_domain + '/privatekey.key'),
 'dst': '/privatekey.key',
 'options': 'ro',
 },
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index ade6e9b84..919b77019 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2242,8 +2242,8 @@ matrix_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['a
 matrix_postmoogle_ssl_path: |-
 {{
 {
- 'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
- 'other-traefik-container': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
+ 'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
+ 'other-traefik-container': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
 'none': '',
 }[matrix_playbook_reverse_proxy_type]
 }}
@@ -3191,12 +3191,12 @@ matrix_coturn_container_additional_volumes: |
 (
 [
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'),
 'dst': '/certificate.crt',
 'options': 'ro',
 },
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'),
 'dst': '/privatekey.key',
 'options': 'ro',
 },
@@ -5881,7 +5881,7 @@ traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumpe
 traefik_certs_dumper_uid: "{{ matrix_user_uid }}"
 traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
-traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
+traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
 traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"
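Review bot: This commit renames `traefik_certs_dumper_ssl_dir_path` and `traefik_certs_dumper_dumped_certificates_dir_path` wherever the playbook reads them, but none of the five files in its diffstat adds a renamed-variable check, so a vars.yml that still sets the old names would be ignored without an error. For `other-traefik-container` setups that presumably leaves the certs dumper on the default derived in the `@@ -5881` hunk (`traefik_ssl_dir_path if traefik_enabled else ''`), and the coturn, postmoogle and LiveKit TURN certificate mounts depend on its output. The livekit-jwt-service commit earlier in this series handles its own rename with a "(Deprecation) Catch and report renamed … settings" task; the same pattern with `{'old': 'traefik_certs_dumper_ssl_dir_path', 'new': 'traefik_certs_dumper_ssl_path'}` and `{'old': 'traefik_certs_dumper_dumped_certificates_dir_path', 'new': 'traefik_certs_dumper_dumped_certificates_path'}` would turn a silent TLS misconfiguration into a playbook-time failure. The upstream role may already perform this check; that is not visible from here.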
@@ -5990,12 +5990,12 @@ livekit_server_container_additional_volumes_auto: |
 (
 [
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/' + livekit_server_config_turn_domain + '/certificate.crt'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + livekit_server_config_turn_domain + '/certificate.crt'),
 'dst': livekit_server_config_turn_cert_file,
 'options': 'ro',
 },
 {
- 'src': (traefik_certs_dumper_dumped_certificates_dir_path + '/' + livekit_server_config_turn_domain + '/privatekey.key'),
+ 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + livekit_server_config_turn_domain + '/privatekey.key'),
 'dst': livekit_server_config_turn_key_file,
 'options': 'ro',
 },
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index c389d67e7..8112c89ee 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -273,7 +273,7 @@ matrix_metrics_exposure_http_basic_auth_users: ''
 # - nevertheless, the playbook expects that you would install Traefik yourself via other means
 # - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
 # - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
-# - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_dir_path`)
+# - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_path`)
 #
 # - `none`
 # - no reverse-proxy will be installed
From c14d1bd1f4fa754a137ce351f9726ae660e6ead0 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 4 Dec 2025 09:46:03 +0000
Subject: [PATCH 089/209] chore(deps): update dependency sphinx to v9.0.4
---
 i18n/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/requirements.txt b/i18n/requirements.txt
index e88571a33..1e3a75a2a 100644
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -19,7 +19,7 @@ PyYAML==6.0.3
 requests==2.32.5
 setuptools==80.9.0
 snowballstemmer==3.0.1
-Sphinx==9.0.3
+Sphinx==9.0.4
 sphinx-intl==2.3.2
 sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
From ddc5e094a363be679b32769026518ff93e7149d6 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 03:38:59 +0000
Subject: [PATCH 090/209] chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.8.0
---
 roles/custom/matrix-authentication-service/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml
index b5c35ffc1..c09451829 100644
--- a/roles/custom/matrix-authentication-service/defaults/main.yml
+++ b/roles/custom/matrix-authentication-service/defaults/main.yml
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.7.0
+matrix_authentication_service_version: 1.8.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
From fd612f99fd2aa43e8796b123389a711ea99d3048 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 03:38:55 +0000
Subject: [PATCH 091/209] chore(deps): update nginx docker tag to v1.29.4
---
 .../matrix-synapse-reverse-proxy-companion/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
index dab3ab4d9..8c230e145 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@@ -24,7 +24,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.29.3-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.29.4-alpine
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
From aec4185135e4a8dc12a6cc5c999d4fcec7b0d1c9 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Tue, 9 Dec 2025 20:02:07 +0000
Subject: [PATCH 092/209] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.144.0
---
 roles/custom/matrix-synapse/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index a4cc24145..625d4719e 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.143.0
+matrix_synapse_version: v1.144.0
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
From 6a8a1dfa24be6967b39f4a52d38d0a6a008912da Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 10:42:46 +0000
Subject: [PATCH 093/209] chore(deps): update dependency valkey to v9.0.1-0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index a951507fd..acf1c06f7 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -73,5 +73,5 @@
 version: v2.10.0-3
 name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
- version: v9-0
+ version: v9.0.1-0
 name: valkey
From 3a12aa76824862c9ed4cb8b6372113bd4650573d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 13:52:34 +0000
Subject: [PATCH 094/209] chore(deps): update ansible/ansible-lint action to v25.12.1
---
 .github/workflows/matrix.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml
index be3d4360c..ab6855464 100644
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@@ -26,7 +26,7 @@ jobs:
 uses: actions/checkout@v6
 - name: Run ansible-lint
- uses: ansible/ansible-lint@v25.12.0
+ uses: ansible/ansible-lint@v25.12.1
 with:
 args: "roles/custom"
 setup_python: "true"
From 52278a8108a04bf2c3f6f2fa4c768d4afbaa6a92 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 19:54:06 +0000
Subject: [PATCH 095/209] chore(deps): update dependency livekit_server to v1.9.8-0
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index acf1c06f7..426c26db8 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -28,7 +28,7 @@
 version: v10655-0
 name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
- version: v1.9.7-0
+ version: v1.9.8-0
 name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
 version: v2.15.0-0
From f7a3bde4a78d99fae1fc814eca7d90da8739679f Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 10 Dec 2025 19:54:13 +0000
Subject: [PATCH 096/209] chore(deps): update oci.element.io/element-admin docker tag to v0.1.10
---
 roles/custom/matrix-element-admin/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-element-admin/defaults/main.yml b/roles/custom/matrix-element-admin/defaults/main.yml
index c49c4aa21..930b83a19 100644
--- a/roles/custom/matrix-element-admin/defaults/main.yml
+++ b/roles/custom/matrix-element-admin/defaults/main.yml
@@ -11,7 +11,7 @@ matrix_element_admin_enabled: true
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.9
+matrix_element_admin_version: 0.1.10
 matrix_element_admin_scheme: https
From 5c0c03893fd9c2916fca8b794fd9cff0824be2db Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 11 Dec 2025 19:58:11 +0000
Subject: [PATCH 097/209] chore(deps): update dependency urllib3 to v2.6.2
---
 i18n/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/requirements.txt b/i18n/requirements.txt
index 1e3a75a2a..42a02c794 100644
--- a/i18n/requirements.txt
+++ b/i18n/requirements.txt
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.6.1
+urllib3==2.6.2
From fa3d05ea8100477dd7138ef1c7fa47ea6c5d9e67 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Fri, 12 Dec 2025 16:03:40 +0200
Subject: [PATCH 098/209] Bump OpenAI text-generation model for baibot (`gpt-5.1` -> `gpt-5.2`)
---
 roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml
index 5f696528c..4651287d4 100644
--- a/roles/custom/matrix-bot-baibot/defaults/main.yml
+++ b/roles/custom/matrix-bot-baibot/defaults/main.yml
@@ -368,7 +368,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.1
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.2
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
From 1f31975aef5ddc6d95c91d7ff1bd3b6583083d3c Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 12 Dec 2025 16:03:28 +0000
Subject: [PATCH 099/209] chore(deps): update dessant/lock-threads action to v6
---
 .github/workflows/lock-threads.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lock-threads.yml b/.github/workflows/lock-threads.yml
index c2722a7db..0cee26857 100644
--- a/.github/workflows/lock-threads.yml
+++ b/.github/workflows/lock-threads.yml
@@ -23,7 +23,7 @@ jobs:
 if: github.repository == 'spantaleev/matrix-docker-ansible-deploy'
 runs-on: ubuntu-latest
 steps:
- - uses: dessant/lock-threads@v5
+ - uses: dessant/lock-threads@v6
 with:
 add-issue-labels: 'outdated'
 process-only: 'issues, prs'
From 5612af92e809ce51c71cf1c64c502f6938ddfef0 Mon Sep 17 00:00:00 2001
From: Aine
Date: Sun, 14 Dec 2025 12:30:14 +0000
Subject: [PATCH 100/209] FluffyChat v2.3.0
---
 roles/custom/matrix-client-fluffychat/defaults/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-client-fluffychat/defaults/main.yml b/roles/custom/matrix-client-fluffychat/defaults/main.yml
index cdb3831d0..25e1095cb 100644
--- a/roles/custom/matrix-client-fluffychat/defaults/main.yml
+++ b/roles/custom/matrix-client-fluffychat/defaults/main.yml
@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.2.0
+matrix_client_fluffychat_version: v2.3.0
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"
From 98331ae970edc65bcc3d3555d8de0ea4ca4de2ae Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 15 Dec 2025 10:27:34 +0200
Subject: [PATCH 101/209] Upgrade baibot (v1.10.0 -> v1.11.0) and add support for configuring a custom avatar
---
 .../matrix-bot-baibot/defaults/main.yml | 19 ++++++++++++++++++-
 .../templates/config.yaml.j2 | 6 ++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml
index 4651287d4..b31e70ff9 100644
--- a/roles/custom/matrix-bot-baibot/defaults/main.yml
+++ b/roles/custom/matrix-bot-baibot/defaults/main.yml
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.10.0
+matrix_bot_baibot_version: v1.11.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -70,6 +70,23 @@ matrix_bot_baibot_config_user_password: ''
 # Also see: `matrix_bot_baibot_config_user_mxid_localpart`
 matrix_bot_baibot_config_user_name: baibot
+# Controls the `user.avatar` configuration setting.
+#
+# An optional path to an image file to be used as a custom avatar image.
+# This path should be an in-container path (e.g., `/data/avatar.png`).
+# Any type of content type is supported, but stick to common image formats (PNG, JPG, ..) for better compatibility with various Matrix clients.
+#
+# To use a custom avatar:
+# - Use the auxiliary role (`aux_` variables) to upload your avatar file to the server (e.g. to {{ matrix_bot_baibot_data_path }}/avatar.png on the host),
+# or do it any other way (without Ansible) you prefer
+# - Set this variable to something like `/data/avatar.png` (the in-container path)
+#
+# Possible values:
+# - null or empty string: use the default baibot avatar
+# - "keep": don't touch the avatar, keep whatever is already set (useful if you manage the avatar via other means)
+# - any other value: path to a custom avatar image file (must be an in-container path like `/data/avatar.png`)
+matrix_bot_baibot_config_user_avatar: null
+
 # Controls the `user.encryption.recovery_passphrase` configuration setting.
 #
 # An optional passphrase to use for backing up and recovering the bot's encryption keys.
diff --git a/roles/custom/matrix-bot-baibot/templates/config.yaml.j2 b/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
index 4b4838192..19dda786c 100644
--- a/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bot-baibot/templates/config.yaml.j2
@@ -21,6 +21,12 @@ user:
 # Leave empty to use the default (baibot).
 name: {{ matrix_bot_baibot_config_user_name | to_json }}
+ # An optional path to an image file to be used as a custom avatar image.
+ # - null or empty string: use the default avatar
+ # - "keep": don't touch the avatar, keep whatever is already set
+ # - any other value: path to a custom avatar image file
+ avatar: {{ matrix_bot_baibot_config_user_avatar | to_json }}
+
 encryption:
 # An optional passphrase to use for backing up and recovering the bot's encryption keys.
 # You can use any string here.
From e813932240195c8fc55848c31d3188d4a0d08ce8 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 15 Dec 2025 12:34:43 +0200
Subject: [PATCH 102/209] Upgrade Traefik (v3.6.4-0 -> v3.6.4-1)
---
 requirements.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.yml b/requirements.yml
index 426c26db8..20f1951d5 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -67,7 +67,7 @@
 version: v1.1.0-1
 name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
- version: v3.6.4-0
+ version: v3.6.4-1
 name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
 version: v2.10.0-3
From e7cb9eee79a63b7c7e50480f5e3571671f80b7a7 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 15 Dec 2025 13:00:53 +0200
Subject: [PATCH 103/209] Configure `encodedCharacters` for various Traefik entrypoints to fix Traefik 3.6.3+ regression
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
Ref: https://doc.traefik.io/traefik/migrate/v3/#v364
---
 group_vars/matrix_servers | 9 +++++
 roles/custom/matrix-base/defaults/main.yml | 46 +++++++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 919b77019..45810a2e1 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -5836,6 +5836,15 @@ traefik_gid: "{{ matrix_user_gid }}"
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
 traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s
+# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs).
+# Ref:
+# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
+# - https://doc.traefik.io/traefik/migrate/v3/#v364
+traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true
+traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true
+traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true
+
 traefik_additional_entrypoints_auto: |
 {{
 ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml
index 8112c89ee..e9bee12b8 100644
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
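Review bot: The comment added above `traefik_config_entrypoint_web_secure_http_encodedCharacters_*` explains why Matrix needs encoded slashes and hashes but not that the relaxation is set on the entrypoint, so every router on `web-secure` presumably inherits it, including non-Matrix services an operator attaches to the same Traefik. Traefik rejects these encodings by default because a proxy and a backend that decode `%2F` or `%23` differently can disagree about which path a rule matched. I would add a line such as `# NOTE: this applies to every service routed through the web-secure entrypoint, not only Matrix; review other backends' path handling before relying on Traefik path rules for access control.` The matrix-base hunk that sets the same two options on the federation entrypoint could carry the same sentence, although only federation traffic is expected there.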
@@ -321,6 +321,13 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}" +# Traefik v3.6.3+ blocks encoded characters in request paths by default for security. +# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc. +# Ref: +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 +# - https://doc.traefik.io/traefik/migrate/v3/#v364 +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming 
@@ -330,6 +337,19 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default: {{ {} + | combine( + ( + { + 'http': { + 'encodedCharacters': { + 'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash, + 'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash, + } + } + } + ) + ) + | combine( ( ( 
@@ -391,7 +411,31 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled: "{{ matri matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-internal-matrix-client-api matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: '' -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}" +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}" +# Traefik v3.6.3+ blocks encoded characters in request paths by default for security. +# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc. 
+# Ref: +# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 +# - https://doc.traefik.io/traefik/migrate/v3/#v364 +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: | + {{ + {} + + | combine( + ( + { + 'http': { + 'encodedCharacters': { + 'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash, + 'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash, + } + } + } + ) + ) + }} matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {} matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {} From 12bee503e0164396fa142acc6976382bdf093f94 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 15 Dec 2025 17:00:49 +0200 Subject: [PATCH 104/209] Configure `encodedCharacters` for the `web` Traefik entrypoint (if `matrix_playbook_ssl_enabled` is `false`) to fix Traefik 3.6.3+ regression in those cases Continuation of e7cb9eee79a63b7c7e50480f5e3571671f80b7a7 Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 --- group_vars/matrix_servers | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 45810a2e1..740f92709 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
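Review bot: The new `matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config` expression merges `_config_default` with `_config_auto` using a non-recursive `combine`, so an `http` key in `_config_auto` would replace the whole `http` dict and silently drop `encodedCharacters`. `_config_auto` is `{}` in this hunk, so nothing breaks today, but it is presumably meant to be overridden from group_vars. Making the inner merge recursive as well, `| combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto, recursive=True)`, keeps the default in place. The federation entrypoint expression, shown as context in the first hunk of this file, has the same shape.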
@@ -5844,6 +5844,11 @@ traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true +# Doing the same for the `web` entrypoint, for people who disable SSL for the playbook +# and actually go through this entrypoint. +traefik_config_entrypoint_web_http_encodedCharacters_enabled: "{{ not matrix_playbook_ssl_enabled }}" +traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedSlash: "{{ not matrix_playbook_ssl_enabled }}" +traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedHash: "{{ not matrix_playbook_ssl_enabled }}" traefik_additional_entrypoints_auto: | {{ From f2242246ec99d0da1606f3444859938da1096258 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 10:33:22 +0000 Subject: [PATCH 105/209] chore(deps): update dependency container_socket_proxy to v0.4.2-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 20f1951d5..d4558589c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.4.2-2.0.12-0 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git - version: v0.4.1-2 + version: v0.4.2-0 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker version: 7.9.0 From a1df76f9d405b75756f7de3e60a4385ecadee189 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 13:55:36 +0000 Subject: [PATCH 106/209] chore(deps): update dock.mau.dev/mautrix/signal docker tag to v0.2512.0 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index c1092fe0f..3da4008f9 100644 --- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/ matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal -matrix_mautrix_signal_version: v0.2511.0 +matrix_mautrix_signal_version: v0.2512.0 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}" From 17898f6be2d535e7145108ad435093bd187938f1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 13:55:32 +0000 Subject: [PATCH 107/209] chore(deps): update dock.mau.dev/mautrix/meta docker tag to v0.2512.0 --- .../matrix-bridge-mautrix-meta-instagram/defaults/main.yml | 2 +- .../matrix-bridge-mautrix-meta-messenger/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml index 693c869fc..8e7633c68 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml 
+++ b/roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml @@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta -matrix_mautrix_meta_instagram_version: v0.2511.0 +matrix_mautrix_meta_instagram_version: v0.2512.0 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram" matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config" diff --git a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml index 08303f45d..b73fe8be1 100644 --- a/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml @@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta -matrix_mautrix_meta_messenger_version: v0.2511.0 +matrix_mautrix_meta_messenger_version: v0.2512.0 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger" matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config" From 42cfbc06ccecbfde241a7661add009b69f06f282 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 15:01:33 +0000 Subject: [PATCH 108/209] chore(deps): update dependency prometheus to v3.8.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index d4558589c..59b5f0d8e 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -49,7 +49,7 @@ version: v18-0 name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v3.8.0-0 + version: v3.8.1-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.9.1-12 From 6d202a30fc419472e1fc6118961e376f89365ef6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 15:01:39 +0000 Subject: [PATCH 109/209] chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.7 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 12485fabf..c76955979 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.12.6 +matrix_client_element_version: v1.12.7 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From 2e313f6c38659703f6c239b7698e87eec2ae165d Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 19:04:41 +0000 Subject: [PATCH 110/209] chore(deps): update dock.mau.dev/mautrix/whatsapp docker tag to v0.2512.0 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index ff55d4073..faa655ddf 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp -matrix_mautrix_whatsapp_version: v0.2511.0 +matrix_mautrix_whatsapp_version: v0.2512.0 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" From c05849920d72b117aea90441b45d7bbdec70ba41 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 17 Dec 2025 05:58:50 +0000 Subject: [PATCH 111/209] chore(deps): update dependency traefik to v3.6.5-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 59b5f0d8e..671c6354f 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -67,7 +67,7 @@ version: v1.1.0-1 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.4-1 + version: v3.6.5-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-3 From 91e9d0b22780df333e5c77e6d74fc5559e5ecb1e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 08:24:47 +0000 Subject: [PATCH 112/209] chore(deps): update dependency livekit_server to v1.9.9-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 671c6354f..40100cd70 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ version: v10655-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.8-0 + version: v1.9.9-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.15.0-0 From 16bec7bfbbad5d457dddf70aac0409c8744012f3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 14:45:29 +0000 Subject: [PATCH 113/209] chore(deps): update gnuxie/draupnir docker tag to v2.9.0 --- .../custom/matrix-appservice-draupnir-for-all/defaults/main.yml | 2 +- roles/custom/matrix-bot-draupnir/defaults/main.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml index c3bf5b258..2a38108bb 100644 --- a/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml +++ b/roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml 
@@ -12,7 +12,7 @@ matrix_appservice_draupnir_for_all_enabled: true # renovate: datasource=docker depName=gnuxie/draupnir -matrix_appservice_draupnir_for_all_version: "v2.8.0" +matrix_appservice_draupnir_for_all_version: "v2.9.0" matrix_appservice_draupnir_for_all_container_image_self_build: false matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" diff --git a/roles/custom/matrix-bot-draupnir/defaults/main.yml b/roles/custom/matrix-bot-draupnir/defaults/main.yml index 34332989b..a4202bba1 100644 --- a/roles/custom/matrix-bot-draupnir/defaults/main.yml +++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml @@ -12,7 +12,7 @@ matrix_bot_draupnir_enabled: true # renovate: datasource=docker depName=gnuxie/draupnir -matrix_bot_draupnir_version: "v2.8.0" +matrix_bot_draupnir_version: "v2.9.0" matrix_bot_draupnir_container_image_self_build: false matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git" From ce14e60a026997bf35ba4d46177b522378c40fe3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 18 Dec 2025 21:12:02 +0000 Subject: [PATCH 114/209] chore(deps): update dependency docutils to v0.22.4 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 42a02c794..71bef841e 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -3,7 +3,7 @@ babel==2.17.0 certifi==2025.11.12 charset-normalizer==3.4.4 click==8.3.1 -docutils==0.22.3 +docutils==0.22.4 idna==3.11 imagesize==1.4.1 Jinja2==3.1.6 From df6ac15324e5c6f029239e5886ae82482e4d3d81 Mon Sep 17 00:00:00 2001 From: QEDeD Date: Fri, 19 Dec 2025 12:30:00 +0100 Subject: [PATCH 115/209] Fix var-naming for encodedCharacters vars --- roles/custom/matrix-base/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index e9bee12b8..100e47875 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml @@ -326,8 +326,8 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (mat # Ref: # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 # - https://doc.traefik.io/traefik/migrate/v3/#v364 -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa var-naming +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa var-naming matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming 
@@ -417,8 +417,8 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matri # Ref: # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 # - https://doc.traefik.io/traefik/migrate/v3/#v364 -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa var-naming +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa var-naming matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: | {{ {} From a8ef76735d1bf144590516605ce51d210026e82f Mon Sep 17 00:00:00 2001 From: QEDeD Date: Fri, 19 Dec 2025 12:42:54 +0100 Subject: [PATCH 116/209] Narrow var-naming noqa to pattern --- roles/custom/matrix-base/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 100e47875..647fa55cb 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -326,8 +326,8 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (mat # Ref: # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 # - https://doc.traefik.io/traefik/migrate/v3/#v364 -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa var-naming -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa var-naming +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern] +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern] matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming 
@@ -417,8 +417,8 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matri # Ref: # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 # - https://doc.traefik.io/traefik/migrate/v3/#v364 -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa var-naming -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa var-naming +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern] +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern] matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: | {{ {} From 68337b6f4597b244dccc831267984a8be25f822e Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Sat, 20 Dec 2025 00:23:24 +0900 Subject: [PATCH 117/209] Remove the tasks to retrieve a nonexistent container image for Matrix.to Signed-off-by: Suguru Hirahara --- .../custom/matrix-matrixto/defaults/main.yml | 8 +-- .../custom/matrix-matrixto/tasks/install.yml | 64 ++++++------------- .../systemd/matrix-matrixto.service.j2 | 2 +- 3 files changed, 20 insertions(+), 54 deletions(-) diff --git a/roles/custom/matrix-matrixto/defaults/main.yml b/roles/custom/matrix-matrixto/defaults/main.yml index 702ffdabe..be9762482 100644 --- a/roles/custom/matrix-matrixto/defaults/main.yml +++ b/roles/custom/matrix-matrixto/defaults/main.yml 
@@ -28,13 +28,7 @@ matrix_matrixto_hostname: "" # technical limitations. matrix_matrixto_path_prefix: / -matrix_matrixto_container_image: "{{ matrix_matrixto_container_image_registry_prefix }}shirahara/matrixto:{{ matrix_matrixto_container_image_tag }}" -matrix_matrixto_container_image_tag: "{{ matrix_matrixto_version }}" -matrix_matrixto_container_image_registry_prefix: "{{ matrix_matrixto_container_image_registry_prefix_upstream }}" -matrix_matrixto_container_image_registry_prefix_upstream: "{{ matrix_matrixto_container_image_registry_prefix_upstream_default }}" -matrix_matrixto_container_image_registry_prefix_upstream_default: "" -matrix_matrixto_container_image_force_pull: "{{ matrix_matrixto_container_image.endswith(':latest') }}" - +# There does not exist a known pre-built container image. It needs to be built locally. matrix_matrixto_container_image_self_build: true matrix_matrixto_container_image_self_build_name: "shirahara/matrixto:{{ matrix_matrixto_container_image_self_build_repo_version }}" matrix_matrixto_container_image_self_build_repo: "https://seed.radicle.garden/z3Re1EQbd186vUQDwHByYiLadsVWY.git" diff --git a/roles/custom/matrix-matrixto/tasks/install.yml b/roles/custom/matrix-matrixto/tasks/install.yml index 51a316c43..e4cc0f4f5 100644 --- a/roles/custom/matrix-matrixto/tasks/install.yml +++ b/roles/custom/matrix-matrixto/tasks/install.yml 
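Review bot: `matrix_matrixto_container_image_self_build: true` stays in the defaults, but after this commit neither tasks/install.yml nor the systemd unit template reads it, so setting it to `false` no longer changes anything and the image is built regardless. Either drop the variable or, if it is kept for compatibility, say so in the new comment, e.g. `# Kept for compatibility; the image is always built locally and this value is not consulted.`. Whether other files still reference it cannot be seen from this hunk.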
@@ -25,53 +25,25 @@ - env - labels -- name: Run if self-building of Matrix.to container image is not enabled - when: "not matrix_matrixto_container_image_self_build | bool" - block: - - name: Ensure Matrix.to container image is pulled via community.docker.docker_image - when: devture_systemd_docker_base_container_image_pull_method == 'ansible-module' - community.docker.docker_image: - name: "{{ matrix_matrixto_container_image }}" - source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}" - force_source: "{{ matrix_matrixto_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_container_image_force_pull }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed +- name: Ensure Matrix.to repository is present on self-build + ansible.builtin.git: + repo: "{{ matrix_matrixto_container_image_self_build_repo }}" + version: "{{ matrix_matrixto_container_image_self_build_repo_version }}" + dest: "{{ matrix_matrixto_container_image_self_build_src_files_path }}" + force: "yes" + register: matrix_matrixto_git_pull_results - - name: Ensure Matrix.to container image is pulled via ansible.builtin.command - when: devture_systemd_docker_base_container_image_pull_method == 'command' - ansible.builtin.command: - cmd: "{{ devture_systemd_docker_base_host_command_docker }} pull {{ matrix_matrixto_container_image }}" - register: result - retries: "{{ devture_playbook_help_container_retries_count }}" - delay: "{{ devture_playbook_help_container_retries_delay }}" - until: result is not failed - changed_when: "'Downloaded newer image' in result.stdout" - -- name: Run if self-building of Matrix.to container image is enabled - when: "matrix_matrixto_container_image_self_build | bool" - block: - - 
name: Ensure Matrix.to repository is present on self-build - ansible.builtin.git: - repo: "{{ matrix_matrixto_container_image_self_build_repo }}" - version: "{{ matrix_matrixto_container_image_self_build_repo_version }}" - dest: "{{ matrix_matrixto_container_image_self_build_src_files_path }}" - force: "yes" - register: matrix_matrixto_git_pull_results - - - name: Ensure Matrix.to container image is built - community.docker.docker_image: - name: "{{ matrix_matrixto_container_image_self_build_name }}" - source: build - force_source: "{{ matrix_matrixto_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" - force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_git_pull_results.changed }}" - build: - dockerfile: Dockerfile - path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}" - pull: true - args: +- name: Ensure Matrix.to container image is built + community.docker.docker_image: + name: "{{ matrix_matrixto_container_image_self_build_name }}" + source: build + force_source: "{{ matrix_matrixto_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}" + force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_git_pull_results.changed }}" + build: + dockerfile: Dockerfile + path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}" + pull: true + args: - name: Ensure Matrix.to container network is created via community.docker.docker_network when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module' diff --git a/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 b/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 index 920f423a5..4d02857a5 100644 --- a/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 
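Review bot: With the pull path removed, the only source of the Matrix.to image is a build from `matrix_matrixto_container_image_self_build_repo` at `matrix_matrixto_container_image_self_build_repo_version`, checked out with `force: "yes"`. The default of that version variable is outside this hunk; if it is a branch or tag rather than a full commit hash, the built image follows whatever the remote serves at deploy time. I would add a comment above the git task stating that, e.g. `# The image content is determined by this ref; pin matrix_matrixto_container_image_self_build_repo_version to a commit hash for reproducible builds.`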
+++ b/roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2 @@ -40,7 +40,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% for arg in matrix_matrixto_container_extra_arguments %} {{ arg }} \ {% endfor %} - {{ matrix_matrixto_container_image_self_build_name if matrix_matrixto_container_image_self_build else matrix_matrixto_container_image }} + {{ matrix_matrixto_container_image_self_build_name }} {% for network in matrix_matrixto_container_additional_networks %} ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_matrixto_identifier }} From a073f21a8f650f55eefb2e352d4e31e92123e587 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 21 Dec 2025 17:07:14 +0000 Subject: [PATCH 118/209] Postmoogle v0.9.28 --- roles/custom/matrix-bridge-postmoogle/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-postmoogle/defaults/main.yml b/roles/custom/matrix-bridge-postmoogle/defaults/main.yml index afd72fe2c..458395e8c 100644 --- a/roles/custom/matrix-bridge-postmoogle/defaults/main.yml +++ b/roles/custom/matrix-bridge-postmoogle/defaults/main.yml @@ -18,7 +18,7 @@ matrix_postmoogle_docker_repo_version: "{{ 'main' if matrix_postmoogle_version = matrix_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src" # renovate: datasource=docker depName=ghcr.io/etkecc/postmoogle -matrix_postmoogle_version: v0.9.27 +matrix_postmoogle_version: v0.9.28 matrix_postmoogle_docker_image: "{{ matrix_postmoogle_docker_image_registry_prefix }}etkecc/postmoogle:{{ matrix_postmoogle_version }}" matrix_postmoogle_docker_image_registry_prefix: "{{ 'localhost/' if matrix_postmoogle_container_image_self_build else matrix_postmoogle_docker_image_registry_prefix_upstream }}" matrix_postmoogle_docker_image_registry_prefix_upstream: "{{ matrix_postmoogle_docker_image_registry_prefix_upstream_default }}" 
From 9ea18d6f2d3092faf6397624baa69b78777b3589 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Dec 2025 23:28:12 +0200 Subject: [PATCH 119/209] Upgrade baibot (v1.11.0 -> v1.12.0) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index b31e70ff9..57929b679 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml @@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.11.0 +matrix_bot_baibot_version: v1.12.0 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" From 66c85f63e6cb8e65c73e43e689be13bcafb9a0a7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 21 Dec 2025 23:28:36 +0200 Subject: [PATCH 120/209] Update default OpenAI image generation model for baibot (gpt-image-1 -> gpt-image-1.5) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index 57929b679..cd3c3c77b 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -406,7 +406,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_response_format: opus matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_enabled: true -matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1 +matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1.5 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_style: null matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_size: null matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_quality: null From 927f6fa2e3b8ece0babe44c76125839799235fa6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 08:23:04 +0000 Subject: [PATCH 121/209] chore(deps): update dependency backup_borg to v1.4.2-2.0.13-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 40100cd70..4810fb991 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-5 name: auxiliary - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git - version: v1.4.2-2.0.12-0 + version: v1.4.2-2.0.13-0 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git version: v0.4.2-0 From 048ce7503d2c06a250bc3ae4b529ce86198ce78f Mon Sep 17 00:00:00 2001 From: Aine Date: Mon, 22 Dec 2025 12:37:51 +0000 Subject: [PATCH 122/209] borg v1.4.3 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 4810fb991..186f4c179 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -4,7 +4,7 @@ version: v1.0.0-5 name: auxiliary - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git - version: v1.4.2-2.0.13-0 + version: v1.4.3-2.0.13-0 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git version: v0.4.2-0 From 3c64fe6eb5e1c576e06700637c20d0da36b08a67 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 21:04:39 +0000 Subject: [PATCH 123/209] chore(deps): update ansible/ansible-lint action to v25.12.2 --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index ab6855464..6b55b6a27 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v6 - name: Run ansible-lint - uses: ansible/ansible-lint@v25.12.1 + uses: ansible/ansible-lint@v25.12.2 with: args: "roles/custom" setup_python: "true" From b0f73f79663cacb09d5037ecf176e1e3aef56c83 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 23 Dec 2025 01:55:35 +0000 Subject: [PATCH 124/209] chore(deps): update matrixconduit/matrix-conduit docker tag to v0.10.10 --- roles/custom/matrix-conduit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index 4eba7cc69..5f9d2ed75 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml 
@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}" matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/ # renovate: datasource=docker depName=matrixconduit/matrix-conduit -matrix_conduit_docker_image_tag: "v0.10.9" +matrix_conduit_docker_image_tag: "v0.10.10" matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}" matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit" From 484e94d49363137ff3cd5e8f9e678a947b7c28a8 Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 23 Dec 2025 15:34:32 +0000 Subject: [PATCH 125/209] add matrix_synapse_ext_s3_storage_provider_container_arguments var --- roles/custom/matrix-synapse/defaults/main.yml | 2 ++ .../templates/synapse/ext/s3-storage-provider/bin/migrate.j2 | 3 +++ 2 files changed, 5 insertions(+) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 625d4719e..92a74b5c5 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -128,6 +128,8 @@ matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext" matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider" matrix_synapse_ext_s3_storage_provider_bin_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/bin" matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data" +# extra arguments to pass to s3-storage-provider script when starting Synapse container +matrix_synapse_ext_s3_storage_provider_container_arguments: [] matrix_synapse_container_client_api_port: 8008 
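Review bot: The comment added above `matrix_synapse_ext_s3_storage_provider_container_arguments` says the list is passed to the s3-storage-provider script, but the migrate.j2 hunk of this commit expands it between `--entrypoint=/bin/bash` and the image name, so the items are flags of the container command that runs the migration helper. Such flags can add mounts, environment variables or privileges, so the comment should say what they really are, for example `# Extra flags for the container command in bin/migrate (one per list item), inserted before the image name.` The matrixto unit on this page names its equivalent list `matrix_matrixto_container_extra_arguments`; using the same `_extra_arguments` suffix here would keep the naming consistent.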
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 index 0d77b032f..ab32627c7 100644 --- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2 @@ -11,6 +11,9 @@ container_id=$(\ --workdir=/data \ --network={{ matrix_synapse_container_network }} \ --entrypoint=/bin/bash \ + {% for arg in matrix_synapse_ext_s3_storage_provider_container_arguments %} + {{ arg }} \ + {% endfor %} {{ matrix_synapse_docker_image_final }} \ -c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' \ ) From 9cbc9c6b064149e11b5861bae94d2392068af82b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Dec 2025 09:05:27 +0000 Subject: [PATCH 126/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2025.12.24 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index f5246a316..3e67e0e15 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml 
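Review bot: Each item of `matrix_synapse_ext_s3_storage_provider_container_arguments` is rendered verbatim by `{{ arg }} \` inside a command substitution, so the host shell re-parses it: whitespace splits an item into several words, and `$`, backticks or `;` are interpreted. The values come from the operator's inventory, so this is a robustness and documentation matter rather than exposure to outside input, but a stray character in vars.yml would silently change the command. If one item is meant to be exactly one flag, `{{ arg | quote }} \` keeps it a single shell word. If multi-word items such as `--env NAME=value` are intended, that should be stated at the variable's definition. The command this loop sits in starts before the hunk.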
@@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2025.11.26 +matrix_alertmanager_receiver_version: 2025.12.24 matrix_alertmanager_receiver_scheme: https From ed20b659128c2359d047f817bef26982b9bc22d3 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Dec 2025 09:57:33 +0200 Subject: [PATCH 127/209] Upgrade Traefik (v3.6.5-0 -> v3.6.5-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 186f4c179..5cbc4b3c7 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.1.0-1 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.5-0 + version: v3.6.5-1 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-3 From edf833627e94eb78e27c596c94ef002d60b8726e Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 25 Dec 2025 10:01:17 +0200 Subject: [PATCH 128/209] Add `matrix_coturn_hostname` to allow for the Coturn domain to be different than `matrix_server_fqn_matrix` --- docs/configuring-playbook-turn.md | 17 +++++++++++++++++ group_vars/matrix_servers | 13 ++++++++++--- roles/custom/matrix-coturn/defaults/main.yml | 5 +++++ .../matrix-coturn/tasks/validate_config.yml | 1 + .../matrix-coturn/templates/turnserver.conf.j2 | 2 +- roles/custom/matrix-coturn/vars/main.yml | 8 ++++---- 6 files changed, 38 insertions(+), 8 deletions(-) diff --git a/docs/configuring-playbook-turn.md b/docs/configuring-playbook-turn.md index 9c9b31271..0cce596e5 100644 --- a/docs/configuring-playbook-turn.md +++ b/docs/configuring-playbook-turn.md 
@@ -49,6 +49,23 @@ Regardless of the selected authentication method, the playbook generates secrets If [Jitsi](configuring-playbook-jitsi.md) is installed, note that switching to `lt-cred-mech` will disable the integration between Jitsi and your coturn server, as Jitsi seems to support the `auth-secret` authentication method only. +### Customize the Coturn hostname (optional) + +By default, Coturn uses the same hostname as your Matrix homeserver (the value of `matrix_server_fqn_matrix`, which is typically `matrix.example.com`). + +If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file: + +```yaml +matrix_coturn_hostname: turn.example.com +``` + +The playbook will automatically: +- Configure Coturn to use this hostname +- Obtain an SSL certificate for the custom domain via Traefik +- Update all TURN URIs to point to the custom domain + +**Note**: Make sure the custom hostname resolves to your server's IP address via DNS before running the playbook. + ### Use your own external coturn server (optional) If you'd like to use another TURN server (be it coturn or some other one), add the following configuration to your `vars.yml` file. Make sure to replace `HOSTNAME_OR_IP` with your own. diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 740f92709..06ccd0952 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3152,6 +3152,8 @@ matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ traefik_certReso matrix_coturn_enabled: true +matrix_coturn_hostname: "{{ matrix_server_fqn_matrix }}" + matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_coturn_docker_image_registry_prefix_upstream_default }}" matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}" 
@@ -3191,12 +3193,12 @@ matrix_coturn_container_additional_volumes: | ( [ { - 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_server_fqn_matrix + '/certificate.crt'), + 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/certificate.crt'), 'dst': '/certificate.crt', 'options': 'ro', }, { - 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_server_fqn_matrix + '/privatekey.key'), + 'src': (traefik_certs_dumper_dumped_certificates_path + '/' + matrix_coturn_hostname + '/privatekey.key'), 'dst': '/privatekey.key', 'options': 'ro', }, @@ -3206,7 +3208,7 @@ matrix_coturn_container_additional_volumes: | matrix_coturn_systemd_required_services_list_auto: | {{ - ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []) + ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []) }} ###################################################################### @@ -5873,6 +5875,11 @@ traefik_systemd_required_services_list: | ([container_socket_proxy_identifier + '.service'] if container_socket_proxy_enabled else []) }} +traefik_additional_domains_to_obtain_certificates_for_auto: | + {{ + ([matrix_coturn_hostname] if (matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_coturn_hostname != matrix_server_fqn_matrix) else []) + }} + ######################################################################## # # # /traefik # diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index d3616f1b5..be86c6c36 100644 
--- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -18,6 +18,8 @@ matrix_coturn_enabled: true +matrix_coturn_hostname: '' + matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" @@ -111,6 +113,9 @@ matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_con matrix_coturn_turn_udp_min_port: 49152 matrix_coturn_turn_udp_max_port: 49172 +# Controls the `realm` configuration option +matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}" + # Controls which authentication method to enable. # # lt-cred-mech likely provides better compatibility, diff --git a/roles/custom/matrix-coturn/tasks/validate_config.yml b/roles/custom/matrix-coturn/tasks/validate_config.yml index 3fe51d9ea..205ce4c58 100644 --- a/roles/custom/matrix-coturn/tasks/validate_config.yml +++ b/roles/custom/matrix-coturn/tasks/validate_config.yml @@ -29,6 +29,7 @@ You need to define a required configuration setting (`{{ item.name }}`). when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0" with_items: + - {'name': 'matrix_coturn_hostname', when: true} - {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"} - {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"} - {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"} diff --git a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 index a969c4f99..73eb9eff1 100644 --- a/roles/custom/matrix-coturn/templates/turnserver.conf.j2 +++ b/roles/custom/matrix-coturn/templates/turnserver.conf.j2 
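Review bot: The comment on `matrix_coturn_realm` does not mention that the default prepends `turn.` to the hostname, so the documented example `matrix_coturn_hostname: turn.example.com` produces the realm `turn.turn.example.com`. Default installs keep their old realm, which is presumably the intent, but the result is surprising for a custom hostname. The realm is also an input to the long-term credential key under `lt-cred-mech`, so it is worth stating that it follows the hostname. I would extend the comment to something like `# Controls the realm option. Defaults to "turn." + matrix_coturn_hostname, so it changes whenever the hostname does.`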
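Review bot: `matrix_coturn_hostname` is only checked for being non-empty here (`- {'name': 'matrix_coturn_hostname', when: true}`), yet the group_vars hunks of this commit concatenate it into the host paths of the certificate and private-key mounts and into the `-wait-for-domain@….service` unit name. A value containing `/`, `..` or whitespace would point the read-only key mount at an unintended path or produce a malformed unit name. A format check next to the required-setting task would catch that before anything is templated. The task list this hunk belongs to starts and ends outside the hunk.

```yaml
# … unchanged: required-setting check with its with_items list …

- name: Fail if matrix_coturn_hostname is not a plain hostname
  ansible.builtin.fail:
    msg: "`matrix_coturn_hostname` may only contain letters, digits, dots and hyphens."
  when: "matrix_coturn_hostname is not match('^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$')"
```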
@@ -11,7 +11,7 @@ lt-cred-mech user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }} {% endif %} -realm=turn.{{ matrix_server_fqn_matrix }} +realm={{ matrix_coturn_realm }} min-port={{ matrix_coturn_turn_udp_min_port }} max-port={{ matrix_coturn_turn_udp_max_port }} diff --git a/roles/custom/matrix-coturn/vars/main.yml b/roles/custom/matrix-coturn/vars/main.yml index 4391c2853..91932ec85 100644 --- a/roles/custom/matrix-coturn/vars/main.yml +++ b/roles/custom/matrix-coturn/vars/main.yml @@ -7,15 +7,15 @@ matrix_coturn_turn_uris: |- {{ ([ - 'turns:' + matrix_server_fqn_matrix + '?transport=udp', - 'turns:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turns:' + matrix_coturn_hostname + '?transport=udp', + 'turns:' + matrix_coturn_hostname + '?transport=tcp', ] if matrix_coturn_tls_enabled else []) + ([ - 'turn:' + matrix_server_fqn_matrix + '?transport=udp', + 'turn:' + matrix_coturn_hostname + '?transport=udp', ] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host') else []) + ([ - 'turn:' + matrix_server_fqn_matrix + '?transport=tcp', + 'turn:' + matrix_coturn_hostname + '?transport=tcp', ] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host') else []) }} From 1ca3c91fd722d85ea41fecb0055cd2679d66dcf3 Mon Sep 17 00:00:00 2001 From: Aine Date: Sun, 28 Dec 2025 23:27:56 +0000 Subject: [PATCH 129/209] etherpad v2.6.0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5cbc4b3c7..ec88049d2 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -16,7 +16,7 @@ version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6 name: docker_sdk_for_python - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git - version: v2.5.2-2 + version: v2.6.0-0 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git version: v4.98.1-r0-2-2 From 6f736653e9481374da41f8b66ddf51033a3cc9e4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 30 Dec 2025 10:09:32 +0000 Subject: [PATCH 130/209] chore(deps): update dependency traefik to v3.6.6-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index ec88049d2..3201f0ca3 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.1.0-1 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.5-1 + version: v3.6.6-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-3 From e7612dc0cef199a73731e8ebbff2b63c66ae00d7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 31 Dec 2025 02:33:16 +0000 Subject: [PATCH 131/209] chore(deps): update matrixconduit/matrix-conduit docker tag to v0.10.11 --- roles/custom/matrix-conduit/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-conduit/defaults/main.yml b/roles/custom/matrix-conduit/defaults/main.yml index 5f9d2ed75..8c8fa3cba 100644 --- a/roles/custom/matrix-conduit/defaults/main.yml +++ b/roles/custom/matrix-conduit/defaults/main.yml 
@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}" matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/ # renovate: datasource=docker depName=matrixconduit/matrix-conduit -matrix_conduit_docker_image_tag: "v0.10.10" +matrix_conduit_docker_image_tag: "v0.10.11" matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}" matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit" From be7536390de33333fb706d918f4241ad7e28cb37 Mon Sep 17 00:00:00 2001 From: Mark Monteiro Date: Tue, 30 Dec 2025 14:29:12 -0500 Subject: [PATCH 132/209] improve notes about configuring hookshot encryption - clarify that Redis is configured automatically - add note indicating that encryption is not currently supported when using MAS --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 2c9b6bcc7..fe2e298ad 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -72,8 +72,9 @@ matrix_hookshot_cache_redisUri: "{{ ('redis://' + matrix_hookshot_cache_redis_ho # Controls whether the end-to-bridge encryption support is enabled. # This requires that: # - support to also be enabled in the homeserver, see the documentation of Hookshot. -# - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables. +# - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables. Note that this is configured automatically by the playbook when encryption is enabled. # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html +# NOTE: Encryption is not currently (2025-12-30) supported when using MAS (https://github.com/matrix-org/matrix-hookshot/issues/1084) matrix_hookshot_encryption_enabled: "{{ matrix_bridges_encryption_enabled }}" # Controls whether metrics are enabled in the bridge configuration. From e60ef27bb8e1152dcad06f07cf489bfc17859a9a Mon Sep 17 00:00:00 2001 From: Mark Monteiro Date: Tue, 30 Dec 2025 12:35:45 -0500 Subject: [PATCH 133/209] update instructions for user admin management with MAS This is now supported via the mas-cli management tool --- docs/registering-users.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/registering-users.md b/docs/registering-users.md index 8de5bfeb3..aeecbd04b 100644 --- a/docs/registering-users.md +++ b/docs/registering-users.md 
@@ -161,6 +161,6 @@ You can then proceed to run the query above. ### Adding/Removing Administrator privileges to an existing user in Matrix Authentication Service -Promoting/demoting a user in Matrix Authentication Service cannot currently (2024-10-19) be done via the [`mas-cli` Management tool](./configuring-playbook-matrix-authentication-service.md#management). +Promoting/demoting a user in Matrix Authentication Service can be done using the [`mas-cli`](./configuring-playbook-matrix-authentication-service.md#management) management tool's [`manage promote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-promote-admin) and [`manage demote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-demote-admin) commands. For example: `/matrix/matrix-authentication-service/bin/mas-cli manage promote-admin some.username`. -You can do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint. +You can also do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint. From e09d10419c8f338b97b522b2aa32013295e438d2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 31 Dec 2025 16:44:59 +0000 Subject: [PATCH 134/209] chore(deps): update dependency sphinx to v9.1.0 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 71bef841e..53d018569 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -19,7 +19,7 @@ PyYAML==6.0.3 requests==2.32.5 setuptools==80.9.0 snowballstemmer==3.0.1 -Sphinx==9.0.4 +Sphinx==9.1.0 sphinx-intl==2.3.2 sphinx-markdown-builder==0.6.9 sphinxcontrib-applehelp==2.0.0 
From 5e558aab5518f0a309b27440af07ddc9249c0f47 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 1 Jan 2026 13:52:46 +0000 Subject: [PATCH 135/209] chore(deps): update dependency livekit_server to v1.9.10-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 3201f0ca3..8d42ca3fe 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ version: v10655-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.9-0 + version: v1.9.10-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.15.0-0 From 4f00bb47897d26d248a0f304d1203e0982425d77 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 4 Jan 2026 06:32:41 +0000 Subject: [PATCH 136/209] chore(deps): update dependency certifi to v2026 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 53d018569..c95ab06f5 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -1,6 +1,6 @@ alabaster==1.0.0 babel==2.17.0 -certifi==2025.11.12 +certifi==2026.1.4 charset-normalizer==3.4.4 click==8.3.1 docutils==0.22.4 From 5f3f57197e28529a1e24a39b7324ca2c3ab91b9f Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 6 Jan 2026 09:28:28 +0200 Subject: [PATCH 137/209] Revert "Remove outdated warning about Postmoogle not working well with Matrix Authentication Service" This reverts commit 81b371e690e17ec5c26d8993ce051ccc233f1ecd. Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/commit/81b371e690e17ec5c26d8993ce051ccc233f1ecd#commitcomment-173871096 --- docs/configuring-playbook-matrix-authentication-service.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/docs/configuring-playbook-matrix-authentication-service.md b/docs/configuring-playbook-matrix-authentication-service.md index 094bb4d7f..eff0d9e8f 100644 --- a/docs/configuring-playbook-matrix-authentication-service.md +++ b/docs/configuring-playbook-matrix-authentication-service.md @@ -57,6 +57,10 @@ This section details what you can expect when switching to the Matrix Authentica - [Reminder bot](configuring-playbook-bot-matrix-reminder-bot.md) seems to be losing some of its state on each restart and may reschedule old reminders once again + - [Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first time around, but it consistently fails after restarting: + + > cannot initialize matrix bot error="olm account is marked as shared, keys seem to have disappeared from the server" + - ❌ **Encrypted appservices** do not work yet (related to [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) and [PR 17705 for Synapse](https://github.com/element-hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will fail to start (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3658) for Hookshot). You can use these bridges/bots only if you **keep end-to-bridge encryption disabled** (which is the default setting). - ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break. From 858a4ab555a37f7196891ee7bf150b7f3a154085 Mon Sep 17 00:00:00 2001 
From: Aine Date: Tue, 6 Jan 2026 09:47:01 +0000 Subject: [PATCH 138/209] Synapse Admin v0.11.1-etke51 --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 904105884..eea553017 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml @@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git" # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin -matrix_synapse_admin_version: v0.11.1-etke50 +matrix_synapse_admin_version: v0.11.1-etke51 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}" matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}" From ed87ef7e508075fbbde5a2b20f3b110180edf904 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 7 Jan 2026 08:44:00 +0000 Subject: [PATCH 139/209] chore(deps): update dependency prometheus to v3.9.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 8d42ca3fe..153f44abe 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -49,7 +49,7 @@ version: v18-0 name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v3.8.1-0 + version: v3.9.0-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.9.1-12 From 13727bc0a28876e8f5de8ab142fce4abe2e983f3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 7 Jan 2026 18:35:45 +0000 Subject: [PATCH 140/209] chore(deps): update dependency urllib3 to v2.6.3 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index c95ab06f5..a58d6eeae 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0 sphinxcontrib-serializinghtml==2.0.0 tabulate==0.9.0 uc-micro-py==1.0.3 -urllib3==2.6.2 +urllib3==2.6.3 From 65213ff497b3a9b4f526de78f4c071e1fdf37dc4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 02:09:36 +0000 Subject: [PATCH 141/209] chore(deps): update ghcr.io/jasonlaguidice/matrix-steam-bridge docker tag to v1.1.0 --- roles/custom/matrix-bridge-steam/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-steam/defaults/main.yml b/roles/custom/matrix-bridge-steam/defaults/main.yml index 8f2860b34..b9aecde72 100644 --- a/roles/custom/matrix-bridge-steam/defaults/main.yml +++ b/roles/custom/matrix-bridge-steam/defaults/main.yml 
@@ -13,7 +13,7 @@ matrix_steam_bridge_container_image_self_build_repo: "https://github.com/jasonla matrix_steam_bridge_container_image_self_build_repo_version: "{{ 'main' if matrix_steam_bridge_version == 'latest' else matrix_steam_bridge_version }}" # renovate: datasource=docker depName=ghcr.io/jasonlaguidice/matrix-steam-bridge -matrix_steam_bridge_version: 1.0.8 +matrix_steam_bridge_version: 1.1.0 matrix_steam_bridge_docker_image: "{{ matrix_steam_bridge_docker_image_registry_prefix }}jasonlaguidice/matrix-steam-bridge:{{ matrix_steam_bridge_version }}" matrix_steam_bridge_docker_image_registry_prefix: "{{ 'localhost/' if matrix_steam_bridge_container_image_self_build else matrix_steam_bridge_docker_image_registry_prefix_upstream }}" matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}" From 9d7c224021958eb9d4b704c11b0df8254d080d11 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:46:01 +0000 Subject: [PATCH 142/209] chore(deps): update dependency prometheus to v3.9.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 153f44abe..db049a2f8 100644 --- a/requirements.yml +++ b/requirements.yml @@ -49,7 +49,7 @@ version: v18-0 name: postgres_backup - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git - version: v3.9.0-0 + version: v3.9.1-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git version: v1.9.1-12 From ae88c51dd7c384ef24bfee4558cf9a86fb769082 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 13:03:08 +0000 Subject: [PATCH 143/209] chore(deps): update dependency container_socket_proxy to v0.4.2-1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index db049a2f8..a839280e1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -7,7 +7,7 @@ version: v1.4.3-2.0.13-0 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git - version: v0.4.2-0 + version: v0.4.2-1 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker version: 7.9.0 From e70d0d7673312a1d36eff5c259f63e9fea80031f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 13:03:01 +0000 Subject: [PATCH 144/209] chore(deps): update dependency auxiliary to v1.0.0-6 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index a839280e1..444dbc89c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,7 +1,7 @@ --- - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git - version: v1.0.0-5 + version: v1.0.0-6 name: auxiliary - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git version: v1.4.3-2.0.13-0 From e4abe50daf26b0f2aa4b8aa23f9ceefcacefac86 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 16:14:31 +0000 Subject: [PATCH 145/209] chore(deps): update dependency grafana to v11.6.5-5 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 444dbc89c..840897384 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -22,7 +22,7 @@ version: v4.98.1-r0-2-2 name: exim_relay - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git - version: v11.6.5-4 + version: v11.6.5-5 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v10655-0 From 5fe789cd9674846b3f763d3c211bfb5c833a05ac Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 16:14:25 +0000 Subject: [PATCH 146/209] chore(deps): update dependency etherpad to v2.6.0-1 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 840897384..2cd911981 100644 --- a/requirements.yml +++ b/requirements.yml @@ -16,7 +16,7 @@ version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6 name: docker_sdk_for_python - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git - version: v2.6.0-0 + version: v2.6.0-1 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git version: v4.98.1-r0-2-2 From 91711669c69cc27a92fd255d74693e5ad11e0ef6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 8 Jan 2026 16:13:50 +0000 Subject: [PATCH 147/209] Bump ansible/ansible-lint from 25.12.2 to 26.1.0 Bumps [ansible/ansible-lint](https://github.com/ansible/ansible-lint) from 25.12.2 to 26.1.0. - [Release notes](https://github.com/ansible/ansible-lint/releases) - [Commits](https://github.com/ansible/ansible-lint/compare/v25.12.2...v26.1.0) --- updated-dependencies: - dependency-name: ansible/ansible-lint dependency-version: 26.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 6b55b6a27..2aec3199f 100644 
--- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v6 - name: Run ansible-lint - uses: ansible/ansible-lint@v25.12.2 + uses: ansible/ansible-lint@v26.1.0 with: args: "roles/custom" setup_python: "true" From e4d0d42f04fc68291b22b379c95f186d50cdd7f7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 01:55:40 +0000 Subject: [PATCH 148/209] chore(deps): update dependency traefik_certs_dumper to v2.10.0-4 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 2cd911981..fb5289dfb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -70,7 +70,7 @@ version: v3.6.6-0 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git - version: v2.10.0-3 + version: v2.10.0-4 name: traefik_certs_dumper - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git version: v9.0.1-0 From afe5b06771ae34dffdc7fc2ad1d60d1ffb95d5be Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 9 Jan 2026 08:43:28 +0000 Subject: [PATCH 149/209] Synapse Admin v0.11.1-etke52 --- roles/custom/matrix-synapse-admin/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index eea553017..68ab27cd3 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git" # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin -matrix_synapse_admin_version: v0.11.1-etke51 +matrix_synapse_admin_version: v0.11.1-etke52 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}" matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}" From 0bc84a7129c83d80717e5d85443d4c52cd97e5a5 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 12:58:31 +0000 Subject: [PATCH 150/209] chore(deps): update dependency prometheus_postgres_exporter to v0.18.1-2 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index fb5289dfb..80e707454 100644 --- a/requirements.yml +++ b/requirements.yml @@ -55,7 +55,7 @@ version: v1.9.1-12 name: prometheus_node_exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - version: v0.18.1-1 + version: v0.18.1-2 name: prometheus_postgres_exporter - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.4.1-0 From a3a2c568d065350b8afc1df912fd234b36abe3ad Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 9 Jan 2026 12:58:24 +0000 Subject: [PATCH 151/209] chore(deps): update dependency prometheus_node_exporter to v1.9.1-13 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/requirements.yml b/requirements.yml index 80e707454..6d215706c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -52,7 +52,7 @@ version: v3.9.1-0 name: prometheus - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git - version: v1.9.1-12 + version: v1.9.1-13 name: prometheus_node_exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git version: v0.18.1-2 From dd54691137c478fb1288ef9df3df2d8f820f2536 Mon Sep 17 00:00:00 2001 From: akdk7 <97784161+akdk7@users.noreply.github.com> Date: Sat, 10 Jan 2026 14:07:12 +0100 Subject: [PATCH 152/209] Automatically integate matrix-media-repo with Valkey (if enabled) (#4851) * This push request is about handling Traefik ipallowlist to synapse-admin application. It's my first push request. If I forgot something please let me know. :-) * Changed position of variable and naming for better expandebility of traefik options * Remove useless `noqa var-naming` comment and too many blank lines at the end of the file * If redis ist enabled for matrix media repo it failes to connect to valkey due to inproper configuration. * Updated solution for fixing MMR redis connection * Clean up * Update valkey_container_network condition --------- Co-authored-by: AkDk7 Co-authored-by: Slavi Pantaleev --- group_vars/matrix_servers | 17 +++++++++++++++++ .../custom/matrix-media-repo/defaults/main.yml | 8 +------- 2 files changed, 18 insertions(+), 7 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 06ccd0952..2be5d7a42 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -3648,6 +3648,8 @@ matrix_media_repo_container_additional_networks: | ([postgres_container_network] if (postgres_enabled and matrix_media_repo_database_hostname == postgres_connection_hostname and postgres_container_network != matrix_media_repo_container_network) else []) + ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_media_repo_container_labels_traefik_enabled) else []) + + + ([valkey_container_network] if valkey_enabled and matrix_media_repo_redis_enabled else []) ) | unique }} @@ -3713,6 +3715,21 @@ matrix_media_repo_homeservers_auto: matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federation_enabled }}" +matrix_media_repo_redis_enabled: "{{ valkey_enabled }}" + +# Use next redis index since Synapse is on 0. You can chose between index 0 and 15. +matrix_media_repo_redis_database_number: 1 + +matrix_media_repo_redis_shards: | + {{ + ([{ + 'name': 'valkey', + 'addr': (valkey_identifier + valkey_container_http_port | string), + }]) + if valkey_enabled and matrix_media_repo_redis_enabled + else [] + }} + ###################################################################### # # /matrix-media-repo diff --git a/roles/custom/matrix-media-repo/defaults/main.yml b/roles/custom/matrix-media-repo/defaults/main.yml index c2485207e..68a5dafe8 100755 --- a/roles/custom/matrix-media-repo/defaults/main.yml +++ b/roles/custom/matrix-media-repo/defaults/main.yml @@ -895,13 +895,7 @@ matrix_media_repo_redis_database_number: 0 # The Redis shards that should be used by the media repo in the ring. The names of the # shards are for your reference and have no bearing on the connection, but must be unique. -matrix_media_repo_redis_shards: - - name: "server1" - addr: ":7000" - - name: "server2" - addr: ":7001" - - name: "server3" - addr: ":7002" +matrix_media_repo_redis_shards: [] # Optional sentry (https://sentry.io/) configuration for the media repo 
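Review bot: The new `valkey_container_network` entry in the `@@ -3648,6 +3648,8 @@` hunk of group_vars/matrix_servers lacks the `!= matrix_media_repo_container_network` guard that the `postgres_container_network` entry just above it has. It is added whenever `valkey_enabled and matrix_media_repo_redis_enabled`, and `| unique` only de-duplicates within this list. If both services were placed on the same network, that network would be listed as an additional network as well as the primary one; what the role does with such a duplicate is not visible here. For consistency I would write `([valkey_container_network] if (valkey_enabled and matrix_media_repo_redis_enabled and valkey_container_network != matrix_media_repo_container_network) else [])`. The expression starts above the hunk.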
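Review bot: The comment above `matrix_media_repo_redis_database_number: 1` in the `@@ -3713,6 +3715,21 @@` hunk treats the database index as what separates matrix-media-repo from Synapse, but a Redis/Valkey database number is not an access boundary. It only namespaces keys: any connected client can select another index, and pub/sub channels are not scoped by database at all. Because the first hunk also attaches the media repo container to `valkey_container_network`, the service that handles uploaded media can reach the same instance Synapse uses; whether that instance enforces authentication or ACLs is not visible in this patch. I would reword the comment to say so, e.g. `# Database 1 avoids key collisions with Synapse (database 0); it is not an access boundary. Valid indexes are 0 to 15.`, and mention that a dedicated instance is the option for operators who want isolation.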
From 8a02d791ea1bd89e2c54b4fedde6460f15be70ea Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sat, 10 Jan 2026 15:10:09 +0200 Subject: [PATCH 153/209] Add missing `:` to `matrix_media_repo_redis_shards` entry Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4851#issuecomment-3732696383 --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 2be5d7a42..af77d73a3 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3724,7 +3724,7 @@ matrix_media_repo_redis_shards: | {{ ([{ 'name': 'valkey', - 'addr': (valkey_identifier + valkey_container_http_port | string), + 'addr': (valkey_identifier + ':' + valkey_container_http_port | string), }]) if valkey_enabled and matrix_media_repo_redis_enabled else [] From e1bf0aebd2f5c04dec7cac1b02cc5d5f7fd1c44b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Mon, 12 Jan 2026 10:10:14 +0200 Subject: [PATCH 154/209] Upgrade LiveKit (v1.9.10-0 -> v1.9.10-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 6d215706c..dde7ee6de 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ version: v10655-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.10-0 + version: v1.9.10-1 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.15.0-0 From b5c5f34ca441f79d406dd32fa2b6302e27e4c8e4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 17:30:52 +0000 Subject: [PATCH 155/209] chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.8 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index c76955979..29a5ce2ed 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.12.7 +matrix_client_element_version: v1.12.8 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From 78c7b61af80741e6da4f840d414af36c1607279c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 17:30:56 +0000 Subject: [PATCH 156/209] chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.9.0 --- roles/custom/matrix-authentication-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml index c09451829..37a9ee7bb 100644 --- a/roles/custom/matrix-authentication-service/defaults/main.yml +++ b/roles/custom/matrix-authentication-service/defaults/main.yml 
@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src" # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service -matrix_authentication_service_version: 1.8.0 +matrix_authentication_service_version: 1.9.0 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}" matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}" matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/" From 41108b57e35fd1d9084a0163bced359359ef9e33 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 14 Jan 2026 09:35:51 +0000 Subject: [PATCH 157/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index 3e67e0e15..c8f0c2734 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2025.12.24 +matrix_alertmanager_receiver_version: 2026.1.14 matrix_alertmanager_receiver_scheme: https From a050107e0fb7c1ffa976149878e2691a04182ce4 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 21:53:54 +0000 Subject: [PATCH 158/209] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.145.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 92a74b5c5..dca771e0c 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.144.0 +matrix_synapse_version: v1.145.0 matrix_synapse_username: '' matrix_synapse_uid: '' From ac5dc5d44fa4c412ed8aefa730b1edf9822ebcc0 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 14 Jan 2026 12:07:09 +0200 Subject: [PATCH 159/209] Pull in some additional Synapse workers routing configuration Provoked by https://github.com/element-hq/synapse/pull/19281 which landed in Synapse v1.145.0, but we pull in a few other routes that I noticed to be missing. --- roles/custom/matrix-synapse/vars/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index f4de30ac8..8843c0600 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml 
@@ -200,12 +200,13 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(r0|v3|unstable)/notifications$ # Encryption requests - # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri` - ^/_matrix/client/(r0|v3|unstable)/keys/query$ - ^/_matrix/client/(r0|v3|unstable)/keys/changes$ - ^/_matrix/client/(r0|v3|unstable)/keys/claim$ - ^/_matrix/client/(r0|v3|unstable)/room_keys/ - - ^/_matrix/client/(r0|v3|unstable)/keys/upload/ + - ^/_matrix/client/(r0|v3|unstable)/keys/upload$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$ + - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$ # Registration/login requests - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$ @@ -223,6 +224,12 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/ - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/ + # Unstable MSC4140 support + - ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$ + + # Admin API requests + - ^/_synapse/admin/v2/users/[^/]+$ + # Start of intentionally-ignored-endpoints # # We ignore these below, because they're better sent to dedicated workers (various stream writers). From 1890f3a01a369915e625c2edf49a8edc312086c1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 14 Jan 2026 14:46:50 +0000 Subject: [PATCH 160/209] chore(deps): update dependency jitsi to v10710 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index dde7ee6de..70107ceba 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ version: v11.6.5-5 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v10655-0 + version: v10710-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git version: v1.9.10-1 
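Review bot: The second hunk (`@@ -223,6 +224,12 @@` in roles/custom/matrix-synapse/vars/main.yml) adds `^/_synapse/admin/v2/users/[^/]+$` to `matrix_synapse_workers_generic_worker_endpoints`, and it is the only Admin API path visible in a list of client API routes. How the list is turned into reverse-proxy routes is outside this hunk. It should therefore be confirmed that the entry only changes which process answers the request, and cannot make `/_synapse/admin` reachable on installs that deliberately keep the Admin API unexposed. I would record that requirement next to the entry, e.g. `# Admin API path: must stay behind the same exposure setting as the rest of /_synapse/admin`. The list begins before and continues after the hunk.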
From 4d0cf32151ffc2b506c967be72d40dc98f69ff27 Mon Sep 17 00:00:00 2001 From: Aine Date: Thu, 15 Jan 2026 09:12:17 +0000 Subject: [PATCH 161/209] grafana: add /tmp tmpfs --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 70107ceba..2b54552fb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -22,7 +22,7 @@ version: v4.98.1-r0-2-2 name: exim_relay - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git - version: v11.6.5-5 + version: v11.6.5-6 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git version: v10710-0 From bd6202eb654222175dea30bcd3197fc263d58eb1 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Thu, 15 Jan 2026 14:40:38 +0200 Subject: [PATCH 162/209] Upgrade Traefik (v3.6.6-0 -> v3.6.7-1) and remove all (now-unnecessary) `encodedCharacters_*` setting overrides All these `encodedCharacters_*` settings default to `true` in Traefik v3.6.7, so we don't need to override their values. Ref: https://doc.traefik.io/traefik/v3.6/migrate/v3/#v367 Closes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4835 --- group_vars/matrix_servers | 14 ------ requirements.yml | 2 +- roles/custom/matrix-base/defaults/main.yml | 45 +------------------ .../matrix-base/tasks/validate_config.yml | 5 +++ 4 files changed, 7 insertions(+), 59 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index af77d73a3..3b88d902f 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -5855,20 +5855,6 @@ traefik_gid: "{{ matrix_user_gid }}" # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint. traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s -# Traefik v3.6.3+ blocks encoded characters in request paths by default for security. -# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs). -# Ref: -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 -# - https://doc.traefik.io/traefik/migrate/v3/#v364 -traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true -traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true -traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true -# Doing the same for the `web` entrypoint, for people who disable SSL for the playbook -# and actually go through this entrypoint. -traefik_config_entrypoint_web_http_encodedCharacters_enabled: "{{ not matrix_playbook_ssl_enabled }}" -traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedSlash: "{{ not matrix_playbook_ssl_enabled }}" -traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedHash: "{{ not matrix_playbook_ssl_enabled }}" - traefik_additional_entrypoints_auto: | {{ ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else []) diff --git a/requirements.yml b/requirements.yml index 2b54552fb..00d579e08 100644 --- a/requirements.yml +++ b/requirements.yml @@ -67,7 +67,7 @@ version: v1.1.0-1 name: timesync - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git - version: v3.6.6-0 + version: v3.6.7-1 name: traefik - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git version: v2.10.0-4 
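Review bot: With the `encodedCharacters_*` overrides removed in the `@@ -5855,20 +5855,6 @@` hunk of group_vars/matrix_servers, acceptance of encoded slashes and hashes is decided entirely by the Traefik default, and nothing here records that dependency any more. The deleted comment was the only place that said this filtering exists "for security" and why Matrix needs it relaxed. A later change of the upstream default would therefore break Matrix paths with no hint in the playbook. The `web` entrypoint override also used to be `{{ not matrix_playbook_ssl_enabled }}`, so SSL-enabled installs now accept encoded characters there too if the default is permissive, as the commit message states. I would keep a short comment in this spot, e.g. `# Matrix API paths need encoded slashes/hashes; Traefik v3.6.7+ allows them by default (https://doc.traefik.io/traefik/v3.6/migrate/v3/#v367)`.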
diff --git a/roles/custom/matrix-base/defaults/main.yml b/roles/custom/matrix-base/defaults/main.yml index 647fa55cb..0fefb7300 100644 --- a/roles/custom/matrix-base/defaults/main.yml +++ b/roles/custom/matrix-base/defaults/main.yml 
@@ -321,13 +321,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}" matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}" -# Traefik v3.6.3+ blocks encoded characters in request paths by default for security. -# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc. -# Ref: -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 -# - https://doc.traefik.io/traefik/migrate/v3/#v364 -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern] -matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern] matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}" # noqa var-naming matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}" # noqa var-naming 
@@ -337,19 +330,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default: {{ {} - | combine( - ( - { - 'http': { - 'encodedCharacters': { - 'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash, - 'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash, - } - } - } - ) - ) - | combine( ( ( 
@@ -412,30 +392,7 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-inter matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: '' matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}" -# Traefik v3.6.3+ blocks encoded characters in request paths by default for security. -# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc. -# Ref: -# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798 -# - https://doc.traefik.io/traefik/migrate/v3/#v364 -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true # noqa: var-naming[pattern] -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true # noqa: var-naming[pattern] -matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: | - {{ - {} - - | combine( - ( - { - 'http': { - 'encodedCharacters': { - 'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash, - 'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash, - } - } - } - ) - ) - }} +matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {} matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {} matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {} 
diff --git a/roles/custom/matrix-base/tasks/validate_config.yml b/roles/custom/matrix-base/tasks/validate_config.yml index 360c995b5..4f8f1db70 100644 --- a/roles/custom/matrix-base/tasks/validate_config.yml +++ b/roles/custom/matrix-base/tasks/validate_config.yml @@ -36,6 +36,11 @@ - {'old': 'matrix_container_global_registry_prefix', 'new': ''} - {'old': 'matrix_user_username', 'new': 'matrix_user_name'} - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'} + - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': ''} + - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': ''} + - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': ''} + - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': ''} + # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message. - name: Fail if matrix_homeserver_generic_secret_key is undefined From ea4b467cd3390e1beaaeb8f575993cea4f4c333d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 15 Jan 2026 12:42:33 +0000 Subject: [PATCH 163/209] chore(deps): update dependency livekit_server to v1.9.11-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 00d579e08..529a80a59 100644 --- a/requirements.yml +++ b/requirements.yml @@ -28,7 +28,7 @@ version: v10710-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git - version: v1.9.10-1 + version: v1.9.11-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git version: v2.15.0-0 
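Review bot: The four entries added to the removed-variables list in `roles/custom/matrix-base/tasks/validate_config.yml` all carry `'new': ''`, so an operator who had set one of the `..._encodedCharacters_allowEncodedSlash` / `..._allowEncodedHash` variables learns only that it is gone. The comment deleted from `group_vars/matrix_servers` in the same change explained that Traefik blocks encoded characters in paths by default and that Matrix endpoints need encoded slashes and hashes, and none of the visible hunks say where that is handled now. I would put a comment above the four entries, for example `# Removed: <reason>; encoded-character handling is now controlled by <replacement setting, if any>.`, so the relaxation of a proxy-level path check stays traceable. The hunk also adds a second blank line before `# We have a dedicated check ...`, where one is enough. The task that consumes this list starts outside the hunk.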
From 28af19a1a71a30b5a57323c7a8e378e88138843e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 15 Jan 2026 12:42:39 +0000 Subject: [PATCH 164/209] chore(deps): update dependency myst-parser to v5 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index a58d6eeae..aeb80ee34 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -12,7 +12,7 @@ markdown-it-py==4.0.0 MarkupSafe==3.0.3 mdit-py-plugins==0.5.0 mdurl==0.1.2 -myst-parser==4.0.1 +myst-parser==5.0.0 packaging==25.0 Pygments==2.19.2 PyYAML==6.0.3 From 7c8a28d590a6885422d51484f385b9c92c4d5c34 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 15 Jan 2026 17:46:29 +0000 Subject: [PATCH 165/209] chore(deps): update ghcr.io/element-hq/lk-jwt-service docker tag to v0.4.1 --- roles/custom/matrix-livekit-jwt-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml index 95f525686..52eb7517c 100644 --- a/roles/custom/matrix-livekit-jwt-service/defaults/main.yml +++ b/roles/custom/matrix-livekit-jwt-service/defaults/main.yml @@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: [] matrix_livekit_jwt_service_container_additional_networks_custom: [] # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service -matrix_livekit_jwt_service_version: 0.4.0 +matrix_livekit_jwt_service_version: 0.4.1 matrix_livekit_jwt_service_container_image_self_build: false matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git" From a3ef7109b627364628c1156fc1eeb043fc12eee3 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 15 Jan 2026 17:46:37 +0000 Subject: [PATCH 166/209] chore(deps): update dependency docker to v8 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 529a80a59..5cfda4106 100644 --- a/requirements.yml +++ b/requirements.yml @@ -10,7 +10,7 @@ version: v0.4.2-1 name: container_socket_proxy - src: git+https://github.com/geerlingguy/ansible-role-docker - version: 7.9.0 + version: 8.0.0 name: docker - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6 From fa22053bf1cd2b8ab5920ba43cfd345700b1902b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 05:42:35 +0000 Subject: [PATCH 167/209] chore(deps): update ansible/ansible-lint action to v26.1.1 --- .github/workflows/matrix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/matrix.yml b/.github/workflows/matrix.yml index 2aec3199f..260dab9bb 100644 --- a/.github/workflows/matrix.yml +++ b/.github/workflows/matrix.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@v6 - name: Run ansible-lint - uses: ansible/ansible-lint@v26.1.0 + uses: ansible/ansible-lint@v26.1.1 with: args: "roles/custom" setup_python: "true" From aa69069627b4f3046cbd92ecee9199f490d440b2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 18:40:04 +0000 Subject: [PATCH 168/209] chore(deps): update dock.mau.dev/mautrix/signal docker tag to v0.2601.0 --- roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml index 3da4008f9..7d18ad5ff 100644 
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml @@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/ matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal -matrix_mautrix_signal_version: v0.2512.0 +matrix_mautrix_signal_version: v0.2601.0 # See: https://mau.dev/mautrix/signal/container_registry matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}" From a6c447ade3e2ab2b502ab719082ffdd5c19365b3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 18:39:59 +0000 Subject: [PATCH 169/209] chore(deps): update dock.mau.dev/mautrix/gmessages docker tag to v0.2601.0 --- roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml index cc266a5df..6b10fd9ac 100644 --- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml 
@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages -matrix_mautrix_gmessages_version: v0.2511.0 +matrix_mautrix_gmessages_version: v0.2601.0 # See: https://mau.dev/mautrix/gmessages/container_registry matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}" From c8fc50447068afb8428d7bd1829351aa8c6747fc Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 16 Jan 2026 20:27:49 +0000 Subject: [PATCH 170/209] chore(deps): update dock.mau.dev/mautrix/whatsapp docker tag to v0.2601.0 --- roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml index faa655ddf..d814e36e8 100644 --- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml +++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml @@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}" # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp -matrix_mautrix_whatsapp_version: v0.2512.0 +matrix_mautrix_whatsapp_version: v0.2601.0 # See: https://mau.dev/mautrix/whatsapp/container_registry matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}" 
From ab97b942453b057a464d0c91ddf8c706d8559530 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 20 Jan 2026 09:26:15 +0000 Subject: [PATCH 171/209] chore(deps): update dependency ntfy to v2.16.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5cfda4106..b865b4c8f 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: v1.9.11-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git - version: v2.15.0-0 + version: v2.16.0-0 name: ntfy - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: 8630e4f1749bcb659c412820f754473f09055052 From e01a79865cee979b987f12bd42f09d60b539b6c7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 19 Jan 2026 20:00:42 +0000 Subject: [PATCH 172/209] chore(deps): update halfshot/matrix-hookshot docker tag to v7.3.0 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index fe2e298ad..8cd50cc31 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: [] matrix_hookshot_container_additional_networks_custom: [] # renovate: datasource=docker depName=halfshot/matrix-hookshot -matrix_hookshot_version: 7.2.0 +matrix_hookshot_version: 7.3.0 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}" From 911031e2cf69e9eed06b0394d24421a54abca08b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 20 Jan 2026 16:10:30 +0200 Subject: [PATCH 173/209] Add support for Hookshot static connections (new in v7.3.0) This adds the matrix_hookshot_connections variable for configuring static webhook connections via the config file. See: https://github.com/matrix-org/matrix-hookshot/pull/1102 --- .../custom/matrix-bridge-hookshot/defaults/main.yml | 12 ++++++++++++ .../matrix-bridge-hookshot/templates/config.yaml.j2 | 1 + 2 files changed, 13 insertions(+) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 8cd50cc31..1a9075818 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -242,6 +242,18 @@ matrix_hookshot_widgets_branding_widgetTitle: "Hookshot Configuration" # noqa # level: admin matrix_hookshot_permissions: [] +# Static connections that can be configured by an administrator, as documented here: +# https://matrix-org.github.io/matrix-hookshot/latest/usage/static_connections.html +# Currently only generic webhooks are supported. +# Example: +# matrix_hookshot_connections: +# - connectionType: uk.half-shot.matrix-hookshot.generic.hook +# stateKey: my-unique-webhook-id +# roomId: "!room-id" +# state: +# name: My Static Webhook +matrix_hookshot_connections: [] + matrix_hookshot_bot_displayname: Hookshot Bot matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d' diff --git a/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2 b/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2 index 0e993f9d0..4fe504d7e 100644 --- a/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2 @@ -137,6 +137,7 @@ widgets: {% if matrix_hookshot_permissions %} permissions: {{ matrix_hookshot_permissions | to_json }} {% endif %} +connections: {{ matrix_hookshot_connections | to_json }} listeners: # (Optional) HTTP Listener configuration. # Bind resource endpoints to ports and addresses. From 47322a8d52c49359b7ebf3988e9df31f93fea5ce Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 21 Jan 2026 06:06:36 +0000 Subject: [PATCH 174/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.1.21 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index c8f0c2734..59e549ad8 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml 
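Review bot: In `templates/config.yaml.j2` the new `connections:` key is rendered unconditionally, while the `permissions:` block directly above it is wrapped in `{% if matrix_hookshot_permissions %}`. With the default `matrix_hookshot_connections: []` every generated config now contains `connections: []`, including deployments that pin `matrix_hookshot_version` below 7.3.0, where the key may not be recognised (how older Hookshot treats unknown keys is not visible here). Wrapping the line the same way, `{% if matrix_hookshot_connections %}` before it and `{% endif %}` after it, keeps the rendered file unchanged for everyone who does not use the feature. Each entry creates a webhook that can post into the listed `roomId`, so the comment in `defaults/main.yml` could also say that `stateKey` values must be unique per connection. The template continues outside the hunk.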
+++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2026.1.14 +matrix_alertmanager_receiver_version: 2026.1.21 matrix_alertmanager_receiver_scheme: https From cc9234d3baffa2a6fd61eab298747bdefc092fe7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 21 Jan 2026 13:48:11 +0000 Subject: [PATCH 175/209] chore(deps): update ghcr.io/etkecc/fluffychat-web docker tag to v2.4.0 --- roles/custom/matrix-client-fluffychat/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-fluffychat/defaults/main.yml b/roles/custom/matrix-client-fluffychat/defaults/main.yml index 25e1095cb..5b41595a0 100644 --- a/roles/custom/matrix-client-fluffychat/defaults/main.yml +++ b/roles/custom/matrix-client-fluffychat/defaults/main.yml @@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}" # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web -matrix_client_fluffychat_version: v2.3.0 +matrix_client_fluffychat_version: v2.4.0 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}" matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}" matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}" 
From 82d6f3de2c5e4c7068cd1021093898f59ab09d47 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 21 Jan 2026 13:48:05 +0000 Subject: [PATCH 176/209] chore(deps): update dependency setuptools to v80.10.1 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index aeb80ee34..951618089 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -17,7 +17,7 @@ packaging==25.0 Pygments==2.19.2 PyYAML==6.0.3 requests==2.32.5 -setuptools==80.9.0 +setuptools==80.10.1 snowballstemmer==3.0.1 Sphinx==9.1.0 sphinx-intl==2.3.2 From 292397234a7d11ef2e2ca17dbe69d8c58ea116a1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 22 Jan 2026 02:13:18 +0000 Subject: [PATCH 177/209] chore(deps): update dependency packaging to v26 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 951618089..0086d4546 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -13,7 +13,7 @@ MarkupSafe==3.0.3 mdit-py-plugins==0.5.0 mdurl==0.1.2 myst-parser==5.0.0 -packaging==25.0 +packaging==26.0 Pygments==2.19.2 PyYAML==6.0.3 requests==2.32.5 From 97c2915034a94f48f9291657d6ea919e30e68e63 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 23 Jan 2026 00:52:36 +0200 Subject: [PATCH 178/209] Upgrade baibot (v1.12.0 -> v1.13.0) --- roles/custom/matrix-bot-baibot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index cd3c3c77b..bbc2f49c6 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.12.0 +matrix_bot_baibot_version: v1.13.0 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" From 692c34ad9b190c62505ea6542e5613c0ced2b084 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 24 Jan 2026 17:03:34 +0000 Subject: [PATCH 179/209] chore(deps): update halfshot/matrix-hookshot docker tag to v7.3.1 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 1a9075818..3e2548105 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml 
@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: [] matrix_hookshot_container_additional_networks_custom: [] # renovate: datasource=docker depName=halfshot/matrix-hookshot -matrix_hookshot_version: 7.3.0 +matrix_hookshot_version: 7.3.1 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}" From b0e70f419fe82bf41cc923eb5e3f9e6490669e01 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 26 Jan 2026 01:14:31 +0000 Subject: [PATCH 180/209] chore(deps): update dependency setuptools to v80.10.2 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index 0086d4546..f91ee6fea 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -17,7 +17,7 @@ packaging==26.0 Pygments==2.19.2 PyYAML==6.0.3 requests==2.32.5 -setuptools==80.10.1 +setuptools==80.10.2 snowballstemmer==3.0.1 Sphinx==9.1.0 sphinx-intl==2.3.2 From b6bf91c150bf346d9ffc7719b391a4fdffea40ad Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Jan 2026 10:52:54 +0000 Subject: [PATCH 181/209] chore(deps): update dependency etherpad to v2.6.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index b865b4c8f..5490441e6 100644 --- a/requirements.yml +++ b/requirements.yml 
@@ -16,7 +16,7 @@ version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6 name: docker_sdk_for_python - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git - version: v2.6.0-1 + version: v2.6.1-0 name: etherpad - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git version: v4.98.1-r0-2-2 From 8a3c75b7bd15ffb76e60a4fbeb179e5bfa268b68 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Jan 2026 14:39:14 +0000 Subject: [PATCH 182/209] chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.9 --- roles/custom/matrix-client-element/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-client-element/defaults/main.yml b/roles/custom/matrix-client-element/defaults/main.yml index 29a5ce2ed..36a95211e 100644 --- a/roles/custom/matrix-client-element/defaults/main.yml +++ b/roles/custom/matrix-client-element/defaults/main.yml @@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}" # renovate: datasource=docker depName=ghcr.io/element-hq/element-web -matrix_client_element_version: v1.12.8 +matrix_client_element_version: v1.12.9 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}" matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}" From 6629867235cec3d9d5b02f5e7e920f7aa00a86c1 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Jan 2026 18:51:26 +0000 Subject: [PATCH 183/209] chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.10.0 --- roles/custom/matrix-authentication-service/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-authentication-service/defaults/main.yml b/roles/custom/matrix-authentication-service/defaults/main.yml index 37a9ee7bb..2886a4d46 100644 --- a/roles/custom/matrix-authentication-service/defaults/main.yml +++ b/roles/custom/matrix-authentication-service/defaults/main.yml @@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src" # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service -matrix_authentication_service_version: 1.9.0 +matrix_authentication_service_version: 1.10.0 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}" matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}" matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/" From 93d110e61ea5702ef52e68bc2128ae53bed656e6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Jan 2026 18:51:31 +0000 Subject: [PATCH 184/209] chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.146.0 --- roles/custom/matrix-synapse/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index dca771e0c..dce41468e 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -16,7 +16,7 @@ matrix_synapse_enabled: true matrix_synapse_github_org_and_repo: element-hq/synapse # renovate: datasource=docker depName=ghcr.io/element-hq/synapse -matrix_synapse_version: v1.145.0 +matrix_synapse_version: v1.146.0 matrix_synapse_username: '' matrix_synapse_uid: '' From 460d46999f4aa0a0e1f33adfc3344ba36a6be1c4 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Tue, 27 Jan 2026 22:11:06 +0200 Subject: [PATCH 185/209] Make Synapse's `enable_local_media_storage` configurable Ref: - https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4882 - https://github.com/element-hq/synapse/pull/19204 - https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#enable_local_media_storage We default it to `true`, keeping up with upstream and the old behavior. s3-storage-provider users may set `matrix_synapse_enable_local_media_storage` to `false` to disable local file caching. This likely comes at the expense of some performance. For matrix-media-repo users, it likely doesn't matter what this is set to, as for a matrix-media-repo setup, all media-related API endpoints are captured and forwarded to matrix-media-repo (before reaching Synapse). --- roles/custom/matrix-synapse/defaults/main.yml | 5 +++++ .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index dce41468e..192fa58cd 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml 
@@ -1092,6 +1092,11 @@ matrix_synapse_workers_media_repository_workers_container_arguments: [] # Adjusting this value manually is generally not necessary. matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}" +# matrix_synapse_enable_local_media_storage controls whether the local on-disk media storage provider is enabled in Synapse. +# When disabled, media is stored only in configured `media_storage_providers` and temporary files are used for processing (no local caching). +# Warning: If this option is set to false and no `media_storage_providers` are configured, all media requests will return 404 errors as there will be no storage backend available. +matrix_synapse_enable_local_media_storage: true + # matrix_synapse_enable_authenticated_media controls if authenticated media is enabled. # If enabled all "old" media remains accessible over the legacy endpoints but new media is blocked. # while this option is enabled all media access and downloads have to be done via authenticated endpoints. diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 index ff6f7b724..1a601da83 100644 --- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 +++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 
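Review bot: The comment on `matrix_synapse_enable_local_media_storage` warns that `false` with no `media_storage_providers` makes every media request return 404, but nothing in the visible change enforces that combination. A check in the role's config validation that fails when the variable is false and the rendered provider list is empty would turn a silent media outage into a playbook-time error. The variable that feeds `media_storage_providers` is outside this hunk, so the condition has to be written against it, and it should be skipped when Synapse's own media repo is disabled via `matrix_synapse_enable_media_repo`. The comment could also carry the hint from the commit message that disabling local storage is meant for s3-storage-provider setups and likely costs some performance.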
@@ -1035,11 +1035,15 @@ federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_ #enable_media_repo: false enable_media_repo: {{ matrix_synapse_enable_media_repo | to_json }} +# Enable the local on-disk media storage provider. +# When disabled, media is stored only in configured media_storage_providers and temporary files are used for processing (no local caching). +# Warning: If this option is set to false and no media_storage_providers are configured, all media requests will return 404 errors as there will be no storage backend available. +enable_local_media_storage: {{ matrix_synapse_enable_local_media_storage | to_json }} + # Enable authenticated media. # enable_authenticated_media blocks access to new media from the legacy endpoints # and freezes the unauthenticated media repo by blocking all downloads that are not using # the new authenticated endpoints. If this option is turned off all media reverts to being considered "old" - enable_authenticated_media: {{ matrix_synapse_enable_authenticated_media | to_json }} # Directory where uploaded images and attachments are stored. From fd6f72382d9bd5b0c312552e32fdee889a0a6379 Mon Sep 17 00:00:00 2001 From: Sid Manat Date: Tue, 27 Jan 2026 23:48:04 +0700 Subject: [PATCH 186/209] Upgrade Coturn (4.6.2-r11 -> 4.8.0-r0) --- roles/custom/matrix-coturn/defaults/main.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index be86c6c36..66e9374a2 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -18,7 +18,7 @@ matrix_coturn_enabled: true -matrix_coturn_hostname: '' +matrix_coturn_hostname: "" matrix_coturn_container_image_self_build: false matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn" 
@@ -26,7 +26,7 @@ matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_ matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" # renovate: datasource=docker depName=coturn/coturn -matrix_coturn_version: 4.6.2-r11 +matrix_coturn_version: 4.8.0-r0 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}" matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}" @@ -139,7 +139,7 @@ matrix_coturn_lt_cred_mech_password: "" # The external IP address of the machine where coturn is. # If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done. # See `matrix_coturn_turn_external_ip_address_auto_detection_enabled` -matrix_coturn_turn_external_ip_address: '' +matrix_coturn_turn_external_ip_address: "" matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}" # Controls whether external IP address auto-detection should be attempted. @@ -218,7 +218,7 @@ matrix_coturn_response_origin_only_with_rfc5780_enabled: true # simple-log # aux-server=1.2.3.4 # relay-ip=4.3.2.1 -matrix_coturn_additional_configuration: '' +matrix_coturn_additional_configuration: "" # To enable TLS, you need to provide paths to certificates. # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths. From 18b11eea3beddfeac7f1bd02d813aa479a837ee2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Tue, 27 Jan 2026 22:35:09 +0200 Subject: [PATCH 187/209] Try `versioning=loose` for the Coturn container image definition for Renovate Ref: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4880#issuecomment-3807433691 --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 66e9374a2..c44652b5a 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -25,7 +25,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}" matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" -# renovate: datasource=docker depName=coturn/coturn +# renovate: datasource=docker depName=coturn/coturn versioning=loose matrix_coturn_version: 4.8.0-r0 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}" From 67e650b5f952d5158b723ce2b70a0d3561408874 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 27 Jan 2026 20:42:40 +0000 Subject: [PATCH 188/209] chore(deps): update coturn/coturn docker tag to v4.8.0 --- roles/custom/matrix-coturn/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index c44652b5a..ee14fa958 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml 
@@ -26,7 +26,7 @@ matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_ matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile" # renovate: datasource=docker depName=coturn/coturn versioning=loose -matrix_coturn_version: 4.8.0-r0 +matrix_coturn_version: 4.8.0 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine" matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}" matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}" From 72d522b9f1d75f5b6895917cd92cb09796edc743 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 28 Jan 2026 18:54:17 +0000 Subject: [PATCH 189/209] chore(deps): update dependency backup_borg to v1.4.3-2.1.1-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 5490441e6..705b5e508 100644 --- a/requirements.yml +++ b/requirements.yml @@ -4,7 +4,7 @@ version: v1.0.0-6 name: auxiliary - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git - version: v1.4.3-2.0.13-0 + version: v1.4.3-2.1.1-0 name: backup_borg - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git version: v0.4.2-1 From b1ff71266b8e0eccda90b21e75ffcea91229229c Mon Sep 17 00:00:00 2001 
From: Thom Wiggers Date: Thu, 29 Jan 2026 12:06:56 +0200 Subject: [PATCH 190/209] Update matrix-appservice-irc to 4.0.0 with authenticated media proxy support - Upgrade from 1.0.1 to 4.0.0 - Add ircService.mediaProxy configuration for authenticated Matrix media - Add Traefik integration for media proxy endpoint - Generate signing key for authenticated media Closes #3512 Co-authored-by: Jade Ellis Co-authored-by: Slavi Pantaleev --- group_vars/matrix_servers | 9 + .../defaults/main.yml | 191 ++++++++++++++---- .../tasks/setup_install.yml | 46 ++++- .../tasks/validate_config.yml | 24 +++ .../templates/config.yaml.j2 | 83 +++++--- .../templates/labels.j2 | 63 ++++++ .../systemd/matrix-appservice-irc.service.j2 | 4 + 7 files changed, 352 insertions(+), 68 deletions(-) create mode 100644 roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 3b88d902f..9ec81fdbe 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -843,6 +843,8 @@ matrix_appservice_irc_container_additional_networks_auto: |- ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network]) + ([postgres_container_network] if (postgres_enabled and matrix_appservice_irc_database_hostname == postgres_connection_hostname and matrix_appservice_irc_container_network != postgres_container_network) else []) + + + [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] ) | unique }} 
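Review bot: The term added to `matrix_appservice_irc_container_additional_networks_auto` is not parenthesised, unlike the two terms before it. In Jinja2 an inline `if … else` binds more loosely than `+`, so the expression most likely parses as `(homeserver + postgres + [proxy network]) if (…) else []`. With Traefik labels disabled or no additional network set, the whole list would then be empty and the bridge would lose its homeserver and Postgres networks. Wrap the term: `+ ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [])`. The variable's definition starts above the hunk.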
@@ -860,6 +862,13 @@ matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if pos matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}" matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}" +matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}" # noqa var-naming + +matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}" +matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}" +matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}" +matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}" # noqa var-naming + ###################################################################### # # /matrix-bridge-appservice-irc diff --git a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml index 7ea0ee4cc..b11bac386 100644 --- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml +++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml @@ -8,7 +8,7 @@ # SPDX-FileCopyrightText: 2019 Lyubomir Popov # SPDX-FileCopyrightText: 2019 Sylvia van Os # SPDX-FileCopyrightText: 2020 John Goerzen -# SPDX-FileCopyrightText: 2021 - 2023 Thom Wiggers +# SPDX-FileCopyrightText: 2021 - 2026 Thom Wiggers # SPDX-FileCopyrightText: 2021 Ahmad Haghighi # SPDX-FileCopyrightText: 2021 Joseph Walton-Rivers # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis 
@@ -33,7 +33,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`). # It's a bare version number now. We try to somewhat retain compatibility below. # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc -matrix_appservice_irc_version: 1.0.1 +matrix_appservice_irc_version: 4.0.0 matrix_appservice_irc_docker_image: "{{ matrix_appservice_irc_docker_image_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}" matrix_appservice_irc_docker_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_appservice_irc_docker_image_registry_prefix_upstream }}" matrix_appservice_irc_docker_image_registry_prefix_upstream: "{{ matrix_appservice_irc_docker_image_registry_prefix_upstream_default }}" 
@@ -46,8 +46,15 @@ matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data" matrix_appservice_irc_homeserver_url: "" -matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}' matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}' + +# ircService.mediaProxy configuration for serving publicly accessible URLs to authenticated Matrix media +matrix_appservice_irc_ircService_mediaProxy_bindPort: 11111 # noqa var-naming +matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: https # noqa var-naming +matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname: '{{ matrix_server_fqn_matrix }}' # noqa var-naming +matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix: '/irc/' # noqa var-naming +matrix_appservice_irc_ircService_mediaProxy_publicUrl: "{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme }}://{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}" # noqa var-naming + matrix_appservice_irc_homeserver_enablePresence: true # noqa var-naming matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999' 
@@ -89,20 +96,25 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # It is also used in the Third Party Lookup API as the instance `desc` # # property, where each server is an instance. # name: "ExampleNet" - +# # Additional addresses to connect to, used for load balancing between IRCDs. # additionalAddresses: [ "irc2.example.com" ] +# # Typically additionalAddresses would be in addition to the address key given above, +# # but some configurations wish to exclusively use additional addresses while reserving +# # the top key for identification purposes. Set this to true to exclusively use the +# # additionalAddresses array when connecting to servers. +# onlyAdditionalAddresses: false # # # # [DEPRECATED] Use `name`, above, instead. # # A human-readable description string # # description: "Example.com IRC network" - +# # # An ID for uniquely identifying this server amongst other servers being bridged. # # networkId: "example" - -# # URL to an icon used as the network icon whenever this network appear in -# # a network list. (Like in the Riot room directory, for instance.) -# # icon: https://example.com/images/hash.png - +# +# # MXC URL to an icon used as the network icon whenever this network appear in +# # a network list. (Like in the Element room directory, for instance.) +# # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf +# # # The port to connect to. Optional. # port: 6697 # # Whether to use SSL or not. Default: false. 
@@ -115,19 +127,26 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Whether to allow expired certs when connecting to the IRC server. # # Usually this should be off. Default: false. # allowExpiredCerts: false -# # A specific CA to trust instead of the default CAs. Optional. -# #ca: | -# # -----BEGIN CERTIFICATE----- -# # … -# # -----END CERTIFICATE----- - +# +# # Set additional TLS options for the connections to the IRC server. +# #tlsOptions: +# # A specific CA to trust instead of the default CAs. Optional. +# #ca: | +# # -----BEGIN CERTIFICATE----- +# # ... +# # -----END CERTIFICATE----- +# # Server name for the SNI (Server Name Indication) TLS extension. If the address you +# # are using does not report the correct certificate name, you can override it here. +# # servername: real.server.name +# # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback +# # # # # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. # # password: 'pa$$w0rd' # # # # Whether or not to send connection/error notices to real Matrix users. Default: true. # sendConnectionMessages: true - +# # quitDebounce: # # Whether parts due to net-splits are debounced for delayMs, to allow # # time for the netsplit to resolve itself. A netsplit is detected as being @@ -147,13 +166,13 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # delayMinMs: 3600000 # 1h # # Default: 7200000, = 2h # delayMaxMs: 7200000 # 2h - +# # # A map for conversion of IRC user modes to Matrix power levels. This enables bridging # # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has # # been given multiple modes, the one that maps to the highest power level will be used. # modePowerMap: # o: 50 - +# v: 1 # botConfig: # # Enable the presence of the bot in IRC channels. The bot serves as the entity # # which maps from IRC -> Matrix. You can disable the bot entirely which 
@@ -176,6 +195,8 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # enabled: true # # The nickname to give the AS bot. # nick: "MatrixBot" +# # The username to give to the AS bot. Defaults to "matrixbot" +# username: "matrixbot" # # The password to give to NickServ or IRC Server for this nick. Optional. # # password: "helloworld" # # @@ -184,7 +205,7 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # real Matrix users in them, even if there is a mapping for the channel. # # Default: true # joinChannelsIfNoUsers: true - +# # # Configuration for PMs / private 1:1 communications between users. # privateMessages: # # Enable the ability for PMs to be sent to/from IRC/Matrix. @@ -193,12 +214,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Prevent Matrix users from sending PMs to the following IRC nicks. # # Optional. Default: []. # # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED - +# # # Should created Matrix PM rooms be federated? If false, only users on the # # HS attached to this AS will be able to interact with this room. # # Optional. Default: true. # federate: true - +# # # Configuration for mappings not explicitly listed in the 'mappings' # # section. # dynamicChannels: 
@@ -212,27 +233,34 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Should the AS publish the new Matrix room to the public room list so # # anyone can see it? Default: true. # published: true +# # Publish the rooms to the homeserver directory, as oppose to the appservice +# # room directory. Only used if `published` is on. +# # Default: false +# useHomeserverDirectory: true # # What should the join_rule be for the new Matrix room? If 'public', # # anyone can join the room. If 'invite', only users with an invite can # # join the room. Note that if an IRC channel has +k or +i set on it, # # join_rules will be set to 'invite' until these modes are removed. # # Default: "public". # joinRule: public -# # This will set the m.room.related_groups state event in newly created rooms -# # with the given groupId. This means flares will show up on IRC users in those rooms. -# # This should be set to the same thing as namespaces.users.group_id in irc_registration. -# # This does not alter existing rooms. -# # Leaving this option empty will not set the event. -# groupId: +myircnetwork:localhost # # Should created Matrix rooms be federated? If false, only users on the # # HS attached to this AS will be able to interact with this room. # # Default: true. # federate: true +# # Force this room version when creating IRC channels. Beware if the homeserver doesn't +# # support the room version then the request will fail. By default, no version is requested. +# # roomVersion: "1" # # The room alias template to apply when creating new aliases. This only # # applies if createAlias is 'true'. The following variables are exposed: # # $SERVER => The IRC server address (e.g. "irc.example.com") # # $CHANNEL => The IRC channel (e.g. "#python") # # This MUST have $CHANNEL somewhere in it. +# # +# # In certain circumstances you might want to bridge your whole IRC network as a +# # homeserver (e.g. #matrix:libera.chat). 
For these use cases, you can set the +# # template to just be $CHANNEL. Doing so will preclude you from supporting +# # other prefix characters though. +# # # # Default: '#irc_$SERVER_$CHANNEL' # aliasTemplate: "#irc_$CHANNEL" # # A list of user IDs which the AS bot will send invites to in response @@ -244,7 +272,11 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Prevent the given list of channels from being mapped under any # # circumstances. # # exclude: ["#foo", "#bar"] - +# +# # excludedUsers: +# # - regex: "@.*:evilcorp.com" +# # kickReason: "We don't like Evilcorp" +# # # Configuration for controlling how Matrix and IRC membership lists are # # synced. # membershipLists: @@ -253,12 +285,12 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # synced. This must be enabled for anything else in this section to take # # effect. Default: false. # enabled: false - +# # # Syncing membership lists at startup can result in hundreds of members to # # process all at once. This timer drip feeds membership entries at the # # specified rate. Default: 10000. (10s) # floodDelayMs: 10000 - +# # global: # ircToMatrix: # # Get a snapshot of all real IRC users on a channel (via NAMES) and @@ -267,7 +299,14 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Make virtual Matrix clients join and leave rooms as their real IRC # # counterparts join/part channels. Default: false. # incremental: false - +# # Should the bridge check if all Matrix users are connected to IRC and +# # joined to the channel before relaying messages into the room. +# # +# # This is considered a safety net to avoid any leakages by the bridge to +# # unconnected users, but given it ignores all IRC messages while users +# # are still connecting it may be overkill. +# requireMatrixJoined: false +# # matrixToIrc: # # Get a snapshot of all real Matrix users in the room and join all of # # them to the mapped IRC channel on startup. Default: false. 
@@ -276,21 +315,32 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # counterparts join/leave rooms. Make sure your 'maxClients' value is # # high enough! Default: false. # incremental: false - +# # # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. # rooms: # - room: "!qporfwt:localhost" # matrixToIrc: # initial: false # incremental: false - +# # # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. # channels: # - channel: "#foo" # ircToMatrix: # initial: false # incremental: false - +# requireMatrixJoined: false +# +# # Should the bridge ignore users which are not considered active on the bridge +# # during startup +# ignoreIdleUsersOnStartup: +# enabled: true +# # How many hours can a user be considered idle for before they are considered +# # ignoreable +# idleForHours: 720 +# # A regex which will exclude matching MXIDs from this check. +# exclude: "foobar" +# # mappings: # # 1:many mappings from IRC channels to room IDs on this IRC server. # # The Matrix room must already exist. Your Matrix client should expose 
@@ -300,27 +350,27 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # Channel key/password to use. Optional. If provided, Matrix users do # # not need to know the channel key in order to join the channel. # # key: "secret" - +# # # Configuration for virtual Matrix users. The following variables are # # exposed: # # $NICK => The IRC nick # # $SERVER => The IRC server address (e.g. "irc.example.com") # matrixClients: # # The user ID template to use when creating virtual Matrix users. This -# # MUST have $NICK somewhere in it. +# # MUST start with an @ and have $NICK somewhere in it. # # Optional. Default: "@$SERVER_$NICK". # # Example: "@irc.example.com_Alice:example.com" # userTemplate: "@irc_$NICK" # # The display name to use for created Matrix clients. This should have # # $NICK somewhere in it if it is specified. Can also use $SERVER to # # insert the IRC domain. -# # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" -# displayName: "$NICK (IRC)" +# # Optional. Default: "$NICK". Example: "Alice" +# displayName: "$NICK" # # Number of tries a client can attempt to join a room before the request # # is discarded. You can also use -1 to never retry or 0 to never give up. # # Optional. Default: -1 # joinAttempts: -1 - +# # # Configuration for virtual IRC users. The following variables are exposed: # # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) # # $USERID => The user ID 
@@ -349,9 +399,20 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # connected user. If not specified, all users will connect from the same # # (default) address. This may require additional OS-specific work to allow # # for the node process to bind to multiple different source addresses -# # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library +# # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1 +# # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library # # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. # # prefix: "2001:0db8:85a3::" # modify appropriately +# +# # Optional. Define blocks of IPv6 addresses for different homeservers +# # which can be used to restrict users of those homeservers to a given +# # IP. These blocks should be considered immutable once set, as changing +# # the startFrom value will NOT adjust existing IP addresses. +# # Changing the startFrom value to a lower value may conflict with existing clients. +# # Multiple homeservers may NOT share blocks. +# blocks: +# - homeserver: another-server.org +# startFrom: '10:0000' # # # # The maximum amount of time in seconds that the client can exist # # without sending another message before being disconnected. Use 0 to 
@@ -388,12 +449,36 @@ matrix_appservice_irc_ircService_servers: [] # noqa var-naming # # through the bridge e.g. caller ID as there is no way to /ACCEPT. # # Default: "" (no user modes) # # userModes: "R" - -# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container). +# # The format of the realname defined for users, either mxid or reverse-mxid +# realnameFormat: "mxid" +# # The minimum time to wait between connection attempts if we were disconnected +# # due to throttling. +# # pingTimeoutMs: 600000 +# # The rate at which to send pings to the IRCd if the client is being quiet for a while. +# # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears +# # that sometimes they don't get around to it and end up ping timing us out. +# # pingRateMs: 60000 +# # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from +# # defaults should be taken with care as it may dishonestly represent Matrix users on the IRC +# # network, and cause your bridge to be banned. +# kickOn: +# # Kick a Matrix user from a bridged room if they fail to join the IRC channel. +# channelJoinFailure: true +# # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC. +# ircConnectionFailure: true +# # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network. +# userQuit: true + +# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:9999"), or empty string to not expose. matrix_appservice_irc_container_http_host_bind_port: '' +# Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port. +# +# Takes an ":" or "" value (e.g. "127.0.0.1:11111"), or empty string to not expose. 
+matrix_appservice_irc_container_media_proxy_host_bind_port: '' + matrix_appservice_irc_container_network: "" matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}" 
@@ -403,6 +488,26 @@ matrix_appservice_irc_container_additional_networks_custom: [] # A list of extra arguments to pass to the container matrix_appservice_irc_container_extra_arguments: [] +# matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container. +# To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`. +matrix_appservice_irc_container_labels_traefik_enabled: true +matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_appservice_irc_container_network }}" +matrix_appservice_irc_container_labels_traefik_entrypoints: web-secure +matrix_appservice_irc_container_labels_traefik_tls_certResolver: default # noqa var-naming + +# Controls whether Traefik labels for the media proxy will be applied +matrix_appservice_irc_container_labels_media_proxy_enabled: true +# Derived from publicUrl_pathPrefix, stripping any trailing slash (unless it's just "/") +matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix: "{{ '/' if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix == '/' else matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix.rstrip('/') }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}`) && PathPrefix(`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`)" +matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000 +matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}" +matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ 
matrix_appservice_irc_container_labels_traefik_tls_certResolver }}" # noqa var-naming + +# matrix-appservice-irc container additional labels +matrix_appservice_irc_container_labels_additional_labels: '' + # List of systemd services that matrix-appservice-irc.service depends on. matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}" matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}" diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml index 79b51ab6f..7bdead858 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors -# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev +# SPDX-FileCopyrightText: 2019 - 2026 Slavi Pantaleev +# SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers # SPDX-FileCopyrightText: 2019 Dan Arnfield # SPDX-FileCopyrightText: 2020 Chris van Dijk # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis 
@@ -121,6 +122,14 @@ owner: "{{ matrix_user_name }}" group: "{{ matrix_group_name }}" +- name: Ensure Matrix Appservice IRC labels file installed + ansible.builtin.template: + src: "{{ role_path }}/templates/labels.j2" + dest: "{{ matrix_appservice_irc_base_path }}/labels" + mode: 0644 + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + - name: Generate Appservice IRC passkey if it doesn't exist ansible.builtin.shell: cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048" 
@@ -128,6 +137,41 @@ become: true become_user: "{{ matrix_user_name }}" +- name: Check if an authenticated media signing key exists + ansible.builtin.stat: + path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk" + register: matrix_appservice_irc_stat_auth_media_key + +- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists + block: + - name: Generate IRC appservice signing key for authenticated media + community.docker.docker_container: + name: "create-auth-media-jwk-key" + image: "{{ matrix_appservice_irc_docker_image }}" + cleanup: true + network_mode: none + entrypoint: "/usr/local/bin/node" + command: > + -e "const webcrypto = require('node:crypto'); + async function main() { + const key = await webcrypto.subtle.generateKey({ + name: 'HMAC', + hash: 'SHA-512', + }, true, ['sign', 'verify']); + console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4)); + } + main().then(() => process.exit(0)).catch(err => { throw err });" + detach: false + register: matrix_appservice_irc_jwk_result + + - name: Write auth media signing key to file + ansible.builtin.copy: + content: "{{ matrix_appservice_irc_jwk_result.container.Output }}" + dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk" + mode: "0644" + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay. # Fix it. - name: (Migration) Ensure Appservice IRC passkey permissions are okay diff --git a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml index 00124dc40..a3a15ddb6 100644 --- a/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml +++ b/roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml 
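Review bot: The HMAC key that signs media-proxy URLs is written to `auth-media.jwk` with `mode: "0644"`, so any local account that can traverse the data directory can read it and produce signatures the bridge would accept. Use `mode: "0600"` on the `Write auth media signing key to file` task; this assumes the bridge container reads the file as `matrix_user_name`, which the hunk does not show. The key also passes through `matrix_appservice_irc_jwk_result` and the copy task's `content`, so add `no_log: true` to both tasks to keep it out of verbose output and diff logs. Writing `container.Output` verbatim deserves a second look too, since anything else the container prints would end up in the key file.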
@@ -44,3 +44,27 @@ - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': ''} - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'} - {'old': 'matrix_appservice_irc_docker_image_name_prefix', 'new': 'matrix_appservice_irc_docker_image_registry_prefix'} + - {'old': 'matrix_appservice_irc_homeserver_media_url', 'new': ''} + +- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not start with a slash + ansible.builtin.fail: + msg: >- + matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must start with a slash (e.g. `/` or `/irc/`). + when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[0] != '/'" + +- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not end with a slash + ansible.builtin.fail: + msg: >- + matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must end with a slash (e.g. `/` or `/irc/`). + when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[-1] != '/'" + +- when: matrix_appservice_irc_container_labels_traefik_enabled | bool + block: + # We ensure it doesn't end with a slash, because we handle both (slash and no-slash). + # Knowing that the path_prefix does not end with a slash ensures we know how to set these routes up + # without having to do "does it end with a slash" checks elsewhere. + - name: Fail if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix ends with a slash + ansible.builtin.fail: + msg: >- + matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix (`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/irc`). 
+ when: "matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' and matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix[-1] == '/'" diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 index 8b7aca5b8..363ac9a1b 100644 --- a/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 +++ b/roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2 @@ -1,14 +1,13 @@ #jinja2: lstrip_blocks: True +# +# Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml +# +# Configuration specific to AS registration. Unless other marked, all fields +# are *REQUIRED*. +# Unless otherwise specified, these keys CANNOT be hot-reloaded. homeserver: - # The URL to the home server for client-server API calls, also used to form the - # media URLs as displayed in bridged IRC channels: - url: {{ matrix_appservice_irc_homeserver_url }} - # - # The URL of the homeserver hosting media files. This is only used to transform - # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By - # default, this is the homeserver URL, specified above. - # - media_url: {{ matrix_appservice_irc_homeserver_media_url }} + # The URL to the home server for client-server API calls + url: "{{ matrix_appservice_irc_homeserver_url }}" # Drop Matrix messages which are older than this number of seconds, according to # the event's origin_server_ts. 
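Review bot: The two `pathPrefix` checks and the Traefik `path_prefix` check index the value directly (`[0]`, `[-1]`), so an empty string is likely to fail with a templating error instead of the message written in the task. String methods avoid that, for example `when: "not matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix.startswith('/')"`, with the matching `.endswith('/')` form for the other two conditions. These values end up in the public media URL and the Traefik route, so a blank value should fail with the intended message.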
@@ -20,18 +19,29 @@ homeserver: # clock times and hence produce different origin_server_ts values, which may be old # enough to cause *all* events from the homeserver to be dropped. # Default: 0 (don't ever drop) + # This key CAN be hot-reloaded. # dropMatrixMessagesAfterSecs: 300 # 5 minutes # The 'domain' part for user IDs on this home server. Usually (but not always) # is the "domain name" part of the HS URL. - domain: {{ matrix_appservice_irc_homeserver_domain }} + domain: "{{ matrix_appservice_irc_homeserver_domain }}" # Should presence be enabled for Matrix clients on this bridge. If disabled on the # homeserver then it should also be disabled here to avoid excess traffic. # Default: true enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }} + # Which port should the appservice bind to. Can be overridden by the one provided in the + # command line! Optional. + # bindPort: 8090 + + # Use this option to force the appservice to listen on another hostname for transactions. + # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional. + # bindHostname: 0.0.0.0 + +# Configuration specific to the IRC service ircService: + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in # the database. 
@@ -50,11 +60,18 @@ ircService: # Cache this many Matrix events in memory to be used for m.relates_to messages (usually replies). eventCacheSize: 4096 + # All server keys can be hot-reloaded, however existing IRC connections + # will not have changes applied to them. servers: {{ matrix_appservice_irc_ircService_servers|to_json }} + # present relevant UI to the user. MSC2346 + bridgeInfoState: + enabled: false + initial: false # Configuration for an ident server. If you are running a public bridge it is # advised you setup an ident server so IRC mods can ban specific Matrix users # rather than the application service itself. + # This key CANNOT be hot-reloaded ident: # True to listen for Ident requests and respond with the # Matrix user's user_id (converted to ASCII, respecting RFC 1413). @@ -71,6 +88,10 @@ ircService: # Default: 0.0.0.0 address: "::" + # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set. + # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings + # encodingFallback: "ISO-8859-15" + # Configuration for logging. Optional. Default: console debug level logging # only. logging: 
@@ -87,33 +108,42 @@ ircService: # to rotations. maxFiles: 5 - # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: - # $ npm install prom-client@6.3.0 # Metrics will then be available via GET /metrics on the bridge listening port (-p). + # This key CANNOT be hot-reloaded metrics: # Whether to actually enable the metric endpoint. Default: false enabled: true + # Which port to listen on (omit to listen on the bindPort) + #port: 7001 + # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set + host: 127.0.0.1 + # When determining activeness of remote and matrix users, cut off at this number of hours. + userActivityThresholdHours: 72 # 3 days # When collecting remote user active times, which "buckets" should be used. Defaults are given below. # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). remoteUserAgeBuckets: - "1h" - "1d" - "1w" - # Configuration for the provisioning API. - # - # GET /_matrix/provision/link - # GET /_matrix/provision/unlink - # GET /_matrix/provision/listlinks - # + # This key CANNOT be hot-reloaded provisioning: # True to enable the provisioning HTTP endpoint. Default: false. enabled: false - # The number of seconds to wait before giving up on getting a response from - # an IRC channel operator. If the channel operator does not respond within the - # allotted time period, the provisioning request will fail. - # Default: 300 seconds (5 mins) - requestTimeoutSeconds: 300 + # Whether to enable hosting the setup widget page. Default: false. 
+ widget: false + + # Config for the media proxy, required to serve publicly accessible URLs to authenticated Matrix media + mediaProxy: + # To generate a .jwk file: + # $ node src/generate-signing-key.js > signingkey.jwk + signingKeyPath: "/data/auth-media.jwk" + # How long should the generated URLs be valid for + ttlSeconds: 604800 + # The port for the media proxy to listen on + bindPort: {{ matrix_appservice_irc_ircService_mediaProxy_bindPort | to_json }} + # The publicly accessible URL to the media proxy + publicUrl: {{ matrix_appservice_irc_ircService_mediaProxy_publicUrl | to_json }} # Options here are generally only applicable to large-scale bridges and may have # consequences greater than other options in this configuration file. @@ -122,13 +152,18 @@ advanced: # however for large bridges it is important to rate limit the bridge to avoid # accidentally overloading the homeserver. Defaults to 1000, which should be # enough for the vast majority of use cases. + # This key CAN be hot-reloaded maxHttpSockets: 1000 + # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb + # This key CANNOT be hot-reloaded. + maxTxnSize: 10000000 # Use an external database to store bridge state. +# This key CANNOT be hot-reloaded. database: # database engine (must be 'postgres' or 'nedb'). Default: nedb engine: {{ matrix_appservice_irc_database_engine|to_json }} # Either a PostgreSQL connection string, or a path to the NeDB storage directory. # For postgres, it must start with postgres:// # For NeDB, it must start with nedb://. The path is relative to the project directory. - connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }} + connectionString: {{ matrix_appservice_irc_database_connectionString | to_json }} diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 new file mode 100644 index 000000000..fbffbdae9 --- /dev/null 
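Review bot: `ttlSeconds: 604800` under `mediaProxy` is hard-coded, while `bindPort` and `publicUrl` beside it are role variables, so the signed media links stay valid for seven days unless the operator replaces the template. Exposing it as a variable with a default of 604800, e.g. `ttlSeconds: {{ matrix_appservice_irc_ircService_mediaProxy_ttlSeconds | to_json }}` (the name is a suggestion, it is not defined in the visible hunks), would let operators shorten the lifetime of links that expose otherwise authenticated media. In the same hunk, `host: 127.0.0.1` under `metrics` is set while `port` stays commented out, and the comment above it says the host requires the port, so that line appears to have no effect. The `ircService` mapping begins above this hunk.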
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/labels.j2 
@@ -0,0 +1,63 @@ +{# +SPDX-FileCopyrightText: 2025 Jade Ellis +SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers +SPDX-FileCopyrightText: 2026 Slavi Pantaleev + +SPDX-License-Identifier: AGPL-3.0-or-later +#} + +{% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %} +traefik.enable=true + +{% if matrix_appservice_irc_container_labels_traefik_docker_network %} +traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }} +{% endif %} + +traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_ircService_mediaProxy_bindPort }} + +############################################################ +# # +# IRC Bridge Media Proxy # +# # +############################################################ + +{% set middlewares = [] %} + +traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }} + +{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.regex=({{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | quote }})$ +traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.replacement=${1}/ +{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-slashless-redirect'] %} +{% endif %} + +{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %} +traefik.http.middlewares.matrix-appservice-irc-media-proxy-strip-prefix.stripprefix.prefixes={{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }} +{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-strip-prefix'] %} +{% endif %} + + +{% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %} 
+traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }} +{% endif %} + +traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy +traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }} + +{% if middlewares | length > 0 %} +traefik.http.routers.matrix-appservice-irc-media-proxy.middlewares={{ middlewares | join(',') }} +{% endif %} + +traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }} +{% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %} +traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }} +{% endif %} + +############################################################ +# # +# /IRC Bridge Media Proxy # +# # +############################################################ +{% endif %} + +{{ matrix_appservice_irc_container_labels_additional_labels }} diff --git a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 index aa26ff78b..a41feeed7 100644 --- a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 +++ b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 
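Review bot: The `redirectregex.regex` label builds a regular expression from `matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | quote`, but `quote` is shell quoting, not regex escaping. A prefix containing `.` or `+` would be matched as a pattern, and one with characters outside the shell-safe set would be wrapped in single quotes that then become part of the regex. `regex_escape` is the better fit: `({{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | regex_escape }})$`. The two consecutive `{% if ... != '/' %}` blocks test the same condition and could be merged into one.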
@@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% if matrix_appservice_irc_container_http_host_bind_port %} -p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \ {% endif %} + {% if matrix_appservice_irc_container_media_proxy_host_bind_port %} + -p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_ircService_mediaProxy_bindPort }} \ + {% endif %} --mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \ --mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \ + --label-file={{ matrix_appservice_irc_base_path }}/labels \ {% for arg in matrix_appservice_irc_container_extra_arguments %} {{ arg }} \ {% endfor %} From b9631aea1cbd1ad051924cdec49ac76784376aa7 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Fri, 30 Jan 2026 21:14:11 +0200 Subject: [PATCH 191/209] Upgrade ntfy (v2.16.0-0 -> v2.16.0-1) --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 705b5e508..b11351d4c 100644 --- a/requirements.yml +++ b/requirements.yml @@ -31,7 +31,7 @@ version: v1.9.11-0 name: livekit_server - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git - version: v2.16.0-0 + version: v2.16.0-1 name: ntfy - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git version: 8630e4f1749bcb659c412820f754473f09055052 From 3f0ff4c510d7065e20b7193ffbda198675554b43 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 30 Jan 2026 17:57:29 +0000 Subject: [PATCH 192/209] chore(deps): update halfshot/matrix-hookshot docker tag to v7.3.2 --- roles/custom/matrix-bridge-hookshot/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/roles/custom/matrix-bridge-hookshot/defaults/main.yml b/roles/custom/matrix-bridge-hookshot/defaults/main.yml index 3e2548105..14a4dcc8c 100644 --- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml +++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml @@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: [] matrix_hookshot_container_additional_networks_custom: [] # renovate: datasource=docker depName=halfshot/matrix-hookshot -matrix_hookshot_version: 7.3.1 +matrix_hookshot_version: 7.3.2 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}" matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}" From f621eb80184c179dccb937982b7b2a19ecbba76c Mon Sep 17 00:00:00 2001 From: Aine Date: Fri, 30 Jan 2026 22:39:12 +0000 Subject: [PATCH 193/209] Synapse Admin v0.11.1-etke53 --- group_vars/matrix_servers | 3 +++ roles/custom/matrix-synapse-admin/defaults/main.yml | 7 +++++-- roles/custom/matrix-synapse-admin/templates/labels.j2 | 2 +- .../templates/systemd/matrix-synapse-admin.service.j2 | 10 ++++------ 4 files changed, 13 insertions(+), 9 deletions(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 9ec81fdbe..5d4fff09d 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers 
@@ -4723,6 +4723,9 @@ matrix_synapse_admin_enabled: false matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}" +matrix_synapse_admin_container_uid: "{{ matrix_user_uid }}" +matrix_synapse_admin_container_gid: "{{ matrix_user_gid }}" + matrix_synapse_admin_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8766') if matrix_playbook_service_host_bind_interface_prefix else '' }}" matrix_synapse_admin_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}" diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 68ab27cd3..4fd8276d4 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -21,11 +21,14 @@ matrix_synapse_admin_base_path: "{{ matrix_base_data_path }}/synapse-admin" matrix_synapse_admin_config_path: "{{ matrix_synapse_admin_base_path }}/config" matrix_synapse_admin_docker_src_files_path: "{{ matrix_synapse_admin_base_path }}/docker-src" +matrix_synapse_admin_container_uid: '' +matrix_synapse_admin_container_gid: '' + matrix_synapse_admin_container_image_self_build: false matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git" # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin -matrix_synapse_admin_version: v0.11.1-etke52 +matrix_synapse_admin_version: v0.11.1-etke53 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}" matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}" matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}" @@ -40,7 +43,7 @@ matrix_synapse_admin_container_network: matrix-synapse-admin # Use this to expose this container to a reverse proxy, which runs in a different container network. matrix_synapse_admin_container_additional_networks: [] -# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/80 in the container). +# Controls whether the matrix-synapse-admin container exposes its HTTP port (tcp/8080 in the container). # # Takes an ":" or "" value (e.g. "127.0.0.1:8766"), or empty string to not expose. matrix_synapse_admin_container_http_host_bind_port: '' diff --git a/roles/custom/matrix-synapse-admin/templates/labels.j2 b/roles/custom/matrix-synapse-admin/templates/labels.j2 index bab69cec3..e030d49ca 100644 --- a/roles/custom/matrix-synapse-admin/templates/labels.j2 +++ b/roles/custom/matrix-synapse-admin/templates/labels.j2 
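Review bot: `matrix_synapse_admin_container_uid` and `matrix_synapse_admin_container_gid` are added with empty defaults and no comment, unlike the variables around them. If nothing overrides them, the `--user=` argument of the service template (with the variable names as corrected in PATCH 199/209) would render as `:`. `group_vars/matrix_servers` sets them to `matrix_user_uid` and `matrix_user_gid`, but the role on its own has no such fallback. A comment such as `# UID and GID the container runs as (passed to --user); must be set` would make that explicit, as would a check in the role's validate_config tasks if none exists outside this diff.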
@@ -12,7 +12,7 @@ traefik.enable=true traefik.docker.network={{ matrix_synapse_admin_container_labels_traefik_docker_network }} {% endif %} -traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=80 +traefik.http.services.matrix-synapse-admin.loadbalancer.server.port=8080 {% set middlewares = [] %} diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 76ba438ac..8aa724c1d 100644 --- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 @@ -21,16 +21,14 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --name=matrix-synapse-admin \ --log-driver=none \ --cap-drop=ALL \ - --cap-add=CHOWN \ - --cap-add=NET_BIND_SERVICE \ - --cap-add=SETUID \ - --cap-add=SETGID \ + --read-only \ + --user={{ matrix_synapse_admin_container_user_uid }}:{{ matrix_synapse_admin_container_user_gid }} \ --network={{ matrix_synapse_admin_container_network }} \ {% if matrix_synapse_admin_container_http_host_bind_port %} - -p {{ matrix_synapse_admin_container_http_host_bind_port }}:80 \ + -p {{ matrix_synapse_admin_container_http_host_bind_port }}:8080 \ {% endif %} --label-file={{ matrix_synapse_admin_base_path }}/labels \ - --mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/app/config.json,ro \ + --mount type=bind,src={{ matrix_synapse_admin_config_path }}/config.json,dst=/var/public/config.json,ro \ {% for arg in matrix_synapse_admin_container_extra_arguments %} {{ arg }} \ {% endfor %} From 2f66b7df947c6ae911d9efa9b2c81a582f34f55b Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 31 Jan 2026 08:59:40 +0000 Subject: [PATCH 194/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.1.31 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index 59e549ad8..78f31a435 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2026.1.21 +matrix_alertmanager_receiver_version: 2026.1.31 matrix_alertmanager_receiver_scheme: https From 5bbb1930cb8d6410aba764c7feb96ca8f65c270a Mon Sep 17 00:00:00 2001 From: Aine Date: Sat, 31 Jan 2026 23:55:47 +0000 Subject: [PATCH 195/209] Synapse Admin i18n menu --- .../custom/matrix-synapse-admin/defaults/main.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/roles/custom/matrix-synapse-admin/defaults/main.yml b/roles/custom/matrix-synapse-admin/defaults/main.yml index 4fd8276d4..cdb02f3e2 100644 --- a/roles/custom/matrix-synapse-admin/defaults/main.yml +++ b/roles/custom/matrix-synapse-admin/defaults/main.yml 
@@ -215,15 +215,21 @@ matrix_synapse_admin_config_corsCredentials: "same-origin" # noqa var-naming # Controls the menu configuration setting, which, if defined, adds new menu items to the Synapse Admin UI. # The format is a list of objects, where each object has the following keys: -# - `label` (string): The label of the menu item. -# - `icon` (string): The icon of the menu item, one of the https://github.com/etkecc/synapse-admin/blob/main/src/components/icons.ts -# - `url` (string): The URL of the menu item. +# - `label` (string, required): The label of the menu item. +# - `i18n` (dict, optional): Dictionary of translations for the label. The keys should be BCP 47 language tags (e.g., en, fr, de) supported by Synapse Admin (see src/i18n). +# - `icon` (string, optional): The icon of the menu item, one of the https://github.com/etkecc/synapse-admin/blob/main/src/components/icons.ts +# - `url` (string, required): The URL of the menu item. # Example: # [ # { # "label": "Contact support", +# "i18n": { +# "de": "Support kontaktieren", +# "fr": "Contacter le support", +# "zh": "联系支持" +# }, # "icon": "SupportAgent", -# "url": "https://github.com/spantaleev/matrix-docker-ansible-deploy/issues" +# "url": "https://github.com/etkecc/synapse-admin/issues" # } # ] matrix_synapse_admin_config_menu: [] From aeea016e3c0908dd27c13ffe4c32d7e12ce63747 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 1 Feb 2026 15:08:43 +0000 Subject: [PATCH 196/209] chore(deps): update dependency babel to v2.18.0 --- i18n/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/i18n/requirements.txt b/i18n/requirements.txt index f91ee6fea..ca7999bc9 100644 --- a/i18n/requirements.txt +++ b/i18n/requirements.txt @@ -1,5 +1,5 @@ alabaster==1.0.0 -babel==2.17.0 +babel==2.18.0 certifi==2026.1.4 charset-normalizer==3.4.4 click==8.3.1 From 76e13f820061aed36f5af31b94c92462177ac6e2 Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Mon, 2 Feb 2026 15:59:00 +0200 Subject: [PATCH 197/209] Add native Sliding Sync (MSC3575) endpoint to worker routing The /_matrix/client/unstable/org.matrix.simplified_msc3575/sync endpoint can be handled by generic workers, but Synapse's workers.md documentation doesn't mention it. The code confirms it's worker-compatible: - SlidingSyncRestServlet is registered via sync.register_servlets: https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/rest/client/sync.py#L1128-L1131 - sync.register_servlets is NOT in the worker exclusion list: https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/rest/__init__.py#L180-L194 - GenericWorkerStore includes SlidingSyncStore: https://github.com/element-hq/synapse/blob/0dfcffab0f/synapse/app/generic_worker.py#L168 This adds the endpoint to both: - matrix_synapse_workers_sync_worker_client_server_endpoints (for specialized sync workers with sticky routing) - matrix_synapse_workers_generic_worker_endpoints (documenting generic worker capability) --- roles/custom/matrix-synapse/vars/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/custom/matrix-synapse/vars/main.yml b/roles/custom/matrix-synapse/vars/main.yml index 8843c0600..55943645b 100644 --- a/roles/custom/matrix-synapse/vars/main.yml +++ b/roles/custom/matrix-synapse/vars/main.yml @@ -26,6 +26,8 @@ matrix_synapse_workers_room_worker_federation_endpoints: # Sync workers handle /sync and the (now deprecated) related endpoints matrix_synapse_workers_sync_worker_client_server_endpoints: - ^/_matrix/client/(api/v1|r0|v3|unstable)/(sync|events|initialSync|rooms/[^/]+/initialSync)$ + # Native Sliding Sync (MSC3575) - supported on generic workers since Synapse 1.114 + - ^/_matrix/client/unstable/org.matrix.simplified_msc3575/sync$ # Client reader workers handle generic client-server endpoints that don't contain a roomid or sync matrix_synapse_workers_client_reader_client_server_endpoints: 
@@ -149,6 +151,8 @@ matrix_synapse_workers_generic_worker_endpoints: - ^/_matrix/client/(api/v1|r0|v3)/events$ - ^/_matrix/client/(api/v1|r0|v3)/initialSync$ - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$ + # Native Sliding Sync (MSC3575) - supported since Synapse 1.114 + - ^/_matrix/client/unstable/org.matrix.simplified_msc3575/sync$ # Federation requests - ^/_matrix/federation/v1/event/ From c63a0f984b61d134136d46d8b48bec867ecc7f4f Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 3 Feb 2026 20:41:19 +0000 Subject: [PATCH 198/209] chore(deps): update dependency valkey to v9.0.2-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index b11351d4c..13c593ed1 100644 --- a/requirements.yml +++ b/requirements.yml @@ -73,5 +73,5 @@ version: v2.10.0-4 name: traefik_certs_dumper - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git - version: v9.0.1-0 + version: v9.0.2-0 name: valkey From 81f815d19ba64726253b34bb67ee9d21271fba3f Mon Sep 17 00:00:00 2001 From: Aine Date: Tue, 3 Feb 2026 21:40:11 +0000 Subject: [PATCH 199/209] fix uid/gid vars for Synapse Admin --- .../templates/systemd/matrix-synapse-admin.service.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 index 8aa724c1d..daf633a26 100644 --- a/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 +++ b/roles/custom/matrix-synapse-admin/templates/systemd/matrix-synapse-admin.service.j2 
@@ -22,7 +22,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ --log-driver=none \ --cap-drop=ALL \ --read-only \ - --user={{ matrix_synapse_admin_container_user_uid }}:{{ matrix_synapse_admin_container_user_gid }} \ + --user={{ matrix_synapse_admin_container_uid }}:{{ matrix_synapse_admin_container_gid }} \ --network={{ matrix_synapse_admin_container_network }} \ {% if matrix_synapse_admin_container_http_host_bind_port %} -p {{ matrix_synapse_admin_container_http_host_bind_port }}:8080 \ From 5cc69ca7eba1b1ec0f23d23143b068ec6ba335fa Mon Sep 17 00:00:00 2001 
From: Slavi Pantaleev Date: Wed, 4 Feb 2026 03:14:47 +0200 Subject: [PATCH 200/209] Add whoami-based sync worker routing for user-level sticky sessions This adds a new routing mechanism for sync workers that resolves access tokens to usernames via Synapse's whoami endpoint, enabling true user-level sticky routing regardless of which device or token is used. Previously, sticky routing relied on parsing the username from native Synapse tokens (`syt__...`), which only works with native Synapse auth and provides device-level stickiness at best. This new approach works with any auth system (native Synapse, MAS, etc.) because Synapse handles token validation internally. Implementation uses nginx's auth_request module with an njs script because: - The whoami lookup requires an async HTTP subrequest (ngx.fetch) - js_set handlers must return synchronously and don't support async operations - auth_request allows the async lookup to complete, then captures the result via response headers into nginx variables The njs script: - Extracts access tokens from Authorization header or query parameter - Calls Synapse's whoami endpoint to resolve token -> username - Caches results in a shared memory zone to minimize latency - Returns the username via a `X-User-Identifier` header The username is then used by nginx's upstream hash directive for consistent worker selection. This leverages nginx's built-in health checking and failover. --- .../defaults/main.yml | 75 +++++++ .../tasks/setup_install.yml | 23 +- ...ix-synapse-reverse-proxy-companion.conf.j2 | 61 +++++- .../templates/nginx/nginx.conf.j2 | 17 +- .../nginx/njs/whoami_sync_worker_router.js.j2 | 202 ++++++++++++++++++ ...synapse-reverse-proxy-companion.service.j2 | 3 + 6 files changed, 368 insertions(+), 13 deletions(-) create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2 
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 8c230e145..0e33721ba 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -28,6 +28,7 @@ matrix_synapse_reverse_proxy_companion_version: 1.29.4-alpine matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" +matrix_synapse_reverse_proxy_companion_njs_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/njs" # List of systemd services that matrix-synapse-reverse-proxy-companion.service depends on matrix_synapse_reverse_proxy_companion_systemd_required_services_list: "{{ matrix_synapse_reverse_proxy_companion_systemd_required_services_list_default + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_auto + matrix_synapse_reverse_proxy_companion_systemd_required_services_list_custom }}" 
@@ -290,3 +291,77 @@ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time: "24 # As such, it trusts the protocol scheme forwarded by the upstream proxy. matrix_synapse_reverse_proxy_companion_trust_forwarded_proto: true matrix_synapse_reverse_proxy_companion_x_forwarded_proto_value: "{{ '$http_x_forwarded_proto' if matrix_synapse_reverse_proxy_companion_trust_forwarded_proto else '$scheme' }}" + + +######################################################################################## +# # +# njs module # +# # +######################################################################################## + +# Controls whether the njs module is loaded. +matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled }}" + +######################################################################################## +# # +# /njs module # +# # +######################################################################################## + + +######################################################################################## +# # +# Whoami-based sync worker routing # +# # +######################################################################################## + +# Controls whether the whoami-based sync worker router is enabled. +# When enabled, the reverse proxy will call Synapse's /_matrix/client/v3/account/whoami endpoint +# to resolve access tokens to usernames, allowing consistent routing of requests from the same user +# to the same sync worker regardless of which device or token they use. +# +# This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse +# handles the token validation internally. 
+# +# Without this, sticky routing falls back to parsing the username from the access token (only works +# with native Synapse tokens of the form syt__...), which only provides +# device-level stickiness (same token -> same worker) rather than user-level stickiness. +# +# Enabled by default when there are sync workers, because sync workers benefit from user-level +# stickiness due to their per-user in-memory caches. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}" + +# The whoami endpoint path (Matrix spec endpoint). +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint: /_matrix/client/v3/account/whoami + +# The full URL to the whoami endpoint. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_url: "http://{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_endpoint }}" + +# Cache duration (in seconds) for whoami lookup results. +# Token -> username mappings are cached to avoid repeated whoami calls. +# A longer TTL reduces load on Synapse but means username changes take longer to take effect. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds: 3600 + +# Size of the shared memory zone for caching whoami results (in megabytes). +# Each cached entry is approximately 100-200 bytes. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb: 1 + +# Controls whether verbose logging is enabled for the whoami sync worker router. +# When enabled, logs cache hits/misses and routing decisions. +# Useful for debugging, but should be disabled in production. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: false + +# The length of the access token to show in logs when logging is enabled. 
+# Keeping this short is a good idea from a security perspective. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_token_length: 12 + +# Controls whether debug response headers are added to sync requests. +# When enabled, adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers. +# Useful for debugging routing behavior, but should be disabled in production. +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: false + +######################################################################################## +# # +# /Whoami-based sync worker routing # +# # +######################################################################################## diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml index 4d732ad22..c093691b3 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/tasks/setup_install.yml @@ -7,14 +7,16 @@ - name: Ensure matrix-synapse-reverse-proxy-companion paths exist ansible.builtin.file: - path: "{{ item }}" + path: "{{ item.path }}" state: directory mode: 0750 owner: "{{ matrix_user_name }}" group: "{{ matrix_group_name }}" with_items: - - "{{ matrix_synapse_reverse_proxy_companion_base_path }}" - - "{{ matrix_synapse_reverse_proxy_companion_confd_path }}" + - {path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}", when: true} + - {path: "{{ matrix_synapse_reverse_proxy_companion_confd_path }}", when: true} + - {path: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}", when: "{{ matrix_synapse_reverse_proxy_companion_njs_enabled }}"} + when: item.when | bool - name: Ensure matrix-synapse-reverse-proxy-companion is configured ansible.builtin.template: 
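Review bot: The comment on `matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds` names "username changes" as the cost of a long TTL, but the njs script added later in this patch keys the cache by the access token itself (`cache.set(token, entry)`). The effect an operator should know about is that a token-to-user entry, and the token string, stay in nginx shared memory for up to the TTL after logout or revocation. This affects routing only, since Synapse still validates the token on the proxied request. I would reword the last line to `# A longer TTL reduces load on Synapse, but entries for logged-out or revoked tokens stay cached (routing only) until they expire.`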
@@ -33,6 +35,21 @@ - src: "{{ role_path }}/templates/labels.j2" dest: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/labels" +- name: Ensure matrix-synapse-reverse-proxy-companion whoami sync worker router njs script is deployed + ansible.builtin.template: + src: "{{ role_path }}/templates/nginx/njs/whoami_sync_worker_router.js.j2" + dest: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}/whoami_sync_worker_router.js" + owner: "{{ matrix_user_name }}" + group: "{{ matrix_group_name }}" + mode: 0644 + when: matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled | bool + +- name: Ensure matrix-synapse-reverse-proxy-companion njs path is removed when njs is disabled + ansible.builtin.file: + path: "{{ matrix_synapse_reverse_proxy_companion_njs_path }}" + state: absent + when: not matrix_synapse_reverse_proxy_companion_njs_enabled + - name: Ensure matrix-synapse-reverse-proxy-companion nginx container image is pulled community.docker.docker_image: name: "{{ matrix_synapse_reverse_proxy_companion_container_image }}" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index 2e40372eb..6c72ca2ad 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 
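Review bot: The script is templated under `when: matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled | bool`, but its target directory is created and removed based on `matrix_synapse_reverse_proxy_companion_njs_enabled`, which is a separate, overridable variable. If njs is set to false while the router stays enabled, this task writes into a directory that was never created, and nginx.conf would emit `js_import` without `load_module`. Either gate the deployment on both flags or add an assertion to the role's config validation that the router requires njs. The removal task should also use `when: not (matrix_synapse_reverse_proxy_companion_njs_enabled | bool)` to match the sibling tasks.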
@@ -41,20 +41,48 @@ {% endfor %} {% endmacro %} +{% macro render_locations_to_upstream_with_whoami_sync_worker_router(locations, upstream_name) %} + {% for location in locations %} + location ~ {{ location }} { + # Use auth_request to call the whoami sync worker router. + # The handler resolves the access token to a user identifier and returns it + # in the X-User-Identifier header, which is then used for upstream hashing. + auth_request /_whoami_sync_worker_router; + auth_request_set $user_identifier $sent_http_x_user_identifier; + + {% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled %} + add_header X-Sync-Worker-Router-User-Identifier $user_identifier always; + add_header X-Sync-Worker-Router-Upstream $upstream_addr always; + {% endif %} + + proxy_pass http://{{ upstream_name }}$request_uri; + proxy_http_version 1.1; + proxy_set_header Connection ""; + } + {% endfor %} +{% endmacro %} + {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} +# Access token to user identifier mapping logic. +# This is used for sticky routing to ensure requests from the same user are routed to the same worker. +{% if not matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} +# Extracts the base64-encoded localpart from native Synapse access tokens. +# Native Synapse tokens have the format: syt___ +# See: https://github.com/element-hq/synapse/blob/1bddd25a85d82b2ef4a2a42f6ecd476108d7dd96/synapse/handlers/auth.py#L1448-L1459 # Maps from https://tcpipuk.github.io/synapse/deployment/nginx.html#mapsconf -# Client username from access token +# Note: This only works with native Synapse tokens, not with MAS or other auth systems. 
map $arg_access_token $accesstoken_from_urlparam { - default $arg_access_token; - "~syt_(?.*?)_.*" $username; + default $arg_access_token; + "~syt_(?.*?)_.*" $b64localpart; } -# Client username from MXID -map $http_authorization $mxid_localpart { - default $http_authorization; - "~Bearer syt_(?.*?)_.*" $username; - "" $accesstoken_from_urlparam; +map $http_authorization $user_identifier { + default $http_authorization; + "~Bearer syt_(?.*?)_.*" $b64localpart; + "" $accesstoken_from_urlparam; } +{% endif %} + # Whether to upgrade HTTP connection map $http_upgrade $connection_upgrade { default upgrade; @@ -76,7 +104,7 @@ map $request_uri $room_name { {% endif %} {% if sync_workers | length > 0 %} - {{- render_worker_upstream('sync_workers_upstream', sync_workers, 'hash $mxid_localpart consistent;') }} + {{- render_worker_upstream('sync_workers_upstream', sync_workers, 'hash $user_identifier consistent;') }} {% endif %} {% if client_reader_workers | length > 0 %} @@ -134,6 +162,17 @@ server { proxy_max_temp_file_size 0; proxy_set_header Host $host; + {% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} + # Internal location for whoami-based sync worker routing. + # This is called via auth_request from sync worker locations. + # The njs handler calls the whoami endpoint to resolve access tokens to usernames, + # then returns the username in the X-User-Identifier header for upstream hashing. + location = /_whoami_sync_worker_router { + internal; + js_content whoami_sync_worker_router.handleAuthRequest; + } + {% endif %} + {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} # Client-server overrides — These locations must go to the main Synapse process location ~ {{ matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex }} { 
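Review bot: The comment inside `render_locations_to_upstream_with_whoami_sync_worker_router` does not say that `auth_request` is used here purely for routing. The handler added in this patch returns 200 on every path, so nothing is rejected at this layer and token validation happens only in Synapse on the proxied request. I would add `# NOTE: routing only - the handler always answers 200; this is not an authentication gate.` above the `auth_request` line so a later maintainer does not rely on it for access control. The debug `add_header X-Sync-Worker-Router-User-Identifier` line should also carry a comment that `$user_identifier` can hold the raw access token when the whoami lookup fails, because the script falls back to the token.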
@@ -207,7 +246,11 @@ server { # sync workers # https://tcpipuk.github.io/synapse/deployment/workers.html # https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf + {% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} + {{ render_locations_to_upstream_with_whoami_sync_worker_router(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} + {% else %} {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} + {% endif %} {% endif %} {% if client_reader_workers | length > 0 %} diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 index 26cc6f523..aa52a05e1 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 @@ -8,6 +8,12 @@ # - various temp paths are changed to `/tmp`, so that a non-root user can write to them # - the `user` directive was removed, as we don't want nginx to switch users +# load_module directives must be first or nginx will choke with: +# > [emerg] "load_module" directive is specified too late. +{% if matrix_synapse_reverse_proxy_companion_njs_enabled %} +load_module modules/ngx_http_js_module.so; +{% endif %} + worker_processes {{ matrix_synapse_reverse_proxy_companion_worker_processes }}; error_log /var/log/nginx/error.log warn; pid /tmp/nginx.pid; @@ -22,7 +28,6 @@ events { {% endfor %} } - http { proxy_temp_path /tmp/proxy_temp; client_body_temp_path /tmp/client_temp; 
@@ -33,6 +38,16 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; + {% if matrix_synapse_reverse_proxy_companion_njs_enabled %} + js_path /njs/; + {% endif %} + + {% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} + # njs module for whoami-based sync worker routing + js_import whoami_sync_worker_router from whoami_sync_worker_router.js; + js_shared_dict_zone zone=whoami_sync_worker_router_cache:{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb }}m; + {% endif %} + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2 new file mode 100644 index 000000000..fe32d6efd --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2 
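Review bot: `js_shared_dict_zone` is declared without `timeout` or `evict`, so the only expiry is the script's own `expires` check, which runs when the same token is looked up again. Entries for tokens that are never seen again therefore stay in the zone, along with the token strings used as keys. Once the zone is full, `cache.set` throws (the script catches and logs this) and every new token costs a whoami call. I would let nginx expire and evict entries itself: `js_shared_dict_zone zone=whoami_sync_worker_router_cache:{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb }}m timeout={{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds }}s evict;`. Confirm first that the njs build in the pinned image supports both parameters.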
@@ -0,0 +1,202 @@ +#jinja2: lstrip_blocks: True +// Whoami-based sync worker router +// +// This script resolves access tokens to usernames by calling the whoami endpoint. +// Results are cached to minimize latency impact. The username is returned via the +// X-User-Identifier header, which nginx captures and uses for upstream hashing. +// +// This works with any authentication system (native Synapse auth, MAS, etc.) because +// Synapse handles token validation internally. +// +// Why auth_request instead of js_set? +// ----------------------------------- +// A simpler approach would be to use js_set to populate a variable (e.g., $user_identifier) +// and then use that variable in an upstream's `hash` directive. However, this doesn't work +// because: +// +// 1. The whoami lookup requires an HTTP subrequest (ngx.fetch), which is asynchronous. +// 2. js_set handlers must return synchronously - nginx's variable evaluation doesn't support +// async operations. Using async functions with js_set causes errors like: +// "async operation inside variable handler" +// +// The auth_request approach solves this by: +// 1. Making a subrequest to an internal location that uses js_content (which supports async) +// 2. Returning the user identifier via a response header (X-User-Identifier) +// 3. Capturing that header with auth_request_set into $user_identifier +// 4. 
Using $user_identifier in the upstream's hash directive for consistent routing + +const WHOAMI_URL = {{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_url | to_json }}; +const CACHE_TTL_MS = {{ (matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_ttl_seconds * 1000) | to_json }}; + +const LOGGING_ENABLED = {{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled | to_json }}; +const LOGGING_TOKEN_LENGTH = {{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_token_length | to_json }}; + +function log(message) { + if (LOGGING_ENABLED) { + // Using WARN level because nginx's error_log is hardcoded to 'warn' and our logs won't be visible otherwise + ngx.log(ngx.WARN, 'whoami_sync_worker_router: ' + message); + } +} + +// Truncate token for logging (show first X chars only for security) +function truncateToken(token) { + if (!token || token.length <= LOGGING_TOKEN_LENGTH) { + return token; + } + return token.substring(0, LOGGING_TOKEN_LENGTH) + '...'; +} + +// Extract token from request (Authorization header or query parameter) +function extractToken(r) { + // Try Authorization header first + const authHeader = r.headersIn['Authorization']; + if (authHeader && authHeader.startsWith('Bearer ')) { + return authHeader.substring(7); + } + + // Fall back to access_token query parameter (deprecated in Matrix v1.11, but homeservers must support it) + if (r.args.access_token) { + return r.args.access_token; + } + + return null; +} + +// Extract localpart from user_id (e.g., "@alice:example.com" -> "alice") +function extractLocalpart(userId) { + if (!userId || !userId.startsWith('@')) { + return null; + } + const colonIndex = userId.indexOf(':'); + if (colonIndex === -1) { + return null; + } + return userId.substring(1, colonIndex); +} + +// Get cached username for token +function getCachedUsername(token) { + const cache = ngx.shared.whoami_sync_worker_router_cache; + if (!cache) { + return 
null; + } + + const entry = cache.get(token); + if (entry) { + try { + const data = JSON.parse(entry); + if (data.expires > Date.now()) { + log('cache hit for token ' + truncateToken(token) + ' -> ' + data.username); + return data.username; + } + // Expired, remove from cache + log('cache expired for token ' + truncateToken(token)); + cache.delete(token); + } catch (e) { + cache.delete(token); + } + } + return null; +} + +// Cache username for token +function cacheUsername(token, username) { + const cache = ngx.shared.whoami_sync_worker_router_cache; + if (!cache) { + return; + } + + try { + const entry = JSON.stringify({ + username: username, + expires: Date.now() + CACHE_TTL_MS + }); + cache.set(token, entry); + log('cached token ' + truncateToken(token) + ' -> ' + username); + } catch (e) { + // Cache full or other error, log and continue + ngx.log(ngx.WARN, 'whoami_sync_worker_router: cache error: ' + e.message); + } +} + +// Call whoami endpoint to get user_id +async function lookupWhoami(token) { + log('performing whoami lookup for token ' + truncateToken(token)); + try { + const response = await ngx.fetch(WHOAMI_URL, { + method: 'GET', + headers: { + 'Authorization': 'Bearer ' + token + } + }); + + if (response.ok) { + const data = await response.json(); + if (data.user_id) { + const localpart = extractLocalpart(data.user_id); + log('whoami lookup success: ' + data.user_id + ' -> ' + localpart); + return localpart; + } + } else if (response.status === 401) { + // Token is invalid/expired - this is expected for some requests + log('whoami lookup returned 401 (invalid/expired token)'); + return null; + } else { + ngx.log(ngx.WARN, 'whoami_sync_worker_router: whoami returned status ' + response.status); + } + } catch (e) { + ngx.log(ngx.ERR, 'whoami_sync_worker_router: whoami failed: ' + e.message); + } + + return null; +} + +// Set response header with the user identifier for upstream hashing +function setUserIdentifier(r, identifier) { + log('resolved user 
identifier: ' + identifier); + r.headersOut['X-User-Identifier'] = identifier; +} + +// Main handler for auth_request subrequest. +// Returns 200 with X-User-Identifier header containing the user identifier for upstream hashing. +async function handleAuthRequest(r) { + const token = extractToken(r); + + if (!token) { + // No token found (e.g., OPTIONS preflight requests don't include Authorization header). + // We return a random value to distribute these requests across workers. + // Returning an empty string would cause all no-token requests to hash to the same value, + // routing them all to a single worker. + // This doesn't affect the cache since we only cache token -> username mappings. + log('no token found in request, distributing randomly'); + setUserIdentifier(r, '_no_token_' + Math.random()); + r.return(200); + return; + } + + // Check cache first + const cachedUsername = getCachedUsername(token); + if (cachedUsername) { + setUserIdentifier(r, cachedUsername); + r.return(200); + return; + } + + // Perform whoami lookup + log('cache miss for token ' + truncateToken(token)); + const username = await lookupWhoami(token); + if (username) { + cacheUsername(token, username); + setUserIdentifier(r, username); + r.return(200); + return; + } + + // Whoami lookup failed, fall back to using the token itself for hashing. + // This still provides device-level sticky routing (same token -> same worker). + log('whoami lookup failed, falling back to token-based routing'); + setUserIdentifier(r, token); + r.return(200); +} + +export default { handleAuthRequest }; diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 index e2f255e23..2f0aff36f 100755 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 
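Review bot: When the whoami lookup fails, `handleAuthRequest` passes the raw access token to `setUserIdentifier`, which logs it untruncated (`'resolved user identifier: ' + identifier`) and copies it into `X-User-Identifier`. With logging enabled the full bearer token lands in the nginx error log, bypassing `truncateToken`, and with debug headers enabled it is echoed in `X-Sync-Worker-Router-User-Identifier`. This also happens for valid tokens whenever Synapse answers with an error or the fetch throws. The shared dict is keyed by the raw token as well. A SHA-256 digest of the token, from njs's built-in `crypto` module, works as both cache key and fallback identifier and keeps device-level stickiness without the secret leaving the request.

```javascript
// Stable, non-reversible stand-in for the token: cache key and fallback hash input.
function tokenDigest(token) {
    return require('crypto').createHash('sha256').update(token).digest('hex');
}

// … unchanged: log, truncateToken, extractToken, extractLocalpart …

// getCachedUsername / cacheUsername: key the shared dict by the digest, never the token
const entry = cache.get(tokenDigest(token));
// … on expiry or parse error: cache.delete(tokenDigest(token)) …
cache.set(tokenDigest(token), entry);

// … unchanged: lookupWhoami, setUserIdentifier …

// handleAuthRequest, fallback branch: same token -> same worker, without exposing the token
log('whoami lookup failed, falling back to token-based routing');
setUserIdentifier(r, '_token_' + tokenDigest(token));
r.return(200);
```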
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/systemd/matrix-synapse-reverse-proxy-companion.service.j2 @@ -36,6 +36,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \ {% endif %} --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_base_path }}/nginx.conf,dst=/etc/nginx/nginx.conf,ro \ --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_confd_path }},dst=/etc/nginx/conf.d,ro \ + {% if matrix_synapse_reverse_proxy_companion_njs_enabled %} + --mount type=bind,src={{ matrix_synapse_reverse_proxy_companion_njs_path }},dst=/njs,ro \ + {% endif %} --label-file={{ matrix_synapse_reverse_proxy_companion_base_path }}/labels \ {% for arg in matrix_synapse_reverse_proxy_companion_container_arguments %} {{ arg }} \ From 45c855c853a18d498543b4bc794681fe5e0aa766 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Feb 2026 03:48:55 +0200 Subject: [PATCH 201/209] Remove old map-based user identifier extraction for sync workers The whoami-based approach is now the only implementation for sync worker routing. It works with all token types (native Synapse, MAS, etc.) and is automatically enabled when sync workers exist. The old map-based approach only worked with native Synapse tokens (syt__...) and would give poor results with MAS or other auth systems. --- .../defaults/main.yml | 4 ---- ...ix-synapse-reverse-proxy-companion.conf.j2 | 23 ------------------- 2 files changed, 27 deletions(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 0e33721ba..02251478c 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml 
@@ -323,10 +323,6 @@ matrix_synapse_reverse_proxy_companion_njs_enabled: "{{ matrix_synapse_reverse_p # This works with any authentication system (native Synapse auth, MAS, etc.) because Synapse # handles the token validation internally. # -# Without this, sticky routing falls back to parsing the username from the access token (only works -# with native Synapse tokens of the form syt__...), which only provides -# device-level stickiness (same token -> same worker) rather than user-level stickiness. -# # Enabled by default when there are sync workers, because sync workers benefit from user-level # stickiness due to their per-user in-memory caches. matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled: "{{ matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'sync_worker') | list | length > 0 }}" diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 index 6c72ca2ad..20af557ca 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2 
@@ -64,25 +64,6 @@ {% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %} -# Access token to user identifier mapping logic. -# This is used for sticky routing to ensure requests from the same user are routed to the same worker. -{% if not matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} -# Extracts the base64-encoded localpart from native Synapse access tokens. -# Native Synapse tokens have the format: syt___ -# See: https://github.com/element-hq/synapse/blob/1bddd25a85d82b2ef4a2a42f6ecd476108d7dd96/synapse/handlers/auth.py#L1448-L1459 -# Maps from https://tcpipuk.github.io/synapse/deployment/nginx.html#mapsconf -# Note: This only works with native Synapse tokens, not with MAS or other auth systems. -map $arg_access_token $accesstoken_from_urlparam { - default $arg_access_token; - "~syt_(?.*?)_.*" $b64localpart; -} -map $http_authorization $user_identifier { - default $http_authorization; - "~Bearer syt_(?.*?)_.*" $b64localpart; - "" $accesstoken_from_urlparam; -} -{% endif %} - # Whether to upgrade HTTP connection map $http_upgrade $connection_upgrade { default upgrade; @@ -246,11 +227,7 @@ server { # sync workers # https://tcpipuk.github.io/synapse/deployment/workers.html # https://tcpipuk.github.io/synapse/deployment/nginx.html#locationsconf - {% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %} {{ render_locations_to_upstream_with_whoami_sync_worker_router(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} - {% else %} - {{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_sync_worker_client_server_locations, 'sync_workers_upstream') }} - {% endif %} {% endif %} {% if client_reader_workers | length > 0 %} From 93f626446655d28748e74558452341acb08d2df5 Mon Sep 17 00:00:00 2001 
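Review bot: After the `@@ -246,11 +227,7 @@` hunk the sync locations always render `auth_request /_whoami_sync_worker_router;`, but the previous patch still gates the `location = /_whoami_sync_worker_router` block, the `js_import` line and the script deployment on `matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled`. Unless that is changed outside this view, overriding the variable to false leaves every sync request pointing at an internal location that does not exist, so sync fails rather than degrading to unsticky routing. Either drop the remaining `{% if ...whoami_sync_worker_router_enabled %}` conditionals along with the old code path, or fail early in the role's config validation when sync workers exist and the variable is false.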
From: Slavi Pantaleev Date: Wed, 4 Feb 2026 03:53:31 +0200 Subject: [PATCH 202/209] Add CHANGELOG entry for whoami-based sync worker routing --- CHANGELOG.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d251894f0..7f8435ebc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,30 @@ +# 2026-02-04 + +## Whoami-based sync worker routing for improved sticky sessions for Synapse + +Deployments using [Synapse workers](./docs/configuring-playbook-synapse.md#load-balancing-with-workers) now benefit from improved sync worker routing via a new whoami-based mechanism (making use of the [whoami Matrix Client-Server API](https://spec.matrix.org/v1.17/client-server-api/#get_matrixclientv3accountwhoami)). + +Previously, sticky routing for sync workers relied on parsing usernames from access tokens, which only worked with native Synapse tokens (`syt__...`). This approach failed for [Matrix Authentication Service](docs/configuring-playbook-matrix-authentication-service.md) (MAS) deployments, where tokens are opaque and don't contain username information. This resulted in device-level stickiness (same token → same worker) rather than user-level stickiness (same user → same worker regardless of device), leading to suboptimal cache utilization on sync workers. + +The new implementation calls Synapse's `/whoami` endpoint to resolve access tokens to usernames, enabling proper user-level sticky routing regardless of the authentication system in use (native Synapse auth, MAS, etc.). Results are cached to minimize overhead. 
+ +This change: +- **Automatically enables** when sync workers are configured (no action required) +- **Works universally** with any authentication system +- **Replaces the old implementation** entirely to keep the codebase simple +- **Adds minimal overhead** (one cached internal subrequest per sync request) for non-MAS deployments + +For debugging, you can enable verbose logging and/or response headers showing routing decisions: + +```yaml +# Logs cache hits/misses and routing decisions to the container's stderr +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_logging_enabled: true + +# Adds X-Sync-Worker-Router-User-Identifier and X-Sync-Worker-Router-Upstream headers to sync responses +matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled: true +``` + + # 2025-12-09 ## Traefik Cert Dumper upgrade From 7d4536cf78be1dedc73ff69fe0581fcbf4c9799b Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Feb 2026 04:21:47 +0200 Subject: [PATCH 203/209] Upgrade baibot (v1.13.0 -> v1.14.0) and add built-in tools configuration support --- CHANGELOG.md | 13 +++++++++++++ docs/configuring-playbook-bot-baibot.md | 6 ++++++ roles/custom/matrix-bot-baibot/defaults/main.yml | 7 ++++++- .../templates/provider/openai-config.yml.j2 | 3 +++ 4 files changed, 28 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f8435ebc..e3b1a1dec 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,18 @@ # 2026-02-04 +## baibot now supports OpenAI's built-in tools (Web Search and Code Interpreter) + +**TLDR**: if you're using the [OpenAI provider](https://github.com/etkecc/baibot/blob/main/docs/providers.md#openai) with [baibot](docs/configuring-playbook-bot-baibot.md), you can now enable [built-in tools](https://github.com/etkecc/baibot/blob/61d18b2/docs/features.md#%EF%B8%8F-built-in-tools-openai-only) (`web_search` and `code_interpreter`) to extend the model's capabilities. + +These tools are **disabled by default** and can be enabled via Ansible variables for static agent configurations: + +```yaml +matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: true +matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: true +``` + +Users who define agents dynamically at runtime will need to [update their agents](https://github.com/etkecc/baibot/blob/61d18b2/docs/agents.md#updating-agents) to enable these tools. See the [baibot v1.14.0 changelog](https://github.com/etkecc/baibot/blob/61d18b2/CHANGELOG.md) for details. + ## Whoami-based sync worker routing for improved sticky sessions for Synapse Deployments using [Synapse workers](./docs/configuring-playbook-synapse.md#load-balancing-with-workers) now benefit from improved sync worker routing via a new whoami-based mechanism (making use of the [whoami Matrix Client-Server API](https://spec.matrix.org/v1.17/client-server-api/#get_matrixclientv3accountwhoami)). diff --git a/docs/configuring-playbook-bot-baibot.md b/docs/configuring-playbook-bot-baibot.md index 60d9bd94e..aaf19ce54 100644 --- a/docs/configuring-playbook-bot-baibot.md +++ b/docs/configuring-playbook-bot-baibot.md 
@@ -243,6 +243,12 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: "YOUR_ # If you'd like to use another text-generation agent, uncomment and adjust: # matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4.1 + +# Uncomment below to enable OpenAI's built-in tools. +# These tools are disabled by default. Enabling them may incur additional costs. +# See: https://github.com/etkecc/baibot/blob/61d18b2/docs/features.md#%EF%B8%8F-built-in-tools-openai-only +# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: true +# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: true ``` Because this is a [statically](https://github.com/etkecc/baibot/blob/main/docs/configuration/README.md#static-configuration)-defined agent, it will be given a `static/` ID prefix and will be named `static/openai`. diff --git a/roles/custom/matrix-bot-baibot/defaults/main.yml b/roles/custom/matrix-bot-baibot/defaults/main.yml index bbc2f49c6..f0ea90218 100644 --- a/roles/custom/matrix-bot-baibot/defaults/main.yml +++ b/roles/custom/matrix-bot-baibot/defaults/main.yml 
@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src" # renovate: datasource=docker depName=ghcr.io/etkecc/baibot -matrix_bot_baibot_version: v1.13.0 +matrix_bot_baibot_version: v1.14.0 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}" matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}" matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}" @@ -395,6 +395,11 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_response_tokens: ~ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_completion_tokens: 128000 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_context_tokens: 400000 +# Built-in tools configuration (OpenAI only). +# These tools extend the model's capabilities but are disabled by default following upstream defaults. +# See: https://github.com/etkecc/baibot/blob/main/docs/features.md#%EF%B8%8F-built-in-tools-openai-only +matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search: false +matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter: false matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_enabled: true matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_model_id: whisper-1 
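Review bot: The comment above the two new `..._text_generation_tools_*` defaults (second hunk, `@@ -395,6 +395,11 @@`) links to `blob/main/docs/features.md`, while the CHANGELOG and docs hunks of this same commit pin `blob/61d18b2/`. A `main` link can drift away from the v1.14.0 behaviour pinned by `matrix_bot_baibot_version` in the first hunk. The comment also drops the caveat the docs hunk carries, and these switches presumably widen what the bot can do for anyone allowed to talk to it. I would pin the link and extend the comment, e.g. `# Enabling them may incur additional costs; web_search also brings third-party web content into the model's context.` Keeping both defaults at `false` is the right choice and should stay.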
diff --git a/roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2 b/roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2 index 37ceeaada..ebbc27669 100644 --- a/roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2 +++ b/roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2 @@ -15,6 +15,9 @@ text_generation: max_completion_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_completion_tokens | int | to_json }} {% endif %} max_context_tokens: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_max_context_tokens | int | to_json }} + tools: + web_search: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search | to_json }} + code_interpreter: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_code_interpreter | to_json }} {% endif %} {% if matrix_bot_baibot_config_agents_static_definitions_openai_config_speech_to_text_enabled %} From a7ddb189b52ae6f0909bd557e0828ad92c9fe984 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Wed, 4 Feb 2026 04:26:15 +0200 Subject: [PATCH 204/209] Add missing license file for whoami_sync_worker_router.js.j2 --- .../nginx/njs/whoami_sync_worker_router.js.j2.license | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2.license diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2.license b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2.license new file mode 100644 index 000000000..dbb307901 --- /dev/null +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/njs/whoami_sync_worker_router.js.j2.license 
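Review bot: The two values under the new `tools:` key (hunk `@@ -15,6 +15,9 @@`) are rendered with `| to_json` alone, whereas the neighbouring `max_completion_tokens` and `max_context_tokens` lines coerce with `| int | to_json` first. If one of these variables arrives as a string (for example via `--extra-vars key=value`), `to_json` emits a quoted string such as `"false"` rather than a boolean, and how baibot treats that value is not visible here. Coercing first keeps these opt-in switches unambiguous: `web_search: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_tools_web_search | bool | to_json }}`, and the same `| bool` for `code_interpreter`. The enclosing `{% if %}` block opens outside the hunk.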
@@ -0,0 +1,3 @@ +SPDX-FileCopyrightText: 2026 Slavi Pantaleev + +SPDX-License-Identifier: AGPL-3.0-or-later From d548f7ba8cd0fe54817d818d57363217ecd81f35 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Feb 2026 08:44:26 +0000 Subject: [PATCH 205/209] chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.2.4 --- roles/custom/matrix-alertmanager-receiver/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml index 78f31a435..537ea490d 100644 --- a/roles/custom/matrix-alertmanager-receiver/defaults/main.yml +++ b/roles/custom/matrix-alertmanager-receiver/defaults/main.yml @@ -11,7 +11,7 @@ matrix_alertmanager_receiver_enabled: true # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver -matrix_alertmanager_receiver_version: 2026.1.31 +matrix_alertmanager_receiver_version: 2026.2.4 matrix_alertmanager_receiver_scheme: https From 2c0688334ff206214644c2d9e7372ef3425fdbd8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Feb 2026 16:49:07 +0000 Subject: [PATCH 206/209] chore(deps): update dependency jitsi to v10741 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 13c593ed1..64701381e 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,7 +25,7 @@ version: v11.6.5-6 name: grafana - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git - version: v10710-0 + version: v10741-0 name: jitsi - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git version: v1.9.11-0 From 8f6ae1f7344740c61efcc7bbf99ad5eedab44546 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 5 Feb 2026 04:33:52 +0000 Subject: [PATCH 207/209] chore(deps): update nginx docker tag to v1.29.5 --- .../matrix-synapse-reverse-proxy-companion/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml index 02251478c..decb536d2 100644 --- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml +++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml @@ -24,7 +24,7 @@ matrix_synapse_reverse_proxy_companion_enabled: true # renovate: datasource=docker depName=nginx -matrix_synapse_reverse_proxy_companion_version: 1.29.4-alpine +matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion" matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d" From 1f0e33e07a9842f37fb207205ed431957beeded4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Feb 2026 22:51:23 +0000 Subject: [PATCH 208/209] chore(deps): update dependency prometheus_postgres_exporter to v0.19.0-0 --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 64701381e..9f134feff 100644 --- a/requirements.yml +++ b/requirements.yml @@ -55,7 +55,7 @@ version: v1.9.1-13 name: prometheus_node_exporter - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git - version: v0.18.1-2 + version: v0.19.0-0 name: prometheus_postgres_exporter - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git version: v1.4.1-0 
From c8920885f9653775007dcb613e849267d18825a6 Mon Sep 17 00:00:00 2001 From: Suguru Hirahara Date: Thu, 5 Feb 2026 18:05:00 +0900 Subject: [PATCH 209/209] Replace `valkey_container_http_port` See: https://github.com/mother-of-all-self-hosting/ansible-role-valkey/commit/36d4bd4548ab4ef9f345c5b959e60c571dfa7c69 Signed-off-by: Suguru Hirahara --- group_vars/matrix_servers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers index 5d4fff09d..739bbeef4 100755 --- a/group_vars/matrix_servers +++ b/group_vars/matrix_servers @@ -3733,7 +3733,7 @@ matrix_media_repo_redis_shards: | {{ ([{ 'name': 'valkey', - 'addr': (valkey_identifier + ':' + valkey_container_http_port | string), + 'addr': (valkey_identifier + ':' + valkey_container_tcp_port | string), }]) if valkey_enabled and matrix_media_repo_redis_enabled else []