More progress on matrix-static-files role and cleaning up of matrix-base and matrix-nginx-proxy

2 лет назад · da48a605bb
--- a/docs/configuring-well-known.md
+++ b/docs/configuring-well-known.md
@@ -40,15 +40,15 @@ To learn how to set it up, read the Installing section below.
 [MSC 1929](https://github.com/matrix-org/matrix-spec-proposals/pull/1929) specifies a way to add contact details of admins, as well as a link to a support page for users who are having issues with the service. Automated services may also index this information and use it for abuse reports, etc.
 The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_homeserver_admin_contacts` and `matrix_homeserver_support_url`.
 The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_static_files_file_matrix_support_property_m_contacts` and `matrix_static_files_file_matrix_support_property_m_support_page`.
 Example snippet for `vars.yml`:
 ```
 # Enable generation of `/.well-known/matrix/support`.
 matrix_well_known_matrix_support_enabled: true
 matrix_static_files_file_matrix_support_enabled: true
 # Homeserver admin contacts as per MSC 1929 https://github.com/matrix-org/matrix-spec-proposals/pull/1929
 matrix_homeserver_admin_contacts:
 matrix_static_files_file_matrix_support_property_m_contacts:
  - matrix_id: "@admin1:{{ matrix_domain }}"
    email_address: admin@domain.tld
    role: m.role.admin
@@ -58,7 +58,7 @@ matrix_homeserver_admin_contacts:
  - email_address: security@domain.tld
    role: m.role.security
 matrix_homeserver_support_url: "https://example.domain.tld/support"
 matrix_static_files_file_matrix_support_property_m_support_page: "https://example.domain.tld/support"
 ```
 To learn how to set up `/.well-known/matrix/support` for the base domain, read the Installing section below.
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -2996,8 +2996,6 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
 matrix_nginx_proxy_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
 # OCSP stapling does not make sense when self-signed certificates are used.
 # See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1073
 # and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1074
@@ -4599,21 +4597,17 @@ matrix_static_files_container_labels_traefik_docker_network: "{{ matrix_playbook
 matrix_static_files_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_static_files_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_client_element_jitsi_preferred_domain }}"
 matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
 matrix_static_files_file_matrix_client_property_org_matrix_msc3575_proxy_url: "{{ matrix_homeserver_sliding_sync_url }}"
 matrix_static_files_file_matrix_client_property_m_tile_server_entries_enabled: "{{ matrix_client_element_location_sharing_enabled }}"
 matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "https://{{ matrix_server_fqn_element }}/map_style.json"
 matrix_static_files_file_matrix_client_property_io_element_e2ee_default: "{{ matrix_well_known_matrix_client_io_element_e2ee_default }}"
 matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required: "{{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required }}"
 matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods: "{{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods }}"
 matrix_static_files_file_matrix_server_property_m_server: "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}"
 matrix_static_files_file_matrix_support_property_m_contacts: "{{ matrix_homeserver_admin_contacts }}"
 matrix_static_files_file_matrix_support_property_m_support_page: "{{ matrix_homeserver_support_url }}"
 matrix_static_files_self_check_hostname_matrix: "{{ matrix_server_fqn_matrix }}"
 matrix_static_files_self_check_hostname_identity: "{{ matrix_domain }}"
 ########################################################################
 #                                                                      #
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@@ -52,21 +52,6 @@ matrix_bots_homeserver_systemd_services_list: "{{ matrix_homeserver_systemd_serv
 # Whether homeserver software is installed depends on other (`matrix_HOMESERVER_enabled`) variables - see `group_vars/matrix_servers`.
 matrix_homeserver_enabled: true
 # Homeserver admin contacts and support page as per MSC 1929
 # See: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
 # Users in form:
 # matrix_homeserver_admin_contacts:
 #   - matrix_id: @admin:domain.tld
 #     email_address: admin@domain.tld
 #     role: admin
 #   - email_address: security@domain.tld
 #     role: security
 # Also see: `matrix_well_known_matrix_support_enabled`
 matrix_homeserver_admin_contacts: []
 # Url string like https://domain.tld/support.html
 # Also see: `matrix_well_known_matrix_support_enabled`
 matrix_homeserver_support_url: ''
 # This will contain the homeserver implementation that is in use.
 # Valid values: synapse, dendrite, conduit
 #
@@ -161,8 +146,6 @@ matrix_base_data_path_mode: "750"
 matrix_bin_path: "{{ matrix_base_data_path }}/bin"
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
 matrix_host_command_sleep: "/usr/bin/env sleep"
 matrix_host_command_chown: "/usr/bin/env chown"
 matrix_host_command_fusermount: "/usr/bin/env fusermount"
@@ -203,122 +186,9 @@ matrix_identity_server_url: ~
 matrix_integration_manager_rest_url: ~
 matrix_integration_manager_ui_url: ~
 # The domain name where a Jitsi server is self-hosted.
 # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
 # See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
 matrix_client_element_jitsi_preferred_domain: ''  # noqa var-naming
 # Controls whether Element should use End-to-End Encryption by default.
 # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
 # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_well_known_matrix_client_io_element_e2ee_default: true
 # Controls whether Element should require a secure backup set up before Element can be used.
 # Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup.
 # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false
 # Controls which backup methods from ["key", "passphrase"] should be used, both is the default.
 # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use
 # See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: []
 # Controls whether element related entries should be added to the client well-known. Override this to false to hide
 # element related well-known entries.
 # By default if any of the following change from their default this is set to true:
 # `matrix_well_known_matrix_client_io_element_e2ee_default`
 # `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required`
 # `matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods`
 matrix_well_known_matrix_client_io_element_e2ee_entries_enabled: "{{ not matrix_well_known_matrix_client_io_element_e2ee_default or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required or matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods | length > 0 }}"
 # Default `/.well-known/matrix/client` configuration - it covers the generic use case.
 # You can customize it by controlling the various variables inside the template file that it references.
 #
 # For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`)
 # or completely replace this variable with your own template.
 #
 # The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
 # This is unlike what it does when looking up YAML template files (no automatic parsing there).
 matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}"
 # Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`.
 # This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`).
 #
 # You can override individual variables from the default configuration, or introduce new ones.
 #
 # If you need something more special, you can take full control by
 # completely redefining `matrix_well_known_matrix_client_configuration`.
 #
 # Example configuration extension follows:
 #
 # matrix_well_known_matrix_client_configuration_extension_json: |
 #   {
 #     "io.element.call_behaviour": {
 #       "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state"
 #     }
 #   }
 matrix_well_known_matrix_client_configuration_extension_json: '{}'
 matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json | from_json if matrix_well_known_matrix_client_configuration_extension_json | from_json is mapping else {} }}"
 # Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`.
 matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default | combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}"
 # Default `/.well-known/matrix/server` configuration - it covers the generic use case.
 # You can customize it by controlling the various variables inside the template file that it references.
 #
 # For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`)
 # or completely replace this variable with your own template.
 #
 # The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
 # This is unlike what it does when looking up YAML template files (no automatic parsing there).
 matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}"
 # Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`.
 # This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`).
 #
 # You can override individual variables from the default configuration, or introduce new ones.
 #
 # If you need something more special, you can take full control by
 # completely redefining `matrix_well_known_matrix_server_configuration`.
 #
 # Example configuration extension follows:
 #
 # matrix_well_known_matrix_server_configuration_extension_json: |
 #   {
 #     "something": "another"
 #   }
 matrix_well_known_matrix_server_configuration_extension_json: '{}'
 matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json | from_json if matrix_well_known_matrix_server_configuration_extension_json | from_json is mapping else {} }}"
 # Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`.
 matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default | combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}"
 # The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
 # This is unlike what it does when looking up YAML template files (no automatic parsing there).
 matrix_well_known_matrix_support_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-support.j2') }}"
 matrix_well_known_matrix_support_configuration_extension_json: '{}'
 matrix_well_known_matrix_support_configuration_extension: "{{ matrix_well_known_matrix_support_configuration_extension_json | from_json if matrix_well_known_matrix_support_configuration_extension_json | from_json is mapping else {} }}"
 # Holds the final `/.well-known/matrix/support` configuration (a combination of the default and its extension).
 # You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_support_configuration_default` and `matrix_well_known_matrix_support_configuration_extension_json`.
 matrix_well_known_matrix_support_configuration: "{{ matrix_well_known_matrix_support_configuration_default | combine(matrix_well_known_matrix_support_configuration_extension, recursive=True) }}"
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 # Controls whether a `/.well-known/matrix/support` file is generated and used at all.
 # For details about this file, see the spec: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
 #
 # This is not enabled by default, as for it to be useful, other information is necessary.
 # See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc.
 matrix_well_known_matrix_support_enabled: false
 matrix_homeserver_container_extra_arguments_auto: []
 matrix_homeserver_app_service_config_files_auto: []
--- a/roles/custom/matrix-base/tasks/main.yml
+++ b/roles/custom/matrix-base/tasks/main.yml
@@ -21,19 +21,3 @@
    - common
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
 - tags:
    - setup-all
    - setup-ma1sd
    - setup-synapse
    - setup-dendrite
    - setup-conduit
    - setup-nginx-proxy
    - install-all
    - install-ma1sd
    - install-synapse
    - install-dendrite
    - install-conduit
    - install-nginx-proxy
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml"
--- a/roles/custom/matrix-base/tasks/setup_well_known.yml
+++ b/roles/custom/matrix-base/tasks/setup_well_known.yml
@@ -1,14 +0,0 @@
 ---
 # We need others to be able to read these directories too,
 # so that matrix-nginx-proxy's nginx user can access the files.
 #
 # For running with another webserver, we recommend being part of the `matrix` group.
 - name: Ensure Matrix static-files path exists
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: 0755
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - "{{ matrix_static_files_base_path }}/.well-known/matrix"
--- a/roles/custom/matrix-base/tasks/validate_config.yml
+++ b/roles/custom/matrix-base/tasks/validate_config.yml
@@ -18,9 +18,9 @@
    - {'old': 'hostname_riot', 'new': 'matrix_server_fqn_element'}
    - {'old': 'matrix_server_fqn_riot', 'new': 'matrix_server_fqn_element'}
    - {'old': 'matrix_local_bin_path', 'new': '<there is no global bin path anymore - each role has its own>'}
    - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_default'}
    - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required'}
    - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods'}
    - {'old': 'matrix_client_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'}
    - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'}
    - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'}
 # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
 - name: Fail if matrix_homeserver_generic_secret_key is undefined
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2
@@ -1,51 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 {
 	"m.homeserver": {
 		"base_url": "{{ matrix_homeserver_url }}"
 	}
 	{% if matrix_identity_server_url %},
 	"m.identity_server": {
 		"base_url": "{{ matrix_identity_server_url }}"
 	}
 	{% endif %}
 	{% if matrix_integration_manager_rest_url and matrix_integration_manager_ui_url %},
 	"m.integrations": {
 		"managers": [
 			{
 				"api_url": "{{ matrix_integration_manager_rest_url }}",
 				"ui_url": "{{ matrix_integration_manager_ui_url }}"
 			}
 		]
 	}
 	{% endif %}
 	{% if matrix_client_element_jitsi_preferred_domain %},
 	"io.element.jitsi": {
 		"preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }}
 	},
 	"im.vector.riot.jitsi": {
 		"preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }}
 	}
 	{% endif %}
 	{% if matrix_homeserver_sliding_sync_url %},
 	"org.matrix.msc3575.proxy": {
 		"url": "{{ matrix_homeserver_sliding_sync_url }}"
 	}
 	{% endif %}
 	{% if matrix_client_element_location_sharing_enabled %},
 	"m.tile_server": {
        "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json"
    }
 	{% endif %}
 	{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
 	"io.element.e2ee": {
 		"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }},
 		"secure_backup_required": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required|to_json }},
 		"secure_backup_setup_methods": {{ matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods|to_json }}
 	}
 	{% endif %}
 	{% if matrix_well_known_matrix_client_io_element_e2ee_entries_enabled %},
 	"im.vector.riot.e2ee": {
 		"default": {{ matrix_well_known_matrix_client_io_element_e2ee_default|to_json }}
 	}
 	{% endif %}
 }
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-server.j2
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-server.j2
@@ -1,4 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 {
 	"m.server": "{{ matrix_server_fqn_matrix_federation }}:{{ matrix_federation_public_port }}"
 }
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2
@@ -1,7 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 {
    "contacts": {{ matrix_homeserver_admin_contacts|to_json }}
    {% if matrix_homeserver_support_url %},
        "support_page": {{ matrix_homeserver_support_url|to_json }}
    {% endif %}
 }
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@@ -568,15 +568,6 @@ matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_
 # you may wish to set this to '$proxy_add_x_forwarded_for' instead.
 matrix_nginx_proxy_x_forwarded_for: '$remote_addr'
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true
 # Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
 #
 # As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
 # so we default to not following redirects as well.
 matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects: none
 # For OCSP purposes, we need to define a resolver at the `server{}` level or `http{}` level (we do the latter).
 #
 # Otherwise, we get warnings like this:
--- a/roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml
+++ b/roles/custom/matrix-nginx-proxy/tasks/setup_well_known.yml
@@ -1,25 +0,0 @@
 ---
 - ansible.builtin.set_fact:
    matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
 # We need others to be able to read these directories too,
 # so that matrix-nginx-proxy's nginx user can access the files.
 #
 # For running with another webserver, we recommend being part of the `matrix` group.
 - name: Ensure Matrix static-files path exists
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: 0755
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - "{{ matrix_static_files_base_path }}/.well-known/matrix"
 - name: Ensure Matrix /.well-known/matrix/client configured
  ansible.builtin.template:
    src: "{{ role_path }}/templates/well-known/matrix-client.j2"
    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-base-domain.conf.j2
@@ -24,17 +24,6 @@
 	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
 		{{- configuration_block }}
 	{% endfor %}
 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
 		{#
 			A somewhat long expires value is used to prevent outages
 			in case this is unreachable due to network failure.
 		#}
 		expires 4h;
 		default_type application/json;
 		add_header Access-Control-Allow-Origin *;
 	}
 {% endmacro %}
 server {
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@@ -29,18 +29,6 @@
 	add_header X-XSS-Protection "{{ matrix_nginx_proxy_xss_protection }}";
 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};
 		{#
 			A somewhat long expires value is used to prevent outages
 			in case this is unreachable due to network failure or
 			due to the base domain's server completely dying.
 		#}
 		expires 4h;
 		default_type application/json;
 		add_header Access-Control-Allow-Origin *;
 	}
 	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
 		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
 	{% endif %}
--- a/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@@ -41,7 +41,6 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% if matrix_ssl_retrieval_method != 'none' %}
 			--mount type=bind,src={{ matrix_ssl_config_dir_path }},dst={{ matrix_ssl_config_dir_path }},ro \
 			{% endif %}
 			--mount type=bind,src={{ matrix_static_files_base_path }},dst={{ matrix_static_files_base_path }},ro \
 			{% for volume in matrix_nginx_proxy_container_additional_volumes %}
 			-v {{ volume.src }}:{{ volume.dst }}:{{ volume.options }} \
 			{% endfor %}
--- a/roles/custom/matrix-static-files/defaults/main.yml
+++ b/roles/custom/matrix-static-files/defaults/main.yml
@@ -112,6 +112,9 @@ matrix_static_files_file_matrix_client_property_m_integrations_managers_api_url:
 matrix_static_files_file_matrix_client_property_m_integrations_managers_ui_url: "{{ matrix_integration_manager_ui_url }}"
 # Controls the io.element.jitsi/preferredDomain property in the /.well-known/matrix/client file
 # This specifies the domain name where a Jitsi server is self-hosted.
 # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
 # See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
 matrix_static_files_file_matrix_client_property_io_element_jitsi_preferred_domain: ""
 # Controls the org.matrix.msc3575.proxy/url (sliding sync) property in the /.well-known/matrix/client file
@@ -295,6 +298,17 @@ matrix_static_files_file_matrix_support_configuration: "{{ matrix_static_files_f
 #                                                                      #
 ########################################################################
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_static_files_self_check_validate_certificates: true
 matrix_static_files_self_check_hostname_matrix: ''
 matrix_static_files_self_check_hostname_identity: ''
 # Controls whether redirects will be followed when checking the `/.well-known/matrix/client` resource.
 #
 # As per the spec (https://matrix.org/docs/spec/client_server/r0.6.0#well-known-uri), it shouldn't be,
 # so we default to not following redirects as well.
 matrix_static_files_self_check_well_known_matrix_client_follow_redirects: none
 # TODO - review this one
 # Specifies where requests for the root URI (`/`) on the `matrix.` domain should be redirected.
--- a/roles/custom/matrix-static-files/tasks/self_check_well_known.yml
+++ b/roles/custom/matrix-static-files/tasks/self_check_well_known.yml
@@ -1,27 +1,28 @@
 ---
 # TODO - migrate these variables and deprecate the old ones
 # TODO - deprecate the old variables in the matrix-nginx-proxy role
 - name: Determine well-known files to check (Matrix)
 - name: Determine well-known files to check (start with /.well-known/matrix/client)
  ansible.builtin.set_fact:
    well_known_file_checks:
      - path: /.well-known/matrix/client
        purpose: Client Discovery
        cors: true
        follow_redirects: "{{ matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects }}"
        validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
        follow_redirects: "{{ matrix_static_files_self_check_well_known_matrix_client_follow_redirects }}"
        validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}"
 - when: matrix_well_known_matrix_server_enabled | bool
  block:
    - ansible.builtin.set_fact:
    - name: Prepare /.well-known/matrix/server to well-known files to check, if enabled
      ansible.builtin.set_fact:
        well_known_file_check_matrix_server:
          path: /.well-known/matrix/server
          purpose: Server Discovery
          cors: false
          follow_redirects: safe
          validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
          validate_certs: "{{ matrix_static_files_self_check_validate_certificates }}"
    - name: Determine domains that we require certificates for (ma1sd)
    - name: Inject /.well-known/matrix/server to well-known files to check, if enabled
      ansible.builtin.set_fact:
        well_known_file_checks: "{{ well_known_file_checks + [well_known_file_check_matrix_server] }}"
--- a/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml
+++ b/roles/custom/matrix-static-files/tasks/self_check_well_known_file.yml
@@ -1,8 +1,8 @@
 ---
 - ansible.builtin.set_fact:
    well_known_url_matrix: "https://{{ matrix_server_fqn_matrix }}{{ well_known_file_check.path }}"
    well_known_url_identity: "https://{{ matrix_domain }}{{ well_known_file_check.path }}"
    well_known_url_matrix: "https://{{ matrix_static_files_self_check_hostname_matrix }}{{ well_known_file_check.path }}"
    well_known_url_identity: "https://{{ matrix_static_files_self_check_hostname_identity }}{{ well_known_file_check.path }}"
 # These well-known files may be served without a `Content-Type: application/json` header,
 # so we can't rely on the uri module's automatic parsing of JSON.
--- a/roles/custom/matrix_playbook_migration/tasks/cleanup_matrix_static_files_well_known.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/cleanup_matrix_static_files_well_known.yml
@@ -0,0 +1,9 @@
 ---
 # Files used to be installed by the `matrix-base` role into `/matrix/static-files/.well-known/*`.
 # Such files are now generated by the `matrix-static-files` role into a slightly different path: `/matrix/static-files/public/.well-known/*`.
 - name: Ensure old /matrix/static-files/.well-known files are deleted
  ansible.builtin.file:
    path: "{{ matrix_base_data_path }}/static-files/.well-known"
    state: absent
--- a/roles/custom/matrix_playbook_migration/tasks/main.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/main.yml
@@ -21,6 +21,12 @@
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_usr_local_bin.yml"
 - tags:
    - setup-all
    - install-all
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/cleanup_matrix_static_files_well_known.yml"
 - when: devture_traefik_enabled | bool
  tags:
    - setup-all
--- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
+++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml
@@ -67,6 +67,16 @@
    - {'old': 'matrix_well_known_matrix_server_enabled', 'new': 'matrix_static_files_file_matrix_server_enabled'}
    - {'old': 'matrix_well_known_matrix_support_enabled', 'new': 'matrix_static_files_file_matrix_support_enabled'}
    - {'old': 'matrix_homeserver_admin_contacts', 'new': 'matrix_static_files_file_matrix_support_property_m_contacts'}
    - {'old': 'matrix_homeserver_support_url', 'new': 'matrix_static_files_file_matrix_support_property_m_support_page'}
    - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_default', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_default'}
    - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'}
    - {'old': 'matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'}
    - {'old': 'matrix_well_known_matrix_client_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_client_configuration_extension_json'}
    - {'old': 'matrix_well_known_matrix_server_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_server_configuration_extension_json'}
    - {'old': 'matrix_well_known_matrix_support_configuration_extension_json', 'new': 'matrix_static_files_file_matrix_support_configuration_extension_json'}
    - {'old': 'matrix_nginx_proxy_self_check_validate_certificates', 'new': 'matrix_static_files_self_check_validate_certificates'}
    - {'old': 'matrix_nginx_proxy_self_check_well_known_matrix_client_follow_redirects', 'new': 'matrix_static_files_self_check_well_known_matrix_client_follow_redirects'}
 - name: (Deprecation) Catch and report matrix_postgres variables
  ansible.builtin.fail: