The docs claimed that reverse-proxying "or simply a 302 redirect" needs
no CORS headers. That is only true for reverse-proxying: browsers apply
CORS checks to every response in a redirect chain, so a redirect
response itself must also carry Access-Control-Allow-Origin, otherwise
web clients fail even though the final destination sets the header.
Fixes#4650
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The user-namespace regexes in the mautrix-meta-messenger and
mautrix-meta-instagram registration templates interpolated
the bridge username prefix without regex-escaping it, unlike the
neighboring homeserver domain and appservice username values. The
default prefixes are regex-safe, but a customized prefix containing
regex metacharacters would produce a wrong (too broad or invalid)
appservice user namespace.
Related to the registration regex discussion in #5096.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The playbook-shipped welcome.html hardcoded #2e2f32 for the headline and
welcome text, which is nearly invisible on the dark background Element
renders when the dark theme is active. Element Web's default
use_system_theme behavior keys the theme off the system color scheme, so
switch the text to Element's dark-theme text color (#ebeef2) under a
prefers-color-scheme: dark media query.
Fixes#4838
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Pulls in borgmatic 2.1.6, fixing the 2.1.4 JSON parsing regression
(borgmatic-collective/borgmatic#1294) where warnings on stderr, such as
OpenSSH post-quantum key exchange notices, broke parsing of borg's JSON
output and failed the backup run.
Fixes#5188
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The wildcard certificate examples attached tls.domains labels to a
router named matrix-synapse-federation-api, but the Synapse role
actually names it matrix-synapse-public-federation-api (see
templates/synapse/labels.j2), so the documented labels matched nothing
and the certificate configuration silently did not apply.
Fixes#3129
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
matrix_appservice_discord_container_image_self_build only switched the
image registry prefix to localhost/, but the role never had any build
tasks, so enabling it always ended in an image pull failure. Remove the
variable and reject it in validate_config.yml with a hint that the
prebuilt image is amd64-only and that mautrix-discord is the better
option on other architectures.
Fixes#2379
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The import-synapse-media-store task synchronizes the media store with
ansible.posix.synchronize delegated to the server itself, which requires
the rsync binary on the server. Nothing in the playbook installs it, so
the import failed on minimal systems with "Failed to find required
executable rsync". Document the prerequisite.
Fixes#2551
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Caddy evaluates directives according to its own fixed directive order,
not their order in the Caddyfile. redir runs before reverse_proxy, so a
redirect elsewhere in the same site block silently shadows the
/.well-known/matrix reverse-proxying. Add a note and a handle-block
example that enforces the intended priority.
Fixes#1080
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The exporter's wal collector (enabled by default) calls pg_ls_waldir(),
which Postgres restricts to superusers and members of the pg_monitor
role. The exporter user is created as a plain managed-database user, so
scraping logged "permission denied for function pg_ls_waldir" on every
run.
Grant pg_monitor via the managed database's additional_sql_queries,
which the Postgres role applies both on initial creation and on
subsequent runs, covering existing installations too.
Fixes#3039
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Pulls in the pgloader connection string handling fix, which keeps the
Postgres password out of the command line and Ansible error output.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The upstream Synapse Grafana dashboard uses `{{job}}-{{index}}` in its
legends to tell workers apart, but the worker scrape configs only set
instance, worker_id, job and app labels. Without an index label, the
dashboard legends collapsed and workers could not be distinguished.
Derive the index label from the worker id (its per-type index is the
first number in the id, e.g. federation-sender-1, stream-writer-2-events),
matching the index label already set on the main process target.
Fixes#2158Fixes#2159
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Element Desktop (Electron) loads the location-sharing map style from a
`vector://vector` origin, so fetching map_style.json from the Element
domain is a cross-origin request. Without an Access-Control-Allow-Origin
header, the request is blocked and maps fail to load with "This homeserver
is not configured correctly to display maps".
Add a dedicated Traefik router for map_style.json that attaches an
Access-Control-Allow-Origin header (configurable via
matrix_client_element_location_sharing_map_style_access_control_allow_origin,
defaulting to `*`). It is only defined when location sharing is enabled.
Fixes#2291
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- add SPDX licensing information for REUSE compliance
- drop the JSONC comment from devcontainer.json, keeping it strict JSON
(as required by the check-json pre-commit hook)
- bump the base image to the current ghcr.io/devture/ansible release
- mention the dev container in docs/ansible.md
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
flake.lock already pins agru at the v0.2.1 commit (via #5415);
this label only names the built derivation.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This lets Renovate periodically refresh flake.lock, keeping the
nixpkgs and agru inputs of the development shell up to date.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Attaches a com.centurylinklabs.watchtower.enable=false label to the
matrix-matrixto container by default, telling Watchtower (if in use)
to skip it. The image is built locally from source, so Watchtower
cannot update it and merely produces 'digest retrieval failed' errors
on every run.
A dedicated variable is used (instead of pre-filling
matrix_matrixto_container_labels_additional_labels) so that people
overriding the additional-labels variable do not lose the label.
Fixes#4820
Based on the report and initial patch in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4821 by @der-domi
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Running `just add-inventory-host example.com 1.2.3.4` (or
`make add-inventory-host domain=example.com ip=1.2.3.4`) adds a new
host to the inventory, creating inventory/hosts and
inventory/host_vars/matrix.DOMAIN/vars.yml from the example files,
with strong secrets generated automatically.
Existing configuration is never overwritten. The command refuses to
run if the host is already in the inventory, so it can also be used
for adding more hosts later.
Based on the idea proposed in
https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/4682 by @Ser5
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The sygnal container images (since v0.16.0) hardcode a HEALTHCHECK which
relies on curl, but the image does not include curl, so the healthcheck
can never pass. See https://github.com/element-hq/sygnal/issues/326
This unblocks upgrading sygnal past v0.15.1.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This is a major upgrade which performs a one-way database migration
and removes LDAP support upstream.
The continuwuity.toml.j2 template is re-synced with the v26.6.1 example
config. Notably, registration_token is now only rendered when non-empty,
because v26+ refuses to start when it is set to an empty string.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>