The newly extracted role also has native Traefik support,
so we no longer need to rely on `matrix-nginx-proxy` for
reverse-proxying to Ntfy.

The new role uses port `80` inside the container (not `8080`, like
before), because that's the default assumption of the officially
published container image. Using a custom port (like `8080`), means the
default healthcheck command (which hardcodes port `80`) doesn't work.
Instead of fiddling to override the healthcheck command, we've decided
to stick to the default port instead. This only affects the
inside-the-container port, not any external ports.

The new role also supports adding the network ranges of the container's
multiple additional networks as "exempt hosts". Previously, only one
network's address range was added to "exempt hosts".

Wiring happens via `group_vars/matrix_servers` now.

.. and try to auto-switch between `bind` and `volume` depending on
whether there's a slash in the `src` path.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2482

Related to 6a52be7987 and 28e7ef9c71f02

* make banlist consistent
* proper multi-error message
* ignore "." MX hosts
* try recipient domain directly, even when MX records found, but failed

Signed-off-by: Julian-Samuel Gebühr <julian-samuel@gebuehr.net>

Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now

Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now

Serving at a path other than `/` doesn't work well yet.

We were mounting our own configuration to
`/usr/share/nginx/html/config.json`, which is a symlink to
`/tmp/config.json`. So we effectively mount our file to
`/tmp/config.json`.

When starting:

- if Hydrogen sees a `CONFIG_OVERRIDE` environment variable,
  it will try to save it into our read-only config file and fail.

- if Hydrogen doesn't see a `CONFIG_OVERRIDE` environment variable (the
  path we go through, because we don't pass such a variable),
  it will try to copy its bundled configuration (`/config.json.bundled`)
  to `/tmp/config.json`. Because our configuration is mounted as read-only, it will
  fail.

In both cases, it will fail with:

> cp: can't create '/tmp/config.json': File exists

Source: 3720de36bb/docker/dynamic-config.sh

We work around this by mounting our configuration on top of the bundled
one (`/config.json.bundled`). We then let Hydrogen's startup script copy
it to `/tmp/config.json` (a tmpfs we've mounted into the container) and use it from there.

This may proof useful to someone in the future.

We've had it on `matrix-nginx-proxy` before, but
our initial support for Traefik did not include any of these security
headers.

Previously, we had to run it at a subpath, like `/synapse-admin`.

We can now dedicate a whole domain and the `/` path to it, should we
wish to do so.

Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now

* live SSL certificates reload on file changes (e.g., on automatic certs renewal)
* print all errors when trying connection to an SMTP server

Previously, it had to go through matrix-nginx-proxy.
It's exposed to Traefik directly via container labels now.

It's probably unnecessary, as this user is only used in the borg container
internally, but.. It doesn't hurt to set it to `matrix`.

* fix: only add element related entries to client well-known if element is enabled

* Fix matrix-base/defaults/main.yml syntax

---------

Co-authored-by: Slavi Pantaleev <slavi@devture.com>

The playbook tries to avoid such variables which are sometimes defined
and sometimes not. We'd rather not check for `is defined`.

None of the other roles use handlers.

We rely on com.devture.ansible.role.systemd_service_manager to reload services when it's necessary to do so.

Leaving an orphan directory is okay and can be improved later on.