Merge remote-tracking branch 'origin/master' into synapse-workers

2021-01-23 15:04:11 +01:00
parent c8f051a42d a56cb34850
commit 183adec3d8
156 changed files with 1764 additions and 529 deletions
--- a/roles/matrix-aux/defaults/main.yml
+++ b/roles/matrix-aux/defaults/main.yml
@ -0,0 +1,72 @@
+---
+
+# matrix-aux is a role that manages auxiliary files and directories on your Matrix server.
+#
+# Certain components (like matrix-synapse, etc.) may sometimes require additional templates (email templates, privacy policies, etc.).
+# This role allows such files to be managed by the playbook.
+#
+# Note that files and directories created via this role are not automatically made available for containers to use.
+# If you use this role to put files in a directory that's already mounted into a container,
+# you can access the files without additional work.
+# Otherwise, you'd need to mount the file/directory to the container that needs it.
+# Roles usually provide a `matrix_*_additional_volumes` or `matrix_*_container_extra_arguments` variable
+# that you can use to mount an additional volume.
+
+# The default permission mode when creating directories using `matrix_aux_directory_definitions`
+matrix_aux_directory_default_mode: '0750'
+
+# Holds a list of directories to create on the server.
+#
+# By default, directories are:
+# - created with permissions as specified in `matrix_aux_directory_default_mode`
+# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
+#
+# Example:
+#
+# matrix_aux_directory_definitions:
+#   - dest: /matrix/aux
+#
+#   - dest: /matrix/another
+#     mode: '0700'
+#     owner: 'some-user'
+#     group: 'some-group'
+matrix_aux_directory_definitions: []
+
+# The default permission mode when creating directories using `matrix_aux_directory_definitions`
+matrix_aux_file_default_mode: '0640'
+
+# Holds a list of files to create on the server.
+#
+# By default, files are:
+# - created with permissions as specified in `matrix_aux_file_default_mode`
+# - owned by the `matrix_user_username` user and `matrix_user_groupname` group (usually `matrix:matrix`)
+#
+# You can define the file content inline (in your `vars.yml` file) or as an external file (see the example below).
+# Defining the content inline in `vars.yml` has the benefit of not splitting your configuration into multiple files,
+# but rather keeping everything inside `vars.yml` (which also gets backed up on the server in `/matrix/vars.yml`).
+#
+# Note: parent paths for files must exist.
+# If you've defined a file with a destination of `/matrix/some/path/file.txt`,
+# then you likely need to add `/matrix/some/path` to `matrix_aux_directory_definitions` as well.
+# You don't need to do this for directories that the playbook already creates for you.
+#
+# Example:
+#
+# matrix_aux_file_definitions:
+#   - dest: "{{ matrix_synapse_config_dir_path }}/something.html"
+#     content: |
+#       <!doctype html>
+#       <html><body>Something</body></html>
+#
+#   - dest: /matrix/aux/some-other-file.txt
+#     content: "Something"
+#     mode: '0600'
+#     owner: 'some-user'
+#     group: 'some-group'
+#
+#   - dest: /matrix/aux/yet-another-file.txt
+#     content: "{{ lookup('template', '/path/to/file.txt.j2') }}"
+#     mode: '0600'
+#     owner: 'some-user'
+#     group: 'some-group'
+matrix_aux_file_definitions: []
--- a/roles/matrix-aux/tasks/main.yml
+++ b/roles/matrix-aux/tasks/main.yml
@ -0,0 +1,5 @@
+- import_tasks: "{{ role_path }}/tasks/setup.yml"
+  when: run_stop|bool
+  tags:
+    - setup-all
+    - setup-aux-files
--- a/roles/matrix-aux/tasks/setup.yml
+++ b/roles/matrix-aux/tasks/setup.yml
@ -0,0 +1,19 @@
+---
+
+- name: Ensure AUX directories are created
+  file:
+    dest: "{{ item.dest }}"
+    state: directory
+    owner: "{{ item.owner|default(matrix_user_username) }}"
+    group: "{{ item.group|default(matrix_user_groupname) }}"
+    mode: "{{ item.mode|default(matrix_aux_directory_default_mode) }}"
+  with_items: "{{ matrix_aux_directory_definitions }}"
+
+- name: Ensure AUX files are created
+  copy:
+    dest: "{{ item.dest }}"
+    content: "{{ item.content }}"
+    owner: "{{ item.owner|default(matrix_user_username) }}"
+    group: "{{ item.group|default(matrix_user_groupname) }}"
+    mode: "{{ item.mode|default(matrix_aux_file_default_mode) }}"
+  with_items: "{{ matrix_aux_file_definitions }}"
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -48,7 +48,16 @@ matrix_base_data_path_mode: "750"

 matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
 matrix_systemd_path: "/etc/systemd/system"
+
+# Specifies the path to use for the `HOME` environment variable for systemd unit files.
+# Docker 20.10 complains with `WARNING: Error loading config file: .dockercfg: $HOME is not defined`
+# if `$HOME` is not defined, so we define something to make it happy.
+matrix_systemd_unit_home_path: /root
+
+# This is now unused. We keep it so that cleanup tasks can use it.
+# To be removed in the future.
 matrix_cron_path: "/etc/cron.d"
+
 matrix_local_bin_path: "/usr/local/bin"

 matrix_host_command_docker: "/usr/bin/env docker"
--- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
+++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
@ -20,8 +20,6 @@ else
 		rm -f {{ matrix_systemd_path }}/$s
 	done
 	systemctl daemon-reload
-	echo "Remove matrix cronjobs"
-	find /etc/cron.d/ -name "matrix-*" -delete
 	echo "Remove matrix scripts"
 	find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete
 	echo "Remove unused Docker images and resources"
--- a/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml
+++ b/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}"
  when: matrix_bot_matrix_reminder_bot_enabled|bool
--- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2
+++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot

--- a/roles/matrix-bridge-appservice-discord/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}"
  when: matrix_appservice_discord_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
+++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord

--- a/roles/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-irc/defaults/main.yml
@ -3,6 +3,10 @@

 matrix_appservice_irc_enabled: true

+matrix_appservice_irc_container_self_build: false
+matrix_appservice_irc_docker_repo: "https://github.com/matrix-org/matrix-appservice-irc.git"
+matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-irc/docker-src"
+
 matrix_appservice_irc_docker_image: "docker.io/matrixdotorg/matrix-appservice-irc:release-0.17.1"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-appservice-irc/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_appservice_irc_enabled|bool and matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}"
  when: matrix_appservice_irc_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/setup_install.yml
@ -2,15 +2,17 @@

 - name: Ensure Appservice IRC paths exist
  file:
-    path: "{{ item }}"
+    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
-    - "{{ matrix_appservice_irc_base_path }}"
-    - "{{ matrix_appservice_irc_config_path }}"
-    - "{{ matrix_appservice_irc_data_path }}"
+    - { path: "{{ matrix_appservice_irc_base_path }}", when: true }
+    - { path: "{{ matrix_appservice_irc_config_path }}", when: true }
+    - { path: "{{ matrix_appservice_irc_data_path }}", when: true }
+    - { path: "{{ matrix_appservice_irc_docker_src_files_path }}", when: "{{ matrix_appservice_irc_container_self_build }}" }
+  when: item.when|bool

 - name: Check if an old passkey file already exists
  stat:
@ -59,6 +61,26 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_appservice_irc_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_irc_docker_image_force_pull }}"
+  when: "matrix_appservice_irc_enabled|bool and not matrix_appservice_irc_container_self_build|bool"
+
+- name: Ensure matrix-appservice-irc repository is present when self-building
+  git:
+    repo: "{{ matrix_appservice_irc_docker_repo }}"
+    dest: "{{ matrix_appservice_irc_docker_src_files_path }}"
+    force: "yes"
+  register: matrix_appservice_irc_git_pull_results
+  when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool"
+
+- name: Ensure matrix-appservice-irc Docker image is build
+  docker_image:
+    name: "{{ matrix_appservice_irc_docker_image }}"
+    source: build
+    force_source: yes
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_appservice_irc_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_appservice_irc_enabled|bool and matrix_appservice_irc_container_self_build|bool and matrix_appservice_irc_git_pull_results.changed"

 - name: Ensure Matrix Appservice IRC config installed
  copy:
--- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc

--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@ -3,6 +3,10 @@

 matrix_appservice_slack_enabled: true

+matrix_appservice_slack_container_self_build: false
+matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git"
+matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src"
+
 matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-appservice-slack/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}"
  when: matrix_appservice_slack_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml
@ -8,9 +8,11 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
-    - "{{ matrix_appservice_slack_base_path }}"
-    - "{{ matrix_appservice_slack_config_path }}"
-    - "{{ matrix_appservice_slack_data_path }}"
+    - { path: "{{ matrix_appservice_slack_base_path }}", when: true }
+    - { path: "{{ matrix_appservice_slack_config_path }}", when: true }
+    - { path: "{{ matrix_appservice_slack_data_path }}", when: true }
+    - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" }
+  when: item.when|bool

 - set_fact:
    matrix_appservice_slack_requires_restart: false
@ -35,6 +37,26 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}"
+  when: "not matrix_appservice_slack_container_self_build|bool"
+
+- name: Ensure matrix-appservice-slack repository is present when self-building
+  git:
+    repo: "{{ matrix_appservice_slack_docker_repo }}"
+    dest: "{{ matrix_appservice_slack_docker_src_files_path }}"
+    force: "yes"
+  register: matrix_appservice_slack_git_pull_results
+  when: "matrix_appservice_slack_container_self_build|bool"
+
+- name: Ensure matrix-appservice-slack Docker image is built
+  docker_image:
+    name: "{{ matrix_appservice_slack_docker_image }}"
+    source: build
+    force_source: yes
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_appservice_slack_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed"

 - name: Ensure Matrix Appservice Slack config installed
  copy:
--- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
+++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack

--- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}"
  when: matrix_appservice_webhooks_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks

--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -35,12 +35,15 @@ matrix_mautrix_facebook_homeserver_token: ''

 # Database-related configuration fields.
 #
-# To use SQLite, stick to these defaults.
+# To use SQLite:
+# - change the engine (`matrix_mautrix_facebook_database_engine: 'sqlite'`)
+# - change to the last bridge version that supported SQLite:
+#   `matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}tulir/mautrix-facebook:da1b4ec596e334325a1589e70829dea46e73064b"`
+# - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future).
 #
 # To use Postgres:
-# - change the engine (`matrix_mautrix_facebook_database_engine: 'postgres'`)
 # - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables
-matrix_mautrix_facebook_database_engine: 'sqlite'
+matrix_mautrix_facebook_database_engine: 'postgres'

 matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
 matrix_mautrix_facebook_sqlite_database_path_in_container: "/data/mautrix-facebook.db"
--- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
  when: matrix_mautrix_facebook_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/validate_config.yml
@ -8,3 +8,24 @@
  with_items:
    - "matrix_mautrix_facebook_appservice_token"
    - "matrix_mautrix_facebook_homeserver_token"
+
+- block:
+    - name: Fail if on SQLite, unless on the last version supporting SQLite
+      fail:
+        msg: >-
+          You're trying to use the mautrix-facebook bridge with an SQLite database.
+          Going forward, this bridge only supports Postgres.
+          To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database
+      when: "not matrix_mautrix_facebook_docker_image.endswith(':da1b4ec596e334325a1589e70829dea46e73064b')"
+
+    - name: Inject warning if still on SQLite
+      set_fact:
+        matrix_playbook_runtime_results: |
+          {{
+            matrix_playbook_runtime_results|default([])
+            +
+            [
+              "NOTE: Your mautrix-facebook bridge setup is still on SQLite. Your bridge is not getting any updates and will likely stop working at some point. To learn more about this, see our changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#breaking-change-the-mautrix-facebook-bridge-now-requires-a-postgres-database"
+            ]
+          }}
+  when: "matrix_mautrix_facebook_database_engine == 'sqlite'"
--- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@ -8,6 +8,10 @@ homeserver:
    # Whether or not to verify the SSL certificate of the homeserver.
    # Only applies if address starts with https://
    verify_ssl: true
+    # Whether or not the homeserver supports asmux-specific endpoints,
+    # such as /_matrix/client/unstable/net.maunium.asmux/dms for atomically
+    # updating m.direct.
+    asmux: false

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
@ -22,11 +26,7 @@ appservice:
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

-    # The full URI to the database. SQLite and Postgres are fully supported.
-    # Other DBMSes supported by SQLAlchemy may or may not work.
-    # Format examples:
-    #   SQLite:   sqlite:///filename.db
-    #   Postgres: postgres://username:password@hostname/dbname
+    # The full URI to the database. Only Postgres is currently supported.
    database: {{ matrix_mautrix_facebook_appservice_database|to_json }}

    # Public part of web server for out-of-Matrix interaction with the bridge.
@ -38,6 +38,10 @@ appservice:
        # The base URL where the public-facing endpoints are available. The prefix is not added
        # implicitly.
        external: https://example.com/public
+        # Shared secret for integration managers such as mautrix-manager.
+        # If set to "generate", a random string will be generated on the next startup.
+        # If null, integration manager access to the API will not be possible.
+        shared_secret: generate

    # The unique ID of this appservice.
    id: facebook
@ -46,12 +50,17 @@ appservice:
    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
    # to leave display name/avatar as-is.
    bot_displayname: Facebook bridge bot
-    bot_avatar: mxc://maunium.net/ddtNPZSKMNqaUzqrHuWvUADv
+    bot_avatar: mxc://maunium.net/ygtkteZsXnGJLJHRchUwYWak

    # Authentication tokens for AS <-> HS communication.
    as_token: "{{ matrix_mautrix_facebook_appservice_token }}"
    hs_token: "{{ matrix_mautrix_facebook_homeserver_token }}"

+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+
 # Bridge config
 bridge:
    # Localpart template of MXIDs for Facebook users.
@ -76,6 +85,7 @@ bridge:
    # "own_nickname" (user-specific!)
    displayname_preference:
    - name
+    - first_name

    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!fb"
@ -120,6 +130,18 @@ bridge:
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: false
+        # Options for automatic key sharing.
+        key_sharing:
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow: false
+            # Require the requesting device to have a valid cross-signing signature?
+            # This doesn't require that the bridge has verified the device, only that the user has verified it.
+            # Not yet implemented.
+            require_cross_signing: false
+            # Require devices to be verified by the bridge?
+            # Verification by the bridge is not yet implemented.
+            require_verification: true
    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
    # been sent to Facebook.
    delivery_receipts: false
@ -161,6 +183,10 @@ bridge:
    # Whether or not the bridge should try to "refresh" the connection if a normal reconnection
    # attempt fails.
    refresh_on_reconnection_fail: false
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false

    # Permissions for using the bridge.
    # Permitted values:
@ -192,9 +218,7 @@ logging:
    loggers:
        mau:
            level: DEBUG
-        fbchat:
-            level: DEBUG
-        hbmqtt:
+        paho:
            level: INFO
        aiohttp:
            level: INFO
--- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}"
  when: matrix_mautrix_hangouts_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2
+++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \
--- a/roles/matrix-bridge-mautrix-signal/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}"
  when: matrix_mautrix_signal_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/setup_install.yml
@ -35,6 +35,9 @@
    - "{{ matrix_mautrix_signal_base_path }}"
    - "{{ matrix_mautrix_signal_config_path }}"
    - "{{ matrix_mautrix_signal_daemon_path }}"
+    - "{{ matrix_mautrix_signal_daemon_path }}/avatars"
+    - "{{ matrix_mautrix_signal_daemon_path }}/attachments"
+    - "{{ matrix_mautrix_signal_daemon_path }}/data"

 - name: Ensure mautrix-signal config.yaml installed
  copy:
--- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2
@ -13,6 +13,7 @@ Wants={{ service }}

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"

 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon
@ -20,9 +21,11 @@ ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre={{ matrix_host_command_sleep }} 5

+# We can't use `--read-only` for this bridge.
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
 			{{ matrix_mautrix_signal_daemon_docker_image }}
--- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2
@ -13,6 +13,7 @@ Wants={{ service }}

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal

@ -22,16 +23,19 @@ ExecStartPre={{ matrix_host_command_sleep }} 5
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-signal \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
 			{% if matrix_mautrix_signal_container_http_host_bind_port %}
 			-p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \
 			{% endif %}
 			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
-			-v {{ matrix_mautrix_signal_config_path }}:/data:z \
+			-v {{ matrix_mautrix_signal_config_path }}:/config:z \
 			{% for arg in matrix_mautrix_signal_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_signal_docker_image }} \
-			python3 -m mautrix_signal -c /data/config.yaml
+			python3 -m mautrix_signal -c /config/config.yaml

 ExecStop=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal
 ExecStop=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -3,6 +3,10 @@

 matrix_mautrix_telegram_enabled: true

+matrix_mautrix_telegram_container_self_build: false
+matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git"
+matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
+
 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}"
  when: matrix_mautrix_telegram_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@ -34,24 +34,46 @@
      when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool"
  when: "matrix_mautrix_telegram_database_engine == 'postgres'"

+- name: Ensure Mautrix Telegram paths exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true }
+    - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true }
+    - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true }
+    - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" }
+  when: item.when|bool
+
 - name: Ensure Mautrix Telegram image is pulled
  docker_image:
    name: "{{ matrix_mautrix_telegram_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}"
+  when: "not matrix_mautrix_telegram_container_self_build|bool"

- name: Ensure Mautrix Telegram paths exist
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - "{{ matrix_mautrix_telegram_base_path }}"
-    - "{{ matrix_mautrix_telegram_config_path }}"
-    - "{{ matrix_mautrix_telegram_data_path }}"
+- name: Ensure matrix-mautrix-telegram repository is present when self-building
+  git:
+    repo: "{{ matrix_mautrix_telegram_docker_repo }}"
+    dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}"
+    force: "yes"
+  register: matrix_mautrix_telegram_git_pull_results
+  when: "matrix_mautrix_telegram_container_self_build|bool"
+
+- name: Ensure matrix-mautrix-telegram Docker image is build
+  docker_image:
+    name: "{{ matrix_mautrix_telegram_docker_image }}"
+    source: build
+    force_source: yes
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_mautrix_telegram_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed"

 - name: Check if an old database file already exists
  stat:
--- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}"
  when: matrix_mautrix_whatsapp_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@ -26,6 +26,7 @@
              engine_variable_name: 'matrix_mautrix_whatsapp_database_engine'
              engine_old: 'sqlite'
              systemd_services_to_stop: ['matrix-mautrix-whatsapp.service']
+              pgloader_options: ['--with "quote identifiers"']

        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"

--- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp

--- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}"
  when: matrix_mx_puppet_discord_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
@ -122,20 +122,4 @@ logging:
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
-  files:
-    # Log file path
-    - file: "/data/bridge.log"
-      # Log level for this file
-      # Allowed values starting with most verbose:
-      # silly, debug, verbose, info, warn, error
-      level: info
-      # Date and time formatting
-      datePattern: YYYY-MM-DD
-      # Maximum number of logs to keep.
-      # This can be a number of files or number of days.
-      # If using days, add 'd' as a suffix
-      maxFiles: 14d
-      # Maximum size of the file after which it will rotate. This can be a
-      # number of bytes, or units of kb, mb, and gb. If using the units, add
-      # 'k', 'm', or 'g' as the suffix
-      maxSize: 50m
+  files: []
--- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2
+++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord

--- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}"
  when: matrix_mx_puppet_instagram_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-instagram/templates/config.yaml.j2
@ -66,20 +66,4 @@ logging:
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
-  files:
-    # Log file path
-    - file: "/data/bridge.log"
-      # Log level for this file
-      # Allowed values starting with most verbose:
-      # silly, debug, verbose, info, warn, error
-      level: info
-      # Date and time formatting
-      datePattern: YYYY-MM-DD
-      # Maximum number of logs to keep.
-      # This can be a number of files or number of days.
-      # If using days, add 'd' as a suffix
-      maxFiles: 14d
-      # Maximum size of the file after which it will rotate. This can be a
-      # number of bytes, or units of kb, mb, and gb. If using the units, add
-      # 'k', 'm', or 'g' as the suffix
-      maxSize: 50m
+  files: []
--- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
+++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram

--- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}"
  when: matrix_mx_puppet_skype_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/config.yaml.j2
@ -42,30 +42,7 @@ logging:
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
-  files:
-    # Log file path
-    - file: "/data/bridge.log"
-      # Log level for this file
-      # Allowed values starting with most verbose:
-      # silly, debug, verbose, info, warn, error
-      level: info
-      # Date and time formatting
-      datePattern: YYYY-MM-DD
-      # Maximum number of logs to keep.
-      # This can be a number of files or number of days.
-      # If using days, add 'd' as a suffix
-      maxFiles: 14d
-      # Maximum size of the file after which it will rotate. This can be a
-      # number of bytes, or units of kb, mb, and gb. If using the units, add
-      # 'k', 'm', or 'g' as the suffix
-      maxSize: 50m
-      # Optionally enable/disable logging for certain modules
-      #disabled:
-      #  - PresenceHandler
-      #  - module: bot-sdk-MatrixLiteClient
-      #    regex: /_matrix/client/r0/presence/ # this regex needs to match to disable the log
-      #enabled:
-      #  - Store
+  files: []

 database:
 {% if matrix_mx_puppet_skype_database_engine == 'postgres' %}
--- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype

--- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}"
  when: matrix_mx_puppet_slack_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/config.yaml.j2
@ -80,20 +80,4 @@ logging:
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
-  files:
-    # Log file path
-    - file: "/data/bridge.log"
-      # Log level for this file
-      # Allowed values starting with most verbose:
-      # silly, debug, verbose, info, warn, error
-      level: info
-      # Date and time formatting
-      datePattern: YYYY-MM-DD
-      # Maximum number of logs to keep.
-      # This can be a number of files or number of days.
-      # If using days, add 'd' as a suffix
-      maxFiles: 14d
-      # Maximum size of the file after which it will rotate. This can be a
-      # number of bytes, or units of kb, mb, and gb. If using the units, add
-      # 'k', 'm', or 'g' as the suffix
-      maxSize: 50m
+  files: []
--- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack

--- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}"
  when: matrix_mx_puppet_steam_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-steam/templates/config.yaml.j2
@ -83,20 +83,4 @@ logging:
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
-  files:
-    # Log file path
-    - file: "/data/bridge.log"
-      # Log level for this file
-      # Allowed values starting with most verbose:
-      # silly, debug, verbose, info, warn, error
-      level: info
-      # Date and time formatting
-      datePattern: YYYY-MM-DD
-      # Maximum number of logs to keep.
-      # This can be a number of files or number of days.
-      # If using days, add 'd' as a suffix
-      maxFiles: 14d
-      # Maximum size of the file after which it will rotate. This can be a
-      # number of bytes, or units of kb, mb, and gb. If using the units, add
-      # 'k', 'm', or 'g' as the suffix
-      maxSize: 50m
+  files: []
--- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2
+++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam

--- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}"
  when: matrix_mx_puppet_twitter_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-twitter/templates/config.yaml.j2
@ -76,20 +76,4 @@ logging:
  lineDateFormat: MMM-D HH:mm:ss.SSS
  # Logging files
  # Log files are rotated daily by default
-  files:
-    # Log file path
-    - file: "/data/bridge.log"
-      # Log level for this file
-      # Allowed values starting with most verbose:
-      # silly, debug, verbose, info, warn, error
-      level: info
-      # Date and time formatting
-      datePattern: YYYY-MM-DD
-      # Maximum number of logs to keep.
-      # This can be a number of files or number of days.
-      # If using days, add 'd' as a suffix
-      maxFiles: 14d
-      # Maximum size of the file after which it will rotate. This can be a
-      # number of bytes, or units of kb, mb, and gb. If using the units, add
-      # 'k', 'm', or 'g' as the suffix
-      maxSize: 50m
+  files: []
--- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2
+++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter

--- a/roles/matrix-bridge-sms/tasks/init.yml
+++ b/roles/matrix-bridge-sms/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}"
  when: matrix_sms_bridge_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2
+++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge
 ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge

--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"

-matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.16"
+matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.17"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

--- a/roles/matrix-client-element/tasks/init.yml
+++ b/roles/matrix-client-element/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}"
  when: matrix_client_element_enabled|bool

 # ansible lower than 2.8, does not support docker_image build parameters
--- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2
+++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element

--- a/roles/matrix-common-after/tasks/start.yml
+++ b/roles/matrix-common-after/tasks/start.yml
@ -1,6 +1,6 @@
 ---

- name: Deterimne whether we should make services autostart
+- name: Determine whether we should make services autostart
  set_fact:
    matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}"

@ -46,7 +46,7 @@
        Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate.
    with_items: "{{ matrix_systemd_services_list }}"
    when:
-      - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'"
+      - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')"
  when: " ansible_distribution != 'Archlinux'"

 - block:
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service']

 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
 matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
-matrix_corporal_docker_image_tag: "1.11.0"
+matrix_corporal_docker_image_tag: "2.1.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"

 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: ""
 matrix_corporal_matrix_timeout_milliseconds: 45000

 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
-matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
+matrix_corporal_corporal_user_id_local_part: "matrix-corporal"

 matrix_corporal_http_gateway_timeout_milliseconds: 60000

+# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API
+# on the gateway (Client-Server API) server.
+# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`).
+# Doing so allows Interactive Authentication to work.
+matrix_corporal_http_gateway_internal_rest_auth_enabled: false
+
 matrix_corporal_http_api_enabled: false
 matrix_corporal_http_api_auth_token: ""
 matrix_corporal_http_api_timeout_milliseconds: 15000
--- a/roles/matrix-corporal/tasks/init.yml
+++ b/roles/matrix-corporal/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}"
  when: matrix_corporal_enabled|bool
--- a/roles/matrix-corporal/tasks/validate_config.yml
+++ b/roles/matrix-corporal/tasks/validate_config.yml
@ -16,7 +16,6 @@
    msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
  when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"

-
 - name: (Deprecation) Catch and report renamed corporal variables
  fail:
    msg: >-
@ -25,3 +24,4 @@
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}
+    - {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'}
--- a/roles/matrix-corporal/templates/config.json.j2
+++ b/roles/matrix-corporal/templates/config.json.j2
@ -7,14 +7,20 @@
 		"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
 	},

+	"Corporal": {
+		"UserID": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}"
+	},
+
 	"Reconciliation": {
-		"UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}",
 		"RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }}
 	},

 	"HttpGateway": {
 		"ListenAddress": "0.0.0.0:41080",
-		"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}
+		"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }},
+		"InternalRESTAuth": {
+			"Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }}
+		}
 	},

 	"HttpApi": {
--- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
+++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal

--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -3,7 +3,7 @@ matrix_coturn_enabled: true
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"

-matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3"
+matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

--- a/roles/matrix-coturn/tasks/init.yml
+++ b/roles/matrix-coturn/tasks/init.yml
@ -1,7 +1,11 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}"
  when: matrix_coturn_enabled|bool

+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}"
+  when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
+
 # ansible lower than 2.8, does not support docker_image build parameters
 # for self buildig it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
--- a/roles/matrix-coturn/tasks/main.yml
+++ b/roles/matrix-coturn/tasks/main.yml
@ -8,8 +8,14 @@
    - setup-all
    - setup-coturn

- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
-  when: run_setup|bool
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_coturn_enabled|bool"
+  tags:
+    - setup-all
+    - setup-coturn
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_coturn_enabled|bool"
  tags:
    - setup-all
    - setup-coturn
--- a/roles/matrix-coturn/tasks/setup_coturn.yml
+++ b/roles/matrix-coturn/tasks/setup_coturn.yml
@ -1,137 +0,0 @@
---
-
-#
-# Tasks related to setting up Coturn
-#
-
- name: Ensure Matrix Coturn path exists
-  file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
-  when: matrix_coturn_enabled|bool and item.when
-
- name: Ensure Coturn image is pulled
-  docker_image:
-    name: "{{ matrix_coturn_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
-  when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build
-
- name: Ensure Coturn repository is present on self-build
-  git:
-    repo: "{{ matrix_coturn_container_image_self_build_repo }}"
-    dest: "{{ matrix_coturn_docker_src_files_path }}"
-    version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
-    force: "yes"
-  register: matrix_coturn_git_pull_results
-  when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build"
-
- name: Ensure Coturn Docker image is built
-  docker_image:
-    name: "{{ matrix_coturn_docker_image }}"
-    source: build
-    force_source: "{{ matrix_coturn_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_coturn_docker_src_files_path }}"
-      pull: yes
-  when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build|bool"
-
- name: Ensure Coturn configuration path exists
-  file:
-    path: "{{ matrix_coturn_base_path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  when: matrix_coturn_enabled|bool
-
- name: Ensure turnserver.conf installed
-  template:
-    src: "{{ role_path }}/templates/turnserver.conf.j2"
-    dest: "{{ matrix_coturn_config_path }}"
-    mode: 0644
-  when: matrix_coturn_enabled|bool
-
- name: Ensure Coturn network is created in Docker
-  docker_network:
-    name: "{{ matrix_coturn_docker_network }}"
-    driver: bridge
-  when: matrix_coturn_enabled|bool
-
- name: Ensure matrix-coturn.service installed
-  template:
-    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
-    dest: "{{ matrix_systemd_path }}/matrix-coturn.service"
-    mode: 0644
-  register: matrix_coturn_systemd_service_result
-  when: matrix_coturn_enabled|bool
-
- name: Ensure systemd reloaded after matrix-coturn.service installation
-  service:
-    daemon_reload: yes
-  when: "matrix_coturn_enabled|bool and matrix_coturn_systemd_service_result.changed"
-
-# This may be unnecessary when more long-lived certificates are used.
-# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
-# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2"
-    dest: /etc/cron.d/matrix-coturn-ssl-reload
-    mode: 0644
-  when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
-
-
-#
-# Tasks related to getting rid of Coturn (if it was previously enabled)
-#
-
- name: Ensure matrix-coturn-ssl-reload cronjob removed
-  file:
-    path: /etc/cron.d/matrix-coturn-ssl-reload
-    state: absent
-  when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool"
-
- name: Check existence of matrix-coturn service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-coturn.service"
-  register: matrix_coturn_service_stat
-  when: "not matrix_coturn_enabled|bool"
-
- name: Ensure matrix-coturn is stopped
-  service:
-    name: matrix-coturn
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
-
- name: Ensure matrix-coturn.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-coturn.service"
-    state: absent
-  when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
-
- name: Ensure systemd reloaded after matrix-coturn.service removal
-  service:
-    daemon_reload: yes
-  when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
-
- name: Ensure Matrix coturn paths don't exist
-  file:
-    path: "{{ matrix_coturn_base_path }}"
-    state: absent
-  when: "not matrix_coturn_enabled|bool"
-
- name: Ensure coturn Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_coturn_docker_image }}"
-    state: absent
-  when: "not matrix_coturn_enabled|bool"
--- a/roles/matrix-coturn/tasks/setup_install.yml
+++ b/roles/matrix-coturn/tasks/setup_install.yml
@ -0,0 +1,104 @@
+---
+
+# This is a cleanup/migration task. It can be removed some time in the future.
+- name: (Migration) Remove deprecated cronjob
+  file:
+    path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload"
+    state: absent
+
+- name: Ensure Matrix Coturn path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
+  when: "item.when|bool"
+
+- name: Ensure Coturn image is pulled
+  docker_image:
+    name: "{{ matrix_coturn_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
+  when: "not matrix_coturn_container_image_self_build|bool"
+
+- block:
+    - name: Ensure Coturn repository is present on self-build
+      git:
+        repo: "{{ matrix_coturn_container_image_self_build_repo }}"
+        dest: "{{ matrix_coturn_docker_src_files_path }}"
+        version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
+        force: "yes"
+      register: matrix_coturn_git_pull_results
+
+    - name: Ensure Coturn Docker image is built
+      docker_image:
+        name: "{{ matrix_coturn_docker_image }}"
+        source: build
+        force_source: "{{ matrix_coturn_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ matrix_coturn_docker_src_files_path }}"
+          pull: yes
+  when: "matrix_coturn_container_image_self_build|bool"
+
+- name: Ensure Coturn configuration path exists
+  file:
+    path: "{{ matrix_coturn_base_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure turnserver.conf installed
+  template:
+    src: "{{ role_path }}/templates/turnserver.conf.j2"
+    dest: "{{ matrix_coturn_config_path }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Coturn network is created in Docker
+  docker_network:
+    name: "{{ matrix_coturn_docker_network }}"
+    driver: bridge
+
+- name: Ensure matrix-coturn.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-coturn.service"
+    mode: 0644
+  register: matrix_coturn_systemd_service_change_results
+
+# This may be unnecessary when more long-lived certificates are used.
+# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
+# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
+- name: Ensure reloading systemd units installed, if necessary
+  template:
+    src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
+    dest: "{{ matrix_systemd_path }}/{{ item }}"
+    mode: 0644
+  register: "matrix_coturn_systemd_service_change_results"
+  when: "matrix_coturn_tls_enabled|bool"
+  with_items:
+    - matrix-coturn-reload.service
+    - matrix-coturn-reload.timer
+
+# A similar task exists in `setup_uninstall.yml`
+- name: Ensure reloading systemd units uninstalled, if unnecessary
+  file:
+    path: "{{ item }}"
+    state: absent
+  register: "matrix_coturn_systemd_service_change_results"
+  when: "not matrix_coturn_tls_enabled|bool"
+  with_items:
+    - matrix-coturn-reload.service
+    - matrix-coturn-reload.timer
+
+- name: Ensure systemd reloaded if systemd units changed
+  service:
+    daemon_reload: yes
+  when: "matrix_coturn_systemd_service_change_results.changed"
--- a/roles/matrix-coturn/tasks/setup_uninstall.yml
+++ b/roles/matrix-coturn/tasks/setup_uninstall.yml
@ -0,0 +1,45 @@
+---
+
+- name: Check existence of matrix-coturn service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-coturn.service"
+  register: matrix_coturn_service_stat
+  when: "not matrix_coturn_enabled|bool"
+
+- name: Ensure matrix-coturn is stopped
+  service:
+    name: matrix-coturn
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_coturn_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-coturn-reload.timer is stopped
+  service:
+    name: matrix-coturn
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_coturn_service_stat.stat.exists|bool"
+
+- name: Ensure systemd units don't exist
+  file:
+    path: "{{ matrix_systemd_path }}/{{ item }}"
+    state: absent
+  register: matrix_coturn_systemd_unit_uninstallation_result
+  with_items:
+    - matrix-coturn.service
+    - matrix-coturn-reload.service
+    - matrix-coturn-reload.timer
+
+- name: Ensure systemd reloaded after unit removal
+  service:
+    daemon_reload: yes
+  when: "matrix_coturn_systemd_unit_uninstallation_result.changed|bool"
+
+- name: Ensure Matrix coturn paths don't exist
+  file:
+    path: "{{ matrix_coturn_base_path }}"
+    state: absent
+
+# Intentionally not removing the Docker image when uninstalling.
+# We can't be sure it had been pulled by us in the first place.
--- a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
+++ b/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
@ -1 +0,0 @@
-20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
@ -0,0 +1,6 @@
+[Unit]
+Description=Reloads matrix-coturn so that new SSL certificates can kick in
+
+[Service]
+Type=oneshot
+ExecStart={{ matrix_host_command_systemctl }} reload matrix-coturn.service
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
@ -0,0 +1,10 @@
+[Unit]
+Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
+
+[Timer]
+Unit=matrix-coturn-reload.service
+OnCalendar=Sunday *-*-* 13:00:00
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn

--- a/roles/matrix-dimension/tasks/init.yml
+++ b/roles/matrix-dimension/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}"
  when: matrix_dimension_enabled|bool
--- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
+++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension

--- a/roles/matrix-dynamic-dns/tasks/init.yml
+++ b/roles/matrix-dynamic-dns/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
  when: "matrix_dynamic_dns_enabled|bool"
--- a/roles/matrix-dynamic-dns/tasks/uninstall.yml
+++ b/roles/matrix-dynamic-dns/tasks/uninstall.yml
@ -22,3 +22,6 @@
  service:
    daemon_reload: yes
  when: "matrix_dynamic_dns_service_stat.stat.exists"
+
+# Intentionally not removing the Docker image when uninstalling.
+# We can't be sure it had been pulled by us in the first place.
--- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2
+++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \
--- a/roles/matrix-email2matrix/tasks/init.yml
+++ b/roles/matrix-email2matrix/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}"
  when: matrix_email2matrix_enabled|bool
--- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2
+++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2
@ -7,6 +7,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix

--- a/roles/matrix-jitsi/tasks/init.yml
+++ b/roles/matrix-jitsi/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}"
  when: matrix_jitsi_enabled|bool
--- a/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml
@ -89,8 +89,5 @@
    state: absent
  when: "not matrix_jitsi_enabled|bool"

- name: Ensure jitsi-jicofo Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_jitsi_jicofo_docker_image }}"
-    state: absent
-  when: "not matrix_jitsi_enabled|bool"
+# Intentionally not removing the Docker image when uninstalling.
+# We can't be sure it had been pulled by us in the first place.
--- a/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml
@ -89,8 +89,5 @@
    state: absent
  when: "not matrix_jitsi_enabled|bool"

- name: Ensure jitsi-jvb Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_jitsi_jvb_docker_image }}"
-    state: absent
-  when: "not matrix_jitsi_enabled|bool"
+# Intentionally not removing the Docker image when uninstalling.
+# We can't be sure it had been pulled by us in the first place.
--- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
@ -80,8 +80,5 @@
    state: absent
  when: "not matrix_jitsi_enabled|bool"

- name: Ensure jitsi-prosody Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_jitsi_prosody_docker_image }}"
-    state: absent
-  when: "not matrix_jitsi_enabled|bool"
+# Intentionally not removing the Docker image when uninstalling.
+# We can't be sure it had been pulled by us in the first place.
--- a/roles/matrix-jitsi/tasks/setup_jitsi_web.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_web.yml
@ -90,8 +90,6 @@
    state: absent
  when: "not matrix_jitsi_enabled|bool"

- name: Ensure jitsi-web Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_jitsi_web_docker_image }}"
-    state: absent
-  when: "not matrix_jitsi_enabled|bool"
+# Intentionally not removing the Docker image when uninstalling.
+# We can't be sure it had been pulled by us in the first place.
+
--- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
+++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo

--- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
+++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb

--- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
+++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody

--- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web

--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@ -5,10 +5,13 @@ matrix_ma1sd_enabled: true

 matrix_ma1sd_container_image_self_build: false
 matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
+matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"

 matrix_ma1sd_architecture: "amd64"

-matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}"
+matrix_ma1sd_version: "2.4.0"
+
+matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}"
 matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}"
 matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"

--- a/roles/matrix-ma1sd/tasks/init.yml
+++ b/roles/matrix-ma1sd/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
  when: matrix_ma1sd_enabled|bool

 # ansible lower than 2.8, does not support docker_image build parameters
--- a/roles/matrix-ma1sd/tasks/setup_install.yml
+++ b/roles/matrix-ma1sd/tasks/setup_install.yml
@ -79,21 +79,24 @@
    git:
      repo: "{{ matrix_ma1sd_container_image_self_build_repo }}"
      dest: "{{ matrix_ma1sd_docker_src_files_path }}"
-      version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}"
+      version: "{{ matrix_ma1sd_container_image_self_build_branch }}"
      force: "yes"
    register: matrix_ma1sd_git_pull_results

  - name: Ensure ma1sd Docker image is built
-    shell: "./gradlew dockerBuild"
+    shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild"
    args:
      chdir: "{{ matrix_ma1sd_docker_src_files_path }}"

  - name: Ensure ma1sd Docker image is tagged correctly
    docker_image:
-      # The build script always tags the image with something like `ma1uta/ma1sd:2.4.0`.
-      # Remove the `-{{ matrix_ma1sd_architecture }}` suffix and our `localhost/` prefix (applied when self-building)
-      # to get to what has actually been built, so we can retag it as `{{ matrix_ma1sd_docker_image }}`.
-      name: "{{ matrix_ma1sd_docker_image.split('-')[0].replace('localhost/', '') }}"
+      # The build script always tags the image with 2 tags:
+      # - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`)
+      #   or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release)
+      # - generic one: `ma1uta/ma1sd:latest-dev`
+      #
+      # It's hard to predict the first one, so we'll use the latter.
+      name: "ma1uta/ma1sd:latest-dev"
      repository: "{{ matrix_ma1sd_docker_image }}"
      force_tag: yes
      source: local
--- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd

--- a/roles/matrix-mailer/defaults/main.yml
+++ b/roles/matrix-mailer/defaults/main.yml
@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"

-matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93.1-r0"
+matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

@ -19,6 +19,8 @@ matrix_mailer_container_user_gid: 101
 # A list of extra arguments to pass to the container
 matrix_mailer_container_extra_arguments: []

+matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}"
+
 matrix_mailer_sender_address: "matrix@{{ matrix_domain }}"
 matrix_mailer_relay_use: false
 matrix_mailer_relay_host_name: "mail.example.com"
--- a/roles/matrix-mailer/tasks/init.yml
+++ b/roles/matrix-mailer/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
  when: matrix_mailer_enabled|bool
--- a/roles/matrix-mailer/templates/env-mailer.j2
+++ b/roles/matrix-mailer/templates/env-mailer.j2
@ -6,3 +6,4 @@ SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port
 SMTP_USERNAME={{ matrix_mailer_relay_auth_username }}
 SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }}
 {% endif %}
+HOSTNAME={{ matrix_mailer_hostname }}
--- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
+++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
@ -7,9 +7,12 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer

+# --hostname gives us a friendlier hostname than the default.
+# The real hostname is passed via a `HOSTNAME` environment variable though.
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \
 			--log-driver=none \
 			--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
--- a/Show More
+++ b/Show More
				`@ -1 +0,0 @@`
				`20 4 /5 * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service`