Merge branch 'spantaleev:master' into default_room_version_9

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.44.0
-matrix_synapse_version_arm64: v1.44.0
+matrix_synapse_version: v1.49.0
+matrix_synapse_version_arm64: v1.49.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -27,7 +27,13 @@ matrix_synapse_storage_path: "{{ matrix_synapse_base_path }}/storage"
 matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
 matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
 
-# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/8008 in the container).
+matrix_synapse_container_client_api_port: 8008
+
+matrix_synapse_container_federation_api_tls_port: 8448
+
+matrix_synapse_container_federation_api_plain_port: 8048
+
+# Controls whether the matrix-synapse container exposes the Client/Server API port (tcp/{{ matrix_synapse_container_client_api_port }} in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8008"), or empty string to not expose.
 matrix_synapse_container_client_api_host_bind_port: ''
@@ -146,7 +152,7 @@ matrix_synapse_federation_rr_transactions_per_room_per_second: 50
 
 # Controls whether the TLS federation listener is enabled (tcp/8448).
 # Only makes sense if federation is enabled (`matrix_synapse_federation_enabled`).
-# Note that federation may potentially be enabled as non-TLS on tcp/8048 as well.
+# Note that federation may potentially be enabled as non-TLS on `matrix_synapse_container_federation_api_plain_port` as well.
 # If you're serving Synapse behind an HTTPS-capable reverse-proxy,
 # you can disable the TLS listener (`matrix_synapse_tls_federation_listener_enabled: false`).
 matrix_synapse_tls_federation_listener_enabled: true
@@ -467,6 +473,8 @@ matrix_synapse_turn_allow_guests: False
 matrix_synapse_email_enabled: false
 matrix_synapse_email_smtp_host: ""
 matrix_synapse_email_smtp_port: 587
+matrix_synapse_email_smtp_user: ""
+matrix_synapse_email_smtp_pass: ""
 matrix_synapse_email_smtp_require_transport_security: false
 matrix_synapse_email_notif_from: "Matrix <matrix@{{ matrix_domain }}>"
 matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_element }}"

roles/matrix-synapse/files/workers-doc-to-yaml.awk

@@ -86,7 +86,7 @@ enable_parsing {
 
                 # FIXME: https://github.com/matrix-org/synapse/issues/7530
                 # https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/456#issuecomment-719015911
-                if (api_endpoint_regex == "^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$") {
+                if (api_endpoint_regex == "^/_matrix/client/(r0|v3|unstable)/auth/.*/fallback/web$") {
                     worker_stanza_append("  # FIXME: possible bug with SSO and multiple generic workers\n")
                     worker_stanza_append("  # see https://github.com/matrix-org/synapse/issues/7530\n")
                     worker_stanza_append("  # " api_endpoint_regex linefeed)

roles/matrix-synapse/tasks/goofys/setup_uninstall.yml

@@ -7,6 +7,7 @@
   service:
     name: matrix-goofys
     state: stopped
+    enabled: no
     daemon_reload: yes
   register: stopping_result
   when: "matrix_goofys_service_stat.stat.exists"

roles/matrix-synapse/tasks/import_media_store.yml

@@ -44,6 +44,7 @@
   service:
     name: matrix-synapse
     state: stopped
+    enabled: no
     daemon_reload: yes
   register: stopping_result
 

roles/matrix-synapse/tasks/synapse/setup_install.yml

@@ -67,8 +67,6 @@
     --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
     --cap-drop=ALL
     --mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data
-    -e UID={{ matrix_user_uid }}
-    -e GID={{ matrix_user_gid }}
     -e SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
     -e SYNAPSE_SERVER_NAME={{ matrix_server_fqn_matrix }}
     -e SYNAPSE_REPORT_STATS=no

roles/matrix-synapse/tasks/synapse/setup_uninstall.yml

@@ -7,6 +7,7 @@
   service:
     name: matrix-synapse
     state: stopped
+    enabled: no
     daemon_reload: yes
   register: stopping_result
   when: "matrix_synapse_service_stat.stat.exists"

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -66,8 +66,28 @@ pid_file: /homeserver.pid
 # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
 # 'listeners' below).
 #
+# Defaults to 'https://<server_name>/'.
+#
 public_baseurl: https://{{ matrix_server_fqn_matrix }}/
 
+# Uncomment the following to tell other servers to send federation traffic on
+# port 443.
+#
+# By default, other servers will try to reach our server on port 8448, which can
+# be inconvenient in some environments.
+#
+# Provided 'https://<server_name>/' on port 443 is routed to Synapse, this
+# option configures Synapse to serve a file at
+# 'https://<server_name>/.well-known/matrix/server'. This will tell other
+# servers to send traffic to port 443 instead.
+#
+# See https://matrix-org.github.io/synapse/latest/delegate.html for more
+# information.
+#
+# Defaults to 'false'.
+#
+#serve_server_wellknown: true
+
 # Set the soft limit on the number of file descriptors synapse can use
 # Zero is used to indicate synapse should set the soft limit to the
 # hard limit.
@@ -269,14 +289,14 @@ default_room_version: {{ matrix_synapse_default_room_version|to_json }}
 listeners:
 {% if matrix_synapse_metrics_enabled %}
   - type: metrics
-    port: {{ matrix_synapse_metrics_port }}
+    port: {{ matrix_synapse_metrics_port|to_json }}
     bind_addresses:
       - '0.0.0.0'
 {% endif %}
 
 {% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %}
   # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
-  - port: 8448
+  - port: {{ matrix_synapse_container_federation_api_tls_port|to_json }}
     tls: true
     bind_addresses: ['::']
     type: http
@@ -289,7 +309,7 @@ listeners:
 
   # Unsecure HTTP listener (Client API): for when matrix traffic passes through a reverse proxy
   # that unwraps TLS.
-  - port: 8008
+  - port: {{ matrix_synapse_container_client_api_port|to_json }}
     tls: false
     bind_addresses: ['::']
     type: http
@@ -302,7 +322,7 @@ listeners:
 {% if matrix_synapse_federation_port_enabled %}
   # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy
   # that unwraps TLS.
-  - port: 8048
+  - port: {{ matrix_synapse_container_federation_api_plain_port|to_json }}
     tls: false
     bind_addresses: ['::']
     type: http
@@ -492,6 +512,48 @@ redaction_retention_period: {{ matrix_synapse_redaction_retention_period }}
 
 user_ips_max_age: {{ matrix_synapse_user_ips_max_age }}
 
+# Inhibits the /requestToken endpoints from returning an error that might leak
+# information about whether an e-mail address is in use or not on this
+# homeserver.
+# Note that for some endpoints the error situation is the e-mail already being
+# used, and for others the error is entering the e-mail being unused.
+# If this option is enabled, instead of returning an error, these endpoints will
+# act as if no error happened and return a fake session ID ('sid') to clients.
+#
+#request_token_inhibit_3pid_errors: true
+
+# A list of domains that the domain portion of 'next_link' parameters
+# must match.
+#
+# This parameter is optionally provided by clients while requesting
+# validation of an email or phone number, and maps to a link that
+# users will be automatically redirected to after validation
+# succeeds. Clients can make use this parameter to aid the validation
+# process.
+#
+# The whitelist is applied whether the homeserver or an
+# identity server is handling validation.
+#
+# The default value is no whitelist functionality; all domains are
+# allowed. Setting this value to an empty list will instead disallow
+# all domains.
+#
+#next_link_domain_whitelist: ["matrix.org"]
+
+# Templates to use when generating email or HTML page contents.
+#
+templates:
+  # Directory in which Synapse will try to find template files to use to generate
+  # email or HTML page contents.
+  # If not set, or a file is not found within the template directory, a default
+  # template from within the Synapse package will be used.
+  #
+  # See https://matrix-org.github.io/synapse/latest/templates.html for more
+  # information about using custom templates.
+  #
+  #custom_template_directory: /path/to/custom/templates/
+
+
 # Message retention policy at the server level.
 #
 # Room admins and mods can define a retention period for their rooms using the
@@ -561,47 +623,6 @@ retention:
   #  - shortest_max_lifetime: 3d
   #    interval: 1d
 
-# Inhibits the /requestToken endpoints from returning an error that might leak
-# information about whether an e-mail address is in use or not on this
-# homeserver.
-# Note that for some endpoints the error situation is the e-mail already being
-# used, and for others the error is entering the e-mail being unused.
-# If this option is enabled, instead of returning an error, these endpoints will
-# act as if no error happened and return a fake session ID ('sid') to clients.
-#
-#request_token_inhibit_3pid_errors: true
-
-# A list of domains that the domain portion of 'next_link' parameters
-# must match.
-#
-# This parameter is optionally provided by clients while requesting
-# validation of an email or phone number, and maps to a link that
-# users will be automatically redirected to after validation
-# succeeds. Clients can make use this parameter to aid the validation
-# process.
-#
-# The whitelist is applied whether the homeserver or an
-# identity server is handling validation.
-#
-# The default value is no whitelist functionality; all domains are
-# allowed. Setting this value to an empty list will instead disallow
-# all domains.
-#
-#next_link_domain_whitelist: ["matrix.org"]
-
-# Templates to use when generating email or HTML page contents.
-#
-templates:
-  # Directory in which Synapse will try to find template files to use to generate
-  # email or HTML page contents.
-  # If not set, or a file is not found within the template directory, a default
-  # template from within the Synapse package will be used.
-  #
-  # See https://matrix-org.github.io/synapse/latest/templates.html for more
-  # information about using custom templates.
-  #
-  #custom_template_directory: /path/to/custom/templates/
-
 
 ## TLS ##
 
@@ -646,8 +667,8 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
 #
 #federation_certificate_verification_whitelist:
 #  - lon.example.com
-#  - *.domain.com
-#  - *.onion
+#  - "*.domain.com"
+#  - "*.onion"
 
 # List of custom certificate authorities for federation traffic.
 #
@@ -1206,6 +1227,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 #
 #session_lifetime: 24h
 
+# Time that an access token remains valid for, if the session is
+# using refresh tokens.
+# For more information about refresh tokens, please see the manual.
+# Note that this only applies to clients which advertise support for
+# refresh tokens.
+#
+# Note also that this is calculated at login time and refresh time:
+# changes are not applied to existing sessions until they are refreshed.
+#
+# By default, this is 5 minutes.
+#
+#refreshable_access_token_lifetime: 5m
+
+# Time that a refresh token remains valid for (provided that it is not
+# exchanged for another one first).
+# This option can be used to automatically log-out inactive sessions.
+# Please see the manual for more information.
+#
+# Note also that this is calculated at login time and refresh time:
+# changes are not applied to existing sessions until they are refreshed.
+#
+# By default, this is infinite.
+#
+#refresh_token_lifetime: 24h
+
+# Time that an access token remains valid for, if the session is NOT
+# using refresh tokens.
+# Please note that not all clients support refresh tokens, so setting
+# this to a short value may be inconvenient for some users who will
+# then be logged out frequently.
+#
+# Note also that this is calculated at login time: changes are not applied
+# retrospectively to existing sessions for users that have already logged in.
+#
+# By default, this is infinite.
+#
+#nonrefreshable_access_token_lifetime: 24h
+
+# The user must provide all of the below types of 3PID when registering.
+
 # The user must provide all of the below types of 3PID when registering.
 #
 #registrations_require_3pid:
@@ -1270,7 +1331,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # in on this server.
 #
 # (By default, no suggestion is made, so it is left up to the client.
-# This setting is ignored unless public_baseurl is also set.)
+# This setting is ignored unless public_baseurl is also explicitly set.)
 #
 #default_identity_server: https://matrix.org
 
@@ -1295,8 +1356,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # by the Matrix Identity Service API specification:
 # https://matrix.org/docs/spec/identity_service/latest
 #
-# If a delegate is specified, the config option public_baseurl must also be filled out.
-#
 account_threepid_delegates:
     email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
     msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}
@@ -1989,11 +2048,10 @@ sso:
     # phishing attacks from evil.site. To avoid this, include a slash after the
     # hostname: "https://my.client/".
     #
-    # If public_baseurl is set, then the login fallback page (used by clients
-    # that don't natively support the required login flows) is whitelisted in
-    # addition to any URLs in this list.
+    # The login fallback page (used by clients that don't natively support the
+    # required login flows) is whitelisted in addition to any URLs in this list.
     #
-    # By default, this list is empty.
+    # By default, this list contains only the login fallback page.
     #
     #client_whitelist:
     #  - https://riot.im/develop
@@ -2211,6 +2269,12 @@ sso:
     #
     #algorithm: "provided-by-your-issuer"
 
+    # Name of the claim containing a unique identifier for the user.
+    #
+    # Optional, defaults to `sub`.
+    #
+    #subject_claim: "sub"
+
     # The issuer to validate the "iss" claim against.
     #
     # Optional, if provided the "iss" claim will be required and
@@ -2320,9 +2384,10 @@ email:
 
   # Username/password for authentication to the SMTP server. By default, no
   # authentication is attempted.
-  #
-  #smtp_user: "exampleusername"
-  #smtp_pass: "examplepassword"
+  {% if matrix_synapse_email_smtp_user %}
+  smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }}
+  smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }}
+  {% endif %}
 
   # Uncomment the following to require TLS transport security for SMTP.
   # By default, Synapse will connect over plain text, and will then switch to
@@ -2620,8 +2685,8 @@ user_directory:
     # indexes were (re)built was before Synapse 1.44, you'll have to
     # rebuild the indexes in order to search through all known users.
     # These indexes are built the first time Synapse starts; admins can
-    # manually trigger a rebuild following the instructions at
-    #     https://matrix-org.github.io/synapse/latest/user_directory.html
+    # manually trigger a rebuild via API following the instructions at
+    #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
     #
     # Uncomment to return search results containing all known users, even if that
     # user does not share a room with the requester.

roles/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2

@@ -17,8 +17,6 @@ ExecStartPre={{ matrix_host_command_sleep }} 5
 ExecStart={{ matrix_host_command_docker }} run --rm --name {{ matrix_synapse_worker_container_name }} \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			-e UID={{ matrix_user_uid }} \
-			-e GID={{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \

roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -33,20 +33,18 @@ ExecStartPre={{ matrix_host_command_sleep }} 3
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-synapse \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-			--env=UID={{ matrix_user_uid }} \
-			--env=GID={{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_synapse_tmp_directory_size_mb }}m \
 			--network={{ matrix_docker_network }} \
 			{% if matrix_synapse_container_client_api_host_bind_port %}
-			-p {{ matrix_synapse_container_client_api_host_bind_port }}:8008 \
+			-p {{ matrix_synapse_container_client_api_host_bind_port }}:{{ matrix_synapse_container_client_api_port }} \
 			{% endif %}
 			{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled and matrix_synapse_container_federation_api_tls_host_bind_port %}
-			-p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:8448 \
+			-p {{ matrix_synapse_container_federation_api_tls_host_bind_port }}:{{ matrix_synapse_container_federation_api_tls_port }} \
 			{% endif %}
 			{% if matrix_synapse_federation_enabled and matrix_synapse_container_federation_api_plain_host_bind_port %}
-			-p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:8048 \
+			-p {{ matrix_synapse_container_federation_api_plain_host_bind_port }}:{{ matrix_synapse_container_federation_api_plain_port }} \
 			{% endif %}
 			{% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %}
 			-p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \

roles/matrix-synapse/templates/synapse/usr-local-bin/matrix-synapse-register-user.j2

@@ -11,7 +11,7 @@ password=$2
 admin=$3
 
 if [ "$admin" -eq "1" ]; then
-	docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:8008
+	docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --admin http://localhost:{{ matrix_synapse_container_client_api_port }}
 else
-	docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:8008
+	docker exec matrix-synapse register_new_matrix_user -u "$user" -p "$password" -c /data/homeserver.yaml --no-admin http://localhost:{{ matrix_synapse_container_client_api_port }}
 fi

roles/matrix-synapse/templates/synapse/worker.yaml.j2

@@ -38,7 +38,7 @@ worker_listeners:
 {% endif %}
 
 {% if matrix_synapse_worker_details.type == 'frontend_proxy' %}
-worker_main_http_uri: http://matrix-synapse:8008
+worker_main_http_uri: http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}
 {% endif %}
 
 worker_daemonize: false

roles/matrix-synapse/vars/workers.yml

@@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints:
   # expressions:
 
   # Sync requests
-  - ^/_matrix/client/(v2_alpha|r0)/sync$
-  - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$
-  - ^/_matrix/client/(api/v1|r0)/initialSync$
-  - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$
+  - ^/_matrix/client/(v2_alpha|r0|v3)/sync$
+  - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$
+  - ^/_matrix/client/(api/v1|r0|v3)/initialSync$
+  - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$
 
   # Federation requests
   - ^/_matrix/federation/v1/event/
@@ -33,46 +33,46 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/federation/v1/get_groups_publicised$
   - ^/_matrix/key/v2/query
   - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
-  - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
+  - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/
 
   # Inbound federation transaction request
   - ^/_matrix/federation/v1/send/
 
   # Client API requests
-  - ^/_matrix/client/(api/v1|r0|unstable)/createRoom$
-  - ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/members$
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$
   - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
-  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
+  - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$
   - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
-  - ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$
-  - ^/_matrix/client/(api/v1|r0|unstable)/devices$
-  - ^/_matrix/client/(api/v1|r0|unstable)/keys/query$
-  - ^/_matrix/client/(api/v1|r0|unstable)/keys/changes$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/query$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/changes$
   - ^/_matrix/client/versions$
-  - ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$
-  - ^/_matrix/client/(api/v1|r0|unstable)/joined_groups$
-  - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups$
-  - ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/event/
-  - ^/_matrix/client/(api/v1|r0|unstable)/joined_rooms$
-  - ^/_matrix/client/(api/v1|r0|unstable)/search$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_groups$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/publicised_groups$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/publicised_groups/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/search$
 
   # Registration/login requests
-  - ^/_matrix/client/(api/v1|r0|unstable)/login$
-  - ^/_matrix/client/(r0|unstable)/register$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
+  - ^/_matrix/client/(r0|v3|unstable)/register$
   - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$
 
   # Event sending requests
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/redact
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/
-  - ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$
-  - ^/_matrix/client/(api/v1|r0|unstable)/join/
-  - ^/_matrix/client/(api/v1|r0|unstable)/profile/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/join/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/
 
 
   # Additionally, the following REST endpoints can be handled for GET requests:
@@ -86,7 +86,7 @@ matrix_synapse_workers_generic_worker_endpoints:
   # for the room are in flight:
 
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$
+  # ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$
 
   # Additionally, the following endpoints should be included if Synapse is configured
   # to use SSO (you only need to include the ones for whichever SSO provider you're
@@ -94,7 +94,7 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # for all SSO providers
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/login/sso/redirect
+  # ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect
   # ^/_synapse/client/pick_idp$
   # ^/_synapse/client/pick_username
   # ^/_synapse/client/new_user_consent$
@@ -110,7 +110,7 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # CAS requests.
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/login/cas/ticket$
+  # ^/_matrix/client/(api/v1|r0|v3|unstable)/login/cas/ticket$
 
   # Ensure that all SSO logins go to a single process.
   # For multiple workers not handling the SSO endpoints properly, see
@@ -271,19 +271,19 @@ matrix_synapse_workers_media_repository_endpoints:
   # expose the `media` resource. For example:
 
   # ```yaml
-  #     worker_listeners:
-  #      - type: http
-  #        port: 8085
-  #        resources:
-  #          - names:
-  #            - media
+  # worker_listeners:
+  #  - type: http
+  #    port: 8085
+  #    resources:
+  #      - names:
+  #        - media
   # ```
 
   # Note that if running multiple media repositories they must be on the same server
   # and you must configure a single instance to run the background tasks, e.g.:
 
   # ```yaml
-  #     media_instance_running_background_jobs: "media-repository-1"
+  # media_instance_running_background_jobs: "media-repository-1"
   # ```
 
   # Note that if a reverse proxy is used , then `/_matrix/media/` must be routed for both inbound client and federation requests (if they are handled separately).
@@ -292,7 +292,7 @@ matrix_synapse_workers_user_dir_endpoints:
   # Handles searches in the user directory. It can handle REST endpoints matching
   # the following regular expressions:
 
-  - ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/user_directory/search$
 
   # When using this worker you must also set `update_user_directory: False` in the
   # shared configuration file to stop the main synapse running background
@@ -303,13 +303,13 @@ matrix_synapse_workers_frontend_proxy_endpoints:
   # load from the main synapse. It can handle REST endpoints matching the following
   # regular expressions:
 
-  - ^/_matrix/client/(api/v1|r0|unstable)/keys/upload
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/upload
 
   # If `use_presence` is False in the homeserver config, it can also handle REST
   # endpoints matching the following regular expressions:
 
   # FIXME: ADDITIONAL CONDITIONS REQUIRED: to be enabled manually
-  # ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status
+  # ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status
 
   # This "stub" presence handler will pass through `GET` request but make the
   # `PUT` effectively a no-op.
@@ -319,7 +319,9 @@ matrix_synapse_workers_frontend_proxy_endpoints:
   # the `worker_main_http_uri` setting in the `frontend_proxy` worker configuration
   # file. For example:
 
-  #     worker_main_http_uri: http://127.0.0.1:8008
+  # ```yaml
+  # worker_main_http_uri: http://127.0.0.1:8008
+  # ```
 
 matrix_synapse_workers_avail_list:
   - appservice