Merge branch 'master' into master

roles/matrix-base/tasks/setup_server_base.yml

@@ -49,7 +49,7 @@
 
 - name: Ensure Docker repository is enabled (Debian)
   apt_repository:
-    repo: "deb https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable"
+    repo: "deb [arch=amd64] https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable"
     state: present
     update_cache: yes
   when: ansible_os_family == 'Debian'

roles/matrix-bridge-appservice-discord/defaults/main.yml

@@ -69,7 +69,7 @@ matrix_appservice_discord_configuration_yaml: |
     disableJoinLeaveNotifications: false
   # Authentication configuration for the discord bot.
   auth:
-    clientID: {{ matrix_appservice_discord_client_id|string }}
+    clientID: {{ matrix_appservice_discord_client_id|string|to_json }}
     botToken: {{ matrix_appservice_discord_bot_token }}
   logging:
     # What level should the logger output to the console at.
@@ -86,6 +86,8 @@ matrix_appservice_discord_configuration_yaml: |
     #     enable:
     #       - "DiscordBot"
   database:
+    userStorePath: "/data/user-store.db"
+    roomStorePath: "/data/room-store.db"
     # You may either use SQLite or Postgresql for the bridge database, which contains
     # important mappings for events and user puppeting configurations.
     # Use the filename option for SQLite, or connString for Postgresql.

roles/matrix-bridge-appservice-discord/tasks/setup_install.yml

@@ -32,10 +32,12 @@
   failed_when: false
   when: "matrix_appservice_discord_stat_db.stat.exists"
 
-# In addition to this, there used to be some `user-store-db` and `room-store.db` files.
-# They're no longer in use, so we're not relocating them in an effort to point them out as neither `./data`, nor `./config`.
 - name: (Data relocation) Move AppService Discord discord.db file to ./data directory
-  command: "mv {{ matrix_appservice_discord_base_path }}/discord.db {{ matrix_appservice_discord_data_path }}/discord.db"
+  command: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}"
+  with_items:
+    - discord.db
+    - user-store.db
+    - room-store.db
   when: "matrix_appservice_discord_stat_db.stat.exists"
 
 - name: Ensure AppService Discord config.yaml installed

roles/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -3,7 +3,8 @@
 
 matrix_mautrix_facebook_enabled: true
 
-matrix_mautrix_facebook_docker_image: "tulir/mautrix-facebook:latest"
+# See: https://mau.dev/tulir/mautrix-facebook/container_registry
+matrix_mautrix_facebook_docker_image: "dock.mau.dev/tulir/mautrix-facebook:latest"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
 
 matrix_mautrix_facebook_base_path: "{{ matrix_base_data_path }}/mautrix-facebook"
@@ -12,7 +13,7 @@ matrix_mautrix_facebook_data_path: "{{ matrix_mautrix_facebook_base_path }}/data
 
 matrix_mautrix_facebook_homeserver_address: 'http://matrix-synapse:8008'
 matrix_mautrix_facebook_homeserver_domain: '{{ matrix_domain }}'
-matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:8080'
+matrix_mautrix_facebook_appservice_address: 'http://matrix-mautrix-facebook:29319'
 
 # A list of extra arguments to pass to the container
 matrix_mautrix_facebook_container_extra_arguments: []
@@ -51,7 +52,7 @@ matrix_mautrix_facebook_configuration_yaml: |
 
       # The hostname and port where this appservice should listen.
       hostname: 0.0.0.0
-      port: 8080
+      port: 29319
       # The maximum body size of appservice API requests (from the homeserver) in mebibytes
       # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
       max_body_size: 1

roles/matrix-bridge-mautrix-hangouts/defaults/main.yml

@@ -0,0 +1,196 @@
+# mautrix-hangouts is a Matrix <-> Hangouts bridge
+# See: https://github.com/tulir/mautrix-hangouts
+
+matrix_mautrix_hangouts_enabled: true
+
+# See: https://mau.dev/tulir/mautrix-hangouts/container_registry
+matrix_mautrix_hangouts_docker_image: "dock.mau.dev/tulir/mautrix-hangouts:latest"
+matrix_mautrix_hangouts_docker_image_force_pull: "{{ matrix_mautrix_hangouts_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_hangouts_base_path: "{{ matrix_base_data_path }}/mautrix-hangouts"
+matrix_mautrix_hangouts_config_path: "{{ matrix_mautrix_hangouts_base_path }}/config"
+matrix_mautrix_hangouts_data_path: "{{ matrix_mautrix_hangouts_base_path }}/data"
+
+matrix_mautrix_hangouts_public_endpoint: '/mautrix-hangouts'
+
+matrix_mautrix_hangouts_homeserver_address: 'http://matrix-synapse:8008'
+matrix_mautrix_hangouts_homeserver_domain: '{{ matrix_domain }}'
+matrix_mautrix_hangouts_appservice_address: 'http://matrix-mautrix-hangouts:8080'
+
+# A list of extra arguments to pass to the container
+matrix_mautrix_hangouts_container_extra_arguments: []
+
+# List of systemd services that matrix-mautrix-hangouts.service depends on.
+matrix_mautrix_hangouts_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-mautrix-hangouts.service wants
+matrix_mautrix_hangouts_systemd_wanted_services_list: []
+
+matrix_mautrix_hangouts_appservice_token: ''
+matrix_mautrix_hangouts_homeserver_token: ''
+
+# Default mxisd configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mautrix_hangouts_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mautrix_hangouts_configuration_yaml: |
+  #jinja2: lstrip_blocks: "True"
+  # Homeserver details
+  homeserver:
+      # The address that this appservice can use to connect to the homeserver.
+      address: {{ matrix_mautrix_hangouts_homeserver_address }}
+      # The domain of the homeserver (for MXIDs, etc).
+      domain: {{ matrix_mautrix_hangouts_homeserver_domain }}
+      # Whether or not to verify the SSL certificate of the homeserver.
+      # Only applies if address starts with https://
+      verify_ssl: true
+
+  # Application service host/registration related details
+  # Changing these values requires regeneration of the registration.
+  appservice:
+      # The address that the homeserver can use to connect to this appservice.
+      address: {{ matrix_mautrix_hangouts_appservice_address }}
+
+      # The hostname and port where this appservice should listen.
+      hostname: 0.0.0.0
+      port: 8080
+      # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+      # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+      max_body_size: 1
+
+      # The full URI to the database. SQLite and Postgres are fully supported.
+      # Other DBMSes supported by SQLAlchemy may or may not work.
+      # Format examples:
+      #   SQLite:   sqlite:///filename.db
+      #   Postgres: postgres://username:password@hostname/dbname
+      database: sqlite:////data/mautrix-hangouts.db
+
+      # The unique ID of this appservice.
+      id: hangouts
+      # Username of the appservice bot.
+      bot_username: hangoutsbot
+      # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+      # to leave display name/avatar as-is.
+      bot_displayname: Hangouts bridge bot
+      bot_avatar: mxc://maunium.net/FBXZnpfORkBEruORbikmleAy
+
+      # Authentication tokens for AS <-> HS communication.
+      as_token: "{{ matrix_mautrix_hangouts_appservice_token }}"
+      hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}"
+
+  # Bridge config
+  bridge:
+      # Localpart template of MXIDs for Hangouts users.
+      # {userid} is replaced with the user ID of the Hangouts user.
+      username_template: "hangouts_{userid}"
+      # Displayname template for Hangouts users.
+      # {displayname} is replaced with the display name of the Hangouts user
+      #               as defined below in displayname_preference.
+      # Keys available for displayname_preference are also available here.
+      displayname_template: '{full_name} (Hangouts)'
+      # Available keys:
+      # "name" (full name)
+      # "first_name"
+      # "last_name"
+      # "nickname"
+      # "own_nickname" (user-specific!)
+      displayname_preference:
+      - name
+
+      # The prefix for commands. Only required in non-management rooms.
+      command_prefix: "!HO"
+
+      # Number of chats to sync (and create portals for) on startup/login.
+      # Maximum 20, set 0 to disable automatic syncing.
+      initial_chat_sync: 20
+      # Whether or not the Hangouts users of logged in Matrix users should be
+      # invited to private chats when the user sends a message from another client.
+      invite_own_puppet_to_pm: false
+      # Whether or not to use /sync to get presence, read receipts and typing notifications when using
+      # your own Matrix account as the Matrix puppet for your Hangouts account.
+      sync_with_custom_puppets: true
+
+      # Whether or not to bridge presence in both directions. Hangouts allows users not to broadcast
+      # presence, but then it won't send other users' presence to the client.
+      presence: true
+
+      # Public website and API configs
+      web:
+          # Auth server config
+          auth:
+              # Publicly accessible base URL for the login endpoints.
+              # The prefix below is not implicitly added. This URL and all subpaths should be proxied
+              # or otherwise pointed to the appservice's webserver to the path specified below (prefix).
+              # This path should usually include a trailing slash.
+              # Internal prefix in the appservice web server for the login endpoints.
+              public: "{{ matrix_homeserver_url }}{{ matrix_mautrix_hangouts_public_endpoint }}/login"
+              prefix: "{{ matrix_mautrix_hangouts_public_endpoint }}/login"
+
+
+      # Permissions for using the bridge.
+      # Permitted values:
+      #       user - Use the bridge with puppeting.
+      #      admin - Use and administrate the bridge.
+      # Permitted keys:
+      #        * - All Matrix users
+      #   domain - All users on that homeserver
+      #     mxid - Specific user
+      permissions:
+        '{{ matrix_mautrix_hangouts_homeserver_domain }}': user
+
+  # Python logging configuration.
+  #
+  # See section 16.7.2 of the Python documentation for more info:
+  # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+  logging:
+      version: 1
+      formatters:
+          colored:
+              (): mautrix_hangouts.util.ColorFormatter
+              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+          normal:
+              format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+      handlers:
+          console:
+              class: logging.StreamHandler
+              formatter: colored
+      loggers:
+          mau:
+              level: DEBUG
+          hangups:
+              level: DEBUG
+          aiohttp:
+              level: INFO
+      root:
+          level: DEBUG
+          handlers: [console]
+
+matrix_mautrix_hangouts_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_mautrix_hangouts_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mautrix_hangouts_configuration_yaml`.
+
+matrix_mautrix_hangouts_configuration_extension: "{{ matrix_mautrix_hangouts_configuration_extension_yaml|from_yaml if matrix_mautrix_hangouts_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_hangouts_configuration_yaml`.
+matrix_mautrix_hangouts_configuration: "{{ matrix_mautrix_hangouts_configuration_yaml|from_yaml|combine(matrix_mautrix_hangouts_configuration_extension, recursive=True) }}"
+
+matrix_mautrix_hangouts_registration_yaml: |
+  id: hangouts
+  as_token: "{{ matrix_mautrix_hangouts_appservice_token }}"
+  hs_token: "{{ matrix_mautrix_hangouts_homeserver_token }}"
+  namespaces:
+    users:
+    - exclusive: true
+      regex: '^@hangouts_.+:{{ matrix_mautrix_hangouts_homeserver_domain|regex_escape }}$'
+  url: {{ matrix_mautrix_hangouts_appservice_address }}
+  sender_localpart: hangoutsbot
+  rate_limited: false
+
+matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml|from_yaml }}"

roles/matrix-bridge-mautrix-hangouts/tasks/init.yml

@@ -0,0 +1,62 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts'] }}"
+  when: matrix_mautrix_hangouts_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      {{ ["--mount type=bind,src={{ matrix_mautrix_hangouts_config_path }}/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro"] }}
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/matrix-mautrix-hangouts-registration.yaml"] }}
+  when: matrix_mautrix_hangouts_enabled|bool
+
+- block:
+  - name: Fail if matrix-nginx-proxy role already executed
+    fail:
+      msg: >-
+        Trying to append Mautrix Hangouts's reverse-proxying configuration to matrix-nginx-proxy,
+        but it's pointless since the matrix-nginx-proxy role had already executed.
+        To fix this, please change the order of roles in your plabook,
+        so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-hangouts role.
+    when: matrix_nginx_proxy_role_executed|default(False)|bool
+
+  - name: Generate Mautrix Hangouts proxying configuration for matrix-nginx-proxy
+    set_fact:
+      matrix_mautrix_hangouts_matrix_nginx_proxy_configuration: |
+        location {{ matrix_mautrix_hangouts_public_endpoint }} {
+        {% if matrix_nginx_proxy_enabled|default(False) %}
+        	{# Use the embedded DNS resolver in Docker containers to discover the service #}
+        	resolver 127.0.0.11 valid=5s;
+        	set $backend "matrix-mautrix-hangouts:8080";
+        	proxy_pass http://$backend;
+        {% else %}
+        	{# Generic configuration for use outside of our container setup #}
+        	proxy_pass http://127.0.0.1:9007;
+        {% endif %}
+        }
+  - name: Register Mautrix Hangouts proxying configuration with matrix-nginx-proxy
+    set_fact:
+      matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+        {{
+          matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+          +
+          [matrix_mautrix_hangouts_matrix_nginx_proxy_configuration]
+        }}
+  tags:
+   - always
+  when: matrix_mautrix_hangouts_enabled|bool
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+  debug:
+    msg: >-
+      NOTE: You've enabled the Mautrix Hangouts bridge but are not using the matrix-nginx-proxy
+      reverse proxy.
+      Please make sure that you're proxying the `{{ matrix_mautrix_hangouts_public_endpoint }}`
+      URL endpoint to the matrix-mautrix-hangouts container.
+      You can expose the container's port using the `matrix_mautrix_hangouts_container_http_host_bind_port` variable.
+  when: "matrix_mautrix_hangouts_enabled|bool and matrix_nginx_proxy_enabled is not defined"

roles/matrix-bridge-mautrix-hangouts/tasks/main.yml

@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_mautrix_hangouts_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-hangouts
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_mautrix_hangouts_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-hangouts
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_mautrix_hangouts_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-hangouts

roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -0,0 +1,73 @@
+---
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-mautrix-hangouts role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- name: Ensure Mautrix Hangouts image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_hangouts_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_hangouts_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_hangouts_docker_image_force_pull }}"
+
+- name: Ensure Mautrix Hangouts paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_mautrix_hangouts_base_path }}"
+    - "{{ matrix_mautrix_hangouts_config_path }}"
+    - "{{ matrix_mautrix_hangouts_data_path }}"
+
+- name: Check if an old database file already exists
+  stat:
+    path: "{{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db"
+  register: matrix_mautrix_hangouts_stat_database
+
+- name: (Data relocation) Ensure matrix-mautrix-hangouts.service is stopped
+  service:
+    name: matrix-mautrix-hangouts
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_mautrix_hangouts_stat_database.stat.exists"
+
+- name: (Data relocation) Move mautrix-hangouts database file to ./data directory
+  command: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
+  when: "matrix_mautrix_hangouts_stat_database.stat.exists"
+
+- name: Ensure mautrix-hangouts config.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_hangouts_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure mautrix-hangouts registration.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_hangouts_registration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure matrix-mautrix-hangouts.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-hangouts.service.j2"
+    dest: "/etc/systemd/system/matrix-mautrix-hangouts.service"
+    mode: 0644
+  register: matrix_mautrix_hangouts_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-mautrix-hangouts.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_hangouts_systemd_service_result.changed"

roles/matrix-bridge-mautrix-hangouts/tasks/setup_uninstall.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Check existence of matrix-mautrix-hangouts service
+  stat:
+    path: "/etc/systemd/system/matrix-mautrix-hangouts.service"
+  register: matrix_mautrix_hangouts_service_stat
+
+- name: Ensure matrix-mautrix-hangouts is stopped
+  service:
+    name: matrix-mautrix-hangouts
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_hangouts_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-hangouts.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-mautrix-hangouts.service"
+    state: absent
+  when: "matrix_mautrix_hangouts_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mautrix-hangouts.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_hangouts_service_stat.stat.exists"

roles/matrix-bridge-mautrix-hangouts/tasks/validate_config.yml

@@ -0,0 +1,14 @@
+---
+
+- name: Fail if required settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_mautrix_hangouts_public_endpoint"
+    - "matrix_mautrix_hangouts_appservice_token"
+    - "matrix_mautrix_hangouts_homeserver_token"
+- debug:
+    msg:
+    - '`matrix_mautrix_hangouts_homeserver_domain` == {{ matrix_mautrix_hangouts_homeserver_domain }}'

roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2

@@ -0,0 +1,48 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix Hangouts server
+{% for service in matrix_mautrix_hangouts_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_hangouts_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-mautrix-hangouts
+ExecStartPre=-/usr/bin/docker rm matrix-mautrix-hangouts
+ExecStartPre=/usr/bin/docker run --rm --name matrix-mautrix-hangouts-db \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			-v {{ matrix_mautrix_hangouts_config_path }}:/config:z \
+			-v {{ matrix_mautrix_hangouts_data_path }}:/data:z \
+			{{ matrix_mautrix_hangouts_docker_image }} \
+			alembic -x config=/config/config.yaml upgrade head
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre=/bin/sleep 5
+
+ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-hangouts \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			-v {{ matrix_mautrix_hangouts_config_path }}:/config:z \
+			-v {{ matrix_mautrix_hangouts_data_path }}:/data:z \
+			{% for arg in matrix_mautrix_hangouts_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_mautrix_hangouts_docker_image }} \
+			python3 -m mautrix_hangouts -c /config/config.yaml
+
+ExecStop=-/usr/bin/docker kill matrix-mautrix-hangouts
+ExecStop=-/usr/bin/docker rm matrix-mautrix-hangouts
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-hangouts
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -3,7 +3,8 @@
 
 matrix_mautrix_telegram_enabled: true
 
-matrix_mautrix_telegram_docker_image: "tulir/mautrix-telegram:v0.6.0"
+# See: https://mau.dev/tulir/mautrix-telegram/container_registry
+matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.6.0"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
 
 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -3,7 +3,8 @@
 
 matrix_mautrix_whatsapp_enabled: true
 
-matrix_mautrix_whatsapp_docker_image: "tulir/mautrix-whatsapp:latest"
+# See: https://mau.dev/tulir/mautrix-whatsapp/container_registry
+matrix_mautrix_whatsapp_docker_image: "dock.mau.dev/tulir/mautrix-whatsapp"
 matrix_mautrix_whatsapp_docker_image_force_pull: "{{ matrix_mautrix_whatsapp_docker_image.endswith(':latest') }}"
 
 matrix_mautrix_whatsapp_base_path: "{{ matrix_base_data_path }}/mautrix-whatsapp"

roles/matrix-corporal/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']
 
-matrix_corporal_docker_image: "devture/matrix-corporal:1.4.0"
+matrix_corporal_docker_image: "devture/matrix-corporal:1.5.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"
 
 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"

roles/matrix-email2matrix/defaults/main.yml

@@ -0,0 +1,43 @@
+matrix_email2matrix_enabled: true
+
+matrix_email2matrix_base_path: "{{ matrix_base_data_path }}/email2matrix"
+matrix_email2matrix_config_dir_path: "{{ matrix_email2matrix_base_path }}/config"
+
+matrix_email2matrix_docker_image: "devture/email2matrix:1.0.1"
+matrix_email2matrix_docker_image_force_pull: "{{ matrix_email2matrix_docker_image.endswith(':latest') }}"
+
+# A list of extra arguments to pass to the container
+matrix_email2matrix_container_extra_arguments: []
+
+# List of systemd services that matrix-corporal.service depends on
+matrix_email2matrix_systemd_required_services_list: ['docker.service']
+
+# Controls where the matrix-email2matrix container exposes the SMTP (tcp/2525 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2525").
+#
+# By default, we listen on port 25 on all of the host's network interfaces.
+matrix_email2matrix_smtp_host_bind_port: "25"
+
+matrix_email2matrix_smtp_hostname: "{{ matrix_server_fqn_matrix }}"
+
+# A list of mailbox to Matrix mappings.
+#
+# Example:
+# matrix_email2matrix_matrix_mappings:
+#  - MailboxName: "mailbox1"
+#    MatrixRoomId: "!bpcwlxIUxVvvgXcbjy:example.com"
+#    MatrixHomeserverUrl: "{{ matrix_homeserver_url }}"
+#    MatrixUserId": "@email2matrix:{{ matrix_domain }}"
+#    MatrixAccessToken": "TOKEN_HERE"
+#    IgnoreSubject: false
+#
+#  - MailboxName: "mailbox2"
+#    MatrixRoomId: "!another:example.com"
+#    MatrixHomeserverUrl: "{{ matrix_homeserver_url }}"
+#    MatrixUserId": "@email2matrix:{{ matrix_domain }}"
+#    MatrixAccessToken": "TOKEN_HERE"
+#    IgnoreSubject: true
+matrix_email2matrix_matrix_mappings: []
+
+matrix_email2matrix_misc_debug: false

roles/matrix-email2matrix/tasks/init.yml

@@ -0,0 +1,3 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix'] }}"
+  when: matrix_email2matrix_enabled|bool

roles/matrix-email2matrix/tasks/main.yml

@@ -0,0 +1,15 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_email2matrix_enabled|bool"
+  tags:
+    - setup-all
+    - setup-email2matrix
+
+- import_tasks: "{{ role_path }}/tasks/setup_email2matrix.yml"
+  when: run_setup|bool
+  tags:
+    - setup-all
+    - setup-email2matrix

roles/matrix-email2matrix/tasks/setup_email2matrix.yml

@@ -0,0 +1,88 @@
+---
+
+#
+# Tasks related to setting up Email2Matrix
+#
+
+- name: Ensure Email2Matrix paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_email2matrix_base_path }}"
+    - "{{ matrix_email2matrix_config_dir_path }}"
+  when: matrix_email2matrix_enabled|bool
+
+- name: Ensure Email2Matrix configuration file created
+  template:
+    src: "{{ role_path }}/templates/config.json.j2"
+    dest: "{{ matrix_email2matrix_config_dir_path }}/config.json"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+    mode: 0640
+  when: matrix_email2matrix_enabled|bool
+
+- name: Ensure Email2Matrix image is pulled
+  docker_image:
+    name: "{{ matrix_email2matrix_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_email2matrix_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_email2matrix_docker_image_force_pull }}"
+  when: matrix_email2matrix_enabled|bool
+
+- name: Ensure matrix-email2matrix.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-email2matrix.service.j2"
+    dest: "/etc/systemd/system/matrix-email2matrix.service"
+    mode: 0644
+  register: matrix_email2matrix_systemd_service_result
+  when: matrix_email2matrix_enabled|bool
+
+- name: Ensure systemd reloaded after matrix-email2matrix.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_email2matrix_enabled|bool and matrix_email2matrix_systemd_service_result.changed"
+
+#
+# Tasks related to getting rid of the Email2Matrix (if it was previously enabled)
+#
+
+- name: Check existence of matrix-email2matrix service
+  stat:
+    path: "/etc/systemd/system/matrix-email2matrix.service"
+  register: matrix_email2matrix_service_stat
+  when: "not matrix_email2matrix_enabled|bool"
+
+- name: Ensure matrix-email2matrix is stopped
+  service:
+    name: matrix-email2matrix
+    state: stopped
+    daemon_reload: yes
+  register: stopping_result
+  when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists"
+
+- name: Ensure matrix-email2matrix.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-email2matrix.service"
+    state: absent
+  when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-email2matrix.service removal
+  service:
+    daemon_reload: yes
+  when: "not matrix_email2matrix_enabled|bool and matrix_email2matrix_service_stat.stat.exists"
+
+- name: Ensure Email2Matrix data path doesn't exist
+  file:
+    path: "{{ matrix_email2matrix_base_path }}"
+    state: absent
+  when: "not matrix_email2matrix_enabled|bool"
+
+- name: Ensure Email2Matrix Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_email2matrix_docker_image }}"
+    state: absent
+  when: "not matrix_email2matrix_enabled|bool"

roles/matrix-email2matrix/tasks/validate_config.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Fail if no mappings
+  fail:
+    msg: >
+      You need to define at least one mapping in `matrix_email2matrix_matrix_mappings` for enabling Email2Matrix.
+  when: "matrix_email2matrix_matrix_mappings|length == 0"

roles/matrix-email2matrix/templates/config.json.j2

@@ -0,0 +1,14 @@
+#jinja2: lstrip_blocks: "True"
+{
+	"Smtp": {
+		"ListenInterface": "0.0.0.0:2525",
+		"Hostname": {{ matrix_email2matrix_smtp_hostname|to_json }},
+		"Workers": 10
+	},
+	"Matrix": {
+		"Mappings": {{ matrix_email2matrix_matrix_mappings|to_nice_json }}
+	},
+	"Misc": {
+		"Debug": {{ matrix_email2matrix_misc_debug|to_json }}
+	}
+}

roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2

@@ -0,0 +1,32 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Email2Matrix
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-email2matrix
+ExecStartPre=-/usr/bin/docker rm matrix-email2matrix
+
+ExecStart=/usr/bin/docker run --rm --name matrix-email2matrix \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--network={{ matrix_docker_network }} \
+			-p {{ matrix_email2matrix_smtp_host_bind_port }}:2525 \
+			--mount type=bind,src={{ matrix_email2matrix_config_dir_path }}/config.json,dst=/config.json,ro \
+			{% for arg in matrix_email2matrix_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_email2matrix_docker_image }}
+
+ExecStop=-/usr/bin/docker kill matrix-email2matrix
+ExecStop=-/usr/bin/docker rm matrix-email2matrix
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-email2matrix
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-mailer/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_mailer_enabled: true
 
 matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"
 
-matrix_mailer_docker_image: "devture/exim-relay:4.92-r0-0"
+matrix_mailer_docker_image: "devture/exim-relay:4.92.1-r0-1"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
 
 # The user/group that the container runs with.

roles/matrix-mxisd/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_mxisd_enabled: true
 
-matrix_mxisd_docker_image: "kamax/mxisd:1.4.5"
+matrix_mxisd_docker_image: "kamax/mxisd:1.4.6"
 matrix_mxisd_docker_image_force_pull: "{{ matrix_mxisd_docker_image.endswith(':latest') }}"
 
 matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"

roles/matrix-nginx-proxy/defaults/main.yml

@@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
-matrix_nginx_proxy_docker_image: "nginx:1.17.2-alpine"
+matrix_nginx_proxy_docker_image: "nginx:1.17.3-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"
 
 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@@ -144,7 +144,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []
 
 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.33.1"
+matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.37.1"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
@@ -152,3 +152,8 @@ matrix_ssl_lets_encrypt_support_email: ~
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
+
+
+# ngnix status page configurations.
+matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
+matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']

roles/matrix-nginx-proxy/tasks/validate_config.yml

@@ -10,3 +10,8 @@
     - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container'}
     - {'old': 'matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container', 'new': 'matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container'}
 
+- name: Fail on unknown matrix_ssl_retrieval_method
+  fail:
+    msg: >-
+      `matrix_ssl_retrieval_method` needs to be set to a known value.
+  when: "matrix_ssl_retrieval_method not in ['lets-encrypt', 'self-signed', 'manually-managed', 'none']"

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-synapse.conf.j2

@@ -1,4 +1,17 @@
 #jinja2: lstrip_blocks: "True"
+{% macro render_nginx_status_location_block(addresses) %}
+	{# Empty first line to make indentation prettier. #}
+
+	location /nginx_status {
+		stub_status on;
+		access_log off;
+		{% for address in addresses %}
+		allow {{ address }};
+		{% endfor %}
+		deny all;
+	}
+{% endmacro %}
+
 server {
 	listen {{ 8080 if matrix_nginx_proxy_enabled else 80 }};
 	server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
@@ -17,6 +30,10 @@ server {
 		{% endif %}
 	}
 
+	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
+		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
+	{% endif %}
+
 	location / {
 		return 301 https://$http_host$request_uri;
 	}
@@ -52,6 +69,10 @@ server {
 		add_header Access-Control-Allow-Origin *;
 	}
 
+	{% if matrix_nginx_proxy_proxy_matrix_nginx_status_enabled %}
+		{{ render_nginx_status_location_block(matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses) }}
+	{% endif %}
+
 	{% if matrix_nginx_proxy_proxy_matrix_corporal_api_enabled %}
 	location /_matrix/corporal {
 		{% if matrix_nginx_proxy_enabled %}

roles/matrix-postgres/defaults/main.yml

@@ -8,9 +8,9 @@ matrix_postgres_db_name: ""
 matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
 matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"
 
-matrix_postgres_docker_image_v9: "postgres:9.6.14-alpine"
-matrix_postgres_docker_image_v10: "postgres:10.9-alpine"
-matrix_postgres_docker_image_v11: "postgres:11.4-alpine"
+matrix_postgres_docker_image_v9: "postgres:9.6.15-alpine"
+matrix_postgres_docker_image_v10: "postgres:10.10-alpine"
+matrix_postgres_docker_image_v11: "postgres:11.5-alpine"
 matrix_postgres_docker_image_latest: "{{ matrix_postgres_docker_image_v11 }}"
 
 # This variable is assigned at runtime. Overriding its value has no effect.

roles/matrix-riot-web/defaults/main.yml

@@ -1,6 +1,6 @@
 matrix_riot_web_enabled: true
 
-matrix_riot_web_docker_image: "bubuntux/riot-web:v1.3.0"
+matrix_riot_web_docker_image: "bubuntux/riot-web:v1.3.3"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"
 
 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"

roles/matrix-synapse/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_synapse_enabled: true
 
-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.2.1"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.3.1"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@@ -61,8 +61,11 @@ matrix_synapse_template_synapse_log: "{{ role_path }}/templates/synapse/synapse.
 
 matrix_synapse_macaroon_secret_key: ""
 matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
+matrix_synapse_allow_guest_access: false
 matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
 
+matrix_synapse_id_servers_public: ['matrix.org', 'vector.im']
+
 # The list of identity servers to use for Synapse.
 # We assume this role runs standalone without a local Identity server, so we point Synapse to public ones.
 # This most likely gets overwritten later, so that a local Identity server is used.
@@ -77,9 +80,9 @@ matrix_synapse_tmp_directory_size_mb: "{{ matrix_synapse_max_upload_size_mb * 50
 # Possible options are defined here https://docs.python.org/3/library/logging.html#logging-levels
 # warning: setting log level to DEBUG will make synapse log sensitive information such
 # as access tokens
-matrix_synapse_log_level: "INFO"
-matrix_synapse_storage_sql_log_level: "INFO"
-matrix_synapse_root_log_level: "INFO"
+matrix_synapse_log_level: "WARNING"
+matrix_synapse_storage_sql_log_level: "WARNING"
+matrix_synapse_root_log_level: "WARNING"
 
 # Rate limits
 matrix_synapse_rc_message:
@@ -223,6 +226,7 @@ matrix_synapse_database_database: ""
 
 matrix_synapse_turn_uris: []
 matrix_synapse_turn_shared_secret: ""
+matrix_synapse_turn_allow_guests: False
 
 matrix_synapse_email_enabled: false
 matrix_synapse_email_smtp_host: ""

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -280,6 +280,26 @@ listeners:
 #  - medium: 'email'
 #    address: 'reserved_user@example.com'
 
+# Used by phonehome stats to group together related servers.
+#server_context: context
+
+# Resource-constrained Homeserver Settings
+#
+# If limit_remote_rooms.enabled is True, the room complexity will be
+# checked before a user joins a new remote room. If it is above
+# limit_remote_rooms.complexity, it will disallow joining or
+# instantly leave.
+#
+# limit_remote_rooms.complexity_error can be set to customise the text
+# displayed to the user when a room above the complexity threshold has
+# its join cancelled.
+#
+# Uncomment the below lines to enable:
+#limit_remote_rooms:
+#  enabled: True
+#  complexity: 1.0
+#  complexity_error: "This room is too complex."
+
 # Whether to require a user to be in the room to add an alias to it.
 # Defaults to 'true'.
 #
@@ -559,6 +579,13 @@ federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_
 
 
 
+## Media Store ##
+
+# Enable the media store service in the Synapse master. Uncomment the
+# following if you are using a separate media store worker.
+#
+#enable_media_repo: false
+
 # Directory where uploaded images and attachments are stored.
 #
 media_store_path: "/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}"
@@ -749,7 +776,7 @@ turn_shared_secret: {{ matrix_synapse_turn_shared_secret|string|to_json }}
 # connect to arbitrary endpoints without having first signed up for a
 # valid account (e.g. by passing a CAPTCHA).
 #
-turn_allow_guests: False
+turn_allow_guests: {{ matrix_synapse_turn_allow_guests|to_json }}
 
 
 ## Registration ##
@@ -796,6 +823,16 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 #  period: 6w
 #  renew_at: 1w
 #  renew_email_subject: "Renew your %(app)s account"
+#  # Directory in which Synapse will try to find the HTML files to serve to the
+#  # user when trying to renew an account. Optional, defaults to
+#  # synapse/res/templates.
+#  template_dir: "res/templates"
+#  # HTML to be displayed to the user after they successfully renewed their
+#  # account. Optional.
+#  account_renewed_html_path: "account_renewed.html"
+#  # HTML to be displayed when the user tries to renew an account with an invalid
+#  # renewal token. Optional.
+#  invalid_token_html_path: "invalid_token.html"
 
 # Time that a user's session remains valid for, after they log in.
 #
@@ -854,7 +891,7 @@ registration_shared_secret: {{ matrix_synapse_registration_shared_secret|string|
 # participate in rooms hosted on this server which have been made
 # accessible to anonymous users.
 #
-#allow_guest_access: false
+allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 
 # The identity server which we suggest that clients should use when users log
 # in on this server.
@@ -945,10 +982,6 @@ app_service_config_files: {{ matrix_synapse_app_service_config_files|to_json }}
 #
 macaroon_secret_key: {{ matrix_synapse_macaroon_secret_key|string|to_json }}
 
-# Used to enable access token expiration.
-#
-#expire_access_token: False
-
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
 # forms to work.
@@ -1509,3 +1542,19 @@ opentracing:
     #
     #homeserver_whitelist:
     #  - ".*"
+
+    # Jaeger can be configured to sample traces at different rates.
+    # All configuration options provided by Jaeger can be set here.
+    # Jaeger's configuration mostly related to trace sampling which
+    # is documented here:
+    # https://www.jaegertracing.io/docs/1.13/sampling/.
+    #
+    #jaeger_config:
+    #  sampler:
+    #    type: const
+    #    param: 1
+
+    #  Logging whether spans were started and reported
+    #
+    #  logging:
+    #    false