Allow Synapse manhole to be enabled

Can you double check that the way I have this set only exposes it locally? It is important that the manhole is not available to the outside world since it is quite powerful and the password is hard coded.

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -229,11 +229,13 @@ listeners:
         compress: false
 {% endif %}
 
+{% if matrix_synapse_manhole_enabled %}
   # Turn on the twisted ssh manhole service on localhost on the given
   # port.
-  # - port: 9000
-  #   bind_addresses: ['::1', '127.0.0.1']
-  #   type: manhole
+  - port: 9000
+    bind_addresses: ['0.0.0.0']
+    type: manhole
+{% endif %}
 
 
 ## Homeserver blocking ##

roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -41,6 +41,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
 			{% if matrix_synapse_metrics_enabled and matrix_synapse_container_metrics_api_host_bind_port %}
 			-p {{ matrix_synapse_container_metrics_api_host_bind_port }}:{{ matrix_synapse_metrics_port }} \
 			{% endif %}
+			{% if matrix_synapse_manhole_enabled and matrix_synapse_container_manhole_api_host_bind_port %}
+			-p {{ matrix_synapse_container_manhole_api_host_bind_port }}:9000 \
+			{% endif %}
 			-v {{ matrix_synapse_config_dir_path }}:/data:ro \
 			-v {{ matrix_synapse_run_path }}:/matrix-run:rw \
 			-v {{ matrix_synapse_storage_path }}:/matrix-media-store-parent:slave \