Merge branch 'master' of https://github.com/spantaleev/matrix-docker-ansible-deploy

roles/matrix-base/tasks/server_base/setup_debian.yml

@@ -28,7 +28,7 @@
   apt:
     name:
       - bash-completion
-      - python-docker
+      - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
       - ntp
       - fuse
     state: latest

roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_appservice_irc_enabled: true
 
-matrix_appservice_irc_docker_image: "tedomum/matrix-appservice-irc:latest"
+matrix_appservice_irc_docker_image: "matrixdotorg/matrix-appservice-irc:release-0.14.1"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
 
 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
@@ -377,11 +377,6 @@ matrix_appservice_irc_configuration_yaml: |
     enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}
 
   ircService:
-    # The nedb database URI to connect to. This is the name of the directory to
-    # dump .db files to. This is relative to the project directory.
-    # Required.
-    databaseUri: "nedb:///data"
-
     # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
     # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
     # the database.
@@ -474,6 +469,15 @@ matrix_appservice_irc_configuration_yaml: |
     # enough for the vast majority of use cases.
     maxHttpSockets: 1000
 
+  # Use an external database to store bridge state.
+  database:
+    # database engine (must be 'postgres' or 'nedb'). Default: nedb
+    engine: "nedb"
+    # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
+    # For postgres, it must start with postgres://
+    # For NeDB, it must start with nedb://. The path is relative to the project directory.
+    connectionString: "nedb:///data"
+
 matrix_appservice_irc_configuration_extension_yaml: |
   # Your custom YAML configuration for Appservice IRC servers goes here.
   # This configuration extends the default starting configuration (`matrix_appservice_irc_configuration_yaml`).

roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -98,13 +98,15 @@
     --cap-drop=ALL
     -v {{ matrix_appservice_irc_config_path }}:/config:z
     -v {{ matrix_appservice_irc_data_path }}:/data:z
+    --entrypoint=/bin/bash
     {{ matrix_appservice_irc_docker_image }}
-    node app.js
+    -c
+    'node app.js
     -r
     -f /config/registration-template.yaml
     -u "http://matrix-appservice-irc:9999"
     -c /config/config.yaml
-    -l irc_bot
+    -l irc_bot'
   changed_when: false
 
 - name: Read Appservice IRC registration-template.yaml

roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2

@@ -30,8 +30,9 @@ ExecStart=/usr/bin/docker run --rm --name matrix-appservice-irc \
 			{% for arg in matrix_appservice_irc_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
+			--entrypoint=/bin/bash \
 			{{ matrix_appservice_irc_docker_image }} \
-			-c /config/config.yaml -f /config/registration.yaml -p 9999
+			-c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999'
 
 ExecStop=-/usr/bin/docker kill matrix-appservice-irc
 ExecStop=-/usr/bin/docker rm matrix-appservice-irc

roles/matrix-bridge-appservice-slack/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_appservice_slack_enabled: true
 
-matrix_appservice_slack_docker_image: "matrixdotorg/matrix-appservice-slack:release-1.0.2"
+matrix_appservice_slack_docker_image: "cadair/matrix-appservice-slack:latest"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
 
 matrix_appservice_slack_base_path: "{{ matrix_base_data_path }}/appservice-slack"
@@ -51,24 +51,6 @@ matrix_appservice_slack_configuration_yaml: |
     bot_username: "{{ matrix_appservice_slack_bot_name }}"
     username_prefix: {{ matrix_appservice_slack_user_prefix }}
 
-    # Optional if slack_hook_port and inbound_uri_prefix are defined, required otherwise.
-    rtm:
-      # Use the RTM API to listen for requests, which does not require
-      # the bridge to listen on the hook port.
-      # You should leave this enabled, unless you plan to use the
-      # bridge exclusively for webhooks.
-      enable: true
-      logging: "silent" # Logging level specific to RTM traffic.
-      # A prefix similar to inbound_uri_prefix for oauth2 requests. inbound_uri_prefix will be used if this is not set
-      # Optional
-      # redirect_prefix: "https://my.server.here:9898/mycustomoauthendpoint"
-
-    # Allow users to add channels dynamically by using oauth, or puppet themselves.
-    # Optional
-    oauth2:
-      client_id: ""
-      client_secret: ""
-
     homeserver:
         media_url: "{{ matrix_appservice_slack_homeserver_media_url }}"
         url: "{{ matrix_appservice_slack_homeserver_url }}"

roles/matrix-bridge-appservice-webhooks/defaults/main.yml

@@ -0,0 +1,105 @@
+# matrix-appservice-webhooks is a Matrix <-> webhook bridge
+# See: https://github.com/turt2live/matrix-appservice-webhooks
+
+matrix_appservice_webhooks_enabled: true
+
+matrix_appservice_webhooks_docker_image: "turt2live/matrix-appservice-webhooks:latest"
+matrix_appservice_webhooks_docker_image_force_pull: "{{ matrix_appservice_webhooks_docker_image.endswith(':latest') }}"
+
+matrix_appservice_webhooks_base_path: "{{ matrix_base_data_path }}/appservice-webhooks"
+matrix_appservice_webhooks_config_path: "{{ matrix_appservice_webhooks_base_path }}/config"
+matrix_appservice_webhooks_data_path: "{{ matrix_appservice_webhooks_base_path }}/data"
+
+# If nginx-proxy is disabled, the bridge itself expects its endpoint to be on its own domain (e.g. "localhost:6789")
+matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
+matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}"
+
+# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source
+matrix_appservice_webhooks_control_room_id: ''
+matrix_appservice_webhooks_bot_name: 'webhookbot'
+matrix_appservice_webhooks_user_prefix: '_webhook'
+
+# Controls the webhooks_PORT and MATRIX_PORT of the installation
+matrix_appservice_webhooks_matrix_port: 6789
+matrix_appservice_webhooks_webhooks_port: 6788
+
+# Controls whether the appservice-webhooks container exposes its HTTP port (tcp/6788 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
+matrix_appservice_webhooks_container_http_host_bind_port: ''
+
+matrix_appservice_webhooks_homeserver_media_url: "matrix.{{ matrix_domain }}"
+matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:8008"
+matrix_appservice_webhooks_homeserver_domain: "{{ matrix_domain }}"
+matrix_appservice_webhooks_appservice_url: 'http://matrix-appservice-webhooks'
+
+# A list of extra arguments to pass to the container
+matrix_appservice_webhooks_container_extra_arguments: []
+
+# List of systemd services that matrix-appservice-webhooks.service depends on.
+matrix_appservice_webhooks_systemd_required_services_list: ['docker.service', 'matrix-synapse.service']
+
+# List of systemd services that matrix-appservice-webhooks.service wants
+matrix_appservice_webhooks_systemd_wanted_services_list: []
+
+matrix_appservice_webhooks_appservice_token: ''
+matrix_appservice_webhooks_homeserver_token: ''
+matrix_appservice_webhooks_id_token: ''
+matrix_appservice_webhooks_api_secret: ''
+
+# Logging information (info and verbose is available) default is: info
+matrix_appservice_webhooks_log_level: 'info'
+
+matrix_appservice_webhooks_configuration_yaml: |
+
+  # Configuration specific to the application service. All fields (unless otherwise marked) are required.
+  homeserver:
+    # The domain for the client-server API calls.
+    url: "{{ matrix_appservice_webhooks_homeserver_url }}"
+
+    # The domain part for user IDs on this home server. Usually, but not always, this is the same as the
+    # home server's URL.
+    domain: "{{ matrix_domain }}"
+
+  # Configuration specific to the bridge. All fields (unless otherwise marked) are required.
+  webhookBot:
+    # The localpart to use for the bot. May require re-registering the application service.
+    localpart: "_webhook"
+
+  # Provisioning API options
+  provisioning:
+    # Your secret for the API. Required for all provisioning API requests.
+    secret: '{{ matrix_appservice_webhooks_api_secret }}'
+
+  # Configuration related to the web portion of the bridge. Handles the inbound webhooks
+  web:
+    hookUrlBase:  "{{ matrix_appservice_webhooks_inbound_uri_prefix }}"
+
+  logging:
+    console: true
+    consoleLevel: {{ matrix_appservice_webhooks_log_level }}
+    writeFiles: false
+
+matrix_appservice_webhooks_configuration_extension_yaml: |
+  #
+
+matrix_appservice_webhooks_configuration_extension: "{{ matrix_appservice_webhooks_configuration_extension_yaml|from_yaml if matrix_appservice_webhooks_configuration_extension_yaml|from_yaml else {} }}"
+
+matrix_appservice_webhooks_configuration: "{{ matrix_appservice_webhooks_configuration_yaml|from_yaml|combine(matrix_appservice_webhooks_configuration_extension, recursive=True) }}"
+
+matrix_appservice_webhooks_registration_yaml: |
+  id: "{{ matrix_appservice_webhooks_id_token }}"
+  hs_token: "{{ matrix_appservice_webhooks_homeserver_token }}"
+  as_token: "{{ matrix_appservice_webhooks_appservice_token }}"
+  namespaces:
+    users:
+      - exclusive: true
+        regex: '^@{{ matrix_appservice_webhooks_user_prefix | regex_escape }}.*:{{ matrix_domain | regex_escape }}$'
+    aliases: []
+    rooms: []
+  url: "{{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}"
+  sender_localpart: _webhook
+  rate_limited: false
+  protocols: null
+
+matrix_appservice_webhooks_registration: "{{ matrix_appservice_webhooks_registration_yaml|from_yaml }}"

roles/matrix-bridge-appservice-webhooks/tasks/init.yml

@@ -0,0 +1,78 @@
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}"
+  when: matrix_appservice_webhooks_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"]
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/matrix-appservice-webhooks-registration.yaml"] }}
+  when: matrix_appservice_webhooks_enabled|bool
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-appservice-webhooks role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- block:
+  - name: Fail if matrix-nginx-proxy role already executed
+    fail:
+      msg: >-
+        Trying to append webhooks Appservice's reverse-proxying configuration to matrix-nginx-proxy,
+        but it's pointless since the matrix-nginx-proxy role had already executed.
+        To fix this, please change the order of roles in your plabook,
+        so that the matrix-nginx-proxy role would run after the matrix-bridge-appservice-webhooks role.
+    when: matrix_nginx_proxy_role_executed|default(False)|bool
+
+  - name: Generate Matrix Appservice webhooks proxying configuration for matrix-nginx-proxy
+    set_fact:
+      matrix_appservice_webhooks_matrix_nginx_proxy_configuration: |
+        location {{ matrix_appservice_webhooks_public_endpoint }}/ {
+        {% if matrix_nginx_proxy_enabled|default(False) %}
+        {# Use the embedded DNS resolver in Docker containers to discover the service #}
+          resolver 127.0.0.11 valid=5s;
+          proxy_pass {{ matrix_appservice_webhooks_appservice_url }}:{{ matrix_appservice_webhooks_matrix_port }}/;
+        {% else %}
+          {# Generic configuration for use outside of our container setup #}
+          proxy_pass http://127.0.0.1:{{ matrix_appservice_webhooks_matrix_port }}/;
+        {% endif %}
+        }
+
+  - name: Register webhooks Appservice proxying configuration with matrix-nginx-proxy
+    set_fact:
+      matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+        {{
+          matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+          +
+          [matrix_appservice_webhooks_matrix_nginx_proxy_configuration]
+        }}
+  tags:
+   - always
+  when: matrix_appservice_webhooks_enabled|bool
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+  debug:
+    msg: >-
+      NOTE: You've enabled the Matrix webhooks bridge but are not using the matrix-nginx-proxy
+      reverse proxy.
+      Please make sure that you're proxying the `{{ matrix_appservice_webhooks_public_endpoint }}`
+      URL endpoint to the matrix-appservice-webhooks container.
+      You can expose the container's port using the `matrix_appservice_webhooks_container_http_host_bind_port` variable.
+  when: "matrix_appservice_webhooks_enabled|bool and matrix_nginx_proxy_enabled is not defined"

roles/matrix-bridge-appservice-webhooks/tasks/main.yml

@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool"
+  tags:
+    - setup-all
+    - setup-appservice-webhooks
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_appservice_webhooks_enabled|bool"
+  tags:
+    - setup-all
+    - setup-appservice-webhooks
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_appservice_webhooks_enabled|bool"
+  tags:
+    - setup-all
+    - setup-appservice-webhooks

roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml

@@ -0,0 +1,64 @@
+---
+
+- name: Ensure Appservice webhooks image is pulled
+  docker_image:
+    name: "{{ matrix_appservice_webhooks_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_appservice_webhooks_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_webhooks_docker_image_force_pull }}"
+
+- name: Ensure AppService webhooks paths exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "{{ matrix_appservice_webhooks_base_path }}"
+    - "{{ matrix_appservice_webhooks_config_path }}"
+    - "{{ matrix_appservice_webhooks_data_path }}"
+
+- name: Ensure Matrix Appservice webhooks config is installed
+  copy:
+    content: "{{ matrix_appservice_webhooks_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure Matrix Appservice webhooks schema.yml template exists
+  template:
+    src: "{{ role_path }}/templates/schema.yml.j2"
+    dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure Matrix Appservice webhooks database.json template exists
+  template:
+    src: "{{ role_path }}/templates/database.json.j2"
+    dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure appservice-webhooks registration.yaml installed
+  copy:
+    content: "{{ matrix_appservice_webhooks_registration|to_nice_yaml }}"
+    dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure matrix-appservice-webhooks.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-appservice-webhooks.service.j2"
+    dest: "/etc/systemd/system/matrix-appservice-webhooks.service"
+    mode: 0644
+  register: matrix_appservice_webhooks_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-appservice-webhooks.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_appservice_webhooks_systemd_service_result.changed"

roles/matrix-bridge-appservice-webhooks/tasks/setup_uninstall.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Check existence of matrix-appservice-webhooks service
+  stat:
+    path: "/etc/systemd/system/matrix-appservice-webhooks.service"
+  register: matrix_appservice_webhooks_service_stat
+
+- name: Ensure matrix-appservice-webhooks is stopped
+  service:
+    name: matrix-appservice-webhooks
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_appservice_webhooks_service_stat.stat.exists"
+
+- name: Ensure matrix-appservice-webhooks.service doesn't exist
+  file:
+    path: "/etc/systemd/system/matrix-appservice-webhooks.service"
+    state: absent
+  when: "matrix_appservice_webhooks_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-appservice-webhooks.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_appservice_webhooks_service_stat.stat.exists"

roles/matrix-bridge-appservice-webhooks/tasks/validate_config.yml

@@ -0,0 +1,12 @@
+---
+
+- name: Fail if required settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_appservice_webhooks_appservice_token"
+    - "matrix_appservice_webhooks_homeserver_token"
+    - "matrix_appservice_webhooks_id_token"
+    - "matrix_appservice_webhooks_api_secret"

roles/matrix-bridge-appservice-webhooks/templates/database.json.j2

@@ -0,0 +1,13 @@
+{
+  "defaultEnv": {
+    "ENV": "NODE_ENV"
+  },
+  "development": {
+    "driver": "sqlite3",
+    "filename": "/data/development.db"
+  },
+  "production": {
+    "driver": "sqlite3",
+    "filename": "/data/production.db"
+  }
+}

roles/matrix-bridge-appservice-webhooks/templates/schema.yml.j2

@@ -0,0 +1,54 @@
+"$schema": "http://json-schema.org/draft-04/schema#"
+type: "object"
+properties:
+  provisioning:
+    type: "object"
+    properties:
+      secret:
+        type: "string"
+  homeserver:
+    type: "object"
+    properties:
+      domain:
+        type: "string"
+      url:
+        type: "string"
+      mediaUrl:
+        type: "string"
+  web:
+    type: "object"
+    properties:
+      hookUrlBase:
+        type: "string"
+  webhookBot:
+    type: "object"
+    properties:
+      localpart:
+        type: "string"
+      appearance:
+        type: "object"
+        properties:
+          displayName:
+            type: "string"
+          avatarUrl:
+            type: "string"
+  logging:
+    type: "object"
+    properties:
+      file:
+        type: "string"
+      console:
+        type: "boolean"
+      consoleLevel:
+        type: "string"
+      fileLevel:
+        type: "string"
+      writeFiles:
+        type: "boolean"
+      rotate:
+        type: "object"
+        properties:
+          size:
+            type: "number"
+          count:
+            type: "number"

roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2

@@ -0,0 +1,43 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Appservice webhooks server
+{% for service in matrix_appservice_webhooks_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_appservice_webhooks_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-appservice-webhooks
+ExecStartPre=-/usr/bin/docker rm matrix-appservice-webhooks
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre=/bin/sleep 5
+
+ExecStart=/usr/bin/docker run --rm --name matrix-appservice-webhooks \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_appservice_webhooks_container_http_host_bind_port %}
+			-p {{ matrix_appservice_webhooks_container_http_host_bind_port }}:{{matrix_appservice_webhooks_matrix_port}} \
+			{% endif %}
+			-v {{ matrix_appservice_webhooks_config_path }}:/config:z \
+			-v {{ matrix_appservice_webhooks_data_path }}:/data:z \
+			{% for arg in matrix_appservice_webhooks_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_appservice_webhooks_docker_image }} \
+			node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml
+
+ExecStop=-/usr/bin/docker kill matrix-appservice-webhooks
+ExecStop=-/usr/bin/docker rm matrix-appservice-webhooks
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-appservice-webhooks
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -4,7 +4,7 @@
 matrix_mautrix_telegram_enabled: true
 
 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
-matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.6.1"
+matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.7.0"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
 
 matrix_mautrix_telegram_base_path: "{{ matrix_base_data_path }}/mautrix-telegram"

roles/matrix-corporal/tasks/self_check_corporal.yml

@@ -6,7 +6,7 @@
 - name: Check Matrix Corporal HTTP gateway
   uri:
     url: "{{ corporal_client_api_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
     return_content: true
   register: result_corporal_client_api
   ignore_errors: true

roles/matrix-mxisd/tasks/self_check_mxisd.yml

@@ -6,7 +6,7 @@
 - name: Check mxisd Identity Service
   uri:
     url: "{{ mxisd_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
     validate_certs: "{{ matrix_mxisd_self_check_validate_certificates }}"
   register: result_mxisd
   ignore_errors: true

roles/matrix-nginx-proxy/defaults/main.yml

@@ -152,15 +152,27 @@ matrix_nginx_proxy_proxy_matrix_federation_api_ssl_certificate_key: "{{ matrix_s
 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_nginx_proxy_tmp_directory_size_mb: "{{ (matrix_nginx_proxy_proxy_matrix_federation_api_client_max_body_size_mb | int) * 50 }}"
 
-# A list of strings containing additional configuration blocks to add to the matrix domain's server configuration.
+# A list of strings containing additional configuration blocks to add to the nginx http's server configuration.
+matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the matrix synapse's server configuration.
 matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: []
 
+# A list of strings containing additional configuration blocks to add to the matrix riot's server configuration.
+matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the matrix dimension's server configuration.
+matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks: []
+
+# A list of strings containing additional configuration blocks to add to the matrix domain server configuration.
+matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []
+
 # Specifies when to reload the matrix-nginx-proxy service so that
 # a new SSL certificate could go into effect.
 matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
 
 # Specifies which SSL protocols to use when serving Riot and Synapse
-matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
+matrix_nginx_proxy_ssl_protocols: "TLSv1.2 TLSv1.3"
 
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true

roles/matrix-nginx-proxy/tasks/self_check_well_known.yml

@@ -6,7 +6,7 @@
       - path: /.well-known/matrix/client
         purpose: Client Discovery
         cors: true
-        follow_redirects: false
+        follow_redirects: none
         validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
 
 - block:
@@ -15,7 +15,7 @@
           path: /.well-known/matrix/server
           purpose: Server Discovery
           cors: false
-          follow_redirects: true
+          follow_redirects: safe
           validate_certs: "{{ matrix_nginx_proxy_self_check_validate_certificates }}"
 
     - name: Determine domains that we require certificates for (mxisd)

roles/matrix-nginx-proxy/tasks/self_check_well_known_file.yml

@@ -9,7 +9,7 @@
 - name: Check .well-known on the matrix hostname
   uri:
     url: "{{ well_known_url_matrix }}"
-    follow_redirects: false
+    follow_redirects: none
     return_content: true
     validate_certs: "{{ well_known_file_check.validate_certs }}"
   register: result_well_known_matrix

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2

@@ -3,6 +3,9 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+{% for configuration_block in matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}
 
 	location / {
 		{% if matrix_nginx_proxy_enabled %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -5,6 +5,9 @@
 
 	gzip on;
 	gzip_types text/plain application/json;
+	{% for configuration_block in matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks %}
+		{{- configuration_block }}
+	{% endfor %}
 
 	location /.well-known/matrix {
 		root {{ matrix_static_files_base_path }};

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-riot-web.conf.j2

@@ -3,6 +3,9 @@
 {% macro render_vhost_directives() %}
 	gzip on;
 	gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
+	{% for configuration_block in matrix_nginx_proxy_proxy_riot_additional_server_configuration_blocks %}
+		{{- configuration_block }}
+	{% endfor %}
 
 	location / {
 		{% if matrix_nginx_proxy_enabled %}

roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-http.conf.j2

@@ -3,4 +3,7 @@
 # which can sometimes be too low to handle our 2 vhosts (Synapse and Riot).
 #
 # Thus, we ensure a larger bucket size value is used.
-server_names_hash_bucket_size 64;
+server_names_hash_bucket_size 64;
+{% for configuration_block in matrix_nginx_proxy_proxy_http_additional_server_configuration_blocks %}
+	{{- configuration_block }}
+{% endfor %}

roles/matrix-postgres/tasks/setup_postgres.yml

@@ -73,13 +73,19 @@
     mode: 0750
   when: matrix_postgres_enabled|bool
 
-- name: Ensure matrix-make-user-admin script created
+- name: Ensure matrix-change-user-admin-status script created
   template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2"
-    dest: "/usr/local/bin/matrix-make-user-admin"
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-change-user-admin-status.j2"
+    dest: "/usr/local/bin/matrix-change-user-admin-status"
     mode: 0750
   when: matrix_postgres_enabled|bool
 
+- name: (Migration) Ensure old matrix-make-user-admin script deleted
+  file:
+    path: "/usr/local/bin/matrix-make-user-admin"
+    state: absent
+  when: matrix_postgres_enabled|bool
+
 - name: Ensure matrix-postgres-update-user-password-hash script created
   template:
     src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-update-user-password-hash.j2"
@@ -146,6 +152,6 @@
     state: absent
   with_items:
     - matrix-postgres-cli
-    - matrix-make-user-admin
+    - matrix-change-user-admin-status
     - matrix-postgres-update-user-password-hash
   when: "not matrix_postgres_enabled|bool"

roles/matrix-postgres/tasks/upgrade_postgres.yml

@@ -20,6 +20,11 @@
     postgres_start_wait_time: 15
   when: "postgres_start_wait_time|default('') == ''"
 
+- name: Set postgres_force_upgrade, if not provided
+  set_fact:
+    postgres_force_upgrade: false
+  when: "postgres_force_upgrade|default('') == ''"
+
 - name: Fail, if trying to upgrade external Postgres database
   fail:
     msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade."
@@ -45,7 +50,7 @@
 - name: Abort, if already at latest Postgres version
   fail:
     msg: "You are already running the latest Postgres version supported ({{ matrix_postgres_docker_image_latest }}). Nothing to do"
-  when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest"
+  when: "matrix_postgres_detected_version_corresponding_docker_image == matrix_postgres_docker_image_latest and not postgres_force_upgrade"
 
 - debug:
     msg: "Upgrading database from {{ matrix_postgres_detected_version_corresponding_docker_image }} to {{ matrix_postgres_docker_image_latest }}"

roles/matrix-postgres/templates/env-postgres-server.j2

@@ -1,4 +1,7 @@
 #jinja2: lstrip_blocks: "True"
 POSTGRES_USER={{ matrix_postgres_connection_username }}
 POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
-POSTGRES_DB={{ matrix_postgres_db_name }}
+POSTGRES_DB={{ matrix_postgres_db_name }}
+# Synapse refuses to run if collation is not C.
+# See https://github.com/matrix-org/synapse/issues/6722
+POSTGRES_INITDB_ARGS=--lc-collate C --lc-ctype C --encoding UTF8

roles/matrix-postgres/templates/usr-local-bin/matrix-change-user-admin-status.j2

@@ -0,0 +1,19 @@
+#jinja2: lstrip_blocks: "True"
+#!/bin/bash
+
+if [ $# -ne 2 ]; then
+	echo "Usage: "$0" <username> <0/1>"
+	echo "Usage: 0 = non-admin"
+	echo "Usage: 1 = admin"
+	exit 1
+fi
+
+docker run \
+	-it \
+	--rm \
+	--user=991:991 \
+	--cap-drop=ALL \
+	--env-file=/matrix/postgres/env-postgres-psql \
+	--network matrix \
+	postgres:12.1-alpine \
+	psql -h matrix-postgres -c "UPDATE users set admin=$2 WHERE name like '@$1:{{ matrix_domain }}'"

roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2

@@ -1,17 +0,0 @@
-#jinja2: lstrip_blocks: "True"
-#!/bin/bash
-
-if [ $# -ne 1 ]; then
-	echo "Usage: "$0" <username>"
-	exit 1
-fi
-
-docker run \
-	-it \
-	--rm \
-	--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
-    --cap-drop=ALL \
-	--env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
-	--network {{ matrix_docker_network }} \
-	{{ matrix_postgres_docker_image_to_use }} \
-	psql -h {{ matrix_postgres_connection_hostname }} -c "UPDATE users set admin=1 WHERE name like '@$1:{{ matrix_domain }}'"

roles/matrix-riot-web/defaults/main.yml

@@ -1,6 +1,6 @@
 matrix_riot_web_enabled: true
 
-matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.7"
+matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.8"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"
 
 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"

roles/matrix-riot-web/tasks/self_check_riot_web.yml

@@ -6,7 +6,7 @@
 - name: Check riot-web
   uri:
     url: "{{ riot_web_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
     validate_certs: "{{ matrix_riot_web_self_check_validate_certificates }}"
   register: result_riot_web
   ignore_errors: true

roles/matrix-synapse/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_synapse_enabled: true
 
-matrix_synapse_docker_image: "matrixdotorg/synapse:v1.8.0"
+matrix_synapse_docker_image: "matrixdotorg/synapse:v1.9.1"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@@ -259,13 +259,13 @@ matrix_synapse_email_smtp_host: ""
 matrix_synapse_email_smtp_port: 587
 matrix_synapse_email_smtp_require_transport_security: false
 matrix_synapse_email_notif_from: "Matrix <matrix@{{ matrix_domain }}>"
-matrix_synapse_email_riot_base_url: "https://{{ matrix_server_fqn_riot }}"
+matrix_synapse_email_client_base_url: "https://{{ matrix_server_fqn_riot }}"
 
 
 # Enable this to activate the REST auth password provider module.
-# See: https://github.com/kamax-io/matrix-synapse-rest-auth
+# See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
 matrix_synapse_ext_password_provider_rest_auth_enabled: false
-matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/kamax-io/matrix-synapse-rest-auth/v0.1.2/rest_auth_provider.py"
+matrix_synapse_ext_password_provider_rest_auth_download_url: "https://raw.githubusercontent.com/ma1uta/matrix-synapse-rest-password-provider/ed377fb70513c2e51b42055eb364195af1ccaf33/rest_auth_provider.py"
 matrix_synapse_ext_password_provider_rest_auth_endpoint: ""
 matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true

roles/matrix-synapse/tasks/self_check_client_api.yml

@@ -3,7 +3,7 @@
 - name: Check Matrix Client API
   uri:
     url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
     validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
   register: result_matrix_synapse_client_api
   ignore_errors: true

roles/matrix-synapse/tasks/self_check_federation_api.yml

@@ -3,7 +3,7 @@
 - name: Check Matrix Federation API
   uri:
     url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
-    follow_redirects: false
+    follow_redirects: none
     validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
   register: result_matrix_synapse_federation_api
   ignore_errors: true

roles/matrix-synapse/tasks/validate_config.yml

@@ -15,6 +15,7 @@
       Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
   when: "item.old in vars"
   with_items:
+    - {'old': 'matrix_synapse_email_riot_base_url', 'new': '<superseded by client_base_url>'}
     - {'old': 'matrix_synapse_container_expose_api_port', 'new': '<superseded by matrix_synapse_container_federation_api_plain_host_bind_port>'}
     - {'old': 'matrix_synapse_no_tls', 'new': '<removed>'}
     - {'old': 'matrix_enable_room_list_search', 'new': 'matrix_synapse_enable_room_list_search'}

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -392,17 +392,17 @@ retention:
   #
   # The rationale for this per-job configuration is that some rooms might have a
   # retention policy with a low 'max_lifetime', where history needs to be purged
-  # of outdated messages on a very frequent basis (e.g. every 5min), but not want
-  # that purge to be performed by a job that's iterating over every room it knows,
-  # which would be quite heavy on the server.
+  # of outdated messages on a more frequent basis than for the rest of the rooms
+  # (e.g. every 12h), but not want that purge to be performed by a job that's
+  # iterating over every room it knows, which could be heavy on the server.
   #
   #purge_jobs:
   #  - shortest_max_lifetime: 1d
   #    longest_max_lifetime: 3d
-  #    interval: 5m:
+  #    interval: 12h
   #  - shortest_max_lifetime: 3d
   #    longest_max_lifetime: 1y
-  #    interval: 24h
+  #    interval: 1d
 
 
 ## TLS ##
@@ -891,23 +891,6 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 # Optional account validity configuration. This allows for accounts to be denied
 # any request after a given period.
 #
-# ``enabled`` defines whether the account validity feature is enabled. Defaults
-# to False.
-#
-# ``period`` allows setting the period after which an account is valid
-# after its registration. When renewing the account, its validity period
-# will be extended by this amount of time. This parameter is required when using
-# the account validity feature.
-#
-# ``renew_at`` is the amount of time before an account's expiry date at which
-# Synapse will send an email to the account's email address with a renewal link.
-# This needs the ``email`` and ``public_baseurl`` configuration sections to be
-# filled.
-#
-# ``renew_email_subject`` is the subject of the email sent out with the renewal
-# link. ``%(app)s`` can be used as a placeholder for the ``app_name`` parameter
-# from the ``email`` section.
-#
 # Once this feature is enabled, Synapse will look for registered users without an
 # expiration date at startup and will add one to every account it found using the
 # current settings at that time.
@@ -918,32 +901,55 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 # date will be randomly selected within a range [now + period - d ; now + period],
 # where d is equal to 10% of the validity period.
 #
-#account_validity:
-#  enabled: True
-#  period: 6w
-#  renew_at: 1w
-#  renew_email_subject: "Renew your %(app)s account"
-#  # Directory in which Synapse will try to find the HTML files to serve to the
-#  # user when trying to renew an account. Optional, defaults to
-#  # synapse/res/templates.
-#  template_dir: "res/templates"
-#  # HTML to be displayed to the user after they successfully renewed their
-#  # account. Optional.
-#  account_renewed_html_path: "account_renewed.html"
-#  # HTML to be displayed when the user tries to renew an account with an invalid
-#  # renewal token. Optional.
-#  invalid_token_html_path: "invalid_token.html"
+account_validity:
+  # The account validity feature is disabled by default. Uncomment the
+  # following line to enable it.
+  #
+  #enabled: true
 
-# Time that a user's session remains valid for, after they log in.
-#
-# Note that this is not currently compatible with guest logins.
-#
-# Note also that this is calculated at login time: changes are not applied
-# retrospectively to users who have already logged in.
-#
-# By default, this is infinite.
-#
-#session_lifetime: 24h
+  # The period after which an account is valid after its registration. When
+  # renewing the account, its validity period will be extended by this amount
+  # of time. This parameter is required when using the account validity
+  # feature.
+  #
+  #period: 6w
+
+  # The amount of time before an account's expiry date at which Synapse will
+  # send an email to the account's email address with a renewal link. By
+  # default, no such emails are sent.
+  #
+  # If you enable this setting, you will also need to fill out the 'email' and
+  # 'public_baseurl' configuration sections.
+  #
+  #renew_at: 1w
+
+  # The subject of the email sent out with the renewal link. '%(app)s' can be
+  # used as a placeholder for the 'app_name' parameter from the 'email'
+  # section.
+  #
+  # Note that the placeholder must be written '%(app)s', including the
+  # trailing 's'.
+  #
+  # If this is not set, a default value is used.
+  #
+  #renew_email_subject: "Renew your %(app)s account"
+
+  # Directory in which Synapse will try to find templates for the HTML files to
+  # serve to the user when trying to renew an account. If not set, default
+  # templates from within the Synapse package will be used.
+  #
+  #template_dir: "res/templates"
+
+  # File within 'template_dir' giving the HTML to be displayed to the user after
+  # they successfully renewed their account. If not set, default text is used.
+  #
+  #account_renewed_html_path: "account_renewed.html"
+
+  # File within 'template_dir' giving the HTML to be displayed when the user
+  # tries to renew an account with an invalid renewal token. If not set,
+  # default text is used.
+  #
+  #invalid_token_html_path: "invalid_token.html"
 
 # The user must provide all of the below types of 3PID when registering.
 #
@@ -1378,107 +1384,123 @@ password_config:
    pepper: {{ matrix_synapse_password_config_pepper|string|to_json }}
 
 
-
-# Enable sending emails for password resets, notification events or
-# account expiry notices
-#
-# If your SMTP server requires authentication, the optional smtp_user &
-# smtp_pass variables should be used
-#
-#email:
-#   enable_notifs: false
-#   smtp_host: "localhost"
-#   smtp_port: 25 # SSL: 465, STARTTLS: 587
-#   smtp_user: "exampleusername"
-#   smtp_pass: "examplepassword"
-#   require_transport_security: False
-#   notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
-#   app_name: Matrix
-#
-#   # Enable email notifications by default
-#   #
-#   notif_for_new_users: True
-#
-#   # Defining a custom URL for Riot is only needed if email notifications
-#   # should contain links to a self-hosted installation of Riot; when set
-#   # the "app_name" setting is ignored
-#   #
-#   riot_base_url: "http://localhost/riot"
-#
-#   # Configure the time that a validation email or text message code
-#   # will expire after sending
-#   #
-#   # This is currently used for password resets
-#   #
-#   #validation_token_lifetime: 1h
-#
-#   # Template directory. All template files should be stored within this
-#   # directory. If not set, default templates from within the Synapse
-#   # package will be used
-#   #
-#   # For the list of default templates, please see
-#   # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-#   #
-#   #template_dir: res/templates
-#
-#   # Templates for email notifications
-#   #
-#   notif_template_html: notif_mail.html
-#   notif_template_text: notif_mail.txt
-#
-#   # Templates for account expiry notices
-#   #
-#   expiry_template_html: notice_expiry.html
-#   expiry_template_text: notice_expiry.txt
-#
-#   # Templates for password reset emails sent by the homeserver
-#   #
-#   #password_reset_template_html: password_reset.html
-#   #password_reset_template_text: password_reset.txt
-#
-#   # Templates for registration emails sent by the homeserver
-#   #
-#   #registration_template_html: registration.html
-#   #registration_template_text: registration.txt
-#
-#   # Templates for validation emails sent by the homeserver when adding an email to
-#   # your user account
-#   #
-#   #add_threepid_template_html: add_threepid.html
-#   #add_threepid_template_text: add_threepid.txt
-#
-#   # Templates for password reset success and failure pages that a user
-#   # will see after attempting to reset their password
-#   #
-#   #password_reset_template_success_html: password_reset_success.html
-#   #password_reset_template_failure_html: password_reset_failure.html
-#
-#   # Templates for registration success and failure pages that a user
-#   # will see after attempting to register using an email or phone
-#   #
-#   #registration_template_success_html: registration_success.html
-#   #registration_template_failure_html: registration_failure.html
-#
-#   # Templates for success and failure pages that a user will see after attempting
-#   # to add an email or phone to their account
-#   #
-#   #add_threepid_success_html: add_threepid_success.html
-#   #add_threepid_failure_html: add_threepid_failure.html
 {% if matrix_synapse_email_enabled %}
+# Configuration for sending emails from Synapse.
+#
 email:
-   enable_notifs: true
-   smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
-   smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
-   require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
-   notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
-   app_name: Matrix
-   notif_template_html: notif_mail.html
-   notif_template_text: notif_mail.txt
-   # Templates for account expiry notices.
-   expiry_template_html: notice_expiry.html
-   expiry_template_text: notice_expiry.txt
-   notif_for_new_users: True
-   riot_base_url: {{ matrix_synapse_email_riot_base_url|string|to_json }}
+  # The hostname of the outgoing SMTP server to use. Defaults to 'localhost'.
+  #
+  #smtp_host: mail.server
+  smtp_host: {{ matrix_synapse_email_smtp_host|string|to_json }}
+
+  # The port on the mail server for outgoing SMTP. Defaults to 25.
+  #
+  #smtp_port: 587
+  smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
+
+  # Username/password for authentication to the SMTP server. By default, no
+  # authentication is attempted.
+  #
+  # smtp_user: "exampleusername"
+  # smtp_pass: "examplepassword"
+
+  # Uncomment the following to require TLS transport security for SMTP.
+  # By default, Synapse will connect over plain text, and will then switch to
+  # TLS via STARTTLS *if the SMTP server supports it*. If this option is set,
+  # Synapse will refuse to connect unless the server supports STARTTLS.
+  #
+  #require_transport_security: true
+  require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
+
+  # Enable sending emails for messages that the user has missed
+  #
+  #enable_notifs: false
+  enable_notifs: true
+
+  # notif_from defines the "From" address to use when sending emails.
+  # It must be set if email sending is enabled.
+  #
+  # The placeholder '%(app)s' will be replaced by the application name,
+  # which is normally 'app_name' (below), but may be overridden by the
+  # Matrix client application.
+  #
+  # Note that the placeholder must be written '%(app)s', including the
+  # trailing 's'.
+  #
+  #notif_from: "Your Friendly %(app)s homeserver <noreply@example.com>"
+  notif_from: {{ matrix_synapse_email_notif_from|string|to_json }}
+
+  # app_name defines the default value for '%(app)s' in notif_from. It
+  # defaults to 'Matrix'.
+  #
+  #app_name: my_branded_matrix_server
+  app_name: Matrix
+
+  # Uncomment the following to disable automatic subscription to email
+  # notifications for new users. Enabled by default.
+  #
+  #notif_for_new_users: false
+  notif_for_new_users: True
+
+  # Custom URL for client links within the email notifications. By default
+  # links will be based on "https://matrix.to".
+  #
+  # (This setting used to be called riot_base_url; the old name is still
+  # supported for backwards-compatibility but is now deprecated.)
+  #
+  #client_base_url: "http://localhost/riot"
+  client_base_url: {{ matrix_synapse_email_client_base_url|string|to_json }}
+
+  # Configure the time that a validation email will expire after sending.
+  # Defaults to 1h.
+  #
+  #validation_token_lifetime: 15m
+
+  # Directory in which Synapse will try to find the template files below.
+  # If not set, default templates from within the Synapse package will be used.
+  #
+  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+  # If you *do* uncomment it, you will need to make sure that all the templates
+  # below are in the directory.
+  #
+  # Synapse will look for the following templates in this directory:
+  #
+  # * The contents of email notifications of missed events: 'notif_mail.html' and
+  #   'notif_mail.txt'.
+  #
+  # * The contents of account expiry notice emails: 'notice_expiry.html' and
+  #   'notice_expiry.txt'.
+  #
+  # * The contents of password reset emails sent by the homeserver:
+  #   'password_reset.html' and 'password_reset.txt'
+  #
+  # * HTML pages for success and failure that a user will see when they follow
+  #   the link in the password reset email: 'password_reset_success.html' and
+  #   'password_reset_failure.html'
+  #
+  # * The contents of address verification emails sent during registration:
+  #   'registration.html' and 'registration.txt'
+  #
+  # * HTML pages for success and failure that a user will see when they follow
+  #   the link in an address verification email sent during registration:
+  #   'registration_success.html' and 'registration_failure.html'
+  #
+  # * The contents of address verification emails sent when an address is added
+  #   to a Matrix account: 'add_threepid.html' and 'add_threepid.txt'
+  #
+  # * HTML pages for success and failure that a user will see when they follow
+  #   the link in an address verification email sent when an address is added
+  #   to a Matrix account: 'add_threepid_success.html' and
+  #   'add_threepid_failure.html'
+  #
+  # You can see the default templates at:
+  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
+  #
+  #template_dir: "res/templates"
+  notif_template_html: notif_mail.html
+  notif_template_text: notif_mail.txt
+  expiry_template_html: notice_expiry.html
+  expiry_template_text: notice_expiry.txt
 {% endif %}