Merge remote-tracking branch 'upstream/master' into gomatrixhosting-testing

2021-12-15 15:10:06 +08:00
parent aef9a1ea1f 5be1310541
commit 9b4e4477d9
49 changed files with 488 additions and 181 deletions
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -118,6 +118,72 @@ matrix_client_element_e2ee_secure_backup_required: false
 # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
 matrix_client_element_e2ee_secure_backup_setup_methods: []

+# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
+# You can customize it by controlling the various variables inside the template file that it references.
+#
+# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}"
+
+# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_well_known_matrix_client_configuration`.
+#
+# Example configuration extension follows:
+#
+# matrix_well_known_matrix_client_configuration_extension_json: |
+#   {
+#     "io.element.call_behaviour": {
+#       "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state"
+#     }
+#   }
+matrix_well_known_matrix_client_configuration_extension_json: '{}'
+
+matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`.
+matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}"
+
+# Default `/.well-known/matrix/server` configuration - it covers the generic use case.
+# You can customize it by controlling the various variables inside the template file that it references.
+#
+# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}"
+
+# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_well_known_matrix_server_configuration`.
+#
+# Example configuration extension follows:
+#
+# matrix_well_known_matrix_server_configuration_extension_json: |
+#   {
+#     "something": "another"
+#   }
+matrix_well_known_matrix_server_configuration_extension_json: '{}'
+
+matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`.
+matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}"
+
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"

--- a/roles/matrix-base/tasks/setup_well_known.yml
+++ b/roles/matrix-base/tasks/setup_well_known.yml
@ -13,16 +13,16 @@
    - "{{ matrix_static_files_base_path }}/.well-known/matrix"

 - name: Ensure Matrix /.well-known/matrix/client file configured
-  template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
+  copy:
+    content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}"
    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
    mode: 0644
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

 - name: Ensure Matrix /.well-known/matrix/server file configured
-  template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2"
+  copy:
+    content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}"
    dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
    mode: 0644
    owner: "{{ matrix_user_username }}"
--- a/roles/matrix-bot-mjolnir/defaults/main.yml
+++ b/roles/matrix-bot-mjolnir/defaults/main.yml
@ -3,14 +3,13 @@

 matrix_bot_mjolnir_enabled: true

-matrix_bot_mjolnir_version: "v1.1.20"
+matrix_bot_mjolnir_version: "v1.2.1"

 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

 matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
 matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}"
-
 matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}"

 matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir"
--- a/roles/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml
@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false
 #
 # To use Postgres:
 # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables
+# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables
 matrix_appservice_discord_database_engine: 'sqlite'

 matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db"
--- a/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-webhooks/defaults/main.yml
@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks
 matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
 matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}"

-# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source
-matrix_appservice_webhooks_control_room_id: ''
 matrix_appservice_webhooks_bot_name: 'webhookbot'
 matrix_appservice_webhooks_user_prefix: '_webhook'

--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: ''
 # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future).
 #
 # To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables
 matrix_mautrix_facebook_database_engine: 'postgres'

 matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
--- a/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-googlechat/defaults/main.yml
@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables
 matrix_mautrix_googlechat_database_engine: 'sqlite'

 matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db"
--- a/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/defaults/main.yml
@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables
 matrix_mautrix_hangouts_database_engine: 'sqlite'

 matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
--- a/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-instagram/defaults/main.yml
@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: ''
 # Database-related configuration fields.
 #
 # To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables
 matrix_mautrix_instagram_database_engine: 'postgres'

 matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram'
--- a/roles/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-signal/defaults/main.yml
@ -17,7 +17,7 @@ matrix_mautrix_signal_daemon_container_self_build: false
 matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git"
 matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src"

-matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}"
+matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}"
 matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"

 matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"
--- a/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@ -15,6 +15,8 @@ homeserver:
    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null

 # Application service host/registration related details
 # Changing these values requires regeneration of the registration.
@ -32,25 +34,19 @@ appservice:
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1

-    # The full URI to the database. Only Postgres is currently supported.
+    # The full URI to the database. SQLite and Postgres are supported.
+    # Format examples:
+    #   SQLite:   sqlite:///filename.db
+    #   Postgres: postgres://username:password@hostname/dbname
    database: {{ matrix_mautrix_signal_database_connection_string }}
-    # Additional arguments for asyncpg.create_pool()
+    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
    database_opts:
        min_size: 5
        max_size: 10

-    # Provisioning API part of the web server for automated portal creation and fetching information.
-    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
-    provisioning:
-        # Whether or not the provisioning API should be enabled.
-        enabled: true
-        # The prefix to use in the provisioning API endpoints.
-        prefix: /_matrix/provision/v1
-        # The shared secret to authorize users of the API.
-        # Set to "generate" to generate and save a new token.
-        shared_secret: generate
-
    # The unique ID of this appservice.
    id: signal
    # Username of the appservice bot.
@ -66,7 +62,12 @@ appservice:
    # Example: "+signal:example.com". Set to false to disable.
    community_id: false

-    # Authentication tokens for AS <-> HS communication.
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: false
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
    as_token: "{{ matrix_mautrix_signal_appservice_token }}"
    hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"

@ -75,6 +76,17 @@ metrics:
    enabled: false
    listen_port: 8000

+# Manhole config.
+manhole:
+    # Whether or not opening the manhole is allowed.
+    enabled: false
+    # The path for the unix socket.
+    path: /var/tmp/mautrix-signal.manhole
+    # The list of UIDs who can be added to the whitelist.
+    # If empty, any UIDs can be specified in the open-manhole command.
+    whitelist:
+    - 0
+
 signal:
    # Path to signald unix socket
    socket_path: /signald/signald.sock
@ -91,6 +103,8 @@ signal:
    delete_unknown_accounts_on_start: false
    # Whether or not message attachments should be removed from disk after they're bridged.
    remove_file_after_handling: true
+    # Whether or not users can register a primary device
+    registration_enabled: true

 # Bridge config
 bridge:
@ -102,6 +116,7 @@ bridge:
    # available variable in displayname_preference. The variables in displayname_preference
    # can also be used here directly.
    displayname_template: "{displayname} (Signal)"
+    # Whether or not contact list displaynames should be used.
    # Possible values: disallow, allow, prefer
    #
    # Multi-user instances are recommended to disallow contact list names, as otherwise there can
@ -140,7 +155,7 @@ bridge:
    # If false, created portal rooms will never be federated.
    federate_rooms: true
    # End-to-bridge encryption support options. You must install the e2be optional dependency for
-    # this to work. See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html
+    # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: false
@ -173,12 +188,38 @@ bridge:
    # This field will automatically be changed back to false after it,
    # except if the config file is not writable.
    resend_bridge_info: false
-    # Interval at which to resync contacts.
+    # Interval at which to resync contacts (in seconds).
    periodic_sync: 0

+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: true
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision/v1
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: generate
+
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "!signal"

+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Signal bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `register` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+
+    # Send each message separately (for readability in some clients)
+    management_room_multiple_messages: false
+
    # Permissions for using the bridge.
    # Permitted values:
    #      relay - Allowed to be relayed through the bridge, no access to commands.
--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -13,7 +13,7 @@ matrix_mautrix_telegram_container_self_build: false
 matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

-matrix_mautrix_telegram_version: v0.10.1
+matrix_mautrix_telegram_version: v0.10.2
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables
 matrix_mautrix_telegram_database_engine: 'sqlite'

 matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
--- a/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@ -42,7 +42,7 @@ matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables
 matrix_mautrix_whatsapp_database_engine: 'sqlite'

 matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
--- a/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/defaults/main.yml
@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url
 matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}'
 matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}'

+matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}"
+
 # "@user:server.com" to allow specific user
 # "@.*:yourserver.com" to allow users on a specific homeserver
 # "@.*" to allow anyone
--- a/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
@ -9,17 +9,17 @@ bridge:
  domain: {{ matrix_mx_puppet_discord_homeserver_domain }}
  # Reachable URL of the Matrix homeserver
  homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }}
+  # Optionally specify a different media URL used for the media store
+  #
+  # This is where Discord will download user profile pictures and media
+  # from
+  mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }}
  {% if matrix_mx_puppet_discord_login_shared_secret != '' %}
  loginSharedSecretMap:
    {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }}
  {% endif %}
  # Display name of the bridge bot
  displayname: Discord Puppet Bridge
-  # Optionally specify a different media URL used for the media store
-  #
-  # This is where Discord will download user profile pictures and media
-  # from
-  #mediaUrl: https://external-url.org

 presence:
  # Bridge Discord online/offline status
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"

-matrix_client_element_version: v1.9.5
+matrix_client_element_version: v1.9.7
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -22,7 +22,7 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

-matrix_corporal_version: 2.2.1
+matrix_corporal_version: 2.2.2
 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
 matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_corporal_docker_image_tag: "{{ matrix_corporal_version }}" # for backward-compatibility
--- a/roles/matrix-dimension/defaults/main.yml
+++ b/roles/matrix-dimension/defaults/main.yml
@ -10,10 +10,16 @@ matrix_dimension_admins: []
 # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates
 matrix_dimension_widgets_allow_self_signed_ssl_certificates: false

+matrix_dimension_container_image_self_build: false
+matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git"
+matrix_dimension_container_image_self_build_branch: master
+
 matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
+matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension"

 matrix_dimension_version: latest
-matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
+matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
+matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"

 # List of systemd services that matrix-dimension.service depends on.
@ -48,7 +54,7 @@ matrix_dimension_homeserver_federationUrl: ""
 #
 # To use Postgres:
 # - change the engine (`matrix_dimension_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_dimension_postgres_*` variables
+# - adjust your database credentials via the `matrix_dimension_database_*` variables
 matrix_dimension_database_engine: 'sqlite'

 matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db"
--- a/roles/matrix-dimension/tasks/setup_install.yml
+++ b/roles/matrix-dimension/tasks/setup_install.yml
@ -90,6 +90,29 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}"
+  when: "not matrix_dimension_container_image_self_build|bool"
+  register: matrix_dimension_pull_results
+
+- name: Ensure dimension repository is present on self-build
+  git:
+    repo: "{{ matrix_dimension_container_image_self_build_repo }}"
+    dest: "{{ matrix_dimension_docker_src_files_path }}"
+    version: "{{ matrix_dimension_container_image_self_build_branch }}"
+    force: "yes"
+  when: "matrix_dimension_container_image_self_build|bool"
+  register: matrix_dimension_git_pull_results
+
+- name: Ensure Dimension Docker image is built
+  docker_image:
+    name: "{{ matrix_dimension_docker_image }}"
+    source: build
+    force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_dimension_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_dimension_container_image_self_build|bool"

 - name: Ensure matrix-dimension.service installed
  template:
--- a/roles/matrix-grafana/defaults/main.yml
+++ b/roles/matrix-grafana/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_grafana_enabled: false

-matrix_grafana_version: 8.2.2
+matrix_grafana_version: 8.3.1
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"

--- a/roles/matrix-jitsi/defaults/main.yml
+++ b/roles/matrix-jitsi/defaults/main.yml
@ -9,10 +9,23 @@ matrix_jitsi_enable_transcriptions: false
 matrix_jitsi_enable_p2p: true
 matrix_jitsi_enable_av_moderation: true

-# Authentication type, must be one of internal, jwt or ldap. Currently only
-# internal and ldap are supported by this playbook.
+# Authentication type, must be one of internal, jwt or ldap.
+# Currently only internal and ldap mechanisms are supported by this playbook.
 matrix_jitsi_auth_type: internal

+# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
+#
+# Accounts added here and subsquently removed will not be automatically removed
+# from the Prosody server until user account cleaning is integrated into the playbook.
+#
+# Example:
+# matrix_jitsi_prosody_auth_internal_accounts:
+#  - username: "jitsi-moderator"
+#    password: "secret-password"
+#  - username: "another-user"
+#    password: "another-password"
+matrix_jitsi_prosody_auth_internal_accounts: []
+
 # Configuration options for LDAP authentication. For details see upstream:
 #   https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
 # Defaults are taken from:
@ -54,7 +67,7 @@ matrix_jitsi_jibri_recorder_password: ''

 matrix_jitsi_enable_lobby: false

-matrix_jitsi_version: stable-6173
+matrix_jitsi_version: stable-6726
 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility

 matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
@ -205,7 +218,6 @@ matrix_jitsi_jicofo_component_secret: ''
 matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: ''

-
 matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"

--- a/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
+++ b/roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml
@ -4,7 +4,7 @@
 # Tasks related to setting up jitsi-prosody
 #

- name: Ensure Matrix jitsi-prosody path exists
+- name: Ensure Matrix jitsi-prosody environment exists
  file:
    path: "{{ item.path }}"
    state: directory
@ -25,14 +25,14 @@
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
  when: matrix_jitsi_enabled|bool

- name: Ensure jitsi-prosody environment variables file created
+- name: Ensure jitsi-prosody environment variables file is created
  template:
    src: "{{ role_path }}/templates/prosody/env.j2"
    dest: "{{ matrix_jitsi_prosody_base_path }}/env"
    mode: 0640
  when: matrix_jitsi_enabled|bool

- name: Ensure matrix-jitsi-prosody.service installed
+- name: Ensure matrix-jitsi-prosody.service file is installed
  template:
    src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
    dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
@ -40,16 +40,24 @@
  register: matrix_jitsi_prosody_systemd_service_result
  when: matrix_jitsi_enabled|bool

- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
+- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation
  service:
    daemon_reload: yes
  when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"

+- name: Ensure authentication is properly configured
+  include_tasks:
+    file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
+  when:
+    - matrix_jitsi_enabled|bool
+    - matrix_jitsi_enable_auth|bool
+
+
 #
 # Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
 #

- name: Check existence of matrix-jitsi-prosody service
+- name: Ensure matrix-jitsi-prosody.service file exists
  stat:
    path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
  register: matrix_jitsi_prosody_service_stat
@ -64,13 +72,13 @@
  register: stopping_result
  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"

- name: Ensure matrix-jitsi-prosody.service doesn't exist
+- name: Ensure matrix-jitsi-prosody.service file doesn't exist
  file:
    path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
    state: absent
  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"

- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
+- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal
  service:
    daemon_reload: yes
  when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
--- a/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
+++ b/roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml
@ -0,0 +1,43 @@
+---
+#
+# Start Necessary Services
+#
+
+- name: Ensure matrix-jitsi-prosody container is running
+  systemd:
+    state: started
+    name: matrix-jitsi-prosody
+  register: matrix_jitsi_prosody_start_result
+
+
+#
+# Tasks related to configuring Jitsi internal authentication
+#
+
+- name: Ensure Jitsi internal authentication users are configured
+  shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
+  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
+  when:
+    - matrix_jitsi_auth_type == "internal"
+    - matrix_jitsi_prosody_auth_internal_accounts|length > 0
+
+
+#
+# Tasks related to configuring other Jitsi authentication mechanisms
+#
+
+
+
+#
+# Tasks related to cleaning after Jitsi authentication configuration
+#
+
+
+#
+# Stop Necessary Services
+#
+- name: Ensure matrix-jitsi-prosody container is stopped if necessary
+  systemd:
+    state: stopped
+    name: matrix-jitsi-prosody
+  when: matrix_jitsi_prosody_start_result.changed|bool
--- a/roles/matrix-jitsi/tasks/validate_config.yml
+++ b/roles/matrix-jitsi/tasks/validate_config.yml
@ -3,14 +3,14 @@
 - name: Fail if required Jitsi settings not defined
  fail:
    msg: >-
-      You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
+      You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.

      If you're setting up Jitsi for the first time, you may have missed a step.
      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).

-      If you had setup Jitsi successfully before and it's just now that you're observing this failure,
-      it means that your installation may be using some default passwords that the playbook used to define until now.
-      This is not secure and we urge you to rebuild your Jitsi setup.
+      If you had previously setup Jitsi successfully and are only now facing this error,
+      it means that your installation is most likely using default passwords previously defined by the playbook.
+      These defaults are insecure. Jitsi should be rebuilt with secure values.
      Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
  when: "vars[item] == ''"
  with_items:
@ -19,6 +19,20 @@
    - "matrix_jitsi_jicofo_auth_password"
    - "matrix_jitsi_jvb_auth_password"

+
+- name: Fail if a Jitsi internal authentication account is not defined
+  fail:
+    msg: >-
+      At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
+      
+      If you're setting up Jitsi for the first time, you may have missed a step.
+      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
+  when:
+    - matrix_jitsi_enable_auth|bool
+    - matrix_jitsi_auth_type == 'internal'
+    - matrix_jitsi_prosody_auth_internal_accounts|length == 0
+
+
 - name: (Deprecation) Catch and report renamed settings
  fail:
    msg: >-
--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@ -48,7 +48,7 @@ matrix_ma1sd_matrixorg_forwarding_enabled: false
 #
 # To use Postgres:
 # - change the engine (`matrix_ma1sd_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables
+# - adjust your database credentials via the `matrix_ma1sd_database_*` variables
 matrix_ma1sd_database_engine: 'sqlite'

 matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db"
--- a/roles/matrix-mailer/defaults/main.yml
+++ b/roles/matrix-mailer/defaults/main.yml
@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"

-matrix_mailer_version: 4.94.2-r0-5
+matrix_mailer_version: 4.95-r0
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -382,6 +382,11 @@ matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets
 # To see the full list for suportes ciphers run `openssl ciphers` on your server
 matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"

+# Specifies what to use for the X-Forwarded-For variable.
+# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers,
+# you may wish to set this to '$proxy_add_x_forwarded_for' instead.
+matrix_nginx_proxy_x_forwarded_for: '$remote_addr'
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2
@ -27,7 +27,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2
@ -35,7 +35,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2
@ -33,7 +33,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2
@ -30,7 +30,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@ -58,7 +58,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}
@ -76,7 +76,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}
@ -94,7 +94,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 	{% endif %}

@ -111,7 +111,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}
@ -136,7 +136,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

 		client_body_buffer_size 25M;
@ -284,7 +284,7 @@ server {
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};

 		client_body_buffer_size 25M;
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2
@ -37,7 +37,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}

--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2
@ -30,7 +30,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}

 	# colibri (JVB) websockets
@ -45,7 +45,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";

@ -70,7 +70,7 @@
 		proxy_read_timeout 900s;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 		tcp_nodelay on;
 	}
--- a/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
+++ b/roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2
@ -28,7 +28,7 @@
 		{% endif %}

 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 {% endmacro %}
--- a/roles/matrix-postgres-backup/defaults/main.yml
+++ b/roles/matrix-postgres-backup/defaults/main.yml
@ -33,7 +33,7 @@ matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_pr
 matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}"
 matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}"
 matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}"
-matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}"
+matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v14 }}"

 # This variable is assigned at runtime. Overriding its value has no effect.
 matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}'
--- a/roles/matrix-prometheus/defaults/main.yml
+++ b/roles/matrix-prometheus/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_prometheus_enabled: false

-matrix_prometheus_version: v2.30.3
+matrix_prometheus_version: v2.31.1
 matrix_prometheus_docker_image: "{{ matrix_container_global_registry_prefix }}prom/prometheus:{{ matrix_prometheus_version }}"
 matrix_prometheus_docker_image_force_pull: "{{ matrix_prometheus_docker_image.endswith(':latest') }}"

--- a/roles/matrix-redis/defaults/main.yml
+++ b/roles/matrix-redis/defaults/main.yml
@ -5,7 +5,7 @@ matrix_redis_connection_password: ""
 matrix_redis_base_path: "{{ matrix_base_data_path }}/redis"
 matrix_redis_data_path: "{{ matrix_redis_base_path }}/data"

-matrix_redis_version: 6.2.4-alpine
+matrix_redis_version: 6.2.6-alpine
 matrix_redis_docker_image_v6: "{{ matrix_container_global_registry_prefix }}redis:{{ matrix_redis_version }}"
 matrix_redis_docker_image_latest: "{{ matrix_redis_docker_image_v6 }}"
 matrix_redis_docker_image_to_use: '{{ matrix_redis_docker_image_latest }}'
--- a/roles/matrix-registration/defaults/main.yml
+++ b/roles/matrix-registration/defaults/main.yml
@ -38,7 +38,7 @@ matrix_registration_container_http_host_bind_port: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_registration_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_registration_postgres_*` variables
+# - adjust your database credentials via the `matrix_registration_database_*` variables
 matrix_registration_database_engine: 'sqlite'

 matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3"
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.47.1
-matrix_synapse_version_arm64: v1.47.1
+matrix_synapse_version: v1.49.0
+matrix_synapse_version_arm64: v1.49.0
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -667,8 +667,8 @@ tls_private_key_path: {{ matrix_synapse_tls_private_key_path|to_json }}
 #
 #federation_certificate_verification_whitelist:
 #  - lon.example.com
-#  - *.domain.com
-#  - *.onion
+#  - "*.domain.com"
+#  - "*.onion"

 # List of custom certificate authorities for federation traffic.
 #
@ -1227,6 +1227,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 #
 #session_lifetime: 24h

+# Time that an access token remains valid for, if the session is
+# using refresh tokens.
+# For more information about refresh tokens, please see the manual.
+# Note that this only applies to clients which advertise support for
+# refresh tokens.
+#
+# Note also that this is calculated at login time and refresh time:
+# changes are not applied to existing sessions until they are refreshed.
+#
+# By default, this is 5 minutes.
+#
+#refreshable_access_token_lifetime: 5m
+
+# Time that a refresh token remains valid for (provided that it is not
+# exchanged for another one first).
+# This option can be used to automatically log-out inactive sessions.
+# Please see the manual for more information.
+#
+# Note also that this is calculated at login time and refresh time:
+# changes are not applied to existing sessions until they are refreshed.
+#
+# By default, this is infinite.
+#
+#refresh_token_lifetime: 24h
+
+# Time that an access token remains valid for, if the session is NOT
+# using refresh tokens.
+# Please note that not all clients support refresh tokens, so setting
+# this to a short value may be inconvenient for some users who will
+# then be logged out frequently.
+#
+# Note also that this is calculated at login time: changes are not applied
+# retrospectively to existing sessions for users that have already logged in.
+#
+# By default, this is infinite.
+#
+#nonrefreshable_access_token_lifetime: 24h
+
+# The user must provide all of the below types of 3PID when registering.
+
 # The user must provide all of the below types of 3PID when registering.
 #
 #registrations_require_3pid:
@ -2229,6 +2269,12 @@ sso:
    #
    #algorithm: "provided-by-your-issuer"

+    # Name of the claim containing a unique identifier for the user.
+    #
+    # Optional, defaults to `sub`.
+    #
+    #subject_claim: "sub"
+
    # The issuer to validate the "iss" claim against.
    #
    # Optional, if provided the "iss" claim will be required and
@ -2338,8 +2384,10 @@ email:

  # Username/password for authentication to the SMTP server. By default, no
  # authentication is attempted.
+  {% if matrix_synapse_email_smtp_user %}
  smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }}
  smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }}
+  {% endif %}

  # Uncomment the following to require TLS transport security for SMTP.
  # By default, Synapse will connect over plain text, and will then switch to
@ -2637,8 +2685,8 @@ user_directory:
    # indexes were (re)built was before Synapse 1.44, you'll have to
    # rebuild the indexes in order to search through all known users.
    # These indexes are built the first time Synapse starts; admins can
-    # manually trigger a rebuild following the instructions at
-    #     https://matrix-org.github.io/synapse/latest/user_directory.html
+    # manually trigger a rebuild via API following the instructions at
+    #     https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/background_updates.html#run
    #
    # Uncomment to return search results containing all known users, even if that
    # user does not share a room with the requester.
--- a/roles/matrix-synapse/vars/workers.yml
+++ b/roles/matrix-synapse/vars/workers.yml
@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/federation/v1/get_groups_publicised$
  - ^/_matrix/key/v2/query
  - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
-  - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
+  - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/

  # Inbound federation transaction request
  - ^/_matrix/federation/v1/send/
@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints:
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$
  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
-  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
+  - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$
  - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$
  - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$