Merge pull request #3041 from Braindot-fr/3031-feat-add-signalgo-bridge

[#3031] Update mautrix-signal to the go version (signalgo merged to signal)
2024-01-02 15:59:58 +02:00 · 2024-01-02 15:59:58 +02:00 · 9ff405504d
commit 9ff405504d
parent c4fa8d473e 4db1e5930d
15 changed files with 415 additions and 491 deletions
--- a/docs/configuring-playbook-bridge-mautrix-signal.md
+++ b/docs/configuring-playbook-bridge-mautrix-signal.md
@ -6,6 +6,8 @@ See the project's [documentation](https://docs.mau.fi/bridges/python/signal/inde
 **Note/Prerequisite**: If you're running with the Postgres database server integrated by the playbook (which is the default), you don't need to do anything special and can easily proceed with installing. However, if you're [using an external Postgres server](configuring-playbook-external-postgres.md), you'd need to manually prepare a Postgres database for this bridge and adjust the variables related to that (`matrix_mautrix_signal_database_*`).
 **Note**: This revamped version of the [mautrix-signal (legacy)](configuring-playbook-bridge-mautrix-signal.md) may increase the CPU usage of your homeserver.
 Use the following playbook configuration:
 ```yaml
@ -14,14 +16,7 @@ matrix_mautrix_signal_enabled: true
 There are some additional things you may wish to configure about the bridge before you continue.
 The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file:
 ```yaml
 matrix_mautrix_signal_relaybot_enabled: true
 ```
 If you want to activate the relay bot in a room, use `!signal set-relay`.
 Use `!signal unset-relay` to deactivate.
 By default, any user on your homeserver will be able to use the bridge.
 If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from.
 Different levels of permission can be granted to users:
@ -46,7 +41,7 @@ matrix_mautrix_signal_configuration_extension_yaml: |
      '@YOUR_USERNAME:YOUR_DOMAIN': admin
 ```
-This will add the admin permission to the specific user, while keepting the default permissions.
+This will add the admin permission to the specific user, while keeping the default permissions.
 In case you want to replace the default permissions settings **completely**, populate the following item within your `vars.yml` file:
 ```yaml
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -274,9 +274,7 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else [])
    +
-    ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else [])
+    ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else [])
    +
    ([{'name': 'matrix-mautrix-signal-daemon.service', 'priority': 1900, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal-daemon']}] if matrix_mautrix_signal_enabled else [])
    +
    ([{'name': 'matrix-mautrix-telegram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-telegram']}] if matrix_mautrix_telegram_enabled else [])
    +
@ -1038,7 +1036,6 @@ matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bridge-mautrix-signal
@ -1048,6 +1045,8 @@ matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_
 # We don't enable bridges by default.
 matrix_mautrix_signal_enabled: false
 matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 matrix_mautrix_signal_systemd_required_services_list: |
  {{
    ['docker.service']
@ -1057,8 +1056,6 @@ matrix_mautrix_signal_systemd_required_services_list: |
    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
    +
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
    +
    ['matrix-mautrix-signal-daemon.service']
  }}
 matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
@ -1077,13 +1074,10 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi
 # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
 matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled }}"
-matrix_mautrix_signal_database_engine: 'postgres'
+matrix_mautrix_signal_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}"
 matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 ######################################################################
 #
 # /matrix-bridge-mautrix-signal
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@ -5,68 +5,57 @@
 matrix_mautrix_signal_enabled: true
 matrix_mautrix_signal_container_image_self_build: false
-matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
+matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/signal.git"
-matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
+matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.4.3
+matrix_mautrix_signal_version: 18e006300885e7432f0791211dec77345ae974a2-{{ matrix_architecture }}
-# renovate: datasource=docker depName=signald/signald
+
 matrix_mautrix_signal_daemon_version: 0.23.2
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"
 matrix_mautrix_signal_daemon_container_image_self_build: false
 matrix_mautrix_signal_daemon_docker_repo: "https://gitlab.com/signald/signald"
 matrix_mautrix_signal_daemon_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_daemon_version == 'latest' else matrix_mautrix_signal_daemon_version }}"
 matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src"
 matrix_mautrix_signal_daemon_docker_image: "{{ matrix_mautrix_signal_daemon_docker_image_name_prefix }}signald/signald:{{ matrix_mautrix_signal_daemon_docker_image_tag }}"
 matrix_mautrix_signal_daemon_docker_image_name_prefix: "docker.io/"
 matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image_tag.endswith(':latest') }}"
 matrix_mautrix_signal_daemon_docker_image_tag: "{{ matrix_mautrix_signal_daemon_version }}"
 matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"
-matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/bridge"
+matrix_mautrix_signal_config_path: "{{ matrix_mautrix_signal_base_path }}/config"
-matrix_mautrix_signal_daemon_path: "{{ matrix_mautrix_signal_base_path }}/signald"
+matrix_mautrix_signal_data_path: "{{ matrix_mautrix_signal_base_path }}/data"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_mautrix_signal_base_path }}/docker-src"
-matrix_mautrix_signal_homeserver_address: ''
+matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}"
-matrix_mautrix_signal_homeserver_domain: ''
+matrix_mautrix_signal_homeserver_domain: "{{ matrix_domain }}"
-matrix_mautrix_signal_appservice_address: 'http://matrix-mautrix-signal:29328'
+matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 matrix_mautrix_signal_command_prefix: "!signal"
-# Controls whether the matrix-mautrix-signal container exposes its port (tcp/29328 in the container).
+matrix_mautrix_signal_bridge_permissions: |
-#
+  {{
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9006"), or empty string to not expose.
+    {'*': 'relay', matrix_mautrix_signal_homeserver_domain: 'user'}
-matrix_mautrix_signal_container_http_host_bind_port: ''
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
  }}
 # Enable bridge relay functionality
 matrix_mautrix_signal_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
 # Only allow admins on this home server to set themselves as a relay user
 matrix_mautrix_signal_bridge_relay_admin_only: true
 # A list of extra arguments to pass to the container
 matrix_mautrix_signal_container_extra_arguments: []
 # List of systemd services that matrix-mautrix-signal.service depends on.
-matrix_mautrix_signal_systemd_required_services_list:
+matrix_mautrix_signal_systemd_required_services_list: ['docker.service']
  - 'docker.service'
  - 'matrix-mautrix-signal-daemon.service'
 # List of systemd services that matrix-mautrix-signal.service wants
 matrix_mautrix_signal_systemd_wanted_services_list: []
 # List of systemd services that matrix-mautrix-signal-daemon.service depends on.
 matrix_mautrix_signal_daemon_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-mautrix-signal-daemon.service wants
 matrix_mautrix_signal_daemon_systemd_wanted_services_list: []
 matrix_mautrix_signal_appservice_token: ''
 matrix_mautrix_signal_homeserver_token: ''
 matrix_mautrix_signal_appservice_bot_username: signalbot
-# Specifies the default log level for all bridge loggers.
+# Minimum severity of journal log messages.
-matrix_mautrix_signal_logging_level: WARNING
+# Options: debug, info, warn, error, fatal
 matrix_mautrix_signal_logging_level: 'warn'
 # Whether or not created rooms should have federation enabled.
 # If false, created portal rooms will never be federated.
@ -82,50 +71,51 @@ matrix_mautrix_signal_metrics_enabled: false
 # See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
 matrix_mautrix_signal_metrics_proxying_enabled: false
-# Database-related configuration fields
+# Database-related configuration fields.
 #
-# This bridge only supports postgres.
+# To use SQLite, stick to these defaults.
 #
-matrix_mautrix_signal_database_engine: 'postgres'
+# To use Postgres:
 # - change the engine (`matrix_mautrix_signal_database_engine: 'postgres'`)
 # - adjust your database credentials via the `matrix_mautrix_signal_database_*` variables
 matrix_mautrix_signal_database_engine: 'sqlite'
 matrix_mautrix_signal_sqlite_database_path_local: "{{ matrix_mautrix_signal_data_path }}/mautrix-signal.db"
 matrix_mautrix_signal_sqlite_database_path_in_container: "/data/mautrix-signal.db?_txlock=immediate"
 matrix_mautrix_signal_database_username: 'matrix_mautrix_signal'
 matrix_mautrix_signal_database_password: 'some-password'
 matrix_mautrix_signal_database_hostname: ''
 matrix_mautrix_signal_database_port: 5432
 matrix_mautrix_signal_database_name: 'matrix_mautrix_signal'
 matrix_mautrix_signal_database_sslmode: disable
-matrix_mautrix_signal_database_connection_string: 'postgres://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}'
+matrix_mautrix_signal_database_connection_string: 'postgresql://{{ matrix_mautrix_signal_database_username }}:{{ matrix_mautrix_signal_database_password }}@{{ matrix_mautrix_signal_database_hostname }}:{{ matrix_mautrix_signal_database_port }}/{{ matrix_mautrix_signal_database_name }}?sslmode={{ matrix_mautrix_signal_database_sslmode }}'
-matrix_mautrix_signal_appservice_database: "{{
+matrix_mautrix_signal_appservice_database_type: "{{
-  {
+	{
-    'postgres': matrix_mautrix_signal_database_connection_string,
+		'sqlite': 'sqlite3-fk-wal',
-  }[matrix_mautrix_signal_database_engine]
+		'postgres':'postgres',
- }}"
+	}[matrix_mautrix_signal_database_engine]
 }}"
 matrix_mautrix_signal_appservice_database_uri: "{{
 	{
 		'sqlite': matrix_mautrix_signal_sqlite_database_path_in_container,
 		'postgres': matrix_mautrix_signal_database_connection_string,
 	}[matrix_mautrix_signal_database_engine]
 }}"
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_signal_login_shared_secret: ''
 matrix_mautrix_signal_bridge_login_shared_secret_map:
  "{{ {matrix_mautrix_signal_homeserver_domain: matrix_mautrix_signal_login_shared_secret} if matrix_mautrix_signal_login_shared_secret else {} }}"
-# Enable bridge relay bot functionality
+# Servers to always allow double puppeting from
-matrix_mautrix_signal_relaybot_enabled: "{{ matrix_bridges_relay_enabled }}"
+matrix_mautrix_signal_bridge_double_puppet_server_map:
  "{{ matrix_mautrix_signal_homeserver_domain :  matrix_mautrix_signal_homeserver_address }}"
-# Permissions for using the bridge.
+# Default mautrix-signal configuration template which covers the generic use case.
 # Permitted values:
 #      relay - Allowed to be relayed through the bridge, no access to commands.
 #       user - Use the bridge with puppeting.
 #      admin - Use and administrate the bridge.
 # Permitted keys:
 #        * - All Matrix users
 #   domain - All users on that homeserver
 #     mxid - Specific user
 #
 # This variable used to contain a YAML string, but now needs to contain a hashmap/dictionary.
 matrix_mautrix_signal_bridge_permissions: |
  {{
    {'*': 'relay', matrix_mautrix_signal_homeserver_domain: 'user'}
    | combine({matrix_admin: 'admin'} if matrix_admin else {})
  }}
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
 # For a more advanced customization, you can extend the default (see `matrix_mautrix_signal_configuration_extension_yaml`)
@ -147,19 +137,29 @@ matrix_mautrix_signal_configuration_extension: "{{ matrix_mautrix_signal_configu
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_signal_configuration_yaml`.
 matrix_mautrix_signal_configuration: "{{ matrix_mautrix_signal_configuration_yaml | from_yaml | combine(matrix_mautrix_signal_configuration_extension, recursive=True) }}"
-matrix_mautrix_signal_registration_yaml: "{{ lookup('template', 'templates/registration.yaml.j2') }}"
+matrix_mautrix_signal_registration_yaml: |
  id: signal
  url: {{ matrix_mautrix_signal_appservice_address }}
  as_token: "{{ matrix_mautrix_signal_appservice_token }}"
  hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"
  # See https://github.com/mautrix/signal/issues/43
  sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username }}
  rate_limited: false
  namespaces:
      users:
      - regex: '^@signal_[-a-f0-9]+:{{ matrix_mautrix_signal_homeserver_domain | regex_escape }}$'
        exclusive: true
      - exclusive: true
        regex: '^@{{ matrix_mautrix_signal_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_signal_homeserver_domain | regex_escape }}$'
  de.sorunome.msc2409.push_ephemeral: true
 matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml | from_yaml }}"
-matrix_mautrix_signal_log_level: 'DEBUG'
+# Enable End-to-bridge encryption
 matrix_mautrix_signal_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_signal_bridge_encryption_default: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"
 matrix_mautrix_signal_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"
-# Additional environment variables to pass to the Signal Daemon container
+# On conduit versions before 0.5.0 this option prevented users from joining spaces created by the bridge.
-#
+# Setting this to false fixed the issue.
-# Example:
+matrix_mautrix_signal_bridge_restricted_rooms: true
 # matrix_mautrix_signal_daemon_environment_variables_extension: |
 #   SIGNALD_TRUST_NEW_KEYS=true
 matrix_mautrix_signal_daemon_environment_variables_extension: ''
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/inject_into_nginx_proxy.yml
@ -3,7 +3,7 @@
 - name: Fail if matrix-nginx-proxy role already executed
  ansible.builtin.fail:
    msg: >-
-      Trying to append mautrix-whatapp-metrics's reverse-proxying configuration to matrix-nginx-proxy,
+      Trying to append mautrix-signal-metrics's reverse-proxying configuration to matrix-nginx-proxy,
      but it's pointless since the matrix-nginx-proxy role had already executed.
      To fix this, please change the order of roles in your playbook,
      so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-signal role.
@ -18,7 +18,7 @@
            {% if matrix_nginx_proxy_enabled | default(False) %}
              {# Use the embedded DNS resolver in Docker containers to discover the service #}
              resolver 127.0.0.11 valid=5s;
-              set $backend "matrix-mautrix-signal:8000";
+              set $backend "matrix-mautrix-signal:8001";
              proxy_pass http://$backend/metrics;
            {% else %}
              return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml
@ -1,5 +1,13 @@
 ---
 - tags:
    - setup-all
    - setup-mautrix-signal
    - install-all
    - install-mautrix-signal
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/remove_legacy.yml"
 - tags:
    - setup-all
    - setup-nginx-proxy
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/remove_legacy.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/remove_legacy.yml
@ -0,0 +1,21 @@
 ---
 # Signal daemon service
 - name: Check existence of matrix-mautrix-signal-daemon service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service"
  register: matrix_mautrix_signal_daemon_service_stat
 - when: matrix_mautrix_signal_daemon_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-mautrix-signal-daemon is stopped
      ansible.builtin.service:
        name: matrix-mautrix-signal-daemon
        state: stopped
        enabled: false
        daemon_reload: true
    - name: Ensure matrix-mautrix-signal-daemon.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service"
        state: absent
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_install.yml
@ -1,30 +1,71 @@
 ---
- name: Ensure Mautrix Signal image is pulled
+- ansible.builtin.set_fact:
    matrix_mautrix_signal_requires_restart: false
 - when: "matrix_mautrix_signal_database_engine == 'postgres'"
  block:
    - name: Check if an SQLite database already exists
      ansible.builtin.stat:
        path: "{{ matrix_mautrix_signal_sqlite_database_path_local }}"
      register: matrix_mautrix_signal_sqlite_database_path_local_stat_result
    - when: "matrix_mautrix_signal_sqlite_database_path_local_stat_result.stat.exists | bool"
      block:
        - ansible.builtin.include_role:
            name: galaxy/com.devture.ansible.role.postgres
            tasks_from: migrate_db_to_postgres
          vars:
            devture_postgres_db_migration_request:
              src: "{{ matrix_mautrix_signal_sqlite_database_path_local }}"
              dst: "{{ matrix_mautrix_signal_database_connection_string }}"
              caller: "{{ role_path | basename }}"
              engine_variable_name: 'matrix_mautrix_signal_database_engine'
              engine_old: 'sqlite'
              systemd_services_to_stop: ['matrix-mautrix-signal.service']
              pgloader_options: ['--with "quote identifiers"']
        - ansible.builtin.set_fact:
            matrix_mautrix_signal_requires_restart: true
 - name: Ensure Mautrix signal paths exists
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - {path: "{{ matrix_mautrix_signal_base_path }}", when: true}
    - {path: "{{ matrix_mautrix_signal_config_path }}", when: true}
    - {path: "{{ matrix_mautrix_signal_data_path }}", when: true}
    - {path: "{{ matrix_mautrix_signal_docker_src_files_path }}", when: "{{ matrix_mautrix_signal_container_image_self_build }}"}
  when: item.when | bool
 - name: Ensure Mautrix signal image is pulled
  community.docker.docker_image:
    name: "{{ matrix_mautrix_signal_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mautrix_signal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_docker_image_force_pull }}"
-  when: "not matrix_mautrix_signal_container_image_self_build | bool"
+  when: not matrix_mautrix_signal_container_image_self_build
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
-
+- name: Ensure Mautrix signal repository is present on self-build
 - name: Ensure Mautrix Signal repository is present on self-build
  ansible.builtin.git:
-    repo: "{{ matrix_mautrix_signal_docker_repo }}"
+    repo: "{{ matrix_mautrix_signal_container_image_self_build_repo }}"
    version: "{{ matrix_mautrix_signal_docker_repo_version }}"
    dest: "{{ matrix_mautrix_signal_docker_src_files_path }}"
    version: "{{ matrix_mautrix_signal_container_image_self_build_branch }}"
    force: "yes"
  become: true
  become_user: "{{ matrix_user_username }}"
  register: matrix_mautrix_signal_git_pull_results
  when: "matrix_mautrix_signal_container_image_self_build | bool"
- name: Ensure Mautrix Signal image is built
+- name: Ensure Mautrix signal Docker image is built
  community.docker.docker_image:
    name: "{{ matrix_mautrix_signal_docker_image }}"
    source: build
@ -36,62 +77,38 @@
      pull: true
  when: "matrix_mautrix_signal_container_image_self_build | bool"
 - name: Check if an old database file exists
  ansible.builtin.stat:
    path: "{{ matrix_mautrix_signal_base_path }}/mautrix-signal.db"
  register: matrix_mautrix_signal_stat_database
- name: Ensure Mautrix Signal Daemon image is pulled
+- name: Check if an old matrix state file exists
-  community.docker.docker_image:
+  ansible.builtin.stat:
-    name: "{{ matrix_mautrix_signal_daemon_docker_image }}"
+    path: "{{ matrix_mautrix_signal_base_path }}/mx-state.json"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+  register: matrix_mautrix_signal_stat_mx_state
    force_source: "{{ matrix_mautrix_signal_daemon_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_docker_image_force_pull }}"
  when: matrix_mautrix_signal_enabled and not matrix_mautrix_signal_daemon_container_image_self_build | bool
  register: matrix_mautrix_signal_daemon_pull_results
- name: Ensure Mautrix Signal Daemon repository is present on self-build
+- name: (Data relocation) Ensure matrix-mautrix-signal.service is stopped
-  ansible.builtin.git:
+  ansible.builtin.service:
-    repo: "{{ matrix_mautrix_signal_daemon_docker_repo }}"
+    name: matrix-mautrix-signal
-    version: "{{ matrix_mautrix_signal_daemon_docker_repo_version }}"
+    state: stopped
-    dest: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}"
+    enabled: false
-    force: "yes"
+    daemon_reload: true
-  become: true
+  failed_when: false
-  become_user: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_signal_stat_database.stat.exists"
  register: matrix_mautrix_signal_daemon_git_pull_results
  when: "matrix_mautrix_signal_daemon_container_image_self_build | bool"
- name: Ensure Mautrix Signal Daemon image is built
+- name: (Data relocation) Move mautrix-signal database file to ./data directory
-  community.docker.docker_image:
+  ansible.builtin.command:
-    name: "{{ matrix_mautrix_signal_daemon_docker_image }}"
+    cmd: "mv {{ matrix_mautrix_signal_base_path }}/mautrix-signal.db {{ matrix_mautrix_signal_data_path }}/mautrix-signal.db"
-    source: build
+    creates: "{{ matrix_mautrix_signal_data_path }}/mautrix-signal.db"
-    force_source: "{{ matrix_mautrix_signal_daemon_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    removes: "{{ matrix_mautrix_signal_base_path }}/mautrix-signal.db"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_signal_daemon_git_pull_results.changed }}"
+  when: "matrix_mautrix_signal_stat_database.stat.exists"
    build:
      dockerfile: Containerfile
      path: "{{ matrix_mautrix_signal_daemon_docker_src_files_path }}"
      pull: true
  when: "matrix_mautrix_signal_daemon_container_image_self_build | bool"
- name: Ensure Mautrix Signal paths exist
+- name: (Data relocation) Move mautrix-signal mx-state file to ./data directory
-  ansible.builtin.file:
+  ansible.builtin.command:
-    path: "{{ item }}"
+    cmd: "mv {{ matrix_mautrix_signal_base_path }}/mx-state.json {{ matrix_mautrix_signal_data_path }}/mx-state.json"
-    state: directory
+    creates: "{{ matrix_mautrix_signal_data_path }}/mx-state.json"
-    mode: 0750
+    removes: "{{ matrix_mautrix_signal_base_path }}/mx-state.json"
-    owner: "{{ matrix_user_username }}"
+  when: "matrix_mautrix_signal_stat_mx_state.stat.exists"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - "{{ matrix_mautrix_signal_base_path }}"
    - "{{ matrix_mautrix_signal_config_path }}"
    - "{{ matrix_mautrix_signal_daemon_path }}"
    - "{{ matrix_mautrix_signal_daemon_path }}/avatars"
    - "{{ matrix_mautrix_signal_daemon_path }}/attachments"
    - "{{ matrix_mautrix_signal_daemon_path }}/data"
 - name: Ensure mautrix-signal-daemon environment variables file created
  ansible.builtin.template:
    src: "{{ role_path }}/templates/env.j2"
    dest: "{{ matrix_mautrix_signal_daemon_path }}/env"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
    mode: 0644
 - name: Ensure mautrix-signal config.yaml installed
  ansible.builtin.copy:
@ -109,15 +126,15 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 - name: Ensure matrix-mautrix-signal-daemon.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal-daemon.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service"
    mode: 0644
  register: matrix_mautrix_signal_daemon_systemd_service_result
 - name: Ensure matrix-mautrix-signal.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-mautrix-signal.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service"
    mode: 0644
 - name: Ensure matrix-mautrix-signal.service restarted, if necessary
  ansible.builtin.service:
    name: "matrix-mautrix-signal.service"
    state: restarted
    daemon_reload: true
  when: "matrix_mautrix_signal_requires_restart | bool"
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/setup_uninstall.yml
@ -1,26 +1,5 @@
 ---
 # Signal daemon service
 - name: Check existence of matrix-mautrix-signal-daemon service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service"
  register: matrix_mautrix_signal_daemon_service_stat
 - when: matrix_mautrix_signal_daemon_service_stat.stat.exists | bool
  block:
    - name: Ensure matrix-mautrix-signal-daemon is stopped
      ansible.builtin.service:
        name: matrix-mautrix-signal-daemon
        state: stopped
        enabled: false
        daemon_reload: true
    - name: Ensure matrix-mautrix-signal-daemon.service doesn't exist
      ansible.builtin.file:
        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal-daemon.service"
        state: absent
 # Bridge service
 - name: Check existence of matrix-mautrix-signal service
  ansible.builtin.stat:
    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-signal.service"
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/validate_config.yml
@ -6,35 +6,15 @@
      You need to define a required configuration setting (`{{ item.name }}`).
  when: "item.when | bool and vars[item.name] == ''"
  with_items:
    - {'name': 'matrix_mautrix_signal_homeserver_domain', when: true}
    - {'name': 'matrix_mautrix_signal_homeserver_address', when: true}
    - {'name': 'matrix_mautrix_signal_homeserver_token', when: true}
    - {'name': 'matrix_mautrix_signal_appservice_token', when: true}
    - {'name': 'matrix_mautrix_signal_homeserver_token', when: true}
    - {'name': 'matrix_mautrix_signal_database_hostname', when: "{{ matrix_mautrix_signal_database_engine == 'postgres' }}"}
- name: (Deprecation) Fail if matrix_mautrix_signal_bridge_permissions specified as YAML string, instead of a dictionary
+- name: (Deprecation) Catch and report renamed settings
  ansible.builtin.fail:
    msg: >-
      The `matrix_mautrix_signal_bridge_permissions` variable in your configuration is specified as a YAML string.
      The playbook now expects a hashmap/dictionary in this variable.
      Change your configuration like this:
      matrix_mautrix_signal_bridge_permissions: {{ matrix_mautrix_signal_bridge_permissions | from_yaml | to_json }}
  when: "matrix_mautrix_signal_bridge_permissions is string"
 - name: (Deprecation) Catch and report renamed Signal variables
  ansible.builtin.fail:
    msg: >-
      Your configuration contains a variable, which now has a different name.
      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
  when: "item.old in vars"
  with_items:
-    - {'old': 'matrix_mautrix_signal_container_exposed_port_number', 'new': '<superseded by matrix_mautrix_signal_container_http_host_bind_port>'}
+    - {'old': 'matrix_mautrix_signal_log_level', 'new': 'matrix_mautrix_signal_logging_level'}
    - {'old': 'matrix_mautrix_signal_db_user', 'new': 'matrix_mautrix_signal_database_username'}
    - {'old': 'matrix_mautrix_signal_db_password', 'new': 'matrix_mautrix_signal_database_password'}
    - {'old': 'matrix_mautrix_signal_db_database', 'new': 'matrix_mautrix_signal_database_name'}
    - {'old': 'matrix_mautrix_signal_db_host', 'new': 'matrix_mautrix_signal_database_hostname'}
    - {'old': 'matrix_mautrix_signal_db_port', 'new': 'matrix_mautrix_signal_database_port'}
    - {'old': 'matrix_mautrix_signal_db_url', 'new': 'matrix_mautrix_signal_database_connection_string'}
    - {'old': 'matrix_mautrix_signal_configuration_permissions', 'new': '<superseded by matrix_mautrix_signal_configuration_extension_yaml>'}
    - {'old': 'matrix_mautrix_signal_container_self_build', 'new': 'matrix_mautrix_signal_container_image_self_build'}
    - {'old': 'matrix_mautrix_signal_daemon_container_self_build', 'new': 'matrix_mautrix_signal_daemon_container_image_self_build'}
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2
@ -5,200 +5,142 @@ homeserver:
    address: {{ matrix_mautrix_signal_homeserver_address }}
    # The domain of the homeserver (for MXIDs, etc).
    domain: {{ matrix_mautrix_signal_homeserver_domain }}
-    # Whether or not to verify the SSL certificate of the homeserver.
+
-    # Only applies if address starts with https://
+    # What software is the homeserver running?
-    verify_ssl: true
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
-    asmux: false
+    software: standard
    # Number of retries for all HTTP requests if the homeserver isn't reachable.
    http_retry_count: 4
    # The URL to push real-time bridge status to.
-    # If set, the bridge will make POST requests to this URL whenever a user's Signal connection state changes.
+    # If set, the bridge will make POST requests to this URL whenever a user's discord connection state changes.
    # The bridge will use the appservice as_token to authorize requests.
    status_endpoint: null
    # Endpoint for reporting per-message status.
    message_send_checkpoint_endpoint: null
    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
    async_media: false
-# Application service host/registration related details
+    # Should the bridge use a websocket for connecting to the homeserver?
    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
    # mautrix-asmux (deprecated), and hungryserv (proprietary).
    websocket: false
    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
    ping_interval_seconds: 0
 # Application service host/registration related details.
 # Changing these values requires regeneration of the registration.
 appservice:
    # The address that the homeserver can use to connect to this appservice.
-    address: {{ matrix_mautrix_signal_appservice_address }}
+    address: {{ matrix_mautrix_signal_appservice_address | to_json }}
    # When using https:// the TLS certificate and key files for the address.
    tls_cert: false
    tls_key: false
    # The hostname and port where this appservice should listen.
    hostname: 0.0.0.0
-    port: 29328
+    port: 8080
    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
    max_body_size: 1
-    # The full URI to the database. SQLite and Postgres are supported.
+    # Database config.
-    # Format examples:
+    database:
-    #   SQLite:   sqlite:///filename.db
+        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
-    #   Postgres: postgres://username:password@hostname/dbname
+        type: {{ matrix_mautrix_signal_appservice_database_type|to_json }}
-    database: {{ matrix_mautrix_signal_database_connection_string }}
+        # The database URI.
-    # Additional arguments for asyncpg.create_pool() or sqlite3.connect()
+        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
-    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+        #           https://github.com/mattn/go-sqlite3#connection-string
-    # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect
+        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
-    # For sqlite, min_size is used as the connection thread pool size and max_size is ignored.
+        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
-    database_opts:
+        uri: {{ matrix_mautrix_signal_appservice_database_uri|to_json }}
-        min_size: 5
+        # Maximum number of connections. Mostly relevant for Postgres.
-        max_size: 10
+        max_open_conns: 20
        max_idle_conns: 2
        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
        # Parsed with https://pkg.go.dev/time#ParseDuration
        max_conn_idle_time: null
        max_conn_lifetime: null
    # The unique ID of this appservice.
    id: signal
-    # Username of the appservice bot.
+    # Appservice bot details.
-    bot_username: {{ matrix_mautrix_signal_appservice_bot_username|to_json }}
+    bot:
-    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+        # Username of the appservice bot.
-    # to leave display name/avatar as-is.
+        username: signalbot
-    bot_displayname: Signal bridge bot
+        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
-    bot_avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
+        # to leave display name/avatar as-is.
        displayname: signal bridge bot
        avatar: mxc://maunium.net/wPJgTQbZOtpBFmDNkiNEMDUp
    # Whether or not to receive ephemeral events via appservice transactions.
    # Requires MSC2409 support (i.e. Synapse 1.22+).
-    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: true
-    ephemeral_events: false
+
    # Should incoming events be handled asynchronously?
    # This may be necessary for large public instances with lots of messages going through.
    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
    async_transactions: false
    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
-    as_token: "{{ matrix_mautrix_signal_appservice_token }}"
+    as_token: {{ matrix_mautrix_signal_appservice_token | to_json }}
-    hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"
+    hs_token: {{ matrix_mautrix_signal_homeserver_token | to_json }}
-# Prometheus telemetry config. Requires prometheus-client to be installed.
+# Prometheus config.
 metrics:
-    enabled: {{ matrix_mautrix_signal_metrics_enabled | to_json }}
+    # Enable prometheus metrics?
    listen_port: 8000
 # Manhole config.
 manhole:
    # Whether or not opening the manhole is allowed.
    enabled: false
-    # The path for the unix socket.
+    # IP and port where the metrics listener should be. The path is always /metrics
-    path: /var/tmp/mautrix-signal.manhole
+    listen: 127.0.0.1:8000
    # The list of UIDs who can be added to the whitelist.
    # If empty, any UIDs can be specified in the open-manhole command.
    whitelist:
    - 0
 signal:
    # Path to signald unix socket
    socket_path: /signald/signald.sock
    # Directory for temp files when sending files to Signal. This should be an
    # absolute path that signald can read. For attachments in the other direction,
    # make sure signald is configured to use an absolute path as the data directory.
    outgoing_attachment_dir: /signald/attachments
    # Directory where signald stores avatars for groups.
    avatar_dir: /signald/avatars
    # Directory where signald stores auth data. Used to delete data when logging out.
    data_dir: /signald/data
    # Whether or not unknown signald accounts should be deleted when the bridge is started.
    # When this is enabled, any UserInUse errors should be resolved by restarting the bridge.
    delete_unknown_accounts_on_start: false
    # Whether or not message attachments should be removed from disk after they're bridged.
    remove_file_after_handling: true
    # Whether or not users can register a primary device
    registration_enabled: true
 # Bridge config
 bridge:
    # Localpart template of MXIDs for Signal users.
-    # {userid} is replaced with an identifier for the Signal user.
+    # {{ '{{.}}' }} is replaced with the internal ID of the Signal user.
-    username_template: "signal_{userid}"
+    username_template: "{{ 'signal_{{.}}' }}"
-    # Displayname template for Signal users.
+    # Displayname template for Signal users. This is also used as the room name in DMs if private_chat_portal_meta is enabled.
-    # {displayname} is replaced with the displayname of the Signal user, which is the first
+    # Available variables: TODO
-    # available variable in displayname_preference. The variables in displayname_preference
+    displayname_template: "{{ '{{.ProfileName}} (Signal)' }}"
-    # can also be used here directly.
+    # Whether to explicitly set the avatar and room name for private chat portal rooms.
-    displayname_template: "{displayname} (Signal)"
+    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
-    # Whether or not contact list displaynames should be used.
+    # If set to `always`, all DM rooms will have explicit names and avatars set.
-    # Possible values: disallow, allow, prefer
+    # If set to `never`, DM rooms will never have names and avatars set.
-    #
+    private_chat_portal_meta: default
    # Multi-user instances are recommended to disallow contact list names, as otherwise there can
    # be conflicts between names from different users' contact lists.
    contact_list_names: disallow
    # Available variables: full_name, first_name, last_name, phone, uuid
    displayname_preference:
    - full_name
    - phone
-    # Whether or not to create portals for all groups on login/connect.
+    portal_message_buffer: 128
-    autocreate_group_portal: true
+
-    # Whether or not to create portals for all contacts on login/connect.
+    # Should the bridge send a read receipt from the bridge bot when a message has been sent to Signal?
-    autocreate_contact_portal: false
+    delivery_receipts: false
-    # Whether or not to use /sync to get read receipts and typing notifications
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
-    # when double puppeting is enabled
+    message_status_events: false
-    sync_with_custom_puppets: true
+    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
-    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    message_error_notices: true
    # Should the bridge update the m.direct account data event when double puppeting is enabled.
    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
    # and is therefore prone to race conditions.
    sync_direct_chat_list: false
-    # Allow using double puppeting from any server with a valid client .well-known file.
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
-    double_puppet_allow_discovery: false
+    # This field will automatically be changed back to false after it, except if the config file is not writable.
-    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
+    resend_bridge_info: false
    double_puppet_server_map: {}
    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
    # If using this for other servers than the bridge's server,
    # you must also set the URL in the double_puppet_server_map.
    login_shared_secret_map:
        {{ matrix_mautrix_signal_homeserver_domain }}: {{ matrix_mautrix_signal_login_shared_secret|to_json }}
    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
    federate_rooms: {{ matrix_mautrix_signal_federate_rooms|to_json }}
-    # End-to-bridge encryption support options. You must install the e2be optional dependency for
+    # Servers to always allow double puppeting from
-    # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption
+    double_puppet_server_map:
-    encryption:
+        "{{ matrix_mautrix_signal_homeserver_domain }}": {{ matrix_mautrix_signal_homeserver_address }}
-        # Allow encryption, work in group chat rooms with e2ee enabled
+    # Allow using double puppeting from any server with a valid client .well-known file.
-        allow: {{ matrix_mautrix_signal_bridge_encryption_allow|to_json }}
+    double_puppet_allow_discovery: false
-        # Default to encryption, force-enable encryption in all portals the bridge creates
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
-        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+    #
-        default: {{ matrix_mautrix_signal_bridge_encryption_default|to_json }}
+    # If set, double puppeting will be enabled automatically for local users
-        # Options for automatic key sharing.
+    # instead of users having to find an access token and run `login-matrix`
-        key_sharing:
+    # manually.
-            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+    login_shared_secret_map: {{ matrix_mautrix_signal_bridge_login_shared_secret_map|to_json }}
            # You must use a client that supports requesting keys from other users to use this feature.
            allow: {{ matrix_mautrix_signal_bridge_encryption_key_sharing_allow|to_json }}
            # Require the requesting device to have a valid cross-signing signature?
            # This doesn't require that the bridge has verified the device, only that the user has verified it.
            # Not yet implemented.
            require_cross_signing: false
            # Require devices to be verified by the bridge?
            # Verification by the bridge is not yet implemented.
            require_verification: true
    # Whether or not to explicitly set the avatar and room name for private
    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
    private_chat_portal_meta: false
    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
    # been sent to Signal. This let's you check manually whether the bridge is receiving your
    # messages.
    # Note that this is not related to Signal delivery receipts.
    delivery_receipts: false
    # Whether or not delivery errors should be reported as messages in the Matrix room. (not yet implemented)
    delivery_error_reports: true
    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
    # This field will automatically be changed back to false after it,
    # except if the config file is not writable.
    resend_bridge_info: false
    # Interval at which to resync contacts (in seconds).
    periodic_sync: 0
-    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration
-    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    # Null means there's no enforced timeout.
-    provisioning:
+    message_handling_timeout:
-        # Whether or not the provisioning API should be enabled.
+        # Send an error message after this timeout, but keep waiting for the response until the deadline.
-        enabled: true
+        # This is counted from the origin_server_ts, so the warning time is consistent regardless of the source of delay.
-        # The prefix to use in the provisioning API endpoints.
+        # If the message is older than this when it reaches the bridge, the message won't be handled at all.
-        prefix: /_matrix/provision/v1
+        error_after: null
-        # The shared secret to authorize users of the API.
+        # Drop messages after this timeout. They may still go through if the message got sent to the servers.
-        # Set to "generate" to generate and save a new token.
+        # This is counted from the time the bridge starts handling the message.
-        shared_secret: generate
+        deadline: 120s
    # The prefix for commands. Only required in non-management rooms.
    command_prefix: "{{ matrix_mautrix_signal_command_prefix }}"
    # Messages sent upon joining a management room.
    # Markdown is supported. The defaults are listed below.
    management_room_text:
@ -207,67 +149,132 @@ bridge:
        # Sent when joining a management room and the user is already logged in.
        welcome_connected: "Use `help` for help."
        # Sent when joining a management room and the user is not logged in.
-        welcome_unconnected: "Use `help` for help or `register` to log in."
+        welcome_unconnected: "Use `help` for help or `login` to log in."
        # Optional extra text sent when joining a management room.
        additional_help: ""
-    # Send each message separately (for readability in some clients)
+    # End-to-bridge encryption support options.
-    management_room_multiple_messages: false
+    #
    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
        allow: {{ matrix_mautrix_signal_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
        default: {{ matrix_mautrix_signal_bridge_encryption_default|to_json }}
        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
        appservice: false
        # Require encryption, drop any unencrypted messages.
        require: false
        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
        # You must use a client that supports requesting keys from other users to use this feature.
        allow_key_sharing: {{ matrix_mautrix_signal_bridge_encryption_key_sharing_allow|to_json }}
        # Options for deleting megolm sessions from the bridge.
        delete_keys:
            # Beeper-specific: delete outbound sessions when hungryserv confirms
            # that the user has uploaded the key to key backup.
            delete_outbound_on_ack: false
            # Don't store outbound sessions in the inbound table.
            dont_store_outbound: false
            # Ratchet megolm sessions forward after decrypting messages.
            ratchet_on_decrypt: false
            # Delete fully used keys (index >= max_messages) after decrypting messages.
            delete_fully_used_on_decrypt: false
            # Delete previous megolm sessions from same device when receiving a new one.
            delete_prev_on_new_session: false
            # Delete megolm sessions received from a device when the device is deleted.
            delete_on_device_delete: false
            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
            periodically_delete_expired: false
            # Delete inbound megolm sessions that don't have the received_at field used for
            # automatic ratcheting and expired session deletion. This is meant as a migration
            # to delete old keys prior to the bridge update.
            delete_outdated_inbound: false
        # What level of device verification should be required from users?
        #
        # Valid levels:
        #   unverified - Send keys to all device in the room.
        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
        #                           Note that creating user signatures from the bridge bot is not currently possible.
        #   verified - Require manual per-device verification
        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
        verification_levels:
            # Minimum level for which the bridge should send keys to when bridging messages from Signal to Matrix.
            receive: unverified
            # Minimum level that the bridge should accept for incoming Matrix messages.
            send: unverified
            # Minimum level that the bridge should require for accepting key requests.
            share: cross-signed-tofu
        # Options for Megolm room key rotation. These options allow you to
        # configure the m.room.encryption event content. See:
        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
        # more information about that event.
        rotation:
            # Enable custom Megolm room key rotation settings. Note that these
            # settings will only apply to rooms created after this option is
            # set.
            enable_custom: false
            # The maximum number of milliseconds a session should be used
            # before changing it. The Matrix spec recommends 604800000 (a week)
            # as the default.
            milliseconds: 604800000
            # The maximum number of messages that should be sent with a given a
            # session before changing it. The Matrix spec recommends 100 as the
            # default.
            messages: 100
            # Disable rotating keys when a user's devices change?
            # You should not enable this option unless you understand all the implications.
            disable_device_change_key_rotation: false
    # Settings for provisioning API
    provisioning:
        # Prefix for the provisioning API paths.
        prefix: /_matrix/provision
        # Shared secret for authentication. If set to "generate", a random secret will be generated,
        # or if set to "disable", the provisioning API will be disabled.
        shared_secret: generate
        # Enable debug API at /debug with provisioning authentication.
        debug_endpoints: false
    # Permissions for using the bridge.
    # Permitted values:
-    #      relay - Allowed to be relayed through the bridge, no access to commands.
+    #    relay - Talk through the relaybot (if enabled), no access otherwise
-    #       user - Use the bridge with puppeting.
+    #     user - Access to use the bridge to chat with a Signal account.
-    #      admin - Use and administrate the bridge.
+    #    admin - User level and some additional administration tools
    # Permitted keys:
    #        * - All Matrix users
    #   domain - All users on that homeserver
    #     mxid - Specific user
    permissions: {{ matrix_mautrix_signal_bridge_permissions|to_json }}
    # Settings for relay mode
    relay:
-        # Whether or not relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
+        # Whether relay mode should be allowed. If allowed, `!signal set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
-        enabled: {{ matrix_mautrix_signal_relaybot_enabled }}
+        enabled: {{ matrix_mautrix_signal_bridge_relay_enabled | to_json }}
-        # The formats to use when sending messages to Signal via a relay user.
+        # Should only admins be allowed to set themselves as relay users?
-        #
+        admin_only: {{ matrix_mautrix_signal_bridge_relay_admin_only | to_json }}
-        # Available variables:
+        # The formats to use when sending messages to WhatsApp via the relaybot.
        #   $sender_displayname - The display name of the sender (e.g. Example User)
        #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
        #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
        #   $message            - The message content
        message_formats:
-            m.text: '$sender_displayname: $message'
+            m.text: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
-            m.notice: '$sender_displayname: $message'
+            m.notice: "<b>{{ '{{ .Sender.Displayname }}' }}</b>:: {{ '{{ .Message }}' }}"
-            m.emote: '* $sender_displayname $message'
+            m.emote: "* <b>{{ '{{ .Sender.Displayname }}' }}</b>: {{ '{{ .Message }}' }}"
-            m.file: '$sender_displayname sent a file'
+            m.file: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a file"
-            m.image: '$sender_displayname  sent an image'
+            m.image: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an image"
-            m.audio: '$sender_displayname  sent an audio file'
+            m.audio: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent an audio file"
-            m.video: '$sender_displayname  sent a video'
+            m.video: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a video"
-            m.location: '$sender_displayname  sent a location'
+            m.location: "<b>{{ '{{ .Sender.Displayname }}' }}</b>: sent a location"
-
+# Logging config. See https://github.com/tulir/zeroconfig for details.
 # Python logging configuration.
 #
 # See section 16.7.2 of the Python documentation for more info:
 # https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
 logging:
-    version: 1
+    directory: ./logs
-    formatters:
+    file_name_format: ''
-        colored:
+    file_date_format: "2006-01-02"
-            (): mautrix_signal.util.ColorFormatter
+    file_mode: 384
-            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    timestamp_format: Jan _2, 2006 15:04:05
-        normal:
+    print_level: {{ matrix_mautrix_signal_logging_level | to_json }}
-            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    print_json: false
-    handlers:
+    file_json: false
        console:
            class: logging.StreamHandler
            formatter: colored
    loggers:
        mau:
            level: {{ matrix_mautrix_signal_logging_level|to_json }}
        aiohttp:
            level: {{ matrix_mautrix_signal_logging_level|to_json }}
    root:
        level: {{ matrix_mautrix_signal_logging_level|to_json }}
        handlers: [console]
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/env.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/env.j2
@ -1 +0,0 @@
 {{ matrix_mautrix_signal_daemon_environment_variables_extension }}
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/registration.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/registration.yaml.j2
@ -1,18 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 id: signal
 as_token: "{{ matrix_mautrix_signal_appservice_token }}"
 hs_token: "{{ matrix_mautrix_signal_homeserver_token }}"
 namespaces:
    users:
    - exclusive: true
      regex: '^@signal_.+:{{ matrix_mautrix_signal_homeserver_domain | regex_escape }}$'
    - exclusive: true
      regex: '^@{{ matrix_mautrix_signal_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_signal_homeserver_domain | regex_escape }}$'
    aliases:
    - exclusive: true
      regex: '^#signal_.+:{{ matrix_mautrix_signal_homeserver_domain | regex_escape }}$'
 url: {{ matrix_mautrix_signal_appservice_address }}
 # See https://github.com/mautrix/signal/issues/43
 sender_localpart: _bot_{{ matrix_mautrix_signal_appservice_bot_username }}
 rate_limited: false
 de.sorunome.msc2409.push_ephemeral: true
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2
@ -1,52 +0,0 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Mautrix Signal daemon
 {% for service in matrix_mautrix_signal_daemon_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_mautrix_signal_daemon_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-signal-daemon 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
 ExecStartPre={{ matrix_host_command_sleep }} 5
 # Migration task required by the 0.19.0 upgrade
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
 			{{ matrix_mautrix_signal_daemon_docker_image }} \
 			--migrate-data
 # We can't use `--read-only` for this bridge.
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-signal-daemon \
 			--log-driver=none \
            --env-file={{ matrix_mautrix_signal_daemon_path }}/env \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
 			{{ matrix_mautrix_signal_daemon_docker_image }}
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-signal-daemon 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-signal-daemon 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-signal-daemon
 [Install]
 WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2
@ -1,15 +1,14 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
-Description=Matrix Mautrix Signal server
+Description=Matrix Mautrix Signal bridge
 {% for service in matrix_mautrix_signal_systemd_required_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
 {% for service in matrix_mautrix_signal_systemd_wanted_services_list %}
 Wants={{ service }}
 {% endfor %}
 DefaultDependencies=no
 [Service]
 Type=simple
@ -22,25 +21,20 @@ ExecStartPre={{ matrix_host_command_sleep }} 5
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-signal \
 			--log-driver=none \
 			--network={{ matrix_docker_network }} \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
-			--read-only \
+			--network={{ matrix_docker_network }} \
-			--tmpfs /tmp \
+			--mount type=bind,src={{ matrix_mautrix_signal_config_path }},dst=/config,ro \
-			{% if matrix_mautrix_signal_container_http_host_bind_port %}
+			--mount type=bind,src={{ matrix_mautrix_signal_data_path }},dst=/data \
-			-p {{ matrix_mautrix_signal_container_http_host_bind_port }}:29328 \
+			--workdir=/data \
 			{% endif %}
 			-v {{ matrix_mautrix_signal_daemon_path }}:/signald:z \
 			-v {{ matrix_mautrix_signal_config_path }}:/config:z \
 			{% for arg in matrix_mautrix_signal_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_signal_docker_image }} \
-			python3 -m mautrix_signal -c /config/config.yaml --no-update
+			/usr/bin/mautrix-signal -c /config/config.yaml -r /config/registration.yaml --no-update
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-signal 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-signal 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-mautrix-signal
--- a/setup.yml
+++ b/setup.yml
@ -58,8 +58,8 @@
    - custom/matrix-bridge-mautrix-hangouts
    - custom/matrix-bridge-mautrix-googlechat
    - custom/matrix-bridge-mautrix-instagram
    - custom/matrix-bridge-mautrix-signal
    - custom/matrix-bridge-mautrix-telegram
    - custom/matrix-bridge-mautrix-signal
    - custom/matrix-bridge-mautrix-gmessages
    - custom/matrix-bridge-mautrix-whatsapp
    - custom/matrix-bridge-mautrix-wsproxy
		`@ -1 +0,0 @@`
			`{{ matrix_mautrix_signal_daemon_environment_variables_extension }}`