chore(mautrix-whatsapp): update bridge settings

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2114

.github/workflows/matrix.yml

@@ -13,7 +13,7 @@ jobs:
       - name: Check out
         uses: actions/checkout@v3
       - name: Run yamllint
-        uses: frenck/action-yamllint@v1.2.0
+        uses: frenck/action-yamllint@v1.3.0
   ansible-lint:
     name: ansible-lint
     runs-on: ubuntu-latest

.gitignore

@@ -1,7 +1,3 @@
-/inventory/*
-!/inventory/.gitkeep
-!/inventory/host_vars/.gitkeep
-!/inventory/scripts
 /roles/*/files/scratchpad
 .DS_Store
 .python-version

CHANGELOG.md

@@ -1,3 +1,112 @@
+# 2022-09-15
+
+## (Potential Backward Compatibility Break) Major improvements to Synapse workers
+
+People who are interested in running a Synapse worker setup should know that **our Synapse worker implementation is much more powerful now**:
+
+- we've added support for [Stream writers](#stream-writers-support)
+- we've added support for [multiple federation sender workers](#multiple-federation-sender-workers-support)
+- we've added support for [multiple pusher workers](#multiple-pusher-workers-support)
+- we've added support for [running background tasks on a worker](#background-tasks-can-run-on-a-worker)
+- we've restored support for [`appservice` workers](#appservice-worker-support-is-back)
+- we've restored support for [`user_dir` workers](#user-directory-worker-support-is-back)
+- we've made it possible to [reliably use more than 1 `media_repository` worker](#using-more-than-1-media-repository-worker-is-now-more-reliable)
+- see the [Potential Backward Incompatibilities after these Synapse worker changes](#potential-backward-incompatibilities-after-these-synapse-worker-changes)
+
+### Stream writers support
+
+From now on, the playbook lets you easily set up various [stream writer workers](https://matrix-org.github.io/synapse/latest/workers.html#stream-writers) which can handle different streams (`events` stream; `typing` URL endpoints, `to_device` URL endpoints, `account_data` URL endpoints, `receipts` URL endpoints, `presence` URL endpoints). All of this work was previously handled by the main Synapse process, but can now be offloaded to stream writer worker processes.
+
+If you're using `matrix_synapse_workers_preset: one-of-each`, you'll automatically get 6 additional workers (one for each of the above stream types). Our `little-federation-helper` preset (meant to be quite minimal and focusing in improved federation performance) does not include stream writer workers.
+
+If you'd like to customize the number of workers we also make that possible using these variables:
+
+```yaml
+# Synapse only supports more than 1 worker for the `events` stream.
+# All other streams can utilize either 0 or 1 workers, not more than that.
+matrix_synapse_workers_stream_writer_events_stream_workers_count: 5
+matrix_synapse_workers_stream_writer_typing_stream_workers_count: 1
+matrix_synapse_workers_stream_writer_to_device_stream_workers_count: 1
+matrix_synapse_workers_stream_writer_account_data_stream_workers_count: 1
+matrix_synapse_workers_stream_writer_receipts_stream_workers_count: 1
+matrix_synapse_workers_stream_writer_presence_stream_workers_count: 1
+```
+
+### Multiple federation sender workers support
+
+Until now, we only supported a single `federation_sender` worker (`matrix_synapse_workers_federation_sender_workers_count` could either be `0` or `1`).
+From now on, you can have as many as you want to help with your federation traffic.
+
+### Multiple pusher workers support
+
+Until now, we only supported a single `pusher` worker (`matrix_synapse_workers_pusher_workers_count` could either be `0` or `1`).
+From now on, you can have as many as you want to help with pushing notifications out.
+
+### Background tasks can run on a worker
+
+From now on, you can put [background task processing on a worker](https://matrix-org.github.io/synapse/latest/workers.html#background-tasks).
+
+With `matrix_synapse_workers_preset: one-of-each`, you'll get one `background` worker automatically.
+You can also control the `background` workers count with `matrix_synapse_workers_background_workers_count`. Only  `0` or `1` workers of this type are supported by Synapse.
+
+### Appservice worker support is back
+
+We previously had an `appservice` worker type, which [Synapse deprecated in v1.59.0](https://github.com/matrix-org/synapse/blob/v1.59.0/docs/upgrade.md#deprecation-of-the-synapseappappservice-and-synapseappuser_dir-worker-application-types). So did we, at the time.
+
+The new way to implement such workers is by using a `generic_worker` and dedicating it to the task of talking to Application Services.
+From now on, we have support for this.
+
+With `matrix_synapse_workers_preset: one-of-each`, you'll get one `appservice` worker automatically.
+You can also control the `appservice` workers count with `matrix_synapse_workers_appservice_workers_count`. Only  `0` or `1` workers of this type are supported by Synapse.
+
+### User Directory worker support is back
+
+We previously had a `user_dir` worker type, which [Synapse deprecated in v1.59.0](https://github.com/matrix-org/synapse/blob/v1.59.0/docs/upgrade.md#deprecation-of-the-synapseappappservice-and-synapseappuser_dir-worker-application-types). So did we, at the time.
+
+The new way to implement such workers is by using a `generic_worker` and dedicating it to the task of serving the user directory.
+From now on, we have support for this.
+
+With `matrix_synapse_workers_preset: one-of-each`, you'll get one `user_dir` worker automatically.
+You can also control the `user_dir` workers count with `matrix_synapse_workers_user_dir_workers_count`. Only  `0` or `1` workers of this type are supported by Synapse.
+
+### Using more than 1 media repository worker is now more reliable
+
+With `matrix_synapse_workers_preset: one-of-each`, we only launch one `media_repository` worker.
+
+If you've been configuring `matrix_synapse_workers_media_repository_workers_count` manually, you may have increased that to more workers.
+When multiple media repository workers are in use, background tasks related to the media repository must always be configured to run on a single `media_repository` worker via `media_instance_running_background_jobs`. Until now, we weren't doing this correctly, but we now are.
+
+### Potential Backward Incompatibilities after these Synapse worker changes
+
+Below we'll discuss **potential backward incompatibilities**.
+
+- **Worker names** (container names, systemd services, worker configuration files) **have changed**. Workers are now labeled sequentially (e.g. `matrix-synapse-worker_generic_worker-18111` -> `matrix-synapse-worker-generic-0`). The playbook will handle these changes automatically.
+
+- Due to increased worker types support above, people who use `matrix_synapse_workers_preset: one-of-each` should be aware that with these changes, **the playbook will deploy 9 additional workers** (6 stream writers, 1 `appservice` worker, 1 `user_dir` worker, 1 background task worker). This **may increase RAM/CPU usage**, etc. If you find your server struggling, consider disabling some workers with the appropriate `matrix_synapse_workers_*_workers_count` variables.
+
+- **Metric endpoints have also changed** (`/metrics/synapse/worker/generic_worker-18111` -> `/metrics/synapse/worker/generic-worker-0`). If you're [collecting metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-metrics-to-an-external-prometheus-server), consider revisiting our [Collecting Synapse worker metrics to an external Prometheus server](docs/configuring-playbook-prometheus-grafana.md#collecting-synapse-worker-metrics-to-an-external-prometheus-server) docs and updating your Prometheus configuration. **If you're collecting metrics to the integrated Prometheus server** (not enabled by default), **your Prometheus configuration will be updated automatically**. Old data (from before this change) may stick around though.
+
+- **the format of `matrix_synapse_workers_enabled_list` has changed**. You were never advised to use this variable for directly creating workers (we advise people to control workers using `matrix_synapse_workers_preset` or by tweaking `matrix_synapse_workers_*_workers_count` variables only), but some people may have started using the `matrix_synapse_workers_enabled_list` variable to gain more control over workers. If you're one of them, you'll need to adjust its value. See `roles/matrix-synapse/defaults/main.yml` for more information on the new format. The playbook will also do basic validation and complain if you got something wrong.
+
+
+# 2022-09-09
+
+## Cactus Comments support
+
+Thanks to [Julian-Samuel Gebühr (@moan0s)](https://github.com/moan0s), the playbook can now set up [Cactus Comments](https://cactus.chat) - federated comment system for the web based on Matrix.
+
+See our [Setting up a Cactus Comments server](docs/configuring-playbook-cactus-comments.md) documentation to get started.
+
+
+# 2022-08-23
+
+## Postmoogle email bridge support
+
+Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook can now set up the new [Postmoogle](https://gitlab.com/etke.cc/postmoogle) email bridge/bot. Postmoogle is like the [email2matrix bridge](https://github.com/devture/email2matrix) (also [already supported by the playbook](docs/configuring-playbook-email2matrix.md)), but more capable and with the intention to soon support *sending* emails, not just receiving.
+
+See our [Setting up Postmoogle email bridging](docs/configuring-playbook-bot-postmoogle.md) documentation to get started.
+
+
 # 2022-08-10
 
 ## mautrix-whatsapp default configuration changes

README.md

@@ -113,6 +113,8 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot - see [docs/configuring-playbook-bot-honoroit.md](docs/configuring-playbook-bot-honoroit.md) for setup documentation
 
+- (optional) [Postmoogle](https://gitlab.com/etke.cc/postmoogle) email to matrix bot - see [docs/configuring-playbook-bot-postmoogle.md](docs/configuring-playbook-bot-postmoogle.md) for setup documentation
+
 - (optional) [Go-NEB](https://github.com/matrix-org/go-neb) multi functional bot written in Go - see [docs/configuring-playbook-bot-go-neb.md](docs/configuring-playbook-bot-go-neb.md) for setup documentation
 
 - (optional) [Mjolnir](https://github.com/matrix-org/mjolnir), a moderation tool for Matrix - see [docs/configuring-playbook-bot-mjolnir.md](docs/configuring-playbook-bot-mjolnir.md) for setup documentation
@@ -135,6 +137,8 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [Buscarron](https://gitlab.com/etke.cc/buscarron) bot - see [docs/configuring-playbook-bot-buscarron.md](docs/configuring-playbook-bot-buscarron.md) for setup documentation
 
+- (optional) [Cactus Comments](https://cactus.chat), a federated comment system built on matrix - see [docs/configuring-playbook-cactus-comments.md](docs/configuring-playbook-cactus-comments.md) for setup documentation
+
 Basically, this playbook aims to get you up-and-running with all the necessities around Matrix, without you having to do anything else.
 
 **Note**: the list above is exhaustive. It includes optional or even some advanced components that you will most likely not need.

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 stdout_callback = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/configuring-dns.md

@@ -28,18 +28,22 @@ If you are using Cloudflare DNS, make sure to disable the proxy and set all reco
 
 ## DNS settings for optional services/features
 
-| Type  | Host                         | Priority | Weight | Port | Target                 |
-| ----- | ---------------------------- | -------- | ------ | ---- | ---------------------- |
-| SRV   | `_matrix-identity._tcp`      | 10       | 0      | 443  | `matrix.<your-domain>` |
-| CNAME | `dimension`                  | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `jitsi`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `stats`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `goneb`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `sygnal`                     | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `ntfy`                       | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `hydrogen`                   | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `cinny`                      | -        | -      | -    | `matrix.<your-domain>` |
-| CNAME | `buscarron`                  | -        | -      | -    | `matrix.<your-domain>` |
+| Used by component                                                                                                       | Type  | Host                           | Priority | Weight | Port | Target                      |
+| ----------------------------------------------------------------------------------------------------------------------- | ----- | ------------------------------ | -------- | ------ | ---- | --------------------------- |
+| [ma1sd](configuring-playbook-ma1sd.md) identity server                                                                  | SRV   | `_matrix-identity._tcp`        | 10       | 0      | 443  | `matrix.<your-domain>`      |
+| [Dimension](configuring-playbook-dimension.md) integration server                                                       | CNAME | `dimension`                    | -        | -      | -    | `matrix.<your-domain>`      |
+| [Jitsi](configuring-playbook-jitsi.md) video-conferencing platform                                                      | CNAME | `jitsi`                        | -        | -      | -    | `matrix.<your-domain>`      |
+| [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) monitoring system                                      | CNAME | `stats`                        | -        | -      | -    | `matrix.<your-domain>`      |
+| [Go-NEB](configuring-playbook-bot-go-neb.md) bot                                                                        | CNAME | `goneb`                        | -        | -      | -    | `matrix.<your-domain>`      |
+| [Sygnal](configuring-playbook-sygnal.md) push notification gateway                                                      | CNAME | `sygnal`                       | -        | -      | -    | `matrix.<your-domain>`      |
+| [ntfy](configuring-playbook-ntfy.md) push notifications server                                                          | CNAME | `ntfy`                         | -        | -      | -    | `matrix.<your-domain>`      |
+| [Hydrogen](configuring-playbook-client-hydrogen.md) web client                                                          | CNAME | `hydrogen`                     | -        | -      | -    | `matrix.<your-domain>`      |
+| [Cinny](configuring-playbook-client-cinny.md) web client                                                                | CNAME | `cinny`                        | -        | -      | -    | `matrix.<your-domain>`      |
+| [Buscarron](configuring-playbook-bot-buscarron.md) helpdesk bot                                                         | CNAME | `buscarron`                    | -        | -      | -    | `matrix.<your-domain>`      |
+| [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | MX    | `matrix`                       | 10       | 0      | -    | `matrix.<your-domain>`      |
+| [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge                                                       | TXT   | `matrix`                       | -        | -      | -    | `v=spf1 ip4:<your-ip> -all` |
+| [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge                                                       | TXT   | `_dmarc.matrix`                | -        | -      | -    | `v=DMARC1; p=quarantine;`   |
+| [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge                                                       | TXT   | `postmoogle._domainkey.matrix` | -        | -      | -    | get it from `!pm dkim`      |
 
 ## Subdomains setup
 
@@ -77,3 +81,8 @@ This is an optional feature for the optionally-installed [ma1sd service](configu
 Note: This `_matrix-identity._tcp` SRV record for the identity server is different from the `_matrix._tcp` that can be used for Synapse delegation. See [howto-server-delegation.md](howto-server-delegation.md) for more information about delegation.
 
 When you're done with the DNS configuration and ready to proceed, continue with [Getting the playbook](getting-the-playbook.md).
+
+## `_dmarc`, `postmoogle._domainkey` TXT and `matrix` MX records setup
+
+To make the [postmoogle](configuring-playbook-bot-postmoogle.md) email bridge enable its email sending features, you need to configure
+SPF (TXT), DMARC (TXT), DKIM (TXT) and MX records

docs/configuring-playbook-bot-go-neb.md

@@ -21,20 +21,7 @@ You can use the playbook to [register a new user](registering-users.md):
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
 
-
-## Getting an access token
-
-If you use curl, you can get an access token like this:
-
-```
-curl -X POST --header 'Content-Type: application/json' -d '{
-    "identifier": { "type": "m.id.user", "user": "bot.go-neb" },
-    "password": "a strong password",
-    "type": "m.login.password"
-}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login'
-```
-
-Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token), but doing so might lead to decryption problems. That warning comes from [here](https://github.com/matrix-org/go-neb#quick-start).
+Once the user is created you can [obtain an access token](obtaining-access-tokens.md).
 
 
 ## Adjusting the playbook configuration

docs/configuring-playbook-bot-matrix-registration-bot.md

@@ -26,14 +26,7 @@ Choose a strong password for the bot. You can generate a good password with a co
 
 ## Obtaining an admin access token
 
-In order to use the bot you need to add an admin user's access token token to the configuration. As you created an admin user for the
-bot, it is recommended to obtain an access token by logging into Element/Schildichat with the bot account
-(using the password you set) and navigate to `Settings->Help&About` and scroll to the bottom.
-You can expand "Access token" to copy it.
-
-![Obatining an admin access token with Element](assets/obtain_admin_access_token_element.png)
-
-**IMPORTANT**: once you copy the token, just close the Matrix client window/tab. Do not "log out", as that would invalidate the token.
+In order to use the bot you need to add an admin user's access token token to the configuration. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
 
 ## Adjusting the playbook configuration
 
@@ -63,7 +56,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 
 ## Usage
 
-To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
+To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain).
 
 In this room send `help` and the bot will reply with all options.
 

docs/configuring-playbook-bot-maubot.md

@@ -54,10 +54,4 @@ Choose a strong password for the bot. You can generate a good password with a co
 
 ## Obtaining an admin access token
 
-This can be done via `mbc auth` (see the [maubot documentation](https://docs.mau.fi/maubot/usage/cli/auth.html)) or  by logging into Element/Schildichat with the bot account
-(using the password you set) and navigate to `Settings->Help&About` and scroll to the bottom.
-You can expand "Access token" to copy it.
-
-![Obatining an admin access token with Element](assets/obtain_admin_access_token_element.png)
-
-**IMPORTANT**: once you copy the token, just close the Matrix client window/tab. Do not "log out", as that would invalidate the token.
+This can be done via `mbc auth` (see the [maubot documentation](https://docs.mau.fi/maubot/usage/cli/auth.html)). Alternatively, use Element or curl to [obtain an access token](obtaining-access-tokens.md).

docs/configuring-playbook-bot-mjolnir.md

@@ -24,22 +24,12 @@ If you would like Mjolnir to be able to deactivate users, move aliases, shutdown
 
 ## 2. Get an access token
 
-If you use curl, you can get an access token like this:
-
-```
-curl -X POST --header 'Content-Type: application/json' -d '{
-    "identifier": { "type": "m.id.user", "user": "bot.mjolnir" },
-    "password": "PASSWORD_FOR_THE_BOT",
-    "type": "m.login.password"
-}' 'https://matrix.DOMAIN/_matrix/client/r0/login'
-```
-
-Alternatively, you can use a full-featured client (such as Element) to log in and get the access token from there (note: don't log out from the client as that will invalidate the token).
+Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
 
 
 ## 3. Make sure the account is free from rate limiting
 
-You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. [Currently there is no Synapse config option for this](https://github.com/matrix-org/synapse/issues/6286) so you have to manually edit the Synapse database. Manually editing the Synapse database is rarely a good idea but in this case it is required. Please ask for help if you are uncomfortable with these steps.
+You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
 
 1. Copy the statement below into a text editor. 
 

docs/configuring-playbook-bot-postmoogle.md

@@ -0,0 +1,59 @@
+# Setting up Postmoogle (optional)
+
+**Note**: email bridging can also happen via the [email2matrix](configuring-playbook-email2matrix.md) bridge supported by the playbook.
+
+The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you.
+
+It's a bot/bridge you can use to forward emails to Matrix rooms
+
+See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you.
+
+
+## Registering the bot user
+
+By default, the playbook will set up the bot with a username like this: `@postmoogle:DOMAIN`.
+
+(to use a different username, adjust the `matrix_bot_postmoogle_login` variable).
+
+You **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md):
+
+```
+ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=postmoogle password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
+```
+
+Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
+
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+
+```yaml
+matrix_bot_postmoogle_enabled: true
+
+# Adjust this to whatever password you chose when registering the bot user
+matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT
+```
+
+You will also need to add several DNS records so that postmoogle can send emails.
+See [Configuring DNS](configuring-dns.md).
+
+
+## Installing
+
+After configuring the playbook, run the [installation](installing.md) command again:
+
+```
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+
+## Usage
+
+To use the bot, invite the `@postmoogle:DOMAIN` into a room you want to use as a mailbox.
+
+Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the email address `NAME@matrix.domain`. Emails sent to that email address will be forwarded to the room.
+
+Send `!pm help` to the room to see the bot's help menu for additional commands.
+
+You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle).

docs/configuring-playbook-bridge-appservice-kakaotalk.md

@@ -2,6 +2,8 @@
 
 The playbook can install and configure [matrix-appservice-kakaotalk](https://src.miscworks.net/fair/matrix-appservice-kakaotalk) for you. `matrix-appservice-kakaotalk` is a bridge to [Kakaotalk](https://www.kakaocorp.com/page/service/service/KakaoTalk?lang=ENG) based on [node-kakao](https://github.com/storycraft/node-kakao) (now unmaintained) and some [mautrix-facebook](https://github.com/mautrix/facebook) code.
 
+**NOTE**: there have been recent reports (~2022-09-16) that **using this bridge may get your account banned**.
+
 See the project's [documentation](https://src.miscworks.net/fair/matrix-appservice-kakaotalk) to learn what it does and why it might be useful to you.
 
 
@@ -46,13 +48,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Appservice-Kakaotalk", "initial_device_display_name": "Appservice-Kakaotalk"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-bridge-mautrix-discord.md

@@ -60,13 +60,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Discord", "initial_device_display_name": "Mautrix-Discord"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-bridge-mautrix-facebook.md

@@ -58,13 +58,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Facebook", "initial_device_display_name": "Mautrix-Facebook"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-bridge-mautrix-googlechat.md

@@ -29,13 +29,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-googlechat", "initial_device_display_name": "Mautrix-googlechat"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-bridge-mautrix-hangouts.md

@@ -31,13 +31,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Hangouts", "initial_device_display_name": "Mautrix-Hangouts"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-bridge-mautrix-signal.md

@@ -73,13 +73,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Signal", "initial_device_display_name": "Mautrix-Signal"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-bridge-mautrix-telegram.md

@@ -28,13 +28,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Telegram", "initial_device_display_name": "Mautrix-Telegram"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send `login-matrix` to the bot and follow instructions about how to send the access token to it
 

docs/configuring-playbook-bridge-mautrix-whatsapp.md

@@ -44,13 +44,7 @@ This is the recommended way of setting up Double Puppeting, as it's easier to ac
 
 When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
 
-- retrieve a Matrix access token for yourself. You can use the following command:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Mautrix-Whatsapp", "initial_device_display_name": "Mautrix-Whatsapp"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
 
 - send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
 

docs/configuring-playbook-cactus-comments.md

@@ -0,0 +1,65 @@
+# Setting up Cactus Comments (optional)
+
+The playbook can install and configure [Cactus Comments](https://cactus.chat) for you.
+
+Cactus Comments is a **federated comment system** built on Matrix. The role allows you to self-host the system.
+It respects your privacy, and puts you in control.
+
+See the project's [documentation](https://cactus.chat/docs/getting-started/introduction/) to learn what it
+does and why it might be useful to you.
+
+
+## Configuration
+
+Add the following block to your `vars.yaml` and make sure to exchange the tokens to randomly generated values.
+
+```yaml
+#################
+## Cactus Chat ##
+#################
+
+matrix_cactus_comments_enabled: true
+
+# To allow guest comments without users needing to log in, you need to have guest registration enabled.
+# To do this you need to uncomment one of the following lines (depending if you are using synapse or dentrite as a homeserver)
+# If you don't know which one you use: The default is synapse ;)
+# matrix_synapse_allow_guest_access: true
+# matrix_dentrite_allow_guest_access
+```
+
+## Installing
+
+After configuring the playbook, run the [installation](installing.md) command again:
+
+```
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+
+## Usage
+
+Upon starting Cactus Comments, a `bot.cactusbot` user account is created automatically.
+
+To get started, send a `help` message to the `@bot.cactusbot:your-homeserver.com` bot to confirm it's working.
+Then, register a site by typing: `register <sitename>`. You will then be invited into a moderation room.
+Now you are good to go and can include the comment section on your website!
+
+**Careful:** To really make use of self-hosting you need change a few things in comparison to the official docs!
+
+Insert the following snippet into you page and make sure to replace `example.com` with your base domain!
+
+
+```html
+<script type="text/javascript" src="https://matrix.example.com/cactus-comments/cactus.js"></script>
+<link rel="stylesheet" href="https://matrix.example.com/cactus-comments/style.css" type="text/css">
+<div id="comment-section"></div>
+<script>
+initComments({
+  node: document.getElementById("comment-section"),
+  defaultHomeserverUrl: "https://matrix.example.com:8448",
+  serverName: "example.com",
+  siteName: "YourSiteName",
+  commentSectionId: "1"
+})
+</script>
+```

docs/configuring-playbook-dimension.md

@@ -39,27 +39,7 @@ We recommend that you create a dedicated Matrix user for Dimension (`dimension`
 Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**.
 
 You are required to specify an access token (belonging to this new user) for Dimension to work.
-To get an access token for the Dimension user, you can follow one of two options:
-
-*Through an interactive login*:
-
-1. In a private browsing session (incognito window), open Element.
-1. Log in with the `dimension` user and its password.
-1. Set the display name and avatar, if required.
-1. In the settings page choose "Help & About", scroll down to the bottom and expand the `Access Token` section.
-1. Copy the access token to your configuration.
-1. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
-
-*With CURL*
-
-```
-curl -X POST --header 'Content-Type: application/json' -d '{
-    "identifier": { "type": "m.id.user", "user": "YourDimensionUsername" },
-    "password": "YourDimensionPassword",
-    "type": "m.login.password"
-}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login'
-```
-*Change `YourDimensionUsername`, `YourDimensionPassword`, and `YOURDOMAIN` accordingly.*
+To get an access token for the Dimension user, you can follow the documentation on [how to do obtain an access token](obtaining-access-tokens.md).
 
 **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
 

docs/configuring-playbook-email2matrix.md

@@ -1,5 +1,8 @@
 # Setting up Email2Matrix (optional)
 
+**Note**: email bridging can also happen via the [Postmoogle](configuring-playbook-bot-postmoogle.md) bot supported by the playbook.
+Postmoogle is much more powerful and easier to use, so we recommend that you use it, instead of Email2Matrix.
+
 The playbook can install and configure [email2matrix](https://github.com/devture/email2matrix) for you.
 
 See the project's [documentation](https://github.com/devture/email2matrix/blob/master/docs/README.md) to learn what it does and why it might be useful to you.
@@ -7,6 +10,10 @@ See the project's [documentation](https://github.com/devture/email2matrix/blob/m
 
 ## Preparation
 
+### DNS configuration
+
+It's not strictly necessary, but you may increase the chances that incoming emails reach your server by adding an `MX` record for `matrix.DOMAIN`, as described in the [Configuring DNS](configuring-dns.md) documentation page.
+
 ### Port availability
 
 Ensure that port 25 is available on your Matrix server and open in your firewall.
@@ -34,18 +41,7 @@ You'll need the room id when doing [Configuration](#configuration) below.
 
 ### Obtaining an access token for the sender user
 
-In order for the sender user created above to be able to send messages to the room, we'll need to obtain an access token for it.
-
-To do this, you can execute a command like this:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "email2matrix" }, "password": "MATRIX_PASSWORD_FOR_THE_USER", "type": "m.login.password", "device_id": "Email2Matrix", "initial_device_display_name": "Email2Matrix"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
-
-Take note of the `access_token` value. You'll need the access token when doing [Configuration](#configuration) below.
-
+In order for the sender user created above to be able to send messages to the room, we'll need to obtain an access token for it. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
 
 ## Configuration
 

docs/configuring-playbook-own-webserver.md

@@ -1,11 +1,14 @@
 # Using your own webserver, instead of this playbook's nginx proxy (optional, advanced)
 
-By default, this playbook installs its own nginx webserver (in a Docker container) which listens on ports 80 and 443.
+By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443.
 If that's alright, you can skip this.
 
 If you don't want this playbook's nginx webserver to take over your server's 80/443 ports like that,
 and you'd like to use your own webserver (be it nginx, Apache, Varnish Cache, etc.), you can.
 
+You should note, however, that the playbook's services work best when you keep using the integrated `matrix-nginx-proxy` webserver.
+For example, disabling `matrix-nginx-proxy` when running a [Synapse worker setup for load-balancing](configuring-playbook-synapse.md#load-balancing-with-workers) (a more advanced, non-default configuration) is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)). If you need a such more scalable setup, disabling `matrix-nginx-proxy` will be a bad idea. If yours will be a simple (default, non-worker-load-balancing) deployment, disabling `matrix-nginx-proxy` may be fine.
+
 There are **2 ways you can go about it**, if you'd like to use your own webserver:
 
 - [Method 1: Disabling the integrated nginx reverse-proxy webserver](#method-1-disabling-the-integrated-nginx-reverse-proxy-webserver)

docs/configuring-playbook-prometheus-grafana.md

@@ -90,11 +90,11 @@ matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_b
 
 Using `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true` (see above).
 
-Note : The playbook will hash the basic_auth password for you on setup. Thus, you need to give the plain-text version of the password as a variable. 
+Note : The playbook will hash the basic_auth password for you on setup. Thus, you need to give the plain-text version of the password as a variable.
 
 ### Collecting Synapse worker metrics to an external Prometheus server
 
-If you are using workers (`matrix_synapse_workers_enabled: true`) and have enabled `matrix_synapse_metrics_proxying_enabled` as described above, the playbook will also automatically expose all Synapse worker threads' metrics to `https://matrix.DOMAIN/metrics/synapse/worker/TYPE-ID`, where `TYPE` corresponds to the type and `ID` to the instanceId of a worker as exemplified in `matrix_synapse_workers_enabled_list`.
+If you are using workers (`matrix_synapse_workers_enabled: true`) and have enabled `matrix_synapse_metrics_proxying_enabled` as described above, the playbook will also automatically expose all Synapse worker threads' metrics to `https://matrix.DOMAIN/metrics/synapse/worker/ID`, where `ID` corresponds to the worker `id` as exemplified in `matrix_synapse_workers_enabled_list`.
 
 The playbook also generates an exemplary config file (`/matrix/synapse/external_prometheus.yml.template`) with all the correct paths which you can copy to your Prometheus server and adapt to your needs. Make sure to edit the specified `password_file` path and contents and path to your `synapse-v2.rules`.
 It will look a bit like this:
@@ -111,8 +111,8 @@ scrape_configs:
         labels:
           job: "master"
           index: 1
-  - job_name: 'synapse-generic_worker-1'
-    metrics_path: /metrics/synapse/worker/generic_worker-18111
+  - job_name: 'matrix-synapse-synapse-worker-generic-worker-0'
+    metrics_path: /metrics/synapse/worker/generic-worker-0
     scheme: https
     basic_auth:
       username: prometheus

docs/configuring-playbook-synapse.md

@@ -42,7 +42,7 @@ matrix_postgres_process_extra_arguments: [
 ]
 ```
 
-If you're using the default setup (the `matrix-nginx-proxy` webserver being enabled) or you're using your own `nginx` server (which imports the configuration files generated by the playbook), you're good to go. If you use some other webserver, you may need to tweak your reverse-proxy setup manually to forward traffic to the various workers.
+**NOTE**: Disabling `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: false`) (that is, [using your own other webserver](configuring-playbook-own-webserver.md) when running a Synapse worker setup is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)).
 
 In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`.
 

docs/configuring-playbook.md

@@ -143,6 +143,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Setting up Email2Matrix](configuring-playbook-email2matrix.md) (optional)
 
+- [Setting up Postmoogle email bridging](configuring-playbook-bot-postmoogle.md) (optional)
+
 - [Setting up Matrix SMS bridging](configuring-playbook-bridge-matrix-bridge-sms.md) (optional)
 
 - [Setting up Heisenbridge bouncer-style IRC bridging](configuring-playbook-bridge-heisenbridge.md) (optional)
@@ -177,3 +179,5 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)
 
 - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional)
+
+- [Setting up a Cactus Comments server](configuring-playbook-cactus-comments.md) - a federated comment system built on Matrix (optional)

docs/container-images.md

@@ -100,6 +100,8 @@ These services are not part of our default installation, but can be enabled by [
 
 - [etke.cc/honoroit](https://gitlab.com/etke.cc/honoroit/container_registry) - the [honoroit](https://gitlab.com/etke.cc/honoroit) helpdesk bot (optional)
 
+- [etke.cc/postmoogle](https://gitlab.com/etke.cc/postmoogle/container_registry) - the [Postmoogle](https://gitlab.com/etke.cc/postmoogle) email bridge bot (optional)
+
 - [matrixdotorg/go-neb](https://hub.docker.com/r/matrixdotorg/go-neb) - the [Go-NEB](https://github.com/matrix-org/go-neb) bot (optional)
 
 - [matrixdotorg/mjolnir](https://hub.docker.com/r/matrixdotorg/mjolnir) - the [mjolnir](https://github.com/matrix-org/mjolnir) moderation bot (optional)
@@ -115,3 +117,5 @@ These services are not part of our default installation, but can be enabled by [
 - [matrixdotorg/sygnal](https://hub.docker.com/r/matrixdotorg/sygnal/) - [Sygnal](https://github.com/matrix-org/sygnal) is a reference Push Gateway for Matrix
 
 - [binwiederhier/ntfy](https://hub.docker.com/r/binwiederhier/ntfy/) - [ntfy](https://ntfy.sh/) is a self-hosted, UnifiedPush-compatible push notifications server
+
+- [cactuscomments/cactus-appservice](https://hub.docker.com/r/cactuscomments/cactus-appservice/) - [Cactus Comments](https://cactus.chat) a federated comment system built on Matrix

docs/maintenance-synapse.md

@@ -16,14 +16,7 @@ Table of contents:
 
 You can use the **[Purge History API](https://github.com/matrix-org/synapse/blob/master/docs/admin_api/purge_history_api.md)** to delete old messages on a per-room basis. **This is destructive** (especially for non-federated rooms), because it means **people will no longer have access to history past a certain point**.
 
-To make use of this API, **you'll need an admin access token** first. You can find your access token in the setting of some clients (like Element).
-Alternatively, you can log in and obtain a new access token like this:
-
-```
-curl \
---data '{"identifier": {"type": "m.id.user", "user": "YOUR_MATRIX_USERNAME" }, "password": "YOUR_MATRIX_PASSWORD", "type": "m.login.password", "device_id": "Synapse-Purge-History-API"}' \
-https://matrix.DOMAIN/_matrix/client/r0/login
-```
+To make use of this API, **you'll need an admin access token** first. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
 
 Synapse's Admin API is not exposed to the internet by default. To expose it you will need to add `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` to your `vars.yml` file.
 

docs/obtaining-access-tokens.md

@@ -0,0 +1,49 @@
+# Obtaining an Access Token
+
+When setting up some optional features like bots and bridges you will need to provide an access token for some user. This document provides documentation on how to obtain such an access token.
+
+**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
+
+## Prerequisites
+
+The user for whom you want to obtain an access token needs to already exist. You can use this playbook to [register a new user](registering-users.md), if you have not already.
+
+Below, we describe 2 ways to generate an access token for a user - using [Element](#obtain-an-access-token-via-element) or [curl](#obtain-an-access-token-via-curl). For both ways you need the user's password.
+
+## Obtain an access token via Element
+
+1. In a private browsing session (incognito window), open Element.
+1. Log in with the user's credentials.
+1. In the settings page, choose "Help & About", scroll down to the bottom and expand the `Access Token` section (see screenshot below).
+1. Copy the access token to your configuration.
+1. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
+
+![Obtaining an access token with Element](assets/obtain_admin_access_token_element.png)
+
+
+## Obtain an access token via curl
+
+You can use the following command to get an access token for your user directly from the [Matrix Client-Server API](https://www.matrix.org/docs/guides/client-server-api#login):
+
+```
+curl -XPOST -d '{
+    "identifier": { "type": "m.id.user", "user": "USERNAME" },
+    "password": "PASSWORD",
+    "type": "m.login.password",
+    "device_id": "YOURDEVICEID"
+}' 'https://matrix.YOURDOMAIN/_matrix/client/r0/login'
+```
+Change `USERNAME`, `PASSWORD`, and `YOURDOMAIN` accordingly.
+
+`YOURDEVICEID` is optional and can be used to more easily identify the session later. When omitted (mind the commas in the JSON payload if you'll be omitting it), a random device ID will be generated.
+
+Your response will look like this (prettified):
+
+```
+{
+    "user_id":"@USERNAME:YOURDOMAIN",
+    "access_token":">>>YOUR_ACCESS_TOKEN_IS_HERE<<<",
+    "home_server":"YOURDOMAIN",
+    "device_id":"YOURDEVICEID"
+}
+```

docs/updating-users-passwords.md

@@ -34,7 +34,7 @@ where `<password-hash>` is the hash returned by the docker command above.
 
 Use the Synapse User Admin API as described here: https://github.com/matrix-org/synapse/blob/master/docs/admin_api/user_admin_api.rst#reset-password
 
-This requires an access token from a server admin account. *This method will also log the user out of all of their clients while the other options do not.*
+This requires an [access token](obtaining-access-tokens.md) from a server admin account. *This method will also log the user out of all of their clients while the other options do not.*
 
 If you didn't make your account a server admin when you created it, you can use the `/usr/local/bin/matrix-change-user-admin-status` script as described in [registering-users.md](registering-users.md).
 

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -1202,6 +1202,39 @@ matrix_bot_buscarron_container_image_self_build: "{{ matrix_architecture not in
 #
 ######################################################################
 
+######################################################################
+#
+# matrix-bot-postmoogle
+#
+######################################################################
+
+# We don't enable bots by default.
+matrix_bot_postmoogle_enabled: false
+matrix_bot_postmoogle_ssl_path: "{{ matrix_ssl_config_dir_path }}"
+matrix_bot_postmoogle_tls_cert: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem"
+matrix_bot_postmoogle_tls_key: "/ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem"
+
+matrix_bot_postmoogle_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+    +
+    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+  }}
+
+# Postgres is the default, except if not using `matrix_postgres` (internal postgres)
+matrix_bot_postmoogle_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
+matrix_bot_postmoogle_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'postmoogle.db') | to_uuid }}"
+
+matrix_bot_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
+
+######################################################################
+#
+# /matrix-bot-postmoogle
+#
+######################################################################
+
 
 ######################################################################
 #
@@ -1299,6 +1332,35 @@ matrix_backup_borg_systemd_required_services_list: |
 # /matrix-backup-borg
 #
 ######################################################################
+######################################################################
+#
+# matrix-cactus-comments
+#
+######################################################################
+
+matrix_cactus_comments_enabled: false
+
+# Derive secret values from homeserver secret
+matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token') | to_uuid }}"
+matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token') | to_uuid }}"
+
+matrix_cactus_comments_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
+matrix_cactus_comments_systemd_required_services_list: |
+  {{
+    (['docker.service'])
+    +
+    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+    +
+    (['matrix-' + matrix_homeserver_implementation + '.service'])
+  }}
+
+matrix_cactus_comments_client_nginx_path: "{{ '/cactus-comments/' if matrix_nginx_proxy_enabled else matrix_cactus_comments_client_path + '/' }}"
+
+######################################################################
+#
+# /matrix-cactus-comments
+#
+######################################################################
 
 ######################################################################
 #
@@ -1698,14 +1760,20 @@ matrix_nginx_proxy_synapse_workers_enabled: "{{ matrix_synapse_workers_enabled }
 matrix_nginx_proxy_synapse_workers_list: "{{ matrix_synapse_workers_enabled_list }}"
 matrix_nginx_proxy_synapse_generic_worker_client_server_locations: "{{ matrix_synapse_workers_generic_worker_client_server_endpoints }}"
 matrix_nginx_proxy_synapse_generic_worker_federation_locations: "{{ matrix_synapse_workers_generic_worker_federation_endpoints }}"
+matrix_nginx_proxy_synapse_stream_writer_typing_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_typing_stream_worker_client_server_endpoints }}"
+matrix_nginx_proxy_synapse_stream_writer_to_device_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_to_device_stream_worker_client_server_endpoints }}"
+matrix_nginx_proxy_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}"
+matrix_nginx_proxy_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}"
+matrix_nginx_proxy_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}"
 matrix_nginx_proxy_synapse_media_repository_locations: "{{matrix_synapse_workers_media_repository_endpoints|default([]) }}"
-matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_endpoints|default([]) }}"
-matrix_nginx_proxy_synapse_frontend_proxy_locations: "{{ matrix_synapse_workers_frontend_proxy_endpoints|default([]) }}"
+matrix_nginx_proxy_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints|default([]) }}"
 
 matrix_nginx_proxy_systemd_wanted_services_list: |
   {{
     ['matrix-' + matrix_homeserver_implementation + '.service']
     +
+    (matrix_synapse_webserving_workers_systemd_services_list if matrix_homeserver_implementation == 'synapse' and matrix_synapse_workers_enabled else [])
+    +
     (['matrix-corporal.service'] if matrix_corporal_enabled else [])
     +
     (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
@@ -1761,6 +1829,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
     +
     ([matrix_server_fqn_ntfy] if matrix_ntfy_enabled else [])
     +
+    ([matrix_bot_postmoogle_domain] if matrix_bot_postmoogle_enabled else [])
+    +
     ([matrix_domain] if matrix_nginx_proxy_base_domain_serving_enabled else [])
     +
     matrix_ssl_additional_domains_to_obtain_certificates_for
@@ -1807,10 +1877,6 @@ matrix_postgres_additional_databases: |
     }] if (matrix_synapse_enabled and matrix_synapse_database_database != matrix_postgres_db_name and matrix_synapse_database_host == 'matrix-postgres') else [])
     +
     ([{
-      'name': matrix_dendrite_appservice_database,
-      'username': matrix_dendrite_database_user,
-      'password': matrix_dendrite_database_password,
-    },{
       'name': matrix_dendrite_federationapi_database,
       'username': matrix_dendrite_database_user,
       'password': matrix_dendrite_database_password,
@@ -1862,6 +1928,12 @@ matrix_postgres_additional_databases: |
       'password': matrix_bot_honoroit_database_password,
     }] if (matrix_bot_honoroit_enabled and matrix_bot_honoroit_database_engine == 'postgres' and matrix_bot_honoroit_database_hostname == 'matrix-postgres') else [])
     +
+    ([{
+      'name': matrix_bot_postmoogle_database_name,
+      'username': matrix_bot_postmoogle_database_username,
+      'password': matrix_bot_postmoogle_database_password,
+    }] if (matrix_bot_postmoogle_enabled and matrix_bot_postmoogle_database_engine == 'postgres' and matrix_bot_postmoogle_database_hostname == 'matrix-postgres') else [])
+    +
     ([{
       'name': matrix_bot_maubot_database_name,
       'username': matrix_bot_maubot_database_username,
@@ -2201,9 +2273,7 @@ matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}"
 
 matrix_synapse_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
-# When ma1sd is enabled, we can use it to validate email addresses and phone numbers.
-# Synapse can validate email addresses by itself as well, but it's probably not what we want by default when we have an identity server.
-matrix_synapse_account_threepid_delegates_email: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
+# When ma1sd is enabled, we can use it to validate phone numbers. It's something that the homeserver cannot do by itself.
 matrix_synapse_account_threepid_delegates_msisdn: "{{ 'http://matrix-ma1sd:' + matrix_ma1sd_container_port | string if matrix_ma1sd_enabled else '' }}"
 
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
@@ -2295,6 +2365,9 @@ matrix_synapse_redis_enabled: "{{ matrix_redis_enabled }}"
 matrix_synapse_redis_host: "{{ 'matrix-redis' if matrix_redis_enabled else '' }}"
 matrix_synapse_redis_password: "{{ matrix_redis_connection_password if matrix_redis_enabled else '' }}"
 
+matrix_synapse_container_runtime_injected_arguments: "{{ matrix_homeserver_container_runtime_injected_arguments }}"
+matrix_synapse_app_service_runtime_injected_config_files: "{{ matrix_homeserver_app_service_runtime_injected_config_files }}"
+
 ######################################################################
 #
 # /matrix-synapse
@@ -2560,6 +2633,9 @@ matrix_dendrite_systemd_wanted_services_list: |
     (['matrix-coturn.service'] if matrix_coturn_enabled else [])
   }}
 
+matrix_dendrite_container_runtime_injected_arguments: "{{ matrix_homeserver_container_runtime_injected_arguments }}"
+matrix_dendrite_app_service_runtime_injected_config_files: "{{ matrix_homeserver_app_service_runtime_injected_config_files }}"
+
 ######################################################################
 #
 # /matrix-dendrite

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,379 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_ssl_retrieval_method: none
+matrix_nginx_proxy_enabled: true
+matrix_nginx_proxy_https_enabled: false
+matrix_nginx_proxy_container_http_host_bind_port: "127.0.10.1:8080"
+matrix_nginx_proxy_container_federation_host_bind_port: "127.0.10.1:8448"
+matrix_nginx_proxy_trust_forwarded_proto: true
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+
+#matrix_nginx_proxy_proxy_synapse_metrics: true
+matrix_nginx_proxy_proxy_matrix_metrics_enabled: true
+matrix_synapse_metrics_enabled: true
+matrix_synapse_metrics_proxying_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_docker_installation_enabled: false
+
+#matrix_client_element_version: v1.8.4
+#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
+#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1"
+#matrix_mautrix_telegram_version: v0.10.0
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+matrix_synapse_rc_federation:
+  window_size: 1000
+  sleep_limit: 25
+  sleep_delay: 500
+  reject_limit: 50
+  concurrent: 5
+matrix_synapse_rc_message:
+  per_second: 0.5
+  burst_count: 25
+
+## Synapse cache tuning
+matrix_synapse_caches_global_factor: 1.5
+matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 2
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+# Enable experimental spaces support
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_max: 20
+  experimental_features:
+    spaces_enabled: true
+  caches:
+    per_cache_factors:
+      device_id_exists: 3
+      get_users_in_room: 4
+      _get_joined_users_from_context: 4
+      _get_joined_profile_from_event_id: 3
+      "*stateGroupMembersCache*": 2
+      _matches_user_in_member_list: 3
+      get_users_who_share_room_with_user: 3
+      is_interested_in_room: 2
+      get_user_by_id: 1.5
+      room_push_rule_cache: 1.5
+    expire_caches: true
+    cache_entry_ttl: 45m
+    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+matrix_synapse_admin_enabled: true
+matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: true
+matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+matrix_dimension_configuration_extension_yaml: |
+    telegram:
+        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_mute_bridging: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_bridge_allow_user_invite: true
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "gruenhage.xyz": "full"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: true
+matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+matrix_mx_puppet_instagram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_instagram_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-skype configuration
+#
+#matrix_mx_puppet_skype_enabled: false
+matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
+# matrix_mx_puppet_skype_container_extra_arguments:
+#   - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
+# matrix_mx_puppet_skype_configuration_extension_yaml: |
+#     bridge:
+#         enableGroupSync: true
+#         avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
+#     metrics:
+#         enabled: true
+#         port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+#         path: /metrics
+
+
+#
+# mx-puppet-discord configuration
+#
+matrix_mx_puppet_discord_enabled: true
+matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+matrix_mx_puppet_discord_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_discord_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
+matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+matrix_mx_puppet_slack_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_authHeaderLogoUrl: "welcome/images/logo.png"
+matrix_client_element_branding_welcomeBackgroundUrl: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcomeBackgroundUrl }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_authHeaderLogoUrl }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_roomdir_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+  - "entropia.de"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+matrix_ma1sd_configuration_extension_yaml: |
+    hashing:
+      enabled: true
+      pepperLength: 20
+      rotationPolicy: per_requests
+      requests: 10
+      hashStorageType: sql
+      algorithms:
+          - none
+          - sha256
+
+
+# Matrix mail notification relay setup
+matrix_mailer_enabled: true
+matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
+matrix_mailer_relay_use: true
+matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+matrix_mailer_relay_host_port: 587
+matrix_mailer_relay_auth: true
+matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,100 @@
+$ANSIBLE_VAULT;1.1;AES256
+39366364363633336238333130353832663162393038633665396333343732353964333363666539
+6562346632343235623835643735386434316666393234360a383634616537393134613631383836
+61333835363666623033306166376232303930306433343366373463653234623736643633383734
+3330333665383539650a383132353032386230393031626361343764323034386230363066306331
+34646236336262623435633566363033613737373064616266336237343233663066396163373034
+62303765353066653737366539626461636531636438323932333134363136363134646164646531
+63656638666233313437663261396665653736373164323433306435323336633938313164646264
+33653661633965363833393031616463633761356234633630643562306366653133366637346166
+38636433343736343461613731623538633361363934343764326466313261353633646230353065
+37366134303164356433333961346663313963626165323966656536313532376162326565383539
+65363333633964323838663461373666353665643236623839646664653661613838353239613137
+39353061323131306365656261343630313665356165623064616436653566373663343733316237
+34393666383465323463313838393465643830373632373938633763666636346539666233303265
+38353337633833373331356663633936326334366337393135653030333531613565643666633038
+64393862303765366632393137313432376563353335353231323464633637343334346634306534
+35613330373336633031376263306466306437656635396133613335386130346163663438386136
+61646437343938663431343736363564376238316666373531616231366132643864346538363866
+35396433366137356162313963666134383134306462313336613735386639363936326131383939
+66623833643433663039623837623133303336666233623935313438366136353332313165333936
+31386632336535383533646639636164313331346630633366383739623261366465656632393062
+63373332623738303364623437666531396331646666336230353333366261653438363861656466
+39333762633037383336393164616563396564383232636533363864636230616664303330323932
+66666234633362346132303932643464366466323535303835363430333737666661373534333934
+61393362616438626636383564613335363634626231663234616438343464383461303632363033
+39336362396339316661323662393665383031643931626333646335643335353661653939363538
+38666561313539613566386132336630643237333432656236356132616230663561343665353938
+33366663353834356434366335373265373439363430636533303933656264366338623232613435
+35356662383232386137313064313363303861326635333435393737643663336534363234623430
+32376432353330613666396337303935376366613564353039396164383361616337656535346166
+34396635356266326461613135303639643935363261396363636338636564643838313262326266
+31663139343336376233303637373864363835313839326433656235616332333134306139623239
+37636639356263646437373362333931613262363363313462666534643765313139386461623731
+33376635653133353033333733613464396632636634313063326363313030376632643863336237
+61636638353237313764313435626463633964643665313536326235343639663137373436303564
+30636232626137376339303238653664346538356430306238633037366332316263623666373062
+63646533646131303466653637346463613237323161313265613834383634626237323563653733
+38656435303264346663663465333966376631666530333833353233376263336436613065366362
+36366263343438393132326661623031316663663231663464383732343064383234616636306530
+66613634626362316533303034393063666632343262613431613635663866636433623535363238
+30643933613731363236346234336662613633323831633437613435326465383530653765616262
+63373538396364316563343365303134373466663639386137663564356532353531343636613135
+63316463353264316164306566326462333732316431643939626161346530636638636662303037
+34346461313961613063336332333934383363373335616636363661396362613661383762663866
+64303834636264376461396266663763336665356561376161333136336638646363313133353161
+31643061623833623239373432633537663664636334623534326639616633616361333834366131
+30376361656238353332656666316637643133623433333861653265636266376639666135383638
+37363337326231656530363536393737383565666266306532626361633633353539363866376534
+61303737326632303762626666306134343837376566343035386663613336626332383035383035
+37633462373066373062313862323766316362393832666466396637363562353865303366323062
+39346332383966313437646138623364656234663066663639663138626163656433363038323166
+65613862386665643438323061323763306635666162303366323131363436633335356332393366
+63373966383132303434633835333438333337303664346335643066623839343835643364306561
+34643336346564363462396330643263653931376664386335313433376332653832323437376135
+35383231386133363236653334393433306638303131323064343931623538323130343666653061
+36353536383632333964343730346265626433303131346531303133663832363036333261386237
+30363361356265356139323761623563396565336137333733656431636531333234323061343862
+33623935346663333735613661363234646234356331323636386637343661373363363261646231
+33643233343235323230393933616664623166666266333862323631653835666135303233653635
+63373061656163353762636531613632366638383366303864343132376162643963366564363563
+61336338613935613532636165383463633866633036393533313433643562313737383431353163
+37623165373933376236393931363939633963666636303136373065376635623761346537643530
+35363464313630376233633863306238616138666464316534363332333937343362343233346431
+34643032323934353939666364323239653932363735373061633434653062326336353239633261
+38306237336266663038656534393664646138343038323335633064616431386666613739326630
+34383963666534313530376331366238343836303036306336343533666332386163643033643138
+33336333333338353733383165306139623964303035653439623131633566356136386431613135
+63616462386639303230343866346631346532353531373132613433363239646330653666633532
+65393766333238383531313132633537633833363335303630376239396565373730646331313633
+30383861303739343265623934643635633361623262356433323035393062353630346430646262
+63303434353038646361353661616339313937323336303566303536366163623362356332383862
+37326333393761633732653264646333653439363039323238383361336233323232613336303464
+34393635633131313135313665363161306466643364393734346264633030373234306466653862
+32336163666435636162343465386633653863363533616339636531306130383331376563393533
+65366136626662343065383164646665613035393636373565346235656439303933343563366339
+36643838393033353033396535613331303031646162316361613564323163633434633861356135
+62343461616335323565636633383962316531316362396165366533346166336163623232366261
+39376230376562626135346333326437373733373266393236383435343562653034313133376236
+61666138346562613330633630373837653465393233613261353937336666646231366666393335
+35393463333936323664323831396639333462626238613164616435363664643438653763623431
+32663237363134353061373563396535653565636431366565386337653863316333343738343432
+62303132636338303462313439376535363063333833363632613832303436353834376561333330
+66633632383135646263626333643230343630326539663762633934316261633062663732373932
+30306438386263626335373838343236643562326135663366353638353163346365396261313133
+36333634306133353235316237343738623263333732343063356238333162323931346664346539
+66323733643061386334306130633537353630663336313966663538373963313435666564316539
+63613030366332363432303036396232306537663765653938353736376135316539613135623632
+66356639623635663365323635646635383638346539323438336261393332373935383536333831
+61306639343061333639336162366536366438356166396266666132303932333037613632623666
+63616662343830303664353931306632323630316162643432653835313962633735626163366332
+34373637633066333432383533316363613031393963373963386161663430623533383165653561
+38343439633066366663643138326264653539336530393932386236366533663935353664343966
+39323161646231353234633961633732613065323039663062313661386565366534623430356632
+64343732336238393262363338363734643639353830646163343361653761633134303163616562
+35633436393832393137383534613031303963613339333566343065336530623964636662353065
+32366630353538383339346465376661323666333234373665613164633866363364613066643034
+37616630366232353166366535633936366536626462353831643335306337353564316461653564
+66663133373466333431336366346435623436656230376232613665633466333463636263373464
+30386434336538303061666566383033616563303564666362346432663130306531613063363537
+646635613236636563666161666630653836

inventory/hosts

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31336566376336626265653165306635633033376662656164383037383834653239656136333734
+3833666339393037323035343565343235396163636166370a643933333933386133366564396465
+30393637613164356564393337633361653432333232383664303739363736633435363764343530
+3532313739363963660a343434356534316230623133636366386334323465376139363162616238
+39396638366262313531653635326361616537396338363533303961623165343931373939306239
+31336632643166633662653765333231393461643933306464303165633037343061323636313034
+34376631656563646665373566633431366638383863666130323264316337663237343135306236
+66323536346164663239343139623430303230333466633437643337343930363530653964626163
+38336363633730393136333637383631636266396636646533356262376630646139303636666538
+32366437353163663865623234643061313639646162643965393535353938313133326237313265
+66646163333535396539646461356334633532313530653834623263386265383765356130333466
+30373531306137393935363030313739666536363138363962646565306439393239303030643162
+33333166663430393866666439653532623034396130313066383035396535646633366237303264
+36356665366461323664373038366364623937386233313039323837666333653764616462333365
+31326264633236373937313537633961633164323138356135633765663639323537656263633766
+38653836323263386333376131333330326237393666363064326463663961633839393039323835
+61306265333232623037356465393133323733363634646364336261326333366239346565366338
+61646132333033373866623739343830336164316461646366666237313565626639323537623732
+38323830656136323137323530343764666433633432366136643538323832653130376363653135
+64376261386635636533353961613335663962306337353866616464613636303735336230623962
+3336

roles/matrix-backup-borg/defaults/main.yml

@@ -26,8 +26,11 @@ matrix_backup_borg_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-backup-borg.service wants
 matrix_backup_borg_systemd_wanted_services_list: []
 
-# systemd calendar configuration for backup job
+# systemd calendar configuration for the backup job
+# the actual job may run with a delay (see matrix_backup_borg_schedule_randomized_delay_sec)
 matrix_backup_borg_schedule: "*-*-* 04:00:00"
+# the delay with which the systemd timer may run in relation to the `matrix_backup_borg_schedule` schedule
+matrix_backup_borg_schedule_randomized_delay_sec: 2h
 
 # what directories should be added to backup
 matrix_backup_borg_location_source_directories: []

roles/matrix-backup-borg/templates/systemd/matrix-backup-borg.timer.j2

@@ -4,7 +4,7 @@ Description=Matrix Borg Backup timer
 [Timer]
 Unit=matrix-backup-borg.service
 OnCalendar={{ matrix_backup_borg_schedule }}
-RandomizedDelaySec=2h
+RandomizedDelaySec={{ matrix_backup_borg_schedule_randomized_delay_sec }}
 
 [Install]
 WantedBy=timers.target

roles/matrix-base/defaults/main.yml

@@ -134,7 +134,7 @@ matrix_host_command_openssl: "/usr/bin/env openssl"
 matrix_host_command_systemctl: "/usr/bin/env systemctl"
 matrix_host_command_sh: "/usr/bin/env sh"
 
-matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 7) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int > 18)  else ( 'systemd' if ansible_os_family == 'Suse' else 'ntp' ) }}"
+matrix_ntpd_package: "{{ 'systemd-timesyncd' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 7) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int > 18)  else ('systemd' if ansible_os_family == 'Suse' else 'ntp') }}"
 matrix_ntpd_service: "{{ 'systemd-timesyncd' if (ansible_os_family == 'RedHat' and ansible_distribution_major_version | int > 7) or (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version | int > 18) or ansible_distribution == 'Archlinux' or ansible_os_family == 'Suse' else ('ntpd' if ansible_os_family == 'RedHat' else 'ntp') }}"
 
 matrix_homeserver_url: "https://{{ matrix_server_fqn_matrix }}"

roles/matrix-base/tasks/server_base/setup_fedora.yml

@@ -18,6 +18,7 @@
   when: matrix_docker_installation_enabled | bool and matrix_docker_package_name == 'docker-ce'
 
 - name: Ensure yum packages are installed
+  when: false
   ansible.builtin.yum:
     name:
       - "{{ matrix_ntpd_package }}"

roles/matrix-base/tasks/server_base/setup_raspbian.yml

@@ -36,6 +36,6 @@
   ansible.builtin.apt:
     name:
       - "{{ matrix_docker_package_name }}"
-      - "python{{'3' if ansible_python.version.major == 3 else ''}}-docker"
+      - "python{{ '3' if ansible_python.version.major == 3 else '' }}-docker"
     state: present
   when: matrix_docker_installation_enabled | bool

roles/matrix-base/tasks/server_base/setup_redhat.yml

@@ -28,4 +28,5 @@
       - "{{ matrix_docker_package_name }}"
       - docker-python
     state: present
-  when: matrix_docker_installation_enabled | bool
+  when: matrix_docker_installation_enabled | bool and false
+

roles/matrix-base/vars/main.yml

@@ -2,3 +2,6 @@
 # This will contain a list of enabled services that the playbook is managing.
 # Each component is expected to append its service name to this list.
 matrix_systemd_services_list: []
+
+matrix_homeserver_container_runtime_injected_arguments: []
+matrix_homeserver_app_service_runtime_injected_config_files: []

roles/matrix-bot-buscarron/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_bot_buscarron_docker_repo: "https://gitlab.com/etke.cc/buscarron.git"
 matrix_bot_buscarron_docker_repo_version: "{{ matrix_bot_buscarron_version }}"
 matrix_bot_buscarron_docker_src_files_path: "{{ matrix_base_data_path }}/buscarron/docker-src"
 
-matrix_bot_buscarron_version: v1.2.0
+matrix_bot_buscarron_version: v1.2.1
 matrix_bot_buscarron_docker_image: "{{ matrix_bot_buscarron_docker_image_name_prefix }}buscarron:{{ matrix_bot_buscarron_version }}"
 matrix_bot_buscarron_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_buscarron_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}"
 matrix_bot_buscarron_docker_image_force_pull: "{{ matrix_bot_buscarron_docker_image.endswith(':latest') }}"

roles/matrix-bot-honoroit/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 
-matrix_bot_honoroit_version: v0.9.12
+matrix_bot_honoroit_version: v0.9.14
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}"
 matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
@@ -88,6 +88,17 @@ matrix_bot_honoroit_loglevel: ''
 # Disable encryption
 matrix_bot_honoroit_noencryption: false
 
+# A list of whitelisted users allowed to use/invite honoroit
+# If not defined, everyone is allowed.
+# Example set of rules:
+# matrix_bot_honoroit_allowedusers:
+# - @someone:example.com
+# - @another:example.com
+# - @bot.*:example.com
+# - @*:another.com
+matrix_bot_honoroit_allowedusers:
+  - "@*:*"
+
 # Max items in cache
 matrix_bot_honoroit_cachesize: ''
 

roles/matrix-bot-honoroit/templates/env.j2

@@ -10,7 +10,8 @@ HONOROIT_LOGLEVEL={{ matrix_bot_honoroit_loglevel }}
 HONOROIT_CACHESIZE={{ matrix_bot_honoroit_cachesize }}
 HONOROIT_NOENCRYPTION={{ matrix_bot_honoroit_noencryption }}
 HONOROIT_IGNORENOTHREAD={{ matrix_bot_honoroit_ignorenothread }}
-HONOROIT_IGNOREDROOMS={{ matrix_bot_honoroit_ignoredrooms|join(' ') }}
+HONOROIT_IGNOREDROOMS={{ matrix_bot_honoroit_ignoredrooms | join(' ') }}
+HONOROIT_ALLOWEDUSERS={{ matrix_bot_honoroit_allowedusers | join(' ') }}
 HONOROIT_TEXT_PREFIX_OPEN={{ matrix_bot_honoroit_text_prefix_open }}
 HONOROIT_TEXT_PREFIX_DONE={{ matrix_bot_honoroit_text_prefix_done }}
 HONOROIT_TEXT_NOENCRYPTION={{ matrix_bot_honoroit_text_noencryption }}

roles/matrix-bot-maubot/tasks/init.yml

@@ -35,7 +35,7 @@
             +
             [matrix_bot_maubot_matrix_nginx_proxy_configuration]
           }}
-      when: matrix_bot_maubot_proxy_management_interface|bool
+      when: matrix_bot_maubot_proxy_management_interface | bool
 
     - name: Warn about reverse-proxying if matrix-nginx-proxy not used
       ansible.builtin.debug:

roles/matrix-bot-maubot/tasks/setup_uninstall.yml

@@ -12,18 +12,18 @@
     enabled: false
     daemon_reload: true
   register: stopping_result
-  when: "matrix_bot_maubot_service_stat.stat.exists|bool"
+  when: "matrix_bot_maubot_service_stat.stat.exists | bool"
 
 - name: Ensure matrix-bot-maubot.service doesn't exist
   ansible.builtin.file:
     path: "{{ matrix_systemd_path }}/matrix-bot-maubot.service"
     state: absent
-  when: "matrix_bot_maubot_service_stat.stat.exists|bool"
+  when: "matrix_bot_maubot_service_stat.stat.exists | bool"
 
 - name: Ensure systemd reloaded after matrix-bot-maubot.service removal
   ansible.builtin.service:
     daemon_reload: true
-  when: "matrix_bot_maubot_service_stat.stat.exists|bool"
+  when: "matrix_bot_maubot_service_stat.stat.exists | bool"
 
 - name: Ensure Matrix maubot paths don't exist
   ansible.builtin.file:

roles/matrix-bot-postmoogle/defaults/main.yml

@@ -0,0 +1,148 @@
+---
+# postmoogle is an email to matrix bot
+# Project source code URL: https://gitlab.com/etke.cc/postmoogle
+
+matrix_bot_postmoogle_enabled: true
+
+matrix_bot_postmoogle_container_image_self_build: false
+matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git"
+matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}"
+matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
+
+matrix_bot_postmoogle_version: v0.9.2
+matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}postmoogle:{{ matrix_bot_postmoogle_version }}"
+matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/etke.cc/' }}"
+matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}"
+
+matrix_bot_postmoogle_base_path: "{{ matrix_base_data_path }}/postmoogle"
+matrix_bot_postmoogle_config_path: "{{ matrix_bot_postmoogle_base_path }}/config"
+matrix_bot_postmoogle_data_path: "{{ matrix_bot_postmoogle_base_path }}/data"
+
+# A list of extra arguments to pass to the container
+matrix_bot_postmoogle_container_extra_arguments: []
+
+# List of systemd services that matrix-bot-postmoogle.service depends on
+matrix_bot_postmoogle_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-bot-postmoogle.service wants
+matrix_bot_postmoogle_systemd_wanted_services_list: []
+
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_bot_postmoogle_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_bot_postmoogle_database_*` variables
+matrix_bot_postmoogle_database_engine: 'sqlite'
+
+matrix_bot_postmoogle_sqlite_database_path_local: "{{ matrix_bot_postmoogle_data_path }}/bot.db"
+matrix_bot_postmoogle_sqlite_database_path_in_container: "/data/bot.db"
+
+matrix_bot_postmoogle_database_username: 'postmoogle'
+matrix_bot_postmoogle_database_password: 'some-password'
+matrix_bot_postmoogle_database_hostname: 'matrix-postgres'
+matrix_bot_postmoogle_database_port: 5432
+matrix_bot_postmoogle_database_name: 'postmoogle'
+
+matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode=disable'
+
+matrix_bot_postmoogle_storage_database: "{{
+	{
+		'sqlite': matrix_bot_postmoogle_sqlite_database_path_in_container,
+		'postgres': matrix_bot_postmoogle_database_connection_string,
+	}[matrix_bot_postmoogle_database_engine]
+}}"
+
+matrix_bot_postmoogle_database_dialect: "{{
+  {
+    'sqlite': 'sqlite3',
+    'postgres': 'postgres',
+  }[matrix_bot_postmoogle_database_engine]
+}}"
+
+
+# The bot's username. This user needs to be created manually beforehand.
+# Also see `matrix_bot_postmoogle_password`.
+matrix_bot_postmoogle_login: "postmoogle"
+
+# The password that the bot uses to authenticate.
+matrix_bot_postmoogle_password: ''
+
+matrix_bot_postmoogle_homeserver: "{{ matrix_homeserver_container_url }}"
+
+# Command prefix
+matrix_bot_postmoogle_prefix: '!pm'
+
+# Max email size in megabytes, including attachments
+matrix_bot_postmoogle_maxsize: '1024'
+
+# DEPRECATED, use !pm users instead
+# A list of whitelisted users allowed to use the bridge.
+# If not defined, everyone is allowed.
+# Example set of rules:
+# matrix_bot_postmoogle_users:
+# - @someone:example.com
+# - @another:example.com
+# - @bot.*:example.com
+# - @*:another.com
+matrix_bot_postmoogle_users:
+  - "@*:{{ matrix_domain }}"
+
+# A list of admins
+# Example set of rules:
+# matrix_bot_postmoogle_admins:
+# - @someone:example.com
+# - @another:example.com
+# - @bot.*:example.com
+# - @*:another.com
+matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}"
+
+# Sentry DSN
+matrix_bot_postmoogle_sentry: ''
+
+# Log level
+matrix_bot_postmoogle_loglevel: 'INFO'
+
+# Disable encryption
+matrix_bot_postmoogle_noencryption: false
+
+matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}"
+
+# in-container ports
+matrix_bot_postmoogle_port: '2525'
+matrix_bot_postmoogle_tls_port: '25587'
+
+# on-host ports
+matrix_bot_postmoogle_smtp_host_bind_port: '25'
+matrix_bot_postmoogle_submission_host_bind_port: '587'
+
+### SSL
+## on-host SSL dir
+matrix_bot_postmoogle_ssl_path: ""
+
+## in-container SSL paths
+# matrix_bot_postmoogle_tls_cert is the SSL certificate's certificate.
+# This is likely set via group_vars/matrix_servers, so you don't need to set it.
+# If you do need to set it manually, note that this is an in-container path.
+# To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path
+# Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/fullchain.pem
+matrix_bot_postmoogle_tls_cert: ""
+
+# matrix_bot_postmoogle_tls_key is the SSL certificate's key.
+# This is likely set via group_vars/matrix_servers, so you don't need to set it.
+# If you do need to set it manually, note that this is an in-container path.
+# To mount a certificates volumes into the container, use matrix_bot_postmoogle_ssl_path
+# Example value: /ssl/live/{{ matrix_bot_postmoogle_domain }}/privkey.pem
+matrix_bot_postmoogle_tls_key: ""
+
+# Mandatory TLS, even on plain SMTP port
+matrix_bot_postmoogle_tls_required: false
+
+# Additional environment variables to pass to the postmoogle container
+#
+# Example:
+# matrix_bot_postmoogle_environment_variables_extension: |
+#   postmoogle_TEXT_DONE=Done
+matrix_bot_postmoogle_environment_variables_extension: ''

roles/matrix-bot-postmoogle/tasks/init.yml

@@ -0,0 +1,5 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-postmoogle.service'] }}"
+  when: matrix_bot_postmoogle_enabled | bool

roles/matrix-bot-postmoogle/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool"
+  tags:
+    - setup-all
+    - setup-bot-postmoogle
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup | bool and matrix_bot_postmoogle_enabled | bool"
+  tags:
+    - setup-all
+    - setup-bot-postmoogle
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup | bool and not matrix_bot_postmoogle_enabled | bool"
+  tags:
+    - setup-all
+    - setup-bot-postmoogle

roles/matrix-bot-postmoogle/tasks/setup_install.yml

@@ -0,0 +1,99 @@
+---
+- block:
+    - name: Check if an SQLite database already exists
+      ansible.builtin.stat:
+        path: "{{ matrix_bot_postmoogle_sqlite_database_path_local }}"
+      register: matrix_bot_postmoogle_sqlite_database_path_local_stat_result
+
+    - block:
+        - ansible.builtin.set_fact:
+            matrix_postgres_db_migration_request:
+              src: "{{ matrix_bot_postmoogle_sqlite_database_path_local }}"
+              dst: "{{ matrix_bot_postmoogle_database_connection_string }}"
+              caller: "{{ role_path | basename }}"
+              engine_variable_name: 'matrix_bot_postmoogle_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-bot-postmoogle.service']
+
+        - ansible.builtin.import_role:
+            name: matrix-postgres
+            tasks_from: migrate_db_to_postgres
+
+        - ansible.builtin.set_fact:
+            matrix_bot_postmoogle_requires_restart: true
+      when: "matrix_bot_postmoogle_sqlite_database_path_local_stat_result.stat.exists | bool"
+  when: "matrix_bot_postmoogle_database_engine == 'postgres'"
+
+- name: Ensure postmoogle paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_bot_postmoogle_config_path }}", when: true}
+    - {path: "{{ matrix_bot_postmoogle_data_path }}", when: true}
+    - {path: "{{ matrix_bot_postmoogle_docker_src_files_path }}", when: matrix_bot_postmoogle_container_image_self_build}
+  when: "item.when | bool"
+
+- name: Ensure postmoogle environment variables file created
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/env.j2"
+    dest: "{{ matrix_bot_postmoogle_config_path }}/env"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0640
+
+- name: Ensure postmoogle image is pulled
+  docker_image:
+    name: "{{ matrix_bot_postmoogle_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_bot_postmoogle_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_postmoogle_docker_image_force_pull }}"
+  when: "not matrix_bot_postmoogle_container_image_self_build | bool"
+  register: result
+  retries: "{{ matrix_container_retries_count }}"
+  delay: "{{ matrix_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure postmoogle repository is present on self-build
+  ansible.builtin.git:
+    repo: "{{ matrix_bot_postmoogle_docker_repo }}"
+    version: "{{ matrix_bot_postmoogle_docker_repo_version }}"
+    dest: "{{ matrix_bot_postmoogle_docker_src_files_path }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  register: matrix_bot_postmoogle_git_pull_results
+  when: "matrix_bot_postmoogle_container_image_self_build | bool"
+
+- name: Ensure postmoogle image is built
+  docker_image:
+    name: "{{ matrix_bot_postmoogle_docker_image }}"
+    source: build
+    force_source: "{{ matrix_bot_postmoogle_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_bot_postmoogle_docker_src_files_path }}"
+      pull: true
+  when: "matrix_bot_postmoogle_container_image_self_build | bool"
+
+- name: Ensure matrix-bot-postmoogle.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-bot-postmoogle.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-bot-postmoogle.service"
+    mode: 0644
+  register: matrix_bot_postmoogle_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-bot-postmoogle.service installation
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_bot_postmoogle_systemd_service_result.changed | bool"
+
+- name: Ensure matrix-bot-postmoogle.service restarted, if necessary
+  ansible.builtin.service:
+    name: "matrix-bot-postmoogle.service"
+    state: restarted
+  when: "matrix_bot_postmoogle_systemd_service_result.changed | bool"

roles/matrix-bot-postmoogle/tasks/setup_uninstall.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Check existence of matrix-postmoogle service
+  ansible.builtin.stat:
+    path: "{{ matrix_systemd_path }}/matrix-bot-postmoogle.service"
+  register: matrix_bot_postmoogle_service_stat
+
+- name: Ensure matrix-postmoogle is stopped
+  ansible.builtin.service:
+    name: matrix-bot-postmoogle
+    state: stopped
+    enabled: false
+    daemon_reload: true
+  register: stopping_result
+  when: "matrix_bot_postmoogle_service_stat.stat.exists | bool"
+
+- name: Ensure matrix-bot-postmoogle.service doesn't exist
+  ansible.builtin.file:
+    path: "{{ matrix_systemd_path }}/matrix-bot-postmoogle.service"
+    state: absent
+  when: "matrix_bot_postmoogle_service_stat.stat.exists | bool"
+
+- name: Ensure systemd reloaded after matrix-bot-postmoogle.service removal
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_bot_postmoogle_service_stat.stat.exists | bool"
+
+- name: Ensure Matrix postmoogle paths don't exist
+  ansible.builtin.file:
+    path: "{{ matrix_bot_postmoogle_base_path }}"
+    state: absent
+
+- name: Ensure postmoogle Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_bot_postmoogle_docker_image }}"
+    state: absent

roles/matrix-bot-postmoogle/tasks/validate_config.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Fail if required settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_bot_postmoogle_password"

roles/matrix-bot-postmoogle/templates/env.j2

@@ -0,0 +1,19 @@
+POSTMOOGLE_LOGIN={{ matrix_bot_postmoogle_login }}
+POSTMOOGLE_PASSWORD={{ matrix_bot_postmoogle_password }}
+POSTMOOGLE_HOMESERVER={{ matrix_bot_postmoogle_homeserver }}
+POSTMOOGLE_DOMAIN={{ matrix_bot_postmoogle_domain }}
+POSTMOOGLE_PORT={{ matrix_bot_postmoogle_port }}
+POSTMOOGLE_DB_DSN={{ matrix_bot_postmoogle_database_connection_string }}
+POSTMOOGLE_DB_DIALECT={{ matrix_bot_postmoogle_database_dialect }}
+POSTMOOGLE_PREFIX={{ matrix_bot_postmoogle_prefix }}
+POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }}
+POSTMOOGLE_SENTRY={{ matrix_bot_postmoogle_sentry }}
+POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }}
+POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }}
+POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }}
+POSTMOOGLE_TLS_PORT={{ matrix_bot_postmoogle_tls_port }}
+POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }}
+POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }}
+POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }}
+
+{{ matrix_bot_postmoogle_environment_variables_extension }}

roles/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2

@@ -0,0 +1,46 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix helpdesk bot
+{% for service in matrix_bot_postmoogle_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_bot_postmoogle_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-postmoogle 2>/dev/null || true'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-postmoogle 2>/dev/null || true'
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-postmoogle \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_bot_postmoogle_config_path }}/env \
+			-p {{ matrix_bot_postmoogle_smtp_host_bind_port }}:{{ matrix_bot_postmoogle_port }} \
+			{% if matrix_bot_postmoogle_ssl_path %}
+			-p {{ matrix_bot_postmoogle_submission_host_bind_port }}:{{ matrix_bot_postmoogle_tls_port }} \
+			{% endif %}
+			--mount type=bind,src={{ matrix_bot_postmoogle_data_path }},dst=/data \
+			{% if matrix_bot_postmoogle_ssl_path %}
+			--mount type=bind,src={{ matrix_bot_postmoogle_ssl_path }},dst=/ssl \
+			{% endif %}
+			{% for arg in matrix_bot_postmoogle_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_bot_postmoogle_docker_image }}
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-bot-postmoogle 2>/dev/null || true'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-bot-postmoogle 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-bot-postmoogle
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-appservice-discord/tasks/init.yml

@@ -13,16 +13,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_appservice_discord_config_path }}/registration.yaml,dst=/matrix-appservice-discord-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-appservice-discord-registration.yaml"]
       }}

roles/matrix-bridge-appservice-irc/defaults/main.yml

@@ -11,10 +11,11 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
-matrix_appservice_irc_version: 0.34.0
+matrix_appservice_irc_version: 0.35.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
+matrix_appservice_irc_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_container_global_registry_prefix }}"
 
 matrix_appservice_irc_base_path: "{{ matrix_base_data_path }}/appservice-irc"
 matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config"

roles/matrix-bridge-appservice-irc/tasks/init.yml

@@ -20,16 +20,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_appservice_irc_config_path }}/registration.yaml,dst=/matrix-appservice-irc-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-appservice-irc-registration.yaml"]
       }}

roles/matrix-bridge-appservice-irc/tasks/validate_config.yml

@@ -23,7 +23,7 @@
       You need to define one or more servers by either using `matrix_appservice_irc_ircService_servers`
       or by extending the base configuration with additional configuration in `matrix_appservice_irc_configuration_extension_yaml`.
       Overriding the whole bridge's configuration (`matrix_appservice_irc_configuration`) is yet another possibility.
-  when: "matrix_appservice_irc_configuration.ircService.servers|length == 0"
+  when: "matrix_appservice_irc_configuration.ircService.servers | length == 0"
 
 - name: (Deprecation) Catch and report renamed appservice-irc variables
   ansible.builtin.fail:

roles/matrix-bridge-appservice-kakaotalk/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_appservice_kakaotalk_config_path }}/registration.yaml,dst=/matrix-appservice-kakaotalk-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-appservice-kakaotalk-registration.yaml"]
       }}

roles/matrix-bridge-appservice-slack/tasks/init.yml

@@ -20,16 +20,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_appservice_slack_config_path }}/slack-registration.yaml,dst=/matrix-appservice-slack-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-appservice-slack-registration.yaml"]
       }}

roles/matrix-bridge-appservice-webhooks/tasks/init.yml

@@ -13,16 +13,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml,dst=/matrix-appservice-webhooks-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-appservice-webhooks-registration.yaml"]
       }}

roles/matrix-bridge-beeper-linkedin/tasks/init.yml

@@ -6,16 +6,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_beeper_linkedin_config_path }}/registration.yaml,dst=/matrix-beeper-linkedin-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-beeper-linkedin-registration.yaml"]
       }}

roles/matrix-bridge-go-skype-bridge/tasks/init.yml

@@ -5,16 +5,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_go_skype_bridge_config_path }}/registration.yaml,dst=/matrix-go-skype-bridge-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-go-skype-bridge-registration.yaml"]
       }}

roles/matrix-bridge-heisenbridge/defaults/main.yml

@@ -4,7 +4,7 @@
 
 matrix_heisenbridge_enabled: true
 
-matrix_heisenbridge_version: 1.13.1
+matrix_heisenbridge_version: 1.14.0
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
 

roles/matrix-bridge-heisenbridge/tasks/init.yml

@@ -13,16 +13,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_heisenbridge_base_path }}/registration.yaml,dst=/heisenbridge-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/heisenbridge-registration.yaml"]
       }}

roles/matrix-bridge-hookshot/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
 
-matrix_hookshot_version: 1.8.1
+matrix_hookshot_version: 2.2.0
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"

roles/matrix-bridge-hookshot/tasks/init.yml

@@ -13,16 +13,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_hookshot_base_path }}/registration.yml,dst=/hookshot-registration.yml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/hookshot-registration.yml"]
       }}

roles/matrix-bridge-mautrix-discord/tasks/init.yml

@@ -5,16 +5,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_discord_config_path }}/registration.yaml,dst=/matrix-mautrix-discord-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-discord-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-discord/templates/systemd/matrix-mautrix-discord.service.j2

@@ -31,7 +31,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-discor
 			{{ arg }} \
 			{% endfor %}
 			{{ matrix_mautrix_discord_docker_image }} \
-			/usr/bin/mautrix-discord -c /config/config.yaml -r /config/registration.yaml
+			/usr/bin/mautrix-discord -c /config/config.yaml -r /config/registration.yaml --no-update
 
 ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-discord 2>/dev/null || true'
 ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-discord 2>/dev/null || true'

roles/matrix-bridge-mautrix-facebook/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_facebook_config_path }}/registration.yaml,dst=/matrix-mautrix-facebook-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-facebook-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-googlechat/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_googlechat_config_path }}/registration.yaml,dst=/matrix-mautrix-googlechat-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-googlechat-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-hangouts/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_hangouts_config_path }}/registration.yaml,dst=/matrix-mautrix-hangouts-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-hangouts-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-instagram/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
 matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"
 
-matrix_mautrix_instagram_version: v0.1.3
+matrix_mautrix_instagram_version: v0.2.0
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"

roles/matrix-bridge-mautrix-instagram/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_instagram_config_path }}/registration.yaml,dst=/matrix-mautrix-instagram-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-instagram-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -9,8 +9,8 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
 matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"
 
-matrix_mautrix_signal_version: v0.3.0
-matrix_mautrix_signal_daemon_version: 0.21.0
+matrix_mautrix_signal_version: v0.4.0
+matrix_mautrix_signal_daemon_version: 0.21.1
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "dock.mau.dev/mautrix/signal:{{ matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_image_force_pull: "{{ matrix_mautrix_signal_docker_image.endswith(':latest') }}"

roles/matrix-bridge-mautrix-signal/tasks/init.yml

@@ -6,16 +6,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_signal_config_path }}/registration.yaml,dst=/matrix-mautrix-signal-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-signal-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
 
-matrix_mautrix_telegram_version: v0.11.3
+matrix_mautrix_telegram_version: v0.12.0
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
@@ -131,6 +131,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml | from_yaml | combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@@ -149,6 +151,7 @@ matrix_mautrix_telegram_registration_yaml: |
   url: {{ matrix_mautrix_telegram_appservice_address }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+#  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
 
 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml | from_yaml }}"
 
@@ -156,3 +159,8 @@ matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_y
 matrix_mautrix_telegram_username_template: 'telegram_{userid}'
 matrix_mautrix_telegram_alias_template: 'telegram_{groupname}'
 matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)'
+
+# Enable End-to-bridge encryption
+matrix_mautrix_telegram_bridge_encryption_allow: false
+matrix_mautrix_telegram_bridge_encryption_default: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}"
+matrix_mautrix_telegram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}"

roles/matrix-bridge-mautrix-telegram/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_telegram_config_path }}/registration.yaml,dst=/matrix-mautrix-telegram-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-telegram-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-telegram/templates/config.yaml.j2

@@ -176,27 +176,29 @@ bridge:
             height: 256
             background: "020202"  # only for gif
             fps: 30               # only for webm
-    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
-    # and login_shared_secret to be configured in order to get a device for the bridge bot.
+    # End-to-bridge encryption support options.
     #
-    # Additionally, https://github.com/matrix-org/synapse/pull/5758 is required if using a normal
-    # application service.
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
     encryption:
         # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
+        allow: {{ matrix_mautrix_telegram_bridge_encryption_allow|to_json }}
         # Default to encryption, force-enable encryption in all portals the bridge creates
         # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
-        # Database for the encryption data. Currently only supports Postgres and an in-memory
-        # store that's persisted as a pickle.
-        # If set to `default`, will use the appservice postgres database
-        # or a pickle file if the appservice database is sqlite.
-        #
-        # Format examples:
-        #   Pickle:   pickle:///filename.pickle
-        #   Postgres: postgres://username:password@hostname/dbname
+        default: {{ matrix_mautrix_telegram_bridge_encryption_default|to_json }}
+        # Database for the encryption data. If set to `default`, will use the appservice database.
         database: default
-
+        # Options for automatic key sharing.
+        key_sharing:
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow: {{ matrix_mautrix_telegram_bridge_encryption_key_sharing_allow|to_json }}
+            # Require the requesting device to have a valid cross-signing signature?
+            # This doesn't require that the bridge has verified the device, only that the user has verified it.
+            # Not yet implemented.
+            require_cross_signing: false
+            # Require devices to be verified by the bridge?
+            # Verification by the bridge is not yet implemented.
+            require_verification: true
     # Whether or not to explicitly set the avatar and room name for private
     # chat portal rooms. This will be implicitly enabled if encryption.default is true.
     private_chat_portal_meta: false

roles/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false
 matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git"
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
-matrix_mautrix_twitter_version: v0.1.4
+matrix_mautrix_twitter_version: v0.1.5
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"

roles/matrix-bridge-mautrix-twitter/tasks/init.yml

@@ -6,16 +6,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-twitter-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
 matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
-matrix_mautrix_whatsapp_version: v0.6.1
+matrix_mautrix_whatsapp_version: v0.7.0
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
@@ -86,10 +86,6 @@ matrix_mautrix_whatsapp_login_shared_secret: ''
 matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
   "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}"
 
-# Servers to always allow double puppeting from
-matrix_mautrix_whatsapp_bridge_double_puppet_server_map:
-  "{{ matrix_mautrix_whatsapp_homeserver_domain :  matrix_mautrix_whatsapp_homeserver_address }}"
-
 # Enable End-to-bridge encryption
 matrix_mautrix_whatsapp_bridge_encryption_allow: false
 matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"

roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml

@@ -5,16 +5,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mautrix_whatsapp_config_path }}/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mautrix-whatsapp-registration.yaml"]
       }}

roles/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -5,6 +5,9 @@ homeserver:
     address: {{ matrix_mautrix_whatsapp_homeserver_address }}
     # The domain of the homeserver (for MXIDs, etc).
     domain: {{ matrix_mautrix_whatsapp_homeserver_domain }}
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
     # The URL to push real-time bridge status to.
     # If set, the bridge will make POST requests to this URL whenever a user's whatsapp connection state changes.
     # The bridge will use the appservice as_token to authorize requests.
@@ -52,7 +55,7 @@ appservice:
     # Whether or not to receive ephemeral events via appservice transactions.
     # Requires MSC2409 support (i.e. Synapse 1.22+).
     # You should disable bridge -> sync_with_custom_puppets when this is enabled.
-    ephemeral_events: false
+    ephemeral_events: true
 
     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
     as_token: "{{ matrix_mautrix_whatsapp_appservice_token }}"
@@ -188,7 +191,7 @@ bridge:
     # Should Matrix users leaving groups be bridged to WhatsApp?
     bridge_matrix_leave: true
     # Should the bridge sync with double puppeting to receive EDUs that aren't normally sent to appservices.
-    sync_with_custom_puppets: true
+    sync_with_custom_puppets: false
     # Should the bridge update the m.direct account data event when double puppeting is enabled.
     # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
     # and is therefore prone to race conditions.
@@ -268,6 +271,9 @@ bridge:
     # Should the bridge never send alerts to the bridge management room?
     # These are mostly things like the user being logged out.
     disable_bridge_alerts: false
+    # Should the bridge stop if the WhatsApp server says another user connected with the same session?
+    # This is only safe on single-user bridges.
+    crash_on_stream_replaced: false
     # Should the bridge detect URLs in outgoing messages, ask the homeserver to generate a preview,
     # and send it to WhatsApp? URL previews can always be sent using the `com.beeper.linkpreviews`
     # key in the event content even if this is disabled.
@@ -311,6 +317,8 @@ bridge:
         # This will cause the bridge bot to be in private chats for the encryption to work properly.
         # It is recommended to also set private_chat_portal_meta to true when using this.
         default: {{ matrix_mautrix_whatsapp_bridge_encryption_default|to_json }}
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
         # Require encryption, drop any unencrypted messages.
         require: false
         # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.

roles/matrix-bridge-mx-puppet-discord/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mx_puppet_discord_config_path }}/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mx-puppet-discord-registration.yaml"]
       }}

roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/matrix-bridge-mx-puppet-groupme/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mx_puppet_groupme_config_path }}/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mx-puppet-groupme-registration.yaml"]
       }}

roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mx_puppet_instagram_config_path }}/registration.yaml,dst=/matrix-mx-puppet-instagram-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mx-puppet-instagram-registration.yaml"]
       }}

roles/matrix-bridge-mx-puppet-slack/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mx_puppet_slack_config_path }}/registration.yaml,dst=/matrix-mx-puppet-slack-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mx-puppet-slack-registration.yaml"]
       }}

roles/matrix-bridge-mx-puppet-steam/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mx_puppet_steam_config_path }}/registration.yaml,dst=/matrix-mx-puppet-steam-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mx-puppet-steam-registration.yaml"]
       }}

roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml

@@ -12,16 +12,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_mx_puppet_twitter_config_path }}/registration.yaml,dst=/matrix-mx-puppet-twitter-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-mx-puppet-twitter-registration.yaml"]
       }}

roles/matrix-bridge-sms/tasks/init.yml

@@ -14,16 +14,16 @@
 
 # If the matrix-synapse role is not used, these variables may not exist.
 - ansible.builtin.set_fact:
-    matrix_synapse_container_extra_arguments: >
+    matrix_homeserver_container_runtime_injected_arguments: >
       {{
-        matrix_synapse_container_extra_arguments | default([])
+        matrix_homeserver_container_runtime_injected_arguments | default([])
         +
         ["--mount type=bind,src={{ matrix_sms_bridge_config_path }}/registration.yaml,dst=/matrix-sms-bridge-registration.yaml,ro"]
       }}
 
-    matrix_synapse_app_service_config_files: >
+    matrix_homeserver_app_service_runtime_injected_config_files: >
       {{
-        matrix_synapse_app_service_config_files | default([])
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
         +
         ["/matrix-sms-bridge-registration.yaml"]
       }}

roles/matrix-cactus-comments/defaults/main.yml

@@ -0,0 +1,60 @@
+---
+# Cactus Comments is a federated comment system built on Matrix
+# Project source code URL: https://gitlab.com/cactus-comments/cactus-appservice
+# Project source code URL: https://gitlab.com/cactus-comments/cactus-client
+
+matrix_cactus_comments_enabled: true
+matrix_cactus_comments_serve_client_enabled: true
+matrix_cactus_comments_container_image_self_build: false
+matrix_cactus_comments_docker_repo: "https://gitlab.com/cactus-comments/cactus-appservice.git"
+matrix_cactus_comments_docker_repo_version: "{{ matrix_cactus_comments_version if matrix_cactus_comments_version != 'latest' else 'main' }}"
+matrix_cactus_comments_docker_src_files_path: "{{ matrix_cactus_comments_base_path }}/docker-src"
+
+
+matrix_cactus_comments_base_path: "{{ matrix_base_data_path }}/cactus-comments"
+matrix_cactus_comments_container_tmp_path: "{{ matrix_cactus_comments_base_path }}/tmp"
+matrix_cactus_comments_client_path: "{{ matrix_cactus_comments_base_path }}/client"
+matrix_cactus_comments_client_file_permissions: "0644"
+
+matrix_cactus_comments_app_service_config_file: "{{ matrix_cactus_comments_base_path }}/cactus_appservice.yaml"
+matrix_cactus_comments_app_service_env_file: "{{ matrix_cactus_comments_base_path }}/cactus.env"
+
+matrix_cactus_comments_as_token: ''
+matrix_cactus_comments_hs_token: ''
+matrix_cactus_comments_homeserver_url: "{{ matrix_homeserver_container_url }}"
+matrix_cactus_comments_user_id: "bot.cactusbot"
+matrix_cactus_comments_tmp_directory_size_mb: 1
+
+matrix_cactus_comments_container_port: 5000
+
+matrix_cactus_comments_version: 0.9.0
+matrix_cactus_comments_docker_image: "{{ matrix_container_global_registry_prefix }}cactuscomments/cactus-appservice:{{ matrix_cactus_comments_version }}"
+matrix_cactus_comments_docker_image_force_pull: "{{ matrix_cactus_comments_docker_image.endswith(':latest') }}"
+
+# matrix_cactus_comments_client_version specifies the version of the cactus-client release to use.
+# For available versions, see: https://gitlab.com/cactus-comments/cactus-client/-/releases
+# Also see: `matrix_cactus_comments_client_local_dir`
+matrix_cactus_comments_client_version: "0.13.0"
+
+# matrix_cactus_comments_client_local_dir specifies a local directory (on the Ansible controller, not on the remote server) with cactus-client files to use.
+# This is an alternative to `matrix_cactus_comments_client_version`, to be used when you'd like to
+# provide the files locally / manually.
+matrix_cactus_comments_client_local_dir: ''
+
+# matrix_cactus_comments_client_nginx_path specifies the path where nginx can access the client files.
+# The default value assumes a container setup. If you're running nginx without a container, consider adjusting this path
+matrix_cactus_comments_client_nginx_path: "/cactus-comments/"
+
+# matrix_cactus_comments_client_endpoint specifies where nginx will serve the files in nginx is enabled
+matrix_cactus_comments_client_endpoint: "/cactus-comments/"
+
+# List of systemd services that matrix-cactus-comments.service depends on
+matrix_bot_cactus_comments_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-cactus-comments.service wants
+matrix_bot_cactus_comments_systemd_wanted_services_list: []
+
+# A list of extra arguments to pass to the container
+matrix_cactus_comments_container_extra_arguments: []
+
+matrix_cactus_comments_environment_variables_extension: ''

roles/matrix-cactus-comments/tasks/init.yml

@@ -0,0 +1,69 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-cactus-comments.service'] }}"
+  when: matrix_cactus_comments_enabled | bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- ansible.builtin.set_fact:
+    matrix_homeserver_container_runtime_injected_arguments: >
+      {{
+        matrix_homeserver_container_runtime_injected_arguments | default([])
+        +
+        ["--mount type=bind,src={{ matrix_cactus_comments_app_service_config_file }},dst=/matrix-cactus-comments.yaml,ro"]
+      }}
+
+    matrix_homeserver_app_service_runtime_injected_config_files: >
+      {{
+        matrix_homeserver_app_service_runtime_injected_config_files | default([])
+        +
+        ["/matrix-cactus-comments.yaml"]
+      }}
+  when: matrix_cactus_comments_enabled | bool
+
+- block:
+    - name: Fail if matrix-nginx-proxy role already executed
+      ansible.builtin.fail:
+        msg: >-
+          Trying to append Cactus Comment's reverse-proxying configuration to matrix-nginx-proxy,
+          but it's pointless since the matrix-nginx-proxy role had already executed.
+          To fix this, please change the order of roles in your playbook,
+          so that the matrix-nginx-proxy role would run after the matrix-cactus-comments role.
+      when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+    - name: Mount volume
+      ansible.builtin.set_fact:
+        matrix_nginx_proxy_container_additional_volumes: >
+          {{
+            matrix_nginx_proxy_container_additional_volumes | default([])
+            +
+            [{"src": "{{ matrix_cactus_comments_client_path }}", "dst": "/cactus-comments/cactus-comments", "options": "ro"}]
+          }}
+
+    - name: Generate Cactus Comment proxying configuration for matrix-nginx-proxy
+      ansible.builtin.set_fact:
+        matrix_cactus_comments_nginx_proxy_configuration: |
+          location {{ matrix_cactus_comments_client_endpoint }} {
+              root {{ matrix_cactus_comments_client_nginx_path }};
+          }
+
+    - name: Register Cactus Comment proxying configuration with matrix-nginx-proxy
+      ansible.builtin.set_fact:
+        matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+          {{
+            matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks | default([])
+            +
+            [matrix_cactus_comments_nginx_proxy_configuration]
+          }}
+
+    - name: Warn about reverse-proxying if matrix-nginx-proxy not used
+      ansible.builtin.debug:
+        msg: >-
+          NOTE: You've enabled Cactus Comments but are not using the matrix-nginx-proxy
+          reverse proxy.
+          Please make sure that you're proxying client files in {{ matrix_cactus_comments_client_path }} correctly
+      when: "not matrix_nginx_proxy_enabled | default(False) | bool"
+
+  tags:
+    - always
+  when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool

roles/matrix-cactus-comments/tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup | bool and matrix_cactus_comments_enabled | bool"
+  tags:
+    - setup-all
+    - setup-cactus-comments
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup | bool and matrix_cactus_comments_enabled | bool"
+  tags:
+    - setup-all
+    - setup-cactus-comments
+
+- ansible.builtin.import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup | bool and not matrix_cactus_comments_enabled | bool"
+  tags:
+    - setup-all
+    - setup-cactus-comments

roles/matrix-cactus-comments/tasks/setup_install.yml

@@ -0,0 +1,138 @@
+---
+
+- name: Ensure cactus comments paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_cactus_comments_base_path }}", when: true}
+    - {path: "{{ matrix_cactus_comments_client_path }}", when: true}
+    - {path: "{{ matrix_cactus_comments_container_tmp_path }}", when: true}
+    - {path: "{{ matrix_cactus_comments_docker_src_files_path }}", when: matrix_cactus_comments_container_image_self_build}
+  when: "item.when | bool"
+
+- name: Ensure cactus comments environment file created
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/env.j2"
+    dest: "{{ matrix_cactus_comments_app_service_env_file }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0640
+
+- name: Ensure cactus comments appservice file created
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/cactus_appservice.yaml.j2"
+    dest: "{{ matrix_cactus_comments_app_service_config_file }}"
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+    mode: 0640
+
+- name: Ensure cactus comments image is pulled
+  docker_image:
+    name: "{{ matrix_cactus_comments_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_cactus_comments_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_cactus_comments_docker_image_force_pull }}"
+  when: "not matrix_cactus_comments_container_image_self_build | bool"
+  register: result
+  retries: "{{ matrix_container_retries_count }}"
+  delay: "{{ matrix_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure cactus comments repository is present on self-build
+  ansible.builtin.git:
+    repo: "{{ matrix_cactus_comments_docker_repo }}"
+    version: "{{ matrix_cactus_comments_docker_repo_version }}"
+    dest: "{{ matrix_cactus_comments_docker_src_files_path }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  register: matrix_cactus_comments_git_pull_results
+  when: "matrix_cactus_comments_container_image_self_build | bool"
+
+- name: Ensure cactus comments image is built
+  docker_image:
+    name: "{{ matrix_cactus_comments_docker_image }}"
+    source: build
+    force_source: "{{ matrix_cactus_comments_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_cactus_comments_docker_src_files_path }}"
+      pull: true
+  when: "matrix_cactus_comments_container_image_self_build | bool"
+
+- block:
+    - name: Download client binary to local folder
+      ansible.builtin.get_url:
+        url: "https://gitlab.com/cactus-comments/cactus-client/-/archive/v{{ matrix_cactus_comments_client_version }}/cactus-client-v{{ matrix_cactus_comments_client_version }}.tar.gz"
+        dest: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz"
+        mode: '0644'
+      register: _download_client
+      until: _download_client is succeeded
+      retries: 5
+      delay: 2
+      check_mode: false
+
+    - name: Unpack client
+      ansible.builtin.unarchive:
+        src: "/tmp/cactus-comments-{{ matrix_cactus_comments_client_version }}.tar.gz"
+        dest: "/tmp/"
+        remote_src: true
+        mode: 0600
+      check_mode: false
+
+    - name: Propagate client javascript file
+      ansible.builtin.copy:
+        src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/cactus.js"
+        remote_src: true
+        dest: "{{ matrix_cactus_comments_client_path }}/cactus.js"
+        mode: "{{ matrix_cactus_comments_client_file_permissions }}"
+        owner: "{{ matrix_user_username }}"
+        group: "{{ matrix_user_groupname }}"
+    - name: Propagate client style file
+      ansible.builtin.copy:
+        src: "/tmp/cactus-client-v{{ matrix_cactus_comments_client_version }}/src/style.css"
+        remote_src: true
+        dest: "{{ matrix_cactus_comments_client_path }}/style.css"
+        mode: "{{ matrix_cactus_comments_client_file_permissions }}"
+        owner: "{{ matrix_user_username }}"
+        group: "{{ matrix_user_groupname }}"
+  when: matrix_cactus_comments_client_local_dir | length == 0
+
+- block:
+    - name: Propagate locally distributed client javascreipt
+      ansible.builtin.copy:
+        src: "{{ matrix_cactus_comments_client_local_dir }}/src/cactus.js"
+        dest: "{{ matrix_cactus_comments_client_path }}/cactus.js"
+        mode: "{{ matrix_cactus_comments_client_file_permissions }}"
+        owner: "{{ matrix_user_username }}"
+        group: "{{ matrix_user_groupname }}"
+    - name: Propagate locally distributed client style.css
+      ansible.builtin.copy:
+        src: "{{ matrix_cactus_comments_client_local_dir }}/src/style.css"
+        dest: "{{ matrix_cactus_comments_client_path }}/style.css"
+        mode: "{{ matrix_cactus_comments_client_file_permissions }}"
+        owner: "{{ matrix_user_username }}"
+        group: "{{ matrix_user_groupname }}"
+  when: matrix_cactus_comments_client_local_dir | length > 0
+
+- name: Ensure matrix-cactus-comments.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-cactus-comments.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-cactus-comments.service"
+    mode: 0644
+  register: matrix_cactus_comments_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-cactus-comments.service installation
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_cactus_comments_systemd_service_result.changed | bool"
+
+- name: Ensure matrix-cactus-comments.service restarted, if necessary
+  ansible.builtin.service:
+    name: "matrix-cactus-comments.service"
+    state: restarted

roles/matrix-cactus-comments/tasks/setup_uninstall.yml

@@ -0,0 +1,36 @@
+---
+
+- name: Check existence of matrix-cactus-comments service
+  ansible.builtin.stat:
+    path: "{{ matrix_systemd_path }}/matrix-cactus-comments.service"
+  register: matrix_cactus_comments_service_stat
+
+- name: Ensure cactus comments is stopped
+  ansible.builtin.service:
+    name: matrix-cactus-comments
+    state: stopped
+    enabled: false
+    daemon_reload: true
+  register: stopping_result
+  when: "matrix_cactus_comments_service_stat.stat.exists | bool"
+
+- name: Ensure matrix-cactus-comments.service doesn't exist
+  ansible.builtin.file:
+    path: "{{ matrix_systemd_path }}/matrix-cactus-comments.service"
+    state: absent
+  when: "matrix_cactus_comments_service_stat.stat.exists | bool"
+
+- name: Ensure systemd reloaded after matrix-cactus-comments.service removal
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_cactus_comments_service_stat.stat.exists | bool"
+
+- name: Ensure Matrix cactus comments paths don't exist
+  ansible.builtin.file:
+    path: "{{ matrix_cactus_comments_base_path }}"
+    state: absent
+
+- name: Ensure cactus comments Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_cactus_comments_docker_image }}"
+    state: absent

roles/matrix-cactus-comments/tasks/validate_config.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Fail if required settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_cactus_comments_as_token"
+    - "matrix_cactus_comments_hs_token"