meta: move inventory structure to be more usable

Necro-posting and notifying all subscribers for the purpose of preventing necro-posting is somewhat ironic

.github/renovate.json

@@ -1,12 +1,17 @@
 {
 	"$schema": "https://docs.renovatebot.com/renovate-schema.json",
 	"extends": [
-		"config:base"
+		"config:recommended"
 	],
-	"labels": ["dependencies"],
-	"regexManagers": [
+	"labels": [
+		"dependencies"
+	],
+	"customManagers": [
 		{
-			"fileMatch": ["defaults/main.yml$"],
+			"customType": "regex",
+			"fileMatch": [
+				"defaults/main.yml$"
+			],
 			"matchStrings": [
 				"# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?(?:_version|_tag)\\s*:\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
 			]
@@ -14,11 +19,11 @@
 	],
 	"packageRules": [
 		{
-			"matchSourceUrlPrefixes": [
-				"https://github.com/devture/com.devture.ansible.role",
-				"https://github.com/mother-of-all-self-hosting"
-			],
-			"ignoreUnstable": false
+			"ignoreUnstable": false,
+			"matchSourceUrls": [
+				"https://github.com/devture/com.devture.ansible.role{/,}**",
+				"https://github.com/mother-of-all-self-hosting{/,}**"
+			]
 		}
 	],
 	"ignoreDeps": [

.github/workflows/lock-threads.yml

@@ -0,0 +1,29 @@
+# SPDX-FileCopyrightText: 2017 - 2023 Armin Sebastian
+#
+# SPDX-License-Identifier: MIT
+
+---
+name: 'Lock Threads'
+on:  # yamllint disable-line rule:truthy
+  # Use this to do a dry run from a pull request
+  # pull_request:
+  schedule:
+    - cron: '0 * * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+  pull-requests: write
+
+concurrency:
+  group: lock-threads
+
+jobs:
+  action:
+    if: github.repository == 'spantaleev/matrix-docker-ansible-deploy'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dessant/lock-threads@v5
+        with:
+          add-issue-labels: 'outdated'
+          process-only: 'issues, prs'

LICENSES/MIT.txt

@@ -0,0 +1,18 @@
+MIT License
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and 
+associated documentation files (the "Software"), to deal in the Software without restriction, including 
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the 
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial 
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT 
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO 
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE 
+USE OR OTHER DEALINGS IN THE SOFTWARE.

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 result_format = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/configuring-playbook-dynamic-dns.md

@@ -14,7 +14,7 @@ Most cloud providers / ISPs will charge you extra for a static IP address. If yo
 
 ## Prerequisite
 
-You'll need to get a username and password from your DNS provider. Please consult with the provider about how to retrieve them.
+You'll need to authenticate with your DNS provider somehow, in most cases this is simply a username and password but can differ from provider to provider. Please consult with your providers documentation and the upstream [ddclient documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in) to determine what you'll need to provide to authenticate.
 
 ## Adjusting the playbook configuration
 
@@ -31,6 +31,8 @@ matrix_dynamic_dns_domain_configurations:
     domain: "{{ matrix_domain }}"
 ```
 
+Keep in mind that certain providers may require a different configuration of the `matrix_dynamic_dns_domain_configurations` variable, for provider specific examples see the [upstream documentation](https://github.com/ddclient/ddclient/blob/main/ddclient.conf.in).
+
 ### Extending the configuration
 
 There are some additional things you may wish to configure about the component.
@@ -57,7 +59,8 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 Additional resources:
 
 - https://matrix.org/docs/guides/free-small-matrix-server
+- https://github.com/linuxserver/docker-ddclient
 
 ## Troubleshooting
 
-As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-dynamic-dns`.
+As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-dynamic-dns`. However, due to an [upstream issue](https://github.com/linuxserver/docker-ddclient/issues/54#issuecomment-1153143132) the logging output is not always complete. For advanced debugging purposes running the `ddclient` tool outside of the container is useful via the following: `ddclient -file ./ddclient.conf -daemon=0 -debug -verbose -noquiet`.

docs/configuring-playbook-livekit-server.md

@@ -25,4 +25,14 @@ To ensure LiveKit Server functions correctly, the following firewall rules and p
 
 - `7882/udp`: ICE/UDP Mux
 
+- `3479/udp`: TURN/UDP. Also see the [Limitations](#limitations) section below.
+
+- `5350/tcp`: TURN/TCP. Also see the [Limitations](#limitations) section below.
+
 💡 The suggestions above are inspired by the upstream [Ports and Firewall](https://docs.livekit.io/home/self-hosting/ports-firewall/) documentation based on how LiveKit is configured in the playbook. If you've using custom configuration for the LiveKit Server role, you may need to adjust the firewall rules accordingly.
+
+## Limitations
+
+For some reason, LiveKit Server's TURN ports (`3479/udp` and `5350/tcp`) are not reachable over IPv6 regardless of whether you've [enabled IPv6](./configuring-ipv6.md) for your server.
+
+It seems like LiveKit Server intentionally only listens on `udp4` and `tcp4` as seen [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L128) and [here](https://github.com/livekit/livekit/blob/154b4d26b769c68a03c096124094b97bf61a996f/pkg/service/turn.go#L92).

docs/configuring-playbook-synapse-auto-compressor.md

@@ -24,12 +24,15 @@ matrix_synapse_auto_compressor_enabled: true
 
 ### Edit the schedule (optional)
 
-By default the task will run 0 a.m. every day based on the `matrix_synapse_auto_compressor_schedule` variable. It is defined in the format of systemd timer calendar.
+By default the task will around 0 a.m. every day based on the `matrix_synapse_auto_compressor_schedule` variable with a randomized delay of 6 hours (controlled by the `matrix_synapse_auto_compressor_schedule_randomized_delay_sec` variable). It is defined in the format of systemd timer calendar.
 
 To edit the schedule, add the following configuration to your `vars.yml` file (adapt to your needs):
 
 ```yaml
 matrix_synapse_auto_compressor_schedule: "*-*-* 00:00:00"
+
+# Consider adjusting the randomized delay or setting it to 0 to disable randomized delays.
+# matrix_synapse_auto_compressor_schedule_randomized_delay_sec: 6h
 ```
 
 ### Extending the configuration

docs/prerequisites.md

@@ -59,10 +59,10 @@ We will be using `example.com` as the domain in the following instruction. Pleas
 
   - `80/tcp`: HTTP webserver
   - `443/tcp` and `443/udp`: HTTPS webserver
-  - `3478/tcp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
-  - `3478/udp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
-  - `5349/tcp`: TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
-  - `5349/udp`: TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md))
+  - `3478/tcp`: STUN/TURN over TCP (used by [coturn](./configuring-playbook-turn.md))
+  - `3478/udp`: STUN/TURN over TCP (used by [coturn](./configuring-playbook-turn.md))
+  - `5349/tcp`: TURN over TCP (used by [coturn](./configuring-playbook-turn.md))
+  - `5349/udp`: TURN over UDP (used by [coturn](./configuring-playbook-turn.md))
   - `8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**.
   - the range `49152-49172/udp`: TURN over UDP
   - potentially some other ports, depending on the additional (non-default) services that you enable in the **configuring the playbook** step (later on). Consult each service's documentation page in `docs/` for that.

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -3568,10 +3568,8 @@ matrix_coturn_container_additional_volumes: |
     )
   }}
 
-matrix_coturn_systemd_required_services_list: |
+matrix_coturn_systemd_required_services_list_auto: |
   {{
-    [devture_systemd_docker_base_docker_service_name]
-    +
     ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
   }}
 
@@ -5599,7 +5597,7 @@ grafana_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_prim
 
 grafana_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '3000') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 
-grafana_provisioning_datasources: |
+grafana_provisioning_datasources_datasources: |
   {{
     ([{
       'name': (matrix_server_fqn_matrix + ' - Prometheus'),
@@ -6316,11 +6314,38 @@ livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm6
 livekit_server_container_network: "{{ matrix_addons_container_network }}"
 livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
 
+livekit_server_container_additional_volumes_auto: |
+  {{
+    (
+      [
+       {
+         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
+         'dst': livekit_server_config_turn_cert_file,
+         'options': 'ro',
+       },
+       {
+         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
+         'dst': livekit_server_config_turn_key_file,
+         'options': 'ro',
+       },
+      ] if (matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and livekit_server_config_turn_enabled and (livekit_server_config_turn_cert_file and livekit_server_config_turn_key_file)) else []
+    )
+  }}
+
 livekit_server_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 livekit_server_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 livekit_server_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 livekit_server_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 
+livekit_server_container_labels_public_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
+livekit_server_container_labels_public_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
+
+livekit_server_metrics_proxying_enabled: "{{ livekit_server_config_prometheus_enabled and matrix_metrics_exposure_enabled }}"
+livekit_server_metrics_proxying_hostname: "{{ matrix_metrics_exposure_hostname }}"
+livekit_server_metrics_proxying_path_prefix: "{{ matrix_metrics_exposure_path_prefix }}/livekit-server"
+
+livekit_server_config_prometheus_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
+
 livekit_server_config_keys_auto: |-
   {{
     {}
@@ -6340,6 +6365,33 @@ livekit_server_config_turn_tls_port: 5350
 # Note that TURN is not enabled by default. See `livekit_server_config_turn_enabled`.
 livekit_server_config_turn_udp_port: 3479
 
+# LiveKit's TURN implementation requires SSL certificates.
+# We only enable it if we can provide them automatically via Traefik + Traefik Certs Dumper.
+livekit_server_config_turn_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled }}"
+
+livekit_server_config_turn_cert_file: |-
+  {{
+    {
+      'playbook-managed-traefik': ('/certificate.crt' if traefik_certs_dumper_enabled else ''),
+      'other-traefik-container': ('/certificate.crt' if traefik_certs_dumper_enabled else ''),
+      'none': '',
+    }[matrix_playbook_reverse_proxy_type]
+  }}
+
+livekit_server_config_turn_key_file: |-
+  {{
+    {
+      'playbook-managed-traefik': ('/privatekey.key' if traefik_certs_dumper_enabled else ''),
+      'other-traefik-container': ('/privatekey.key' if traefik_certs_dumper_enabled else ''),
+      'none': '',
+    }[matrix_playbook_reverse_proxy_type]
+  }}
+
+livekit_server_systemd_required_services_list_auto: |
+  {{
+    ([traefik_certs_dumper_identifier + '-wait-for-domain@' + livekit_server_config_turn_domain + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and livekit_server_config_turn_enabled else [])
+  }}
+
 ########################################################################
 #                                                                      #
 # /livekit-server                                                      #

inventory/host_vars/matrix.finallycoffee.eu/postgresql.yml

@@ -0,0 +1,16 @@
+---
+postgres_max_connections: 400
+postgres_shared_buffers: 3145728 # (3072 MiB)
+postgres_effective_cache_size: 8388608 # (8192 MiB)
+postgres_maintenance_work_mem: 786432 # (768 MiB)
+postgres_wal_buffers: 16384 # (16 MiB)
+postgres_random_page_cost: 1.3
+postgres_work_mem: 4096
+postgres_huge_pages: try
+postgres_min_wal_size: 524288 # (512 MiB)
+postgres_max_wal_size: 4194304 # (4GiB)
+postgres_max_worker_processes: 8
+postgres_max_parallel_workers: 8
+postgres_max_parallel_workers_per_gather: 4
+postgres_max_parallel_maintenance_workers: 4
+

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,386 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+matrix_playbook_ssl_enabled: true
+traefik_config_entrypoint_web_secure_enabled: false
+traefik_container_web_host_bind_port: '127.0.10.1:8080'
+traefik_config_entrypoint_web_forwardedHeaders_insecure: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.10.2:8448'
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
+  forwardedHeaders:
+    insecure: true
+
+matrix_synapse_metrics_proxying_enabled: true
+matrix_sliding_sync_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_playbook_docker_installation_enabled: false
+
+#matrix_dimension_scheme: https
+
+devture_timesync_installation_enabled: false
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+devture_systemd_service_manager_up_verification_delay_seconds: 300
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+# matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+#matrix_synapse_rc_federation:
+#  window_size: 1000
+#  sleep_limit: 50
+#  sleep_delay: 500
+#  reject_limit: 50
+#  concurrent: 10
+#matrix_synapse_rc_message:
+#  per_second: 0.5
+#  burst_count: 25
+#matrix_synapse_rc_joins:
+#  local:
+#    per_second: 0.5
+#    burst_count: 20
+#  remote:
+#    per_second: 0.05
+#    burst_count: 20
+#matrix_synapse_rc_joins_per_room:
+#  per_second: 1
+#  burst_count: 10
+#matrix_synapse_rc_invites:
+#  per_room:
+#    per_second: 0.5
+#    burst_count: 10
+#  per_user:
+#    per_second: 0.006
+#    burst_count: 10
+#  per_issuer:
+#    per_second: 2
+#    burst_count: 20
+
+## Synapse cache tuning
+#matrix_synapse_caches_global_factor: 1.5
+#matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 1
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+#matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+#matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+#matrix_synapse_ext_password_provider_rest_auth_enabled: true
+#matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+#matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+#matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+#matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_min: 10
+      cp_max: 30
+      cp_reconnect: True
+
+#  caches:
+#    per_cache_factors:
+#      device_id_exists: 3
+#      get_users_in_room: 4
+#      _get_joined_users_from_context: 4
+#      _get_joined_profile_from_event_id: 3
+#      "*stateGroupMembersCache*": 2
+#      _matches_user_in_member_list: 3
+#      get_users_who_share_room_with_user: 3
+#      is_interested_in_room: 2
+#      get_user_by_id: 1.5
+#      room_push_rule_cache: 1.5
+#    expire_caches: true
+#    cache_entry_ttl: 45m
+#    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+#matrix_synapse_admin_enabled: true
+#matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: false
+#matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+#matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+#matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+#matrix_dimension_configuration_extension_yaml: |
+#    telegram:
+#        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+matrix_bridges_encryption_enabled: true
+matrix_bridges_encryption_default: true
+matrix_appservice_double_puppet_enabled: true
+
+matrix_mautrix_slack_enabled: true
+matrix_mautrix_slack_appservice_bot_username: slack
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: false
+#matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+#matrix_mx_puppet_instagram_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_instagram_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    presence:
+#        enabled: true
+#        interval: 3000
+#
+#
+##
+## mx-puppet-discord configuration
+##
+matrix_mx_puppet_discord_enabled: false
+#matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+#matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+#matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+#matrix_mx_puppet_discord_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_discord_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: false
+#matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+#matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+#matrix_mx_puppet_slack_oauth_redirect_path: '/bridge/slack/oauth'
+#matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+#matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+#matrix_mx_puppet_slack_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+#matrix_mx_puppet_slack_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_auth_header_logo_url: "welcome/images/logo.png"
+matrix_client_element_branding_welcome_background_url: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcome_background_url }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_auth_header_logo_url }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_room_directory_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+#matrix_ma1sd_configuration_extension_yaml: |
+#    hashing:
+#      enabled: true
+#      pepperLength: 20
+#      rotationPolicy: per_requests
+#      requests: 10
+#      hashStorageType: sql
+#      algorithms:
+#          - none
+#          - sha256
+
+
+# Matrix mail notification relay setup
+exim_relay_enabled: true
+exim_relay_sender_address: "system-matrix@{{ matrix_domain }}"
+exim_relay_relay_use: true
+exim_relay_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+exim_relay_relay_host_port: 587
+exim_relay_relay_auth: true
+exim_relay_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+exim_relay_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,105 @@
+$ANSIBLE_VAULT;1.1;AES256
+61626165616330663863393762663031623164636666346339343636363035663463636135656533
+3338383762633130346536613334626164306464333835380a353264386431326437616234393165
+61323266623432353731373634353339393936643130346434346530336563326533386331646533
+3030663037666664360a346636343966663733663836633736316630663230613137663166336336
+62383131343934353635633261323036613231646439626162306238313132316664653237653533
+34376464633335626133376138343139653561613232333133393535393137653964633561313761
+62653632663432313936336231613832626362343737383863343562636437646439666638383733
+63313538616430393536356534303164633332653538643264353834393465373538643963343039
+31366661636263353936363931343938323563626538303133366263363533393564386466666361
+38666264643931336563633663663538616431313231336364653631383261326537336162313837
+32373730343538653862326636303264353737353139663161393762383138393531363264633531
+32383661396537636635666665316630663032333932393131336235663938623932383230343830
+31613563656663343830353438396535663864306531333239623738653838633331386465353466
+37366363643334623165373562363465636161396437333966303864663033636665623564613565
+39643635333636363132633462386536393634303838343835363633626162363236653839376230
+34666430363933336335323330386339656339356637653931643565303166303436333562333361
+38633838636337316137343564613338346239663933356130396562306164376430363233373632
+66303430303034353262343565373139333535636231623062633537653636376136656138623637
+34396562376233643234643436323433336436393163363935643033643833386631633762343162
+33633136316635326532343430383437366139333830373731636265386234356164393066333663
+37663934633437653364356231383934313132343162323436373339393964656336646164333533
+37626336616565323237633736653433316238366261303465343466643363303131376665346231
+62623133336561313732393837323330643138663830353662366139373366383436323530333732
+38623633666537643038636163303164653866343934616236343733386533663936303637326462
+63633137626632613736313333643363373963306161353431396261646635383930366166363135
+66353962643638616635376137346439383339303236323761366439306638623762343966623035
+30323435396533633238313962306366343362393339616131393839653565666666313833313433
+66386362353061323465666563616230336565663339646162623634643330646239343934373636
+33363061316637613266373831376133303337616639643239393835636138323266613134633633
+65356634636562313961643865353334306131333030373566666535373039343337613964306465
+32393163666232383266363763336132653765316162663961653933633832626533646537376136
+64613133373135616531343837616264656461313963646565656465656165303534343834663734
+62313865366634656265613264623234653165633839323030643333643139323531643637393439
+61656561303732663834336334643765616234373063306236303538646663316131663933323236
+63396263663034613832653361383061336132663032646133323931386562653661346264363439
+35636463613635316239363061363836623564303933373964363365626133373039643264666530
+30343165366365333339366639353033666634613162363164333433633563613461666532323566
+63303836353331326439646139653738633866356463303264623166306262393766346338373537
+62373865303264633663666333323135343530323434383835393763363739636135646538336364
+33376438636264393635383163353431336463396263333239626566653262373434316532343633
+61363061623430636462393135316564636536633963393338383334643134366232396564316635
+31373963633164653235643665653863303831663065383433363036633962633462393839363235
+36323562323634643639643561636261643136313633656236656566353539343063386162383234
+38653461633561353639336531353333393262633065386539353031386332343739656261653238
+31326434386130336465613233663563323035666631303137313665336566363134306638663265
+62353430353934633965316636643566653235366230323139656539646539626236616138313362
+31643437366563383164306331303662356562616366366237613633666534623765323034396534
+38326537376265343065313738316433353266633539313134323735383864623663323662633662
+65613862623766343736343031636238356161343036363566646635643334373030386434646135
+64336263356663376564333935623135396231623165326437393563333361356435346634616665
+66376231666633643936323264323565346637343538366138616631383964376632613437323163
+30366537326533363939643237376538366230313263623139323662396633343239343066313564
+63356533373338653030313038653137666434323737323763623136666530313035356634666633
+35643530333632633664643361633964666432336631636561343739646266653634353963323534
+35663731616539646332393837633566393734643033623937316661653839663937303666376339
+65653036373565323435636637373231316265393231333734356462356635346531366530316262
+37643632346164366561353236373633623464643536373361666263303739356335333934313537
+31373035633333313065613162346133663736313265376230393135353431343765306539633032
+63353338656231376666613138353235613362643334653537353237653139396533363630303033
+36363039613232666266333535343466336263663762623865376532326262666332303361356266
+65646337323037383564666639363636333135323265633932333264346363326466343234653936
+65656535343663356562613064323138656338633064633462313864616665653230626638373939
+61623862386364396335323836396664653731633365623936383435383330643038386665653238
+62643961626464313666343431303064303338396135643432383730613161336435306262653132
+38373432393564333562363761386239343366343465386638643737663561633837303734333835
+66366465633164346365356637313534376136303630666432613664363030323336316639393339
+61383565316432383633383832363439316366373536336639643961333663303631633464633238
+31396331386163386261393565346266636436386465326639326363663930666665306637393263
+65363763336561316566363164626466643637343731666530386432343431653634353336376461
+33366233366533656334666138346661323463633133303933626163343666623761613961346231
+35383232306336386665313264393933646631656333613138353532666133366339656564353865
+35353330393131366137663466333363653866323936353734306361633163626537363561346332
+65363231623766666638383661323964633034366261633035303861383135383235656465373738
+66373762626130356633626436366533626633353836346239666333353262656665636330626561
+66613165313137373766623464646330643662393033396266643662653136393233336265353430
+38376130663634333133353763383264623133373230323938316638323864643430386633376564
+65356264623766666637353866326638613435663830623063343439373030663663623432393863
+33343134626465313230646239646537653938613938633736346235323438393237363639373932
+61376231386265366132333965333133343737623066383534666633396635356537623432623132
+62656431323033633265626265613736383435376132613532333037613834313130626361373533
+39653361323366636335343865343737346264636433386332666332376662343634356630316135
+30366163333561353338663666363738313732303031333637636266623530623261306335616233
+31346436346663643464626134313338346439323838343663613135663834666632653866346431
+64376566343963346664366363353636636231386530363961333131383133323163396265313563
+35393534343664336237336231313831333739633662306636373338663434613231306538343865
+61613063306432623932616534363865333639396232383562396161383539363336303463323731
+63313239666538306239663864653839616132363662336331636262353061663136386331306131
+66336361396239383638623463663635613364366433343739356331633330633561653038633530
+38303832363663656432396636613134613965373639353731366138323435326135626339353263
+39313032333966376135653664623666626233613530646534636362646237303465653931666563
+65343936623462633162343334643335623834323364646362633232346237306337303430616363
+61633930343132303962653432636230343331343332616434323035633963623138653737306566
+34353135623134626237653165663738633435656439393234643432353535646439313638653664
+39326437393166633937663261336330656266303431383437626163623163303133323139313563
+39383664633739373664653131326665306533633162373535396464663637653662336237656161
+39633138383166316437313237303733336365343066366462643165643865653039343037633263
+61613730393666636530633231396165363033313161663463323861663262383234643236643038
+61633138323664613061663538383333323566393262303633623136613166636361306562356163
+66363033373262396461316438643238396633353962616362623363303035353765393164616230
+35303664616539363639373830623337396239626539613761613839363638326664306465313762
+34646634326338306430653065343231366430666534306331336532346535663737633639363834
+34623539616339363535633365306230663264626234363637366436353833663136303032623338
+32633761333165393231303165393234643363313839373339666433666130313035643836626531
+63356638666264333163

inventory/hosts

@@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+37366366376266633033656235333633346134336666323465356666353363323130366365393534
+3365373534643965613139656465323663393862336163640a623663366631323035346632353030
+37396264356137336535363663323935646464333138653035623562346438643139323439366132
+3364356364353738660a616638393635333938373838316631396536386134333831613831343732
+39333066363566643864343661646633326134633039316636306332303063366665373638353735
+34386339633566663038613538316233306238383734623363623666346261336562663039373264
+31313061616432643761633139643039636164613136643264663131666166646531366335346164
+34303339393334616434633736383763653035386333363137336431363034653263306261646661
+37323563373436333736633836666563646162303232393932346430373039346431356166393930
+37616639333038653936633163323139396666303638663039623633633832333737633764643863
+61383763613865323061636662663837656339373335643066333964393362303766366533303332
+63646335356639366130393530373936636330633132356639626531303839656166346263613733
+31333362316537323934306434393630656161353465636434303538643835396361613563663437
+34383765626235356530396433643037306233663263623664636163326132316237386231323165
+65643235356434626161396136303563633836313961343664653339623862633338313963333237
+63663961636661383634343532356234626531373938313164373561386139366338393066623036
+36633137623361626161313961386630623635323336353036623165316632353333383162623531
+61353138613030343636326166303762656264643834396330313563616439323265333039323566
+64356538346662613836356462613536656636373065643734346166353466363266353939393535
+66333739623735656463373530646663303535643562363534306438323135353763303363376135
+37653566306461396563333135633235626130313231636165383438376237383663373939353637
+30366661303131333438376363366131613361326635366264363064633034376230353137663030
+346238306532363635623732396366633538

requirements.txt

@@ -0,0 +1,11 @@
+ansible==11.3.0
+ansible-core==2.18.3
+cffi==1.17.1
+cryptography==44.0.2
+Jinja2==3.1.6
+MarkupSafe==3.0.2
+packaging==24.2
+passlib==1.7.4
+pycparser==2.22
+PyYAML==6.0.2
+resolvelib==1.0.1

requirements.yml

@@ -4,7 +4,7 @@
   version: v1.0.0-5
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.0-1.9.13-0
+  version: v1.4.0-1.9.13-1
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.3.0-4
@@ -16,22 +16,22 @@
   version: 129c8590e106b83e6f4c259649a613c6279e937a
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.2.7-4
+  version: v2.3.0-0
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.98.1-r0-2-0
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.5.2-2
+  version: v11.6.0-0
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10133-1-0
+  version: v10169-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.8.4-2
+  version: v1.8.4-5
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.11.0-4
+  version: v2.11.0-5
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 201c939eed363de269a83ba29784fc3244846048
@@ -52,7 +52,7 @@
   version: v2.55.1-3
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.8.2-5
+  version: v1.9.1-0
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
   version: v0.14.0-9
@@ -67,7 +67,7 @@
   version: v1.0.0-0
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.3.4-1
+  version: v3.3.5-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-0

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.5.0
+matrix_bot_baibot_version: v1.5.1
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-mautrix-googlechat/templates/systemd/matrix-mautrix-googlechat.service.j2

@@ -13,6 +13,8 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-mautrix-googlechat 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-googlechat 2>/dev/null || true'
 
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -221,6 +221,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml | from_yaml | combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@@ -239,6 +241,7 @@ matrix_mautrix_telegram_registration_yaml: |
   url: {{ matrix_mautrix_telegram_appservice_address }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+#  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
 
 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/custom/matrix-cactus-comments-client/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.36.0
+matrix_cactus_comments_client_version: 2.36.1
 
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"

roles/custom/matrix-client-cinny/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"
 
 # renovate: datasource=docker depName=ajbura/cinny
-matrix_client_cinny_version: v4.5.1
+matrix_client_cinny_version: v4.6.0
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_registry_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_client_cinny_docker_image_registry_prefix_upstream }}"
 matrix_client_cinny_docker_image_registry_prefix_upstream: "{{ matrix_client_cinny_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.11.96
+matrix_client_element_version: v1.11.97
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"
@@ -113,10 +113,7 @@ matrix_client_element_systemd_required_services_list: "{{ [devture_systemd_docke
 # Controls the healthcheck command for the container.
 #
 # Leave empty to use the default (upstream) command.
-#
-# The default command is a patch until https://github.com/element-hq/element-web/pull/29471
-# lands in a release.
-matrix_client_element_container_healthcheck_cmd: "wget -q --spider http://localhost:$ELEMENT_WEB_PORT/config.json"
+matrix_client_element_container_healthcheck_cmd: ""
 
 # Specifies the value of the `X-XSS-Protection` header
 # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

roles/custom/matrix-client-element/tasks/setup_install.yml

@@ -101,6 +101,19 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"
 
+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: false
+    #when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element Web nginx.conf file is removed
   ansible.builtin.file:
     path: "{{ matrix_client_element_data_path }}/nginx.conf"

roles/custom/matrix-client-element/templates/welcome.html.j2

@@ -33,7 +33,7 @@ h1::after {
 }
 
 .mx_Logo {
-    height: 54px;
+    height: 92px;
     margin-top: 2px;
 }
 

roles/custom/matrix-coturn/defaults/main.yml

@@ -56,7 +56,10 @@ matrix_coturn_docker_src_files_path: "{{ matrix_coturn_base_path }}/docker-src"
 matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
 
 # List of systemd services that matrix-coturn.service depends on
-matrix_coturn_systemd_required_services_list: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_coturn_systemd_required_services_list: "{{ matrix_coturn_systemd_required_services_list_default + matrix_coturn_systemd_required_services_list_auto + matrix_coturn_systemd_required_services_list_custom }}"
+matrix_coturn_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_coturn_systemd_required_services_list_auto: []
+matrix_coturn_systemd_required_services_list_custom: []
 
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically at runtime. You can provide a different default value,

roles/custom/matrix-dynamic-dns/defaults/main.yml

@@ -55,6 +55,18 @@ matrix_dynamic_dns_base_path: "{{ matrix_base_data_path }}/dynamic-dns"
 matrix_dynamic_dns_config_path: "{{ matrix_dynamic_dns_base_path }}/config"
 matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/docker-src"
 
+# Config options
+matrix_dynamic_dns_use: "web"
+
+# The endpoint to use to determine your external IP
+matrix_dynamic_dns_web: "https://cloudflare.com/cdn-cgi/trace"
+
+# The field to extract the IP from
+# If your endpoint defined in `matrix_dynamic_dns_web` doesn't need this, just set it to ""
+matrix_dynamic_dns_web_skip: "ip="
+
+matrix_dynamic_dns_additional_configuration_blocks: []
+
 # Holds the configurations (the domains to update DNS for, the providers they use, etc.)
 #
 # Example:
@@ -65,7 +77,3 @@ matrix_dynamic_dns_docker_src_files_path: "{{ matrix_dynamic_dns_base_path }}/do
 #     password: XXXXXXXXXXXXXXXX
 #     domain: "{{ matrix_domain }}"
 matrix_dynamic_dns_domain_configurations: []
-
-# Config options
-matrix_dynamic_dns_additional_configuration_blocks: []
-matrix_dynamic_dns_use: "web"

roles/custom/matrix-dynamic-dns/tasks/validate_config.yml

@@ -14,8 +14,8 @@
 - name: Fail if required matrix-dynamic-dns settings not defined in configuration blocks
   ansible.builtin.fail:
     msg: >-
-      One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, provider, protocol).
-  when: "'domain' not in configuration or 'provider' not in configuration or 'protocol' not in configuration"
+      One of the configurations in matrix_dynamic_dns_domain_configurations is missing a required key (domain, protocol).
+  when: "'domain' not in configuration or 'protocol' not in configuration"
   with_items: "{{ matrix_dynamic_dns_domain_configurations }}"
   loop_control:
     loop_var: configuration

roles/custom/matrix-dynamic-dns/templates/ddclient.conf.j2

@@ -10,24 +10,57 @@ syslog=no
 pid=/var/run/ddclient/ddclient.pid
 ssl=yes
 use={{ matrix_dynamic_dns_use }}
-
-{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %}
-protocol={{ dynamic_dns_domain_configuration.protocol }}
-server={{ dynamic_dns_domain_configuration.provider }} {% if 'username' in dynamic_dns_domain_configuration %}
-login='{{ dynamic_dns_domain_configuration.username }}' {% endif %} {% if 'password' in dynamic_dns_domain_configuration %}
-password='{{ dynamic_dns_domain_configuration.password }}' {% endif %} {% if 'static' in dynamic_dns_domain_configuration %}
-static=yes {% endif %} {% if 'custom' in dynamic_dns_domain_configuration %}
-custom=yes {% endif %} {% if 'zone' in dynamic_dns_domain_configuration %}
-zone={{ dynamic_dns_domain_configuration.zone }} {% endif %} {% if 'ttl' in dynamic_dns_domain_configuration %}
-ttl={{ dynamic_dns_domain_configuration.ttl }} {% endif %} {% if 'mx' in dynamic_dns_domain_configuration %}
-mx={{ dynamic_dns_domain_configuration.mx }} {% endif %} {% if 'wildcard' in dynamic_dns_domain_configuration %}
-wildcard=yes {% endif %}
-{{ dynamic_dns_domain_configuration.domain }}
-
-{% endfor %}
-
+web='{{ matrix_dynamic_dns_web }}'
+{% if matrix_dynamic_dns_web_skip %}
+web-skip='{{ matrix_dynamic_dns_web_skip }}'
+{% endif %}
 
 {% for matrix_dynamic_dns_additional_configuration in matrix_dynamic_dns_additional_configuration_blocks %}
 {{ matrix_dynamic_dns_additional_configuration }}
-
+{% endfor %}
+
+{% for dynamic_dns_domain_configuration in matrix_dynamic_dns_domain_configurations %}
+protocol={{ dynamic_dns_domain_configuration.protocol }}
+
+{% if 'provider' in dynamic_dns_domain_configuration %}
+server={{ dynamic_dns_domain_configuration.provider }}
+{% endif %}
+
+{% if 'username' in dynamic_dns_domain_configuration %}
+login='{{ dynamic_dns_domain_configuration.username }}'
+{% endif %}
+
+{% if 'password' in dynamic_dns_domain_configuration %}
+password='{{ dynamic_dns_domain_configuration.password }}'
+{% endif %}
+
+{% if 'static' in dynamic_dns_domain_configuration %}
+static=yes
+{% endif %}
+
+{% if 'custom' in dynamic_dns_domain_configuration %}
+custom=yes
+{% endif %}
+
+{% if 'zone' in dynamic_dns_domain_configuration %}
+zone={{ dynamic_dns_domain_configuration.zone }}
+{% endif %}
+
+{% if 'ttl' in dynamic_dns_domain_configuration %}
+ttl={{ dynamic_dns_domain_configuration.ttl }}
+{% endif %}
+
+{% if 'mx' in dynamic_dns_domain_configuration %}
+mx={{ dynamic_dns_domain_configuration.mx }}
+{% endif %}
+
+{% if 'wildcard' in dynamic_dns_domain_configuration %}
+wildcard=yes
+{% endif %}
+
+{% if 'script' in dynamic_dns_domain_configuration %}
+script={{ dynamic_dns_domain_configuration.script }}
+{% endif %}
+
+{{ dynamic_dns_domain_configuration.domain }}
 {% endfor %}

roles/custom/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2

@@ -23,7 +23,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--network={{ matrix_dynamic_dns_container_network }} \
   			-e PUID={{ matrix_user_uid }} \
   			-e PGID={{ matrix_user_gid }} \
-			--mount type=bind,src={{ matrix_dynamic_dns_config_path }},dst=/config/ddclient \
+			--mount type=bind,src={{ matrix_dynamic_dns_config_path }},dst=/config \
 			{% for arg in matrix_dynamic_dns_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-element-call/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_element_call_enabled: false
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.8.0
+matrix_element_call_version: v0.9.0
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.2.1
+matrix_livekit_jwt_service_version: 0.2.3
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"

roles/custom/matrix-static-files/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.36.0
+matrix_static_files_version: 2.36.1
 
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"

roles/custom/matrix-synapse-auto-compressor/defaults/main.yml

@@ -64,9 +64,14 @@ matrix_synapse_auto_compressor_database_name: 'synapse'
 # connection string to synapse database (postgres only)
 matrix_synapse_auto_compressor_synapse_database: 'postgres://{{ matrix_synapse_auto_compressor_database_username | urlencode() }}:{{ matrix_synapse_auto_compressor_database_password | urlencode() }}@{{ matrix_synapse_auto_compressor_database_hostname }}:{{ matrix_synapse_auto_compressor_database_port }}/{{ matrix_synapse_auto_compressor_database_name }}'
 
-# systemd calendar configuration for the compressor job
+# Controls the `OnCalendar` configuration for the compressor job.
+# Also see: `matrix_synapse_auto_compressor_schedule_randomized_delay_sec`
 matrix_synapse_auto_compressor_schedule: "*-*-* 00:00:00"
 
+# The `RandomizedDelaySec` delay (in seconds or as a systemd time string) to randomize the `OnCalendar` start time (`matrix_synapse_auto_compressor_schedule`) of the compressor job.
+# This can be set to 0 to disable randomized delays.
+matrix_synapse_auto_compressor_schedule_randomized_delay_sec: 6h
+
 # The number of state groups to work on at once.
 # All of the entries from state_groups_state are requested from the database for state groups that are worked on.
 # Therefore small chunk sizes may be needed on machines with low memory.

roles/custom/matrix-synapse-auto-compressor/templates/matrix-synapse-auto-compressor.timer.j2

@@ -11,6 +11,7 @@ Description=Synapse State Auto Compressor Timer
 [Timer]
 Unit=matrix-synapse-auto-compressor.service
 OnCalendar={{ matrix_synapse_auto_compressor_schedule }}
+RandomizedDelaySec={{ matrix_synapse_auto_compressor_schedule_randomized_delay_sec }}
 
 [Install]
 WantedBy=timers.target

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.127.1
+matrix_synapse_version: v1.128.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''

roles/custom/matrix-synapse/templates/synapse/customizations/Dockerfile.j2

@@ -1,4 +1,43 @@
 #jinja2: lstrip_blocks: "True"
+{% if matrix_synapse_container_image_customizations_templates_enabled %}
+FROM {{ matrix_synapse_docker_image }} AS templates-builder
+
+{#
+This ugly script below does quite a lot:
+	- installs git and other dependencies temporarily, just so we could do a shallow-clone
+	- prepare the SSH config: keyscanning (if enabled), private key (if enabled)
+	- performs a git shallow clone with just the branch we need
+	- makes sure the files are owned by the user that will actually run the container later
+#}
+{% set dependencies = ['git', 'ssh', 'openssh-client'] %}
+{% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}
+RUN echo '{{ matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key | b64encode }}' | base64 -d > /custom-templates-private-key
+RUN chmod 400 /custom-templates-private-key
+{% endif %}
+
+RUN apt-get update && apt-get install --no-install-recommends -y {{ dependencies | join(' ') }}
+
+{% if matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled %}
+RUN mkdir ~/.ssh
+RUN chmod 700 ~/.ssh
+RUN ssh-keyscan -t rsa {{ matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname }} >> ~/.ssh/known_hosts
+{% endif %}
+
+RUN {% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}GIT_SSH_COMMAND='ssh -i /custom-templates-private-key'{% endif %} git \
+	clone \
+		--branch={{ matrix_synapse_container_image_customizations_templates_git_repository_branch }} \
+		--depth=1 \
+		--single-branch \
+		--no-tags \
+		{{ matrix_synapse_container_image_customizations_templates_git_repository_url }} \
+		{{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}
+
+RUN /bin/sh -c 'cd {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && git rev-parse HEAD > git-revision.txt'
+RUN rm -rf {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/.git
+
+RUN chown -R {{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}
+{% endif %}
+
 FROM {{ matrix_synapse_docker_image }}
 
 {% if matrix_synapse_container_image_customizations_auto_accept_invite_installation_enabled %}
@@ -14,46 +53,7 @@ RUN pip install synapse-s3-storage-provider=={{ matrix_synapse_ext_synapse_s3_st
 {% endif %}
 
 {% if matrix_synapse_container_image_customizations_templates_enabled %}
-{#
-This ugly script below does quite a lot:
-	- installs git and other dependencies temporarily, just so we could do a shallow-clone
-	- prepare the SSH config: keyscanning (if enabled), private key (if enabled)
-	- performs a git shallow clone with just the branch we need
-	- makes sure the files are owned by the user that will actually run the container later
-	- removes the `.git` directory to save space, but keeps git revision in `git-revision.txt`, should we need it for debugging
-	- finally, verifies that the templates path can indeed be found within the base path (sanity check)
-#}
-{% set dependencies = ['git', 'ssh', 'openssh-client'] %}
-RUN \
-	{% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}
-	echo '{{ matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key | b64encode }}' | base64 -d > /custom-templates-private-key && \
-	chmod 400 /custom-templates-private-key && \
-	{% endif %}
-	apt-get update && \
-	apt-get install --no-install-recommends -y {{ dependencies | join(' ') }} && \
-	{% if matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled %}
-	mkdir ~/.ssh && \
-	chmod 700 ~/.ssh && \
-	ssh-keyscan -t rsa {{ matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname }} >> ~/.ssh/known_hosts && \
-	{% endif %}
-	{% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}GIT_SSH_COMMAND='ssh -i /custom-templates-private-key'{% endif %} git \
-		clone \
-			--branch={{ matrix_synapse_container_image_customizations_templates_git_repository_branch }} \
-			--depth=1 \
-			--single-branch \
-			--no-tags \
-			{{ matrix_synapse_container_image_customizations_templates_git_repository_url }} \
-			{{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && \
-	/bin/sh -c 'cd {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && git rev-parse HEAD > git-revision.txt' && \
-	rm -rf {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/.git && \
-	chown -R {{ matrix_synapse_uid }}:{{ matrix_synapse_gid }} {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} && \
-	apt-get autoremove -y {{ dependencies | join(' ') }} && \
-	{% if matrix_synapse_container_image_customizations_templates_git_repository_ssh_private_key %}
-	rm /custom-templates-private-key && \
-	{% endif %}
-	true
-
-RUN /bin/sh -c 'stat {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}/{{ matrix_synapse_container_image_customizations_templates_in_container_template_files_relative_path }} || exit 1'
+COPY --from=templates-builder {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }} {{ matrix_synapse_container_image_customizations_templates_in_container_base_path }}
 {% endif %}
 
 {{ matrix_synapse_container_image_customizations_dockerfile_body_custom }}

setup.yml

@@ -164,3 +164,4 @@
         - install-all
 
     - role: galaxy/playbook_runtime_messages
+

templates/Caddyfile.j2

@@ -0,0 +1,106 @@
+https://{{ matrix_server_fqn_matrix }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	header {
+		Strict-Transport-Security "max-age=31536000;"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+	}
+        basicauth /metrics/* bcrypt monitoring {
+                monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
+        }
+        route /metrics/synapse {
+                uri replace /metrics/synapse /metrics/synapse/main-process
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/appservice {
+                uri replace /metrics/synapse/worker/appservice /metrics/synapse/worker/appservice-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/federation-sender-0 {
+                uri replace /metrics/synapse/worker/federation-sender-0 /metrics/synapse/worker/federation-sender-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/federation-sender-1 {
+                uri replace /metrics/synapse/worker/federation-sender-1 /metrics/synapse/worker/federation-sender-1
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/federation-sender-2 {
+                uri replace /metrics/synapse/worker/federation-sender-2 /metrics/synapse/worker/federation-sender-2
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/generic-0 {
+                uri replace /metrics/synapse/worker/generic-0 /metrics/synapse/worker/generic-worker-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/generic-1 {
+                uri replace /metrics/synapse/worker/generic-1 /metrics/synapse/worker/generic-worker-1
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/media-0 {
+                uri replace /metrics/synapse/worker/media-0 /metrics/synapse/worker/media-repository-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/media-1 {
+                uri replace /metrics/synapse/worker/media-1 /metrics/synapse/worker/media-repository-1
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/bridge/* {
+                uri strip_prefix /metrics/bridge
+                route /mautrix-telegram {
+                    uri replace /mautrix-telegram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-whatsapp {
+                    uri replace /mautrix-whatsapp /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-signal {
+                    uri replace /mautrix-signal /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-instagram {
+                    uri replace /mx-puppet-instagram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-discord {
+                    uri replace /mx-puppet-discord /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-slack {
+                    uri replace /mx-puppet-slack /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+                }
+        }
+	reverse_proxy /_matrix/federation/* http://{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}
+	reverse_proxy /_matrix/key/* http://{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}
+        reverse_proxy * http://{{ devture_traefik_container_web_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_dimension }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+        reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_element }} {
+	tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
+	encode zstd gzip
+        reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+}
+
+https://{{ matrix_domain }}/.well-known/matrix/* {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	route {
+		uri strip_prefix /.well-known/matrix
+		root * /matrix_static
+		file_server
+	}
+	header {
+		Content-Type "application/json"
+		X-Content-Type-Options "nosniff"
+		Access-Control-Allow-Origin *
+		Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+}