chore: update to 1.79.0

chore: bump synapse version to 1.73.0
fixup: add appservice worker!
2023-06-04 20:47:10 +02:00 · 2023-06-04 20:47:05 +02:00 · 2023-06-04 20:47:00 +02:00 · 2023-06-04 20:46:56 +02:00 · 2023-06-04 20:46:51 +02:00 · 2023-06-04 20:46:46 +02:00
140 changed files with 1791 additions and 2198 deletions
--- a/.editorconfig
+++ b/.editorconfig
@ -23,6 +23,10 @@ indent_size = 2
 indent_style = space
 indent_size = 2

+[justfile]
+indent_style = space
+indent_size = 4
+
 # Markdown Files
 #
 # Two spaces at the end of a line in Markdown mean "new line",
--- a/.envrc
+++ b/.envrc
@ -0,0 +1 @@
+use flake
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@ -13,7 +13,7 @@ jobs:
      - name: Check out
        uses: actions/checkout@v3
      - name: Run yamllint
-        uses: frenck/action-yamllint@v1.4.0
+        uses: frenck/action-yamllint@v1.4.1
  ansible-lint:
    name: ansible-lint
    runs-on: ubuntu-latest
@ -21,6 +21,6 @@ jobs:
      - name: Check out
        uses: actions/checkout@v3
      - name: Run ansible-lint
-        uses: ansible-community/ansible-lint-action@v6.11.0
+        uses: ansible-community/ansible-lint-action@v6.16.0
        with:
          path: roles/custom
--- a/.gitignore
+++ b/.gitignore
@ -5,6 +5,7 @@
 /roles/**/files/scratchpad
 .DS_Store
 .python-version
+flake.lock

 # ignore roles pulled by ansible-galaxy
 /roles/galaxy/*
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,38 @@
+# 2023-05-25
+
+## Enabling `forget_rooms_on_leave` by default for Synapse
+
+With the [Synapse v1.84.0 update](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2698), we've also **changed the default value** of the `forget_rooms_on_leave` setting of Synapse to a value of `true`.
+This way, **when you leave a room, Synapse will now forget it automatically**.
+
+The upstream Synapse default is `false` (disabled), so that you must forget rooms manually after leaving.
+
+**We go against the upstream default** ([somewhat controversially](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2700)) in an effort to make Synapse leaner and potentially do what we believe most users would expect their homeserver to be doing.
+
+If you'd like to go back to the old behavior, add the following to your configuration: `matrix_synapse_forget_rooms_on_leave: false`
+
+
+# 2023-04-03
+
+## The matrix-jitsi role lives independently now
+
+**TLDR**: the `matrix-jitsi` role is now included from the [ansible-role-jitsi](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi) repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook). Some variables have been renamed. All functionality remains intact.
+
+The `matrix-jitsi` role has been relocated in its own repository, part of the [MASH playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) project - an Ansible playbook for self-hosting [a growing list of FOSS software](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md). If hosting a Jitsi stack on the Matrix server itself did not stand right with you or you always wanted to host most stuff, you can now use this new playbook to do so.
+
+As part of the extraction process of this role out of the Matrix playbook, a few other things improved:
+
+- **native Traefik support** has been added
+- **support for hosting under a subpath** has been added, although it suffers from a few minor issues listed [here](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/jitsi.md#url)
+
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Jitsi or not.
+
+If you're making use of Jitsi via this playbook, you will need to update variable references in your `vars.yml` file:
+
+  - `matrix_jitsi_*_docker_image_` -> `matrix_jitsi_*_container_image_`
+  - `matrix_jitsi_` -> `jitsi_`
+  - some other internal variables have changed, but the playbook will tell you about them
+
 # 2023-03-22

 ## ntfy Web App is disabled by default
@ -17,7 +52,7 @@ The `matrix-prometheus` role has been relocated in its own repository, part of t

 Extracting the Prometheus role out of this Matrix playbook required huge internal refactoring to the way the Prometheus configuration (scraping jobs) is generated. If you notice any breakage after upgrading, let us know.

-You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not.
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Prometheus or not.

 If you're making use of Prometheus via this playbook, you will need to update variable references in your `vars.yml` file:

@ -59,7 +94,7 @@ To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playboo

 **TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact.

-You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not.
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not.

 If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file:

@ -167,7 +202,7 @@ Additional details are available in the [Customizing templates](docs/configuring

 The `matrix-redis` role (which configures [Redis](https://redis.io/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/redis). This makes it possible to easily use it in other Ansible playbooks.

-You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`).
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_redis_` -> `redis_`).

 ## The matrix-ntfy role lives independently now

@ -175,7 +210,7 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh

 The `matrix-ntfy` role (which configures [Ntfy](https://ntfy.sh/)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/ntfy). This makes it possible to easily use it in other Ansible playbooks.

-You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Ntfy or not. If you're making use of Ntfy via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_ntfy_` -> `ntfy_`).


 # 2023-02-15
@ -186,7 +221,7 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh

 The `matrix-grafana` role (which configures [Grafana](docs/configuring-playbook-prometheus-grafana.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/grafana). This makes it possible to easily use it in other Ansible playbooks.

-You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`).
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Grafana or not. If you're making use of Grafana via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_grafana_` -> `grafana_`).


 # 2023-02-13
@ -197,7 +232,7 @@ You need to **update you roles** (`just roles` or `make roles`) regardless of wh

 Thanks to [moan0s](https://github.com/moan0s), the `matrix-backup-borg` role (which configures [Borg backups](docs/configuring-playbook-backup-borg.md)) has been extracted from the playbook and now lives in its [own repository](https://gitlab.com/etke.cc/roles/backup_borg). This makes it possible to easily use it in other Ansible playbooks and will become part of [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) soon.

-You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`).
+You need to **update your roles** (`just roles` or `make roles`) regardless of whether you're enabling Borg backup functionality or not. If you're making use of Borg backups via this playbook, you will need to update variable references in your `vars.yml` file (`matrix_backup_borg_` -> `backup_borg_`).


 # 2023-02-12
@ -1556,7 +1591,7 @@ People who have [fine-tuned Jitsi](docs/configuring-playbook-jitsi.md#optional-f

 The next time you run the playbook [installation](docs/installing.md) command, our validation logic will tell you if you're using some variables like that and will recommend a migration path for each one.

-Additionally, we've recently disabled transcriptions (`matrix_jitsi_enable_transcriptions: false`) and recording (`matrix_jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working.
+Additionally, we've recently disabled transcriptions (`jitsi_enable_transcriptions: false`) and recording (`jitsi_enable_recording: false`) by default. These features did not work anyway, because we don't install the required dependencies for them (Jigasi and Jibri, respectively). If you've been somehow pointing your Jitsi installation to some manually installed Jigasi/Jibri service, you may need to toggle these flags back to enabled to have transcriptions and recordings working.


 # 2020-11-23
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 stdout_callback = yaml

+inventory = inventory/hosts
+
 [connection]
 pipelining = True
--- a/docs/configuring-playbook-bot-chatgpt.md
+++ b/docs/configuring-playbook-bot-chatgpt.md
@ -20,10 +20,12 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.chatgpt
 ```


-## 2. Get an access token
+## 2. Get an access token and create encryption keys

 Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).

+To make sure the bot can read encrypted messages, it will need an encryption key, just like any other new user. While obtaining the access token, follow the prompts to setup a backup key. More information can be found in the [element documentation](https://element.io/help#encryption6).
+

 ## 3. Adjusting the playbook configuration

--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@ -30,30 +30,12 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t

 ## 3. Make sure the account is free from rate limiting

-You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
+You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.

-1. Copy the statement below into a text editor.
+If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 

-	```
-	INSERT INTO ratelimit_override VALUES ('@bot.draupnir:DOMAIN', 0, 0);
-	```
+The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token.

-1. Change the username (`@bot.draupnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.
-
-1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)
-
-1. Connect to Synapse's database by typing `\connect synapse` into the database terminal
-
-1. Paste in the `INSERT INTO` command that you edited and press enter.
-
-You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:
-
-```
-      user_id          | messages_per_second | burst_count
-----------------------+---------------------+-------------
- @bot.draupnir:raim.ist |                   0 |           0`
-```
-then you did it correctly.


 ## 4. Create a management room
--- a/docs/configuring-playbook-bot-honoroit.md
+++ b/docs/configuring-playbook-bot-honoroit.md
@ -14,6 +14,10 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
 ```yaml
 matrix_bot_honoroit_enabled: true

+# Uncomment and adjust if you'd like to change the hostname or path
+# matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"
+# matrix_bot_honoroit_path_prefix: /honoroit
+
 # Uncomment and adjust this part if you'd like to use a username different than the default
 # matrix_bot_honoroit_login: honoroit

--- a/docs/configuring-playbook-bot-mjolnir.md
+++ b/docs/configuring-playbook-bot-mjolnir.md
@ -29,31 +29,11 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t

 ## 3. Make sure the account is free from rate limiting

-You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). This can also be manually done by editing the Synapse database. Manually editing the Synapse database is rarely a good idea. Please ask for help if you are uncomfortable with these steps.
+You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.

-1. Copy the statement below into a text editor. 
-
-	```
-	INSERT INTO ratelimit_override VALUES ('@bot.mjolnir:DOMAIN', 0, 0);
-	```
-
-1. Change the username (`@bot.mjolnir:DOMAIN`) to the username you used when you registered the bot's account. You must change `DOMAIN` to your server's domain.
-
-1. Get a database terminal by following these steps: [maintenance-postgres.md#getting-a-database-terminal](maintenance-postgres.md#getting-a-database-terminal)
-
-1. Connect to Synapse's database by typing `\connect synapse` into the database terminal
-
-1. Paste in the `INSERT INTO` command that you edited and press enter.
-
-You can run `SELECT * FROM ratelimit_override;` to see if it worked. If the output looks like this:
-
-```
-      user_id          | messages_per_second | burst_count
-----------------------+---------------------+-------------
- @bot.mjolnir:raim.ist |                   0 |           0`
-```
-then you did it correctly.
+If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 

+The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token.

 ## 4. Create a management room

--- a/docs/configuring-playbook-bot-postmoogle.md
+++ b/docs/configuring-playbook-bot-postmoogle.md
@ -4,12 +4,26 @@

 The playbook can install and configure [Postmoogle](https://gitlab.com/etke.cc/postmoogle) for you.

-It's a bot/bridge you can use to forward emails to Matrix rooms
+It's a bot/bridge you can use to forward emails to Matrix rooms. 
+Postmoogle runs an SMTP email server and allows you to assign mailbox addresses to Matrix rooms.

 See the project's [documentation](https://gitlab.com/etke.cc/postmoogle) to learn what it does and why it might be useful to you.

+## Prerequisites

-## Adjusting the playbook configuration
+### Networking
+
+Open the following ports on your server to be able to receive incoming emails:
+
+  - `25/tcp`: SMTP
+  - `587/tcp`: Submission (TLS-encrypted SMTP)
+
+If you don't open these ports, you will still be able to send emails, but not receive any.
+
+These port numbers are configurable via the `matrix_bot_postmoogle_smtp_host_bind_port` and `matrix_bot_postmoogle_submission_host_bind_port` variables, but other email servers will try to deliver on these default (standard) ports, so changing them is of little use.
+
+
+### Adjusting the playbook configuration

 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:

@ -21,9 +35,20 @@ matrix_bot_postmoogle_enabled: true

 # Generate a strong password here. Consider generating it with `pwgen -s 64 1`
 matrix_bot_postmoogle_password: PASSWORD_FOR_THE_BOT
+
+# Uncomment to add one or more admins to this bridge:
+#
+# matrix_bot_postmoogle_admins:
+#  - '@yourAdminAccount:domain.com'
+#
+# .. unless you've made yourself an admin of all bridges like this:
+#
+# matrix_admin: '@yourAdminAccount:domain.com'
 ```

-You will also need to add several DNS records so that postmoogle can send emails.
+### DNS
+
+You will also need to add several DNS records so that Postmoogle can send emails.
 See [Configuring DNS](configuring-dns.md).


@ -51,3 +76,13 @@ Then send `!pm mailbox NAME` to expose this Matrix room as an inbox with the ema
 Send `!pm help` to the room to see the bot's help menu for additional commands.

 You can also refer to the upstream [documentation](https://gitlab.com/etke.cc/postmoogle).
+
+### Debug/Logs
+
+As with all other services, you can find their logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by running something like `journalctl -fu matrix-bot-postmoogle`
+
+The default logging level for this bridge is `INFO`, but you can increase it to `DEBUG` with the following additional configuration: 
+
+```yaml
+matrix_bot_postmoogle_loglevel: 'DEBUG'
+```
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@ -16,7 +16,7 @@ Refer to the [official instructions](https://matrix-org.github.io/matrix-hooksho
 1. Enable the bridge by adding `matrix_hookshot_enabled: true` to your `vars.yml` file
 2. For each of the services (GitHub, GitLab, Jira, Figma, generic webhooks) fill in the respective variables `matrix_hookshot_service_*` listed in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) as required.
 3. Take special note of the `matrix_hookshot_*_enabled` variables. Services that need no further configuration are enabled by default (GitLab, Generic), while you must first add the required configuration and enable the others (GitHub, Jira, Figma).
-4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-matrix-aux-role) explained below.
+4. If you're setting up the GitHub bridge, you'll need to generate and download a private key file after you created your GitHub app. Copy the contents of that file to the variable `matrix_hookshot_github_private_key` so the playbook can install it for you, or use one of the [other methods](#manage-github-private-key-with-aux-role) explained below.
 5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready. Hookshot can be set up individually using the tag `setup-hookshot`.

 Other configuration options are available via the `matrix_hookshot_configuration_extension_yaml` and `matrix_hookshot_registration_extension_yaml` variables, see the comments in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) for how to use them.
@ -58,23 +58,23 @@ See also `matrix_hookshot_matrix_nginx_proxy_configuration` in [init.yml](/roles

 The different listeners are also reachable *internally* in the docker-network via the container's name (configured by `matrix_hookshot_container_url`) and on different ports (e.g. `matrix_hookshot_appservice_port`). Read [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml) in detail for more info.

-### Manage GitHub Private Key with matrix-aux role
+### Manage GitHub Private Key with aux role

 The GitHub bridge requires you to install a private key file. This can be done in multiple ways:
 - copy the *contents* of the downloaded file and set the variable `matrix_hookshot_github_private_key` to the contents (see example in [main.yml](/roles/custom/matrix-bridge-hookshot/defaults/main.yml)).
 - somehow copy the file to the path `{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}` (default: `/matrix/hookshot/private-key.pem`) on the server manually.
- use the `matrix-aux` role to copy the file from an arbitrary path on your ansible client to the correct path on the server.
+- use the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) to copy the file from an arbitrary path on your ansible client to the correct path on the server.

-To use `matrix-aux`, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add to `matrix-aux` configuration like this:
+To use the `aux` role, make sure the `matrix_hookshot_github_private_key` variable is empty. Then add the following additional configuration:
 ```yaml
-matrix_aux_file_definitions:
+aux_file_definitions:
  - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
    content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"
    mode: '0400'
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 ```
-For more info see the documentation in the [matrix-aux base configuration file](/roles/custom/matrix-aux/defaults/main.yml).
+For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml).

 ### Provisioning API

--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -9,12 +9,12 @@ The setup done by the playbook is very similar to [docker-jitsi-meet](https://gi

 ## Prerequisites

-Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record. See [Configuring DNS](configuring-dns.md).
+Before installing Jitsi, make sure you've created the `jitsi.DOMAIN` DNS record (unless you've changed `jitsi_hostname`, as described below). See [Configuring DNS](configuring-dns.md) for details about DNS changes.

 You may also need to open the following ports to your server:

 - `4443/tcp` - RTP media fallback over TCP
- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/custom/matrix-jitsi/defaults/main.yml)).
+- `10000/udp` - RTP media over UDP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`jitsi_jvb_stun_servers`](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/defaults/main.yml)).


 ## Installation
@ -22,17 +22,15 @@ You may also need to open the following ports to your server:
 Add this to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 ```yaml
-matrix_jitsi_enabled: true
+jitsi_enabled: true

-# Run `bash inventory/scripts/jitsi-generate-passwords.sh` to generate these passwords,
-# or define your own strong passwords manually.
-matrix_jitsi_jicofo_auth_password: ""
-matrix_jitsi_jvb_auth_password: ""
-matrix_jitsi_jibri_recorder_password: ""
-matrix_jitsi_jibri_xmpp_password: ""
+# Uncomment and adjust if you need to use another hostname
+# jitsi_hostname: "jitsi.{{ matrix_domain }}"
+
+# Uncomment and possible adjust if you'd like to host under a subpath
+# jitsi_path_prefix: /jitsi
 ```

-
 ## (Optional) Configure Jitsi authentication and guests mode

 By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
@ -44,19 +42,19 @@ Currently, there are three supported authentication modes: 'internal' (default),

 **Note:** Authentication is not tested via the playbook's self-checks.
 We therefore recommend that you manually verify if authentication is required by jitsi.
-For this, try to manually create a conference on jitsi.DOMAIN in your browser. 
+For this, try to manually create a conference on jitsi.DOMAIN in your browser.

 ### Authenticate using Jitsi accounts (Auth-Type 'internal')
-The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms. 
+The default authentication mechanism is 'internal' auth, which requires jitsi-accounts to be setup and is the recommended setup, as it also works in federated rooms.
 With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join.
 If a registered host is not yet present, guests are put on hold in individual waiting rooms.

 Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 ```yaml
-matrix_jitsi_enable_auth: true
-matrix_jitsi_enable_guests: true
-matrix_jitsi_prosody_auth_internal_accounts:
+jitsi_enable_auth: true
+jitsi_enable_guests: true
+jitsi_prosody_auth_internal_accounts:
  - username: "jitsi-moderator"
    password: "secret-password"
  - username: "another-user"
@ -69,7 +67,7 @@ matrix_jitsi_prosody_auth_internal_accounts:

 ### Authenticate using Matrix OpenID (Auth-Type 'matrix')

-**Attention: Probably breaks jitsi in federated rooms and does not allow sharing conference links with guests.**
+**Attention: Probably breaks Jitsi in federated rooms and does not allow sharing conference links with guests.**

 Using this authentication type require a [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service).
 By default, this playbook creates and configures a user-verification-service to run locally, see [configuring-user-verification-service](configuring-playbook-user-verification-service.md).
@ -77,8 +75,8 @@ By default, this playbook creates and configures a user-verification-service to
 To enable set this configuration at host level:

 ```yaml
-matrix_jitsi_enable_auth: true
-matrix_jitsi_auth_type: "matrix"
+jitsi_enable_auth: true
+jitsi_auth_type: matrix
 matrix_user_verification_service_enabled: true
 ```

@ -89,21 +87,21 @@ For more information see also [https://github.com/matrix-org/prosody-mod-auth-ma
 An example LDAP configuration could be:

 ```yaml
-matrix_jitsi_enable_auth: true
-matrix_jitsi_auth_type: ldap
-matrix_jitsi_ldap_url: "ldap://ldap.DOMAIN"
-matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
-#matrix_jitsi_ldap_binddn: ""
-#matrix_jitsi_ldap_bindpw: ""
-matrix_jitsi_ldap_filter: "uid=%u"
-matrix_jitsi_ldap_auth_method: "bind"
-matrix_jitsi_ldap_version: "3"
-matrix_jitsi_ldap_use_tls: true
-matrix_jitsi_ldap_tls_ciphers: ""
-matrix_jitsi_ldap_tls_check_peer: true
-matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
-matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
-matrix_jitsi_ldap_start_tls: false
+jitsi_enable_auth: true
+jitsi_auth_type: ldap
+jitsi_ldap_url: "ldap://ldap.DOMAIN"
+jitsi_ldap_base: "OU=People,DC=DOMAIN"
+#jitsi_ldap_binddn: ""
+#jitsi_ldap_bindpw: ""
+jitsi_ldap_filter: "uid=%u"
+jitsi_ldap_auth_method: "bind"
+jitsi_ldap_version: "3"
+jitsi_ldap_use_tls: true
+jitsi_ldap_tls_ciphers: ""
+jitsi_ldap_tls_check_peer: true
+jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
+jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
+jitsi_ldap_start_tls: false
 ```

 For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.
@ -120,7 +118,7 @@ Here is how to do it in the playbook.
 Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 ```yaml
-matrix_jitsi_jvb_container_extra_arguments:
+jitsi_jvb_container_extra_arguments:
  - '--env "JVB_ADVERTISE_IPS=<Local IP address of the host>"'
 ```

@ -129,7 +127,7 @@ matrix_jitsi_jvb_container_extra_arguments:
 Sample **additional** `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration to save up resources (explained below):

 ```yaml
-matrix_jitsi_web_custom_config_extension: |
+jitsi_web_custom_config_extension: |
  config.enableLayerSuspension = true;

  config.disableAudioLevels = true;
@ -137,13 +135,12 @@ matrix_jitsi_web_custom_config_extension: |
  // Limit the number of video feeds forwarded to each client
  config.channelLastN = 4;

-matrix_jitsi_web_config_resolution_width_ideal_and_max: 480
-matrix_jitsi_web_config_resolution_height_ideal_and_max: 240
+jitsi_web_config_resolution_width_ideal_and_max: 480
+jitsi_web_config_resolution_height_ideal_and_max: 240
 ```

 You may want to **suspend unused video layers** until they are requested again, to save up resources on both server and clients.
 Read more on this feature [here](https://jitsi.org/blog/new-off-stage-layer-suppression-feature/)
-For this add this line to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:

 You may wish to **disable audio levels** to avoid excessive refresh of the client-side page and decrease the CPU consumption involved.

@ -157,10 +154,10 @@ You may want to **limit the maximum video resolution**, to save up resources on

 The playbook allows a user to set a max number of participants allowed to join a Jitsi conference. By default there is no limit.

-In order to set the max number of participants add the following variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
+In order to set the max number of participants use the following **additional** configuration:

-```
-matrix_prosody_jitsi_max_participants: <INTEGER OF MAX PARTICPANTS>
+```yaml
+jitsi_prosody_max_participants: 4 # example value
 ```

 ## (Optional) Additional JVBs
@ -176,18 +173,18 @@ For this role to work you will need an additional section in the ansible hosts f
 <your jvb hosts> ansible_host=<ip address of the jvb host>
 ```

-Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB.  
-The server id is set with the variable `matrix_jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container. 
+Each JVB will require a server id to be set so that it can be uniquely identified and this allows Jitsi to keep track of which conferences are on which JVB.
+The server id is set with the variable `jitsi_jvb_server_id` which ends up as the JVB_WS_SERVER_ID environment variables in the JVB docker container.
 This variable can be set via the host file, a parameter to the ansible command or in the `vars.yaml` for the host which will have the additional JVB. For example:

 ``` yaml
-matrix_jitsi_jvb_server_id: 'jvb-2'
+jitsi_jvb_server_id: 'jvb-2'
 ```

 ``` INI
 [jitsi_jvb_servers]
-jvb-2.example.com ansible_host=192.168.0.2 matrix_jitsi_jvb_server_id=jvb-2
-jvb-3.example.com ansible_host=192.168.0.3 matrix_jitsi_jvb_server_id=jvb-2
+jvb-2.example.com ansible_host=192.168.0.2 jitsi_jvb_server_id=jvb-2
+jvb-3.example.com ansible_host=192.168.0.3 jitsi_jvb_server_id=jvb-2
 ```

 Note that the server id `jvb-1` is reserved for the JVB instance running on the Matrix host and therefore should not be used as the id of an additional jvb host.
@ -195,20 +192,20 @@ Note that the server id `jvb-1` is reserved for the JVB instance running on the
 The additional JVB will also need to expose the colibri web socket port and this can be done with the following variable:

 ```yaml
-matrix_jitsi_jvb_container_colibri_ws_host_bind_port: 9090
+jitsi_jvb_container_colibri_ws_host_bind_port: 9090
 ```

-The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable 
-`matrix_jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example:
+The JVB will also need to know where the prosody xmpp server is located, similar to the server id this can be set in the vars for the JVB by using the variable
+`jitsi_xmpp_server`. The Jitsi prosody container is deployed on the matrix server by default so the value can be set to the matrix domain. For example:

 ```yaml
-matrix_jitsi_xmpp_server: "{{ matrix_domain }}"
+jitsi_xmpp_server: "{{ matrix_domain }}"
 ```

 However, it can also be set the ip address of the matrix server. This can be useful if you wish to use a private ip. For example:

 ```yaml
-matrix_jitsi_xmpp_server: "192.168.0.1"
+jitsi_xmpp_server: "192.168.0.1"
 ```

 The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable
@ -223,7 +220,7 @@ matrix_nginx_proxy_proxy_jitsi_additional_jvbs:
 ```


-Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo 
+Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo
 to route conferences too.

 ## (Optional) Enable Gravatar
@ -234,7 +231,7 @@ Since element already sends the url of configured Matrix avatars to Jitsi, we di
 To enable Gravatar set:

 ```yaml
-matrix_jitsi_disable_gravatar: false
+jitsi_disable_gravatar: false
 ```

 **Beware:** This leaks information to a third party, namely the Gravatar-Service (unless configured otherwise: gravatar.com).
@ -262,7 +259,7 @@ You can use the self-hosted Jitsi server in multiple ways:

 ### Rebuilding your Jitsi installation

-**If you ever run into any trouble** or **if you change configuration (`matrix_jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.
+**If you ever run into any trouble** or **if you change configuration (`jitsi_*` variables) too much**, we urge you to rebuild your Jitsi setup.

 We normally don't require such manual intervention for other services, but Jitsi services generate a lot of configuration files on their own.

@ -270,7 +267,6 @@ These files are not all managed by Ansible (at least not yet), so you may someti

 To rebuild your Jitsi configuration:

- SSH into the server and do this:
-  - stop all Jitsi services (`systemctl stop matrix-jitsi-*`).
-  - remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
- ask Ansible to set up Jitsi anew and restart services (`ansible-playbook -i inventory/hosts setup.yml --tags=setup-jitsi,start`)
+- ask Ansible to stop all Jitsi services: `just run-tags stop-group --extra-vars=group=jitsi`
+- SSH into the server and do this and remove all Jitsi configuration & data (`rm -rf /matrix/jitsi`)
+- ask Ansible to set up Jitsi anew and restart services (`just install-service jitsi`)
--- a/docs/configuring-playbook-ldap-auth.md
+++ b/docs/configuring-playbook-ldap-auth.md
@ -8,7 +8,9 @@ If you decide that you'd like to let this playbook install it for you, you need

 ```yaml
 matrix_synapse_ext_password_provider_ldap_enabled: true
-matrix_synapse_ext_password_provider_ldap_uri: "ldap://ldap.mydomain.tld:389"
+matrix_synapse_ext_password_provider_ldap_uri: 
+  - "ldap://ldap-01.mydomain.tld:389"
+  - "ldap://ldap-02.mydomain.tld:389"
 matrix_synapse_ext_password_provider_ldap_start_tls: true
 matrix_synapse_ext_password_provider_ldap_base: "ou=users,dc=example,dc=com"
 matrix_synapse_ext_password_provider_ldap_attributes_uid: "uid"
--- a/docs/configuring-playbook-matrix-corporal.md
+++ b/docs/configuring-playbook-matrix-corporal.md
@ -91,7 +91,7 @@ matrix_corporal_policy_provider_config: |
  }

 # Modify the policy below as you see fit
-matrix_aux_file_definitions:
+aux_file_definitions:
  - dest: "{{ matrix_corporal_config_dir_path }}/policy.json"
    content: |
      {
--- a/docs/configuring-playbook-mautrix-bridges.md
+++ b/docs/configuring-playbook-mautrix-bridges.md
@ -33,6 +33,13 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
 ```

 Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:
+
+**for all bridges with encryption support**:
+```yaml
+matrix_bridges_encryption_enabled: true
+```
+
+**Alternatively**, for a specific bridge:
 ```yaml
 matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
  bridge:
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -153,14 +153,14 @@ devture_traefik_additional_entrypoints_auto:
    port: 8449
    host_bind_port: '127.0.0.1:8449'
    config: {}
-	# If your reverse-proxy runs on another machine, remove the config above and use this config instead:
-	# config:
-	#   forwardedHeaders:
-	#     insecure: true
-	#     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
+    # If your reverse-proxy runs on another machine, remove the config above and use this config instead:
+    # config:
+    #   forwardedHeaders:
+    #     insecure: true
+    #     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```

-For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
+For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).


 ### Using no reverse-proxy on the Matrix side at all
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@ -40,9 +40,9 @@ If you'd like to use your own SSL certificates, instead of the default (SSL cert
 To use your own SSL certificates with Traefik, you need to:

 - disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
+- put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually
 - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
- put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
+- put the SSL files on the server, with the help of this Ansible playbook (via the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux)) or manually

 ```yaml
 # Disable ACME / Let's Encrypt support.
@ -53,7 +53,7 @@ devture_traefik_config_certificatesResolvers_acme_enabled: false
 devture_traefik_ssl_dir_enabled: true

 # Tell Traefik to load our custom configuration file (certificates.yml).
-# The file is created below, in `matrix_aux_file_definitions`.
+# The file is created below, in `aux_file_definitions`.
 # The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
 devture_traefik_configuration_extension_yaml: |
  providers:
@ -61,9 +61,9 @@ devture_traefik_configuration_extension_yaml: |
      filename: /config/certificates.yml
      watch: true

-# Use the matrix-aux role to create our custom files on the server.
-# If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable.
-matrix_aux_file_definitions:
+# Use the aux role to create our custom files on the server.
+# If you'd like to do this manually, you remove this `aux_file_definitions` variable.
+aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
--- a/docs/configuring-playbook-sygnal.md
+++ b/docs/configuring-playbook-sygnal.md
@ -55,7 +55,7 @@ matrix_sygnal_apps:
    api_key: your_api_key_for_gcm
    # .. more configuration ..

-matrix_aux_file_definitions:
+aux_file_definitions:
  - dest: "{{ matrix_sygnal_data_path }}/my_key.p8"
    content: |
      some
@ -73,7 +73,7 @@ Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easi
 To configure [APNS](https://developer.apple.com/notifications/) (Apple Push Notification Service), you'd need to provide one or more certificate files.
 To do that, the above example configuration:

- makes use of the `matrix-aux` role (and its `matrix_aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See `roles/custom/matrix-aux/defaults/main.yml` for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `matrix-aux`.
+- makes use of the [`aux` role](https://github.com/mother-of-all-self-hosting/ansible-role-aux) (and its `aux_file_definitions` variable) to make the playbook install files into `/matrix/sygnal/data` (the `matrix_sygnal_data_path` variable). See [`defaults/main.yml` file](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml) of the `aux` role for usage examples. It also makes sure the files are owned by `matrix:matrix`, so that Sygnal can read them. Of course, you can also install these files manually yourself, if you'd rather not use `aux`.

 - references these files in the Sygnal configuration (`matrix_sygnal_apps`) using a path like `/data/..` (the `/matrix/sygnal/data` directory on the host system is mounted into the `/data` directory inside the container)

--- a/docs/configuring-playbook-synapse.md
+++ b/docs/configuring-playbook-synapse.md
@ -42,8 +42,6 @@ devture_postgres_process_extra_arguments: [
 ]
 ```

-**NOTE**: Disabling `matrix-nginx-proxy` (`matrix_nginx_proxy_enabled: false`) (that is, [using your own other webserver](configuring-playbook-own-webserver.md) when running a Synapse worker setup is likely to cause various troubles (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2090)).
-
 In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`.


@ -119,3 +117,10 @@ matrix_synapse_container_image_customizations_templates_git_repository_ssh_priva

 As mentioned in Synapse's Templates documentation, Synapse will fall back to its own templates if a template is not found in that directory.
 Due to this, it's recommended to only store and maintain template files in your repository if you need to make custom changes. Other files (which you don't need to change), should not be duplicated, so that you don't need to worry about getting out-of-sync with the original Synapse templates.
+
+
+## Monitoring Synapse Metrics with Prometheus and Grafana
+
+This playbook allows you to enable Synapse metrics, which can provide insight into the performance and activity of Synapse.
+
+To enable Synapse metrics see [`configuring-playbook-prometheus-grafana.md`](./configuring-playbook-prometheus-grafana.md)
--- a/docs/configuring-playbook-turn.md
+++ b/docs/configuring-playbook-turn.md
@ -36,7 +36,7 @@ If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might
 If you do not do it, Jitsi will fall back to an upstream service.

 ```yaml
-matrix_jitsi_web_stun_servers:
+jitsi_web_stun_servers:
 - stun:HOSTNAME_OR_IP:PORT
 ```
 You can put multiple host/port combinations if you like.
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -12,7 +12,7 @@ You can then follow these steps inside the playbook directory:

 1. copy the sample configuration file (`cp examples/vars.yml inventory/host_vars/matrix.<your-domain>/vars.yml`)

-1. edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at the various `roles/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.
+1. edit the configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`) to your liking. You may also take a look at the various `roles/*/ROLE_NAME_HERE/defaults/main.yml` files and see if there's something you'd like to copy over and override in your `vars.yml` configuration file.

 1. copy the sample inventory hosts file (`cp examples/hosts inventory/hosts`)

--- a/docs/faq.md
+++ b/docs/faq.md
@ -262,7 +262,7 @@ matrix_server_fqn_element: "element.YOUR_BASE_DOMAIN"
 # Feel free to use `dimension.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that.
 matrix_server_fqn_dimension: "dimension.YOUR_BASE_DOMAIN"

-# This is where you access Jitsi (if enabled via `matrix_jitsi_enabled: true`; NOT enabled by default).
+# This is where you access Jitsi (if enabled via `jitsi_enabled: true`; NOT enabled by default).
 #
 # Feel free to use `jitsi.matrix.YOUR_BASE_DOMAIN`, if you'd prefer that.
 matrix_server_fqn_jitsi: "jitsi.YOUR_BASE_DOMAIN"
--- a/docs/importing-synapse-sqlite.md
+++ b/docs/importing-synapse-sqlite.md
@ -3,24 +3,28 @@
 Run this if you'd like to import your database from a previous default installation of Synapse.
 (don't forget to import your `media_store` files as well - see [the importing-synapse-media-store guide](importing-synapse-media-store.md)).

-While this playbook always sets up PostgreSQL, by default a Synapse installation would run
-using an SQLite database.
+While this playbook only supports running Synapse in combination with PostgreSQL, a Synapse instance installed manually usually defaults to using an SQLite database.

-If you have such a Synapse setup and wish to migrate it here (and over to PostgreSQL), this command is for you.
+If you have such a Synapse setup and wish to migrate it to one managed by the playbook (and over to PostgreSQL), this documentation page is for you.


 ## Prerequisites

-Before doing the actual import, **you need to upload your SQLite database file to the server** (any path is okay).
+Before doing the actual import:

+- **ensure you have NOT started Synapse yet**. That is, make sure you have followed the [Installing step](installing.md), but haven't run the playbook's `start` tag yet. If you had started your new Synapse instance, it may have already initialized your Postgres database and importing onto it may not work. In such cases, you may need to clean up the `synapse` database first.
+- **ensure you have uploaded your SQLite database file to the server** (any path is okay)
+- if you're using the integrated Postgres server (**by default, you are** using it, unless you've explicitly switched to [Using an external PostgreSQL server](configuring-playbook-external-postgres.md)), **make sure Postgres is started** by running `just start-group postgres`

 ## Importing

 Run this command (make sure to replace `<server-path-to-homeserver.db>` with a file path on your server):

-	ansible-playbook -i inventory/hosts setup.yml --extra-vars='server_path_homeserver_db=<server-path-to-homeserver.db>' --tags=import-synapse-sqlite-db
+```sh
+just run-tags import-synapse-sqlite-db --extra-vars=server_path_homeserver_db=<server-path-to-homeserver.db>
+```

 **Notes**:

- `<server-path-to-homeserver.db>` must be a file path to a `homeserver.db` **file on the server** (not on your local machine!).
+- `<server-path-to-homeserver.db>` must be replaced with a file path to a `homeserver.db` **file on the server** (not on your local machine!).
 - if the SQLite database is from an older version of Synapse, the **importing procedure may run migrations on it to bring it up to date**. That is, your SQLite database file may get modified and become unusable with your older Synapse version. Keeping a copy of the original is probably wise.
--- a/examples/caddy2/Caddyfile
+++ b/examples/caddy2/Caddyfile
@ -1,112 +1,10 @@
-(cors) {
-	@cors_preflight method OPTIONS
-
-	handle @cors_preflight {
-		header Access-Control-Allow-Origin "{args.0}"
-		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
-		header Access-Control-Allow-Headers "Content-Type, Authorization"
-		header Access-Control-Max-Age "3600"
-	}
-}
-
-
-matrix.DOMAIN.tld {
-
-  # creates letsencrypt certificate
-  # tls your@email.com
-
-  @identity {
-        path /_matrix/identity/*
-  }
-
-  @noidentity {
-        not path /_matrix/identity/*
-  }
-
-  @search {
-        path /_matrix/client/r0/user_directory/search/*
-  }
-
-  @nosearch {
-        not path /_matrix/client/r0/user_directory/search/*
-  }
-
-  @static {
-        path /matrix/static-files/*
-  }
-
-  @nostatic {
-        not path /matrix/static-files/*
-  }
-
-  @wellknown {
-        path /.well-known/matrix/*
-  }
-
-  header {
-        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-        # Enable cross-site filter (XSS) and tell browser to block detected attacks
-        X-XSS-Protection "1; mode=block"
-        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
-        X-Content-Type-Options "nosniff"
-        # Disallow the site to be rendered within a frame (clickjacking protection)
-        X-Frame-Options "DENY"
-        # X-Robots-Tag
-        X-Robots-Tag "noindex, noarchive, nofollow"
-  }
-
-  # Cache
-  header @static {
-        # Cache
-    Cache-Control "public, max-age=31536000"
-    defer
-  }
-
-  # identity
-  handle @identity {
-        reverse_proxy localhost:8090  {
-               header_up X-Forwarded-Port {http.request.port}
-               header_up X-Forwarded-Proto {http.request.scheme}
-               header_up X-Forwarded-TlsProto {tls_protocol}
-               header_up X-Forwarded-TlsCipher {tls_cipher}
-               header_up X-Forwarded-HttpsProto {proto}
-        }
-  }
-
-  # search
-  handle @search {
-        reverse_proxy localhost:8090   {
-               header_up X-Forwarded-Port {http.request.port}
-               header_up X-Forwarded-Proto {http.request.scheme}
-               header_up X-Forwarded-TlsProto {tls_protocol}
-               header_up X-Forwarded-TlsCipher {tls_cipher}
-               header_up X-Forwarded-HttpsProto {proto}
-        }
-  }
-
-  handle @wellknown {
-        encode zstd gzip
-        root * /matrix/static-files
-	header Cache-Control max-age=14400
-        header Content-Type application/json
-        header Access-Control-Allow-Origin *
-        file_server
-  }
-  
-  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
-  #handle @wellknown {
-  #  # .well-known is handled by base domain
-  #  reverse_proxy https://DOMAIN.tld {
-  #  header_up Host {http.reverse_proxy.upstream.hostport}
-  #}
+matrix.example.tld {

  handle {
        encode zstd gzip

-        reverse_proxy localhost:8008  {
+        reverse_proxy localhost:81  {
               header_up X-Forwarded-Port {http.request.port}
-               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
@ -114,13 +12,12 @@ matrix.DOMAIN.tld {
  }
 }

-matrix.DOMAIN.tld:8448 {
+matrix.example.tld:8448 {
    handle {
        encode zstd gzip

-        reverse_proxy 127.0.0.1:8048 {
+        reverse_proxy 127.0.0.1:8449 {
               header_up X-Forwarded-Port {http.request.port}
-               header_up X-Forwarded-Proto {http.request.scheme}
               header_up X-Forwarded-TlsProto {tls_protocol}
               header_up X-Forwarded-TlsCipher {tls_cipher}
               header_up X-Forwarded-HttpsProto {proto}
@ -128,142 +25,16 @@ matrix.DOMAIN.tld:8448 {
    }
 }

-element.DOMAIN.tld {

-      # creates letsencrypt certificate
-      # tls your@email.com
-
-      import cors https://*.DOMAIN.tld
-
-      header {
-                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-                # Enable cross-site filter (XSS) and tell browser to block detected attacks
-                X-XSS-Protection "1; mode=block"
-                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
-                X-Content-Type-Options "nosniff"
-                # Disallow the site to be rendered within a frame (clickjacking protection)
-                X-Frame-Options "DENY"
-                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
-                # Content-Security-Policy frame-src https://*.DOMAIN.tld
-                # X-Robots-Tag
-                X-Robots-Tag "noindex, noarchive, nofollow"
-        }
-
-        handle {
-              encode zstd gzip
-
-              reverse_proxy localhost:8765 {
-                     header_up X-Forwarded-Port {http.request.port}
-                     header_up X-Forwarded-Proto {http.request.scheme}
-                     header_up X-Forwarded-TlsProto {tls_protocol}
-                     header_up X-Forwarded-TlsCipher {tls_cipher}
-                     header_up X-Forwarded-HttpsProto {proto}
-        }
-}
-
-#dimension.DOMAIN.tld {
-#
-#      # creates letsencrypt certificate
-#      # tls your@email.com
-#
-#      import cors https://*.DOMAIN.tld
-#
-#      header {
-#          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-#          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-#          # Enable cross-site filter (XSS) and tell browser to block detected attacks
-#          X-XSS-Protection "1; mode=block"
-#          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
-#          X-Content-Type-Options "nosniff"
-#          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
-#          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
-#          # X-Robots-Tag
-#          X-Robots-Tag "noindex, noarchive, nofollow"
-#    }
-#
-#      handle {
-#          encode zstd gzip
-#
-#          reverse_proxy localhost:8184  {
-#                  header_up X-Forwarded-Port {http.request.port}
-#                  header_up X-Forwarded-Proto {http.request.scheme}
-#                  header_up X-Forwarded-TlsProto {tls_protocol}
-#                  header_up X-Forwarded-TlsCipher {tls_cipher}
-#                  header_up X-Forwarded-HttpsProto {proto}
-#          }
-#    }
-#}
-
-
-#jitsi.DOMAIN.tld {
-#
-#  creates letsencrypt certificate
-#  tls your@email.com
-#
-#  import cors https://*.DOMAIN.tld
-#
-#  header {
-#        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-#        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-#
-#        # Enable cross-site filter (XSS) and tell browser to block detected attacks
-#        X-XSS-Protection "1; mode=block"
-#
-#        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
-#        X-Content-Type-Options "nosniff"
-
-#        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
-#        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
-#
-#        # Disable some features
-#        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
-#
-#        # Referer
-#        Referrer-Policy "no-referrer"
-#
-#        # X-Robots-Tag
-#        X-Robots-Tag "none"
-#
-#        # Remove Server header
-#        -Server
-#  }
-#
-#  handle {
-#        encode zstd gzip
-#
-#        reverse_proxy 127.0.0.1:13080 {
-#               header_up X-Forwarded-Port {http.request.port}
-#               header_up X-Forwarded-Proto {http.request.scheme}
-#               header_up X-Forwarded-TlsProto {tls_protocol}
-#               header_up X-Forwarded-TlsCipher {tls_cipher}
-#               header_up X-Forwarded-HttpsProto {proto}
-#        }
-#  }
-#}
-#DOMAIN.com {
+example.tld {
 # Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
-#    @wellknown {
-#        path /.well-known/matrix/*
-#    }
-#
-#    handle @wellknown {
-#        reverse_proxy https://matrix.DOMAIN.com {
-#            header_up Host {http.reverse_proxy.upstream.hostport}
-#        }
-#    }
-#    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
-#      # handle /.well-known/* {
-#	#	encode zstd gzip
-#	#	header Cache-Control max-age=14400
-#	#	header Content-Type application/json
-#	#	header Access-Control-Allow-Origin *
-#	#}
-#
-#    # Configration for the base domain goes here
-#   # handle {
-#   #    header -Server
-#   #     encode zstd gzip
-#   #    reverse_proxy localhost:4020
-#   # }
-#}
+    @wellknown {
+        path /.well-known/matrix/*
+    }
+
+    handle @wellknown {
+        reverse_proxy https://matrix.example.tld {
+            header_up Host {http.reverse_proxy.upstream.hostport}
+        }
+    }
+}
--- a/examples/caddy2/Caddyfile.deprecated
+++ b/examples/caddy2/Caddyfile.deprecated
@ -0,0 +1,269 @@
+(cors) {
+	@cors_preflight method OPTIONS
+
+	handle @cors_preflight {
+		header Access-Control-Allow-Origin "{args.0}"
+		header Access-Control-Allow-Methods "HEAD, GET, POST, PUT, PATCH, DELETE"
+		header Access-Control-Allow-Headers "Content-Type, Authorization"
+		header Access-Control-Max-Age "3600"
+	}
+}
+
+
+matrix.DOMAIN.tld {
+
+  # creates letsencrypt certificate
+  # tls your@email.com
+
+  @identity {
+        path /_matrix/identity/*
+  }
+
+  @noidentity {
+        not path /_matrix/identity/*
+  }
+
+  @search {
+        path /_matrix/client/r0/user_directory/search/*
+  }
+
+  @nosearch {
+        not path /_matrix/client/r0/user_directory/search/*
+  }
+
+  @static {
+        path /matrix/static-files/*
+  }
+
+  @nostatic {
+        not path /matrix/static-files/*
+  }
+
+  @wellknown {
+        path /.well-known/matrix/*
+  }
+
+  header {
+        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+        X-XSS-Protection "1; mode=block"
+        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+        X-Content-Type-Options "nosniff"
+        # Disallow the site to be rendered within a frame (clickjacking protection)
+        X-Frame-Options "DENY"
+        # X-Robots-Tag
+        X-Robots-Tag "noindex, noarchive, nofollow"
+  }
+
+  # Cache
+  header @static {
+        # Cache
+    Cache-Control "public, max-age=31536000"
+    defer
+  }
+
+  # identity
+  handle @identity {
+        reverse_proxy localhost:8090  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+
+  # search
+  handle @search {
+        reverse_proxy localhost:8090   {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+
+  handle @wellknown {
+        encode zstd gzip
+        root * /matrix/static-files
+	header Cache-Control max-age=14400
+        header Content-Type application/json
+        header Access-Control-Allow-Origin *
+        file_server
+  }
+  
+  # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the base domain
+  #handle @wellknown {
+  #  # .well-known is handled by base domain
+  #  reverse_proxy https://DOMAIN.tld {
+  #  header_up Host {http.reverse_proxy.upstream.hostport}
+  #}
+
+  handle {
+        encode zstd gzip
+
+        reverse_proxy localhost:8008  {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+  }
+}
+
+matrix.DOMAIN.tld:8448 {
+    handle {
+        encode zstd gzip
+
+        reverse_proxy 127.0.0.1:8048 {
+               header_up X-Forwarded-Port {http.request.port}
+               header_up X-Forwarded-Proto {http.request.scheme}
+               header_up X-Forwarded-TlsProto {tls_protocol}
+               header_up X-Forwarded-TlsCipher {tls_cipher}
+               header_up X-Forwarded-HttpsProto {proto}
+        }
+    }
+}
+
+element.DOMAIN.tld {
+
+      # creates letsencrypt certificate
+      # tls your@email.com
+
+      import cors https://*.DOMAIN.tld
+
+      header {
+                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+                # Enable cross-site filter (XSS) and tell browser to block detected attacks
+                X-XSS-Protection "1; mode=block"
+                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+                X-Content-Type-Options "nosniff"
+                # Disallow the site to be rendered within a frame (clickjacking protection)
+                X-Frame-Options "DENY"
+                # If using integrations that add frames to Element, such as Dimension and its integrations running on the same domain, it can be a good idea to limit sources allowed to be rendered
+                # Content-Security-Policy frame-src https://*.DOMAIN.tld
+                # X-Robots-Tag
+                X-Robots-Tag "noindex, noarchive, nofollow"
+        }
+
+        handle {
+              encode zstd gzip
+
+              reverse_proxy localhost:8765 {
+                     header_up X-Forwarded-Port {http.request.port}
+                     header_up X-Forwarded-Proto {http.request.scheme}
+                     header_up X-Forwarded-TlsProto {tls_protocol}
+                     header_up X-Forwarded-TlsCipher {tls_cipher}
+                     header_up X-Forwarded-HttpsProto {proto}
+        }
+}
+
+#dimension.DOMAIN.tld {
+#
+#      # creates letsencrypt certificate
+#      # tls your@email.com
+#
+#      import cors https://*.DOMAIN.tld
+#
+#      header {
+#          # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+#          Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+#          # Enable cross-site filter (XSS) and tell browser to block detected attacks
+#          X-XSS-Protection "1; mode=block"
+#          # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+#          X-Content-Type-Options "nosniff"
+#          # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain (clickjacking protection)
+#          Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
+#          # X-Robots-Tag
+#          X-Robots-Tag "noindex, noarchive, nofollow"
+#    }
+#
+#      handle {
+#          encode zstd gzip
+#
+#          reverse_proxy localhost:8184  {
+#                  header_up X-Forwarded-Port {http.request.port}
+#                  header_up X-Forwarded-Proto {http.request.scheme}
+#                  header_up X-Forwarded-TlsProto {tls_protocol}
+#                  header_up X-Forwarded-TlsCipher {tls_cipher}
+#                  header_up X-Forwarded-HttpsProto {proto}
+#          }
+#    }
+#}
+
+
+#jitsi.DOMAIN.tld {
+#
+#  creates letsencrypt certificate
+#  tls your@email.com
+#
+#  import cors https://*.DOMAIN.tld
+#
+#  header {
+#        # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+#        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+#
+#        # Enable cross-site filter (XSS) and tell browser to block detected attacks
+#        X-XSS-Protection "1; mode=block"
+#
+#        # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+#        X-Content-Type-Options "nosniff"
+
+#        # Only allow same base domain to render this website in a frame; Can be removed if the client (Element for example) is hosted on another domain
+#        Content-Security-Policy frame-ancestors https://*.DOMAIN.tld
+#
+#        # Disable some features
+#        Feature-Policy "accelerometer 'none';ambient-light-sensor 'none'; autoplay 'none';camera 'none';encrypted-media 'none';focus-without-user-activation 'none'; geolocation 'none';gyroscope #'none';magnetometer 'none';microphone 'none';midi 'none';payment 'none';picture-in-picture 'none'; speaker 'none';sync-xhr 'none';usb 'none';vr 'none'"
+#
+#        # Referer
+#        Referrer-Policy "no-referrer"
+#
+#        # X-Robots-Tag
+#        X-Robots-Tag "none"
+#
+#        # Remove Server header
+#        -Server
+#  }
+#
+#  handle {
+#        encode zstd gzip
+#
+#        reverse_proxy 127.0.0.1:13080 {
+#               header_up X-Forwarded-Port {http.request.port}
+#               header_up X-Forwarded-Proto {http.request.scheme}
+#               header_up X-Forwarded-TlsProto {tls_protocol}
+#               header_up X-Forwarded-TlsCipher {tls_cipher}
+#               header_up X-Forwarded-HttpsProto {proto}
+#        }
+#  }
+#}
+#DOMAIN.com {
+# Uncomment this if you are following "(Option 3): Setting up reverse-proxying of the well-known files from the base domain's server to the Matrix server" of https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-well-known.md#option-3-setting-up-reverse-proxying-of-the-well-known-files-from-the-base-domains-server-to-the-matrix-server
+#    @wellknown {
+#        path /.well-known/matrix/*
+#    }
+#
+#    handle @wellknown {
+#        reverse_proxy https://matrix.DOMAIN.com {
+#            header_up Host {http.reverse_proxy.upstream.hostport}
+#        }
+#    }
+#    # If you have other well-knowns already handled by your base domain, you can replace the above block by this one, along with the replacement suggested in the matrix subdomain
+#      # handle /.well-known/* {
+#	#	encode zstd gzip
+#	#	header Cache-Control max-age=14400
+#	#	header Content-Type application/json
+#	#	header Access-Control-Allow-Origin *
+#	#}
+#
+#    # Configration for the base domain goes here
+#   # handle {
+#   #    header -Server
+#   #     encode zstd gzip
+#   #    reverse_proxy localhost:4020
+#   # }
+#}
--- a/examples/caddy2/README.md
+++ b/examples/caddy2/README.md
@ -1,12 +1,20 @@
-# Caddyfile
+# Caddy reverse-proxy fronting the playbook's integrated Traefik reverse-proxy

-This directory contains sample files that show you how to do reverse-proxying using Caddy2.
+This directory contains a sample config that shows you how to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with your own [Caddy](https://caddyserver.com/) reverse-proxy.

-## Config

-| Variable           | Function |
-| ------------------ | -------- |
-| tls your@email.com | Specify an email address for your [ACME account](https://caddyserver.com/docs/caddyfile/directives/tls) (but if only one email is used for all sites, we recommend the email [global option](https://caddyserver.com/docs/caddyfile/options) instead) | 
-| tls                | To enable [tls](https://caddyserver.com/docs/caddyfile/directives/tls) support uncomment the lines for tls |
-| Dimension         | To enable Dimension support uncomment the lines for Dimension and set your data |
-| Jitsi              | To enable Jitsi support uncomment the lines for Jitsi and set your data |
+## Prerequisite configuration
+
+To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
+
+
+## Using the Caddyfile
+
+You can either just use the [Caddyfile](Caddyfile) directly or append its content to your own Caddyfile.
+In both cases make sure to replace all the `example.tld` domains with your own domain.
+
+This example does  not include additional services like element, but you should be able copy the first block and replace the matrix subdomain with the additional services subdomain. I have not tested this though.
+
+# Caddyfile.deprecated
+
+This can be used as a [Caddy](https://caddyserver.com/) reverse-proxy without intermediary playbook managed reverse proxy. However, this setup is not supported by the playbook anymore. Instead [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) as described above.
--- a/examples/nginx/README.md
+++ b/examples/nginx/README.md
@ -1,6 +1,6 @@
 # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy

-This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
+This directory contains a sample config that shows you how to use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.


 ## Prerequisite configuration
@ -10,7 +10,7 @@ To get started, first follow the [front the integrated reverse-proxy webserver w

 ## Using the nginx configuration

-Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`).
+Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it in your nginx configuration (e.g. `include /path/to/matrix.conf;`).

 This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.

--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,19 @@
+{
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+
+  outputs = { self, nixpkgs, ... }:
+    let
+      pkgs = import nixpkgs { system = "x86_64-linux"; };
+    in
+    {
+      devShell.x86_64-linux = pkgs.mkShell {
+        buildInputs = with pkgs; [
+          just
+          python311Packages.ansible-core
+          python311Packages.passlib
+        ];
+        LC_ALL = "C.UTF-8";
+        LC_CTYPE = "C.UTF-8";
+      };
+    };
+}
--- a/gpg/open_vault.sh
+++ b/gpg/open_vault.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null
--- a/gpg/vault_passphrase.gpg
+++ b/gpg/vault_passphrase.gpg
@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
+rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -192,7 +192,7 @@ matrix_homeserver_app_service_config_files_auto: |

 # This list is not exhaustive and final.
 # Synapse workers are still injected into the list at runtime.
-# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
+# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
 #
 # Priority levels are like this:
 # - core services (the homeserver) get a level of ~1000
@ -210,25 +210,25 @@ devture_systemd_service_manager_services_list_auto: |
  {{
    ([{'name': (backup_borg_identifier + '.timer'), 'priority': 5000, 'groups': ['matrix', 'backup', 'borg']}] if backup_borg_enabled else [])
    +
-    ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron']}] if matrix_bot_buscarron_enabled else [])
+    ([{'name': 'matrix-bot-buscarron.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'buscarron', 'bot-buscarron']}] if matrix_bot_buscarron_enabled else [])
    +
-    ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb']}] if matrix_bot_go_neb_enabled else [])
+    ([{'name': 'matrix-bot-go-neb.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'go-neb', 'bot-go-neb']}] if matrix_bot_go_neb_enabled else [])
    +
-    ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit']}] if matrix_bot_honoroit_enabled else [])
+    ([{'name': 'matrix-bot-honoroit.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'honoroit', 'bot-honoroit']}] if matrix_bot_honoroit_enabled else [])
    +
-    ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
+    ([{'name': 'matrix-bot-matrix-registration-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'registration-bot', 'bot-matrix-registration-bot']}] if matrix_bot_matrix_registration_bot_enabled else [])
    +
-    ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
+    ([{'name': 'matrix-bot-matrix-reminder-bot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'reminder-bot', 'bot-matrix-reminder-bot']}] if matrix_bot_matrix_reminder_bot_enabled else [])
    +
-    ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot']}] if matrix_bot_maubot_enabled else [])
+    ([{'name': 'matrix-bot-maubot.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'maubot', 'bot-maubot']}] if matrix_bot_maubot_enabled else [])
    +
-    ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir']}] if matrix_bot_mjolnir_enabled else [])
+    ([{'name': 'matrix-bot-mjolnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'mjolnir', 'bot-mjolnir']}] if matrix_bot_mjolnir_enabled else [])
    +
-    ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir']}] if matrix_bot_draupnir_enabled else [])
+    ([{'name': 'matrix-bot-draupnir.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'draupnir', 'bot-draupnir']}] if matrix_bot_draupnir_enabled else [])
    +
-    ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle']}] if matrix_bot_postmoogle_enabled else [])
+    ([{'name': 'matrix-bot-postmoogle.service', 'priority': 4000, 'groups': ['matrix', 'bots', 'postmoogle', 'bot-postmoogle']}] if matrix_bot_postmoogle_enabled else [])
    +
-    ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt']}] if matrix_bot_chatgpt_enabled else [])
+    ([{'name': 'matrix-bot-chatgpt.service', 'priority': 2200, 'groups': ['matrix', 'bots', 'chatgpt', 'bot-chatgpt']}] if matrix_bot_chatgpt_enabled else [])
    +
    ([{'name': 'matrix-appservice-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'appservice-discord']}] if matrix_appservice_discord_enabled else [])
    +
@ -288,11 +288,11 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-cactus-comments.service', 'priority': 2000, 'groups': ['matrix', 'cactus-comments']}] if matrix_cactus_comments_enabled else [])
    +
-    ([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny']}] if matrix_client_cinny_enabled else [])
+    ([{'name': 'matrix-client-cinny.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'cinny', 'client-cinny']}] if matrix_client_cinny_enabled else [])
    +
-    ([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element']}] if matrix_client_element_enabled else [])
+    ([{'name': 'matrix-client-element.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'element', 'client-element']}] if matrix_client_element_enabled else [])
    +
-    ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen']}] if matrix_client_hydrogen_enabled else [])
+    ([{'name': 'matrix-client-hydrogen.service', 'priority': 2000, 'groups': ['matrix', 'clients', 'hydrogen', 'client-hydrogen']}] if matrix_client_hydrogen_enabled else [])
    +
    ([{'name': ('matrix-' + matrix_homeserver_implementation + '.service'), 'priority': 1000, 'groups': ['matrix', 'homeservers', matrix_homeserver_implementation]}] if matrix_homeserver_enabled else [])
    +
@ -314,13 +314,13 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else [])
    +
-    ([{'name': 'matrix-jitsi-web.service', 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if matrix_jitsi_enabled else [])
+    ([{'name': (jitsi_identifier + '-web.service'), 'priority': 4200, 'groups': ['matrix', 'jitsi', 'jitsi-web']}] if jitsi_enabled else [])
    +
-    ([{'name': 'matrix-jitsi-prosody.service', 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if matrix_jitsi_enabled else [])
+    ([{'name': (jitsi_identifier + '-prosody.service'), 'priority': 4000, 'groups': ['matrix', 'jitsi', 'jitsi-prosody']}] if jitsi_enabled else [])
    +
-    ([{'name': 'matrix-jitsi-jicofo.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if matrix_jitsi_enabled else [])
+    ([{'name': (jitsi_identifier + '-jicofo.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jicofo']}] if jitsi_enabled else [])
    +
-    ([{'name': 'matrix-jitsi-jvb.service', 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if matrix_jitsi_enabled else [])
+    ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
    +
    ([{'name': 'matrix-ldap-registration-proxy.service', 'priority': 2000, 'groups': ['matrix', 'ldap-registration-proxy']}] if matrix_ldap_registration_proxy_enabled else [])
    +
@ -1653,8 +1653,15 @@ matrix_bot_maubot_database_password: "{{ '%s' | format(matrix_homeserver_generic

 # We don't enable bots by default.
 matrix_bot_honoroit_enabled: false
+
 matrix_bot_honoroit_hostname: "{{ matrix_server_fqn_matrix }}"

+matrix_bot_honoroit_path_prefix: /honoroit
+
+# For consistency with other things hosted at the matrix FQN, we adjust the metrics endpoint
+# so that metrics would be served at `/metrics/SERVICE_NAME`, and not at the default path for the role (`PREFIX/metrics`).
+matrix_bot_honoroit_container_labels_traefik_metrics_path: /metrics/honoroit
+
 matrix_bot_honoroit_systemd_required_services_list: |
  {{
    ['docker.service']
@ -2278,7 +2285,7 @@ etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"

 etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"

-etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"
+etherpad_framing_enabled: "{{ matrix_dimension_enabled or jitsi_enabled }}"

 etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"

@ -2352,26 +2359,57 @@ matrix_email2matrix_container_image_self_build: "{{ matrix_architecture not in [

 ######################################################################
 #
-# matrix-jitsi
+# jitsi
 #
 ######################################################################

-matrix_jitsi_enabled: false
+jitsi_enabled: false
+
+jitsi_architecture: "{{ matrix_architecture }}"
+
+jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+
+jitsi_identifier: matrix-jitsi
+
+jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
+
+jitsi_uid: "{{ matrix_user_uid }}"
+jitsi_gid: "{{ matrix_user_gid }}"

 # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # the Jitsi HTTP port to the local host.
-matrix_jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+jitsi_web_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"

-matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+jitsi_web_container_additional_networks_auto: |
+  {{
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+  }}

-matrix_jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+jitsi_jvb_container_colibri_ws_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '13090') if matrix_playbook_service_host_bind_interface_prefix else '' }}"

-matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
-matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
-matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
+jitsi_jvb_container_additional_networks_auto: |
+  {{
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+  }}

-matrix_jitsi_web_stun_servers: |
+jitsi_prosody_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5280') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+
+jitsi_prosody_container_additional_networks_auto: |
+  {{
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+  }}
+
+jitsi_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
+jitsi_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+jitsi_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+jitsi_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jibri', rounds=655555) | to_uuid }}"
+jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jicofo', rounds=655555) | to_uuid }}"
+jitsi_jvb_auth_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'jvb', rounds=655555) | to_uuid }}"
+
+jitsi_web_stun_servers: |
  {{
    [
      'stun:' + matrix_server_fqn_matrix + ':5349',
@ -2381,24 +2419,39 @@ matrix_jitsi_web_stun_servers: |
    else [ 'stun:meet-jit-si-turnrelay.jitsi.net:443']
  }}

+# The Jitsi instance installed by this playbook is meant for embedding into Matrix clients, so framing is allowed.
+jitsi_web_framing_enabled: true
+
+jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
+jitsi_turn_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
+jitsi_turns_host: "{{ ('turn.' + matrix_server_fqn_matrix) if matrix_coturn_enabled else '' }}"
+jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port if matrix_coturn_enabled else '' }}"
+jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port if matrix_coturn_enabled else '' }}"
+
 # If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
-# unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false.
-# Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true,
+# unless explicitly disabled by setting `jitsi_etherpad_enabled` to false.
+# Falls back to the scalar.vector.im etherpad in case someone sets `jitsi_etherpad_enabled` to true,
 # while also setting `etherpad_enabled` to false.
-matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
-matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
+jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
+jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"

 # Allow verification using JWT and matrix-UVS
-matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
-matrix_jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
+jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
+jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"

-matrix_jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
+jitsi_self_check_validate_certificates: "{{ false if matrix_ssl_retrieval_method == 'self-signed' else true }}"
+
+# Gravatar is enabled by default upstream, but there's no need to leak data there needlessly
+# when embedding Jitsi in Matrix rooms.
+jitsi_disable_gravatar: true

 ######################################################################
 #
-# /matrix-jitsi
+# /jitsi
 #
 ######################################################################
+
+
 ######################################################################
 #
 # matrix-ldap-registration-proxy
@ -2530,7 +2583,14 @@ matrix_nginx_proxy_container_federation_host_bind_port: "{{ matrix_federation_pu
 matrix_nginx_proxy_trust_forwarded_proto: "{{ matrix_playbook_reverse_proxy_type != 'playbook-managed-nginx' }}"
 matrix_nginx_proxy_x_forwarded_for: "{{ '$remote_addr' if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else '$proxy_add_x_forwarded_for' }}"

-matrix_nginx_proxy_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+matrix_nginx_proxy_container_additional_networks: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+      +
+      ([jitsi_container_network] if jitsi_enabled and matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' and jitsi_container_network != matrix_nginx_proxy_container_network else [])
+    ) | unique
+  }}

 matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container: "{{ 'matrix-corporal:41080' if matrix_corporal_enabled else 'matrix-nginx-proxy:12080' }}"
 matrix_nginx_proxy_proxy_matrix_client_api_addr_sans_container: "{{ '127.0.0.1:41080' if matrix_corporal_enabled else '127.0.0.1:12080' }}"
@ -2557,8 +2617,7 @@ matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and mat
 matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"

-matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
-matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}"
+matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"

 matrix_nginx_proxy_proxy_grafana_enabled: "{{ grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_sygnal_enabled: "{{ matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
@ -2570,7 +2629,6 @@ matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_ent
 matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"

 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
-matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"

 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
@ -2638,33 +2696,31 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
    +
    (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
    +
-    (['matrix-client-cinny.service'] if matrix_client_cinny_enabled else [])
+    (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled else [])
+    (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-client-element.service'] if matrix_client_element_enabled else [])
+    (['matrix-client-element.service'] if matrix_client_element_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled else [])
+    (['matrix-client-hydrogen.service'] if matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    ([(grafana_identifier + '.service')] if grafana_enabled else [])
+    ([(grafana_identifier + '.service')] if grafana_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-dimension.service'] if matrix_dimension_enabled else [])
+    (['matrix-dimension.service'] if matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-rageshake.service'] if matrix_rageshake_enabled else [])
+    (['matrix-rageshake.service'] if matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-sygnal.service'] if matrix_sygnal_enabled else [])
+    (['matrix-sygnal.service'] if matrix_sygnal_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    ([(ntfy_identifier + '.service')] if ntfy_enabled else [])
+    ([(ntfy_identifier + '.service')] if ntfy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
+    ([(jitsi_identifier + '-web.service')] if jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else [])
+    (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
+    ([etherpad_identifier + '.service'] if etherpad_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
-    ([etherpad_identifier + '.service'] if etherpad_enabled else [])
-    +
-    (['matrix-hookshot.service'] if matrix_hookshot_enabled else [])
+    (['matrix-hookshot.service'] if matrix_hookshot_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
  }}

 matrix_ssl_domains_to_obtain_certificates_for: |
@ -2687,7 +2743,7 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    +
    ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
    +
-    ([matrix_server_fqn_jitsi] if matrix_jitsi_enabled else [])
+    ([matrix_server_fqn_jitsi] if jitsi_enabled else [])
    +
    ([matrix_server_fqn_grafana] if grafana_enabled else [])
    +
@ -3185,7 +3241,7 @@ matrix_client_element_enable_presence_by_hs_url: |

 matrix_client_element_welcome_user_id: ~

-matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if matrix_jitsi_enabled else '' }}"
+matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"

 ######################################################################
 #
@ -4007,7 +4063,7 @@ matrix_user_verification_service_systemd_required_services_list: |
 # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose
 # matrix-user-verfification-services's client-server port to port 3003.
 # By default Matrix-User-Verification-Service binds to port 3000, which collides with grafana, therefore this uses port 3003.
-matrix_user_verification_service_container_http_host_bind_port: "{{  '' if (matrix_jitsi_enabled | bool and matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}"
+matrix_user_verification_service_container_http_host_bind_port: "{{  '' if (jitsi_enabled | bool and jitsi_enable_auth | bool and jitsi_auth_type == 'matrix') else matrix_playbook_service_host_bind_interface_prefix ~ '3003' }}"

 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{  matrix_user_verification_service_container_name }}:3000"
@ -4064,11 +4120,16 @@ devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik"
 devture_traefik_uid: "{{ matrix_user_uid }}"
 devture_traefik_gid: "{{ matrix_user_gid }}"

-devture_traefik_additional_entrypoints_auto:
-  - name: matrix-federation
-    port: "{{ matrix_federation_public_port }}"
-    host_bind_port: "{{ matrix_federation_public_port }}"
-    config: {}
+devture_traefik_federation_entrypoint:
+  name: matrix-federation
+  port: "{{ matrix_federation_public_port }}"
+  host_bind_port: "{{ matrix_federation_public_port }}"
+  config: {}
+
+devture_traefik_additional_entrypoints_auto: |
+  {{
+    ([devture_traefik_federation_entrypoint] if (matrix_federation_public_port != devture_traefik_config_entrypoint_web_port) and (matrix_federation_public_port != devture_traefik_config_entrypoint_web_secure_port) else [])
+  }}

 devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"

--- a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml
+++ b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml
@ -0,0 +1,411 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_ssl_retrieval_method: none
+matrix_nginx_proxy_enabled: true
+matrix_nginx_proxy_https_enabled: false
+matrix_nginx_proxy_container_http_host_bind_port: "127.0.10.1:8080"
+matrix_nginx_proxy_container_federation_host_bind_port: "127.0.10.1:8448"
+matrix_nginx_proxy_trust_forwarded_proto: true
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+
+#matrix_nginx_proxy_proxy_synapse_metrics: true
+matrix_nginx_proxy_proxy_matrix_metrics_enabled: true
+matrix_synapse_metrics_enabled: true
+matrix_synapse_metrics_proxying_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_playbook_docker_installation_enabled: false
+
+#matrix_client_element_version: v1.8.4
+#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
+#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.77.0"
+#matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.11/site-packages"
+#matrix_synapse_default_room_version: "10"
+#matrix_mautrix_telegram_version: v0.10.0
+matrix_dimension_scheme: https
+
+devture_timesync_installation_enabled: false
+matrix_playbook_reverse_proxy_type: playbook-managed-nginx
+# per https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#adapting-the-configuration-for-existing-synapse-installations
+#matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+devture_systemd_service_manager_up_verification_delay_seconds: 120
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+#matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+devture_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+# matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+matrix_synapse_rc_federation:
+  window_size: 1000
+  sleep_limit: 50
+  sleep_delay: 500
+  reject_limit: 50
+  concurrent: 10
+matrix_synapse_rc_message:
+  per_second: 0.5
+  burst_count: 25
+matrix_synapse_rc_joins:
+  local:
+    per_second: 0.5
+    burst_count: 20
+  remote:
+    per_second: 0.05
+    burst_count: 20
+matrix_synapse_rc_joins_per_room:
+  per_second: 1
+  burst_count: 10
+matrix_synapse_rc_invites:
+  per_room:
+    per_second: 0.5
+    burst_count: 10
+  per_user:
+    per_second: 0.006
+    burst_count: 10
+  per_issuer:
+    per_second: 2
+    burst_count: 20
+
+## Synapse cache tuning
+matrix_synapse_caches_global_factor: 1.5
+matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 2
+matrix_synapse_workers_federation_sender_workers_count: 2
+matrix_synapse_workers_pusher_workers_count: 1
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+# Enable experimental spaces support
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_max: 20
+  experimental_features:
+    spaces_enabled: true
+  caches:
+    per_cache_factors:
+      device_id_exists: 3
+      get_users_in_room: 4
+      _get_joined_users_from_context: 4
+      _get_joined_profile_from_event_id: 3
+      "*stateGroupMembersCache*": 2
+      _matches_user_in_member_list: 3
+      get_users_who_share_room_with_user: 3
+      is_interested_in_room: 2
+      get_user_by_id: 1.5
+      room_push_rule_cache: 1.5
+    expire_caches: true
+    cache_entry_ttl: 45m
+    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+matrix_synapse_admin_enabled: true
+matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: true
+matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+matrix_dimension_configuration_extension_yaml: |
+    telegram:
+        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_mute_bridging: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_bridge_allow_user_invite: true
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "gruenhage.xyz": "full"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: true
+matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+matrix_mx_puppet_instagram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_instagram_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-skype configuration
+#
+#matrix_mx_puppet_skype_enabled: false
+matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
+# matrix_mx_puppet_skype_container_extra_arguments:
+#   - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
+# matrix_mx_puppet_skype_configuration_extension_yaml: |
+#     bridge:
+#         enableGroupSync: true
+#         avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
+#     metrics:
+#         enabled: true
+#         port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+#         path: /metrics
+
+
+#
+# mx-puppet-discord configuration
+#
+matrix_mx_puppet_discord_enabled: true
+matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+matrix_mx_puppet_discord_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_discord_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
+matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+matrix_mx_puppet_slack_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_authHeaderLogoUrl: "welcome/images/logo.png"
+matrix_client_element_branding_welcomeBackgroundUrl: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcomeBackgroundUrl }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_authHeaderLogoUrl }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_roomdir_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+  - "entropia.de"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+matrix_ma1sd_configuration_extension_yaml: |
+    hashing:
+      enabled: true
+      pepperLength: 20
+      rotationPolicy: per_requests
+      requests: 10
+      hashStorageType: sql
+      algorithms:
+          - none
+          - sha256
+
+
+# Matrix mail notification relay setup
+matrix_mailer_enabled: true
+matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
+matrix_mailer_relay_use: true
+matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+matrix_mailer_relay_host_port: 587
+matrix_mailer_relay_auth: true
+matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"
--- a/inventory/host_vars/matrix.finallycoffee.eu/vault.yml
+++ b/inventory/host_vars/matrix.finallycoffee.eu/vault.yml
@ -0,0 +1,100 @@
+$ANSIBLE_VAULT;1.1;AES256
+39366364363633336238333130353832663162393038633665396333343732353964333363666539
+6562346632343235623835643735386434316666393234360a383634616537393134613631383836
+61333835363666623033306166376232303930306433343366373463653234623736643633383734
+3330333665383539650a383132353032386230393031626361343764323034386230363066306331
+34646236336262623435633566363033613737373064616266336237343233663066396163373034
+62303765353066653737366539626461636531636438323932333134363136363134646164646531
+63656638666233313437663261396665653736373164323433306435323336633938313164646264
+33653661633965363833393031616463633761356234633630643562306366653133366637346166
+38636433343736343461613731623538633361363934343764326466313261353633646230353065
+37366134303164356433333961346663313963626165323966656536313532376162326565383539
+65363333633964323838663461373666353665643236623839646664653661613838353239613137
+39353061323131306365656261343630313665356165623064616436653566373663343733316237
+34393666383465323463313838393465643830373632373938633763666636346539666233303265
+38353337633833373331356663633936326334366337393135653030333531613565643666633038
+64393862303765366632393137313432376563353335353231323464633637343334346634306534
+35613330373336633031376263306466306437656635396133613335386130346163663438386136
+61646437343938663431343736363564376238316666373531616231366132643864346538363866
+35396433366137356162313963666134383134306462313336613735386639363936326131383939
+66623833643433663039623837623133303336666233623935313438366136353332313165333936
+31386632336535383533646639636164313331346630633366383739623261366465656632393062
+63373332623738303364623437666531396331646666336230353333366261653438363861656466
+39333762633037383336393164616563396564383232636533363864636230616664303330323932
+66666234633362346132303932643464366466323535303835363430333737666661373534333934
+61393362616438626636383564613335363634626231663234616438343464383461303632363033
+39336362396339316661323662393665383031643931626333646335643335353661653939363538
+38666561313539613566386132336630643237333432656236356132616230663561343665353938
+33366663353834356434366335373265373439363430636533303933656264366338623232613435
+35356662383232386137313064313363303861326635333435393737643663336534363234623430
+32376432353330613666396337303935376366613564353039396164383361616337656535346166
+34396635356266326461613135303639643935363261396363636338636564643838313262326266
+31663139343336376233303637373864363835313839326433656235616332333134306139623239
+37636639356263646437373362333931613262363363313462666534643765313139386461623731
+33376635653133353033333733613464396632636634313063326363313030376632643863336237
+61636638353237313764313435626463633964643665313536326235343639663137373436303564
+30636232626137376339303238653664346538356430306238633037366332316263623666373062
+63646533646131303466653637346463613237323161313265613834383634626237323563653733
+38656435303264346663663465333966376631666530333833353233376263336436613065366362
+36366263343438393132326661623031316663663231663464383732343064383234616636306530
+66613634626362316533303034393063666632343262613431613635663866636433623535363238
+30643933613731363236346234336662613633323831633437613435326465383530653765616262
+63373538396364316563343365303134373466663639386137663564356532353531343636613135
+63316463353264316164306566326462333732316431643939626161346530636638636662303037
+34346461313961613063336332333934383363373335616636363661396362613661383762663866
+64303834636264376461396266663763336665356561376161333136336638646363313133353161
+31643061623833623239373432633537663664636334623534326639616633616361333834366131
+30376361656238353332656666316637643133623433333861653265636266376639666135383638
+37363337326231656530363536393737383565666266306532626361633633353539363866376534
+61303737326632303762626666306134343837376566343035386663613336626332383035383035
+37633462373066373062313862323766316362393832666466396637363562353865303366323062
+39346332383966313437646138623364656234663066663639663138626163656433363038323166
+65613862386665643438323061323763306635666162303366323131363436633335356332393366
+63373966383132303434633835333438333337303664346335643066623839343835643364306561
+34643336346564363462396330643263653931376664386335313433376332653832323437376135
+35383231386133363236653334393433306638303131323064343931623538323130343666653061
+36353536383632333964343730346265626433303131346531303133663832363036333261386237
+30363361356265356139323761623563396565336137333733656431636531333234323061343862
+33623935346663333735613661363234646234356331323636386637343661373363363261646231
+33643233343235323230393933616664623166666266333862323631653835666135303233653635
+63373061656163353762636531613632366638383366303864343132376162643963366564363563
+61336338613935613532636165383463633866633036393533313433643562313737383431353163
+37623165373933376236393931363939633963666636303136373065376635623761346537643530
+35363464313630376233633863306238616138666464316534363332333937343362343233346431
+34643032323934353939666364323239653932363735373061633434653062326336353239633261
+38306237336266663038656534393664646138343038323335633064616431386666613739326630
+34383963666534313530376331366238343836303036306336343533666332386163643033643138
+33336333333338353733383165306139623964303035653439623131633566356136386431613135
+63616462386639303230343866346631346532353531373132613433363239646330653666633532
+65393766333238383531313132633537633833363335303630376239396565373730646331313633
+30383861303739343265623934643635633361623262356433323035393062353630346430646262
+63303434353038646361353661616339313937323336303566303536366163623362356332383862
+37326333393761633732653264646333653439363039323238383361336233323232613336303464
+34393635633131313135313665363161306466643364393734346264633030373234306466653862
+32336163666435636162343465386633653863363533616339636531306130383331376563393533
+65366136626662343065383164646665613035393636373565346235656439303933343563366339
+36643838393033353033396535613331303031646162316361613564323163633434633861356135
+62343461616335323565636633383962316531316362396165366533346166336163623232366261
+39376230376562626135346333326437373733373266393236383435343562653034313133376236
+61666138346562613330633630373837653465393233613261353937336666646231366666393335
+35393463333936323664323831396639333462626238613164616435363664643438653763623431
+32663237363134353061373563396535653565636431366565386337653863316333343738343432
+62303132636338303462313439376535363063333833363632613832303436353834376561333330
+66633632383135646263626333643230343630326539663762633934316261633062663732373932
+30306438386263626335373838343236643562326135663366353638353163346365396261313133
+36333634306133353235316237343738623263333732343063356238333162323931346664346539
+66323733643061386334306130633537353630663336313966663538373963313435666564316539
+63613030366332363432303036396232306537663765653938353736376135316539613135623632
+66356639623635663365323635646635383638346539323438336261393332373935383536333831
+61306639343061333639336162366536366438356166396266666132303932333037613632623666
+63616662343830303664353931306632323630316162643432653835313962633735626163366332
+34373637633066333432383533316363613031393963373963386161663430623533383165653561
+38343439633066366663643138326264653539336530393932386236366533663935353664343966
+39323161646231353234633961633732613065323039663062313661386565366534623430356632
+64343732336238393262363338363734643639353830646163343361653761633134303163616562
+35633436393832393137383534613031303963613339333566343065336530623964636662353065
+32366630353538383339346465376661323666333234373665613164633866363364613066643034
+37616630366232353166366535633936366536626462353831643335306337353564316461653564
+66663133373466333431336366346435623436656230376232613665633466333463636263373464
+30386434336538303061666566383033616563303564666362346432663130306531613063363537
+646635613236636563666161666630653836
--- a/inventory/hosts
+++ b/inventory/hosts
@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+34373565633762393838366465623964356238366661386638373937363563613036646662333330
+3436326333353462346464656136363131376565386433620a613965643930313137353134616134
+39656164373331383333613630323531646132626263626661313735313136326132343866313733
+3737323866333566320a376564393337306438636261393535623435326139393830613765646630
+63363538343963636231623031346539363937383363376133333562376339343361303337343133
+39323431653963613134376465333762653038393839313137323832313633343639623665393263
+34623034353564613665333037366231613261343336613730666130396437363332373463313137
+39326237626130323336626265653431383332303065323536316634353735313565633862633937
+65303032306434663962653866366538636133623530343836633233636664386230366165356462
+35623536356462623261666533626436613465346461313733356531386338626263376561363131
+30373534653437363165623138656636323638393734323836396536336364376131333066343432
+38653564623432623461353266623263643430383965373138663361646665616566613337663837
+63343766303936383330643561356233333961303436656564363061393136356163393463383033
+66343034633230373362343332613338646537353934373264633965636431373630326632356535
+36393363356261616234386266333462373065646436653430653561366330353732616135346165
+30306164633666666339336261306264306133616263623430376536346364306336373332326463
+37333735376365373536613734653961326434653665356436323635373863636266663130303431
+39396534633064383566306133363431323537313639383464303433373761363333303936626366
+37383637336631663931303265393562356336623861613161663738393038353263616662633634
+37373932306261666531303265646365323464363930313238343537343433636639383764343139
+35303831646166376365363536656239346630346561356464653362363637306234353761653432
+61323865663266613433343639343762363437333562346633396462623436346364363033383739
+646230333738313565356339346435656331
--- a/inventory/scripts/jitsi-generate-passwords.sh
+++ b/inventory/scripts/jitsi-generate-passwords.sh
@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-# This is a bash script for generating strong passwords for the Jitsi role in this ansible project:
-# https://github.com/spantaleev/matrix-docker-ansible-deploy
-
-function generatePassword() {
-    openssl rand -hex 16
-}
-
-echo "# If this script fails, it's likely because you don't have the openssl tool installed."
-echo "# Install it before using this script, or simply create your own passwords manually."
-
-echo ""
-
-JICOFO_AUTH_PASSWORD=$(generatePassword)
-JVB_AUTH_PASSWORD=$(generatePassword)
-JIBRI_RECORDER_PASSWORD=$(generatePassword)
-JIBRI_XMPP_PASSWORD=$(generatePassword)
-
-echo "# Paste these variables into your inventory/host_vars/matrix.DOMAIN/vars.yml file:"
-echo ""
-echo "matrix_jitsi_jicofo_auth_password: $JICOFO_AUTH_PASSWORD"
-echo "matrix_jitsi_jvb_auth_password: $JVB_AUTH_PASSWORD"
-echo "matrix_jitsi_jibri_recorder_password: $JIBRI_RECORDER_PASSWORD"
-echo "matrix_jitsi_jibri_xmpp_password: $JIBRI_XMPP_PASSWORD"
--- a/32
+++ b/32
@ -1,48 +1,60 @@
 # Shows help
 default:
-	@just --list --justfile {{ justfile() }}
+    @just --list --justfile {{ justfile() }}

 # Pulls external Ansible roles
 roles:
-	rm -rf roles/galaxy
-	ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
+    #!/usr/bin/env sh
+    if [ -x "$(command -v agru)" ]; then
+    	agru
+    else
+    	rm -rf roles/galaxy
+    	ansible-galaxy install -r requirements.yml -p roles/galaxy/ --force
+    fi
+
+# Updates requirements.yml if there are any new tags available. Requires agru
+update:
+    @agru -u

 # Runs ansible-lint against all roles in the playbook
 lint:
-	ansible-lint
+    ansible-lint

 # Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments
 install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args)

 # Runs installation tasks for a single service
 install-service service *extra_args:
-	just --justfile {{ justfile() }} run --tags=install-{{ service }},start-group --extra-vars=group={{ service }} {{ extra_args }}
+    just --justfile {{ justfile() }} run \
+    --tags=install-{{ service }},start-group \
+    --extra-vars=group={{ service }} \
+    --extra-vars=devture_systemd_service_manager_service_restart_mode=one-by-one {{ extra_args }}

 # Runs the playbook with --tags=setup-all,ensure-matrix-users-created,start and optional arguments
 setup-all *extra_args: (run-tags "setup-all,ensure-matrix-users-created,start" extra_args)

 # Runs the playbook with the given list of arguments
 run +extra_args:
-	time ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}
+    ansible-playbook -i inventory/hosts setup.yml {{ extra_args }}

 # Runs the playbook with the given list of comma-separated tags and optional arguments
 run-tags tags *extra_args:
-	just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}
+    just --justfile {{ justfile() }} run --tags={{ tags }} {{ extra_args }}

 # Runs the playbook in user-registration mode
 register-user username password admin_yes_or_no *extra_args:
-	time ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }}
+    ansible-playbook -i inventory/hosts setup.yml --tags=register-user --extra-vars="username={{ username }} password={{ password }} admin={{ admin_yes_or_no }}" {{ extra_args }}

 # Starts all services
 start-all *extra_args: (run-tags "start-all" extra_args)

 # Starts a specific service group
 start-group group *extra_args:
-	@just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}
+    @just --justfile {{ justfile() }} run-tags start-group --extra-vars="group={{ group }}" {{ extra_args }}

 # Stops all services
 stop-all *extra_args: (run-tags "stop-all" extra_args)

 # Stops a specific service group
 stop-group group *extra_args:
-	@just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
+    @just --justfile {{ justfile() }} run-tags stop-group --extra-vars="group={{ group }}" {{ extra_args }}
--- a/playbooks/jitsi_jvb.yml
+++ b/playbooks/jitsi_jvb.yml
@ -8,5 +8,5 @@
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    - custom/matrix-base
-    - custom/matrix-jitsi
+    - galaxy/jitsi
    - custom/matrix-common-after
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@ -100,7 +100,7 @@
    - custom/matrix-client-element
    - custom/matrix-client-hydrogen
    - custom/matrix-client-cinny
-    - custom/matrix-jitsi
+    - galaxy/jitsi
    - custom/matrix-user-verification-service
    - custom/matrix-ldap-registration-proxy
    - custom/matrix-ma1sd
--- a/requirements.yml
+++ b/requirements.yml
@ -1,69 +1,53 @@
 ---

- src: geerlingguy.docker
-  version: 6.1.0
-
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
+  version: v1.0.0-1
+  name: aux
+- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
+  version: v1.2.4-1.7.13-0
+- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
+  version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
  version: 129c8590e106b83e6f4c259649a613c6279e937a
-
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
-
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
-  version: 327d2e17f5189ac2480d6012f58cf64a2b46efba
-
- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
-  version: 3d5bb2976815958cdce3f368fa34fb51554f899b
-
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
-  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
-
- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
-  version: 38764398bf82b06a1736c3bfedc71dfd229e4b52
-
- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
-  version: 8e9ec48a09284c84704d7a2dce17da35f181574d
-
- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
-  version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
-
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
  version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
-
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
-  version: v1.5.0-7
-
- src: git+https://gitlab.com/etke.cc/roles/prometheus_postgres_exporter.git
-  version: v0.12.0-0
-
- src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.4-1.7.9-0
-
- src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v9.4.7-0
-
- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
-  version: v2.2.0-0
-
- src: git+https://gitlab.com/etke.cc/roles/redis.git
-  version: v7.0.10-0
-
- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
-  version: v1.8.18-2
-
- src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
-  version: v0.1.1-1
-
+- src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
+  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
+- src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
+  version: v15.3-0
+- src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
+  version: 8e9ec48a09284c84704d7a2dce17da35f181574d
+- src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
+  version: v1.0.0-0
+- src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
+  version: v1.0.0-1
+- src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
+  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v2.9.9-0
-
+  version: v2.10.1-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
-
- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
-  name: aux
-  version: v1.0.0-0
-
+- src: git+https://gitlab.com/etke.cc/roles/etherpad.git
+  version: v1.8.18-2
+- src: git+https://github.com/geerlingguy/ansible-role-docker
+  version: 6.1.0
+  name: geerlingguy.docker
+- src: git+https://gitlab.com/etke.cc/roles/grafana.git
+  version: v9.5.2-0
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
+  version: v8615-0
+  name: jitsi
+- src: git+https://gitlab.com/etke.cc/roles/ntfy.git
+  version: v2.5.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
+  version: v2.44.0-0
  name: prometheus
-  version: v2.43.0-0
+- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
+  version: v1.6.0-0
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
+  version: v0.12.0-0
+  name: prometheus_postgres_exporter
+- src: git+https://gitlab.com/etke.cc/roles/redis.git
+  version: v7.0.10-0
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@ -13,6 +13,9 @@ matrix_domain: ~
 # Example value: "@someone:{{ matrix_domain }}"
 matrix_admin: ''

+# Global var to enable/disable encryption across all bridges with encryption support
+matrix_bridges_encryption_enabled: false
+
 # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
 #
 # Unless you're wrapping this playbook in another one
--- a/roles/custom/matrix-bot-buscarron/defaults/main.yml
+++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml
@ -14,6 +14,10 @@ matrix_bot_buscarron_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/buscarron`).
 matrix_bot_buscarron_path_prefix: /

+# The path at which Buscarron will expose metrics
+# This value must either be `/` or not end with a slash (e.g. `/metrics`).
+matrix_bot_buscarron_metrics_path: /metrics
+
 matrix_bot_buscarron_base_path: "{{ matrix_base_data_path }}/buscarron"
 matrix_bot_buscarron_config_path: "{{ matrix_bot_buscarron_base_path }}/config"
 matrix_bot_buscarron_data_path: "{{ matrix_bot_buscarron_base_path }}/data"
@ -36,6 +40,15 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_buscarron_container_additional_networks: []

+# enable basic auth for metrics
+matrix_bot_buscarron_basicauth_enabled: false
+# temporary file name on the host that runs ansible
+matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd"
+# username
+matrix_bot_buscarron_basicauth_user: ''
+# password
+matrix_bot_buscarron_basicauth_password: ''
+
 # matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@ -46,6 +59,8 @@ matrix_bot_buscarron_container_labels_traefik_hostname: "{{ matrix_bot_buscarron
 # The path prefix must either be `/` or not end with a slash (e.g. `/buscarron`).
 matrix_bot_buscarron_container_labels_traefik_path_prefix: "{{ matrix_bot_buscarron_path_prefix }}"
 matrix_bot_buscarron_container_labels_traefik_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`){% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_buscarron_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_buscarron_container_labels_traefik_metrics_path: "{{ matrix_bot_buscarron_metrics_path }}"
+matrix_bot_buscarron_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_buscarron_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_buscarron_container_labels_traefik_metrics_path }}`)"
 matrix_bot_buscarron_container_labels_traefik_priority: 0
 matrix_bot_buscarron_container_labels_traefik_entrypoints: web-secure
 matrix_bot_buscarron_container_labels_traefik_tls: "{{ matrix_bot_buscarron_container_labels_traefik_entrypoints != 'web' }}"
--- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
@ -40,6 +40,21 @@
    - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true}
  when: "item.when | bool"

+- name: Determine basicauth filename
+  ansible.builtin.set_fact:
+    matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}"
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
+- name: Generate basic auth file
+  community.general.htpasswd:
+    path: "{{ matrix_bot_buscarron_basicauth_file }}"
+    name: "{{ matrix_bot_buscarron_basicauth_user }}"
+    password: "{{ matrix_bot_buscarron_basicauth_password }}"
+    mode: 0640
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
 - name: Ensure buscarron support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
@ -51,6 +66,14 @@
    - env
    - labels

+- name: Ensure temporary basic auth file is removed
+  ansible.builtin.file:
+    path: "{{ matrix_bot_buscarron_basicauth_file }}"
+    state: absent
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_buscarron_basicauth_enabled | bool
+
 - name: Ensure buscarron image is pulled
  community.docker.docker_image:
    name: "{{ matrix_bot_buscarron_docker_image }}"
--- a/roles/custom/matrix-bot-buscarron/templates/labels.j2
+++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2
@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_buscarron_container_labels_traefik_docker_n
 {% endif %}

 {% set middlewares = [] %}
+{% set middlewares_metrics = [] %}

 {% if matrix_bot_buscarron_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-buscarron-slashless-redirect.redirectregex.regex=({{ matrix_bot_buscarron_container_labels_traefik_path_prefix | quote }})$
@ -18,6 +19,11 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes=
 {% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
 {% endif %}

+{% if matrix_bot_buscarron_basicauth_enabled %}
+traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }}
+{% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %}
+{% endif %}
+
 {% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
@ -38,8 +44,23 @@ traefik.http.routers.matrix-bot-buscarron.tls={{ matrix_bot_buscarron_container_
 {% if matrix_bot_buscarron_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
 {% endif %}
-
 traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
+
+{% if middlewares_metrics | length > 0 %}
+traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }}
+{% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron
+traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }}
+traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }}
+{% if matrix_bot_buscarron_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080
+{% endif %}
+
 {% endif %}

 {{ matrix_bot_buscarron_container_labels_additional_labels }}
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@ -4,7 +4,7 @@

 matrix_bot_chatgpt_enabled: true

-matrix_bot_chatgpt_version: 3.0.0
+matrix_bot_chatgpt_version: 3.1.2

 matrix_bot_chatgpt_container_image_self_build: false
 matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@ -4,7 +4,7 @@

 matrix_bot_draupnir_enabled: true

-matrix_bot_draupnir_version: "v1.80.1"
+matrix_bot_draupnir_version: "v1.83.0"

 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@ -11,6 +11,10 @@ matrix_bot_honoroit_hostname: ''
 # This value must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_path_prefix: /

+# The path at which honoroit will expose metrics
+# This value must either be `/` or not end with a slash (e.g. `/metrics`).
+matrix_bot_honoroit_metrics_path: /metrics
+
 matrix_bot_honoroit_container_image_self_build: false
 matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
@ -34,6 +38,15 @@ matrix_bot_honoroit_container_network: matrix-bot-honoroit
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_honoroit_container_additional_networks: []

+# enable basic auth for metrics
+matrix_bot_honoroit_basicauth_enabled: false
+# temporary file name on the host that runs ansible
+matrix_bot_honoroit_basicauth_file: "/tmp/matrix_bot_honoroit_htpasswd"
+# username
+matrix_bot_honoroit_basicauth_user: ''
+# password
+matrix_bot_honoroit_basicauth_password: ''
+
 # matrix_bot_honoroit_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
@ -43,7 +56,8 @@ matrix_bot_honoroit_container_labels_traefik_docker_network: "{{ matrix_bot_hono
 matrix_bot_honoroit_container_labels_traefik_hostname: "{{ matrix_bot_honoroit_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/honoroit`).
 matrix_bot_honoroit_container_labels_traefik_path_prefix: "{{ matrix_bot_honoroit_path_prefix }}"
-matrix_bot_honoroit_container_labels_traefik_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`){% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_honoroit_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_bot_honoroit_container_labels_traefik_metrics_path: "{{ '' if matrix_bot_honoroit_path_prefix == '/' else matrix_bot_honoroit_path_prefix }}{{ matrix_bot_honoroit_metrics_path }}"
+matrix_bot_honoroit_container_labels_traefik_metrics_rule: "Host(`{{ matrix_bot_honoroit_container_labels_traefik_hostname }}`) && Path(`{{ matrix_bot_honoroit_container_labels_traefik_metrics_path }}`)"
 matrix_bot_honoroit_container_labels_traefik_priority: 0
 matrix_bot_honoroit_container_labels_traefik_entrypoints: web-secure
 matrix_bot_honoroit_container_labels_traefik_tls: "{{ matrix_bot_honoroit_container_labels_traefik_entrypoints != 'web' }}"
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
@ -40,6 +40,21 @@
    - {path: "{{ matrix_bot_honoroit_docker_src_files_path }}", when: true}
  when: "item.when | bool"

+- name: Determine basicauth filename
+  ansible.builtin.set_fact:
+    matrix_bot_honoroit_basicauth_file_tmp: "{{ matrix_bot_honoroit_basicauth_file }}_{{ inventory_hostname }}"
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
+- name: Generate basic auth file
+  community.general.htpasswd:
+    path: "{{ matrix_bot_honoroit_basicauth_file }}"
+    name: "{{ matrix_bot_honoroit_basicauth_user }}"
+    password: "{{ matrix_bot_honoroit_basicauth_password }}"
+    mode: 0640
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
 - name: Ensure honoroit support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
@ -51,6 +66,14 @@
    - env
    - labels

+- name: Ensure temporary basic auth file is removed
+  ansible.builtin.file:
+    path: "{{ matrix_bot_honoroit_basicauth_file }}"
+    state: absent
+  become: false
+  delegate_to: 127.0.0.1
+  when: matrix_bot_honoroit_basicauth_enabled | bool
+
 - name: Ensure honoroit image is pulled
  community.docker.docker_image:
    name: "{{ matrix_bot_honoroit_docker_image }}"
@ -86,6 +109,11 @@
      pull: true
  when: "matrix_bot_honoroit_container_image_self_build | bool"

+- name: Ensure honoroit container network is created
+  community.general.docker_network:
+    name: "{{ matrix_bot_honoroit_container_network }}"
+    driver: bridge
+
 - name: Ensure matrix-bot-honoroit.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-bot-honoroit.service.j2"
--- a/roles/custom/matrix-bot-honoroit/templates/labels.j2
+++ b/roles/custom/matrix-bot-honoroit/templates/labels.j2
@ -6,6 +6,7 @@ traefik.docker.network={{ matrix_bot_honoroit_container_labels_traefik_docker_ne
 {% endif %}

 {% set middlewares = [] %}
+{% set middlewares_metrics = [] %}

 {% if matrix_bot_honoroit_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-honoroit-slashless-redirect.redirectregex.regex=({{ matrix_bot_honoroit_container_labels_traefik_path_prefix | quote }})$
@ -25,21 +26,26 @@ traefik.http.middlewares.matrix-bot-honoroit-add-headers.headers.customresponseh
 {% set middlewares = middlewares + ['matrix-bot-honoroit-add-headers'] %}
 {% endif %}

-traefik.http.routers.matrix-bot-honoroit.rule={{ matrix_bot_honoroit_container_labels_traefik_rule }}
-{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-bot-honoroit.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
-{% endif %}
-traefik.http.routers.matrix-bot-honoroit.service=matrix-bot-honoroit
-{% if middlewares | length > 0 %}
-traefik.http.routers.matrix-bot-honoroit.middlewares={{ middlewares | join(',') }}
-{% endif %}
-traefik.http.routers.matrix-bot-honoroit.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
-traefik.http.routers.matrix-bot-honoroit.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
-{% if matrix_bot_honoroit_container_labels_traefik_tls %}
-traefik.http.routers.matrix-bot-honoroit.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
+{% if matrix_bot_honoroit_basicauth_enabled %}
+traefik.http.middlewares.matrix-bot-honoroit-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_honoroit_basicauth_file) }}
+{% set middlewares_metrics = middlewares + ['matrix-bot-honoroit-auth'] %}
+{% endif %}
+
+{% if middlewares_metrics | length > 0 %}
+traefik.http.routers.matrix-bot-honoroit-metrics.rule={{ matrix_bot_honoroit_container_labels_traefik_metrics_rule }}
+{% if matrix_bot_honoroit_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-bot-honoroit-metrics.priority={{ matrix_bot_honoroit_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-bot-honoroit-metrics.service=matrix-bot-honoroit-metrics
+traefik.http.routers.matrix-bot-honoroit-metrics.middlewares={{ middlewares_metrics | join(',') }}
+traefik.http.routers.matrix-bot-honoroit-metrics.entrypoints={{ matrix_bot_honoroit_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-honoroit-metrics.tls={{ matrix_bot_honoroit_container_labels_traefik_tls | to_json }}
+{% if matrix_bot_honoroit_container_labels_traefik_tls %}
+traefik.http.routers.matrix-bot-honoroit-metrics.tls.certResolver={{ matrix_bot_honoroit_container_labels_traefik_tls_certResolver }}
+{% endif %}
+traefik.http.services.matrix-bot-honoroit-metrics.loadbalancer.server.port=8080
 {% endif %}

-traefik.http.services.matrix-bot-honoroit.loadbalancer.server.port=8080
 {% endif %}

 {{ matrix_bot_honoroit_container_labels_additional_labels }}
--- a/roles/custom/matrix-bot-maubot/defaults/main.yml
+++ b/roles/custom/matrix-bot-maubot/defaults/main.yml
@ -10,7 +10,7 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock
 matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"


-matrix_bot_maubot_version: v0.4.0
+matrix_bot_maubot_version: v0.4.1
 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
 matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
@ -81,10 +81,10 @@ matrix_bot_postmoogle_maxsize: '1024'
 # A list of admins
 # Example set of rules:
 # matrix_bot_postmoogle_admins:
-# - @someone:example.com
-# - @another:example.com
-# - @bot.*:example.com
-# - @*:another.com
+# - '@someone:example.com'
+# - '@another:example.com'
+# - '@bot.*:example.com'
+# - '@*:another.com'
 matrix_bot_postmoogle_admins: "{{ [matrix_admin] if matrix_admin else [] }}"

 # Sentry DSN. Deprecated, use matrix_bot_postmoogle_monitoring_sentry_dsn
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser

 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
-matrix_appservice_irc_version: 0.37.0
+matrix_appservice_irc_version: 0.38.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
@ -120,7 +120,7 @@ matrix_appservice_kakaotalk_appservice_bot_username: kakaotalkbot
 matrix_appservice_kakaotalk_user_prefix: 'kakaotalk_'

 # End-to-bridge encryption configuration
-matrix_appservice_kakaotalk_bridge_encryption_allow: false
+matrix_appservice_kakaotalk_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_appservice_kakaotalk_bridge_encryption_default: "{{ matrix_appservice_kakaotalk_bridge_encryption_allow }}"

 # Specifies the default log level for all bridge loggers.
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@ -83,6 +83,11 @@ matrix_beeper_linkedin_login_shared_secret: ''
 # Specifies the default log level for all bridge loggers.
 matrix_beeper_linkedin_logging_level: WARNING

+# Enable End-to-bridge encryption
+matrix_beeper_linkedin_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_beeper_linkedin_bridge_encryption_default: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}"
+matrix_beeper_linkedin_bridge_encryption_key_sharing_allow: "{{ matrix_beeper_linkedin_bridge_encryption_allow }}"
+
 # Default beeper-linkedin configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
--- a/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2
@ -156,15 +156,15 @@ bridge:
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
+        allow: {{ matrix_beeper_linkedin_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
+        default: {{ matrix_beeper_linkedin_bridge_encryption_default|to_json }}
        # Options for automatic key sharing.
        key_sharing:
            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
            # You must use a client that supports requesting keys from other users to use this feature.
-            allow: false
+            allow: {{ matrix_beeper_linkedin_bridge_encryption_key_sharing_allow|to_json }}
            # Require the requesting device to have a valid cross-signing signature?
            # This doesn't require that the bridge has verified the device, only that the user has verified it.
            # Not yet implemented.
--- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
@ -86,7 +86,7 @@ matrix_go_skype_bridge_bridge_double_puppet_server_map:
  "{{ matrix_go_skype_bridge_homeserver_domain :  matrix_go_skype_bridge_homeserver_address }}"

 # Enable End-to-bridge encryption
-matrix_go_skype_bridge_bridge_encryption_allow: false
+matrix_go_skype_bridge_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_go_skype_bridge_bridge_encryption_default: "{{ matrix_go_skype_bridge_bridge_encryption_allow }}"

 # Minimum severity of journal log messages.
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"

-matrix_hookshot_version: 3.0.1
+matrix_hookshot_version: 4.1.0

 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
@ -81,7 +81,7 @@
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      -v {{ matrix_hookshot_base_path }}/config.yml:/config.yml
-      {{ matrix_hookshot_docker_image }} node Config/Config.js /config.yml
+      {{ matrix_hookshot_docker_image }} node config/Config.js /config.yml
  register: hookshot_config_validation_result
  changed_when: false

--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
 matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
 matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"

-matrix_mautrix_discord_version: v0.2.0
+matrix_mautrix_discord_version: v0.4.0
 # See: https://mau.dev/mautrix/discord/container_registry
 matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
 matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"
@ -137,7 +137,7 @@ matrix_mautrix_discord_registration_yaml: |
 matrix_mautrix_discord_registration: "{{ matrix_mautrix_discord_registration_yaml | from_yaml }}"

 # Enable End-to-bridge encryption
-matrix_mautrix_discord_bridge_encryption_allow: false
+matrix_mautrix_discord_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_discord_bridge_encryption_default: "{{ matrix_mautrix_discord_bridge_encryption_allow }}"
 matrix_mautrix_discord_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_discord_bridge_encryption_allow }}"

--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -7,7 +7,7 @@ matrix_mautrix_facebook_enabled: true
 matrix_mautrix_facebook_container_image_self_build: false
 matrix_mautrix_facebook_container_image_self_build_repo: "https://mau.dev/mautrix/facebook.git"

-matrix_mautrix_facebook_version: v0.4.1
+matrix_mautrix_facebook_version: v0.5.0
 matrix_mautrix_facebook_docker_image: "{{ matrix_mautrix_facebook_docker_image_name_prefix }}mautrix/facebook:{{ matrix_mautrix_facebook_version }}"
 matrix_mautrix_facebook_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_facebook_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_mautrix_facebook_docker_image_force_pull: "{{ matrix_mautrix_facebook_docker_image.endswith(':latest') }}"
@ -149,3 +149,8 @@ matrix_mautrix_facebook_registration_yaml: |
  de.sorunome.msc2409.push_ephemeral: true

 matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_facebook_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_facebook_bridge_encryption_default: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}"
+matrix_mautrix_facebook_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_facebook_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@ -126,15 +126,15 @@ bridge:
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
+        allow: {{ matrix_mautrix_facebook_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
+        default: {{ matrix_mautrix_facebook_bridge_encryption_default|to_json }}
        # Options for automatic key sharing.
        key_sharing:
            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
            # You must use a client that supports requesting keys from other users to use this feature.
-            allow: false
+            allow_key_sharing: {{ matrix_mautrix_facebook_bridge_encryption_key_sharing_allow|to_json }}
            # Require the requesting device to have a valid cross-signing signature?
            # This doesn't require that the bridge has verified the device, only that the user has verified it.
            # Not yet implemented.
--- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
@ -129,3 +129,7 @@ matrix_mautrix_googlechat_registration_yaml: |
  de.sorunome.msc2409.push_ephemeral: true

 matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_googlechat_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_googlechat_bridge_encryption_default: "{{ matrix_mautrix_googlechat_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/templates/config.yaml.j2
@ -88,10 +88,10 @@ bridge:
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
+        allow: {{ matrix_mautrix_googlechat_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
+        default: {{ matrix_mautrix_googlechat_bridge_encryption_default|to_json }}

    # Whether or not created rooms should have federation enabled.
    # If false, created portal rooms will never be federated.
--- a/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/defaults/main.yml
@ -126,3 +126,7 @@ matrix_mautrix_hangouts_registration_yaml: |
  de.sorunome.msc2409.push_ephemeral: true

 matrix_mautrix_hangouts_registration: "{{ matrix_mautrix_hangouts_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_hangouts_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_hangouts_bridge_encryption_default: "{{ matrix_mautrix_hangouts_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/templates/config.yaml.j2
@ -88,10 +88,10 @@ bridge:
    # application service.
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
+        allow: {{ matrix_mautrix_hangouts_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
+        default: {{ matrix_mautrix_hangouts_bridge_encryption_default|to_json }}

    # Public website and API configs
    web:
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_instagram_container_image_self_build: false
 matrix_mautrix_instagram_container_image_self_build_repo: "https://github.com/mautrix/instagram.git"
 matrix_mautrix_instagram_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_instagram_version == 'latest' else matrix_mautrix_instagram_version }}"

-matrix_mautrix_instagram_version: v0.2.3
+matrix_mautrix_instagram_version: v0.3.0
 # See: https://mau.dev/tulir/mautrix-instagram/container_registry
 matrix_mautrix_instagram_docker_image: "{{ matrix_mautrix_instagram_docker_image_name_prefix }}mautrix/instagram:{{ matrix_mautrix_instagram_version }}"
 matrix_mautrix_instagram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_instagram_container_image_self_build else 'dock.mau.dev/' }}"
@ -129,3 +129,8 @@ matrix_mautrix_instagram_registration_yaml: |
  de.sorunome.msc2409.push_ephemeral: true

 matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_instagram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_instagram_bridge_encryption_default: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}"
+matrix_mautrix_instagram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_instagram_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
@ -143,15 +143,15 @@ bridge:
  # application service.
  encryption:
    # Allow encryption, work in group chat rooms with e2ee enabled
-    allow: false
+    allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
    # Default to encryption, force-enable encryption in all portals the bridge creates
    # This will cause the bridge bot to be in private chats for the encryption to work properly.
-    default: false
+    default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
    # Options for automatic key sharing.
    key_sharing:
      # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
      # You must use a client that supports requesting keys from other users to use this feature.
-      allow: false
+      allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
      # Require the requesting device to have a valid cross-signing signature?
      # This doesn't require that the bridge has verified the device, only that the user has verified it.
      # Not yet implemented.
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@ -9,8 +9,8 @@ matrix_mautrix_signal_docker_repo: "https://mau.dev/mautrix/signal.git"
 matrix_mautrix_signal_docker_repo_version: "{{ 'master' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signal/docker-src"

-matrix_mautrix_signal_version: v0.4.2
-matrix_mautrix_signal_daemon_version: 0.23.1
+matrix_mautrix_signal_version: v0.4.3
+matrix_mautrix_signal_daemon_version: 0.23.2
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_name_prefix }}mautrix/signal:{{ matrix_mautrix_signal_version }}"
 matrix_mautrix_signal_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_signal_container_image_self_build else 'dock.mau.dev/' }}"
@ -152,7 +152,7 @@ matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml

 matrix_mautrix_signal_log_level: 'DEBUG'

-matrix_mautrix_signal_bridge_encryption_allow: false
+matrix_mautrix_signal_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_signal_bridge_encryption_default: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"
 matrix_mautrix_signal_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_signal_bridge_encryption_allow }}"

--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@ -133,6 +133,6 @@ matrix_mautrix_slack_registration_yaml: |
 matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml | from_yaml }}"

 # Enable End-to-bridge encryption
-matrix_mautrix_slack_bridge_encryption_allow: false
+matrix_mautrix_slack_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_slack_bridge_encryption_default: "{{ matrix_mautrix_slack_bridge_encryption_allow }}"
 matrix_mautrix_slack_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_slack_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

-matrix_mautrix_telegram_version: v0.13.0
+matrix_mautrix_telegram_version: v0.14.0
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
@ -136,6 +136,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml | from_yaml | combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"

+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
  id: telegram
  as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@ -154,6 +156,7 @@ matrix_mautrix_telegram_registration_yaml: |
  url: {{ matrix_mautrix_telegram_appservice_address }}
  rate_limited: false
  de.sorunome.msc2409.push_ephemeral: true
+#  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"

 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml | from_yaml }}"

@ -163,6 +166,6 @@ matrix_mautrix_telegram_alias_template: 'telegram_{groupname}'
 matrix_mautrix_telegram_displayname_template: '{displayname} (Telegram)'

 # Enable End-to-bridge encryption
-matrix_mautrix_telegram_bridge_encryption_allow: false
+matrix_mautrix_telegram_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_telegram_bridge_encryption_default: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}"
 matrix_mautrix_telegram_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_telegram_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_twitter_container_image_self_build: false
 matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/mautrix/twitter.git"
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"

-matrix_mautrix_twitter_version: v0.1.5
+matrix_mautrix_twitter_version: v0.1.6
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"
@ -127,3 +127,8 @@ matrix_mautrix_twitter_registration_yaml: |
  de.sorunome.msc2409.push_ephemeral: true

 matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml | from_yaml }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_twitter_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_twitter_bridge_encryption_default: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}"
+matrix_mautrix_twitter_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_twitter_bridge_encryption_allow }}"
--- a/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2
@ -126,15 +126,15 @@ bridge:
    # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption
    encryption:
        # Allow encryption, work in group chat rooms with e2ee enabled
-        allow: false
+        allow: {{ matrix_mautrix_twitter_bridge_encryption_allow|to_json }}
        # Default to encryption, force-enable encryption in all portals the bridge creates
        # This will cause the bridge bot to be in private chats for the encryption to work properly.
-        default: false
+        default: {{ matrix_mautrix_twitter_bridge_encryption_default|to_json }}
        # Options for automatic key sharing.
        key_sharing:
            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
            # You must use a client that supports requesting keys from other users to use this feature.
-            allow: false
+            allow: {{ matrix_mautrix_twitter_bridge_encryption_key_sharing_allow|to_json }}
            # Require the requesting device to have a valid cross-signing signature?
            # This doesn't require that the bridge has verified the device, only that the user has verified it.
            # Not yet implemented.
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
 matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"

-matrix_mautrix_whatsapp_version: v0.8.3
+matrix_mautrix_whatsapp_version: v0.8.5
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
@ -97,7 +97,7 @@ matrix_mautrix_whatsapp_bridge_login_shared_secret_map:
  "{{ {matrix_mautrix_whatsapp_homeserver_domain: matrix_mautrix_whatsapp_login_shared_secret} if matrix_mautrix_whatsapp_login_shared_secret else {} }}"

 # Enable End-to-bridge encryption
-matrix_mautrix_whatsapp_bridge_encryption_allow: false
+matrix_mautrix_whatsapp_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"
 matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_whatsapp_bridge_encryption_allow }}"

--- a/roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
@ -70,7 +70,7 @@ namePatterns:
  #
  # name: username of the user
  # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"

  # A user's guild-specific displayname - if they've set a custom nick in
  # a guild
@ -82,7 +82,7 @@ namePatterns:
  # displayname: the user's custom group-specific nick
  # channel: the name of the channel
  # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"

  # Room names for bridged Discord channels
  #
@ -90,7 +90,7 @@ namePatterns:
  #
  # name: name of the channel
  # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"

  # Group names for bridged Discord servers
  #
--- a/roles/custom/matrix-client-cinny/defaults/main.yml
+++ b/roles/custom/matrix-client-cinny/defaults/main.yml
@ -6,7 +6,7 @@ matrix_client_cinny_enabled: true
 matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"

-matrix_client_cinny_version: v2.2.4
+matrix_client_cinny_version: v2.2.6
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"

-matrix_client_element_version: v1.11.25
+matrix_client_element_version: v1.11.31
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-client-element/tasks/setup_install.yml
+++ b/roles/custom/matrix-client-element/tasks/setup_install.yml
@ -90,6 +90,19 @@
    - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
  when: "item.src is not none"

+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: false
+    #when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element config files removed
  ansible.builtin.file:
    path: "{{ matrix_client_element_data_path }}/{{ item.name }}"
--- a/roles/custom/matrix-client-element/templates/welcome.html.j2
+++ b/roles/custom/matrix-client-element/templates/welcome.html.j2
@ -33,7 +33,7 @@ h1::after {
 }

 .mx_Logo {
-    height: 54px;
+    height: 92px;
    margin-top: 2px;
 }

--- a/roles/custom/matrix-client-hydrogen/templates/config.json.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/config.json.j2
@ -3,7 +3,7 @@
 	"defaultHomeServer": {{ matrix_client_hydrogen_default_hs_url | string | to_json }},
 	"bugReportEndpointUrl": {{ matrix_client_hydrogen_bugReportEndpointUrl | to_json }},
 	"themeManifests": [
-		"{{ matrix_client_hydrogen_path_prefix }}assets/theme-element.json"
+		"{{ '' if matrix_client_hydrogen_path_prefix == '/' else matrix_client_hydrogen_path_prefix }}/assets/theme-element.json"
 	],
 	"defaultTheme": {
 		"light": "element-light",
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"

-matrix_coturn_version: 4.6.1-r2
+matrix_coturn_version: 4.6.1-r3
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-coturn/tasks/setup_install.yml
+++ b/roles/custom/matrix-coturn/tasks/setup_install.yml
@ -73,7 +73,6 @@
    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-coturn.service"
    mode: 0644
-  register: matrix_coturn_systemd_service_change_results

 # This may be unnecessary when more long-lived certificates are used.
 # We optimize for the common use-case though (short-lived Let's Encrypt certificates).
@ -83,7 +82,6 @@
    src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ item }}"
    mode: 0644
-  register: "matrix_coturn_systemd_service_change_results"
  when: "matrix_coturn_tls_enabled | bool"
  with_items:
    - matrix-coturn-reload.service
@ -94,13 +92,7 @@
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
-  register: "matrix_coturn_systemd_service_change_results"
  when: "not matrix_coturn_tls_enabled | bool"
  with_items:
    - matrix-coturn-reload.service
    - matrix-coturn-reload.timer
-
- name: Ensure systemd reloaded if systemd units changed
-  ansible.builtin.service:
-    daemon_reload: true
-  when: "matrix_coturn_systemd_service_change_results.changed"
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@ -4,8 +4,12 @@

 matrix_dendrite_enabled: true

-matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}matrixdotorg/dendrite-monolith:{{ matrix_dendrite_docker_image_tag }}"
-matrix_dendrite_docker_image_name_prefix: "docker.io/"
+matrix_dendrite_container_image_self_build: false
+matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/dendrite.git"
+
+matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
+matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
+matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_dendrite_docker_image_tag: "v0.12.0"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"

@ -17,6 +21,8 @@ matrix_dendrite_nats_storage_path: "{{ matrix_dendrite_base_path }}/nats"
 matrix_dendrite_bin_path: "{{ matrix_dendrite_base_path }}/bin"
 matrix_dendrite_ext_path: "{{ matrix_dendrite_base_path }}/ext"

+matrix_dendrite_docker_src_files_path: "{{ matrix_dendrite_base_path }}/docker-src"
+
 # By default, we make Dendrite only serve HTTP (not HTTPS).
 # HTTPS is usually served at the reverse-proxy side (usually via `matrix-nginx-proxy`).
 #
@ -85,14 +91,14 @@ matrix_dendrite_systemd_wanted_services_list: []
 # matrix_dendrite_template_dendrite_config: "{{ playbook_dir }}/inventory/host_vars/<host>/dendrite.yaml.j2"
 matrix_dendrite_template_dendrite_config: "{{ role_path }}/templates/dendrite/dendrite.yaml.j2"

-matrix_dendrite_client_api_registration_shared_secret: ''
+matrix_dendrite_client_api_registration_shared_secret: ""
 matrix_dendrite_allow_guest_access: false

 matrix_dendrite_max_file_size_bytes: 10485760

 # Controls which HTTP header (e.g. 'X-Forwarded-For', 'X-Real-IP') to inspect to find the real remote IP address of the client.
 # This is likely required if Dendrite is running behind a reverse proxy server.
-matrix_dendrite_sync_api_real_ip_header: 'X-Forwarded-For'
+matrix_dendrite_sync_api_real_ip_header: "X-Forwarded-For"

 # The tmpfs at /tmp needs to be large enough to handle multiple concurrent file uploads.
 matrix_dendrite_tmp_directory_size_mb: 500
@ -147,7 +153,7 @@ matrix_dendrite_metrics_password: "metrics"

 # Postgres database information
 matrix_dendrite_database_str: "postgresql://{{ matrix_dendrite_database_user }}:{{ matrix_dendrite_database_password }}@{{ matrix_dendrite_database_hostname }}"
-matrix_dendrite_database_hostname: ''
+matrix_dendrite_database_hostname: ""
 matrix_dendrite_database_user: "dendrite"
 matrix_dendrite_database_password: "itsasecret"
 matrix_dendrite_federation_api_database: "dendrite_federationapi"
--- a/roles/custom/matrix-dendrite/tasks/setup_install.yml
+++ b/roles/custom/matrix-dendrite/tasks/setup_install.yml
@ -1,17 +1,23 @@
 ---
-
 - name: Ensure Dendrite paths exist
  ansible.builtin.file:
-    path: "{{ item }}"
+    path: "{{ item.path }}"
    state: directory
    mode: 0750
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
-    - "{{ matrix_dendrite_config_dir_path }}"
-    - "{{ matrix_dendrite_bin_path }}"
-    - "{{ matrix_dendrite_ext_path }}"
-    - "{{ matrix_dendrite_nats_storage_path }}"
+    - path: "{{ matrix_dendrite_config_dir_path }}"
+      when: true
+    - path: "{{ matrix_dendrite_bin_path }}"
+      when: true
+    - path: "{{ matrix_dendrite_ext_path }}"
+      when: true
+    - path: "{{ matrix_dendrite_nats_storage_path }}"
+      when: true
+    - path: "{{ matrix_dendrite_docker_src_files_path }}"
+      when: "{{ matrix_dendrite_container_image_self_build }}"
+  when: "item.when | bool"

 # This will throw a Permission Denied error if already mounted using fuse
 - name: Check Dendrite media store path
@ -37,6 +43,7 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_dendrite_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_docker_image_force_pull }}"
+  when: "not matrix_dendrite_container_image_self_build | bool"
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
@ -72,6 +79,34 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"

+- when: "matrix_dendrite_container_image_self_build | bool"
+  block:
+    - name: Ensure Dendrite repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_dendrite_container_image_self_build_repo }}"
+        dest: "{{ matrix_dendrite_docker_src_files_path }}"
+        version: "{{ matrix_dendrite_docker_image.split(':')[1] }}"
+        force: "yes"
+      become: true
+      become_user: "{{ matrix_user_username }}"
+      register: matrix_dendrite_git_pull_results
+
+    - name: Check if Dendrite Docker image exists
+      ansible.builtin.command: "{{ devture_systemd_docker_base_host_command_docker }} images --quiet --filter 'reference={{ matrix_dendrite_docker_image }}'"
+      register: matrix_dendrite_docker_image_check_result
+      changed_when: false
+
+    # Invoking the `docker build` command here, instead of calling the `docker_image` Ansible module,
+    # because the latter does not support BuildKit.
+    # See: https://github.com/ansible-collections/community.general/issues/514
+    - name: Ensure Dendrite Docker image is built
+      ansible.builtin.command:
+        cmd: "{{ devture_systemd_docker_base_host_command_docker }} build -t {{ matrix_dendrite_docker_image }} {{ matrix_dendrite_docker_src_files_path }}"
+      environment:
+        DOCKER_BUILDKIT: 1
+      changed_when: true
+      when: "matrix_dendrite_git_pull_results.changed | bool or matrix_dendrite_docker_image_check_result.stdout == ''"
+
 - name: Ensure Dendrite container network is created
  community.general.docker_network:
    name: "{{ matrix_dendrite_container_network }}"
--- a/roles/custom/matrix-jitsi/defaults/main.yml
+++ b/roles/custom/matrix-jitsi/defaults/main.yml
@ -1,320 +0,0 @@
---
-# Project source code URL: https://github.com/jitsi/docker-jitsi-meet
-
-matrix_jitsi_enabled: true
-
-matrix_jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
-
-matrix_jitsi_enable_auth: false
-matrix_jitsi_enable_guests: false
-matrix_jitsi_enable_recording: false
-matrix_jitsi_enable_transcriptions: false
-matrix_jitsi_enable_jaas_components: false
-matrix_jitsi_enable_p2p: true
-matrix_jitsi_enable_av_moderation: true
-matrix_jitsi_enable_breakout_rooms: true
-matrix_jitsi_disable_gravatar: true
-
-# Authentication type, must be one of internal, jwt, matrix or ldap.
-# Currently, only internal, matrix and ldap mechanisms are supported by this playbook.
-# matrix auth verifies against matrix openID, and requires a user-verification-service to run.
-matrix_jitsi_auth_type: internal
-
-# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
-#
-# Accounts added here and subsequently removed will not be automatically removed
-# from the Prosody server until user account cleaning is integrated into the playbook.
-#
-# Example:
-# matrix_jitsi_prosody_auth_internal_accounts:
-#  - username: "jitsi-moderator"
-#    password: "secret-password"
-#  - username: "another-user"
-#    password: "another-password"
-matrix_jitsi_prosody_auth_internal_accounts: []
-
-# Configuration options for LDAP authentication. For details see upstream:
-#   https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
-# Defaults are taken from:
-#   https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf
-matrix_jitsi_ldap_url: ""
-matrix_jitsi_ldap_base: ""
-matrix_jitsi_ldap_binddn: ""
-matrix_jitsi_ldap_bindpw: ""
-matrix_jitsi_ldap_filter: "uid=%u"
-matrix_jitsi_ldap_auth_method: "bind"
-matrix_jitsi_ldap_version: "3"
-matrix_jitsi_ldap_use_tls: false
-matrix_jitsi_ldap_tls_ciphers: ""
-matrix_jitsi_ldap_tls_check_peer: false
-matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
-matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
-matrix_jitsi_ldap_start_tls: false
-
-# Auth type: matrix
-matrix_jitsi_prosody_auth_matrix_user_verification_repo_location: "https://github.com/matrix-org/prosody-mod-auth-matrix-user-verification"
-matrix_jitsi_prosody_auth_matrix_user_verification_repo_target: "{{ matrix_jitsi_prosody_ext_path }}/prosody_auth_matrix_user_verification"
-matrix_jitsi_prosody_auth_matrix_user_verification_repo_version: "2839499cb03894d8cfc3e5b2219441427cb133d8"  # v1.8.0
-matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels: true
-matrix_jitsi_prosody_auth_matrix_uvs_location: ""
-# Should match domain, see https://github.com/vector-im/element-web/pull/15114/commits/0410a6b3be82a41457275e4d1ce879dea146e092
-matrix_jitsi_prosody_auth_matrix_jwt_app_id: "{{ matrix_server_fqn_jitsi }}"
-matrix_jitsi_prosody_auth_matrix_files:
-  - path: "mod_auth_matrix_user_verification.lua"
-    when: true
-  - path: "mod_matrix_power_sync.lua"
-    when: "{{ matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels }}"
-
-# Plugged in group_vars
-matrix_jitsi_prosody_auth_matrix_uvs_auth_token: ''
-
-matrix_jitsi_timezone: UTC
-
-matrix_jitsi_xmpp_domain: meet.jitsi
-matrix_jitsi_xmpp_server: xmpp.meet.jitsi
-matrix_jitsi_xmpp_auth_domain: auth.meet.jitsi
-matrix_jitsi_xmpp_bosh_url_base: http://{{ matrix_jitsi_xmpp_server }}:5280
-matrix_jitsi_xmpp_guest_domain: guest.meet.jitsi
-matrix_jitsi_xmpp_muc_domain: muc.meet.jitsi
-matrix_jitsi_xmpp_internal_muc_domain: internal-muc.meet.jitsi
-matrix_jitsi_xmpp_modules: ''
-
-matrix_jitsi_recorder_domain: recorder.meet.jitsi
-
-
-matrix_jitsi_jibri_brewery_muc: jibribrewery
-matrix_jitsi_jibri_pending_timeout: 90
-matrix_jitsi_jibri_xmpp_user: jibri
-matrix_jitsi_jibri_xmpp_password: ''
-matrix_jitsi_jibri_recorder_user: recorder
-matrix_jitsi_jibri_recorder_password: ''
-
-matrix_jitsi_enable_lobby: false
-
-matrix_jitsi_version: stable-8319
-matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}"  # for backward-compatibility
-
-matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
-matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.endswith(':latest') }}"
-
-matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
-matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
-matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
-matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs"
-
-matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
-
-# STUN servers used in the web UI. Feel free to point them to your own STUN server.
-# Addresses need to be prefixed with one of `stun:`, `turn:` or `turns:`.
-matrix_jitsi_web_stun_servers: ['stun:meet-jit-si-turnrelay.jitsi.net:443']
-
-# Setting up TURN
-# Default set with Coturn container
-matrix_jitsi_turn_credentials: "{{ matrix_coturn_turn_static_auth_secret }}"
-matrix_jitsi_turn_host: "turn.{{ matrix_server_fqn_matrix }}"
-matrix_jitsi_turns_host: "turn.{{ matrix_server_fqn_matrix }}"
-matrix_jitsi_turn_port: "{{ matrix_coturn_container_stun_plain_host_bind_port }}"
-matrix_jitsi_turns_port: "{{ matrix_coturn_container_stun_tls_host_bind_port }}"
-matrix_jitsi_turn_transport: tcp
-
-# Controls whether Etherpad will be available within Jitsi
-matrix_jitsi_etherpad_enabled: false
-
-# Controls whether the matrix-jitsi-web container exposes its HTTP port (tcp/80 in the container).
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:13080"), or empty string to not expose.
-matrix_jitsi_web_container_http_host_bind_port: ''
-
-# A list of extra arguments to pass to the container
-matrix_jitsi_web_container_extra_arguments: []
-
-# List of systemd services that matrix-jitsi-web.service depends on
-matrix_jitsi_web_systemd_required_services_list: ['docker.service']
-
-
-# Custom configuration to be appended to `interface_config.js`, passed to Jitsi Web.
-#
-# Note: not to be confused with `matrix_jitsi_web_custom_config_extension`.
-#
-# For interface configuration, the flow is like this:
-# - a default `interface_config.js` is generated from within the docker image
-# - the contents of `matrix_jitsi_web_custom_interface_config_extension` is appended and can define new settings or override defaults.
-#
-# Example:
-# matrix_jitsi_web_custom_interface_config_extension: |
-#   interfaceConfig.LANG_DETECTION = false;
-#   interfaceConfig.SHOW_JITSI_WATERMARK = false;
-#   interfaceConfig.DISABLE_VIDEO_BACKGROUND = true;
-matrix_jitsi_web_custom_interface_config_extension: ''
-
-
-# Controls after which participant audio will be muted. If not specified, defaults to Jitsi's default value (likely 10)
-matrix_jitsi_web_config_start_audio_muted_after_nth_participant: ~
-# Controls after which participant video will be muted. If not specified, defaults to Jitsi's default value (likely 10)
-matrix_jitsi_web_config_start_video_muted_after_nth_participant: ~
-
-matrix_jitsi_web_config_defaultLanguage: 'en'  # noqa var-naming
-
-# Ideal and also maximum resolution width. If not specified, defaults to Jitsi's default value (likely 1280)
-matrix_jitsi_web_config_resolution_width_ideal_and_max: ~
-# Minimum resolution width. If not specified, defaults to Jitsi's default value (likely 320)
-matrix_jitsi_web_config_resolution_width_min: ~
-# Ideal and also maximum resolution height. If not specified, defaults to Jitsi's default value (likely 720)
-matrix_jitsi_web_config_resolution_height_ideal_and_max: ~
-# Minimum resolution height. If not specified, defaults to Jitsi's default value (likely 180)
-matrix_jitsi_web_config_resolution_height_min: ~
-
-# Custom configuration to be injected into `custom-config.js`, passed to Jitsi Web.
-# This configuration gets appended to the final configuration that Jitsi Web uses.
-#
-# Note: not to be confused with `matrix_jitsi_web_custom_interface_config_extension`.
-#
-# The flow is like this:
-# - some default configuration is automatically generated based on the environment variables passed to the Jitsi Web container
-# - the contents of `custom-config.js` is appended to it (see `templates/web/custom-config.js.j2`)
-# - said `custom-config.js` contains your custom contents specified in `matrix_jitsi_web_custom_config_extension`.
-#
-# Example:
-# matrix_jitsi_web_custom_config_extension: |
-#   if (!config.hasOwnProperty('testing')) config.testing = {};
-#   config.testing.p2pTestMode = true
-matrix_jitsi_web_custom_config_extension: ''
-
-# Additional environment variables to pass to the Jitsi Web container.
-# You can use this to further influence the default configuration generated by the Jitsi Web container on every startup.
-# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration
-# by using `matrix_jitsi_web_custom_config_extension`.
-#
-# Example:
-# matrix_jitsi_web_environment_variables_extension: |
-#   ENABLE_FILE_RECORDING_SERVICE=1
-#   DROPBOX_APPKEY=something
-#   DROPBOX_REDIRECT_URI=something
-matrix_jitsi_web_environment_variables_extension: ''
-
-
-matrix_jitsi_prosody_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/prosody:{{ matrix_jitsi_container_image_tag }}"
-matrix_jitsi_prosody_docker_image_force_pull: "{{ matrix_jitsi_prosody_docker_image.endswith(':latest') }}"
-
-matrix_jitsi_prosody_base_path: "{{ matrix_base_data_path }}/jitsi/prosody"
-matrix_jitsi_prosody_config_path: "{{ matrix_jitsi_prosody_base_path }}/config"
-matrix_jitsi_prosody_plugins_path: "{{ matrix_jitsi_prosody_base_path }}/prosody-plugins-custom"
-matrix_jitsi_prosody_ext_path: "{{ matrix_jitsi_prosody_base_path }}/ext"
-
-# well known is currently only needed for auth type "matrix"
-matrix_jitsi_require_well_known: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"
-matrix_jitsi_wellknown_element_jitsi_json: '{"auth": "openidtoken-jwt"}'
-
-#
-matrix_jitsi_muc_modules: |
-  {{
-    (['matrix_power_sync'] if matrix_jitsi_prosody_auth_matrix_uvs_sync_power_levels | bool else [])
-  }}
-
-# A list of extra arguments to pass to the container
-matrix_jitsi_prosody_container_extra_arguments: []
-
-# List of systemd services that matrix-jitsi-prosody.service depends on
-matrix_jitsi_prosody_systemd_required_services_list: ['docker.service']
-
-# Neccessary Port binding for those disabling the integrated nginx proxy
-matrix_jitsi_prosody_container_http_host_bind_port: ''
-
-matrix_jitsi_prosody_container_jvb_host_bind_port: 5222
-
-matrix_jitsi_jicofo_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jicofo:{{ matrix_jitsi_container_image_tag }}"
-matrix_jitsi_jicofo_docker_image_force_pull: "{{ matrix_jitsi_jicofo_docker_image.endswith(':latest') }}"
-
-matrix_jitsi_jicofo_base_path: "{{ matrix_base_data_path }}/jitsi/jicofo"
-matrix_jitsi_jicofo_config_path: "{{ matrix_jitsi_jicofo_base_path }}/config"
-
-# A list of extra arguments to pass to the container
-matrix_jitsi_jicofo_container_extra_arguments: []
-
-# List of systemd services that matrix-jitsi-jicofo.service depends on
-matrix_jitsi_jicofo_systemd_required_services_list: ['docker.service', 'matrix-jitsi-prosody.service']
-
-matrix_jitsi_jicofo_component_secret: ''
-matrix_jitsi_jicofo_auth_user: focus
-matrix_jitsi_jicofo_auth_password: ''
-
-# To enable Sentry integration for Jicofo, specify a valid DSN connection string
-matrix_jitsi_jicofo_sentry_dsn: ''
-
-matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
-matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
-
-matrix_jitsi_jvb_base_path: "{{ matrix_base_data_path }}/jitsi/jvb"
-matrix_jitsi_jvb_config_path: "{{ matrix_jitsi_jvb_base_path }}/config"
-
-# A list of extra arguments to pass to the container
-matrix_jitsi_jvb_container_extra_arguments: []
-
-# List of systemd services that matrix-jitsi-jvb.service depends on
-matrix_jitsi_jvb_systemd_required_services_list: ['docker.service']
-
-matrix_jitsi_jvb_auth_user: jvb
-matrix_jitsi_jvb_auth_password: ''
-
-# To enable Sentry integration for JVB, specify a valid DSN connection string
-matrix_jitsi_jvb_sentry_dsn: ''
-
-# STUN servers used by JVB on the server-side, so it can discover its own external IP address.
-# Pointing this to a STUN server running on the same Docker network may lead to incorrect IP address discovery.
-matrix_jitsi_jvb_stun_servers: ['meet-jit-si-turnrelay.jitsi.net:443']
-
-matrix_jitsi_jvb_brewery_muc: jvbbrewery
-matrix_jitsi_jvb_rtp_udp_port: 10000
-matrix_jitsi_jvb_rtp_tcp_port: 4443
-matrix_jitsi_jvb_server_id: 'jvb-1'
-
-
-# Custom configuration to be injected into `custom-sip-communicator.properties`, passed to Jitsi JVB.
-# This configuration gets appended to the final configuration that Jitsi JVB uses.
-#
-# The flow is like this:
-# - some default configuration is automatically generated based on the environment variables passed to the Jitsi JVB container
-# - the contents of `custom-sip-communicator.properties` is appended to it (see `templates/jvb/custom-sip-communicator.properties.j2`)
-# - said `custom-sip-communicator.properties` contains your custom contents specified in `matrix_jitsi_jvb_custom_config_extension`.
-#
-# Example:
-# matrix_jitsi_jvb_custom_config_extension: |
-#   org.jitsi.videobridge.xmpp.user.shard.DISABLE_CERTIFICATE_VERIFICATION=false
-#   org.jitsi.videobridge.ENABLE_STATISTICS=false
-matrix_jitsi_jvb_custom_config_extension: ''
-
-# Additional environment variables to pass to the Jitsi JVB container.
-# You can use this to further influence the default configuration generated by the Jitsi JVB container on every startup.
-# Besides influencing the final configuration by passing environment variables, you can also inject custom configuration
-# by using `matrix_jitsi_jvb_custom_config_extension`.
-#
-# Example:
-# matrix_jitsi_jvb_environment_variables_extension: |
-#   SOME_VARIABLE=1
-#   ANOTHER_VARIABLE=something
-matrix_jitsi_jvb_environment_variables_extension: ''
-
-# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/10000 in the container).
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:10000"), or empty string to not expose.
-matrix_jitsi_jvb_container_rtp_udp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_udp_port }}"
-
-# Controls whether the matrix-jitsi-jvb container exposes its RTP UDP port (udp/4443 in the container).
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4443"), or empty string to not expose.
-matrix_jitsi_jvb_container_rtp_tcp_host_bind_port: "{{ matrix_jitsi_jvb_rtp_tcp_port }}"
-
-# Controls whether the matrix-jitsi-jvb container exposes its Colibri WebSocket port (tcp/9090 in the container).
-#
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:12090"), or empty string to not expose.
-matrix_jitsi_jvb_container_colibri_ws_host_bind_port: ''
-
-# Default max participants to the empty string
-#
-# The setting requires an integer to be set for usage and allows a user to specify the max number of particpants on a conference.
-matrix_prosody_jitsi_max_participants: ''
-
-# Allows abailty to set XMPP AUTH user if using JIGASI
-matrix_jitsi_jigasi_xmpp_user: ''
-# Allows abailty to set XMPP AUTH pasword if using JIGASI
-matrix_jitsi_jigasi_xmpp_password: ''
--- a/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml
+++ b/roles/custom/matrix-jitsi/tasks/init_additional_jvb.yml
@ -1,5 +0,0 @@
---
-
- ansible.builtin.set_fact:
-    devture_systemd_service_manager_services_list_auto: "{{ [{'name': 'matrix-jitsi-jvb.service', 'priority': 1000, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] }}"
-  when: matrix_jitsi_enabled | bool
--- a/roles/custom/matrix-jitsi/tasks/main.yml
+++ b/roles/custom/matrix-jitsi/tasks/main.yml
@ -1,75 +0,0 @@
---
-
- tags:
-    - setup-additional-jitsi-jvb
-    - install-additional-jitsi-jvb
-  block:
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/init_additional_jvb.yml"
-
- tags:
-    - setup-all
-    - setup-jitsi
-    - setup-additional-jitsi-jvb
-    - install-all
-    - install-jitsi
-    - install-additional-jitsi-jvb
-  block:
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
-
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_base.yml"
-
- tags:
-    - setup-all
-    - setup-jitsi
-    - install-all
-    - install-jitsi
-  block:
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_install.yml"
-
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_install.yml"
-
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_install.yml"
-
- tags:
-    - setup-all
-    - setup-jitsi
-  block:
-    - when: not matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_web_uninstall.yml"
-
-    - when: not matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_prosody_uninstall.yml"
-
-    - when: not matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jicofo_uninstall.yml"
-
- tags:
-    - setup-all
-    - setup-jitsi
-    - setup-additional-jitsi-jvb
-    - install-all
-    - install-jitsi
-    - install-additional-jitsi-jvb
-  block:
-    - when: matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_install.yml"
-
- tags:
-    - setup-all
-    - setup-jitsi
-    - setup-additional-jitsi-jvb
-  block:
-    - when: not matrix_jitsi_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_jitsi_jvb_uninstall.yml"
-
- tags:
-    - self-check
-  block:
-    - when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix'
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_matrix_auth.yml"
--- a/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml
+++ b/roles/custom/matrix-jitsi/tasks/self_check_matrix_auth.yml
@ -1,63 +0,0 @@
---
-
- ansible.builtin.set_fact:
-    matrix_jitsi_prosody_self_check_uvs_health_url: "{{ matrix_jitsi_prosody_auth_matrix_uvs_location }}/health"
-    matrix_jitsi_element_jitsi_well_known_url: "{{ matrix_jitsi_web_public_url }}/.well-known/element/jitsi"
-
- name: Check if jitsi serves the .well-known/element/jitsi
-  ansible.builtin.uri:
-    url: "{{ matrix_jitsi_element_jitsi_well_known_url }}"
-    follow_redirects: none
-    return_content: true
-    validate_certs: "{{ matrix_jitsi_self_check_validate_certificates }}"
-    headers:
-      Origin: example.com
-  check_mode: false
-  register: result_well_known_jitsi_element_jitsi
-  ignore_errors: true
-
- name: Fail if .well-known not working
-  ansible.builtin.fail:
-    msg: |
-      Failed checking that the Jitsi well-known file for Element auth is configured at `{{ matrix_jitsi_element_jitsi_well_known_url }}`
-      Full error: {{ result_well_known_jitsi_element_jitsi }}
-  when: "result_well_known_jitsi_element_jitsi.failed"
-
- name: Parse JSON for well-known payload at the matrix hostname
-  ansible.builtin.set_fact:
-    well_known_matrix_payload: "{{ result_well_known_jitsi_element_jitsi.content | from_json }}"
-
- name: Fail if .well-known not CORS-aware
-  ansible.builtin.fail:
-    msg: "The well-known file on `{{ matrix_jitsi_element_jitsi_well_known_url }}` is not CORS-aware. The file needs to be served with an Access-Control-Allow-Origin header set."
-  when: "'access_control_allow_origin' not in result_well_known_jitsi_element_jitsi"
-
- name: Report working .well-known
-  ansible.builtin.debug:
-    msg: "well-known is configured correctly at `{{ matrix_jitsi_element_jitsi_well_known_url }}`"
-
- name: Check if we can reach the user verification service and if it's healthy
-  ansible.builtin.command:
-    argv:
-      - "docker"
-      - "exec"
-      - "matrix-jitsi-prosody"
-      - "wget"
-      - "-O"
-      - "-"
-      - "--quiet"
-      - "{{ matrix_jitsi_prosody_self_check_uvs_health_url | quote }}"
-  register: matrix_jitsi_prosody_self_check_uvs_result
-  changed_when: false
-  ignore_errors: true
-
- name: Fail if user verification service is not (reachable and healthy)
-  ansible.builtin.fail:
-    msg: |
-      Failed checking user verification service is up (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`).
-      Full error: {{ matrix_jitsi_prosody_self_check_uvs_result }}
-  when: "matrix_jitsi_prosody_self_check_uvs_result.failed"
-
- name: Report healthy user verification service
-  ansible.builtin.debug:
-    msg: "User verification service is working (checked endpoint: `{{ matrix_jitsi_prosody_self_check_uvs_health_url }}`)"
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_base.yml
@ -1,16 +0,0 @@
---
-
- ansible.builtin.include_role:
-    name: custom/matrix-base
-    tasks_from: ensure_openssl_installed
-
- name: Ensure Matrix jitsi base path exists
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - {path: "{{ matrix_jitsi_base_path }}", when: true}
-  when: item.when | bool
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_install.yml
@ -1,51 +0,0 @@
---
-
- name: Ensure Matrix jitsi-jicofo path exists
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0777
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - {path: "{{ matrix_jitsi_jicofo_base_path }}", when: true}
-    - {path: "{{ matrix_jitsi_jicofo_config_path }}", when: true}
-  when: item.when | bool
-
- name: Ensure jitsi-jicofo Docker image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_jitsi_jicofo_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_jitsi_jicofo_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jicofo_docker_image_force_pull }}"
-  register: result
-  retries: "{{ devture_playbook_help_container_retries_count }}"
-  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
-
- name: Ensure jitsi-jicofo environment variables file created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/jicofo/env.j2"
-    dest: "{{ matrix_jitsi_jicofo_base_path }}/env"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0640
-  when: matrix_jitsi_enabled | bool
-
- name: Ensure jitsi-jicofo configuration files created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/jicofo/{{ item }}.j2"
-    dest: "{{ matrix_jitsi_jicofo_config_path }}/{{ item }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0644
-  with_items:
-    - sip-communicator.properties
-    - logging.properties
-
- name: Ensure matrix-jitsi-jicofo.service installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/jicofo/matrix-jitsi-jicofo.service.j2"
-    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service"
-    mode: 0644
-  register: matrix_jitsi_jicofo_systemd_service_result
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jicofo_uninstall.yml
@ -1,25 +0,0 @@
---
-
- name: Check existence of matrix-jitsi-jicofo service
-  ansible.builtin.stat:
-    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service"
-  register: matrix_jitsi_jicofo_service_stat
-
- when: matrix_jitsi_jicofo_service_stat.stat.exists | bool
-  block:
-    - name: Ensure matrix-jitsi-jicofo is stopped
-      ansible.builtin.service:
-        name: matrix-jitsi-jicofo
-        state: stopped
-        enabled: false
-        daemon_reload: true
-
-    - name: Ensure matrix-jitsi-jicofo.service doesn't exist
-      ansible.builtin.file:
-        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jicofo.service"
-        state: absent
-
-    - name: Ensure Matrix jitsi-jicofo paths doesn't exist
-      ansible.builtin.file:
-        path: "{{ matrix_jitsi_jicofo_base_path }}"
-        state: absent
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_install.yml
@ -1,49 +0,0 @@
---
-
- name: Ensure Matrix jitsi-jvb path exists
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0777
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - {path: "{{ matrix_jitsi_jvb_base_path }}", when: true}
-    - {path: "{{ matrix_jitsi_jvb_config_path }}", when: true}
-  when: item.when | bool
-
- name: Ensure jitsi-jvb Docker image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_jitsi_jvb_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_jitsi_jvb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_jvb_docker_image_force_pull }}"
-  register: result
-  retries: "{{ devture_playbook_help_container_retries_count }}"
-  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
-
- name: Ensure jitsi-jvb configuration files created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/jvb/{{ item }}.j2"
-    dest: "{{ matrix_jitsi_jvb_config_path }}/{{ item }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0644
-  with_items:
-    - custom-sip-communicator.properties
-    - logging.properties
-
- name: Ensure jitsi-jvb environment variables file created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/jvb/env.j2"
-    dest: "{{ matrix_jitsi_jvb_base_path }}/env"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0640
-
- name: Ensure matrix-jitsi-jvb.service installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/jvb/matrix-jitsi-jvb.service.j2"
-    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service"
-    mode: 0644
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_jvb_uninstall.yml
@ -1,25 +0,0 @@
---
-
- name: Check existence of matrix-jitsi-jvb service
-  ansible.builtin.stat:
-    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service"
-  register: matrix_jitsi_jvb_service_stat
-
- when: matrix_jitsi_jvb_service_stat.stat.exists | bool
-  block:
-    - name: Ensure matrix-jitsi-jvb is stopped
-      ansible.builtin.service:
-        name: matrix-jitsi-jvb
-        state: stopped
-        enabled: false
-        daemon_reload: true
-
-    - name: Ensure matrix-jitsi-jvb.service doesn't exist
-      ansible.builtin.file:
-        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-jvb.service"
-        state: absent
-
-    - name: Ensure Matrix jitsi-jvb paths doesn't exist
-      ansible.builtin.file:
-        path: "{{ matrix_jitsi_jvb_base_path }}"
-        state: absent
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_install.yml
@ -1,85 +0,0 @@
---
-
- name: Ensure Matrix jitsi-prosody environment exists
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0777
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - {path: "{{ matrix_jitsi_prosody_base_path }}", when: true}
-    - {path: "{{ matrix_jitsi_prosody_config_path }}", when: true}
-    - {path: "{{ matrix_jitsi_prosody_plugins_path }}", when: true}
-    - {path: "{{ matrix_jitsi_prosody_ext_path }}", when: true}
-  when: item.when | bool
-
- name: Ensure jitsi-prosody Docker image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_jitsi_prosody_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_jitsi_prosody_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
-  register: result
-  retries: "{{ devture_playbook_help_container_retries_count }}"
-  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
-
- name: Ensure jitsi-prosody environment variables file is created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/prosody/env.j2"
-    dest: "{{ matrix_jitsi_prosody_base_path }}/env"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0640
-
-# Configure matrix authentication.
- name: Install user verification plugin
-  ansible.builtin.include_tasks:
-    file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_install.yml"
-  when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
-
- name: Manage Jitsi .well-known
-  when: matrix_jitsi_require_well_known | bool
-  block:
-    - name: Ensure .well-known directories exist
-      ansible.builtin.file:
-        path: "{{ item.path }}"
-        state: directory
-        mode: 0775
-        owner: "{{ matrix_user_username }}"
-        group: "{{ matrix_user_groupname }}"
-      with_items:
-        - {path: "{{ matrix_static_files_base_path }}/.well-known/element", when: "{{ matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == 'matrix' }}"}
-      when: item.when | bool
-
-    # Create .well-known/element/jitsi in the static file directory for nginx-proxy.
-    - name: Ensure Jitsi /.well-known/element/jitsi configured
-      ansible.builtin.copy:
-        content: "{{ matrix_jitsi_wellknown_element_jitsi_json }}"
-        dest: "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
-        mode: 0644
-        owner: "{{ matrix_user_username }}"
-        group: "{{ matrix_user_groupname }}"
-      when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "matrix"
-# END Block
-
-# Remove matrix authentication if disabled
- name: Ensure user verification plugin is not present if matrix auth is disabled
-  ansible.builtin.include_tasks:
-    file: "{{ role_path }}/tasks/util/setup_jitsi_auth_uvs_uninstall.yml"
-  when: (not matrix_jitsi_enable_auth | bool) or (matrix_jitsi_auth_type != "matrix")
-
- name: Ensure matrix-jitsi-prosody.service file is installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
-    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
-    mode: 0644
-  register: matrix_jitsi_prosody_systemd_service_result
-
-# Tasks that require a running prosody container are called in this file.
- name: Run prosody related tasks, that require a running container.
-  ansible.builtin.include_tasks:
-    file: "{{ role_path }}/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml"
-  when:
-    - matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_prosody_uninstall.yml
@ -1,25 +0,0 @@
---
-
- name: Check if matrix-jitsi-prosody.service file exists
-  ansible.builtin.stat:
-    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
-  register: matrix_jitsi_prosody_service_stat
-
- when: matrix_jitsi_prosody_service_stat.stat.exists | bool
-  block:
-    - name: Ensure matrix-jitsi-prosody is stopped
-      ansible.builtin.service:
-        name: matrix-jitsi-prosody
-        state: stopped
-        enabled: false
-        daemon_reload: true
-
-    - name: Ensure matrix-jitsi-prosody.service file doesn't exist
-      ansible.builtin.file:
-        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-prosody.service"
-        state: absent
-
-    - name: Ensure Matrix jitsi-prosody paths doesn't exist
-      ansible.builtin.file:
-        path: "{{ matrix_jitsi_prosody_base_path }}"
-        state: absent
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_install.yml
@ -1,52 +0,0 @@
---
-
- name: Ensure Matrix jitsi-web path exists
-  ansible.builtin.file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0777
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - {path: "{{ matrix_jitsi_web_base_path }}", when: true}
-    - {path: "{{ matrix_jitsi_web_config_path }}", when: true}
-    - {path: "{{ matrix_jitsi_web_transcripts_path }}", when: true}
-    - {path: "{{ matrix_jitsi_web_crontabs_path }}", when: true}
-  when: item.when | bool
-
- name: Ensure jitsi-web Docker image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_jitsi_web_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_jitsi_web_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_web_docker_image_force_pull }}"
-  register: result
-  retries: "{{ devture_playbook_help_container_retries_count }}"
-  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
-
- name: Ensure jitsi-web environment variables file created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/web/env.j2"
-    dest: "{{ matrix_jitsi_web_base_path }}/env"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0640
-
- name: Ensure jitsi-web configuration files created
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/web/{{ item }}.j2"
-    dest: "{{ matrix_jitsi_web_config_path }}/{{ item }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-    mode: 0644
-  with_items:
-    - custom-config.js
-    - custom-interface_config.js
-
- name: Ensure matrix-jitsi-web.service installed
-  ansible.builtin.template:
-    src: "{{ role_path }}/templates/web/matrix-jitsi-web.service.j2"
-    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
-    mode: 0644
-  register: matrix_jitsi_web_systemd_service_result
--- a/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/setup_jitsi_web_uninstall.yml
@ -1,25 +0,0 @@
---
-
- name: Check existence of matrix-jitsi-web service
-  ansible.builtin.stat:
-    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
-  register: matrix_jitsi_web_service_stat
-
- when: matrix_jitsi_web_service_stat.stat.exists | bool
-  block:
-    - name: Ensure matrix-jitsi-web is stopped
-      ansible.builtin.service:
-        name: matrix-jitsi-web
-        state: stopped
-        enabled: false
-        daemon_reload: true
-
-    - name: Ensure matrix-jitsi-web.service doesn't exist
-      ansible.builtin.file:
-        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-jitsi-web.service"
-        state: absent
-
-    - name: Ensure Matrix jitsi-web paths doesn't exist
-      ansible.builtin.file:
-        path: "{{ matrix_jitsi_web_base_path }}"
-        state: absent
--- a/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml
@ -1,17 +0,0 @@
---
-#
-# Tasks related to configuring Jitsi internal authentication on a running prosody instance.
-#
-
- name: Ensure Jitsi internal authentication users are configured
-  ansible.builtin.shell: "{{ devture_systemd_docker_base_host_command_docker }} exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
-  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
-  when:
-    - matrix_jitsi_prosody_auth_internal_accounts|length > 0
-  register: matrix_jitsi_user_configuration_result
-  changed_when: matrix_jitsi_user_configuration_result.rc == 0
-  no_log: true
-
-#
-# Tasks related to clean up after configuring internal authentication.
-#
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_install.yml
@ -1,20 +0,0 @@
---
-
- name: Checkout Prosody Auth Matrix User Verification Plugin Repo
-  ansible.builtin.git:
-    repo: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_location }}"
-    dest: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
-    version: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_version }}"
-  become: true
-  become_user: "{{ matrix_user_username }}"
-
- name: Install Prosody Auth Matrix User Verification Plugin
-  ansible.builtin.copy:
-    remote_src: true
-    src: "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}/{{ item.path }}"
-    dest: "{{ matrix_jitsi_prosody_plugins_path }}/{{ item.path }}"
-    mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items: "{{ matrix_jitsi_prosody_auth_matrix_files }}"
-  when: item.when | bool
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_auth_uvs_uninstall.yml
@ -1,20 +0,0 @@
---
-
- name: Remove all files regarding prosody mod auth_matrix_user_verification and .well-known/element/jitsi
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: absent
-  with_flattened:
-    - "{{ matrix_static_files_base_path }}/.well-known/element/jitsi"
-    - "{{ matrix_jitsi_prosody_auth_matrix_user_verification_repo_target }}"
-    - "{{ matrix_jitsi_prosody_auth_matrix_files | map(attribute='path') | map('regex_replace', '^', matrix_jitsi_prosody_plugins_path+'/') | list }}"
-  register: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled
-
- when: matrix_jitsi_prosody_auth_matrix_user_verification_uninstalled.changed
-  block:
-    - name: Populate service facts
-      ansible.builtin.service_facts:
-
-    - name: Ensure prosody is restarted later on if currently running
-      ansible.builtin.set_fact:
-        matrix_jitsi_prosody_require_restart: "{{ true if ansible_facts.services['matrix-jitsi-prosody.service']['state'] == 'running' else false }}"
--- a/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml
+++ b/roles/custom/matrix-jitsi/tasks/util/setup_jitsi_prosody_post_setup_hooks.yml
@ -1,49 +0,0 @@
---
-#####
-#
-# This tasks file starts and stops (if state before was stopped) a prosody container during setup to run commands,
-# that require a running prosody container.
-# The task is called in ../setup_jitsi_prosody_install.yml.
-#
-# Important: The task is called conditionally, as to only start if really needed.
-# So if you add or change anything - remember to also change the 'when' in:  ../setup_jitsi_prosody_install.yml
-#
-#####
-
-#
-# Start Necessary Services
-#
-
- name: Ensure matrix-jitsi-prosody container is running
-  ansible.builtin.systemd:
-    state: "{{ 'restarted' if matrix_jitsi_prosody_require_restart | default(false) | bool else 'started' }}"
-    name: matrix-jitsi-prosody
-  register: matrix_jitsi_prosody_start_result
-
-# If the flag was set, we can safely disable now.
- name: Disable require restart flag
-  ansible.builtin.set_fact:
-    matrix_jitsi_prosody_require_restart: false
-
-#
-# Tasks related to configuring Jitsi internal authentication
-#
-
- name: Ensure internal authentication is properly configured
-  ansible.builtin.include_tasks:
-    file: "{{ role_path }}/tasks/util/prosody_post_setup_hooks/setup_jitsi_auth_internal.yml"
-  when: matrix_jitsi_enable_auth | bool and matrix_jitsi_auth_type == "internal"
-
-#
-# Tasks related to ...
-#
-
-
-#
-# Stop Necessary Services
-#
- name: Ensure matrix-jitsi-prosody container is stopped if necessary
-  ansible.builtin.systemd:
-    state: stopped
-    name: matrix-jitsi-prosody
-  when: matrix_jitsi_prosody_start_result.changed | bool
--- a/Show More
+++ b/Show More