meta: move inventory structure to be more usable

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>

.codespellrc

@@ -0,0 +1,2 @@
+[codespell]
+ignore-words-list = aNULL,brose,doub,Udo,re-use,re-used,registr

.github/renovate.json

@@ -9,8 +9,8 @@
 	"customManagers": [
 		{
 			"customType": "regex",
-			"fileMatch": [
-				"defaults/main.yml$"
+			"managerFilePatterns": [
+				"/defaults/main.yml$/"
 			],
 			"matchStrings": [
 				"# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?(?:_version|_tag)\\s*:\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
@@ -28,5 +28,8 @@
 	],
 	"ignoreDeps": [
 		"ghcr.io/matrixgpt/matrix-chatgpt-bot"
-	]
+	],
+	"pre-commit": {
+		"enabled": true
+	}
 }

.github/workflows/matrix.yml

@@ -7,9 +7,7 @@
 ---
 name: Matrix CI
 
-on:  # yamllint disable-line rule:truthy
-  push:
-  pull_request:
+on: [push, pull_request]  # yamllint disable-line rule:truthy
 
 jobs:
   yamllint:
@@ -30,3 +28,11 @@ jobs:
         uses: ansible-community/ansible-lint-action@v6.17.0
         with:
           path: roles/custom
+  precommit:
+    name: Run pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run pre-commit
+        uses: pre-commit/action@v3.0.1

.github/workflows/reuse.yml

@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Free Software Foundation Europe e.V. <https://fsfe.org>
-#
-# SPDX-License-Identifier: CC0-1.0
----
-name: REUSE Compliance Check
-
-on: [push, pull_request]  # yamllint disable-line rule:truthy
-
-permissions:
-  contents: read
-
-jobs:
-  reuse-compliance-check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@v5

.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+---
+default_install_hook_types: [pre-push]
+
+exclude: "LICENSES/"
+
+# See: https://pre-commit.com/hooks.html
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      # - id: check-executables-have-shebangs
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-toml
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.1
+    hooks:
+      - id: codespell
+        args: ["--skip=*.po,*.pot,i18n/"]
+  - repo: https://github.com/fsfe/reuse-tool  # https://reuse.software/dev/#pre-commit-hook
+    rev: v5.0.2
+    hooks:
+      - id: reuse

CHANGELOG.md

@@ -156,7 +156,7 @@ To **completely eliminate the problem** of DDoS amplification attacks done throu
 
 The playbook now **only exposes the Coturn STUN port (`3478`) over TCP by default**.
 
-💡 Users may wish to further remove the (now unnnecessary) firewall rule allowing access to `3478/udp`.
+💡 Users may wish to further remove the (now unnecessary) firewall rule allowing access to `3478/udp`.
 
 If you'd like the Coturn STUN port to be exposed over UDP like before, you can revert to the previous behavior by using the following configuration in your `vars.yml` file:
 
@@ -170,7 +170,7 @@ matrix_coturn_container_stun_plain_host_bind_port_udp: "3478"
 
 # 2025-02-17
 
-## FluffyChat Web suport
+## FluffyChat Web support
 
 Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook now supports [FluffyChat Web](https://github.com/krille-chan/fluffychat) as an additional Matrix client you can self-host.
 
@@ -192,7 +192,7 @@ The playbook will let you know if you're using any `matrix_mautrix_hangouts_*` v
 
 ## Redis and KeyDB are no longer part of the playbook
 
-**TLDR**: The playbook now exclusively uses Valkey as its Redis-compatible memorystore implementation, removing support for Redis and KeyDB. Most users are unaffected by this change unless they explicitly configured Redis or KeyDB variables. Only users that were explicitly definining `redis_*` or `keydb_*` variables will need to update their configuration to use `valkey_*` variables instead.
+**TLDR**: The playbook now exclusively uses Valkey as its Redis-compatible memorystore implementation, removing support for Redis and KeyDB. Most users are unaffected by this change unless they explicitly configured Redis or KeyDB variables. Only users that were explicitly defining `redis_*` or `keydb_*` variables will need to update their configuration to use `valkey_*` variables instead.
 
 The playbook has gone through several iterations of memorystore implementations:
 
@@ -745,7 +745,7 @@ For people building commercial products on top of Synapse, they may have to eith
 
 We're no lawyers and this changelog entry does not aim to give you the best legal advice, so please research on your own!
 
-If you'd like to continue using the old Apache-2.0-licensed Synapse (for a while longer anyway), the playbook makes it possible by intruducing a new Ansible variable. You can do it like this:
+If you'd like to continue using the old Apache-2.0-licensed Synapse (for a while longer anyway), the playbook makes it possible by introducing a new Ansible variable. You can do it like this:
 
 ```yaml
 # Switch the organization that Synapse container images (or source code for self-building) are pulled from.
@@ -828,7 +828,7 @@ Despite these downsides (which the playbook manages automatically), we believe i
 
 People running the default Traefik setup do not need to do anything to make Traefik take on this extra job. Your Traefik configuration will be updated automatically.
 
-**People runnning their own Traefik reverse-proxy need to do [minor adjustments](#people-managing-their-own-traefik-instance-need-to-do-minor-changes)**, as described in the section below.
+**People running their own Traefik reverse-proxy need to do [minor adjustments](#people-managing-their-own-traefik-instance-need-to-do-minor-changes)**, as described in the section below.
 
 You may disable Traefik acting as an intermediary by explicitly setting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled` to `false`. Services would then be configured to talk to the homeserver directly, giving you a slight performance boost and a "simpler" Traefik setup. However, such a configuration is less tested and will cause troubles, especially if you enable more services (like `matrix-media-repo`, etc.) in the future. As such, it's not recommended.
 
@@ -2851,7 +2851,7 @@ As always, re-running the playbook is enough to get the updated bits.
 
 ## SMS bridging requires db reset
 
-The current version of [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) needs you to delete the database to work as expected. Just remove `/matrix/matrix-sms-bridge/database/*`. It also adds a new requried var `matrix_sms_bridge_default_region`.
+The current version of [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) needs you to delete the database to work as expected. Just remove `/matrix/matrix-sms-bridge/database/*`. It also adds a new required var `matrix_sms_bridge_default_region`.
 
 To reuse your existing rooms, invite `@smsbot:yourServer` to the room or write a message. You are also able to use automated room creation with telephonenumers by writing `sms send -t 01749292923 "Hello World"` in a room with `@smsbot:yourServer`. See [the docs](https://github.com/benkuly/matrix-sms-bridge) for more information.
 
@@ -2883,7 +2883,7 @@ Until the issue gets fixed, we're making User Directory search not go to ma1sd b
 
 This upgrades matrix-appservice-irc from 0.14.1 to 0.16.0. Upstream
 made a change to how you define manual mappings. If you added a
-`mapping` to your configuration, you will need to update it accoring
+`mapping` to your configuration, you will need to update it according
 to the [upstream
 instructions](https://github.com/matrix-org/matrix-appservice-irc/blob/master/CHANGELOG.md#0150-2020-02-05). If you did not include `mappings` in your configuration for IRC, no
 change is necessary. `mappings` is not part of the default
@@ -3046,7 +3046,7 @@ As per this [advisory blog post](https://matrix.org/blog/2019/11/09/avoiding-unw
 
 Our general goal is to favor privacy and security when running personal (family & friends) and corporate homeservers. Both of these likely benefit from having a more secure default of **not showing the room directory without authentication** and **not publishing the room directory over federation**.
 
-As with anything else, these new defaults can be overriden by changing the `matrix_synapse_allow_public_rooms_without_auth` and `matrix_synapse_allow_public_rooms_over_federation` variables, respectively.
+As with anything else, these new defaults can be overridden by changing the `matrix_synapse_allow_public_rooms_without_auth` and `matrix_synapse_allow_public_rooms_over_federation` variables, respectively.
 
 
 # 2019-10-05
@@ -3600,7 +3600,7 @@ The following changes had to be done:
 
 - glue variables had to be introduced to the playbook, so it can wire together the various components. Those glue vars are stored in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file. When overriding variables for a given component (role), you need to be aware of both the role defaults (`role/ROLE/defaults/main.yml`) and the role's corresponding section in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file.
 
-- `matrix_postgres_use_external` has been superceeded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement.
+- `matrix_postgres_use_external` has been superseded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement.
 
 - Postgres tools (`matrix-postgres-cli` and `matrix-make-user-admin`) are no longer installed if you're not enabling the `matrix-postgres` role (`matrix_postgres_enabled: false`)
 
@@ -3789,7 +3789,7 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://dimension.t2bot.io/widge
 
 There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. Its default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse.
 
-You may wish to reenable TLSv1 if you need to access Riot in older browsers.
+You may wish to re-enable TLSv1 if you need to access Riot in older browsers.
 
 Note: Currently the dockerized nginx doesn't support TLSv1.3. See https://github.com/nginxinc/docker-nginx/issues/190 for more details.
 

README.md

@@ -1,4 +1,4 @@
-[![Support room on Matrix](https://img.shields.io/matrix/matrix-docker-ansible-deploy:devture.com.svg?label=%23matrix-docker-ansible-deploy%3Adevture.com&logo=matrix&style=for-the-badge&server_fqdn=matrix.devture.com)](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) [![donate](https://liberapay.com/assets/widgets/donate.svg)](https://liberapay.com/s.pantaleev/donate) [![REUSE status](https://api.reuse.software/badge/github.com/spantaleev/matrix-docker-ansible-deploy)](https://api.reuse.software/info/github.com/spantaleev/matrix-docker-ansible-deploy)
+[![Support room on Matrix](https://img.shields.io/matrix/matrix-docker-ansible-deploy:devture.com.svg?label=%23matrix-docker-ansible-deploy%3Adevture.com&logo=matrix&style=for-the-badge&server_fqdn=matrix.devture.com&fetchMode=summary)](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) [![donate](https://liberapay.com/assets/widgets/donate.svg)](https://liberapay.com/s.pantaleev/donate) [![REUSE status](https://api.reuse.software/badge/github.com/spantaleev/matrix-docker-ansible-deploy)](https://api.reuse.software/info/github.com/spantaleev/matrix-docker-ansible-deploy)
 
 # Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
 

REUSE.toml

@@ -13,10 +13,12 @@ path = [
     "i18n/PUBLISHED_LANGUAGES",
     "i18n/requirements.txt",
     "roles/custom/**/*.repo",
+    ".codespellrc",
     ".editorconfig",
     ".envrc",
     ".gitattributes",
     ".gitignore",
+    ".pre-commit-config.yaml",
     ".yamllint",
     "ansible.cfg",
     "flake.lock",

YEAR-IN-REVIEW.md

@@ -11,7 +11,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 2023 is probably [the year of AI](https://journal.everypixel.com/2023-the-year-of-ai), with millions of people jumping aboard [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/chatgpt) train. matrix-docker-ansible-deploy is no stranger to this and 2023 began with a PR from [bertybuttface](https://github.com/bertybuttface) who added support for [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#chatgpt-support)). While OpenAI's chat GPT website was frequently overloaded in the past, their API was up which made using this bot both convenient and more reliable.
 
-AI aside, with the playbook's focus being containers, we're **doubling down on being "container native"** and becoming more interoperable for people hosting other containers on the Matrix server. In [2022](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/YEAR-IN-REVIEW.md#2022), we've announced a few sibling Ansible playbooks, their use of [Traefik](https://doc.traefik.io/traefik/) and the possiblity of matrix-docker-ansible-deploy also switching to this reverse-proxy. This prediction materialized quickly. The **largest change** in the playbook in 2023 happened way back in February - matrix-docker-ansible-deploy [starting the switch from nginx to Traefik](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support) and then quickly [making Treafik the default reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now). As noted in the changelog entries, we envisioned a quick and complete elimination of `matrix-nginx-proxy`, but at the end of 2023, it hasn't happened yet. The playbook is already using Traefik as the front-most reverse-proxy, but nginx (via `matrix-nginx-proxy`) is still around - it has taken a step back and is only used internally for new setups. Work got to a stall due to:
+AI aside, with the playbook's focus being containers, we're **doubling down on being "container native"** and becoming more interoperable for people hosting other containers on the Matrix server. In [2022](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/YEAR-IN-REVIEW.md#2022), we've announced a few sibling Ansible playbooks, their use of [Traefik](https://doc.traefik.io/traefik/) and the possibility of matrix-docker-ansible-deploy also switching to this reverse-proxy. This prediction materialized quickly. The **largest change** in the playbook in 2023 happened way back in February - matrix-docker-ansible-deploy [starting the switch from nginx to Traefik](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support) and then quickly [making Treafik the default reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now). As noted in the changelog entries, we envisioned a quick and complete elimination of `matrix-nginx-proxy`, but at the end of 2023, it hasn't happened yet. The playbook is already using Traefik as the front-most reverse-proxy, but nginx (via `matrix-nginx-proxy`) is still around - it has taken a step back and is only used internally for new setups. Work got to a stall due to:
 
 *   complexity: untangling the overly large and messy `matrix-nginx-proxy` component is difficult
 *   the current setup became "good enough" because nginx has become an internal implementation detail for those who have migrated to Traefik. Traefik is already the default public reverse-proxy and gives better possibilities to people wishing to run other web-exposed containers on their Matrix server via [Docker Compose](https://docs.docker.com/compose/), other Ansible playbooks like [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) (more about this one, below) or any other way.

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 result_format = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/README.md

@@ -9,7 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 # Table of Contents
 
-## ⬇️ Installaton guides <!-- NOTE: the 🚀 emoji is used by "Getting started" on README.md -->
+## ⬇️ Installation guides <!-- NOTE: the 🚀 emoji is used by "Getting started" on README.md -->
 
 There are two installation guides available for beginners and advanced users.
 

docs/ansible.md

@@ -117,7 +117,7 @@ Then, to be asked for the password whenever running an `ansible-playbook` comman
 
 #### Resolve directory ownership issues
 
-Because you're `root` in the container running Ansible and this likely differs fom the owner (your regular user account) of the playbook directory outside of the container, certain playbook features which use `git` locally may report warnings such as:
+Because you're `root` in the container running Ansible and this likely differs from the owner (your regular user account) of the playbook directory outside of the container, certain playbook features which use `git` locally may report warnings such as:
 
 > fatal: unsafe repository ('/work' is owned by someone else)
 > To add an exception for this directory, call:

docs/configuring-playbook-appservice-draupnir-for-all.md

@@ -95,13 +95,13 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 
 ## Usage
 
-If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have succesfully installed Draupnir for All and can now start using it.
+If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have successfully installed Draupnir for All and can now start using it.
 
 The installation of Draupnir for all in this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode.
 
 ### Granting Users the ability to use D4A
 
-Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recomended.
+Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recommendation. Using the chat is recommended.
 
 The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))
 

docs/configuring-playbook-bot-baibot.md

@@ -242,7 +242,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: "YOUR_
 # matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
 
 # If you'd like to use another text-generation agent, uncomment and adjust:
-# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4o
+# matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4.1
 ```
 
 Because this is a [statically](https://github.com/etkecc/baibot/blob/main/docs/configuration/README.md#static-configuration)-defined agent, it will be given a `static/` ID prefix and will be named `static/openai`.

docs/configuring-playbook-bot-chatgpt.md

@@ -57,7 +57,7 @@ matrix_bot_chatgpt_openai_api_key: 'API_KEY_HERE'
 
 matrix_bot_chatgpt_matrix_access_token: 'ACCESS_TOKEN_HERE'
 
-# Configuring the system promt used, needed if the bot is used for special tasks.
+# Configuring the system prompt used, needed if the bot is used for special tasks.
 # More information: https://github.com/mustvlad/ChatGPT-System-Prompts
 matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.'
 ```

docs/configuring-playbook-bot-draupnir.md

@@ -145,6 +145,20 @@ The bot can intercept the report API endpoint of the client-server API, which re
 matrix_bot_draupnir_config_web_abuseReporting: true
 ```
 
+### Enabling synapse-http-antispam support
+
+Certain protections in Draupnir require the [synapse-http-antispam](https://github.com/maunium/synapse-http-antispam) module and a Synapse homeserver plus homeserver admin status to function. This module can be enabled in the playbook via setting `matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled` to `true` and making sure that Draupnir admin API access is enabled.
+
+```yaml
+# Enables the integration between Draupnir and synapse-http-antispam module.
+matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: true
+
+# Enables draupnir to access Synapse admin APIs. This is required for the module functionality to take full effect.
+matrix_bot_draupnir_admin_api_enabled: true
+```
+
+These protections need to be manually activated and consulting the [enabling protections](#enabling-built-in-protections) guide can be helpful or consulting upstream documentation.
+
 <!--
 NOTE: this is unsupported by the playbook due to the admin API being inaccessible from containers currently.
 
@@ -228,7 +242,7 @@ For Draupnir to do its job, you need to [give it permissions](https://the-draupn
 
 We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms).
 
-Polcy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
+Policy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
 
 You can tell Draupnir to subscribe to it by sending the following command to the Management Room: `!draupnir watch #community-moderation-effort-bl:neko.dev`
 

docs/configuring-playbook-bot-matrix-registration-bot.md

@@ -77,7 +77,7 @@ Send `help` to the bot to see the available commands.
 
 You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands).
 
-If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).
+If you have any questions, or if you need help setting it up, read the [troubleshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).
 
 To clean the cache (session & encryption data) after you changed the bot's username, changed the login method from access_token to password etc… you can use:
 

docs/configuring-playbook-bridge-hookshot.md

@@ -103,7 +103,6 @@ Unless indicated otherwise, the following endpoints are reachable on your `matri
 | github oauth | `/hookshot/webhooks/oauth` | `matrix_hookshot_github_oauth_endpoint` | GitHub "Callback URL" |
 | jira oauth | `/hookshot/webhooks/jira/oauth` | `matrix_hookshot_jira_oauth_endpoint` | Jira OAuth |
 | figma endpoint | `/hookshot/webhooks/figma/webhook` | `matrix_hookshot_figma_endpoint` | Figma |
-| provisioning | `/hookshot/v1/` | `matrix_hookshot_provisioning_endpoint` | Dimension [provisioning](#provisioning-api) |
 | appservice | `/hookshot/_matrix/app/` | `matrix_hookshot_appservice_endpoint` | Matrix server |
 | widgets | `/hookshot/widgetapi/` | `matrix_hookshot_widgets_endpoint` | Widgets |
 
@@ -126,16 +125,12 @@ aux_file_definitions:
   - dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
     content: "{{ lookup('file', '/path/to/your-github-private-key.pem') }}"
     mode: '0400'
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 ```
 
 For more information, see the documentation in the [default configuration of the aux role](https://github.com/mother-of-all-self-hosting/ansible-role-aux/blob/main/defaults/main.yml).
 
-### Provisioning API
-
-The provisioning API will be enabled automatically if you set `matrix_dimension_enabled: true` and provided a `matrix_hookshot_provisioning_secret`, unless you override it either way. To use hookshot with Dimension, you will need to enter as "Provisioning URL": `http://matrix-hookshot:9002`, which is made up of the variables `matrix_hookshot_container_url` and `matrix_hookshot_provisioning_port`.
-
 ### Collision with matrix-appservice-webhooks
 
 If you are also running [matrix-appservice-webhooks](configuring-playbook-bridge-appservice-webhooks.md), it reserves its namespace by the default setting `matrix_appservice_webhooks_user_prefix: '_webhook_'`. You should take care if you modify its or hookshot's prefix that they do not collide with each other's namespace (default `matrix_hookshot_generic_userIdPrefix: '_webhooks_'`).
@@ -172,7 +167,7 @@ To `matrix_hookshot_container_labels_metrics_middleware_basic_auth_users`, set t
 
 #### Enable Grafana (optional)
 
-Probably you wish to enable Grafana along with Prometheus for generating graphs of the metics.
+Probably you wish to enable Grafana along with Prometheus for generating graphs of the metrics.
 
 To enable Grafana, see [this section](configuring-playbook-prometheus-grafana.md#adjusting-the-playbook-configuration-grafana) for instructions.
 

docs/configuring-playbook-bridge-mautrix-wsproxy.md

@@ -70,7 +70,7 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 
 ## Usage
 
-Follow the [mautrix-imessage documenation](https://docs.mau.fi/bridges/go/imessage/index.html) for running `android-sms` and/or `matrix-imessage` on your device(s).
+Follow the [mautrix-imessage documentation](https://docs.mau.fi/bridges/go/imessage/index.html) for running `android-sms` and/or `matrix-imessage` on your device(s).
 
 ## Troubleshooting
 

docs/configuring-playbook-element-call.md

@@ -30,7 +30,7 @@ These **clients will use their own embedded Element Call frontend**, so **self-h
 
 💡 A reason you may wish to continue installing the Element Call frontend (despite Matrix clients not making use of it), is if you need to use it standalone - directly via a browser (without a Matrix client). Note that unless you [allow guest accounts to use Element Call](#allowing-guests-to-use-element-call-optional), you will still need a Matrix user account **on the same homeserver** to be able to use Element Call.
 
-The playbook makes a distiction between enabling Element Call (`matrix_element_call_enabled`) and enabling the Matrix RTC Stack (`matrix_rtc_enabled`). Enabling Element Call automatically enables the Matrix RTC stack. Because installing the Element Call frontend is now unnecessary, **we recommend only installing the Matrix RTC stack, without the Element Call frontend**.
+The playbook makes a distinction between enabling Element Call (`matrix_element_call_enabled`) and enabling the Matrix RTC Stack (`matrix_rtc_enabled`). Enabling Element Call automatically enables the Matrix RTC stack. Because installing the Element Call frontend is now unnecessary, **we recommend only installing the Matrix RTC stack, without the Element Call frontend**.
 
 | Description / Variable | Element Call frontend | [LiveKit Server](configuring-playbook-livekit-server.md) | [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) |
 |------------------------|-----------------------|----------------|---------------------|

docs/configuring-playbook-matrix-authentication-service.md

@@ -41,7 +41,7 @@ Below, we'll try to **highlight some potential reasons for switching** to Matrix
 
 ## Prerequisites
 
-- ⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver implementation (which is the default for this playbook). Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating wtih Matrix Authentication Service yet.
+- ⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver implementation (which is the default for this playbook). Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating with Matrix Authentication Service yet.
 
 - ❌ **disabling all password providers** for Synapse (things like [shared-secret-auth](./configuring-playbook-shared-secret-auth.md), [rest-auth](./configuring-playbook-rest-auth.md), [LDAP auth](./configuring-playbook-ldap-auth.md), etc.) More details about this are available in the [Expectations](#expectations) section below.
 
@@ -55,15 +55,13 @@ This section details what you can expect when switching to the Matrix Authentica
 
 - ❌ **Some services experience issues when authenticating via MAS**:
 
-  - [Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first time around, but it consistently fails after restarting:
-
-    > cannot initialize matrix bot error="olm account is marked as shared, keys seem to have disappeared from the server"
+  - [Reminder bot](configuring-playbook-bot-matrix-reminder-bot.md) seems to be losing some of its state on each restart and may reschedule old reminders once again
 
 - ❌ **Encrypted appservices** do not work yet (related to [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) and [PR 17705 for Synapse](https://github.com/element-hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will fail to start (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3658) for Hookshot). You can use these bridges/bots only if you **keep end-to-bridge encryption disabled** (which is the default setting).
 
 - ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
 
-- ⚠️ Delegating user authentication to MAS causes **your Synapse server to be completely dependant on one more service** for its operations. MAS is quick & lightweight and should be stable enough already, but this is something to keep in mind when making the switch.
+- ⚠️ Delegating user authentication to MAS causes **your Synapse server to be completely dependent on one more service** for its operations. MAS is quick & lightweight and should be stable enough already, but this is something to keep in mind when making the switch.
 
 - ⚠️ If you've got [OIDC configured in Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on), you will need to migrate your OIDC configuration to MAS by adding an [Upstream OAuth2 configuration](#upstream-oauth2-configuration).
 
@@ -87,7 +85,7 @@ For new homeservers (which don't have any users in their Synapse database yet),
 
 ### Existing homeserver
 
-Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating wtih Matrix Authentication Service yet.
+Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating with Matrix Authentication Service yet.
 
 For existing Synapse homeservers:
 
@@ -159,6 +157,10 @@ matrix_authentication_service_config_upstream_oauth2_providers:
   - # A unique identifier for the provider
     # Must be a valid ULID
     id: 01HFVBY12TMNTYTBV8W921M5FA
+    # This can be set if you're migrating an existing (legacy) Synapse OIDC configuration.
+    # The value used here would most likely be "oidc" or "oidc-provider".
+    # See: https://element-hq.github.io/matrix-authentication-service/setup/migration.html#map-any-upstream-sso-providers
+    synapse_idp_id: null
     # The issuer URL, which will be used to discover the provider's configuration.
     # If discovery is enabled, this *must* exactly match the `issuer` field
     # advertised in `<issuer>/.well-known/openid-configuration`.
@@ -306,7 +308,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 
 Our migration guide is loosely based on the upstream [Migrating an existing homeserver](https://element-hq.github.io/matrix-authentication-service/setup/migration.html) guide.
 
-Migration is done via a tool called `syn2mas`, which the playbook could run for you (in a container).
+Migration is done via a sub-command called `syn2mas`, which the playbook could run for you (in a container).
 
 The installation + migration steps are like this:
 
@@ -322,7 +324,7 @@ The installation + migration steps are like this:
 
     - The `matrix-user-creator` role would be suppressed, so that it doesn't automatically attempt to create users (for bots, etc.) in the MAS database. These user accounts likely already exist in Synapse's user database and could be migrated over (via syn2mas, as per the steps below), so creating them in the MAS database would have been unnecessary and potentially problematic (conflicts during the syn2mas migration).
 
-3. Consider taking a full [backup of your Postgres database](./maintenance-postgres.md#backing-up-postgresql). This is done just in case. The **syn2mas migration tool does not delete any data**, so it should be possible to revert to your previous setup by merely disabling MAS and re-running the playbook (no need to restore a Postgres backup). However, do note that as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
+3. Consider taking a full [backup of your Postgres database](./maintenance-postgres.md#backing-up-postgresql). This is done just in case. The **syn2mas migration command does not delete any data**, so it should be possible to revert to your previous setup by merely disabling MAS and re-running the playbook (no need to restore a Postgres backup). However, do note that as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
 
 4. [Migrate your data from Synapse to Matrix Authentication Service using syn2mas](#migrate-your-data-from-synapse-to-matrix-authentication-service-using-syn2mas)
 
@@ -342,9 +344,7 @@ The installation + migration steps are like this:
 
 ### Migrate your data from Synapse to Matrix Authentication Service using syn2mas
 
-We **don't** ask you to [run the `syn2mas` migration advisor command](https://element-hq.github.io/matrix-authentication-service/setup/migration.html#run-the-migration-advisor), because it only gives you the green light if your Synapse configuration (`homeserver.yaml`) is configured in a way that's compatible with MAS (delegating authentication to MAS; disabling Synapse's password config; etc.). Until we migrate your data with the `syn2mas` tool, we intentionally avoid doing these changes to allow existing user sessions to work.
-
-You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration).
+You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration).
 
 #### Configuring syn2mas
 
@@ -356,26 +356,9 @@ When you're done with potentially configuring `syn2mas`, proceed to doing a [dry
 
 ##### Configuring upstream OIDC provider mapping for syn2mas
 
-If you have existing OIDC users in your Synapse user database (which will be the case if when using [OIDC with Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on)), you may need to pass an additional `--upstreamProviderMapping` argument to the `syn2mas` tool to tell it which provider (on the Synapse side) maps to which other provider on the MAS side.
+Since Matrix Authentication Service v0.16.0 (which replaced the standalone `syn2mas` tool with a `mas-cli syn2mas` sub-command), OIDC configuration (mapping from your old OIDC configuration to your new one, etc) is meant to be configured in the Matrix Authentication Service configuration (via `matrix_authentication_service_config_upstream_oauth2_providers`) as a `synapse_idp_id` property for each provider.
 
-If you don't do this, `syn2mas` would report errors like this one:
-
-> [FATAL] migrate - [Failed to import external id 4264b0f0-4f11-4ddd-aedb-b500e4d07c25 with oidc-keycloak for user @alice:example.com: Error: Unknown upstream provider oidc-keycloak]
-
-Below is an example situation and a guide for how to solve it.
-
-If in `matrix_synapse_oidc_providers` your provider `idp_id` is (was) named `keycloak`, in the Synapse database users would be associated with the `oidc-keycloak` provider (note the `oidc-` prefix that was added automatically by Synapse to your `idp_id` value).
-
-The same OIDC provider may have an `id` of `01HFVBY12TMNTYTBV8W921M5FA` on the MAS side, as defined in `matrix_authentication_service_config_upstream_oauth2_providers` (see the [Upstream OAuth2 configuration](#upstream-oauth2-configuration) section above).
-
-To tell `syn2mas` how the Synapse-configured OIDC provider maps to the new MAS-configured OIDC provider, add this additional configuration to your `vars.yml` file:
-
-```yaml
-# Adjust the mapping below to match your provider IDs on the Synapse side and the MAS side.
-# Don't forget that Synapse automatically adds an `oidc-` prefix to provider ids defined in its configuration.
-matrix_authentication_service_syn2mas_process_extra_arguments:
-  - "--upstreamProviderMapping oidc-keycloak:01HFVBY12TMNTYTBV8W921M5FA"
-```
+You can refer to the [Map any upstream SSO providers](https://element-hq.github.io/matrix-authentication-service/setup/migration.html#map-any-upstream-sso-providers) section of the MAS documentation for figuring out how to set the `synapse_idp_id` value in `matrix_authentication_service_config_upstream_oauth2_providers` correctly.
 
 #### Performing a syn2mas dry-run
 
@@ -386,7 +369,7 @@ A dry-run would not cause downtime, because it avoids stopping Synapse.
 To perform a dry-run, run:
 
 ```sh
-just run-tags matrix-authentication-service-syn2mas -e matrix_authentication_service_syn2mas_dry_run=true
+just run-tags matrix-authentication-service-mas-cli-syn2mas -e matrix_authentication_service_syn2mas_migrate_dry_run=true
 ```
 
 Observe the command output (especially the last line of the the syn2mas output). If you are confident that the migration will work out as expected, you can proceed with a [real migration](#performing-a-real-syn2mas-migration).
@@ -405,13 +388,13 @@ Before performing a real migration make sure:
 
 - you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and don't see any issues in its output
 
-To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:
+To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:
 
 ```sh
-just run-tags matrix-authentication-service-syn2mas
+just run-tags matrix-authentication-service-mas-cli-syn2mas
 ```
 
-Having performed a `syn2mas` migration once, trying to do it again will report errors for users that were already migrated (e.g. "Error: Unknown upstream provider oauth-delegated").
+Having performed a `syn2mas` migration once, trying to do it again will report errors (e.g. "Error: The MAS database is not empty: rows found in at least `users`. Please drop and recreate the database, then try again.").
 
 ## Verify that Matrix Authentication Service is installed correctly
 

docs/configuring-playbook-matrix-corporal.md

@@ -13,7 +13,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 The playbook can install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you.
 
-In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
+In short, it's a sort of automation and firewalling service, which is helpful if you're installing Matrix services in a controlled corporate environment.
 
 See the project's [documentation](https://github.com/devture/matrix-corporal/blob/main/README.md) to learn what it does and why it might be useful to you.
 

docs/configuring-playbook-matrix-media-repo.md

@@ -60,7 +60,7 @@ To `matrix_media_repo_container_labels_traefik_metrics_middleware_basic_auth_use
 
 #### Enable Grafana (optional)
 
-Probably you wish to enable Grafana along with Prometheus for generating graphs of the metics.
+Probably you wish to enable Grafana along with Prometheus for generating graphs of the metrics.
 
 To enable Grafana, see [this section](configuring-playbook-prometheus-grafana.md#adjusting-the-playbook-configuration-grafana) for instructions.
 

docs/configuring-playbook-ntfy.md

@@ -115,7 +115,7 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 
 ## Usage
 
-To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distrubutor, **log in to the account on the ntfy app** if you have enabled the access control, and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notitications are "distributed" from it.
+To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distributor, **log in to the account on the ntfy app** if you have enabled the access control, and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notifications are "distributed" from it.
 
 For details about installing and configuring the ntfy Android app, take a look at [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ntfy/blob/main/docs/configuring-ntfy.md#install-the-ntfy-androidios-app) on the role's documentation.
 

docs/configuring-playbook-prometheus-grafana.md

@@ -258,4 +258,4 @@ As with all other services, you can find the logs in [systemd-journald](https://
 - [The Prometheus scraping rules](https://github.com/element-hq/synapse/tree/master/contrib/prometheus) (we use v2)
 - [The Synapse Grafana dashboard](https://github.com/element-hq/synapse/tree/master/contrib/grafana)
 - [The Node Exporter dashboard](https://github.com/rfrail3/grafana-dashboards) (for generic non-synapse performance graphs)
-- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic Postgres dashboard)
+- [The PostgreSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic Postgres dashboard)

docs/configuring-playbook-s3.md

@@ -22,13 +22,11 @@ Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring
 
 ## Choosing an Object Storage provider
 
-You can create [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object storage like [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html), [Storj](https://storj.io), [Wasabi](https://wasabi.com), [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces), etc.
+You can create [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object storage like [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html), [Wasabi](https://wasabi.com), [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces), [Storj](https://storj.io), etc.
 
-Amazon S3, Backblaze B2, and Storj are pay-as-you with no minimum charges for storing too little data.
+Amazon S3 and Backblaze B2 are pay-as-you with no minimum charges for storing too little data. Note that Backblaze egress is free, but for only certain users for up to 3x the amount of data stored. Beyond that you will pay $0.01/GB of egress.
 
-All these providers have different prices, with Storj appearing to be the cheapest (as of 2024-10, storage fee is $0.004 per GB/month, and egress fee is $0.007 per GB; check actual pricing [here](https://storj.dev/dcs/pricing)). Backblaze egress is free, but for only certain users for up to 3x the amount of data stored. Beyond that you will pay $0.01/GB of egress.
-
-Wasabi has a minimum charge of 1TB if you're storing less than 1TB, which becomes expensive if you need to store less data than that. Likewise, Digital Ocean Spaces has also a minimum charge of 250GB ($5/month as of 2022-10).
+Wasabi has a minimum charge of 1TB if you're storing less than 1TB, which becomes expensive if you need to store less data than that. Likewise, Digital Ocean Spaces has also a minimum charge of 250GB ($5/month as of 2022-10). Though Storj does not set minimum amount of data to be stored, it also charges $5 minimum monthly usage fee since July 1, 2025, if your monthly usage (storage, bandwidth, and segments) totals less than $5.
 
 Here are some of the important aspects of choosing the right provider:
 

docs/configuring-playbook-ssl-certificates.md

@@ -15,7 +15,7 @@ By default, the playbook retrieves and automatically renews free SSL certificate
 
 **Notes**:
 - This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
-- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiriation notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
+- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiration notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
 
   The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
 

docs/configuring-playbook-sygnal.md

@@ -49,8 +49,8 @@ aux_file_definitions:
       content
       here
     mode: '0600'
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 ```
 
 Configuring [GCM/FCM](https://firebase.google.com/docs/cloud-messaging/) is easier, as it only requires that you provide some config values.

docs/configuring-playbook-synapse-simple-antispam.md

@@ -9,7 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 The playbook can install and configure [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) for you.
 
-It lets you fight invite-spam by automatically blocking invitiations from a list of servers specified by you (blacklisting).
+It lets you fight invite-spam by automatically blocking invitations from a list of servers specified by you (blacklisting).
 
 See the project's [documentation](https://github.com/t2bot/synapse-simple-antispam/blob/master/README.md) to learn what it does and why it might be useful to you.
 

docs/configuring-playbook-synapse.md

@@ -53,7 +53,7 @@ You may also consider [tweaking the number of workers of each type](#controlling
 
 ##### Specialized workers
 
-The playbook now supports a smarter **specialized load-balancing** inspired by [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). Instead of routing requests to one or more [generic workers](#generic-workers) based only on the requestor's IP adddress, specialized load-balancing routes to **4 different types of specialized workers** based on **smarter criteria** — the access token (username) of the requestor and/or on the resource (room, etc.) being requested.
+The playbook now supports a smarter **specialized load-balancing** inspired by [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). Instead of routing requests to one or more [generic workers](#generic-workers) based only on the requester's IP address, specialized load-balancing routes to **4 different types of specialized workers** based on **smarter criteria** — the access token (username) of the requester and/or on the resource (room, etc.) being requested.
 
 The playbook supports these **4 types** of specialized workers:
 

docs/faq.md

@@ -235,7 +235,7 @@ Running Matrix on a server with 1GB of memory is possible (especially if you dis
 
 **We recommend starting with a server having at least 2GB of memory** and even then using it sparingly. If you know for sure you'll be joining various large rooms, etc., then going for 4GB of memory or more is a good idea.
 
-Besides the regular Matrix stuff, we also support things like video-conferencing using [Jitsi](configuring-playbook-jitsi.md) and other additional services which (when installed) may use up a lot of memory. Things do add up. Besides the Synapse Matrix server, Jitsi is especially notorious for consuming a lot of resources. If you plan on running Jitsi, we recommend a server with at least 2GB of memory (preferrably more). See our [Jitsi documentation page](configuring-playbook-jitsi.md) to learn how to optimize its memory/CPU usage.
+Besides the regular Matrix stuff, we also support things like video-conferencing using [Jitsi](configuring-playbook-jitsi.md) and other additional services which (when installed) may use up a lot of memory. Things do add up. Besides the Synapse Matrix server, Jitsi is especially notorious for consuming a lot of resources. If you plan on running Jitsi, we recommend a server with at least 2GB of memory (preferably more). See our [Jitsi documentation page](configuring-playbook-jitsi.md) to learn how to optimize its memory/CPU usage.
 
 ### Can I run this in an LXC container?
 
@@ -362,7 +362,7 @@ Configuration variables are defined in multiple places in this playbook and are
 
 You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`).
 
-As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`.
+As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overridden by values defined in `group_vars/matrix_servers`.
 
 Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.example.com/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features).
 

docs/howto-srv-server-delegation.md

@@ -42,7 +42,7 @@ This is because with SRV federation, some servers / tools (one of which being th
 
 ### Tell Traefik which certificate to serve for the federation endpoint
 
-Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
+Now that the federation endpoint is not bound to a domain anymore we need to explicitly tell Traefik to use a wildcard certificate in addition to one containing the base name.
 
 This is because the Matrix specification expects the federation endpoint to be served using a certificate compatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
 

docs/installing.md

@@ -157,6 +157,8 @@ The upstream projects, which this playbook makes use of, occasionally if not oft
 
 Since it is unsafe to keep outdated services running on the server connected to the internet, please consider to update the playbook and re-run it periodically, in order to keep the services up-to-date.
 
+Also, do not forget to update your system regularly. While this playbook may install basic services, such as Docker, it will not interfere further with system maintenance. Keeping the system itself up-to-date is out of scope for this playbook.
+
 For more information about upgrading or maintaining services with the playbook, take a look at this page: [Upgrading the Matrix services](maintenance-upgrading-services.md)
 
 Feel free to **re-run the setup command any time** you think something is wrong with the server configuration. Ansible will take your configuration and update your server to match.

docs/prerequisites.md

@@ -49,7 +49,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas
 
 - [Python](https://www.python.org/). Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`)
 
-- [sudo](https://www.sudo.ws/), even when you've configured Ansible to log in as `root`. Some distributions, like a minimal Debian net install, do not include the `sudo` package by default.
+- [sudo](https://www.sudo.ws/), even when you've configured Ansible to log in as `root`, because this Ansible playbook sometimes uses the Ansible [become](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html) module to perform tasks as another user (e.g. `matrix`) and the `become` module's default implementation uses `sudo`. Some distributions, like a minimal Debian net install, do not include the `sudo` package by default.
 
 - An HTTPS-capable web server at the base domain name (`example.com`) which is capable of serving static files. Unless you decide to [Serve the base domain from the Matrix server](configuring-playbook-base-domain-serving.md) or alternatively, to use DNS SRV records for [Server Delegation](howto-server-delegation.md).
 
@@ -60,7 +60,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas
   - `80/tcp`: HTTP webserver
   - `443/tcp` and `443/udp`: HTTPS webserver
   - `3478/tcp`: STUN/TURN over TCP (used by [coturn](./configuring-playbook-turn.md))
-  - `3478/udp`: STUN/TURN over TCP (used by [coturn](./configuring-playbook-turn.md))
+  - `3478/udp`: STUN/TURN over UDP (used by [coturn](./configuring-playbook-turn.md))
   - `5349/tcp`: TURN over TCP (used by [coturn](./configuring-playbook-turn.md))
   - `5349/udp`: TURN over UDP (used by [coturn](./configuring-playbook-turn.md))
   - `8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**.

examples/reverse-proxies/nginx-proxy-manager/README.md

@@ -23,7 +23,7 @@ If Matrix federation is enabled, then you will need to make changes to [NPM's Do
 
 You'll need to create two proxy hosts in NPM for Matrix web and federation traffic.
 
-Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for Matrix web traffic. Apply the proxys configuration like this:
+Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for Matrix web traffic. Apply the proxy's configuration like this:
 
 ```md
 # Details
@@ -44,7 +44,7 @@ Custom Nginx Configuration:
 	client_max_body_size 50M;
 ```
 
-Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxys configuration like this:
+Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxy's configuration like this:
 
 ```md
 # Details

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -73,11 +73,11 @@ matrix_federation_traefik_entrypoint_tls: "{{ traefik_config_entrypoint_web_secu
 #                                                                      #
 ########################################################################
 
-aux_directory_default_owner: "{{ matrix_user_username }}"
-aux_directory_default_group: "{{ matrix_user_groupname }}"
+aux_directory_default_owner: "{{ matrix_user_name }}"
+aux_directory_default_group: "{{ matrix_group_name }}"
 
-aux_file_default_owner: "{{ matrix_user_username }}"
-aux_file_default_group: "{{ matrix_user_groupname }}"
+aux_file_default_owner: "{{ matrix_user_name }}"
+aux_file_default_group: "{{ matrix_group_name }}"
 
 ########################################################################
 #                                                                      #
@@ -688,8 +688,6 @@ matrix_authentication_service_config_email_from_address: "{{ exim_relay_sender_a
 
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 
-matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}"
-
 matrix_authentication_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 
 matrix_authentication_service_container_network: "{{ matrix_homeserver_container_network }}"
@@ -2319,7 +2317,6 @@ matrix_hookshot_container_http_host_bind_ports_defaultmapping:
   - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_appservice_port }}:{{ matrix_hookshot_appservice_port }}"
   - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_metrics_port }}:{{ matrix_hookshot_metrics_port }}"
   - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_webhook_port }}:{{ matrix_hookshot_webhook_port }}"
-  - "{{ matrix_playbook_service_host_bind_interface_prefix }}{{ matrix_hookshot_provisioning_port }}:{{ matrix_hookshot_provisioning_port }}"
 
 matrix_hookshot_container_http_host_bind_ports: "{{ matrix_hookshot_container_http_host_bind_ports_defaultmapping if matrix_playbook_service_host_bind_interface_prefix else [] }}"
 
@@ -2328,8 +2325,6 @@ matrix_hookshot_container_labels_traefik_docker_network: "{{ matrix_playbook_rev
 matrix_hookshot_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_hookshot_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 
-matrix_hookshot_provisioning_enabled: "{{ matrix_hookshot_provisioning_secret and matrix_dimension_enabled }}"
-
 matrix_hookshot_metrics_enabled: "{{ prometheus_enabled or matrix_metrics_exposure_enabled }}"
 
 matrix_hookshot_metrics_proxying_enabled: "{{ matrix_hookshot_metrics_enabled and matrix_metrics_exposure_enabled }}"
@@ -3204,6 +3199,9 @@ matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_playbook
 matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
 matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 
+#The salt is size restricted here as a maximum salt size of 16 characters exists due to the functions used.
+matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'draupnir.httpmod', rounds=655555) | to_uuid }}" # noqa var-naming
+
 ######################################################################
 #
 # /matrix-bot-draupnir
@@ -3314,7 +3312,7 @@ backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
 
 backup_borg_base_path: "{{ matrix_base_data_path }}/backup-borg"
 
-backup_borg_username: "{{ matrix_user_username }}"
+backup_borg_username: "{{ matrix_user_name }}"
 backup_borg_uid: "{{ matrix_user_uid }}"
 backup_borg_gid: "{{ matrix_user_gid }}"
 
@@ -3743,7 +3741,7 @@ jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
 jitsi_uid: "{{ matrix_user_uid }}"
 jitsi_gid: "{{ matrix_user_gid }}"
 
-jitsi_user_username: "{{ matrix_user_username }}"
+jitsi_user_username: "{{ matrix_user_name }}"
 
 jitsi_web_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else jitsi_web_container_image_registry_prefix_upstream_default }}"
 
@@ -4795,7 +4793,7 @@ matrix_client_fluffychat_self_check_validate_certificates: "{{ matrix_playbook_s
 
 matrix_synapse_enabled: "{{ matrix_homeserver_implementation == 'synapse' }}"
 
-matrix_synapse_username: "{{ matrix_user_username }}"
+matrix_synapse_username: "{{ matrix_user_name }}"
 matrix_synapse_uid: "{{ matrix_user_uid }}"
 matrix_synapse_gid: "{{ matrix_user_gid }}"
 
@@ -4837,6 +4835,8 @@ matrix_synapse_container_additional_networks_auto: |
       ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
       +
       ([matrix_ma1sd_container_network] if (matrix_ma1sd_enabled and matrix_synapse_account_threepid_delegates_msisdn == matrix_synapse_account_threepid_delegates_msisdn_mas1sd_url and matrix_synapse_container_network != matrix_ma1sd_container_network) else [])
+      +
+      ([matrix_bot_draupnir_container_network] if (matrix_synapse_ext_synapse_http_antispam_enabled and matrix_synapse_ext_synapse_http_antispam_config_base_url == matrix_bot_draupnir_synapse_http_antispam_config_base_url and matrix_bot_draupnir_container_network != matrix_synapse_container_network) else [])
     ) | unique
   }}
 
@@ -4932,6 +4932,13 @@ matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_
 # Disable creation of media repository Synapse worker when using media-repo
 matrix_synapse_ext_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
 
+matrix_synapse_ext_synapse_http_antispam_enabled: "{{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"
+matrix_synapse_ext_synapse_http_antispam_config_base_url: "{{ matrix_bot_draupnir_synapse_http_antispam_config_base_url if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+matrix_synapse_ext_synapse_http_antispam_config_authorization: "{{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else '' }}"
+matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks: "{{ matrix_bot_draupnir_synapse_http_antispam_config_enabled_callbacks if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else [] }}"
+matrix_synapse_ext_synapse_http_antispam_config_fail_open: "{{ matrix_bot_draupnir_synapse_http_antispam_config_fail_open if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else {} }}"
+matrix_synapse_ext_synapse_http_antispam_config_async: "{{ matrix_bot_draupnir_synapse_http_antispam_config_async if matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled else {} }}"
+
 # Enable Synapse statistics reporting when using synapse-usage-exporter
 matrix_synapse_report_stats: "{{ matrix_synapse_usage_exporter_enabled }}"
 matrix_synapse_report_stats_endpoint: "{{ (('http://' + matrix_synapse_usage_exporter_identifier + ':' + matrix_synapse_usage_exporter_container_port | string + '/report-usage-stats/push') if matrix_synapse_usage_exporter_enabled else '') }}"
@@ -5338,7 +5345,7 @@ prometheus_node_exporter_gid: "{{ matrix_user_gid }}"
 
 prometheus_node_exporter_hostname: "{{ matrix_server_fqn_matrix }}"
 
-prometheus_node_exporter_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else prometheus_node_exporter_docker_image_registry_prefix_upstream_default }}"
+prometheus_node_exporter_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else prometheus_node_exporter_container_image_registry_prefix_upstream_default }}"
 
 prometheus_node_exporter_container_network: "{{ matrix_monitoring_container_network }}"
 
@@ -5376,7 +5383,7 @@ prometheus_postgres_exporter_gid: "{{ matrix_user_gid }}"
 
 prometheus_postgres_exporter_hostname: "{{ matrix_server_fqn_matrix }}"
 
-prometheus_postgres_exporter_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else prometheus_postgres_exporter_docker_image_registry_prefix_upstream_default }}"
+prometheus_postgres_exporter_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else prometheus_postgres_exporter_container_image_registry_prefix_upstream_default }}"
 
 prometheus_postgres_exporter_container_network: "{{ matrix_monitoring_container_network }}"
 
@@ -6332,6 +6339,8 @@ matrix_element_call_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'htt
 
 matrix_element_call_container_network: "{{ matrix_addons_container_network }}"
 
+matrix_element_call_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_element_call_container_image_registry_prefix_upstream_default }}"
+
 matrix_element_call_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_element_call_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
 
 matrix_element_call_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
@@ -6367,6 +6376,8 @@ livekit_server_path_prefix: "/livekit-server"
 
 livekit_server_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
+livekit_server_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else livekit_server_container_image_registry_prefix_upstream_default }}"
+
 livekit_server_container_network: "{{ matrix_addons_container_network }}"
 livekit_server_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if (livekit_server_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else [] }}"
 
@@ -6470,6 +6481,8 @@ matrix_livekit_jwt_service_path_prefix: "/livekit-jwt-service"
 
 matrix_livekit_jwt_service_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 
+matrix_livekit_jwt_service_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_livekit_jwt_service_container_image_registry_prefix_upstream_default }}"
+
 matrix_livekit_jwt_service_container_network: "{{ matrix_addons_container_network }}"
 
 matrix_livekit_jwt_service_container_additional_networks_auto: |

i18n/README.md

@@ -20,7 +20,7 @@ Currently, we support translation of:
 Organization of this `i18n` directory is as follows:
 
 - [PUBLISHED_LANGUAGES](PUBLISHED_LANGUAGES): a list of languages that we publish translations for (in the [translations/](translations/) directory)
-- [.gitignore](.gitignore): a list of files and directories to ignore in the `i18n` directory. We intentionaly ignore translated results (`translations/<language>` directories) for languages taht are still in progress. We only [publish translations in a new language](#publish-translations-in-a-new-language) when the translation progresses beyond a certain threshold.
+- [.gitignore](.gitignore): a list of files and directories to ignore in the `i18n` directory. We intentionally ignore translated results (`translations/<language>` directories) for languages that are still in progress. We only [publish translations in a new language](#publish-translations-in-a-new-language) when the translation progresses beyond a certain threshold.
 - [justfile](justfile): a list of recipes for [just](https://github.com/casey/just) command runner
 - [requirements.txt](requirements.txt): a list of Python packages required to work with translations
 - [translation-templates/](translation-templates/): a list of English translation templates - strings extracted from Markdown files

i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po

@@ -435,7 +435,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
-msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
+msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
@@ -535,7 +535,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
-msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:"
+msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:"
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:407

i18n/locales/jp/LC_MESSAGES/docs/configuring-playbook-matrix-authentication-service.po

@@ -434,7 +434,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
-msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
+msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
@@ -534,7 +534,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
-msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:"
+msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:"
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:407

i18n/requirements.txt

@@ -1,8 +1,8 @@
 alabaster==1.0.0
 babel==2.17.0
-certifi==2025.4.26
-charset-normalizer==3.4.1
-click==8.1.8
+certifi==2025.6.15
+charset-normalizer==3.4.2
+click==8.2.1
 docutils==0.21.2
 idna==3.10
 imagesize==1.4.1
@@ -16,9 +16,9 @@ myst-parser==4.0.1
 packaging==25.0
 Pygments==2.19.1
 PyYAML==6.0.2
-requests==2.32.3
-setuptools==79.0.1
-snowballstemmer==2.2.0
+requests==2.32.4
+setuptools==80.9.0
+snowballstemmer==3.0.1
 Sphinx==8.2.3
 sphinx-intl==2.3.1
 sphinx-markdown-builder==0.6.8
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.4.0
+urllib3==2.5.0

i18n/translation-templates/docs/configuring-playbook-matrix-authentication-service.pot

@@ -430,7 +430,7 @@ msgid "We **don't** ask you to [run the `syn2mas` migration advisor command](htt
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:340
-msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
+msgid "You can invoke the `syn2mas` tool via the playbook by running the playbook's `matrix-authentication-service-mas-cli-syn2mas` tag. We recommend first doing a [dry-run](#performing-a-syn2mas-dry-run) and then a [real migration](#performing-a-real-syn2mas-migration)."
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:342
@@ -530,7 +530,7 @@ msgid "you've performed a [syn2mas dry-run](#performing-a-syn2mas-dry-run) and d
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:401
-msgid "To perform a real migration, run the `matrix-authentication-service-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_dry_run` variable:"
+msgid "To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2mas` tag **without** the `matrix_authentication_service_syn2mas_migrate_dry_run` variable:"
 msgstr ""
 
 #: ../../../docs/configuring-playbook-matrix-authentication-service.md:407

inventory/host_vars/matrix.finallycoffee.eu/postgresql.yml

@@ -0,0 +1,17 @@
+---
+postgres_max_connections: 400
+postgres_shared_buffers: 3145728 # (3072 MiB)
+postgres_effective_cache_size: 8388608 # (8192 MiB)
+postgres_container_shm_size: 1G
+postgres_maintenance_work_mem: 786432 # (768 MiB)
+postgres_wal_buffers: 16384 # (16 MiB)
+postgres_random_page_cost: 1.3
+postgres_work_mem: 4096
+postgres_huge_pages: try
+postgres_min_wal_size: 524288 # (512 MiB)
+postgres_max_wal_size: 4194304 # (4GiB)
+postgres_max_worker_processes: 8
+postgres_max_parallel_workers: 8
+postgres_max_parallel_workers_per_gather: 4
+postgres_max_parallel_maintenance_workers: 4
+

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,386 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+matrix_playbook_ssl_enabled: true
+traefik_config_entrypoint_web_secure_enabled: false
+traefik_container_web_host_bind_port: '127.0.10.1:8080'
+traefik_config_entrypoint_web_forwardedHeaders_insecure: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.10.2:8448'
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
+  forwardedHeaders:
+    insecure: true
+
+matrix_synapse_metrics_proxying_enabled: true
+matrix_sliding_sync_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_playbook_docker_installation_enabled: false
+
+#matrix_dimension_scheme: https
+
+devture_timesync_installation_enabled: false
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+devture_systemd_service_manager_up_verification_delay_seconds: 300
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+# matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+#matrix_synapse_rc_federation:
+#  window_size: 1000
+#  sleep_limit: 50
+#  sleep_delay: 500
+#  reject_limit: 50
+#  concurrent: 10
+#matrix_synapse_rc_message:
+#  per_second: 0.5
+#  burst_count: 25
+#matrix_synapse_rc_joins:
+#  local:
+#    per_second: 0.5
+#    burst_count: 20
+#  remote:
+#    per_second: 0.05
+#    burst_count: 20
+#matrix_synapse_rc_joins_per_room:
+#  per_second: 1
+#  burst_count: 10
+#matrix_synapse_rc_invites:
+#  per_room:
+#    per_second: 0.5
+#    burst_count: 10
+#  per_user:
+#    per_second: 0.006
+#    burst_count: 10
+#  per_issuer:
+#    per_second: 2
+#    burst_count: 20
+
+## Synapse cache tuning
+#matrix_synapse_caches_global_factor: 1.5
+#matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 1
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+#matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+#matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+#matrix_synapse_ext_password_provider_rest_auth_enabled: true
+#matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+#matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+#matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+#matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_min: 10
+      cp_max: 30
+      cp_reconnect: True
+
+#  caches:
+#    per_cache_factors:
+#      device_id_exists: 3
+#      get_users_in_room: 4
+#      _get_joined_users_from_context: 4
+#      _get_joined_profile_from_event_id: 3
+#      "*stateGroupMembersCache*": 2
+#      _matches_user_in_member_list: 3
+#      get_users_who_share_room_with_user: 3
+#      is_interested_in_room: 2
+#      get_user_by_id: 1.5
+#      room_push_rule_cache: 1.5
+#    expire_caches: true
+#    cache_entry_ttl: 45m
+#    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+#matrix_synapse_admin_enabled: true
+#matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: false
+#matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+#matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+#matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+#matrix_dimension_configuration_extension_yaml: |
+#    telegram:
+#        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+matrix_bridges_encryption_enabled: true
+matrix_bridges_encryption_default: true
+matrix_appservice_double_puppet_enabled: true
+
+matrix_mautrix_slack_enabled: true
+matrix_mautrix_slack_appservice_bot_username: slack
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: false
+#matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+#matrix_mx_puppet_instagram_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_instagram_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    presence:
+#        enabled: true
+#        interval: 3000
+#
+#
+##
+## mx-puppet-discord configuration
+##
+matrix_mx_puppet_discord_enabled: false
+#matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+#matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+#matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+#matrix_mx_puppet_discord_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_discord_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: false
+#matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+#matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+#matrix_mx_puppet_slack_oauth_redirect_path: '/bridge/slack/oauth'
+#matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+#matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+#matrix_mx_puppet_slack_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+#matrix_mx_puppet_slack_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_auth_header_logo_url: "welcome/images/logo.png"
+matrix_client_element_branding_welcome_background_url: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcome_background_url }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_auth_header_logo_url }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_room_directory_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+#matrix_ma1sd_configuration_extension_yaml: |
+#    hashing:
+#      enabled: true
+#      pepperLength: 20
+#      rotationPolicy: per_requests
+#      requests: 10
+#      hashStorageType: sql
+#      algorithms:
+#          - none
+#          - sha256
+
+
+# Matrix mail notification relay setup
+exim_relay_enabled: true
+exim_relay_sender_address: "system-matrix@{{ matrix_domain }}"
+exim_relay_relay_use: true
+exim_relay_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+exim_relay_relay_host_port: 587
+exim_relay_relay_auth: true
+exim_relay_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+exim_relay_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,105 @@
+$ANSIBLE_VAULT;1.1;AES256
+61626165616330663863393762663031623164636666346339343636363035663463636135656533
+3338383762633130346536613334626164306464333835380a353264386431326437616234393165
+61323266623432353731373634353339393936643130346434346530336563326533386331646533
+3030663037666664360a346636343966663733663836633736316630663230613137663166336336
+62383131343934353635633261323036613231646439626162306238313132316664653237653533
+34376464633335626133376138343139653561613232333133393535393137653964633561313761
+62653632663432313936336231613832626362343737383863343562636437646439666638383733
+63313538616430393536356534303164633332653538643264353834393465373538643963343039
+31366661636263353936363931343938323563626538303133366263363533393564386466666361
+38666264643931336563633663663538616431313231336364653631383261326537336162313837
+32373730343538653862326636303264353737353139663161393762383138393531363264633531
+32383661396537636635666665316630663032333932393131336235663938623932383230343830
+31613563656663343830353438396535663864306531333239623738653838633331386465353466
+37366363643334623165373562363465636161396437333966303864663033636665623564613565
+39643635333636363132633462386536393634303838343835363633626162363236653839376230
+34666430363933336335323330386339656339356637653931643565303166303436333562333361
+38633838636337316137343564613338346239663933356130396562306164376430363233373632
+66303430303034353262343565373139333535636231623062633537653636376136656138623637
+34396562376233643234643436323433336436393163363935643033643833386631633762343162
+33633136316635326532343430383437366139333830373731636265386234356164393066333663
+37663934633437653364356231383934313132343162323436373339393964656336646164333533
+37626336616565323237633736653433316238366261303465343466643363303131376665346231
+62623133336561313732393837323330643138663830353662366139373366383436323530333732
+38623633666537643038636163303164653866343934616236343733386533663936303637326462
+63633137626632613736313333643363373963306161353431396261646635383930366166363135
+66353962643638616635376137346439383339303236323761366439306638623762343966623035
+30323435396533633238313962306366343362393339616131393839653565666666313833313433
+66386362353061323465666563616230336565663339646162623634643330646239343934373636
+33363061316637613266373831376133303337616639643239393835636138323266613134633633
+65356634636562313961643865353334306131333030373566666535373039343337613964306465
+32393163666232383266363763336132653765316162663961653933633832626533646537376136
+64613133373135616531343837616264656461313963646565656465656165303534343834663734
+62313865366634656265613264623234653165633839323030643333643139323531643637393439
+61656561303732663834336334643765616234373063306236303538646663316131663933323236
+63396263663034613832653361383061336132663032646133323931386562653661346264363439
+35636463613635316239363061363836623564303933373964363365626133373039643264666530
+30343165366365333339366639353033666634613162363164333433633563613461666532323566
+63303836353331326439646139653738633866356463303264623166306262393766346338373537
+62373865303264633663666333323135343530323434383835393763363739636135646538336364
+33376438636264393635383163353431336463396263333239626566653262373434316532343633
+61363061623430636462393135316564636536633963393338383334643134366232396564316635
+31373963633164653235643665653863303831663065383433363036633962633462393839363235
+36323562323634643639643561636261643136313633656236656566353539343063386162383234
+38653461633561353639336531353333393262633065386539353031386332343739656261653238
+31326434386130336465613233663563323035666631303137313665336566363134306638663265
+62353430353934633965316636643566653235366230323139656539646539626236616138313362
+31643437366563383164306331303662356562616366366237613633666534623765323034396534
+38326537376265343065313738316433353266633539313134323735383864623663323662633662
+65613862623766343736343031636238356161343036363566646635643334373030386434646135
+64336263356663376564333935623135396231623165326437393563333361356435346634616665
+66376231666633643936323264323565346637343538366138616631383964376632613437323163
+30366537326533363939643237376538366230313263623139323662396633343239343066313564
+63356533373338653030313038653137666434323737323763623136666530313035356634666633
+35643530333632633664643361633964666432336631636561343739646266653634353963323534
+35663731616539646332393837633566393734643033623937316661653839663937303666376339
+65653036373565323435636637373231316265393231333734356462356635346531366530316262
+37643632346164366561353236373633623464643536373361666263303739356335333934313537
+31373035633333313065613162346133663736313265376230393135353431343765306539633032
+63353338656231376666613138353235613362643334653537353237653139396533363630303033
+36363039613232666266333535343466336263663762623865376532326262666332303361356266
+65646337323037383564666639363636333135323265633932333264346363326466343234653936
+65656535343663356562613064323138656338633064633462313864616665653230626638373939
+61623862386364396335323836396664653731633365623936383435383330643038386665653238
+62643961626464313666343431303064303338396135643432383730613161336435306262653132
+38373432393564333562363761386239343366343465386638643737663561633837303734333835
+66366465633164346365356637313534376136303630666432613664363030323336316639393339
+61383565316432383633383832363439316366373536336639643961333663303631633464633238
+31396331386163386261393565346266636436386465326639326363663930666665306637393263
+65363763336561316566363164626466643637343731666530386432343431653634353336376461
+33366233366533656334666138346661323463633133303933626163343666623761613961346231
+35383232306336386665313264393933646631656333613138353532666133366339656564353865
+35353330393131366137663466333363653866323936353734306361633163626537363561346332
+65363231623766666638383661323964633034366261633035303861383135383235656465373738
+66373762626130356633626436366533626633353836346239666333353262656665636330626561
+66613165313137373766623464646330643662393033396266643662653136393233336265353430
+38376130663634333133353763383264623133373230323938316638323864643430386633376564
+65356264623766666637353866326638613435663830623063343439373030663663623432393863
+33343134626465313230646239646537653938613938633736346235323438393237363639373932
+61376231386265366132333965333133343737623066383534666633396635356537623432623132
+62656431323033633265626265613736383435376132613532333037613834313130626361373533
+39653361323366636335343865343737346264636433386332666332376662343634356630316135
+30366163333561353338663666363738313732303031333637636266623530623261306335616233
+31346436346663643464626134313338346439323838343663613135663834666632653866346431
+64376566343963346664366363353636636231386530363961333131383133323163396265313563
+35393534343664336237336231313831333739633662306636373338663434613231306538343865
+61613063306432623932616534363865333639396232383562396161383539363336303463323731
+63313239666538306239663864653839616132363662336331636262353061663136386331306131
+66336361396239383638623463663635613364366433343739356331633330633561653038633530
+38303832363663656432396636613134613965373639353731366138323435326135626339353263
+39313032333966376135653664623666626233613530646534636362646237303465653931666563
+65343936623462633162343334643335623834323364646362633232346237306337303430616363
+61633930343132303962653432636230343331343332616434323035633963623138653737306566
+34353135623134626237653165663738633435656439393234643432353535646439313638653664
+39326437393166633937663261336330656266303431383437626163623163303133323139313563
+39383664633739373664653131326665306533633162373535396464663637653662336237656161
+39633138383166316437313237303733336365343066366462643165643865653039343037633263
+61613730393666636530633231396165363033313161663463323861663262383234643236643038
+61633138323664613061663538383333323566393262303633623136613166636361306562356163
+66363033373262396461316438643238396633353962616362623363303035353765393164616230
+35303664616539363639373830623337396239626539613761613839363638326664306465313762
+34646634326338306430653065343231366430666534306331336532346535663737633639363834
+34623539616339363535633365306230663264626234363637366436353833663136303032623338
+32633761333165393231303165393234643363313839373339666433666130313035643836626531
+63356638666264333163

inventory/hosts

@@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+37366366376266633033656235333633346134336666323465356666353363323130366365393534
+3365373534643965613139656465323663393862336163640a623663366631323035346632353030
+37396264356137336535363663323935646464333138653035623562346438643139323439366132
+3364356364353738660a616638393635333938373838316631396536386134333831613831343732
+39333066363566643864343661646633326134633039316636306332303063366665373638353735
+34386339633566663038613538316233306238383734623363623666346261336562663039373264
+31313061616432643761633139643039636164613136643264663131666166646531366335346164
+34303339393334616434633736383763653035386333363137336431363034653263306261646661
+37323563373436333736633836666563646162303232393932346430373039346431356166393930
+37616639333038653936633163323139396666303638663039623633633832333737633764643863
+61383763613865323061636662663837656339373335643066333964393362303766366533303332
+63646335356639366130393530373936636330633132356639626531303839656166346263613733
+31333362316537323934306434393630656161353465636434303538643835396361613563663437
+34383765626235356530396433643037306233663263623664636163326132316237386231323165
+65643235356434626161396136303563633836313961343664653339623862633338313963333237
+63663961636661383634343532356234626531373938313164373561386139366338393066623036
+36633137623361626161313961386630623635323336353036623165316632353333383162623531
+61353138613030343636326166303762656264643834396330313563616439323265333039323566
+64356538346662613836356462613536656636373065643734346166353466363266353939393535
+66333739623735656463373530646663303535643562363534306438323135353763303363376135
+37653566306461396563333135633235626130313231636165383438376237383663373939353637
+30366661303131333438376363366131613361326635366264363064633034376230353137663030
+346238306532363635623732396366633538

requirements.txt

@@ -0,0 +1,11 @@
+ansible==11.3.0
+ansible-core==2.18.3
+cffi==1.17.1
+cryptography==44.0.2
+Jinja2==3.1.6
+MarkupSafe==3.0.2
+packaging==24.2
+passlib==1.7.4
+pycparser==2.22
+PyYAML==6.0.2
+resolvelib==1.0.1

requirements.yml

@@ -22,13 +22,13 @@
   version: v4.98.1-r0-2-0
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.0-security-01-0
+  version: v11.6.3-0
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10184-0
+  version: v10314-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.8.4-5
+  version: v1.9.0-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
   version: v2.11.0-5
@@ -49,13 +49,13 @@
   version: v17-3
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v2.55.1-3
+  version: v3.4.1-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.9.1-0
+  version: v1.9.1-3
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.14.0-9
+  version: v0.17.1-1
   name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.4.0-0
@@ -67,11 +67,11 @@
   version: v1.0.0-0
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.3.6-0
+  version: v3.4.1-1
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-0
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v8.0.1-3
+  version: v8.1.2-0
   name: valkey

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.4.23
+matrix_alertmanager_receiver_version: 2025.5.21
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-alertmanager-receiver/tasks/install.yml

@@ -10,8 +10,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - path: "{{ matrix_alertmanager_receiver_base_path }}"
       when: true
@@ -26,16 +26,16 @@
     content: "{{ matrix_alertmanager_receiver_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_alertmanager_receiver_config_path }}/config.yml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-alertmanager-receiver support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_alertmanager_receiver_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - labels
 
@@ -60,7 +60,7 @@
         dest: "{{ matrix_alertmanager_receiver_container_src_path }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_alertmanager_receiver_git_pull_results
 
     - name: Ensure matrix-alertmanager-receiver container image is built

roles/custom/matrix-appservice-double-puppet/tasks/install.yml

@@ -9,8 +9,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - path: "{{ matrix_appservice_double_puppet_base_path }}"
       when: true
@@ -23,5 +23,5 @@
     content: "{{ matrix_appservice_double_puppet_registration_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_double_puppet_config_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.2.0"
+matrix_appservice_draupnir_for_all_version: "v2.3.1"
 
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -50,7 +50,7 @@ matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
-# This room is diffrent for Appservice Mode compared to normal mode.
+# This room is different for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
 matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming
 

roles/custom/matrix-appservice-draupnir-for-all/tasks/setup_install.yml

@@ -16,8 +16,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_appservice_draupnir_for_all_base_path }}", when: true}
     - {path: "{{ matrix_appservice_draupnir_for_all_config_path }}", when: true}
@@ -44,7 +44,7 @@
     version: "{{ matrix_appservice_draupnir_for_all_docker_image.split(':')[1] }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_appservice_draupnir_for_all_git_pull_results
   when: "matrix_appservice_draupnir_for_all_container_image_self_build | bool"
 
@@ -64,24 +64,24 @@
     content: "{{ matrix_appservice_draupnir_for_all_configuration_appservice | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_draupnir_for_all_config_path }}/production-appservice.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-draupnir-for-all bot config installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_draupnir_for_all_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_draupnir_for_all_config_path }}/production-bots.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-draupnir-for-all registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_draupnir_for_all_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_draupnir_for_all_config_path }}/draupnir-for-all-registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-draupnir-for-all container network is created
   community.general.docker_network:

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 0.15.0
+matrix_authentication_service_version: 0.17.1
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -559,29 +559,34 @@ matrix_authentication_service_container_labels_additional_labels: ''
 
 matrix_authentication_service_syn2mas_start_wait_time_seconds: 5
 
-matrix_authentication_service_syn2mas_dry_run: false
+# The syn2mas sub-command to run.
+# Valid values: migrate, check
+matrix_authentication_service_syn2mas_subcommand: migrate
 
-# renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service/syn2mas
-matrix_authentication_service_syn2mas_version: 0.15.0
-matrix_authentication_service_syn2mas_container_image: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix }}element-hq/matrix-authentication-service/syn2mas:{{ matrix_authentication_service_syn2mas_version }}"
-matrix_authentication_service_syn2mas_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream }}"
-matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}"
-matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default: ghcr.io/
-matrix_authentication_service_syn2mas_container_image_force_pull: "{{ matrix_authentication_service_syn2mas_container_image.endswith(':latest') }}"
-
-matrix_authentication_service_syn2mas_container_image_self_build: "{{ matrix_authentication_service_container_image_self_build }}"
-
-matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
+# Whether to pass a `--dry-run` flag to the 'migrate' sub-command.
+# See `matrix_authentication_service_syn2mas_subcommand`
+matrix_authentication_service_syn2mas_migrate_dry_run: false
 
 # Path to Synapse's homeserver.yaml configuration file.
 matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
 
-# Additional arguments passed to the syn2mas process.
+matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
+
+# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
+# Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
 #
 # Example:
-# matrix_authentication_service_syn2mas_process_extra_arguments:
-#   - "--upstreamProviderMapping oidc-keycloak:01H8PKNWKKRPCBW4YGH1RWV279"
-matrix_authentication_service_syn2mas_process_extra_arguments: []
+# matrix_authentication_service_syn2mas_command_extra_options:
+#   - "--something"
+matrix_authentication_service_syn2mas_command_extra_options: []
+
+# Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas migrate|check [OPTIONS]`).
+# Also see: `matrix_authentication_service_syn2mas_command_extra_options`
+#
+# Example:
+# matrix_authentication_service_syn2mas_subcommand_extra_options:
+#   - "--dry-run"
+matrix_authentication_service_syn2mas_subcommand_extra_options: []
 
 ########################################################################################
 #                                                                                      #

roles/custom/matrix-authentication-service/tasks/install.yml

@@ -9,8 +9,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_authentication_service_base_path }}", when: true}
     - {path: "{{ matrix_authentication_service_bin_path }}", when: true}
@@ -38,16 +38,16 @@
     content: "{{ matrix_authentication_service_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_authentication_service_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure Matrix Authentication Service support files created
   ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - src: "{{ role_path }}/templates/env.j2"
       dest: "{{ matrix_authentication_service_config_path }}/env"
@@ -83,7 +83,7 @@
         dest: "{{ matrix_authentication_service_container_src_files_path }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
 
     - name: Ensure Matrix Authentication Service container image is built
       ansible.builtin.command:

roles/custom/matrix-authentication-service/tasks/main.yml

@@ -9,18 +9,33 @@
     - setup-matrix-authentication-service
     - install-all
     - install-matrix-authentication-service
+    - matrix-authentication-service-mas-cli-syn2mas
   block:
     - when: matrix_authentication_service_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 
+- tags:
+    - setup-all
+    - setup-matrix-authentication-service
+    - install-all
+    - install-matrix-authentication-service
+  block:
     - when: matrix_authentication_service_enabled | bool
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
 
+# The tag 'matrix-authentication-service-syn2mas' has been replaced by the tag 'matrix-authentication-service-mas-cli-syn2mas'.
 - tags:
     - matrix-authentication-service-syn2mas
+  block:
+    - name: Warn about deprecated tag
+      ansible.builtin.fail:
+        msg: "WARNING: The 'matrix-authentication-service-syn2mas' tag has been replaced by 'matrix-authentication-service-mas-cli-syn2mas'. Please update your command."
+
+- tags:
+    - matrix-authentication-service-mas-cli-syn2mas
   block:
     - when: matrix_authentication_service_enabled | bool
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/syn2mas.yml"
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/mas_cli_syn2mas.yml"
 
 - tags:
     - matrix-authentication-service-mas-cli-doctor

roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml

@@ -6,7 +6,7 @@
 ---
 
 - ansible.builtin.set_fact:
-    matrix_authentication_service_syn2mas_dry_run: "{{ matrix_authentication_service_syn2mas_dry_run | bool }}"
+    matrix_authentication_service_syn2mas_migrate_dry_run: "{{ matrix_authentication_service_syn2mas_migrate_dry_run | bool }}"
 
 - name: Abort, if not using Synapse
   when: not matrix_synapse_enabled | bool
@@ -33,41 +33,8 @@
     msg: "The Synapse homeserver config file does not exist at the specified path: {{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }}"
   when: not matrix_authentication_service_syn2mas_synapse_config_stat.stat.exists
 
-- name: Ensure Matrix Authentication Service syn2mas container image is pulled
-  community.docker.docker_image:
-    name: "{{ matrix_authentication_service_syn2mas_container_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_authentication_service_syn2mas_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_authentication_service_syn2mas_container_image_force_pull }}"
-  when: "not matrix_authentication_service_syn2mas_container_image_self_build | bool"
-  register: result
-  retries: "{{ devture_playbook_help_container_retries_count }}"
-  delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
-
-- when: "matrix_authentication_service_syn2mas_container_image_self_build | bool"
-  block:
-    - name: Ensure Matrix Authentication Service repository is present on self-build
-      ansible.builtin.git:
-        repo: "{{ matrix_authentication_service_container_repo }}"
-        version: "{{ matrix_authentication_service_container_repo_version }}"
-        dest: "{{ matrix_authentication_service_container_src_files_path }}"
-        force: "yes"
-      become: true
-      become_user: "{{ matrix_user_username }}"
-      register: matrix_authentication_service_git_pull_results
-
-    - name: Ensure Matrix Authentication Service syn2mas container image is built
-      ansible.builtin.command:
-        cmd: |-
-          {{ devture_systemd_docker_base_host_command_docker }} buildx build
-          --tag={{ matrix_authentication_service_syn2mas_container_image }}
-          --file={{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas/Dockerfile
-          {{ matrix_authentication_service_container_src_files_path }}/tools/syn2mas
-      changed_when: true
-
 - name: Ensure Synapse is stopped
-  when: not matrix_authentication_service_syn2mas_dry_run | bool
+  when: not matrix_authentication_service_syn2mas_migrate_dry_run | bool
   ansible.builtin.service:
     name: matrix-synapse
     state: stopped
@@ -81,14 +48,19 @@
 #
 # Still, it's probably safer to stop it anyway.
 - name: Ensure Matrix Authentication Service is stopped
+  when: not matrix_authentication_service_syn2mas_migrate_dry_run | bool
   ansible.builtin.service:
     name: matrix-authentication-service
     state: stopped
   register: matrix_authentication_service_mas_ensure_stopped_result
 
+# This is similar to the command found in the systemd service file.
+#
+# We cannot use `docker exec` with the existing Matrix Authentication Service container here,
+# because we need an additional mount (the Synapse homeserver config).
 - name: Generate syn2mas migration command
   ansible.builtin.set_fact:
-    matrix_authentication_service_syn2mas_migration_command: >-
+    matrix_authentication_service_mas_cli_syn2mas_command: >-
       {{ devture_systemd_docker_base_host_command_docker }} run
       --rm
       --name=matrix-authentication-service-syn2mas
@@ -96,14 +68,16 @@
       --user={{ matrix_authentication_service_uid }}:{{ matrix_authentication_service_gid }}
       --cap-drop=ALL
       --network={{ matrix_authentication_service_syn2mas_container_network }}
+      --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro
+      --mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro
       --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro
-      --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/mas-config.yaml,ro
-      {{ matrix_authentication_service_syn2mas_container_image }}
-      --command=migrate
-      --synapseConfigFile=/homeserver.yaml
-      --masConfigFile=/mas-config.yaml
-      {{ matrix_authentication_service_syn2mas_process_extra_arguments | join(' ') }}
-      {% if matrix_authentication_service_syn2mas_dry_run | bool %}--dryRun{% endif %}
+      {{ matrix_authentication_service_container_image }}
+      syn2mas
+      --synapse-config=/homeserver.yaml
+      {{ matrix_authentication_service_syn2mas_command_extra_options | join(' ') }}
+      {{ matrix_authentication_service_syn2mas_subcommand }}
+      {{ '--dry-run' if matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_syn2mas_subcommand == 'migrate' else '' }}
+      {{ matrix_authentication_service_syn2mas_subcommand_extra_options | join(' ') }}
   tags:
     - skip_ansible_lint
 
@@ -111,33 +85,33 @@
 # See: https://ansibledaily.com/print-to-standard-output-without-escaping/
 #
 # We want to run `debug: msg=".."`, but that dumps it as JSON and escapes double quotes within it,
-# which ruins the command (`matrix_authentication_service_syn2mas_migration_command`).
+# which ruins the command (`matrix_authentication_service_mas_cli_syn2mas_command`).
 - name: Note about syn2mas migration
   ansible.builtin.set_fact:
     dummy: true
   with_items:
     - >-
-        Running syn2mas migration using the following command: `{{ matrix_authentication_service_syn2mas_migration_command }}`.
-        If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`) and run the command manually.
+        Running syn2mas migration using the following command: `{{ matrix_authentication_service_mas_cli_syn2mas_command }}`.
+        If this crashes, you can stop Synapse (`systemctl stop matrix-synapse`), start Matrix Authentication Service (`systemctl start matrix-authentication-service`) and run the command manually.
 
 - name: Perform syn2mas migration
   ansible.builtin.command:
-    cmd: "{{ matrix_authentication_service_syn2mas_migration_command }}"
-  register: matrix_authentication_service_syn2mas_migration_command_result
-  changed_when: matrix_authentication_service_syn2mas_migration_command_result.rc == 0
+    cmd: "{{ matrix_authentication_service_mas_cli_syn2mas_command }}"
+  register: matrix_authentication_service_mas_cli_syn2mas_command_result
+  changed_when: matrix_authentication_service_mas_cli_syn2mas_command_result.rc == 0
 
 - name: Print syn2mas migration command result
   ansible.builtin.debug:
-    var: matrix_authentication_service_syn2mas_migration_command_result
+    var: matrix_authentication_service_mas_cli_syn2mas_command_result
 
 - name: Ensure Synapse is started (if it previously was)
-  when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_synapse_ensure_stopped_result.changed"
+  when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_cli_syn2mas_command_result.changed"
   ansible.builtin.service:
     name: matrix-synapse
     state: started
 
 - name: Ensure Matrix Authentication Service is started (if it previously was)
-  when: "not matrix_authentication_service_syn2mas_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"
+  when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"
   ansible.builtin.service:
     name: matrix-authentication-service
     state: started

roles/custom/matrix-authentication-service/tasks/util/prepare_key.yml

@@ -13,4 +13,4 @@
     cmd: "{{ private_key_definition.generation_command | replace('__KEY_FILE_PATH__', matrix_authentication_service_private_key_file_path) }}"
     creates: "{{ matrix_authentication_service_private_key_file_path }}"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"

roles/custom/matrix-authentication-service/tasks/validate_config.yml

@@ -44,3 +44,11 @@
   with_items:
     - {'old': 'matrix_authentication_service_container_image_name_prefix', 'new': 'matrix_authentication_service_container_image_registry_prefix'}
     - {'old': 'matrix_authentication_service_syn2mas_container_image_name_prefix', 'new': 'matrix_authentication_service_syn2mas_container_image_registry_prefix'}
+    - {'old': 'matrix_authentication_service_syn2mas_container_image', 'new': '<removed>'}
+    - {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix', 'new': '<removed>'}
+    - {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream', 'new': '<removed>'}
+    - {'old': 'matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default', 'new': '<removed>'}
+    - {'old': 'matrix_authentication_service_syn2mas_container_image_force_pull', 'new': '<removed>'}
+    - {'old': 'matrix_authentication_service_syn2mas_container_image_self_build', 'new': '<removed>'}
+    - {'old': 'matrix_authentication_service_syn2mas_process_extra_arguments', 'new': 'matrix_authentication_service_syn2mas_command_extra_options or matrix_authentication_service_syn2mas_subcommand_extra_options'}
+    - {'old': 'matrix_authentication_service_syn2mas_dry_run', 'new': 'matrix_authentication_service_syn2mas_migrate_dry_run'}

roles/custom/matrix-base/defaults/main.yml

@@ -175,11 +175,15 @@ matrix_debian_arch: "{{ 'armhf' if matrix_architecture == 'arm32' else matrix_ar
 # Example value: "registry.example.com/" (note the trailing `/`).
 matrix_container_global_registry_prefix_override: ""
 
-matrix_user_username: "matrix"
-matrix_user_groupname: "matrix"
+matrix_user_name: "matrix"
+matrix_user_system: true
+matrix_user_shell: /sbin/nologin
 
-# By default, the playbook creates the user (`matrix_user_username`)
-# and group (`matrix_user_groupname`) with a random ID.
+matrix_group_name: "matrix"
+matrix_group_system: true
+
+# By default, the playbook creates the user (`matrix_user_name`)
+# and group (`matrix_group_name`) with a random ID.
 # To use a specific user/group ID, override these variables.
 matrix_user_uid: ~
 matrix_user_gid: ~
@@ -213,7 +217,7 @@ matrix_homeserver_container_url: "http://{{ matrix_homeserver_container_client_a
 
 # Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).
 # Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
-# This likely gets overriden elsewhere.
+# This likely gets overridden elsewhere.
 matrix_homeserver_container_client_api_endpoint: ""
 
 # Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
@@ -221,7 +225,7 @@ matrix_homeserver_container_federation_url: "http://{{ matrix_homeserver_contain
 
 # Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
 # Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
-# This likely gets overriden elsewhere.
+# This likely gets overridden elsewhere.
 matrix_homeserver_container_federation_api_endpoint: ""
 
 # Specifies the public url of the Sync v3 (sliding-sync) API.

roles/custom/matrix-base/tasks/setup_matrix_base.yml

@@ -17,8 +17,8 @@
     path: "{{ item }}"
     state: directory
     mode: "{{ matrix_base_data_path_mode }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - "{{ matrix_base_data_path }}"
     - "{{ matrix_bin_path }}"

roles/custom/matrix-base/tasks/setup_matrix_user.yml

@@ -7,20 +7,22 @@
 
 - name: Ensure Matrix group is created
   ansible.builtin.group:
-    name: "{{ matrix_user_groupname }}"
+    name: "{{ matrix_group_name }}"
     gid: "{{ omit if matrix_user_gid is none else matrix_user_gid }}"
     state: present
+    system: "{{ matrix_group_system }}"
   register: matrix_group
 
 - name: Ensure Matrix user is created
   ansible.builtin.user:
-    name: "{{ matrix_user_username }}"
+    name: "{{ matrix_user_name }}"
     uid: "{{ omit if matrix_user_uid is none else matrix_user_uid }}"
     state: present
-    group: "{{ matrix_user_groupname }}"
+    group: "{{ matrix_group_name }}"
     home: "{{ matrix_base_data_path }}"
     create_home: false
-    system: true
+    system: "{{ matrix_user_system }}"
+    shell: "{{ matrix_user_shell }}"
   register: matrix_user
 
 - name: Initialize matrix_user_uid and matrix_user_gid

roles/custom/matrix-base/tasks/validate_config.yml

@@ -32,6 +32,8 @@
     - {'old': 'matrix_client_element_e2ee_secure_backup_required', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_required'}
     - {'old': 'matrix_client_element_e2ee_secure_backup_setup_methods', 'new': 'matrix_static_files_file_matrix_client_property_io_element_e2ee_secure_backup_setup_methods'}
     - {'old': 'matrix_container_global_registry_prefix', 'new': '<no global variable anymore; you need to override the `_registry_prefix` variable in each component separately>'}
+    - {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
+    - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
 
 # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
 - name: Fail if matrix_homeserver_generic_secret_key is undefined
@@ -102,7 +104,7 @@
     msg: >-
       Your configuration enables both the old mautrix-instagram bridge and the new mautrix-meta-instagram bridge.
       By default, both bridges are configured to use the same bridge bot username (`@{{ matrix_mautrix_meta_instagram_appservice_username }}:{{ matrix_domain }}`) which is a conflict.
-      We recommend that you disable at least one of the bridges (preferrably the old mautrix-instagram bridge), or to resolve the conflict in another way.
+      We recommend that you disable at least one of the bridges (preferably the old mautrix-instagram bridge), or to resolve the conflict in another way.
       To resolve the conflict without disabling a bridge, consider adjusting one of `matrix_mautrix_instagram_appservice_bot_username` or `matrix_mautrix_meta_instagram_appservice_username` - they both have a value of {{ matrix_mautrix_meta_instagram_appservice_username }} right now.
   when:
     - matrix_mautrix_instagram_enabled | bool

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.6.0
+matrix_bot_baibot_version: v1.7.4
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -389,9 +389,10 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_response_format: opus
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_enabled: true
-matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: dall-e-3
-matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_style: vivid
-matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_size: 1024x1024
+matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1
+matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_style: null
+matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_size: null
+matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_quality: null
 
 ########################################################################################
 #                                                                                      #

roles/custom/matrix-bot-baibot/tasks/install.yml

@@ -10,8 +10,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_baibot_base_path }}", when: true}
     - {path: "{{ matrix_bot_baibot_config_path }}", when: true}
@@ -24,15 +24,15 @@
     content: "{{ matrix_bot_baibot_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_bot_baibot_config_path }}/config.yml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure baibot environment variables file created
   ansible.builtin.template:
     src: "{{ role_path }}/templates/env.j2"
     dest: "{{ matrix_bot_baibot_config_path }}/env"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: 0640
 
 - name: Ensure baibot container image is pulled
@@ -56,7 +56,7 @@
         dest: "{{ matrix_bot_baibot_container_src_files_path }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_bot_baibot_git_pull_results
 
     - name: Ensure baibot container image is built

roles/custom/matrix-bot-baibot/templates/provider/openai-config.yml.j2

@@ -35,4 +35,5 @@ image_generation:
   model_id: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id | to_json }}
   style: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_style | to_json }}
   size: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_size | to_json }}
+  quality: {{ matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_quality | to_json }}
 {% endif %}

roles/custom/matrix-bot-buscarron/tasks/setup_install.yml

@@ -39,8 +39,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_buscarron_config_path }}", when: true}
     - {path: "{{ matrix_bot_buscarron_data_path }}", when: true}
@@ -52,8 +52,8 @@
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_bot_buscarron_config_path }}/{{ item }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: 0640
   with_items:
     - env
@@ -78,7 +78,7 @@
     dest: "{{ matrix_bot_buscarron_docker_src_files_path }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_bot_buscarron_git_pull_results
   when: "matrix_bot_buscarron_container_image_self_build | bool"
 

roles/custom/matrix-bot-chatgpt/tasks/install.yml

@@ -10,8 +10,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_chatgpt_config_path }}", when: true}
     - {path: "{{ matrix_bot_chatgpt_data_path }}", when: true}
@@ -22,8 +22,8 @@
   ansible.builtin.template:
     src: "{{ role_path }}/templates/env.j2"
     dest: "{{ matrix_bot_chatgpt_config_path }}/env"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: 0640
 
 - name: Ensure chatgpt container image is pulled
@@ -47,7 +47,7 @@
         dest: "{{ matrix_bot_chatgpt_container_src_path }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_bot_chatgpt_git_pull_results
 
     - name: Ensure chatgpt container image is built

roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml

@@ -20,7 +20,7 @@
 - name: Fail if OpenAI configuration not up-to-date.
   ansible.builtin.fail:
     msg: >-
-      Your configuration contains a varible that is no longer used.
+      Your configuration contains a variable that is no longer used.
       Please change your configuration to remove the variable (`{{ item.name }}`).
   when: "item.name in vars"
   with_items:

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.2.0"
+matrix_bot_draupnir_version: "v2.3.1"
 
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -28,8 +28,18 @@ matrix_bot_draupnir_config_path: "{{ matrix_bot_draupnir_base_path }}/config"
 matrix_bot_draupnir_data_path: "{{ matrix_bot_draupnir_base_path }}/data"
 matrix_bot_draupnir_docker_src_files_path: "{{ matrix_bot_draupnir_base_path }}/docker-src"
 
+matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting or matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled }}"  # noqa var-naming
+
 matrix_bot_draupnir_config_web_abuseReporting: false  # noqa var-naming
-matrix_bot_draupnir_config_web_enabled: "{{ matrix_bot_draupnir_config_web_abuseReporting }}"  # noqa var-naming
+
+matrix_bot_draupnir_config_web_port: 8080
+
+# These variables are used for turning on the integration between the synapseHTTPAntispam module and Draupnir.
+# Authorisation is a shared secret between Draupnir and the module just like is used by Appservices and the homeserver
+# therefore the same creation mechanism is used here too.
+matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled: false  # noqa var-naming
+matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization: ''  # noqa var-naming
+
 matrix_bot_draupnir_config_displayReports: "{{ matrix_bot_draupnir_config_web_abuseReporting }}"  # noqa var-naming
 
 matrix_bot_draupnir_container_network: ""
@@ -129,6 +139,27 @@ matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand: false  # noqa var-n
 # This config option has diminished improvements for bots on extremely fast homeservers or very very small bots on fast homeservers.
 matrix_bot_draupnir_config_roomStateBackingStore_enabled: true  # noqa var-naming
 
+matrix_bot_draupnir_web_url: 'http://matrix-bot-draupnir'
+
+# This controls the URL that the module targets in Draupnir.
+matrix_bot_draupnir_synapse_http_antispam_config_base_url: "{{ matrix_bot_draupnir_web_url }}:{{ matrix_bot_draupnir_config_web_port }}/api/1/spam_check"
+
+# These variables control the configuration of the Synapse module as the configuration is highly consumer dependent.
+# Therefore the module is configured from Draupnir because the consumer of the module determines what settings are relevant.
+
+matrix_bot_draupnir_synapse_http_antispam_config_enabled_callbacks:
+  - check_event_for_spam
+  - user_may_invite
+  - user_may_join_room
+
+matrix_bot_draupnir_synapse_http_antispam_config_fail_open:
+  check_event_for_spam: true
+  user_may_invite: true
+  user_may_join_room: true
+
+matrix_bot_draupnir_synapse_http_antispam_config_async:
+  check_event_for_spam: true
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #

roles/custom/matrix-bot-draupnir/tasks/setup_install.yml

@@ -16,8 +16,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_draupnir_base_path }}", when: true}
     - {path: "{{ matrix_bot_draupnir_config_path }}", when: true}
@@ -29,8 +29,8 @@
   ansible.builtin.template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: 0644
   with_items:
     - src: "{{ role_path }}/templates/labels.j2"
@@ -55,7 +55,7 @@
     version: "{{ matrix_bot_draupnir_docker_image.split(':')[1] }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_bot_draupnir_git_pull_results
   when: "matrix_bot_draupnir_container_image_self_build | bool"
 
@@ -75,8 +75,8 @@
     content: "{{ matrix_bot_draupnir_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_bot_draupnir_config_path }}/production.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-bot-draupnir container network is created
   community.general.docker_network:

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -63,7 +63,7 @@
   ansible.builtin.fail:
     msg: >-
       Your configuration is trying to enable matrix_bot_draupnir_config_experimentalRustCrypto and matrix_bot_draupnir_pantalaimon_use at the same time.
-      These settings are mutually incompatible and therefore cant be used at the same time.
+      These settings are mutually incompatible and therefore can't be used at the same time.
   when:
     - matrix_bot_draupnir_pantalaimon_use
     - matrix_bot_draupnir_config_experimentalRustCrypto

roles/custom/matrix-bot-draupnir/templates/labels.j2

@@ -12,7 +12,7 @@ traefik.enable=true
 traefik.docker.network={{ matrix_bot_draupnir_container_labels_traefik_docker_network }}
 {% endif %}
 
-traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port=8080
+traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port={{ matrix_bot_draupnir_config_web_port }}
 
 {% if matrix_bot_draupnir_config_web_abuseReporting %}
 ############################################################

roles/custom/matrix-bot-draupnir/templates/production.yaml.j2

@@ -7,7 +7,8 @@ SPDX-FileCopyrightText: 2024 Suguru Hirahara
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-# Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API),
+# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API),
+# set this to the pantalaimon URL if you're using that.
 homeserverUrl: {{ matrix_bot_draupnir_config_homeserverUrl | to_json }}
 
 # Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
@@ -22,7 +23,10 @@ accessToken: {{ matrix_bot_draupnir_config_accessToken | to_json }}
 {% if matrix_bot_draupnir_pantalaimon_use or matrix_bot_draupnir_login_native %}
 # Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
 pantalaimon:
-  # Set to `true` when the bot is to login and fetch the access token on its own.
+  # Whether or not Draupnir will use pantalaimon to access the matrix homeserver,
+  # set to `true` if you're using pantalaimon.
+  #
+  # Be sure to point homeserverUrl to the pantalaimon instance.
   #
   # Draupnir will log in using the given username and password once,
   # then store the resulting access token in a file under dataPath.
@@ -34,13 +38,14 @@ pantalaimon:
   # The password Draupnir will login with.
   #
   # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
-  # This option can be loaded from a file by passing "--password-path <path>" at the command line,
+  # This option can be loaded from a file by passing "--pantalaimon-password-path <path>" at the command line,
   # which would allow using secret management systems such as systemd's service credentials.
   password: {{ matrix_bot_draupnir_password | to_json }}
 {% endif %}
 
-# Experimental usage of the matrix-bot-sdk rust crypto. This can not be used with Pantalaimon.
-# Make sure Pantalaimon is disabled in Draupnir's configuration.
+# Experimental usage of the matrix-bot-sdk rust crypto.
+# This can not be used with Pantalaimon.
+# Make sure to setup the bot as if you are not using pantalaimon for this.
 #
 # Warning: At this time this is not considered production safe.
 experimentalRustCrypto: {{ matrix_bot_draupnir_config_experimentalRustCrypto | to_json }}
@@ -68,22 +73,12 @@ recordIgnoredInvites: false
 # (see verboseLogging to adjust this a bit.)
 managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}
 
-# Deprecated and will be removed in a future version.
-# Running with verboseLogging is unsupported.
-# Whether Draupnir should log a lot more messages in the room,
-# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
-verboseLogging: false
-
 # The log level of terminal (or container) output,
 # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
 #
 # This should be at INFO or DEBUG in order to get support for Draupnir problems.
 logLevel: "INFO"
 
-# Whether or not Draupnir should synchronize policy lists immediately after startup.
-# Equivalent to running '!draupnir sync'.
-syncOnStartup: true
-
 # Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
 # Equivalent to running `!draupnir verify`.
 verifyPermissionsOnStartup: true
@@ -131,11 +126,13 @@ protectAllJoinedRooms: false
 # of the homeserver may be more impacted.
 backgroundDelayMS: 500
 
-# Server administration commands, these commands will only work if Draupnir is
+# Server administrative features. These will only work if Draupnir is
 # a global server administrator, and the bot's server is a Synapse instance.
+# Please review https://the-draupnir-project.github.io/draupnir-documentation/bot/homeserver-administration
 admin:
-  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
-  # (with enough permissions) to "make" a user an admin.
+  # Whether to enable the make admin command.
+  # This command allows Draupnir can temporarily take control of any eligible account
+  # from the local homeserver in the target room (with enough permissions) to "make" another user an admin.
   #
   # This only works if a local user with enough admin permissions is present in the room.
   enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand | to_json }}
@@ -266,7 +263,7 @@ web:
   enabled: true
 
   # The port to expose the webserver on. Defaults to 8080.
-  port: 8080
+  port: {{ matrix_bot_draupnir_config_web_port | to_json }}
 
   # The address to listen for requests on. Defaults to only the current
   # computer.
@@ -286,15 +283,24 @@ web:
   abuseReporting:
     # Whether to enable this feature.
     enabled: {{ matrix_bot_draupnir_config_web_abuseReporting | to_json }}
+  # Whether to setup a endpoints for synapse-http-antispam
+  # https://github.com/maunium/synapse-http-antispam
+  # this is required for some features of Draupnir,
+  # such as support for room takedown policies.
+  #
+  # Please FOLLOW the instructions here:
+  # https://the-draupnir-project.github.io/draupnir-documentation/bot/synapse-http-antispam
+  synapseHTTPAntispam:
+    enabled: {{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_enabled | to_json }}
+    # This is a secret that you must place into your synapse module config
+    # https://github.com/maunium/synapse-http-antispam?tab=readme-ov-file#configuration
+    authorization: {{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization | to_json }}
 {% endif %}
 
-# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
-# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
 # Whether or not to actively poll synapse for abuse reports, to be used
 # instead of intercepting client calls to synapse's abuse endpoint, when that
 # isn't possible/practical.
-#pollReports: false
+pollReports: false
 
 # Whether or not new reports, received either by webapi or polling,
 # should be printed to our managementRoom.

roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2

@@ -25,7 +25,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--network={{ matrix_bot_draupnir_container_network }} \
 			{% if matrix_bot_draupnir_container_http_host_bind_port %}
-			-p {{ matrix_bot_draupnir_container_http_host_bind_port }}:8080 \
+			-p {{ matrix_bot_draupnir_container_http_host_bind_port }}:{{ matrix_bot_draupnir_config_web_port }} \
 			{% endif %}
 			--label-file={{ matrix_bot_draupnir_base_path }}/labels \
 			--mount type=bind,src={{ matrix_bot_draupnir_config_path }},dst=/data/config,ro \

roles/custom/matrix-bot-go-neb/tasks/install.yml

@@ -15,8 +15,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_go_neb_config_path }}", when: true}
     - {path: "{{ matrix_bot_go_neb_data_path }}", when: true}
@@ -28,16 +28,16 @@
     content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_bot_go_neb_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure go-neb support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - env
     - labels

roles/custom/matrix-bot-honoroit/tasks/setup_install.yml

@@ -41,8 +41,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_honoroit_config_path }}", when: true}
     - {path: "{{ matrix_bot_honoroit_data_path }}", when: true}
@@ -54,8 +54,8 @@
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_bot_honoroit_config_path }}/{{ item }}"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: 0640
   with_items:
     - env
@@ -80,7 +80,7 @@
     dest: "{{ matrix_bot_honoroit_docker_src_files_path }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_bot_honoroit_git_pull_results
   when: "matrix_bot_honoroit_container_image_self_build | bool"
 

roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml

@@ -9,8 +9,8 @@
     state: "{{ item }}"
     path: "{{ matrix_bot_matrix_registration_bot_data_path }}"
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - absent
     - directory

roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml

@@ -13,8 +13,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true}
     - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}
@@ -25,8 +25,8 @@
   ansible.builtin.template:
     src: "{{ role_path }}/templates/config.yaml.j2"
     dest: "{{ matrix_bot_matrix_registration_bot_config_path }}/config.yaml"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: 0640
 
 - name: Ensure matrix-registration-bot image is pulled
@@ -50,7 +50,7 @@
         dest: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_bot_matrix_registration_bot_git_pull_results
 
     - name: Ensure matrix-registration-bot image is built

roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml

@@ -43,8 +43,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_matrix_reminder_bot_config_path }}", when: true}
     - {path: "{{ matrix_bot_matrix_reminder_bot_data_path }}", when: true}
@@ -71,7 +71,7 @@
     dest: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_bot_matrix_reminder_bot_git_pull_results
   when: "matrix_bot_matrix_reminder_bot_container_image_self_build | bool"
 
@@ -92,8 +92,8 @@
     content: "{{ matrix_bot_matrix_reminder_bot_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_bot_matrix_reminder_bot_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-reminder-bot container network is created
   community.general.docker_network:

roles/custom/matrix-bot-maubot/defaults/main.yml

@@ -30,7 +30,7 @@ matrix_bot_maubot_docker_repo: "https://mau.dev/maubot/maubot.git"
 matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/maubot/maubot
-matrix_bot_maubot_version: v0.5.1
+matrix_bot_maubot_version: v0.5.2
 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_registry_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
 matrix_bot_maubot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else matrix_bot_maubot_docker_image_registry_prefix_upstream }}"
 matrix_bot_maubot_docker_image_registry_prefix_upstream: "{{ matrix_bot_maubot_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-maubot/tasks/setup_install.yml

@@ -14,8 +14,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0755
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_maubot_base_path }}", when: true}
     - {path: "{{ matrix_bot_maubot_config_path }}", when: true}
@@ -31,8 +31,8 @@
   ansible.builtin.template:
     src: "{{ role_path }}/templates/config.yaml.j2"
     dest: "{{ matrix_bot_maubot_config_path }}/config.yaml"
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
     mode: "u=rwx"
 
 - name: Ensure maubot image is pulled
@@ -56,7 +56,7 @@
         dest: "{{ matrix_bot_maubot_docker_src_files_path }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_bot_maubot_git_pull_results
 
     - name: Ensure maubot image is built
@@ -76,8 +76,8 @@
       ansible.builtin.template:
         src: "{{ role_path }}/templates/customizations/Dockerfile.j2"
         dest: "{{ matrix_bot_maubot_customized_docker_src_files_path }}/Dockerfile"
-        owner: "{{ matrix_user_username }}"
-        group: "{{ matrix_user_groupname }}"
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
         mode: 0640
       register: matrix_bot_maubot_container_image_customizations_dockerfile_result
 
@@ -96,8 +96,8 @@
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_bot_maubot_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - labels
 

roles/custom/matrix-bot-mjolnir/defaults/main.yml

@@ -17,7 +17,7 @@
 matrix_bot_mjolnir_enabled: true
 
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
-matrix_bot_mjolnir_version: "v1.9.2"
+matrix_bot_mjolnir_version: "v1.10.0"
 
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

roles/custom/matrix-bot-mjolnir/tasks/setup_install.yml

@@ -18,8 +18,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_bot_mjolnir_base_path }}", when: true}
     - {path: "{{ matrix_bot_mjolnir_config_path }}", when: true}
@@ -46,7 +46,7 @@
     version: "{{ matrix_bot_mjolnir_docker_image.split(':')[1] }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_bot_mjolnir_git_pull_results
   when: "matrix_bot_mjolnir_container_image_self_build | bool"
 
@@ -66,8 +66,8 @@
     content: "{{ matrix_bot_mjolnir_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_bot_mjolnir_config_path }}/production.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-bot-mjolnir container network is created
   community.general.docker_network:

roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml

@@ -56,8 +56,8 @@
     path: "{{ item }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - "{{ matrix_appservice_discord_base_path }}"
     - "{{ matrix_appservice_discord_config_path }}"
@@ -93,16 +93,16 @@
     content: "{{ matrix_appservice_discord_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_discord_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure AppService Discord registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_discord_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 # If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated.
 # We intentionally suppress Ansible changes.

roles/custom/matrix-bridge-appservice-discord/templates/config.yaml.j2

@@ -2,7 +2,7 @@
 bridge:
   # Domain part of the bridge, e.g. matrix.org
   domain: {{ matrix_appservice_discord_bridge_domain|to_json }}
-  # This should be your publically facing URL because Discord may use it to
+  # This should be your publicly facing URL because Discord may use it to
   # fetch media from the media store.
   homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl|to_json }}
   # Interval at which to process users in the 'presence queue'. If you have

roles/custom/matrix-bridge-appservice-irc/defaults/main.yml

@@ -358,7 +358,7 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # not apply an idle timeout. This value is ignored if this IRC server is
 #       # mirroring Matrix membership lists to IRC. Default: 172800 (48 hours)
 #       idleTimeout: 10800
-#       # The number of millseconds to wait between consecutive reconnections if a
+#       # The number of milliseconds to wait between consecutive reconnections if a
 #       # client gets disconnected. Setting to 0 will cause the scheduling to be
 #       # disabled, i.e. it will be scheduled immediately (with jitter.
 #       # Otherwise, the scheduling interval will be used such that one client

roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -22,8 +22,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_appservice_irc_base_path }}", when: true}
     - {path: "{{ matrix_appservice_irc_config_path }}", when: true}
@@ -97,7 +97,7 @@
     dest: "{{ matrix_appservice_irc_docker_src_files_path }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_appservice_irc_git_pull_results
   when: "matrix_appservice_irc_enabled | bool and matrix_appservice_irc_container_image_self_build | bool"
 
@@ -118,15 +118,15 @@
     content: "{{ matrix_appservice_irc_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_irc_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Generate Appservice IRC passkey if it doesn't exist
   ansible.builtin.shell:
     cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
     creates: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
 
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
@@ -134,8 +134,8 @@
   ansible.builtin.file:
     path: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 # Ideally, we'd like to generate the final registration.yaml file by ourselves.
 #
@@ -198,8 +198,8 @@
     content: "{{ matrix_appservice_irc_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-irc container network is created
   community.general.docker_network:

roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml

@@ -35,8 +35,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_appservice_kakaotalk_base_path }}", when: true}
     - {path: "{{ matrix_appservice_kakaotalk_config_path }}", when: true}
@@ -51,7 +51,7 @@
     version: "{{ matrix_appservice_kakaotalk_container_image_self_build_repo_version }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_appservice_kakaotalk_git_pull_results
   when: "matrix_appservice_kakaotalk_container_image_self_build | bool"
 
@@ -84,24 +84,24 @@
     content: "{{ matrix_appservice_kakaotalk_node_configuration | to_nice_json }}"
     dest: "{{ matrix_appservice_kakaotalk_config_path }}/node-config.json"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-kakaotalk config.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_kakaotalk_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_kakaotalk_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-kakaotalk registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_kakaotalk_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_kakaotalk_config_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-kakaotalk container network is created
   community.general.docker_network:

roles/custom/matrix-bridge-appservice-slack/tasks/setup_install.yml

@@ -17,8 +17,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_appservice_slack_base_path }}", when: true}
     - {path: "{{ matrix_appservice_slack_config_path }}", when: true}
@@ -62,7 +62,7 @@
     dest: "{{ matrix_appservice_slack_docker_src_files_path }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_appservice_slack_git_pull_results
   when: "matrix_appservice_slack_container_image_self_build | bool"
 
@@ -83,16 +83,16 @@
     content: "{{ matrix_appservice_slack_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_slack_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure appservice-slack registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_slack_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-slack container network is created
   community.general.docker_network:
@@ -106,8 +106,8 @@
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_appservice_slack_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - labels
 

roles/custom/matrix-bridge-appservice-webhooks/tasks/setup_install.yml

@@ -17,8 +17,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_appservice_webhooks_base_path }}", when: true}
     - {path: "{{ matrix_appservice_webhooks_config_path }}", when: true}
@@ -47,7 +47,7 @@
         version: "{{ matrix_appservice_webhooks_container_image_self_build_repo_version }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_appservice_webhooks_git_pull_results
 
     - name: Ensure matrix-appservice-webhooks container image is built
@@ -66,32 +66,32 @@
     content: "{{ matrix_appservice_webhooks_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-webhooks schema.yml template exists
   ansible.builtin.template:
     src: "{{ role_path }}/templates/schema.yml.j2"
     dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-webhooks database.json template exists
   ansible.builtin.template:
     src: "{{ role_path }}/templates/database.json.j2"
     dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure appservice-webhooks registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_appservice_webhooks_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-appservice-webhooks container network is created
   community.general.docker_network:
@@ -105,8 +105,8 @@
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_appservice_webhooks_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - labels
 

roles/custom/matrix-bridge-beeper-linkedin/tasks/setup_install.yml

@@ -16,8 +16,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_beeper_linkedin_base_path }}", when: true}
     - {path: "{{ matrix_beeper_linkedin_config_path }}", when: true}
@@ -30,16 +30,16 @@
     content: "{{ matrix_beeper_linkedin_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_beeper_linkedin_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure beeper-linkedin registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_beeper_linkedin_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_beeper_linkedin_config_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure Beeper LinkedIn container image is pulled
   community.docker.docker_image:
@@ -62,7 +62,7 @@
         version: "{{ matrix_beeper_linkedin_container_image_self_build_branch }}"
         force: "yes"
       become: true
-      become_user: "{{ matrix_user_username }}"
+      become_user: "{{ matrix_user_name }}"
       register: matrix_beeper_linkedin_git_pull_results
 
     # Building the container image (using the default Dockerfile) requires that a docker-requirements.txt file be generated.

roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml

@@ -40,8 +40,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_go_skype_bridge_base_path }}", when: true}
     - {path: "{{ matrix_go_skype_bridge_config_path }}", when: true}
@@ -68,7 +68,7 @@
     version: "{{ matrix_go_skype_bridge_container_image_self_build_branch }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_go_skype_bridge_git_pull_results
   when: "matrix_go_skype_bridge_container_image_self_build | bool"
 
@@ -122,16 +122,16 @@
     content: "{{ matrix_go_skype_bridge_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_go_skype_bridge_config_path }}/config.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure go-skype-bridge registration.yaml installed
   ansible.builtin.copy:
     content: "{{ matrix_go_skype_bridge_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_go_skype_bridge_config_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure matrix-go-skype-bridge container network is created
   community.general.docker_network:

roles/custom/matrix-bridge-go-skype-bridge/templates/config.yaml.j2

@@ -224,7 +224,7 @@ logging:
     # The directory for log files. Will be created if not found.
     directory: ./logs
     # Available variables: .Date for the file date and .Index for different log files on the same day.
-    # empy/null = journal logging only
+    # empty/null = journal logging only
     file_name_format:
     # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants
     file_date_format: "2006-01-02"

roles/custom/matrix-bridge-heisenbridge/tasks/setup_install.yml

@@ -26,8 +26,8 @@
     path: "{{ item }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - "{{ matrix_heisenbridge_base_path }}"
 
@@ -36,16 +36,16 @@
     content: "{{ matrix_heisenbridge_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_heisenbridge_base_path }}/registration.yaml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure Heisenbridge support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_heisenbridge_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - labels
 

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 6.0.3
+matrix_hookshot_version: 7.0.0
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -74,7 +74,7 @@ matrix_hookshot_cache_redisUri: "{{ ('redis://' + matrix_hookshot_cache_redis_ho
 # - support to also be enabled in the homeserver, see the documentation of Hookshot.
 # - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables.
 # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
-matrix_hookshot_encryption_enabled: false
+matrix_hookshot_encryption_enabled: "{{ matrix_bridges_encryption_enabled }}"
 
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
@@ -187,16 +187,6 @@ matrix_hookshot_feeds_enabled: true
 matrix_hookshot_feeds_pollIntervalSeconds: 600  # noqa var-naming
 matrix_hookshot_feeds_pollTimeoutSeconds: 30  # noqa var-naming
 
-
-matrix_hookshot_provisioning_enabled: false
-# There is no need to edit ports. use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
-matrix_hookshot_provisioning_port: 9002
-matrix_hookshot_provisioning_secret: ''
-# Provisioning will be automatically enabled if Dimension is enabled and you have provided a provisioning secret, unless you override it
-matrix_hookshot_provisioning_internal: "/v1"
-matrix_hookshot_provisioning_hostname: "{{ matrix_hookshot_public_hostname }}"
-matrix_hookshot_provisioning_endpoint: "{{ matrix_hookshot_public_endpoint }}{{ matrix_hookshot_provisioning_internal }}"
-
 # Valid values: error, warn, info, debug
 matrix_hookshot_logging_level: warn
 
@@ -289,15 +279,7 @@ matrix_hookshot_container_labels_widgets_traefik_entrypoints: "{{ matrix_hooksho
 matrix_hookshot_container_labels_widgets_traefik_tls: "{{ matrix_hookshot_container_labels_widgets_traefik_entrypoints != 'web' }}"
 matrix_hookshot_container_labels_widgets_traefik_tls_certResolver: "{{ matrix_hookshot_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 
-# Controls whether labels will be added that expose Hookshot's provisioning endpoint
-matrix_hookshot_container_labels_provisioning_enabled: "{{ matrix_hookshot_provisioning_enabled }}"
-matrix_hookshot_container_labels_provisioning_traefik_rule: "Host(`{{ matrix_hookshot_provisioning_hostname }}`) && PathPrefix(`{{ matrix_hookshot_provisioning_endpoint }}`)"
-matrix_hookshot_container_labels_provisioning_traefik_priority: 0
-matrix_hookshot_container_labels_provisioning_traefik_entrypoints: "{{ matrix_hookshot_container_labels_traefik_entrypoints }}"
-matrix_hookshot_container_labels_provisioning_traefik_tls: "{{ matrix_hookshot_container_labels_provisioning_traefik_entrypoints != 'web' }}"
-matrix_hookshot_container_labels_provisioning_traefik_tls_certResolver: "{{ matrix_hookshot_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
-
-# Controls whether labels will be added that expose Hookshot's provisioning endpoint
+# Controls whether labels will be added that expose Hookshot's metrics endpoint
 matrix_hookshot_container_labels_metrics_enabled: "{{ matrix_hookshot_metrics_enabled and matrix_hookshot_metrics_proxying_enabled }}"
 matrix_hookshot_container_labels_metrics_traefik_rule: "Host(`{{ matrix_hookshot_metrics_proxying_hostname }}`) && PathPrefix(`{{ matrix_hookshot_metrics_proxying_path_prefix }}`)"
 matrix_hookshot_container_labels_metrics_traefik_priority: 0

roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml

@@ -21,8 +21,8 @@
     path: "{{ item.path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - {path: "{{ matrix_hookshot_base_path }}", when: true}
     - {path: "{{ matrix_hookshot_docker_src_files_path }}", when: "{{ matrix_hookshot_container_image_self_build }}"}
@@ -47,7 +47,7 @@
     version: "{{ matrix_hookshot_container_image_self_build_branch }}"
     force: "yes"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   register: matrix_hookshot_git_pull_results
   when: "matrix_hookshot_container_image_self_build | bool"
 
@@ -73,7 +73,7 @@
     cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096"
     creates: "{{ matrix_hookshot_base_path }}/passkey.pem"
   become: true
-  become_user: "{{ matrix_user_username }}"
+  become_user: "{{ matrix_user_name }}"
   when: "not hookshot_passkey_file.stat.exists"
 
 - name: Ensure hookshot config.yml installed if provided
@@ -81,8 +81,8 @@
     content: "{{ matrix_hookshot_configuration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_hookshot_base_path }}/config.yml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Validate hookshot config.yml
   ansible.builtin.command:
@@ -107,16 +107,16 @@
     content: "{{ matrix_hookshot_registration | to_nice_yaml(indent=2, width=999999) }}"
     dest: "{{ matrix_hookshot_base_path }}/registration.yml"
     mode: 0644
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
 
 - name: Ensure hookshot github private key file installed if github is enabled
   ansible.builtin.copy:
     content: "{{ matrix_hookshot_github_private_key }}"
     dest: "{{ matrix_hookshot_base_path }}/{{ matrix_hookshot_github_private_key_file }}"
     mode: 0400
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   when: matrix_hookshot_github_enabled | bool and matrix_hookshot_github_private_key|length > 0
 
 - name: Ensure matrix-hookshot container network is created
@@ -131,8 +131,8 @@
     src: "{{ role_path }}/templates/{{ item }}.j2"
     dest: "{{ matrix_hookshot_base_path }}/{{ item }}"
     mode: 0640
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
   with_items:
     - labels
 

roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml

@@ -39,6 +39,13 @@
     - {'old': 'matrix_hookshot_queue_port', 'new': 'matrix_hookshot_cache_redis_port'}
     - {'old': 'matrix_hookshot_experimental_encryption_enabled', 'new': 'matrix_hookshot_encryption_enabled'}
     - {'old': 'matrix_hookshot_docker_image_name_prefix', 'new': 'matrix_hookshot_docker_image_registry_prefix'}
+    - {'old': 'matrix_hookshot_provisioning_enabled', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
+    - {'old': 'matrix_hookshot_provisioning_port', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
+    - {'old': 'matrix_hookshot_provisioning_secret', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
+    - {'old': 'matrix_hookshot_provisioning_internal', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
+    - {'old': 'matrix_hookshot_provisioning_hostname', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
+    - {'old': 'matrix_hookshot_provisioning_endpoint', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
+    - {'old': 'matrix_hookshot_container_labels_provisioning_enabled', 'new': '<removed - see https://github.com/matrix-org/matrix-hookshot/pull/931 and the `matrix_hookshot_widgets_*` variables>'}
 
 - name: Fail if required Hookshot settings not defined
   ansible.builtin.fail:
@@ -92,14 +99,6 @@
       You need to define at least one Figma instance in `matrix_hookshot_figma_instances` to enable Figma.
   when: "matrix_hookshot_figma_enabled and matrix_hookshot_figma_instances | length == 0"
 
-- name: Fail if required provisioning settings not defined
-  ansible.builtin.fail:
-    msg: >-
-      You need to define a required configuration setting (`{{ item }}`) to enable provisioning.
-  when: "matrix_hookshot_provisioning_enabled and vars[item] == ''"
-  with_items:
-    - "matrix_hookshot_provisioning_secret"
-
 - name: Fail if no Redis queue enabled when Hookshot encryption is enabled
   ansible.builtin.fail:
     msg: >-

roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2

@@ -89,12 +89,6 @@ feeds:
   pollIntervalSeconds: {{ matrix_hookshot_feeds_pollIntervalSeconds | to_json }}
   pollTimeoutSeconds: {{ matrix_hookshot_feeds_pollTimeoutSeconds | to_json }}
 {% endif %}
-{% if matrix_hookshot_provisioning_enabled %}
-provisioning:
-  # (Optional) Provisioning API for integration managers
-  #
-  secret: {{ matrix_hookshot_provisioning_secret | to_json }}
-{% endif %}
 passFile:
   # A passkey used to encrypt tokens stored inside the bridge.
   # Run openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096 to generate
@@ -143,7 +137,7 @@ permissions: {{ matrix_hookshot_permissions | to_json }}
 listeners:
   # (Optional) HTTP Listener configuration.
   # Bind resource endpoints to ports and addresses.
-  # 'resources' may be any of webhooks, widgets, metrics, provisioning, appservice
+  # 'resources' may be any of webhooks, widgets, metrics
   #
 {# always enabled since all services need it #}
   - port: {{ matrix_hookshot_webhook_port }}
@@ -156,12 +150,6 @@ listeners:
     resources:
       - metrics
 {% endif %}
-{% if matrix_hookshot_provisioning_enabled %}
-  - port: {{ matrix_hookshot_provisioning_port }}
-    bindAddress: 0.0.0.0
-    resources:
-      - provisioning
-{% endif %}
 {% if matrix_hookshot_widgets_enabled %}
   - port: {{ matrix_hookshot_widgets_port }}
     bindAddress: 0.0.0.0