chore: update to 1.79.0

chore: bump synapse version to 1.73.0
fixup: add appservice worker!
2024-01-15 12:17:16 +01:00 · 2024-01-15 12:17:11 +01:00 · 2024-01-15 12:17:06 +01:00 · 2024-01-15 12:17:01 +01:00 · 2024-01-15 12:16:56 +01:00 · 2024-01-15 12:16:51 +01:00
251 changed files with 3898 additions and 2108 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
 * text=auto eol=lf
--- a/.github/renovate.json
+++ b/.github/renovate.json
@ -0,0 +1,24 @@
 {
 	"$schema": "https://docs.renovatebot.com/renovate-schema.json",
 	"extends": [
 		"config:base"
 	],
 	"regexManagers": [
 		{
 			"fileMatch": ["defaults/main.yml$"],
 			"matchStrings": [
 				"# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[a-z-0-9]+?))?\\s+[A-Za-z0-9_]+?(?:_version|_tag)\\s*:\\s*[\"']?(?<currentValue>.+?)[\"']?\\s"
 			]
 		}
 	],
 	"packageRules": [
 		{
 			"matchSourceUrlPrefixes": [
 				"https://github.com/devture/com.devture.ansible.role",
 				"https://gitlab.com/etke.cc/roles",
 				"https://github.com/mother-of-all-self-hosting"
 			],
 			"ignoreUnstable": false
 		}
 	]
 }
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@ -13,7 +13,7 @@ jobs:
      - name: Check out
        uses: actions/checkout@v4
      - name: Run yamllint
-        uses: frenck/action-yamllint@v1.4.1
+        uses: frenck/action-yamllint@v1.4.2
  ansible-lint:
    name: ansible-lint
    runs-on: ubuntu-latest
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,4 @@
-/inventory/*
+/inventory
 !/inventory/.gitkeep
 !/inventory/host_vars/.gitkeep
 !/inventory/scripts
 /roles/**/files/scratchpad
 .DS_Store
 .python-version
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,151 @@
 # 2024-01-14
 ## (Backward Compatibility) Configuration changes required for people fronting the integrated reverse-proxy webserver with another reverse-proxy
 If you're on the default setup (using the Traefik reverse-proxy as installed by the playbook), you don't need to do anything.
 People who are [Fronting the integrated Traefik reverse-proxy webserver with another reverse-proxy](./docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy), as per our previous instructions are redefining `devture_traefik_additional_entrypoints_auto` in their `vars.yml` configuration.
 Such a full variable redefinion is intrustive, because it prevents the playbook from injecting additional entrypoints into the Traefik webserver. In the future, the playbook may have a need to do so.
 For this reason, we no longer recommend completely redefining `devture_traefik_additional_entrypoints_auto`.
 The playbook now defines [various `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables in the `defaults/main.yml` file](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/custom/matrix-base/defaults/main.yml) of the `matrix-base` role which can be used as a safer alternative to `devture_traefik_additional_entrypoints_auto`.
 Adapt your configuration as seen below:
 ```diff
 -devture_traefik_additional_entrypoints_auto:
 -  - name: matrix-federation
 -    port: 8449
 -    host_bind_port: '127.0.0.1:8449'
 -    config: {}
 -    # If your reverse-proxy runs on another machine, remove the config above and use this config instead:
 -    # config:
 -    #   forwardedHeaders:
 -    #     insecure: true
 -    #     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 +# Uncomment and tweak the variable below if the name of your federation entrypoint is different
 +# than the default value (matrix-federation).
 +# matrix_federation_traefik_entrypoint: matrix-federation
 +
 +# Uncomment and tweak the variable below if you really wish to change the internal port number
 +# that the federation endpoint uses. Changing it is generally not necessary.
 +# Usually, changing `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` below is enough.
 +#matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: 8449
 +
 +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: 127.0.0.1:8449
 +
 +# Adapt the variable below based on where your reverse-proxy runs:
 +# - if it's on the Matrix server: keep `forwardedHeaders` and `insecure: true` as is
 +# - if it's on another machine: remove `forwardedHeaders` and `insecure: true` and enable/configure `trustedIPs`
 +matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
 +  forwardedHeaders:
 +    insecure: true
 +  # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```
 Also, feel free to read the [Fronting the integrated Traefik reverse-proxy webserver with another reverse-proxy](./docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) documentation section again for additional details.
 # 2024-01-13
 ## matrix-reminder-bot update with more secure (backward-incompatible) default settings
 **TLDR**: your updated (to [v0.3.0](https://github.com/anoadragon453/matrix-reminder-bot/releases/tag/v0.3.0)) [matrix-reminder-bot](./docs/configuring-playbook-bot-matrix-reminder-bot.md) is now more secure. By default, like other bridges/bots managed by the playbook, it will only provide its services to users of your own server (not to anyone, even across the Matrix Federation). If that's fine, there's nothing you need to do.
 Maintenance of [matrix-reminder-bot](./docs/configuring-playbook-bot-matrix-reminder-bot.md) has been picked up by [Kim Brose](https://github.com/HarHarLinks) and [@svierne](https://github.com/svierne).
 Thanks to them, a new [v0.3.0](https://github.com/anoadragon453/matrix-reminder-bot/releases/tag/v0.3.0) release is out. The new version is now available for the ARM64 architecture, so playbook users on this architecture will no longer need to wait for [self-building](./docs/self-building.md) to happen.
 The new version also comes with new `allowlist` and `blocklist` settings, which make it possible to restrict who can use the bot. Previously anyone, even across the Matrix Federation could talk to it and schedule reminders.
 The playbook defaults all bridges and bots (where possible) to only be exposed to users of the current homeserver, not users across federation.
 Thanks to the new version of this bot making such a restriction possible, we're now making use of it. The playbook (via its `group_vars/matrix_servers` file) automatically enables the `allowlist` (`matrix_bot_matrix_reminder_bot_allowlist_enabled: true`) and configures it in such a way (`matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`) so as to restrict the bot to your homeserver's users.
 If you need **to undo or tweak these security improvements**, you can change your `vars.yml` file to:
 - disable the allowlist (`matrix_bot_matrix_reminder_bot_allowlist_enabled: false`), making the bot allow usage by anyone, anywhere
 - inject additional allowed servers or users by adding **additional** (on top of the default allowlist in `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`) custom regexes in the `matrix_bot_matrix_reminder_bot_allowlist_regexes_custom` list variable (see the [syntax reference](https://github.com/anoadragon453/matrix-reminder-bot/blob/1e910c0aa3469d280d93ee7e6c6d577227a3460c/sample.config.yaml#L43-L49))
 - override the default allowlist (in the `group_vars/matrix_servers` file) by redefining `matrix_bot_matrix_reminder_bot_allowlist_regexes_auto`
 # 2024-01-05
 ## matrix-mailer has been replaced by the exim-relay external role
 We're continuing our effort to make [the playbook use external roles for some things](#the-playbook-now-uses-external-roles-for-some-things), so as to avoid doing everything ourselves and to facilitate code re-use.
 The `matrix-mailer` role has been moved to its own repository ([ansible-role-exim-relay](https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay)) that this playbook now includes.
 To migrate:
 - pull the playbook changes, as usual
 - update your roles (run `just roles` or `make roles`)
 - update your `vars.yml`, renaming `matrix_mailer`-prefixed variables to `exim_relay`-prefixed ones (e.g. `matrix_mailer_sender_address` -> `exim_relay_sender_address`). If you find none, it means you're using the default configuration and your migraiton job is even simpler.
 - re-run the playbook (`install-all` or `setup-all`)
 The playbook will take care of stopping the old `matrix-mailer` systemd service, relocating its directory and restarting it under the new name (`matrix-exim-relay.service`).
 # 2024-01-02
 ## mautrix-signal now powered by the new Go-based bridge
 The old Python-based [mautrix-signal](https://github.com/mautrix/signal) bridge is no longer maintained upstream. It's also known to have issues linking new devices.
 It seems like the path forward is to switch to the new mautrix-signal bridge written in Golang, which we did thanks to [PR #3031](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3041) by [Pierre 'McFly' Marty](https://github.com/pm-McFly).
 The playbook should **automatically migrate your mautrix-signal installation to the new bridge code**.
 You will **need to relink all your devices** to continue your bridged conversations.
 # 2023-10-23
 ## Enabling `allow_public_rooms_over_federation` by default for Synapse
 **TDLR**: if your Matrix server is federating (which it mostly likely is, unless you've [disabled federation](docs/configuring-playbook-federation.md#disabling-federation)), your public rooms will not only be joinable across federation (as they've always been), but from now on will be discoverable (made available as a list across federation). We're changing this by flipping the value for Synapse's `allow_public_rooms_over_federation` setting to `true`, going against the upstream default. Servers that disable federation are not affected. Servers that have public rooms which are not published to the room directory are also not affected.
 We generally try to stick to the default configuration for Synapse (and all other components), unless these defaults seem wrong or harmful. One such previous case from a few months ago was us [Enabling `forget_rooms_on_leave` by default for Synapse](#enabling-forget_rooms_on_leave-by-default-for-synapse) - the default value was making Synapse more wasteful of resources by default.
 Today, we're going against upstream defaults again and flipping the `allow_public_rooms_over_federation` configuration option to `true`.
 This way, public rooms on your server will be made discoverable by others via federation, using the [`GET /_matrix/federation/v1/publicRooms` of the Server-Server API](https://spec.matrix.org/v1.8/server-server-api/#get_matrixfederationv1publicrooms).
 The upstream Synapse default is `false` (disabled), so that public rooms are not exposed for other servers to discover (learn about their existence). Nevertheless, even if these rooms are not exposed (listed) for discovery, they are **still joinable** by anyone who knows their address or is invited to the room by an existing member.
 **We go against the upstream default** in an effort to make Matrix federation more useful - a public room should be globally public - not only joinable, but also discoverable across federation.
 The **historical reasoning** behind this change is as follows:
 - `allow_public_rooms_over_federation` seems to have been enabled by default for Synapse until v1.7.0 (~2019), just like we believe it should be for a globally-federating network - rooms should be joinable and discoverable across federation.
 - In Synapse v1.7.0 (~2019), `allow_public_rooms_over_federation` [got disabled](https://github.com/matrix-org/synapse/blob/e9069c9f919685606506f04527332e83fbfa44d9/docs/upgrade.md?plain=1#L1877-L1891) by default in a [security-by-obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) workaround for misconfigured servers. See the [Avoiding unwelcome visitors on private Matrix servers](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers/) `matrix.org` blog article. We believe that people wishing for a truly private server, should [disable federation](docs/configuring-playbook-federation.md#disabling-federation), instead of having a fully-federating server and trying to hide its public rooms. We also provide other workarounds below. We (and the Synapse team, obviously) believe that Matrix should federate by default, so federating the public room list seems to make sense.
 - [etke.cc](https://etke.cc/) has been developing the free-software [Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) project for a while now. One public (demo) instance of it is hosted at [matrixrooms.info](https://matrixrooms.info/). This search engine tries to go through the Matrix federation and discover & index public rooms to allow people to find them. We believe it's vital for Matrix (and any chat or social network for that matter) to be more discoverable, so that people can find communities and others to talk to. Today (on 23rd of October 2023), `matrixrooms.info` is indexing `23066` Matrix servers. Of these, only `1567` servers (7%) are making their public rooms discoverable. Who knows what wonderful communities and rooms are available on these 93% other Matrix servers that are supposedly federating, but are still gate-keeping their public room list. Indubitably, many of these servers are hosted via matrix-docker-ansible-deploy, so we feel partially responsible for making Matrix federation less useful.
 Here are **actions you may wish to take** as a result of this change:
 - (recommended) embrace the new default. If your Matrix server is federating, your public rooms have always been joinable across federation anyway. Exposing the list of public rooms does no harm and more-so does good by contributing to the usefulness of the Matrix network by facilitating room discovery.
 - (switch to a better way of doings things on your semi-private server) The problem that the Synapse team appears to have solved by flipping the `allow_public_rooms_over_federation` default in Synapse v1.7.0 seems to for "mostly private" servers, which federate and have a bunch of rooms made public (and published in their room directory) in an effort to allow people on the same homeserver to easily find and join them (self-onboarding). With the introduction of Matrix Spaces, you can reorganize your flow around spaces - you can auto-join your users to a Matrix Space (via Synapse's `auto_join_rooms` setting - controlled by our `matrix_synapse_auto_join_rooms` variable), then add a bunch of rooms to the space and make them joinable by people belonging to the space. That is to say, do not make rooms public and do not publish them to the room directory unless they are really public. Instead, use other mechanisms for semi-public rooms or private rooms. One alternative is to stick to what you're doing (public rooms published to your rooms directory) but having a `m.federate: true` flag set during creation (clients like Element have a nice UI checkbox for this) to explicitly disable federation for them.
 - (keeping the old behavior) if you wish to keep doing what you're doing (keeping your Matrix server federating, but hiding its public rooms list), add `matrix_synapse_allow_public_rooms_over_federation: false` to your `vars.yml` configuration. This restores the old behavior. You may also consider [disabling federation](docs/configuring-playbook-federation.md#disabling-federation) completely instead of relying on security-by-obscurity measures.
 # 2023-10-18
 ## Postgres parameters are automatically tuned now
 The playbook has provided some hints about [Tuning PostgreSQL](docs/maintenance-postgres.md#tuning-postgresql) for quite a while now.
 From now on, the [Postgres Ansible role](https://github.com/devture/com.devture.ansible.role.postgres) automatically tunes your Postgres configuration with the same [calculation logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) that powers https://pgtune.leopard.in.ua/.
 Our [Tuning PostgreSQL](docs/maintenance-postgres.md#tuning-postgresql) documentation page has details about how you can turn auto-tuning off or adjust the automatically-determined Postgres configuration parameters manually.
 People who [enable load-balancing with Synapse workers](docs/configuring-playbook-synapse.md#load-balancing-with-workers) no longer need to increase the maximum number of Postgres connections manually (previously done via `devture_postgres_process_extra_arguments`). There's a new variable (`devture_postgres_max_connections`) for controlling this number and the playbook automatically raises its value from `200` to `500` for setups which enable workers.
 # 2023-08-31
 ## SchildiChat support
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ We run all services in [Docker](https://www.docker.com/) containers (see [the co
 This Ansible playbook tries to make self-hosting and maintaining a Matrix server fairly easy. Still, running any service smoothly requires knowledge, time and effort.
-If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc/) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease.
+If you like the [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) spirit of this Ansible playbook, but prefer to put the responsibility on someone else, you can also [get a managed Matrix server from etke.cc](https://etke.cc?utm_source=github&utm_medium=readme&utm_campaign=mdad) - a service built on top of this Ansible playbook, which can help you run a Matrix server with ease.
 If you like learning and experimentation, but would rather reduce future maintenance effort, you can even go for a hybrid approach - self-hosting manually using this Ansible playbook at first and then transferring server maintenance to etke.cc at a later time.
@ -48,7 +48,7 @@ Web clients for matrix that you can host on your own domains.
 | Name | Default? | Description | Documentation |
 | ---- | -------- | ----------- | ------------- |
 | [Element](https://app.element.io/) | ✓ | Web UI, which is configured to connect to your own Synapse server by default | [Link](docs/configuring-playbook-client-element.md) |
-| [Hydrogen](https://github.com/vector-im/hydrogen-web) | x | Lightweight matrix client with legacy and mobile browser support | [Link](docs/configuring-playbook-client-hydrogen.md) |
+| [Hydrogen](https://github.com/element-hq/hydrogen-web) | x | Lightweight matrix client with legacy and mobile browser support | [Link](docs/configuring-playbook-client-hydrogen.md) |
 | [Cinny](https://github.com/ajbura/cinny) |  x | Simple, elegant and secure web client | [Link](docs/configuring-playbook-client-cinny.md) |
 | [SchildiChat](https://schildi.chat/) | x | Based on Element, with a more traditional instant messaging experience | [Link](docs/configuring-playbook-client-schildichat.md) |
@ -197,14 +197,6 @@ When updating the playbook, refer to [the changelog](CHANGELOG.md) to catch up w
 ## Related
-You may also be interested in these other Ansible playbooks:
+You may also be interested in [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) - another Ansible playbook for self-hosting non-Matrix services (see its [List of supported services](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md)).
- [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy) - for deploying a [Gitea](https://gitea.io/) git version-control server
+mash-playbook also makes use of [Traefik](./docs/configuring-playbook-traefik.md) as its reverse-proxy, so with minor [interoperability adjustments](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md), you can make matrix-docker-ansible-deploy and mash-playbook co-exist and host Matrix and non-Matrix services on the same server.
 - [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy) - for deploying a [Nextcloud](https://nextcloud.com/) server
 - [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy) - for deploying a [PeerTube](https://joinpeertube.org/) video-platform server
 - [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy) - for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server)
 They're all making use of Traefik as their reverse-proxy, so it should be easy to host all these services on the same server. Follow the `docs/configuring-playbook-interoperability.md` documentation in each playbook.
--- a/YEAR-IN-REVIEW.md
+++ b/YEAR-IN-REVIEW.md
@ -0,0 +1,106 @@
 # 2023
 2023 was a year filled with many changes for matrix-docker-ansible-deploy. In this post, we're looking backward at some of the major changes that happened this year, as well as taking a glimpse of what's ahead in 2024.
 2023 is probably [the year of AI](https://journal.everypixel.com/2023-the-year-of-ai), with millions of people jumping aboard [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/chatgpt) train. matrix-docker-ansible-deploy is no stranger to this and 2023 began with a PR from [bertybuttface](https://github.com/bertybuttface) who added support for [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#chatgpt-support)). While OpenAI's chat GPT website was frequently overloaded in the past, their API was up which made using this bot both convenient and more reliable.
 AI aside, with the playbook's focus being containers, we're **doubling down on being "container native"** and becoming more interoperable for people hosting other containers on the Matrix server. In [2022](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/YEAR-IN-REVIEW.md#2022), we've announced a few sibling Ansible playbooks, their use of [Traefik](https://doc.traefik.io/traefik/) and the possiblity of matrix-docker-ansible-deploy also switching to this reverse-proxy. This prediction materialized quickly. The **largest change** in the playbook in 2023 happened way back in February - matrix-docker-ansible-deploy [starting the switch from nginx to Traefik](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support) and then quickly [making Treafik the default reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now). As noted in the changelog entries, we envisioned a quick and complete elimination of `matrix-nginx-proxy`, but at the end of 2023, it hasn't happened yet. The playbook is already using Traefik as the front-most reverse-proxy, but nginx (via `matrix-nginx-proxy`) is still around - it has taken a step back and is only used internally for new setups. Work got to a stall due to:
 *   complexity: untangling the overly large and messy `matrix-nginx-proxy` component is difficult
 *   the current setup became "good enough" because nginx has become an internal implementation detail for those who have migrated to Traefik. Traefik is already the default public reverse-proxy and gives better possibilities to people wishing to run other web-exposed containers on their Matrix server via [Docker Compose](https://docs.docker.com/compose/), other Ansible playbooks like [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) (more about this one, below) or any other way.
 `matrix-nginx-proxy` is no longer in the way of us being interoperable, but its ugly internal details are still there. It is one more proxy in the long chain of reverse-proxies we have and we'd like to cut it out. This would both make things simpler and also boost performance.
 The delay in eliminating `matrix-nginx-proxy` has probably been welcome by many existing users who decided to postpone the Traefik migration a bit longer. In 2024, work on eliminating `matrix-nginx-proxy` will continue with rapid pace. People who are still using `matrix-nginx-proxy` as their front-most reverse-proxy will need to rework their setup. About a year of putting it off has been long enough.
 This large Traefik reverse-proxy change was also accompanied by another internal change which began in 2022, but continued in 2023 - **moving non-Matrix-related roles from being internal to the playbook to living their own life outside of it**. Various roles were made more decoupled and moved outside of the playbook, so that other projects (like the [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook or other Ansible playbooks) could benefit from them. This led to the **death of a few sibling playbooks** ([gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy), [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy), [peertube-docker-ansible-deploy](https://github.com/spantaleev/peertube-docker-ansible-deploy), [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy)), but brought life to something better, which supports all these services and more.
 [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) is a new Ansible playbook that a few of us (matrix-docker-ansible-deploy contributors) have launched in 2023. It has quickly grown to supports [60+ services](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/supported-services.md) and aims to do the same for [FOSS](https://en.wikipedia.org/wiki/Free_and_open-source_software) service hosting, as matrix-docker-ansible-deploy has done for Matrix - providing a clean and secure way to run a bunch of services in containers on a regular server (that is to say, without Kubernetes, etc.). Thanks to Traefik and Ansible role reuse, it's easy to host both mash-playbook services and matrix-docker-ansible-deploy services on the same server - see mash-playbook's [interoperability](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/interoperability.md) documentation page. If you've been looking for a holiday project or your New Year's Resolutions list contains "self-hosting more services", then you're welcome to give this new playbook a try and join its Matrix room ([#mash-playbook:devture.com](https://matrix.to/#/#mash-playbook:devture.com)).
 Because many of the roles are now external to this playbook (defined in the [requirements.yml](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/da27655ef34999fa924bc0a5e641dbd9ba06f133/requirements.yml) file), running `make roles` (or better yet `just roles` via the [just tool](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#support-for-running-commands-via-just)) becomes a necessity each time one pulls playbook updates (`git pull`). Pulling external roles happens via the [ansible-galaxy](https://docs.ansible.com/ansible/latest/cli/ansible-galaxy.html) command-line tool, but if available, the playbook would also use the much faster [agru](https://gitlab.com/etke.cc/tools/agru) tool (developed by [Aine](https://gitlab.com/etke.cc) from [etke.cc](https://etke.cc/) this year).
 With the internal (but important) details out of the way, we can now talk more about **new features that landed in matrix-docker-ansible-deploy in 2023**.
 The following **new** **bridges** were added to the playbook in 2023:
 *   (2023-01-11) [mautrix-slack](https://mau.dev/mautrix/slack), thanks to a PR by [Cody Neiman](https://github.com/xangelix) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#mautrix-slack-support))
 *   (2023-07-21) [mautrix-gmessages](https://github.com/mautrix/gmessages), thanks to a PR by [Shreyas Ajjarapu](https://github.com/shreyasajj) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#mautrix-gmessages-support))
 *   (2023-08-23) [mautrix-wsproxy](https://github.com/mautrix/wsproxy) for Apple iMessage bridging (when combined with the [mautrix-imessage](https://github.com/mautrix/imessage) bridge running on your Mac or Android phone), thanks to a PR by [Johan Swetzén](https://github.com/jswetzen)
 This brings the total number of **[bridges that the playbook supports](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/docs/configuring-playbook.md#bridging-other-networks) up to 30**. There are alternative bridge implementations for various networks and protocols, so the number of "unique bridged networks" is surely much smaller.
 A few other **major components and changes** landed in 2023:
 *   (2023-02-10) The [Draupnir](https://github.com/the-draupnir-project/Draupnir) moderation tool (successor to [Mjolnir](https://github.com/matrix-org/mjolnir)), thanks to a PR by [FSG-Cat](https://github.com/FSG-Cat) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#draupnir-moderation-tool-bot-support))
 *   (2023-02-10) [Matrix User Verification Service](https://github.com/matrix-org/matrix-user-verification-service) to add Matrix Authentication Support to our Jitsi setup, thanks to a PR by [Jakob S.](https://github.com/jakicoll) from [zakk gGmbH](https://github.com/zakk-it) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#matrix-authentication-support-for-jitsi))
 *   (2023-02-25) The [Rageshake](https://github.com/matrix-org/rageshake) bug report server, thanks to a PR by [Benjamin Kampmann](https://github.com/gnunicorn) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#rageshake-support))
 *   (2023-03-07) [Sliding Sync Proxy](https://github.com/matrix-org/sliding-sync) (currently a necessary component for [Element X](https://element.io/labs/element-x) to work), thanks to: [Benjamin Kampmann](https://github.com/gnunicorn) and [FSG-Cat](https://github.com/FSG-Cat) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#sliding-sync-proxy-element-x-support))
 *   (2023-03-12) synapse-auto-compressor to periodically and automatically run [rust-synapse-compress-state](https://github.com/matrix-org/rust-synapse-compress-state), thanks to a PR by [Aine](https://gitlab.com/etke.cc) from [etke.cc](https://etke.cc/) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#synapse-auto-compressor-support))
 *   (2023-07-17) [matrix-media-repo](https://github.com/turt2live/matrix-media-repo),  thanks to a PR by [Michael Hollister](https://github.com/Michael-Hollister) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#matrix-media-repo-support))
 *   (2023-08-31) [SchildiChat](https://github.com/SchildiChat/schildichat-desktop) client app (fork of [element-web)](https://github.com/element-hq/element-web), thanks to a PR by [Aine](https://gitlab.com/etke.cc) from [etke.cc](https://etke.cc/) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#schildichat-support))
 *   (2023-10-18) Postgres parameters auto-tuning, thanks to a PR by [Aine](https://gitlab.com/etke.cc) from [etke.cc](https://etke.cc/) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#postgres-parameters-are-automatically-tuned-now))
 *   (2023-10-23) Enabling federation of the room directory for Synapse (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#enabling-allow_public_rooms_over_federation-by-default-for-synapse))
 The most recent change in the list above (Enabling federation of the room directory for Synapse) has been somewhat **controversial** as it goes against upstream defaults for Synapse. Nevertheless, we believe it **promotes the well-being of the Matrix Federation by improving room discovery**.
 **Matrix Federation Stats** (containing the percentage of servers publishing their room directory publicly) are posted to [TWIM](https://matrix.org/category/this-week-in-matrix/) each week by [Aine](https://gitlab.com/etke.cc) from [etke.cc](https://etke.cc/). The number of servers which [currently published their room directory publicly](https://matrix.org/blog/2023/12/2/this-week-in-matrix-2023-12-22/#matrix-federation-stats) stands at `26.6%`, which is:
 - **2.4% more** than when it was when [first published to TWIM](https://matrix.org/blog/2023/11/03/this-week-in-matrix-2023-11-03/#matrix-federation-stats) (1 month earlier, in November)
 - likely about **15+% more** than from before we flipped the switch (in October)
 Hopefully, Synapse defaults would also change the same way and we'd see the number of servers publicly listing their room directory grow faster.
 With this configuration change in place, projects like [MatrixRooms.info](https://matrixrooms.info/) (made by [etke.cc](https://etke.cc/)) and potentially others in the future, can discover, index the metadata (room address, title, topic, number of users, etc.) and make public rooms browsable & searchable across the whole Matrix Federation. It'd be great if users joining Matrix could more easily find interesting communities that match their interests!
 On the **media side of things**, besides Jitsi getting better Matrix integration (via the aforementioned Matrix User Verification Service), we've also had some [Coturn security tightening](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#backward-compatibility-tightening-coturn-security-can-lead-to-connectivity-issues) as well as [performance optimizations](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#coturn-can-now-use-host-networking) for configurations exposing lots of network ports.
 [Element Call](https://github.com/element-hq/element-call) seems to have become a nice and polished product lately (as proclaimed in [The Matrix Holiday Update 2023](https://matrix.org/blog/2023/12/25/the-matrix-holiday-update-2023/)), so 2024 is likely the year we'll see support for it in the playbook. Element Call depends on the [LiveKit](https://livekit.io/) streaming server (which is also useful to developers even by itself), so the first step is likely to see LiveKit support in mash-playbook via a reusable Ansible role. Such a LiveKit Ansible role could later easily land in matrix-docker-ansible-deploy and an Element Call static website could be hooked to it.
 Besides these highlights, there were many other relatively large changes announced in our [CHANGELOG](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md) and hundreds of other more minor (but still important) playbook changes that didn't get a mention.
 We have **hundreds of contributors to thank for their hard work** on making Matrix self-hosting better for all of us! It should be noted that **support comes in many shapes**, not only in raw code commits and financial help (via [donations](https://liberapay.com/s.pantaleev) or using the [etke.cc managed Matrix hosting service](https://etke.cc/) which is based on matrix-docker-ansible-deploy). It also comes in the shape of code reviews, helping others with [issues](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues), reporting new issues, participating in our support room on Matrix ([#matrix-docker-ansible-deploy:devture.com](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com)), etc. To everyone who has been there to make matrix-docker-ansible-deploy better in 2023, thank you! 🙇‍♂️
 # 2022
 For [matrix-docker-ansible-deploy](https://github.com/spantaleev/matrix-docker-ansible-deploy/), 2022 started with **breaking the** [**Synapse**](https://github.com/matrix-org/synapse) **monopoly** by [adding support](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#dendrite-support) for the [Dendrite](https://github.com/matrix-org/dendrite) Matrix homeserver in early January. This required various internal changes so that the [Ansible](https://www.ansible.com/) playbook would not be Synapse-centric anymore. This groundwork paved the way for continuing in this direction and we [added support](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#conduit-support) for [Conduit](https://conduit.rs/) in August.
 When it comes to the `matrix-docker-ansible-deploy` Ansible playbook, 2022 was the year of the non-Synapse homeserver implementation. In practice, none of these homeserver implementations seem ready for prime-time yet and there is no migration path when coming from Synapse. Having done our job of adding support for these alternative homeserver implementations, we can say that we're not getting in the way of future progress. It's time for the Dendrite developers to push harder (development-wise) and for the Synapse developers to take a well-deserved long (infinite) break, and we may get to see more people migrating away from Synapse in the next year(s).
 Support for the following new **bridges** was added:
 *   [Postmoogle](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#postmoogle-email-bridge-support) for bi-directional email bridging, which supersedes my old and simplistic [email2matrix](https://github.com/devture/email2matrix) one-way bridge-bot
 *   [mautrix-discord](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#mautrix-discord-support)
 *   [go-skype-bridge](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#go-skype-bridge-bridging-support)
 *   [matrix-appservice-kakaotalk](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#matrix-appservice-kakaotalk-support)
 Support for the following new **bots** was added:
 *   [buscarron bot](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#buscarron-bot-support)
 *   [Honoroit bot](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#honoroit-bot-support)
 *   [matrix-registration-bot](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#matrix-registration-bot-support)
 *   [matrix-hookshot](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#matrix-hookshot-bridging-support)
 *   [maubot](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#maubot-support)
 Support for the following new **components and services** was added:
 *   [Borg backup](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#borg-backup-support)
 *   [Cactus Comments](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#cactus-comments-support)
 *   [Cinny](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#cinny-support) client support
 *   [ntfy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#ntfy-push-notifications-support) notifications
 *   [matrix-ldap-registration-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#matrix-ldap-registration-proxy-support)
 *   [matrix\_encryption\_disabler support](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#matrix_encryption_disabler-support)
 *   [synapse-s3-storage-provider](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#synapse-s3-storage-provider-support) to stop the Synapse media store from being a scalability problem. This brought along [another feature](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#synapse-container-image-customization-support) - an easier way to customize the Synapse container image without having to fork and self-build all of it from scratch
 Besides these major user-visible changes, a lot of work also happened **under the hood**:
 *   we made [major improvements to Synapse workers](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#potential-backward-compatibility-break-major-improvements-to-synapse-workers) - adding support for stream writers and for running multiple workers of various kinds (federation senders, pushers, background task processing workers, etc.)
 *   we [improved the compatibility of (Synapse + workers) with the rest of the playbook](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#backward-compatibility-break-changing-how-reverse-proxying-to-synapse-works---now-via-a-matrix-synapse-reverse-proxy-companion-service) by introducing a new `matrix-synapse-reverse-proxy-companion-service` service
 *   we started [splitting various Ansible roles out of the Matrix playbook and into independent roles](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#the-playbook-now-uses-external-roles-for-some-things) (e.g. `matrix-postgres` -> [com.devture.ansible.role.postgres](https://github.com/devture/com.devture.ansible.role.postgres)), which could be included in other Ansible playbooks. In fact, these roles already power a few **interesting other sibling playbooks**:
    *   [gitea-docker-ansible-deploy](https://github.com/spantaleev/gitea-docker-ansible-deploy), for deploying a [Gitea](https://gitea.io/) (self-hosted [Git](https://git-scm.com/) service) server
    *   [nextcloud-docker-ansible-deploy](https://github.com/spantaleev/nextcloud-docker-ansible-deploy), for deploying a [Nextcloud](https://nextcloud.com/) groupware server
    *   [vaultwarden-docker-ansible-deploy](https://github.com/spantaleev/vaultwarden-docker-ansible-deploy), for deploying a [Vaultwarden](https://github.com/dani-garcia/vaultwarden) password manager server (unofficial [Bitwarden](https://bitwarden.com/) compatible server)
 These sibling playbooks co-exist nicely with one another due to using [Traefik](https://traefik.io/) for reverse-proxying, instead of trying to overtake the whole server by running their own [nginx](https://nginx.org/) reverse-proxy. Hopefully soon, the Matrix playbook will follow suit and be powered by Traefik by default.
 Last, but not least, to optimize our [etke.cc managed Matrix hosting service](https://etke.cc/)'s performance (but also individual Ansible playbook runs for people self-hosting by themselves using the playbook), we've [improved playbook runtime 2-5x](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/ba09705f7fbaf0108652ecbe209793b1d935eba7/CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) by employing various Ansible tricks.
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,6 +1,11 @@
 [defaults]
 vault_password_file = gpg/open_vault.sh
 retry_files_enabled = False
 stdout_callback = yaml
 inventory = inventory/hosts
 [connection]
 pipelining = True
--- a/inventory/scripts/ansible-all-hosts.sh
+++ b/inventory/scripts/ansible-all-hosts.sh
@ -4,7 +4,7 @@
 # It defaults to ansible tags "setup-all,start". You can pass alternative tags
 # to this script as arguments, e.g.
 #
-#     ./inventory/scripts/ansible-all-hosts.sh self-check
+#     ./bin/ansible-all-hosts.sh self-check
 #
 # set playbook root path
--- a/docs/ansible.md
+++ b/docs/ansible.md
@ -65,7 +65,7 @@ docker run -it --rm \
 -w /work \
 -v `pwd`:/work \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.13.6-r0-3
+docker.io/devture/ansible:2.16.1-r0-0
 ```
 Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
@ -86,7 +86,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.13.6-r0-3
+docker.io/devture/ansible:2.16.1-r0-0
 ```
 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).
--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@ -56,7 +56,7 @@ When setting up a SRV record, if you are asked for a service and protocol instea
 As the table above illustrates, you need to create 2 subdomains (`matrix.<your-domain>` and `element.<your-domain>`) and point both of them to your new server's IP address (DNS `A` record or `CNAME` record is fine).
-The `element.<your-domain>` subdomain may be necessary, because this playbook installs the [Element](https://github.com/vector-im/element-web) web client for you.
+The `element.<your-domain>` subdomain may be necessary, because this playbook installs the [Element](https://github.com/element-hq/element-web) web client for you.
 If you'd rather instruct the playbook not to install Element (`matrix_client_element_enabled: false` when [Configuring the playbook](configuring-playbook.md) later), feel free to skip the `element.<your-domain>` DNS record.
 The `dimension.<your-domain>` subdomain may be necessary, because this playbook could install the [Dimension integrations manager](http://dimension.t2bot.io/) for you. Dimension installation is disabled by default, because it's only possible to install it after the other Matrix services are working (see [Setting up Dimension](configuring-playbook-dimension.md) later). If you do not wish to set up Dimension, feel free to skip the `dimension.<your-domain>` DNS record.
@ -73,7 +73,7 @@ The `ntfy.<your-domain>` subdomain may be necessary, because this playbook could
 The `etherpad.<your-domain>` subdomain may be necessary, because this playbook could install the [Etherpad](https://etherpad.org/) a highly customizable open source online editor providing collaborative editing in really real-time. The installation of etherpad is disabled by default, it is not a core required component. To learn how to install it, see our [configuring etherpad guide](configuring-playbook-etherpad.md). If you do not wish to set up etherpad, feel free to skip the `etherpad.<your-domain>` DNS record.
-The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/vector-im/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
+The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook could install the [Hydrogen](https://github.com/element-hq/hydrogen-web) web client. The installation of Hydrogen is disabled by default, it is not a core required component. To learn how to install it, see our [configuring Hydrogen guide](configuring-playbook-client-hydrogen.md). If you do not wish to set up Hydrogen, feel free to skip the `hydrogen.<your-domain>` DNS record.
 The `cinny.<your-domain>` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.<your-domain>` DNS record.
--- a/docs/configuring-playbook-bot-draupnir.md
+++ b/docs/configuring-playbook-bot-draupnir.md
@ -20,7 +20,7 @@ You can use the playbook to [register a new user](registering-users.md):
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
-If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
+If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports ([see below](#abuse-reports)), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
 ## 2. Get an access token
@ -77,7 +77,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ## Usage
-You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
+You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/the-draupnir-project/Draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
 You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file.
@ -94,3 +94,17 @@ matrix_bot_draupnir_configuration_extension_yaml: |
  # completely redefining `matrix_bot_draupnir_configuration_yaml`.
  recordIgnoredInvites: true
 ```
 ## Abuse Reports
 Draupnir supports two methods to receive reports in the management room.
 The first method intercepts the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver.
 While this playbook uses reverse proxies, it does not yet implement this.
 The other method polls an synapse admin API endpoint and is hence only available when using synapse and when the Draupnir user is an admin user (see step 1).
 To enable it, set `pollReports: true` in Draupnir's config:
 ```yaml
 matrix_bot_draupnir_configuration_extension_yaml: |
  pollReports: true
 ```
--- a/docs/configuring-playbook-bot-matrix-registration-bot.md
+++ b/docs/configuring-playbook-bot-matrix-registration-bot.md
@ -17,9 +17,8 @@ To enable the bot, add the following configuration to your `inventory/host_vars/
 ```yaml
 matrix_bot_matrix_registration_bot_enabled: true
-#By default, the playbook will set use the bot with a username like 
+# By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`.
-## this: `@bot.matrix-registration-bot:DOMAIN`.
+# To use a different username, uncomment & adjust the variable below:
 # To use a different username, uncomment & adjust the variable.
 # matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot
 # Generate a strong password here. Consider generating it with `pwgen -s 64 1`
@ -32,16 +31,11 @@ matrix_synapse_enable_registration: true
 matrix_synapse_registration_requires_token: true
 ```
-The bot account will be automatically created.
+The bot account will be created automatically.
 ## Installing
-After configuring the playbook, run the [installation](installing.md) command again:
+After configuring the playbook, re-run the [installation](installing.md) command again: `just install-all` or `just setup-all`
 ```
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 ## Usage
--- a/docs/configuring-playbook-bridge-beeper-linkedin.md
+++ b/docs/configuring-playbook-bridge-beeper-linkedin.md
@ -32,14 +32,10 @@ You may wish to look at `roles/custom/matrix-bridge-beeper-linkedin/templates/co
 ## Set up Double Puppeting
-If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have to enable Shared Secred Auth.
 ### Method 1: automatically, by enabling Shared Secret Auth
 The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
 This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
 ## Usage
--- a/docs/configuring-playbook-bridge-hookshot.md
+++ b/docs/configuring-playbook-bridge-hookshot.md
@ -23,6 +23,11 @@ Other configuration options are available via the `matrix_hookshot_configuration
 Finally, run the playbook (see [installing](installing.md)).
 ### End-to-bridge encryption
 You can enable [experimental encryption](https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html) for Hookshot by adding `matrix_hookshot_experimental_encryption_enabled: true` to your configuration (`vars.yml`) and [executing the playbook](installing.md) again.
 Should the crypto store be corrupted, you can reset it by executing this Ansible playbook with the tag `reset-hookshot-encryption` added, for example `ansible-playbook -i inventory/hosts setup.yml -K --tags=reset-hookshot-encryption`).
 ## Usage
--- a/docs/configuring-playbook-bridge-mautrix-signal.md
+++ b/docs/configuring-playbook-bridge-mautrix-signal.md
@ -6,6 +6,8 @@ See the project's [documentation](https://docs.mau.fi/bridges/python/signal/inde
 **Note/Prerequisite**: If you're running with the Postgres database server integrated by the playbook (which is the default), you don't need to do anything special and can easily proceed with installing. However, if you're [using an external Postgres server](configuring-playbook-external-postgres.md), you'd need to manually prepare a Postgres database for this bridge and adjust the variables related to that (`matrix_mautrix_signal_database_*`).
 **Note**: This revamped version of the [mautrix-signal (legacy)](configuring-playbook-bridge-mautrix-signal.md) may increase the CPU usage of your homeserver.
 Use the following playbook configuration:
 ```yaml
@ -14,14 +16,7 @@ matrix_mautrix_signal_enabled: true
 There are some additional things you may wish to configure about the bridge before you continue.
 The relay bot functionality is off by default. If you would like to enable the relay bot, add the following to your `vars.yml` file:
 ```yaml
 matrix_mautrix_signal_relaybot_enabled: true
 ```
 If you want to activate the relay bot in a room, use `!signal set-relay`.
 Use `!signal unset-relay` to deactivate.
 By default, any user on your homeserver will be able to use the bridge.
 If you enable the relay bot functionality, it will relay every user's messages in a portal room - no matter which homeserver they're from.
 Different levels of permission can be granted to users:
@ -46,7 +41,7 @@ matrix_mautrix_signal_configuration_extension_yaml: |
      '@YOUR_USERNAME:YOUR_DOMAIN': admin
 ```
-This will add the admin permission to the specific user, while keepting the default permissions.
+This will add the admin permission to the specific user, while keeping the default permissions.
 In case you want to replace the default permissions settings **completely**, populate the following item within your `vars.yml` file:
 ```yaml
--- a/docs/configuring-playbook-bridge-mautrix-whatsapp.md
+++ b/docs/configuring-playbook-bridge-mautrix-whatsapp.md
@ -21,8 +21,8 @@ By default, only admins are allowed to set themselves as relay users. To allow a
 matrix_mautrix_whatsapp_bridge_relay_admin_only: false
 ```
-If you want to activate the relay bot in a room, use `!whatsapp set-relay`.
+If you want to activate the relay bot in a room, use `!wa set-relay`.
-Use `!whatsapp unset-relay` to deactivate.
+Use `!wa unset-relay` to deactivate.
 ## Enable backfilling history
 This requires a server with MSC2716 support, which is currently an experimental feature in synapse.
--- a/docs/configuring-playbook-client-element.md
+++ b/docs/configuring-playbook-client-element.md
@ -1,6 +1,6 @@
 # Configuring Element (optional)
-By default, this playbook installs the [Element](https://github.com/vector-im/element-web) Matrix client web application.
+By default, this playbook installs the [Element](https://github.com/element-hq/element-web) Matrix client web application.
 If that's okay, you can skip this document.
--- a/docs/configuring-playbook-client-hydrogen.md
+++ b/docs/configuring-playbook-client-hydrogen.md
@ -1,6 +1,6 @@
 # Configuring Hydrogen (optional)
-This playbook can install the [Hydrogen](https://github.com/vector-im/hydrogen-web) Matrix web client for you.
+This playbook can install the [Hydrogen](https://github.com/element-hq/hydrogen-web) Matrix web client for you.
 Hydrogen is a lightweight web client that supports mobile and legacy web browsers.
 Hydrogen can be installed alongside or instead of Element.
--- a/docs/configuring-playbook-email.md
+++ b/docs/configuring-playbook-email.md
@ -5,9 +5,9 @@ By default, this playbook sets up an [Exim](https://www.exim.org/) email server
 The email server would attempt to deliver emails directly to their final destination.
 This may or may not work, depending on your domain configuration (SPF settings, etc.)
-By default, emails are sent from `matrix@<your-domain-name>` (as specified by the `matrix_mailer_sender_address` playbook variable).
+By default, emails are sent from `matrix@<your-domain-name>` (as specified by the `exim_relay_sender_address` playbook variable).
-**Note**: If you are using a Google Cloud instance, [port 25 is always blocked](https://cloud.google.com/compute/docs/tutorials/sending-mail/), so you need to relay email through another SMTP server as described below.   
+**Note**: If you are using a Google Cloud instance, [port 25 is always blocked](https://cloud.google.com/compute/docs/tutorials/sending-mail/), so you need to relay email through another SMTP server as described below.
 ## Firewall settings
@ -21,35 +21,35 @@ If you'd like to relay email through another SMTP server, feel free to redefine
 Example:
 ```yaml
-matrix_mailer_sender_address: "another.sender@example.com"
+exim_relay_sender_address: "another.sender@example.com"
-matrix_mailer_relay_use: true
+exim_relay_relay_use: true
-matrix_mailer_relay_host_name: "mail.example.com"
+exim_relay_relay_host_name: "mail.example.com"
-matrix_mailer_relay_host_port: 587
+exim_relay_relay_host_port: 587
-matrix_mailer_relay_auth: true
+exim_relay_relay_auth: true
-matrix_mailer_relay_auth_username: "another.sender@example.com"
+exim_relay_relay_auth_username: "another.sender@example.com"
-matrix_mailer_relay_auth_password: "some-password"
+exim_relay_relay_auth_password: "some-password"
 ```
 **Note**: only the secure submission protocol (using `STARTTLS`, usually on port `587`) is supported. **SMTPS** (encrypted SMTP, usually on port `465`) **is not supported**.
 ### Configuations for sending emails using Sendgrid
-An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `matrix_mailer_sender_address`.
+An easy and free SMTP service to set up is [Sendgrid](https://sendgrid.com/), the free tier allows for up to 100 emails per day to be sent. In the settings below you can provide any email for `exim_relay_sender_address`.
-The only other thing you need to change is the `matrix_mailer_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`.
+The only other thing you need to change is the `exim_relay_relay_auth_password`, which you can generate at https://app.sendgrid.com/settings/api_keys. The API key password looks something like `SG.955oW1mLSfwds7i9Yd6IA5Q.q8GTaB8q9kGDzasegdG6u95fQ-6zkdwrPP8bOeuI`.
-Note that the `matrix_mailer_relay_auth_username` is literally the string `apikey`, it's always the same for Sendgrid.
+Note that the `exim_relay_relay_auth_username` is literally the string `apikey`, it's always the same for Sendgrid.
 ```yaml
-matrix_mailer_sender_address: "arbitrary@email.com"
+exim_relay_sender_address: "arbitrary@email.com"
-matrix_mailer_relay_use: true
+exim_relay_relay_use: true
-matrix_mailer_relay_host_name: "smtp.sendgrid.net"
+exim_relay_relay_host_name: "smtp.sendgrid.net"
-matrix_mailer_relay_host_port: 587
+exim_relay_relay_host_port: 587
-matrix_mailer_relay_auth: true
+exim_relay_relay_auth: true
-matrix_mailer_relay_auth_username: "apikey"
+exim_relay_relay_auth_username: "apikey"
-matrix_mailer_relay_auth_password: "<your api key password>" 
+exim_relay_relay_auth_password: "<your api key password>"
 ```
 ## Troubleshooting
-If you're having trouble with email not being delivered, it may be useful to inspect the mailer logs: `journalctl -f -u matrix-mailer`.
+If you're having trouble with email not being delivered, it may be useful to inspect the mailer logs: `journalctl -f -u matrix-exim-relay`.
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -286,7 +286,7 @@ You can use the self-hosted Jitsi server in multiple ways:
 - **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN`
-**Note**: Element apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support).
+**Note**: Element apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/element-hq/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support).
 ## Troubleshooting
--- a/docs/configuring-playbook-matrix-media-repo.md
+++ b/docs/configuring-playbook-matrix-media-repo.md
@ -1,14 +1,20 @@
 # Setting up matrix-media-repo (optional)
-[matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/) is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification.
+[matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/) (often abbreviated "MMR") is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification.
 Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption. Please do your research before deploying this as this project may not be useful for your environment.
 For a simpler alternative (which allows you to offload your media repository storage to S3, etc.), you can [configure S3 storage](configuring-playbook-s3.md) instead of setting up matrix-media-repo.
 | **Table of Contents**                                                                       |
 | :------------------------------------------------------------------------------------------ |
 | [Quickstart](#quickstart)                                                                   |
 | [Additional configuration options](#configuring-the-media-repo)                             |
 | [Importing data from an existing media store](#importing-data-from-an-existing-media-store) |
 ## Quickstart
-Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file and [re-run the installation process](./installing.md) for the playbook:
 ```yaml
 matrix_media_repo_enabled: true
@ -37,70 +43,100 @@ matrix_media_repo_database_max_connections: 25
 matrix_media_repo_database_max_idle_connections: 5
 # These users have full access to the administrative functions of the media repository.
-# See https://github.com/turt2live/matrix-media-repo/blob/release-v1.2.8/docs/admin.md for information on what these people can do. They must belong to one of the
+# See docs/admin.md for information on what these people can do. They must belong to one of the
 # configured homeservers above.
-matrix_media_repo_admins:
+# matrix_media_repo_admins: [
-  admins: []
+#   "@your_username:example.org"
-# admins:
+# ]
 #   - "@your_username:example.org"
-# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
+matrix_media_repo_admins: []
 # thumbnails and other misc data is also stored in these places. The media repo, when looking
 # for a datastore to use, will always use the smallest datastore first.
 matrix_media_repo_datastores:
  datastores:
    - type: file
      enabled: true # Enable this to set up data storage.
      # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
      # across all datastores (local content which duplicates remote content will re-use the remote
      # content's location). This option is useful if your datastore is becoming very large, or if
      # you want faster storage for a particular kind of media.
      #
      # The kinds available are:
      #   thumbnails    - Used to store thumbnails of media (local and remote).
      #   remote_media  - Original copies of remote media (servers not configured by this repo).
      #   local_media   - Original uploads for local media.
      #   archives      - Archives of content (GDPR and similar requests).
      forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
      opts:
        path: /data/media
-    - type: s3
+# Datastores can be split into many areas when handling uploads. Media is still de-duplicated
-      enabled: false # Enable this to set up s3 uploads
+# across all datastores (local content which duplicates remote content will re-use the remote
-      forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
+# content's location). This option is useful if your datastore is becoming very large, or if
-      opts:
+# you want faster storage for a particular kind of media.
-        # The s3 uploader needs a temporary location to buffer files to reduce memory usage on
+#
-        # small file uploads. If the file size is unknown, the file is written to this location
+# To disable this datastore, making it readonly, specify `forKinds: []`.
-        # before being uploaded to s3 (then the file is deleted). If you aren't concerned about
+#
-        # memory usage, set this to an empty string.
+# The kinds available are:
-        tempPath: "/tmp/mediarepo_s3_upload"
+#   thumbnails    - Used to store thumbnails of media (local and remote).
-        endpoint: sfo2.digitaloceanspaces.com
+#   remote_media  - Original copies of remote media (servers not configured by this repo).
-        accessKeyId: ""
+#   local_media   - Original uploads for local media.
-        accessSecret: ""
+#   archives      - Archives of content (GDPR and similar requests).
-        ssl: true
+matrix_media_repo_datastore_file_for_kinds: ["thumbnails", "remote_media", "local_media", "archives"]
-        bucketName: "your-media-bucket"
+matrix_media_repo_datastore_s3_for_kinds: []
        # An optional region for where this S3 endpoint is located. Typically not needed, though
        # some providers will need this (like Scaleway). Uncomment to use.
        #region: "sfo2"
        # An optional storage class for tuning how the media is stored at s3.
        # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use.
        #storageClass: STANDARD
-    # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If
+# The s3 uploader needs a temporary location to buffer files to reduce memory usage on
-    # the feature is not enabled, this will not work. Note that IPFS support is experimental at
+# small file uploads. If the file size is unknown, the file is written to this location
-    # the moment and not recommended for general use.
+# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
-    #
+# memory usage, set this to an empty string.
-    # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo
+matrix_media_repo_datastore_s3_opts_temp_path: ""
-    # puts authentication on the download endpoints. Only use this option for cases where you
+matrix_media_repo_datastore_s3_opts_endpoint: "sfo2.digitaloceanspaces.com"
-    # expect your media to be publicly accessible.
+matrix_media_repo_datastore_s3_opts_access_key_id: ""
-    - type: ipfs
+matrix_media_repo_datastore_s3_opts_access_secret: ""
-      enabled: false # Enable this to use IPFS support
+matrix_media_repo_datastore_s3_opts_ssl: true
-      forKinds: ["local_media"]
+matrix_media_repo_datastore_s3_opts_bucket_name: "your-media-bucket"
-      # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured
+
-      # in the IPFS section of your main config.
+# An optional region for where this S3 endpoint is located. Typically not needed, though
-      opts: {}
+# some providers will need this (like Scaleway). Uncomment to use.
 # matrix_media_repo_datastore_s3_opts_region: "sfo2"
 # An optional storage class for tuning how the media is stored at s3.
 # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use.
 # matrix_media_repo_datastore_s3_opts_storage_class: "STANDARD"
 ```
-Full list of configuration options with documentation can be found in `roles/custom/matrix-media-repo/templates/defaults/main.yml`
+Full list of configuration options with documentation can be found in [`roles/custom/matrix-media-repo/defaults/main.yml`](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/roles/custom/matrix-media-repo/defaults/main.yml)
 ## Importing data from an existing media store
 If you want to add this repo to an existing homeserver managed by the playbook, you will need to import existing media into MMR's database or you will lose access to older media while it is active. MMR versions up to `v1.3.3` only support importing from Synapse, but newer versions (at time of writing: only `latest`) also support importing from Dendrite.
 **Before importing**: ensure you have an initial matrix-media-repo deployment by following the [quickstart](#quickstart) guide above
 Depending on the homeserver implementation yu're using (Synapse, Dendrite), you'll need to use a different import tool (part of matrix-media-repo) and point it to the homeserver's database.
 ### Importing data from the Synapse media store
 To import the Synapse media store, you're supposed to invoke the `import_synapse` tool which is part of the matrix-media-repo container image. Your Synapse database is called `synapse` by default, unless you've changed it by modifying `matrix_synapse_database_database`.
 This guide here is adapted from the [upstream documentation about the import_synapse script](https://github.com/turt2live/matrix-media-repo#importing-media-from-synapse).
 Run the following command on the server (after replacing `devture_postgres_connection_password` in it with the value found in your `vars.yml` file):
 ```sh
 docker exec -it matrix-media-repo \
    /usr/local/bin/import_synapse \
        -dbName synapse \
        -dbHost matrix-postgres \
        -dbPort 5432 \
        -dbUsername matrix \
        -dbPassword devture_postgres_connection_password
 ```
 Enter `1` for the Machine ID when prompted (you are not doing any horizontal scaling) unless you know what you're doing.
 This should output a `msg="Import completed"` when finished successfully!
 ### Importing data from the Dendrite media store
 If you're using the [Dendrite](configuring-playbook-dendrite.md) homeserver instead of the default for this playbook (Synapse), follow this importing guide here.
 To import the Dendrite media store, you're supposed to invoke the `import_dendrite` tool which is part of the matrix-media-repo container image. Your Dendrite database is called `dendrite_mediaapi` by default, unless you've changed it by modifying `matrix_dendrite_media_api_database`.
 Run the following command on the server (after replacing `devture_postgres_connection_password` in it with the value found in your `vars.yml` file):
 ```sh
 docker exec -it matrix-media-repo \
    /usr/local/bin/import_dendrite \
        -dbName dendrite_mediaapi \
        -dbHost matrix-postgres \
        -dbPort 5432 \
        -dbUsername matrix \
        -dbPassword devture_postgres_connection_password
 ```
 Enter `1` for the Machine ID when prompted (you are not doing any horizontal scaling) unless you know what you're doing.
 This should output a `msg="Import completed"` when finished successfully!
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -1,21 +1,18 @@
 # Using your own webserver, instead of this playbook's Traefik reverse-proxy (optional, advanced)
-**Note**: the playbook is [in the process of moving to Traefik](../CHANGELOG.md#reverse-proxy-configuration-changes-and-initial-traefik-support). The **documentation below may be incomplete or misleading**.
+By default, this playbook installs its own [Traefik](https://traefik.io/) reverse-proxy server (in a Docker container) which listens on ports 80 and 443.
 By default, this playbook installs its own nginx webserver (called `matrix-nginx-proxy`, in a Docker container) which listens on ports 80 and 443.
 If that's alright, you can skip this.
 Soon, this default will change and the playbook will install its own [Traefik](https://traefik.io/) reverse-proxy instead.
 ## Traefik
-[Traefik](https://traefik.io/) will be the default reverse-proxy for the playbook in the near future.
+[Traefik](https://traefik.io/) is the default reverse-proxy for the playbook since [2023-02-26](../CHANGELOG.md/#2023-02-26).
 There are 2 ways to use Traefik with this playbook, as described below.
 ### Traefik managed by the playbook
-To switch to Traefik now, use configuration like this:
+To have the playbook install and use Traefik, use configuration like this (as seen in `examples/vars.yml`):
 ```yaml
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik
@ -23,9 +20,9 @@ matrix_playbook_reverse_proxy_type: playbook-managed-traefik
 devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
 ```
-This will install Traefik in the place of `matrix-nginx-proxy`. Traefik will manage SSL certificates for all services seamlessly.
+Traefik will manage SSL certificates for all services seamlessly.
-**Note**: during the transition period, `matrix-nginx-proxy` will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the future, we'll be able to run without nginx, but we're not there yet.
+**Note**: for a while longer, our old reverse-proxy (`matrix-nginx-proxy`) will still be installed in local-only mode. Do not be alarmed to see `matrix-nginx-proxy` running even when you've chosen Traefik as your reverse-proxy. In the near future, we'll be able to run without nginx, but we're not there yet.
 ### Traefik managed by you
@ -35,6 +32,10 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
 matrix_playbook_reverse_proxyable_services_additional_network: your-traefik-network
 devture_traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
 # Uncomment and tweak the variable below if the name of your federation entrypoint is different
 # than the default value (matrix-federation).
 # matrix_federation_traefik_entrypoint: matrix-federation
 ```
 In this mode all roles will still have Traefik labels attached. You will, however, need to configure your Traefik instance and its entrypoints.
@ -84,7 +85,7 @@ services:
      - "--providers.docker.network=traefik"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web-secure.address=:443"
-      - "--entrypoints.federation.address=:8448"
+      - "--entrypoints.matrix-federation.address=:8448"
      - "--certificatesresolvers.default.acme.tlschallenge=true"
      - "--certificatesresolvers.default.acme.email=YOUR EMAIL"
      - "--certificatesresolvers.default.acme.storage=/letsencrypt/acme.json"
@ -102,7 +103,7 @@ networks:
 ## Another webserver
-If you don't wish to use Traefik or `matrix-nginx-proxy`, you can also use your own webserver.
+If you don't wish to use Traefik, you can also use your own webserver.
 Doing this is possible, but requires manual work.
@ -139,25 +140,28 @@ devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
 # We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
 # a reverse-proxy running on the local machine is safe enough.
 # If you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interface:
 # - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition below
 # - uncomment and adjust the `devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs` line below
 devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
 # Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces:
 # - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above
 # - uncomment and adjust the line below
 # devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
-# Likewise (to `devture_traefik_container_web_host_bind_port` above),
+# Expose the federation entrypoint on a custom port (other than port 8448, which is normally used publicly).
-# if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below.
+#
-devture_traefik_additional_entrypoints_auto:
+# We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
-  - name: matrix-federation
+# a reverse-proxy running on the local machine is safe enough.
-    port: 8449
+#
-    host_bind_port: '127.0.0.1:8449'
+# If your reverse-proxy runs on another machine, consider:
-    config: {}
+# - using `0.0.0.0:8449`, just `8449` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:8449` below
-    # If your reverse-proxy runs on another machine, remove the config above and use this config instead:
+# - adjusting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom` (below) - removing `insecure: true` and enabling/configuring `trustedIPs`
-    # config:
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: 127.0.0.1:8449
-    #   forwardedHeaders:
+
-    #     insecure: true
+# Depending on the value of `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port` above,
-    #     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
+# this may need to be reconfigured. See the comments above.
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
  forwardedHeaders:
    insecure: true
  # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```
 For an example where the playbook's Traefik reverse-proxy is fronted by another reverse-proxy running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md) or [Caddy reverse-proxy fronting the playbook's Traefik](../examples/caddy2/README.md).
@ -173,7 +177,7 @@ If your webserver is on the same machine, sure your web server user (something l
 #### Using your own nginx reverse-proxy running on the same machine
-**WARNING**: this type of setup is not maintained and will be removed in the future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead.
+**WARNING**: this type of setup is not maintained and will be removed in the near future. We recommend that you go for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instead.
 If you'll be using `nginx` running on the same machine (not in a container), you can make the playbook help you generate configuration for `nginx` with this configuration:
--- a/docs/configuring-playbook-riot-web.md
+++ b/docs/configuring-playbook-riot-web.md
@ -1,6 +1,6 @@
 # Configuring Riot-web (optional)
-By default, this playbook **used to install** the [Riot-web](https://github.com/vector-im/riot-web) Matrix client web application.
+By default, this playbook **used to install** the [Riot-web](https://github.com/element-hq/riot-web) Matrix client web application.
 Riot has since been [renamed to Element](https://element.io/blog/welcome-to-element/).
--- a/docs/configuring-playbook-sliding-sync-proxy.md
+++ b/docs/configuring-playbook-sliding-sync-proxy.md
@ -2,13 +2,13 @@
 The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you.
-Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)).
+Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/element-hq/element-x-ios) and [Element X Android](https://github.com/element-hq/element-x-android)).
 See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more.
 Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi).
-Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version.
+Element X Android is [available on the Github Releases page](https://github.com/element-hq/element-x-android/releases).
 **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync.
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@ -68,21 +68,21 @@ aux_file_definitions:
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
    src: /path/on/your/Ansible/computer/to/privkey.pem
-	# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
+    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
-	# Note the indentation level.
+    # Note the indentation level.
-	# content: |
+    # content: |
-	#   FILE CONTENT
+    #   FILE CONTENT
-	#   HERE
+    #   HERE
  # Create the cert.pem file on the server
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
    src: /path/on/your/Ansible/computer/to/cert.pem
-	# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
+    # Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
-	# Note the indentation level.
+    # Note the indentation level.
-	# content: |
+    # content: |
-	#   FILE CONTENT
+    #   FILE CONTENT
-	#   HERE
+    #   HERE
  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
--- a/docs/configuring-playbook-synapse-admin.md
+++ b/docs/configuring-playbook-synapse-admin.md
@ -15,7 +15,7 @@ Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.
 matrix_synapse_admin_enabled: true
 ```
-**Note**: Synapse Admin requires Synapse's [Admin APIs](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`).
+**Note**: Synapse Admin requires Synapse's [Admin APIs](https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/index.html) to function. Access to them is restricted with a valid access token, so exposing them publicly should not be a real security concern. Still, for additional security, we normally leave them unexposed, following [official Synapse reverse-proxying recommendations](https://github.com/matrix-org/synapse/blob/master/docs/reverse_proxy.md#synapse-administration-endpoints). Because Synapse Admin needs these APIs to function, when installing Synapse Admin, we **automatically** exposes them publicly for you (equivalent to `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true`).
 ## Installing
--- a/docs/configuring-playbook-synapse.md
+++ b/docs/configuring-playbook-synapse.md
@ -34,13 +34,7 @@ We support a few configuration presets (`matrix_synapse_workers_preset: one-of-e
 If you'd like more customization power, you can start with one of the presets and tweak various `matrix_synapse_workers_*_count` variables manually.
-If you increase worker counts too much, you may need to increase the maximum number of Postgres connections too (example):
+When Synapse workers are enabled, the integrated [Postgres database is tuned](maintenance-postgres.md#tuning-postgresql), so that the maximum number of Postgres connections are increased from `200` to `500`. If you need to decrease or increase the number of maximum Postgres connections further, use the `devture_postgres_max_connections` variable.
 ```yaml
 devture_postgres_process_extra_arguments: [
  "-c 'max_connections=200'"
 ]
 ```
 In case any problems occur, make sure to have a look at the [list of synapse issues about workers](https://github.com/matrix-org/synapse/issues?q=workers+in%3Atitle) and your `journalctl --unit 'matrix-*'`.
--- a/docs/configuring-playbook-turn.md
+++ b/docs/configuring-playbook-turn.md
@ -16,13 +16,24 @@ matrix_coturn_enabled: false
 In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail.
 ## Manually defining your public IP
 In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring Coturn.
 If you'd rather use a local IP for `ansible_host`, make sure to set up `matrix_coturn_turn_external_ip_address` replacing `YOUR_PUBLIC_IP` with the pubic IP used by the server.
 ```yaml
 matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
 ```
 If you'd like to rely on external IP address auto-detection (not recommended unless you need it), set `matrix_coturn_turn_external_ip_address` to an empty value. The playbook will automatically contact an [EchoIP](https://github.com/mpolden/echoip)-compatible service (`https://ifconfig.co/json` by default) to determine your server's IP address. This API endpoint is configurable via the `matrix_coturn_turn_external_ip_address_auto_detection_echoip_service_url` variable.
 If your server has multiple external IP addresses, the Coturn role offers a different variable for specifying them:
 ```yaml
 # Note: matrix_coturn_turn_external_ip_addresses is different than matrix_coturn_turn_external_ip_address
 matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']
 ```
 ## Using your own external Coturn server
 If you'd like to use another TURN server (be it Coturn or some other one), you can configure the playbook like this:
@ -49,4 +60,4 @@ jitsi_web_stun_servers:
 You can put multiple host/port combinations if you like.
 ## Further variables and configuration options
-To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml 
+To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -18,7 +18,9 @@ You can then follow these steps inside the playbook directory:
 1. edit the inventory hosts file (`inventory/hosts`) to your liking
-1. (optional, advanced) to run Ansible against multiple servers with different `sudo` credentials, you can copy the sample inventory hosts yaml file for each of your hosts: (`cp examples/host.yml inventory/my_host1.yml` …) and use the [`ansible-all-hosts.sh`](../inventory/scripts/ansible-all-hosts.sh) script [in the installation step](installing.md).
+2. (optional, advanced) you may wish to keep your `inventory` directory under version control with [git](https://git-scm.com/) or any other version-control system.
 3. (optional, advanced) to run Ansible against multiple servers with different `sudo` credentials, you can copy the sample inventory hosts yaml file for each of your hosts: (`cp examples/host.yml inventory/my_host1.yml` …) and use the [`ansible-all-hosts.sh`](../bin/ansible-all-hosts.sh) script [in the installation step](installing.md).
 For a basic Matrix installation, that's all you need.
 For a more custom setup, see the [Other configuration options](#other-configuration-options) below.
--- a/docs/configuring-well-known.md
+++ b/docs/configuring-well-known.md
@ -38,28 +38,25 @@ To learn how to set it up, read the Installing section below.
 ## (Optional) Introduction to Homeserver Admin Contact and Support page
-[MSC 1929](https://github.com/matrix-org/matrix-spec-proposals/pull/1929) specifies a way to add contact details of admins, as well as a link to a support page for users who are having issues with the service.
+[MSC 1929](https://github.com/matrix-org/matrix-spec-proposals/pull/1929) specifies a way to add contact details of admins, as well as a link to a support page for users who are having issues with the service. Automated services may also index this information and use it for abuse reports, etc.
 This MSC did not get accepted yet, but we think it might already be useful to Homeserver admins who wish to provide this information to end-users.
 The two playbook variables that you could look for, if you're interested in being an early adopter, are: `matrix_homeserver_admin_contacts` and `matrix_homeserver_support_url`.
 Example snippet for `vars.yml`:
 ```
 # Enable generation of `/.well-known/matrix/support`.
 # This needs to be enabled explicitly for now, because MSC 1929 is not yet accepted.
 matrix_well_known_matrix_support_enabled: true
 # Homeserver admin contacts as per MSC 1929 https://github.com/matrix-org/matrix-spec-proposals/pull/1929
 matrix_homeserver_admin_contacts:
  - matrix_id: "@admin1:{{ matrix_domain }}"
    email_address: admin@domain.tld
-    role: admin
+    role: m.role.admin
  - matrix_id: "@admin2:{{ matrix_domain }}"
    email_address: admin2@domain.tld
-    role: admin
+    role: m.role.admin
  - email_address: security@domain.tld
-    role: security
+    role: m.role.security
 matrix_homeserver_support_url: "https://example.domain.tld/support"
 ```
@ -123,6 +120,7 @@ server {
 	location /.well-known/matrix {
 		proxy_pass https://matrix.example.com/.well-known/matrix;
 		proxy_set_header X-Forwarded-For $remote_addr;
        proxy_ssl_server_name on;
 	}
 	# other configuration
@ -172,10 +170,9 @@ backend matrix-backend
 	rsprep ^Location:\ (http|https)://matrix.example.com\/(.*) Location:\ \1://matrix.example.com/.well-known/matrix/\2 if response-is-redirect
 ```
-**For Netlify**, it would be something like this:
+**For Netlify**, configure a [redirect](https://docs.netlify.com/routing/redirects/) using a `_redirects` file in the [publish directory](https://docs.netlify.com/configure-builds/overview/#definitions) with contents like this:
 ```
 # In the _redirects file in the website's root
 /.well-known/matrix/* https://matrix.example.com/.well-known/matrix/:splat 200!
 ```
--- a/docs/faq.md
+++ b/docs/faq.md
@ -285,7 +285,7 @@ You can disable some not-so-important services to save on memory.
 matrix_ma1sd_enabled: false
 # Disabling this will prevent email-notifications and other such things from working.
-matrix_mailer_enabled: false
+exim_relay_enabled: false
 # You can also disable this to save more RAM,
 # at the expense of audio/video calls being unreliable.
--- a/docs/maintenance-postgres.md
+++ b/docs/maintenance-postgres.md
@ -87,7 +87,7 @@ This playbook can upgrade your existing Postgres setup with the following comman
 just run-tags upgrade-postgres
 ```
-**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 15 support yet.**
+**Warning: If you're using Borg Backup keep in mind that there is no official Postgres 16 support yet.**
 **The old Postgres data directory is backed up** automatically, by renaming it to `/matrix/postgres/data-auto-upgrade-backup`.
 To rename to a different path, pass some extra flags to the command above, like this: `--extra-vars="postgres_auto_upgrade_backup_data_path=/another/disk/matrix-postgres-before-upgrade"`
@ -106,63 +106,15 @@ Example: `--extra-vars="postgres_dump_name=matrix-postgres-dump.sql"`
 ## Tuning PostgreSQL
-PostgreSQL can be tuned to make it run faster. This is done by passing extra arguments to Postgres with the `devture_postgres_process_extra_arguments` variable. You should use a website like https://pgtune.leopard.in.ua/ or information from https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server to determine what Postgres settings you should change.
+PostgreSQL can be [tuned](https://wiki.postgresql.org/wiki/Tuning_Your_PostgreSQL_Server) to make it run faster. This is done by passing extra arguments to the Postgres process.
-**Note**: the configuration generator at https://pgtune.leopard.in.ua/ adds spaces around the `=` sign, which is invalid. You'll need to remove it manually (`max_connections = 300` -> `max_connections=300`)
+The [Postgres Ansible role](https://github.com/devture/com.devture.ansible.role.postgres) **already does some tuning by default**, which matches the [tuning logic](https://github.com/le0pard/pgtune/blob/master/src/features/configuration/configurationSlice.js) done by websites like https://pgtune.leopard.in.ua/.
 You can manually influence some of the tuning variables . These parameters (variables) are injected via the `devture_postgres_postgres_process_extra_arguments_auto` variable.
-### Here are some examples:
+Most users should be fine with the automatically-done tuning. However, you may wish to:
-These are not recommended values and they may not work well for you. This is just to give you an idea of some of the options that can be set. If you are an experienced PostgreSQL admin feel free to update this documentation with better examples.
+- **adjust the automatically-deterimned tuning parameters manually**: change the values for the tuning variables defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) (see `devture_postgres_max_connections`, `devture_postgres_data_storage` etc). These variables are ultimately passed to Postgres via a `devture_postgres_postgres_process_extra_arguments_auto` variable
-Here is an example config for a small 2 core server with 4GB of RAM and SSD storage:
+- **turn automatically-performed tuning off**: override it like this: `devture_postgres_postgres_process_extra_arguments_auto: []`
 ```
 devture_postgres_process_extra_arguments: [
  "-c shared_buffers=128MB",
  "-c effective_cache_size=2304MB",
  "-c effective_io_concurrency=100",
  "-c random_page_cost=2.0",
  "-c min_wal_size=500MB",
 ]
 ```
-Here is an example config for a 4 core server with 8GB of RAM on a Virtual Private Server (VPS); the paramters have been configured using https://pgtune.leopard.in.ua with the following setup: PostgreSQL version 12, OS Type: Linux, DB Type: Mixed type of application, Data Storage: SSD storage:
+- **add additional tuning parameters**: define your additional Postgres configuration parameters in `devture_postgres_postgres_process_extra_arguments_custom`. See `devture_postgres_postgres_process_extra_arguments_auto` defined in the Postgres role's [default configuration file](https://github.com/devture/com.devture.ansible.role.postgres/blob/main/defaults/main.yml) for inspiration
 ```
 devture_postgres_process_extra_arguments: [
  "-c max_connections=100",
  "-c shared_buffers=2GB",
  "-c effective_cache_size=6GB",
  "-c maintenance_work_mem=512MB",
  "-c checkpoint_completion_target=0.9",
  "-c wal_buffers=16MB",
  "-c default_statistics_target=100",
  "-c random_page_cost=1.1",
  "-c effective_io_concurrency=200",
  "-c work_mem=5242kB",
  "-c min_wal_size=1GB",
  "-c max_wal_size=4GB",
  "-c max_worker_processes=4",
  "-c max_parallel_workers_per_gather=2",
  "-c max_parallel_workers=4",
  "-c max_parallel_maintenance_workers=2",
 ]
 ```
 Here is an example config for a large 6 core server with 24GB of RAM:
 ```
 devture_postgres_process_extra_arguments: [
  "-c max_connections=40",
  "-c shared_buffers=1536MB",
  "-c checkpoint_completion_target=0.7",
  "-c wal_buffers=16MB",
  "-c default_statistics_target=100",
  "-c random_page_cost=1.1",
  "-c effective_io_concurrency=100",
  "-c work_mem=2621kB",
  "-c min_wal_size=1GB",
  "-c max_wal_size=4GB",
  "-c max_worker_processes=6",
  "-c max_parallel_workers_per_gather=3",
  "-c max_parallel_workers=6",
  "-c max_parallel_maintenance_workers=3",
 ]
 ```
--- a/docs/maintenance-synapse.md
+++ b/docs/maintenance-synapse.md
@ -72,8 +72,10 @@ You should then be able to browse the adminer database administration GUI at htt
 Synapse's presence feature which tracks which users are online and which are offline can use a lot of processing power. You can disable presence by adding `matrix_synapse_presence_enabled: false` to your `vars.yml` file.
 If you have enough compute resources (CPU & RAM), you can make Synapse better use of them by [enabling load-balancing with workers](configuring-playbook-synapse.md#load-balancing-with-workers).
 Tuning Synapse's cache factor can help reduce RAM usage. [See the upstream documentation](https://github.com/matrix-org/synapse#help-synapse-is-slow-and-eats-all-my-ram-cpu) for more information on what value to set the cache factor to. Use the variable `matrix_synapse_caches_global_factor` to set the cache factor.
-Tuning your PostgreSQL database will also make Synapse run significantly faster. See [maintenance-postgres.md##tuning-postgresql](maintenance-postgres.md##tuning-postgresql).
+[Tuning your PostgreSQL database](maintenance-postgres.md#tuning-postgresql) could also improve Synapse performance. The playbook tunes the integrated Postgres database automatically, but based on your needs you may wish to adjust tuning variables manually. If you're using an [external Postgres database](configuring-playbook-external-postgres.md), you will aslo need to tune Postgres manually.
 See also [How do I optimize this setup for a low-power server?](faq.md#how-do-i-optimize-this-setup-for-a-low-power-server).
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@ -18,6 +18,8 @@ If your distro runs within an [LXC container](https://linuxcontainers.org/), you
 - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`)
 - [sudo](https://www.sudo.ws/) being installed on the server, even when you've configured Ansible to log in as `root`. Some distributions, like a minimal Debian net install, do not include the `sudo` package by default.
 - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.
 - the [passlib](https://passlib.readthedocs.io/en/stable/index.html) Python library installed on the computer you run Ansible. On most distros, you need to install some `python-passlib` or `py3-passlib` package, etc.
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -21,7 +21,7 @@ Possibly outdated list of roles where self-building the Docker image is currentl
 - `matrix-corporal`
 - `matrix-dimension`
 - `matrix-ma1sd`
- `matrix-mailer`
+- `exim-relay`
 - `matrix-bridge-hookshot`
 - `matrix-bridge-appservice-irc`
 - `matrix-bridge-appservice-slack`
--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -37,6 +37,7 @@
 	# Keep some URIs free for different proxy/location
 	ProxyPassMatch ^/.well-known/matrix/client !
 	ProxyPassMatch ^/.well-known/matrix/server !
 	ProxyPassMatch ^/.well-known/matrix/support !
 	ProxyPassMatch ^/_matrix/identity !
 	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !
@ -46,11 +47,11 @@
 	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
 	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
 	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
-	
+
 	# Proxy Admin API (necessary for Synapse-Admin)
 	# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
 	# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
-	
+
 	# Proxy Synapse-Admin
 	# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
 	# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
@ -64,6 +65,7 @@
 		Header always set Content-Type "application/json"
 		Header always set Access-Control-Allow-Origin "*"
 	</Location>
 	# Map /.well-known/matrix/server for server discovery
 	Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
 	<Files "/matrix/static-files/.well-known/matrix/server">
@ -72,6 +74,16 @@
 	<Location "/.well-known/matrix/server">
 		Header always set Content-Type "application/json"
 	</Location>
 	# Map /.well-known/matrix/support for support discovery
 	Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
 	<Files "/matrix/static-files/.well-known/matrix/support">
 		Require all granted
 	</Files>
 	<Location "/.well-known/matrix/support">
 		Header always set Content-Type "application/json"
 	</Location>
 	<Directory /matrix/static-files/.well-known/matrix/>
 		AllowOverride All
 		# Apache 2.4:
--- a/examples/host.yml
+++ b/examples/host.yml
@ -1,6 +1,6 @@
 ---
-# This is a host file for usage with the `ansible-all-hosts.sh` script,
+# This is a host file for usage with the `../bin/ansible-all-hosts.sh` script,
 # which runs Ansible against a bunch of hosts, each with its own `sudo` password.
 matrix_servers:
  hosts:
--- a/examples/vars.yml
+++ b/examples/vars.yml
@ -41,3 +41,19 @@ devture_traefik_config_certificatesResolvers_acme_email: ''
 # The playbook creates additional Postgres users and databases (one for each enabled service)
 # using this superuser account.
 devture_postgres_connection_password: ''
 # By default, we configure Coturn's external IP address using the value specified for `ansible_host` in your `inventory/hosts` file.
 # If this value is an external IP address, you can skip this section.
 #
 # If `ansible_host` is not the server's external IP address, you have 2 choices:
 # 1. Uncomment the line below, to allow IP address auto-detection to happen (more on this below)
 # 2. Uncomment and adjust the line below to specify an IP address manually
 #
 # By default, auto-detection will be attempted using the `https://ifconfig.co/json` API.
 # Default values for this are specified in `matrix_coturn_turn_external_ip_address_auto_detection_*` variables in the Coturn role
 # (see `roles/custom/matrix-coturn/defaults/main.yml`).
 #
 # If your server has multiple IP addresses, you may define them in another variable which allows a list of addresses.
 # Example: `matrix_coturn_turn_external_ip_addresses: ['1.2.3.4', '4.5.6.7']`
 #
 # matrix_coturn_turn_external_ip_address: ''
--- a/gpg/open_vault.sh
+++ b/gpg/open_vault.sh
@ -0,0 +1,5 @@
 #!/bin/bash
 set -e -u
 gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null
--- a/gpg/vault_passphrase.gpg
+++ b/gpg/vault_passphrase.gpg
@ -0,0 +1,18 @@
 -----BEGIN PGP MESSAGE-----
 hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
 iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
 foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
 C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
 luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
 +rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
 RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
 4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
 0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
 eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
 ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
 jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
 anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
 yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
 =Cecg
 -----END PGP MESSAGE-----
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -31,6 +31,9 @@ matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_cert
 matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}"
 # A separate Matrix Federation entrypoint is always enabled, unless the federation port matches one of the ports for existing (default) entrypoints
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: "{{ matrix_federation_public_port not in [devture_traefik_config_entrypoint_web_port, devture_traefik_config_entrypoint_web_secure_port] }}"
 ########################################################################
 #                                                                      #
 # /Playbook                                                            #
@ -274,9 +277,7 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-mautrix-instagram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-instagram']}] if matrix_mautrix_instagram_enabled else [])
    +
-    ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else [])
+    ([{'name': 'matrix-mautrix-signal.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal']}] if matrix_mautrix_signal_enabled else [])
    +
    ([{'name': 'matrix-mautrix-signal-daemon.service', 'priority': 1900, 'groups': ['matrix', 'bridges', 'mautrix-signal', 'mautrix-signal-daemon']}] if matrix_mautrix_signal_enabled else [])
    +
    ([{'name': 'matrix-mautrix-telegram.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-telegram']}] if matrix_mautrix_telegram_enabled else [])
    +
@ -348,9 +349,9 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else [])
    +
-    ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else [])
+    ([{'name': (exim_relay_identifier ~ '.service'), 'priority': 2000, 'groups': ['matrix', 'mailer', 'exim-relay']}] if exim_relay_enabled else [])
    +
-    ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else [])
+    ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'nginx-proxy', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else [])
    +
    (matrix_ssl_renewal_systemd_units_list | selectattr('applicable') | selectattr('enableable') | list )
    +
@ -797,6 +798,8 @@ matrix_mautrix_discord_systemd_required_services_list: |
 matrix_mautrix_discord_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.as.tok', rounds=655555) | to_uuid }}"
 matrix_mautrix_discord_homeserver_public_address: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_server_fqn_matrix }}"
 matrix_mautrix_discord_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maudisc.hs.tok', rounds=655555) | to_uuid }}"
 matrix_mautrix_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
@ -1038,7 +1041,6 @@ matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_
 #
 ######################################################################
 ######################################################################
 #
 # matrix-bridge-mautrix-signal
@ -1048,6 +1050,8 @@ matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_homeserver_
 # We don't enable bridges by default.
 matrix_mautrix_signal_enabled: false
 matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 matrix_mautrix_signal_systemd_required_services_list: |
  {{
    ['docker.service']
@ -1057,8 +1061,6 @@ matrix_mautrix_signal_systemd_required_services_list: |
    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
    +
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
    +
    ['matrix-mautrix-signal-daemon.service']
  }}
 matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
@ -1077,13 +1079,10 @@ matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provi
 # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
 matrix_mautrix_signal_metrics_enabled: "{{ prometheus_enabled }}"
-matrix_mautrix_signal_database_engine: 'postgres'
+matrix_mautrix_signal_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_mautrix_signal_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mau.signal.db', rounds=655555) | to_uuid }}"
 matrix_mautrix_signal_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 matrix_mautrix_signal_daemon_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 ######################################################################
 #
 # /matrix-bridge-mautrix-signal
@ -1385,6 +1384,18 @@ matrix_hookshot_systemd_wanted_services_list: |
    (['matrix-' + matrix_homeserver_implementation + '.service'])
    +
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
    +
    ([(redis_identifier + '.service')] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else [])
  }}
 # Hookshot's experimental encryption feature (and possibly others) may benefit from Redis, if available.
 # We only connect to Redis if encryption is enabled (not for everyone who has Redis enabled),
 # because connectivity is still potentially troublesome and is to be investigated.
 matrix_hookshot_queue_host: "{{ redis_identifier if redis_enabled and matrix_hookshot_experimental_encryption_enabled else '' }}"
 matrix_hookshot_container_additional_networks_auto: |
  {{
    ([redis_container_network] if redis_enabled and matrix_hookshot_queue_host == redis_identifier else [])
  }}
 matrix_hookshot_container_http_host_bind_ports_defaultmapping:
@ -1673,11 +1684,16 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: |
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}
 matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 # Postgres is the default, except if not using internal Postgres server
 matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
 matrix_bot_matrix_reminder_bot_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'reminder.bot.db', rounds=655555) | to_uuid }}"
-matrix_bot_matrix_reminder_bot_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 matrix_bot_matrix_reminder_bot_allowlist_enabled: true
 matrix_bot_matrix_reminder_bot_allowlist_regexes_auto:
  - "@[a-z0-9-_.]+:{{ matrix_domain }}"
 ######################################################################
 #
@ -2101,7 +2117,7 @@ backup_borg_gid: "{{ matrix_user_gid }}"
 backup_borg_container_network: "{{ devture_postgres_container_network if devture_postgres_enabled else backup_borg_identifier }}"
-backup_borg_postgresql_version_detection_devture_postgres_role_name: "{{ 'galaxy/com.devture.ansible.role.postgres' if devture_postgres_enabled else '' }}"
+backup_borg_postgresql_version_detection_devture_postgres_role_name: "{{ 'galaxy/postgres' if devture_postgres_enabled else '' }}"
 backup_borg_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
@ -2148,7 +2164,7 @@ matrix_cactus_comments_enabled: false
 matrix_cactus_comments_as_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.as.token', rounds=655555) | to_uuid }}"
 matrix_cactus_comments_hs_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'cactus.hs.token', rounds=655555) | to_uuid }}"
-matrix_cactus_comments_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
+matrix_cactus_comments_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
 matrix_cactus_comments_systemd_required_services_list: |
  {{
    (['docker.service'])
@ -2182,6 +2198,20 @@ matrix_corporal_container_image_self_build: "{{ matrix_architecture not in ['amd
 matrix_corporal_container_http_gateway_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '41080') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_corporal_container_http_api_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '41081') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_corporal_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_corporal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_corporal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_corporal_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_corporal_container_additional_networks: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_corporal_container_network else [])
    ) | unique
  }}
 matrix_corporal_systemd_required_services_list: |
  {{
    (['docker.service'])
@ -2245,6 +2275,9 @@ matrix_coturn_enabled: true
 matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
 # We make the assumption that `ansible_host` points to an external IP address, which may not always be the case.
 # Users are free to set `matrix_coturn_turn_external_ip_address` to an empty string
 # to allow auto-detection (via an EchoIP service) to happen at runtime.
 matrix_coturn_turn_external_ip_address: "{{ ansible_host }}"
 matrix_coturn_turn_static_auth_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'coturn.sas', rounds=655555) | to_uuid }}"
@ -2488,6 +2521,8 @@ jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
 jitsi_uid: "{{ matrix_user_uid }}"
 jitsi_gid: "{{ matrix_user_gid }}"
 jitsi_user_username: "{{ matrix_user_username }}"
 # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # the Jitsi HTTP port to the local host.
@ -2548,6 +2583,7 @@ jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
 jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
 # Allow verification using JWT and matrix-UVS
 jitsi_prosody_auth_matrix_uvs_sync_power_levels: "{{ matrix_user_verification_service_enabled }}"
 jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
 jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"
@ -2579,24 +2615,36 @@ matrix_ldap_registration_proxy_enabled: false
 #
 ######################################################################
 ######################################################################
 #
 # matrix-mailer
 #
 ######################################################################
-# By default, this playbook sets up an exim mailer server (running in a container).
+########################################################################
-# This is so that Synapse can send email reminders for unread messages.
+#                                                                      #
-# Other services (like ma1sd), also use the mailer.
+# exim-relay                                                           #
-matrix_mailer_enabled: true
+#                                                                      #
 ########################################################################
-matrix_mailer_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
+# We set up an Exim email relay by default.
 # This is so that the homeserver and various other services can send emails through it.
 # To completely disable this service, use: `exim_relay_enabled: false`
 exim_relay_identifier: "matrix-exim-relay"
 exim_relay_base_path: "{{ matrix_base_data_path }}/exim-relay"
 exim_relay_uid: "{{ matrix_user_uid }}"
 exim_relay_gid: "{{ matrix_user_gid }}"
 exim_relay_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
 exim_relay_hostname: "{{ matrix_server_fqn_matrix }}"
 exim_relay_sender_address: "matrix@{{ matrix_domain }}"
 ########################################################################
 #                                                                      #
 # /exim-relay                                                          #
 #                                                                      #
 ########################################################################
 ######################################################################
 #
 # /matrix-mailer
 #
 ######################################################################
 ######################################################################
 #
@ -2622,6 +2670,12 @@ matrix_ma1sd_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
 # ma1sd's web-server port.
 matrix_ma1sd_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '' ~ matrix_ma1sd_container_port | string) if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_ma1sd_container_additional_networks: |
 {{
  (
    ([exim_relay_container_network] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier and matrix_ma1sd_container_network != exim_relay_container_network) else [])
  ) | unique
 }}
 # We enable Synapse integration via its Postgres database by default.
 # When using another Identity store, you might wish to disable this and define
@ -2636,26 +2690,24 @@ matrix_ma1sd_dns_overwrite_homeserver_client_name: "{{ matrix_server_fqn_matrix
 # but may be inaccurate if matrix-corporal is enabled.
 matrix_ma1sd_dns_overwrite_homeserver_client_value: "{{ matrix_homeserver_container_url }}"
-# By default, we send mail through the `matrix-mailer` service.
+# By default, we send mail through the exim relay service.
-matrix_ma1sd_threepid_medium_email_identity_from: "{{ matrix_mailer_sender_address }}"
+matrix_ma1sd_threepid_medium_email_identity_from: "{{ exim_relay_sender_address }}"
-matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "matrix-mailer"
+matrix_ma1sd_threepid_medium_email_connectors_smtp_host: "{{ exim_relay_identifier }}"
 matrix_ma1sd_threepid_medium_email_connectors_smtp_port: 8025
 matrix_ma1sd_threepid_medium_email_connectors_smtp_tls: 0
 matrix_ma1sd_self_check_validate_certificates: "{{ false if matrix_playbook_ssl_retrieval_method == 'self-signed' else true }}"
-matrix_ma1sd_systemd_required_services_list: |
+matrix_ma1sd_systemd_required_services_list_auto: |
  {{
-    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+    ([devture_postgres_identifier ~ '.service'] if (devture_postgres_enabled and matrix_ma1sd_database_hostname == devture_postgres_connection_hostname) else [])
  }}
-matrix_ma1sd_systemd_wanted_services_list: |
+matrix_ma1sd_systemd_wanted_services_list_auto: |
  {{
    (['matrix-corporal.service'] if matrix_corporal_enabled else ['matrix-' + matrix_homeserver_implementation + '.service'])
    +
-    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+    ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_ma1sd_threepid_medium_email_connectors_smtp_host == exim_relay_identifier) else [])
    +
    (['matrix-mailer.service'] if matrix_mailer_enabled else [])
  }}
 # Postgres is the default, except if not using internal Postgres server
@ -2676,9 +2728,19 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr
 ######################################################################
 matrix_media_repo_enabled: false
 matrix_media_repo_container_network: "{{ matrix_docker_network }}"
-matrix_media_repo_container_labels_traefik_enabled: false
+matrix_media_repo_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else matrix_media_repo_identifier }}"
 matrix_media_repo_container_additional_networks: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_media_repo_container_network else [])
    ) | unique
  }}
 matrix_media_repo_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_media_repo_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
@ -2695,6 +2757,27 @@ matrix_media_repo_systemd_required_services_list: |
    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else [])
  }}
 # Auto configured server setup by the playbook
 matrix_media_repo_homeservers_auto:
  -  # Keep the dash from this line.
    # This should match the server_name of your homeserver, and the Host header
    # provided to the media repo.
    name: "{{ matrix_domain }}"
    # The base URL to where the homeserver can actually be reached by MMR.
    csApi: "http://{{ matrix_nginx_proxy_proxy_matrix_client_api_addr_with_container }}"
    # The number of consecutive failures in calling this homeserver before the
    # media repository will start backing off. This defaults to 10 if not given.
    backoffAt: 10
    # The admin API interface supported by the homeserver. MMR uses a subset of the admin API
    # during certain operations, like attempting to purge media from a room or validating server
    # admin status. This should be set to one of "synapse", "dendrite", or "matrix". When set
    # to "matrix", most functionality requiring the admin API will not work.
    adminApiKind: "{{ 'synapse' if matrix_homeserver_implementation == 'synapse' else ('dendrite' if matrix_homeserver_implementation == 'dendrite' else 'matrix') }}"
 ######################################################################
 #
 # /matrix-media-repo
@ -2775,7 +2858,7 @@ matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefi
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
-matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
+matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_with_container: "matrix-corporal:41081"
 matrix_nginx_proxy_proxy_matrix_corporal_api_addr_sans_container: "127.0.0.1:41081"
@ -2783,6 +2866,8 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"
 # NOTE: we cannot disable this, even though matrix-media-repo is already natively exposed at the Traefik level.
 # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3045#issuecomment-1867327001
 matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
 matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}"
 matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}"
@ -2961,6 +3046,8 @@ devture_postgres_db_name: matrix
 devture_postgres_systemd_services_to_stop_for_maintenance_list_auto: "{{ devture_systemd_service_manager_services_list_auto | map(attribute='name') | reject('equalto', (devture_postgres_identifier + '.service')) }}"
 devture_postgres_max_connections: "{{ 500 if matrix_synapse_workers_enabled else 200 }}"
 devture_postgres_managed_databases_auto: |
  {{
    ([{
@ -3264,6 +3351,7 @@ devture_postgres_backup_connection_username: "{{ devture_postgres_connection_use
 devture_postgres_backup_connection_password: "{{ devture_postgres_connection_password if devture_postgres_enabled else '' }}"
 devture_postgres_backup_postgres_data_path: "{{ devture_postgres_data_path if devture_postgres_enabled else '' }}"
 devture_postgres_backup_postgres_role_include_name: galaxy/postgres
 devture_postgres_backup_databases: "{{ devture_postgres_managed_databases | map(attribute='name') if devture_postgres_enabled else [] }}"
@ -3350,7 +3438,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 #
 ######################################################################
-redis_enabled: "{{ matrix_synapse_workers_enabled }}"
+redis_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_experimental_encryption_enabled) }}"
 redis_identifier: matrix-redis
@ -3571,7 +3659,11 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ (matrix_playbook_servic
 matrix_synapse_container_additional_networks: |
  {{
-    ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else [])
+    (
      ([redis_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == redis_identifier else [])
      +
      ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
    ) | unique
  }}
 # For exposing the Synapse worker (and metrics) ports to the local host.
@ -3593,11 +3685,11 @@ matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_
 # If someone instals Prometheus via the playbook, they most likely wish to monitor Synapse.
 matrix_synapse_metrics_enabled: "{{ prometheus_enabled }}"
-matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
+matrix_synapse_email_enabled: "{{ exim_relay_enabled }}"
-matrix_synapse_email_smtp_host: "matrix-mailer"
+matrix_synapse_email_smtp_host: "{{ exim_relay_identifier }}"
 matrix_synapse_email_smtp_port: 8025
 matrix_synapse_email_smtp_require_transport_security: false
-matrix_synapse_email_notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
+matrix_synapse_email_notif_from: "Matrix <{{ exim_relay_sender_address }}>"
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
@ -3639,7 +3731,7 @@ matrix_synapse_systemd_wanted_services_list: |
  {{
    (['matrix-coturn.service'] if matrix_coturn_enabled else [])
    +
-    (['matrix-mailer.service'] if matrix_mailer_enabled else [])
+    ([exim_relay_identifier ~ '.service'] if exim_relay_enabled else [])
  }}
 # Synapse workers (used for parallel load-scaling) need Redis for IPC.
@ -3775,9 +3867,7 @@ prometheus_node_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-node
 prometheus_node_exporter_uid: "{{ matrix_user_uid }}"
 prometheus_node_exporter_gid: "{{ matrix_user_gid }}"
-# _server_fqn is the old var, _hostname - the new one. Seamless migration
+prometheus_node_exporter_hostname: "{{ matrix_server_fqn_matrix }}"
 prometheus_node_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
 prometheus_node_exporter_hostname: "{{ prometheus_node_exporter_server_fqn }}"
 prometheus_node_exporter_container_network: "{{ matrix_docker_network }}"
@ -3810,7 +3900,7 @@ prometheus_postgres_exporter_base_path: "{{ matrix_base_data_path }}/prometheus-
 prometheus_postgres_exporter_uid: "{{ matrix_user_uid }}"
 prometheus_postgres_exporter_gid: "{{ matrix_user_gid }}"
-prometheus_postgres_exporter_server_fqn: "{{ matrix_server_fqn_matrix }}"
+prometheus_postgres_exporter_hostname: "{{ matrix_server_fqn_matrix }}"
 prometheus_postgres_exporter_container_network: "{{ matrix_docker_network }}"
@ -4231,6 +4321,29 @@ matrix_dendrite_app_service_config_files_auto: "{{ matrix_homeserver_app_service
 matrix_conduit_enabled: "{{ matrix_homeserver_implementation == 'conduit' }}"
 # Even if TURN doesn't support TLS (it does by default),
 # it doesn't hurt to try a secure connection anyway.
 #
 # When Let's Encrypt certificates are used (the default case),
 # we don't enable `turns` endpoints, because WebRTC in Element can't talk to them.
 # Learn more here: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1145
 matrix_conduit_turn_uris: |
  {{
    []
    +
    [
      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
    ] if matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_playbook_ssl_retrieval_method != 'lets-encrypt' else []
    +
    [
      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
    ] if matrix_coturn_enabled else []
  }}
 matrix_conduit_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if matrix_coturn_enabled else '' }}"
 matrix_conduit_systemd_required_services_list: |
  {{
    (['docker.service'])
@ -4257,6 +4370,12 @@ matrix_user_creator_users_auto: |
      'initial_type': 'admin',
    }] if matrix_bot_matrix_registration_bot_enabled else [])
    +
    ([{
      'username': matrix_bot_chatgpt_matrix_bot_username_localpart,
      'initial_password': matrix_bot_chatgpt_matrix_bot_password,
      'initial_type': 'bot',
    }] if matrix_bot_chatgpt_enabled and matrix_bot_chatgpt_matrix_bot_password | length > 0 else [])
    +
    ([{
      'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart,
      'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password,
@ -4295,9 +4414,6 @@ matrix_user_creator_users_auto: |
 #
 ######################################################################
 ## FIXME: Needs to be updated when there is a proper release by upstream.
 matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270"
 matrix_user_verification_service_enabled: false
 matrix_user_verification_service_systemd_required_services_list: |
  {{
@ -4376,22 +4492,16 @@ devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik"
 devture_traefik_uid: "{{ matrix_user_uid }}"
 devture_traefik_gid: "{{ matrix_user_gid }}"
 devture_traefik_federation_entrypoint:
  name: matrix-federation
  port: "{{ matrix_federation_public_port }}"
  host_bind_port: "{{ matrix_federation_public_port }}"
  config: {}
 devture_traefik_additional_entrypoints_auto: |
  {{
-    ([devture_traefik_federation_entrypoint] if (matrix_federation_public_port != devture_traefik_config_entrypoint_web_port) and (matrix_federation_public_port != devture_traefik_config_entrypoint_web_secure_port) else [])
+    ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])
  }}
 devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
 devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
-devture_traefik_container_additional_networks: |
+devture_traefik_container_additional_networks_auto: |
  {{
    ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
  }}
--- a/inventory/.gitkeep
+++ b/inventory/.gitkeep
--- a/inventory/host_vars/.gitkeep
+++ b/inventory/host_vars/.gitkeep
--- a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml
+++ b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml
@ -0,0 +1,411 @@
 #
 # General config
 # Domain of the matrix server and SSL config
 #
 matrix_domain: finallycoffee.eu
 matrix_ssl_retrieval_method: none
 matrix_nginx_proxy_enabled: true
 matrix_nginx_proxy_https_enabled: false
 matrix_nginx_proxy_container_http_host_bind_port: "127.0.10.1:8080"
 matrix_nginx_proxy_container_federation_host_bind_port: "127.0.10.1:8448"
 matrix_nginx_proxy_trust_forwarded_proto: true
 matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
 #matrix_nginx_proxy_proxy_synapse_metrics: true
 matrix_nginx_proxy_proxy_matrix_metrics_enabled: true
 matrix_synapse_metrics_enabled: true
 matrix_synapse_metrics_proxying_enabled: true
 matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
 matrix_server_fqn_element: "chat.{{ matrix_domain }}"
 matrix_playbook_docker_installation_enabled: false
 #matrix_client_element_version: v1.8.4
 #matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
 #matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.77.0"
 #matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.11/site-packages"
 #matrix_synapse_default_room_version: "10"
 #matrix_mautrix_telegram_version: v0.10.0
 matrix_dimension_scheme: https
 devture_timesync_installation_enabled: false
 matrix_playbook_reverse_proxy_type: playbook-managed-nginx
 # per https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#adapting-the-configuration-for-existing-synapse-installations
 #matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"
 matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
 devture_systemd_service_manager_up_verification_delay_seconds: 120
 web_user: "web"
 revproxy_autoload_dir: "/vault/services/web/sites.d"
 postgres_dump_dir: /vault/temp
 #
 # General Synapse config
 #
 #matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
 devture_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
 # A secret used to protect access keys issued by the server.
 # matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
 # Make synapse accept larger media aswell
 matrix_synapse_max_upload_size_mb: 200
 # Enable metrics at (default) :9100/_synapse/metrics
 matrix_synapse_metrics_enabled: true
 matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
 matrix_synapse_turn_uris:
  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
 # Auto-join all users into those rooms
 matrix_synapse_auto_join_rooms:
  - "#welcome:finallycoffee.eu"
  - "#announcements:finallycoffee.eu"
 ## Synapse rate limits
 matrix_synapse_rc_federation:
  window_size: 1000
  sleep_limit: 50
  sleep_delay: 500
  reject_limit: 50
  concurrent: 10
 matrix_synapse_rc_message:
  per_second: 0.5
  burst_count: 25
 matrix_synapse_rc_joins:
  local:
    per_second: 0.5
    burst_count: 20
  remote:
    per_second: 0.05
    burst_count: 20
 matrix_synapse_rc_joins_per_room:
  per_second: 1
  burst_count: 10
 matrix_synapse_rc_invites:
  per_room:
    per_second: 0.5
    burst_count: 10
  per_user:
    per_second: 0.006
    burst_count: 10
  per_issuer:
    per_second: 2
    burst_count: 20
 ## Synapse cache tuning
 matrix_synapse_caches_global_factor: 1.5
 matrix_synapse_event_cache_size: "300K"
 ## Synapse workers
 matrix_synapse_workers_enabled: true
 matrix_synapse_workers_preset: "little-federation-helper"
 matrix_synapse_workers_generic_workers_count: 1
 matrix_synapse_workers_media_repository_workers_count: 2
 matrix_synapse_workers_federation_sender_workers_count: 2
 matrix_synapse_workers_pusher_workers_count: 1
 matrix_synapse_workers_appservice_workers_count: 1
 # Static secret auth for matrix-synapse-shared-secret-auth
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
 matrix_synapse_ext_password_provider_rest_auth_enabled: true
 matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
 matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
 matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
 matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
 # Enable experimental spaces support
 matrix_synapse_configuration_extension_yaml: |
  database:
    args:
      cp_max: 20
  experimental_features:
    spaces_enabled: true
  caches:
    per_cache_factors:
      device_id_exists: 3
      get_users_in_room: 4
      _get_joined_users_from_context: 4
      _get_joined_profile_from_event_id: 3
      "*stateGroupMembersCache*": 2
      _matches_user_in_member_list: 3
      get_users_who_share_room_with_user: 3
      is_interested_in_room: 2
      get_user_by_id: 1.5
      room_push_rule_cache: 1.5
    expire_caches: true
    cache_entry_ttl: 45m
    sync_response_cache_duration: 2m
 #
 # synapse-admin tool
 #
 matrix_synapse_admin_enabled: true
 matrix_synapse_admin_container_http_host_bind_port: 8985
 #
 # VoIP / CoTURN config
 #
 # A shared secret (between Synapse and Coturn) used for authentication.
 matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
 # Disable coturn, as we use own instance
 matrix_coturn_enabled: false
 #
 # dimension (integration manager) config
 #
 matrix_dimension_enabled: true
 matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
 matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
 matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
 matrix_dimension_configuration_extension_yaml: |
    telegram:
        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
 #
 # mautrix-whatsapp config
 #
 matrix_mautrix_whatsapp_enabled: true
 matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
 matrix_mautrix_whatsapp_bridge_mute_bridging: true
 matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
 matrix_mautrix_whatsapp_bridge_allow_user_invite: true
 matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
 matrix_mautrix_whatsapp_container_extra_arguments:
  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
 matrix_mautrix_whatsapp_configuration_extension_yaml: |
    bridge:
        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
        max_connection_attempts: 5
        connection_timeout: 30
        contact_wait_delay: 5
        private_chat_portal_meta: true
        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
    logging:
        print_level: info
    metrics:
        enabled: true
        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
    whatsapp:
        os_name: Linux mautrix-whatsapp
        browser_name: Chrome
 #
 # mautrix-telegram config
 #
 matrix_mautrix_telegram_enabled: true
 matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
 matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
 matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
 matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
 matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
 matrix_mautrix_telegram_container_extra_arguments:
  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
 matrix_mautrix_telegram_configuration_extension_yaml: |
    bridge:
        displayname_template: "{displayname} (via Telegram)"
        parallel_file_transfer: false
        inline_images: false
        image_as_file_size: 20
        delivery_receipts: true
        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
        animated_sticker:
            target: webm
        encryption:
            allow: true
            default: true
        permissions:
            "@transcaffeine:finallycoffee.eu": "admin"
            "gruenhage.xyz": "full"
            "boobies.software": "full"
    logging:
        root:
            level: INFO
    metrics:
        enabled: true
        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
 #        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
 #
 # mautrix-signal config
 #
 matrix_mautrix_signal_enabled: true
 matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
 matrix_mautrix_signal_container_extra_arguments:
    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
 matrix_mautrix_signal_configuration_extension_yaml: |
    bridge:
        displayname_template: "{displayname} (via Signal)"
        community_id: "+signal:finallycoffee.eu"
        encryption:
            allow: true
            default: true
            key_sharing:
                allow: true
                require_verification: false
        delivery_receipts: true
        permissions:
          "@ilosai:fairydust.space": "user"
    logging:
        root:
            level: INFO
    metrics:
        enabled: true
        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
 #
 # mx-puppet-instagram configuration
 #
 matrix_mx_puppet_instagram_enabled: true
 matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
 matrix_mx_puppet_instagram_container_extra_arguments:
  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
 matrix_mx_puppet_instagram_configuration_extension_yaml: |
    bridge:
        enableGroupSync: true
        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
    metrics:
        enabled: true
        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
        path: /metrics
    presence:
        enabled: true
        interval: 3000
 #
 # mx-puppet-skype configuration
 #
 #matrix_mx_puppet_skype_enabled: false
 matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
 # matrix_mx_puppet_skype_container_extra_arguments:
 #   - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
 # matrix_mx_puppet_skype_configuration_extension_yaml: |
 #     bridge:
 #         enableGroupSync: true
 #         avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
 #     metrics:
 #         enabled: true
 #         port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
 #         path: /metrics
 #
 # mx-puppet-discord configuration
 #
 matrix_mx_puppet_discord_enabled: false
 matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
 matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
 matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
 matrix_mx_puppet_discord_container_extra_arguments:
  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
 matrix_mx_puppet_discord_configuration_extension_yaml: |
    bridge:
        enableGroupSync: true
        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
    metrics:
        enabled: true
        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
        path: /metrics
    limits:
        maxAutojoinUsers: 500
        roomUserAutojoinDelay: 50
    presence:
        enabled: true
        interval: 3000
 #
 # mx-puppet-slack configuration
 #
 matrix_mx_puppet_slack_enabled: true
 matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
 matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
 matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
 matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
 matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
 matrix_mx_puppet_slack_container_extra_arguments:
  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
 matrix_mx_puppet_slack_configuration_extension_yaml: |
    bridge:
        enableGroupSync: true
    metrics:
        enabled: true
        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
        path: /metrics
    limits:
        maxAutojoinUsers: 500
        roomUserAutojoinDelay: 50
    presence:
        enabled: true
        interval: 3000
 #
 # Element web configuration
 #
 # Branding config
 matrix_client_element_brand: "Chat"
 matrix_client_element_default_theme: "dark"
 matrix_client_element_themes_enabled: true
 matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
 matrix_client_element_welcome_text: |
    Decentralised, encrypted chat &amp; collaboration,<br />
    hosted on finallycoffee.eu, powered by element.io &amp;
    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
    </a>
 matrix_client_element_welcome_logo: "welcome/images/logo.png"
 matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
 matrix_client_element_branding_auth_header_logo_url: "welcome/images/logo.png"
 matrix_client_element_branding_welcome_background_url: "welcome/images/background.jpg"
 matrix_client_element_container_extra_arguments:
  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcome_background_url }}:ro"
  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_auth_header_logo_url }}:ro"
 # Integration and capabilites config
 matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
 matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
 matrix_client_element_integrations_widgets_urls:
  - "https://{{ matrix_server_fqn_dimension }}/widgets"
  - "https://scalar.vector.im/api"
 matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
 matrix_client_element_disable_custom_urls: false
 matrix_client_element_room_directory_servers:
  - "matrix.org"
  - "finallycoffee.eu"
  - "entropia.de"
 matrix_client_element_enable_presence_by_hs_url:
  https://matrix.org: false
 # Matrix ma1sd extended configuration
 matrix_ma1sd_configuration_extension_yaml: |
    hashing:
      enabled: true
      pepperLength: 20
      rotationPolicy: per_requests
      requests: 10
      hashStorageType: sql
      algorithms:
          - none
          - sha256
 # Matrix mail notification relay setup
 matrix_mailer_enabled: true
 matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
 matrix_mailer_relay_use: true
 matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
 matrix_mailer_relay_host_port: 587
 matrix_mailer_relay_auth: true
 matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
 matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"
--- a/inventory/host_vars/matrix.finallycoffee.eu/vault.yml
+++ b/inventory/host_vars/matrix.finallycoffee.eu/vault.yml
@ -0,0 +1,100 @@
 $ANSIBLE_VAULT;1.1;AES256
 39366364363633336238333130353832663162393038633665396333343732353964333363666539
 6562346632343235623835643735386434316666393234360a383634616537393134613631383836
 61333835363666623033306166376232303930306433343366373463653234623736643633383734
 3330333665383539650a383132353032386230393031626361343764323034386230363066306331
 34646236336262623435633566363033613737373064616266336237343233663066396163373034
 62303765353066653737366539626461636531636438323932333134363136363134646164646531
 63656638666233313437663261396665653736373164323433306435323336633938313164646264
 33653661633965363833393031616463633761356234633630643562306366653133366637346166
 38636433343736343461613731623538633361363934343764326466313261353633646230353065
 37366134303164356433333961346663313963626165323966656536313532376162326565383539
 65363333633964323838663461373666353665643236623839646664653661613838353239613137
 39353061323131306365656261343630313665356165623064616436653566373663343733316237
 34393666383465323463313838393465643830373632373938633763666636346539666233303265
 38353337633833373331356663633936326334366337393135653030333531613565643666633038
 64393862303765366632393137313432376563353335353231323464633637343334346634306534
 35613330373336633031376263306466306437656635396133613335386130346163663438386136
 61646437343938663431343736363564376238316666373531616231366132643864346538363866
 35396433366137356162313963666134383134306462313336613735386639363936326131383939
 66623833643433663039623837623133303336666233623935313438366136353332313165333936
 31386632336535383533646639636164313331346630633366383739623261366465656632393062
 63373332623738303364623437666531396331646666336230353333366261653438363861656466
 39333762633037383336393164616563396564383232636533363864636230616664303330323932
 66666234633362346132303932643464366466323535303835363430333737666661373534333934
 61393362616438626636383564613335363634626231663234616438343464383461303632363033
 39336362396339316661323662393665383031643931626333646335643335353661653939363538
 38666561313539613566386132336630643237333432656236356132616230663561343665353938
 33366663353834356434366335373265373439363430636533303933656264366338623232613435
 35356662383232386137313064313363303861326635333435393737643663336534363234623430
 32376432353330613666396337303935376366613564353039396164383361616337656535346166
 34396635356266326461613135303639643935363261396363636338636564643838313262326266
 31663139343336376233303637373864363835313839326433656235616332333134306139623239
 37636639356263646437373362333931613262363363313462666534643765313139386461623731
 33376635653133353033333733613464396632636634313063326363313030376632643863336237
 61636638353237313764313435626463633964643665313536326235343639663137373436303564
 30636232626137376339303238653664346538356430306238633037366332316263623666373062
 63646533646131303466653637346463613237323161313265613834383634626237323563653733
 38656435303264346663663465333966376631666530333833353233376263336436613065366362
 36366263343438393132326661623031316663663231663464383732343064383234616636306530
 66613634626362316533303034393063666632343262613431613635663866636433623535363238
 30643933613731363236346234336662613633323831633437613435326465383530653765616262
 63373538396364316563343365303134373466663639386137663564356532353531343636613135
 63316463353264316164306566326462333732316431643939626161346530636638636662303037
 34346461313961613063336332333934383363373335616636363661396362613661383762663866
 64303834636264376461396266663763336665356561376161333136336638646363313133353161
 31643061623833623239373432633537663664636334623534326639616633616361333834366131
 30376361656238353332656666316637643133623433333861653265636266376639666135383638
 37363337326231656530363536393737383565666266306532626361633633353539363866376534
 61303737326632303762626666306134343837376566343035386663613336626332383035383035
 37633462373066373062313862323766316362393832666466396637363562353865303366323062
 39346332383966313437646138623364656234663066663639663138626163656433363038323166
 65613862386665643438323061323763306635666162303366323131363436633335356332393366
 63373966383132303434633835333438333337303664346335643066623839343835643364306561
 34643336346564363462396330643263653931376664386335313433376332653832323437376135
 35383231386133363236653334393433306638303131323064343931623538323130343666653061
 36353536383632333964343730346265626433303131346531303133663832363036333261386237
 30363361356265356139323761623563396565336137333733656431636531333234323061343862
 33623935346663333735613661363234646234356331323636386637343661373363363261646231
 33643233343235323230393933616664623166666266333862323631653835666135303233653635
 63373061656163353762636531613632366638383366303864343132376162643963366564363563
 61336338613935613532636165383463633866633036393533313433643562313737383431353163
 37623165373933376236393931363939633963666636303136373065376635623761346537643530
 35363464313630376233633863306238616138666464316534363332333937343362343233346431
 34643032323934353939666364323239653932363735373061633434653062326336353239633261
 38306237336266663038656534393664646138343038323335633064616431386666613739326630
 34383963666534313530376331366238343836303036306336343533666332386163643033643138
 33336333333338353733383165306139623964303035653439623131633566356136386431613135
 63616462386639303230343866346631346532353531373132613433363239646330653666633532
 65393766333238383531313132633537633833363335303630376239396565373730646331313633
 30383861303739343265623934643635633361623262356433323035393062353630346430646262
 63303434353038646361353661616339313937323336303566303536366163623362356332383862
 37326333393761633732653264646333653439363039323238383361336233323232613336303464
 34393635633131313135313665363161306466643364393734346264633030373234306466653862
 32336163666435636162343465386633653863363533616339636531306130383331376563393533
 65366136626662343065383164646665613035393636373565346235656439303933343563366339
 36643838393033353033396535613331303031646162316361613564323163633434633861356135
 62343461616335323565636633383962316531316362396165366533346166336163623232366261
 39376230376562626135346333326437373733373266393236383435343562653034313133376236
 61666138346562613330633630373837653465393233613261353937336666646231366666393335
 35393463333936323664323831396639333462626238613164616435363664643438653763623431
 32663237363134353061373563396535653565636431366565386337653863316333343738343432
 62303132636338303462313439376535363063333833363632613832303436353834376561333330
 66633632383135646263626333643230343630326539663762633934316261633062663732373932
 30306438386263626335373838343236643562326135663366353638353163346365396261313133
 36333634306133353235316237343738623263333732343063356238333162323931346664346539
 66323733643061386334306130633537353630663336313966663538373963313435666564316539
 63613030366332363432303036396232306537663765653938353736376135316539613135623632
 66356639623635663365323635646635383638346539323438336261393332373935383536333831
 61306639343061333639336162366536366438356166396266666132303932333037613632623666
 63616662343830303664353931306632323630316162643432653835313962633735626163366332
 34373637633066333432383533316363613031393963373963386161663430623533383165653561
 38343439633066366663643138326264653539336530393932386236366533663935353664343966
 39323161646231353234633961633732613065323039663062313661386565366534623430356632
 64343732336238393262363338363734643639353830646163343361653761633134303163616562
 35633436393832393137383534613031303963613339333566343065336530623964636662353065
 32366630353538383339346465376661323666333234373665613164633866363364613066643034
 37616630366232353166366535633936366536626462353831643335306337353564316461653564
 66663133373466333431336366346435623436656230376232613665633466333463636263373464
 30386434336538303061666566383033616563303564666362346432663130306531613063363537
 646635613236636563666161666630653836
--- a/inventory/hosts
+++ b/inventory/hosts
@ -0,0 +1,24 @@
 $ANSIBLE_VAULT;1.1;AES256
 34373565633762393838366465623964356238366661386638373937363563613036646662333330
 3436326333353462346464656136363131376565386433620a613965643930313137353134616134
 39656164373331383333613630323531646132626263626661313735313136326132343866313733
 3737323866333566320a376564393337306438636261393535623435326139393830613765646630
 63363538343963636231623031346539363937383363376133333562376339343361303337343133
 39323431653963613134376465333762653038393839313137323832313633343639623665393263
 34623034353564613665333037366231613261343336613730666130396437363332373463313137
 39326237626130323336626265653431383332303065323536316634353735313565633862633937
 65303032306434663962653866366538636133623530343836633233636664386230366165356462
 35623536356462623261666533626436613465346461313733356531386338626263376561363131
 30373534653437363165623138656636323638393734323836396536336364376131333066343432
 38653564623432623461353266623263643430383965373138663361646665616566613337663837
 63343766303936383330643561356233333961303436656564363061393136356163393463383033
 66343034633230373362343332613338646537353934373264633965636431373630326632356535
 36393363356261616234386266333462373065646436653430653561366330353732616135346165
 30306164633666666339336261306264306133616263623430376536346364306336373332326463
 37333735376365373536613734653961326434653665356436323635373863636266663130303431
 39396534633064383566306133363431323537313639383464303433373761363333303936626366
 37383637336631663931303265393562356336623861613161663738393038353263616662633634
 37373932306261666531303265646365323464363930313238343537343433636639383764343139
 35303831646166376365363536656239346630346561356464653362363637306234353761653432
 61323865663266613433343639343762363437333562346633396462623436346364363033383739
 646230333738313565356339346435656331
--- a/requirements.yml
+++ b/requirements.yml
@ -1,53 +1,74 @@
 ---
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
-  version: v1.0.0-1
+  version: v1.0.0-3
  name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.5-1.8.2-1
+  version: v1.2.7-1.8.6-0
  name: backup_borg
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
-  version: v0.1.1-2
+  version: v0.1.1-3
  name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
  version: 7.0.2
  name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
  version: 129c8590e106b83e6f4c259649a613c6279e937a
- src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
+  name: docker_sdk_for_python
  version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
  version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
  version: v16.0-5
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
  version: a0cc7c1c696872ba8880d9c5e5a54098de825030
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
  version: v1.0.0-1
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: v2.10.4-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
-  version: v1.9.3-0
+  version: v1.9.6-0
- src: git+https://github.com/geerlingguy/ansible-role-docker
+  name: etherpad
-  version: 7.0.1
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  name: geerlingguy.docker
+  version: v4.97-r0-0-1
  name: exim_relay
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v10.1.4-0
+  version: v10.2.3-0
  name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v8960-1
+  version: v9111-1
  name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
-  version: v2.7.0-2
+  version: v2.8.0-1
  name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
  name: playbook_help
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
  version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
  name: playbook_runtime_messages
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
  name: playbook_state_preserver
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
  version: v16.1-4
  name: postgres
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
  version: 7eadc992ca952fc29bf3fab5aa6335fa82ff01e5
  name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v2.47.0-0
+  version: v2.48.1-0
  name: prometheus
- src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
+- src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.6.1-0
+  version: v1.7.0-2
  name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.14.0-0
+  version: v0.14.0-3
  name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
-  version: v7.2.0-0
+  version: v7.2.3-2
  name: redis
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.0.0-2
  name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
  version: v1.0.0-3
  name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
  name: timesync
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
  version: v2.10.7-0
  name: traefik
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.3-1
  name: traefik_certs_dumper
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@ -108,6 +108,7 @@ matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
 matrix_federation_public_port: 8448
 # The name of the Traefik entrypoint for handling Matrix Federation
 # Also see the `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_*` variables.
 matrix_federation_traefik_entrypoint: matrix-federation
 # The architecture that your server runs.
@ -169,22 +170,22 @@ matrix_integration_manager_ui_url: ~
 # The domain name where a Jitsi server is self-hosted.
 # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
-# See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
+# See: https://github.com/element-hq/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
 matrix_client_element_jitsi_preferred_domain: ''  # noqa var-naming
 # Controls whether Element should use End-to-End Encryption by default.
 # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
-# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
+# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_well_known_matrix_client_io_element_e2ee_default: true
 # Controls whether Element should require a secure backup set up before Element can be used.
 # Setting this to true will update `/.well-known/matrix/client` and tell Element require a secure backup.
-# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
+# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_well_known_matrix_client_io_element_e2ee_secure_backup_required: false
 # Controls which backup methods from ["key", "passphrase"] should be used, both is the default.
 # Setting this to other then empty will update `/.well-known/matrix/client` and tell Element which method to use
-# See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
+# See: https://github.com/element-hq/element-web/blob/develop/docs/e2ee.md
 matrix_well_known_matrix_client_io_element_e2ee_secure_backup_setup_methods: []
 # Controls whether element related entries should be added to the client well-known. Override this to false to hide
@ -285,9 +286,9 @@ matrix_docker_network: "matrix"
 matrix_well_known_matrix_server_enabled: true
 # Controls whether a `/.well-known/matrix/support` file is generated and used at all.
 # For details about this file, see the spec: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
 #
-# This is not enabled by default, until the MSC gets accepted: https://github.com/matrix-org/matrix-spec-proposals/pull/1929
+# This is not enabled by default, as for it to be useful, other information is necessary.
 #
 # See `matrix_homeserver_admin_contacts`, `matrix_homeserver_support_url`, etc.
 matrix_well_known_matrix_support_enabled: false
@ -341,6 +342,23 @@ matrix_playbook_reverse_proxy_type: ''
 matrix_playbook_service_host_bind_interface_prefix: "{{ '' if matrix_playbook_reverse_proxy_type not in ['other-nginx-non-container', 'other-on-same-host', 'other-on-another-host'] else ('0.0.0.0:' if matrix_playbook_reverse_proxy_type == 'other-on-another-host' else '127.0.0.1:') }}"
 # Controls whether to enable an additional Traefik entrypoint for the purpose of serving Matrix Federation.
 # By default, federation is served on a special port (8448), so a separate entrypoint is necessary.
 # Group variables may influence whether this is enabled based on the port number and on the default entrypoints of the Traefik reverse-proxy.
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name: "{{ matrix_federation_traefik_entrypoint }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom: {}
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition:
  name: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_name }}"
  port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"
  host_bind_port: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}"
  config: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config }}"
 # Variables to Control which parts of our roles run.
 run_postgres_import: true
 run_postgres_upgrade: true
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-support.j2
@ -1,6 +1,6 @@
 #jinja2: lstrip_blocks: "True"
 {
-    "admins": {{ matrix_homeserver_admin_contacts|to_json }}
+    "contacts": {{ matrix_homeserver_admin_contacts|to_json }}
    {% if matrix_homeserver_support_url %},
        "support_page": {{ matrix_homeserver_support_url|to_json }}
    {% endif %}
--- a/roles/custom/matrix-bot-buscarron/defaults/main.yml
+++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml
@ -5,6 +5,7 @@
 matrix_bot_buscarron_enabled: true
 # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/buscarron
 matrix_bot_buscarron_version: v1.3.1
 # The hostname at which Buscarron is served.
@ -40,14 +41,13 @@ matrix_bot_buscarron_container_network: matrix-bot-buscarron
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_buscarron_container_additional_networks: []
-# enable basic auth for metrics
+# /metrics login
-matrix_bot_buscarron_basicauth_enabled: false
+matrix_bot_buscarron_metrics_login: ''
-# temporary file name on the host that runs ansible
+# /metrics password
-matrix_bot_buscarron_basicauth_file: "/tmp/matrix_bot_buscarron_htpasswd"
+matrix_bot_buscarron_metrics_password: ''
-# username
+# /metrics allowed ips
-matrix_bot_buscarron_basicauth_user: ''
+matrix_bot_buscarron_metrics_ips: []
-# password
+
 matrix_bot_buscarron_basicauth_password: ''
 # matrix_bot_buscarron_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
--- a/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-buscarron/tasks/setup_install.yml
@ -40,21 +40,6 @@
    - {path: "{{ matrix_bot_buscarron_docker_src_files_path }}", when: true}
  when: "item.when | bool"
 - name: Determine basicauth filename
  ansible.builtin.set_fact:
    matrix_bot_buscarron_basicauth_file_tmp: "{{ matrix_bot_buscarron_basicauth_file }}_{{ inventory_hostname }}"
  when: matrix_bot_buscarron_basicauth_enabled | bool
 - name: Generate basic auth file
  community.general.htpasswd:
    path: "{{ matrix_bot_buscarron_basicauth_file }}"
    name: "{{ matrix_bot_buscarron_basicauth_user }}"
    password: "{{ matrix_bot_buscarron_basicauth_password }}"
    mode: 0640
  become: false
  delegate_to: 127.0.0.1
  when: matrix_bot_buscarron_basicauth_enabled | bool
 - name: Ensure buscarron support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
@ -66,14 +51,6 @@
    - env
    - labels
 - name: Ensure temporary basic auth file is removed
  ansible.builtin.file:
    path: "{{ matrix_bot_buscarron_basicauth_file }}"
    state: absent
  become: false
  delegate_to: 127.0.0.1
  when: matrix_bot_buscarron_basicauth_enabled | bool
 - name: Ensure buscarron image is pulled
  community.docker.docker_image:
    name: "{{ matrix_bot_buscarron_docker_image }}"
@ -102,7 +79,7 @@
    name: "{{ matrix_bot_buscarron_docker_image }}"
    source: build
    force_source: "{{ matrix_bot_buscarron_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_buscarron_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_bot_buscarron_docker_src_files_path }}"
--- a/roles/custom/matrix-bot-buscarron/templates/env.j2
+++ b/roles/custom/matrix-bot-buscarron/templates/env.j2
@ -17,6 +17,9 @@ BUSCARRON_PM_REPLYTO={{ matrix_bot_buscarron_pm_replyto }}
 BUSCARRON_SMTP_FROM={{ matrix_bot_buscarron_smtp_from }}
 BUSCARRON_SMTP_VALIDATION={{ matrix_bot_buscarron_smtp_validation }}
 BUSCARRON_NOENCRYPTION={{ matrix_bot_buscarron_noencryption }}
 BUSCARRON_METRICS_LOGIN={{ matrix_bot_buscarron_metrics_login }}
 BUSCARRON_METRICS_PASSWORD={{ matrix_bot_buscarron_metrics_password }}
 BUSCARRON_METRICS_IPS={{ matrix_bot_buscarron_metrics_ips|default([])|join(" ") }}
 {% set forms = [] %}
 {% for form in matrix_bot_buscarron_forms -%}{{- forms.append(form.name) -}}
 BUSCARRON_{{ form.name|upper }}_ROOM={{ form.room|default('') }}
--- a/roles/custom/matrix-bot-buscarron/templates/labels.j2
+++ b/roles/custom/matrix-bot-buscarron/templates/labels.j2
@ -19,11 +19,6 @@ traefik.http.middlewares.matrix-bot-buscarron-strip-prefix.stripprefix.prefixes=
 {% set middlewares = middlewares + ['matrix-bot-buscarron-strip-prefix'] %}
 {% endif %}
 {% if matrix_bot_buscarron_basicauth_enabled %}
 traefik.http.middlewares.matrix-bot-buscarron-auth.basicauth.users={{ lookup('ansible.builtin.file', matrix_bot_buscarron_basicauth_file) }}
 {% set middlewares_metrics = middlewares + ['matrix-bot-buscarron-auth'] %}
 {% endif %}
 {% if matrix_bot_buscarron_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_bot_buscarron_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.matrix-bot-buscarron-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
@ -46,21 +41,6 @@ traefik.http.routers.matrix-bot-buscarron.tls.certResolver={{ matrix_bot_buscarr
 {% endif %}
 traefik.http.services.matrix-bot-buscarron.loadbalancer.server.port=8080
 {% if middlewares_metrics | length > 0 %}
 traefik.http.routers.matrix-bot-buscarron-metrics.rule={{ matrix_bot_buscarron_container_labels_traefik_metrics_rule }}
 {% if matrix_bot_buscarron_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-buscarron-metrics.priority={{ matrix_bot_buscarron_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-bot-buscarron-metrics.service=matrix-bot-buscarron
 traefik.http.routers.matrix-bot-buscarron-metrics.middlewares={{ middlewares_metrics | join(',') }}
 traefik.http.routers.matrix-bot-buscarron-metrics.entrypoints={{ matrix_bot_buscarron_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-bot-buscarron-metrics.tls={{ matrix_bot_buscarron_container_labels_traefik_tls | to_json }}
 {% if matrix_bot_buscarron_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-buscarron-metrics.tls.certResolver={{ matrix_bot_buscarron_container_labels_traefik_tls_certResolver }}
 {% endif %}
 traefik.http.services.matrix-bot-buscarron-metrics.loadbalancer.server.port=8080
 {% endif %}
 {% endif %}
 {{ matrix_bot_buscarron_container_labels_additional_labels }}
--- a/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2
+++ b/roles/custom/matrix-bot-buscarron/templates/systemd/matrix-bot-buscarron.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-buscarron 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true'
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
@ -38,7 +38,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-buscarron
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-buscarron 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-buscarron 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-buscarron 2>/dev/null || true'
 Restart=always
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@ -4,7 +4,8 @@
 matrix_bot_chatgpt_enabled: true
-matrix_bot_chatgpt_version: 3.1.2
+# renovate: datasource=docker depName=ghcr.io/matrixgpt/matrix-chatgpt-bot
 matrix_bot_chatgpt_version: 3.1.4
 matrix_bot_chatgpt_container_image_self_build: false
 matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
@ -21,6 +22,10 @@ matrix_bot_chatgpt_config_path: "{{ matrix_bot_chatgpt_base_path }}/config"
 matrix_bot_chatgpt_data_path: "{{ matrix_bot_chatgpt_base_path }}/data"
 matrix_bot_chatgpt_container_src_path: "{{ matrix_bot_chatgpt_base_path }}/container-src"
 # Controls how long to wait for the container to stop gracefully before killing it.
 # We use a small value here, because this container does not seem to handle the SIGTERM signal.
 matrix_bot_chatgpt_container_stop_grace_time_seconds: 1
 # A list of extra arguments to pass to the container
 matrix_bot_chatgpt_container_extra_arguments: []
--- a/roles/custom/matrix-bot-chatgpt/tasks/install.yml
+++ b/roles/custom/matrix-bot-chatgpt/tasks/install.yml
@ -50,7 +50,7 @@
        name: "{{ matrix_bot_chatgpt_container_image }}"
        source: build
        force_source: "{{ matrix_bot_chatgpt_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_chatgpt_git_pull_results.changed }}"
        build:
          dockerfile: Dockerfile
          path: "{{ matrix_bot_chatgpt_container_src_path }}"
--- a/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
+++ b/roles/custom/matrix-bot-chatgpt/templates/systemd/matrix-bot-chatgpt.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ matrix_bot_chatgpt_container_stop_grace_time_seconds }} matrix-bot-chatgpt 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
@ -33,7 +33,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
 			{% endfor %}
 			{{ matrix_bot_chatgpt_container_image }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-chatgpt 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ matrix_bot_chatgpt_container_stop_grace_time_seconds }} matrix-bot-chatgpt 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-chatgpt 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@ -4,6 +4,7 @@
 matrix_bot_draupnir_enabled: true
 # renovate: datasource=docker depName=gnuxie/draupnir
 matrix_bot_draupnir_version: "v1.85.1"
 matrix_bot_draupnir_container_image_self_build: false
--- a/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2
@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Draupnir bot
-{% for service in matrix_bot_draupnir_systemd_required_services_list %}
+{% for service in matrix_bot_draupnir_systemd_wanted_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-draupnir 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -32,7 +32,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{% endfor %}
 			{{ matrix_bot_draupnir_docker_image }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-draupnir 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-draupnir 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-draupnir 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-go-neb/defaults/main.yml
+++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml
@ -5,6 +5,7 @@
 matrix_bot_go_neb_enabled: true
 # renovate: datasource=docker depName=matrixdotorg/go-neb
 matrix_bot_go_neb_version: latest
 matrix_bot_go_neb_scheme: https
--- a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2
+++ b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-go-neb 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true'
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
@ -44,7 +44,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-go-neb 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true'
 Restart=always
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@ -20,6 +20,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/honoroit
 matrix_bot_honoroit_version: v0.9.19
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}"
--- a/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/setup_install.yml
@ -102,7 +102,7 @@
    name: "{{ matrix_bot_honoroit_docker_image }}"
    source: build
    force_source: "{{ matrix_bot_honoroit_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_honoroit_container_image_self_build.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_bot_honoroit_docker_src_files_path }}"
--- a/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2
+++ b/roles/custom/matrix-bot-honoroit/templates/systemd/matrix-bot-honoroit.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-honoroit 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true'
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
@ -38,7 +38,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network conne
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-honoroit
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-honoroit 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-honoroit 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-honoroit 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml
@ -8,6 +8,7 @@ matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matri
 matrix_bot_matrix_registration_bot_docker_repo_version: "{{ 'main' if matrix_bot_matrix_registration_bot_version == 'latest' else ('v' + matrix_bot_matrix_registration_bot_version) }}"
 matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src"
 # renovate: datasource=docker depName=moanos/matrix-registration-bot
 matrix_bot_matrix_registration_bot_version: 1.3.0
 matrix_bot_matrix_registration_bot_docker_iteration: 0
 matrix_bot_matrix_registration_bot_docker_tag: "{{ matrix_bot_matrix_registration_bot_version }}-{{ matrix_bot_matrix_registration_bot_docker_iteration}}"
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
@ -49,7 +49,7 @@
    name: "{{ matrix_bot_matrix_registration_bot_docker_image }}"
    source: build
    force_source: "{{ matrix_bot_matrix_registration_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_registration_bot_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}"
--- a/roles/custom/matrix-bot-matrix-registration-bot/templates/systemd/matrix-bot-matrix-registration-bot.service.j2
+++ b/roles/custom/matrix-bot-matrix-registration-bot/templates/systemd/matrix-bot-matrix-registration-bot.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-matrix-registration-bot 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-matrix-registration-bot 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-matrix-registration-bot 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-matrix-registration-bot \
@ -27,7 +27,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			--network={{ matrix_docker_network }} \
 			{{ matrix_bot_matrix_registration_bot_docker_image }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-matrix-registration-bot 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-matrix-registration-bot 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-matrix-registration-bot 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/defaults/main.yml
@ -9,8 +9,10 @@ matrix_bot_matrix_reminder_bot_docker_repo: "https://github.com/anoadragon453/ma
 matrix_bot_matrix_reminder_bot_docker_repo_version: "{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_src_files_path: "{{ matrix_base_data_path }}/matrix-reminder-bot/docker-src"
-matrix_bot_matrix_reminder_bot_version: release-v0.2.1
+# renovate: datasource=docker depName=ghcr.io/anoadragon453/matrix-reminder-bot
-matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_container_global_registry_prefix }}anoa/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
+matrix_bot_matrix_reminder_bot_version: v0.3.0
 matrix_bot_matrix_reminder_bot_docker_image: "{{ matrix_bot_matrix_reminder_bot_docker_image_name_prefix }}anoadragon453/matrix-reminder-bot:{{ matrix_bot_matrix_reminder_bot_version }}"
 matrix_bot_matrix_reminder_bot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_matrix_reminder_bot_container_image_self_build else 'ghcr.io/' }}"
 matrix_bot_matrix_reminder_bot_docker_image_force_pull: "{{ matrix_bot_matrix_reminder_bot_docker_image.endswith(':latest') }}"
 matrix_bot_matrix_reminder_bot_base_path: "{{ matrix_base_data_path }}/matrix-reminder-bot"
@ -73,6 +75,17 @@ matrix_bot_matrix_reminder_bot_matrix_homeserver_url: "{{ matrix_homeserver_cont
 # Examples: 'Europe/London', 'Etc/UTC'
 matrix_bot_matrix_reminder_bot_reminders_timezone: ''
 matrix_bot_matrix_reminder_bot_allowlist_enabled: false
 matrix_bot_matrix_reminder_bot_allowlist_regexes: "{{ matrix_bot_matrix_reminder_bot_allowlist_regexes_auto + matrix_bot_matrix_reminder_bot_allowlist_regexes_custom }}"
 matrix_bot_matrix_reminder_bot_allowlist_regexes_auto: []
 matrix_bot_matrix_reminder_bot_allowlist_regexes_custom: []
 # If both the blocklist and whitelist are enabled at the same time, the blocklist takes precedence.
 matrix_bot_matrix_reminder_bot_blocklist_enabled: false
 matrix_bot_matrix_reminder_bot_blocklist_regexes: "{{ matrix_bot_matrix_reminder_bot_blocklist_regexes_auto + matrix_bot_matrix_reminder_bot_blocklist_regexes_custom }}"
 matrix_bot_matrix_reminder_bot_blocklist_regexes_auto: []
 matrix_bot_matrix_reminder_bot_blocklist_regexes_custom: []
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/setup_install.yml
@ -69,7 +69,7 @@
    name: "{{ matrix_bot_matrix_reminder_bot_docker_image }}"
    source: build
    force_source: "{{ matrix_bot_matrix_reminder_bot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_matrix_reminder_bot_git_pull_results.changed }}"
    build:
      dockerfile: docker/Dockerfile
      path: "{{ matrix_bot_matrix_reminder_bot_docker_src_files_path }}"
--- a/roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/templates/config.yaml.j2
@ -33,6 +33,33 @@ reminders:
  # If not set, UTC will be used
  timezone: {{ matrix_bot_matrix_reminder_bot_reminders_timezone }}
 # Restrict the bot to only respond to certain MXIDs
 allowlist:
  # Set to true to enable the allowlist
  enabled: {{ matrix_bot_matrix_reminder_bot_allowlist_enabled | to_json }}
  # A list of MXID regexes to be allowed
  # To allow a certain homeserver:
  #     regexes: ["@[a-z0-9-_.]+:myhomeserver.tld"]
  # To allow a set of users:
  #     regexes: ["@alice:someserver.tld", "@bob:anotherserver.tld"]
  # To allow nobody (same as blocking every MXID):
  #     regexes: []
  regexes: {{ matrix_bot_matrix_reminder_bot_allowlist_regexes | to_json }}
 # Prevent the bot from responding to certain MXIDs
 # If both allowlist and blocklist are enabled, blocklist entries takes precedence
 blocklist:
  # Set to true to enable the blocklist
  enabled: {{ matrix_bot_matrix_reminder_bot_blocklist_enabled | to_json }}
  # A list of MXID regexes to be blocked
  # To block a certain homeserver:
  #     regexes: [".*:myhomeserver.tld"]
  # To block a set of users:
  #     regexes: ["@alice:someserver.tld", "@bob:anotherserver.tld"]
  # To block absolutely everyone (same as allowing nobody):
  #     regexes: [".*"]
  regexes: {{ matrix_bot_matrix_reminder_bot_blocklist_regexes | to_json }}
 # Logging setup
 logging:
  # Logging level
--- a/roles/custom/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-matrix-reminder-bot 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-matrix-reminder-bot \
@ -32,7 +32,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_bot_matrix_reminder_bot_docker_image }} \
 			-c "matrix-reminder-bot /config/config.yaml"
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-matrix-reminder-bot 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-matrix-reminder-bot 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-matrix-reminder-bot 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-maubot/defaults/main.yml
+++ b/roles/custom/matrix-bot-maubot/defaults/main.yml
@ -10,7 +10,8 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock
 matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"
-matrix_bot_maubot_version: v0.4.1
+# renovate: datasource=docker depName=dock.mau.dev/maubot/maubot
 matrix_bot_maubot_version: v0.4.2
 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
 matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
+++ b/roles/custom/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-maubot 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-maubot 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-maubot 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-maubot \
@ -33,7 +33,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_bot_maubot_docker_image }} \
 			python3 -m maubot -c /config/config.yaml --no-update
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-maubot 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-maubot 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-maubot 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-mjolnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-mjolnir/defaults/main.yml
@ -4,7 +4,8 @@
 matrix_bot_mjolnir_enabled: true
-matrix_bot_mjolnir_version: "v1.6.4"
+# renovate: datasource=docker depName=matrixdotorg/mjolnir
 matrix_bot_mjolnir_version: "v1.6.5"
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
--- a/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2
+++ b/roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2
@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Mjolnir bot
-{% for service in matrix_bot_mjolnir_systemd_required_services_list %}
+{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-mjolnir 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -32,7 +32,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{% endfor %}
 			{{ matrix_bot_mjolnir_docker_image }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-mjolnir 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-mjolnir 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-mjolnir 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
@ -9,6 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git"
 matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}"
 matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
 # renovate: datasource=docker depName=registry.gitlab.com/etke.cc/postmoogle
 matrix_bot_postmoogle_version: v0.9.16
 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}"
 matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}"
--- a/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-postmoogle/tasks/setup_install.yml
@ -72,7 +72,7 @@
    name: "{{ matrix_bot_postmoogle_docker_image }}"
    source: build
    force_source: "{{ matrix_bot_postmoogle_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_postmoogle_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_bot_postmoogle_docker_src_files_path }}"
--- a/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2
+++ b/roles/custom/matrix-bot-postmoogle/templates/systemd/matrix-bot-postmoogle.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-postmoogle 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-postmoogle 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-postmoogle 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-postmoogle \
@ -36,7 +36,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{% endfor %}
 			{{ matrix_bot_postmoogle_docker_image }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-postmoogle 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-bot-postmoogle 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-postmoogle 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-discord/defaults/main.yml
@ -5,6 +5,7 @@
 matrix_appservice_discord_enabled: false
 matrix_appservice_discord_container_image_self_build: false
 # renovate: datasource=docker depName=ghcr.io/matrix-org/matrix-appservice-discord
 matrix_appservice_discord_version: v4.0.0
 matrix_appservice_discord_docker_image: "{{ matrix_appservice_discord_docker_image_name_prefix }}matrix-org/matrix-appservice-discord:{{ matrix_appservice_discord_version }}"
 matrix_appservice_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_appservice_discord_container_image_self_build else 'ghcr.io/' }}"
--- a/roles/custom/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
+++ b/roles/custom/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-discord 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-discord 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-discord 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_appservice_discord_docker_image }} \
 			node /build/src/discordas.js -p 9005 -c /cfg/config.yaml -f /cfg/registration.yaml
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-discord 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-discord 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-discord 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@ -11,6 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
 matrix_appservice_irc_version: 1.0.1
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
--- a/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-irc 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-irc 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-irc 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -36,7 +36,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_appservice_irc_docker_image }} \
 			-c 'node app.js -c /config/config.yaml -f /config/registration.yaml -p 9999'
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-irc 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-irc 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-irc 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/systemd/matrix-appservice-kakaotalk-node.service.j2
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/systemd/matrix-appservice-kakaotalk-node.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-kakaotalk-node 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-kakaotalk-node 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-kakaotalk-node 2>/dev/null || true'
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-appservice-kakaotalk-node \
@ -28,7 +28,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_appservice_kakaotalk_node_docker_image }} \
 			node src/main.js --config /config.json
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-kakaotalk-node 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-kakaotalk-node 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-kakaotalk-node 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/systemd/matrix-appservice-kakaotalk.service.j2
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/systemd/matrix-appservice-kakaotalk.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-kakaotalk 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-kakaotalk 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-kakaotalk 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -32,7 +32,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_appservice_kakaotalk_docker_image }} \
 			python3 -m matrix_appservice_kakaotalk -c /config/config.yaml --no-update
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-kakaotalk 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-kakaotalk 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-kakaotalk 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
@ -11,6 +11,7 @@ matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/apps
 # matrix_appservice_slack_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-slack
 matrix_appservice_slack_version: 2.1.2
 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_docker_image_tag }}"
 matrix_appservice_slack_docker_image_tag: "{{ 'latest' if matrix_appservice_slack_version == 'latest' else ('release-' + matrix_appservice_slack_version) }}"
--- a/roles/custom/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
+++ b/roles/custom/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-slack 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-slack 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-slack 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_appservice_slack_docker_image }} \
 			node app.js -p {{matrix_appservice_slack_matrix_port}} -c /config/config.yaml -f /config/slack-registration.yaml
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-slack 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-slack 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-slack 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
+++ b/roles/custom/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-webhooks 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -35,7 +35,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_appservice_webhooks_docker_image }} \
 			node index.js -p {{ matrix_appservice_webhooks_matrix_port }} -c /config/config.yaml -f /config/webhooks-registration.yaml
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-appservice-webhooks 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-appservice-webhooks 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-appservice-webhooks 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@ -4,6 +4,7 @@
 matrix_beeper_linkedin_enabled: true
 # renovate: datasource=docker depName=ghcr.io/beeper/linkedin
 matrix_beeper_linkedin_version: latest
 # See: https://github.com/beeper/linkedin/pkgs/container/linkedin
--- a/roles/custom/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2
+++ b/roles/custom/matrix-bridge-beeper-linkedin/templates/systemd/matrix-beeper-linkedin.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-beeper-linkedin 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -32,7 +32,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_beeper_linkedin_docker_image }} \
                        python3 -m linkedin_matrix -c /data/config.yaml -r /data/registration.yaml
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-beeper-linkedin 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-beeper-linkedin 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-beeper-linkedin 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
@ -8,6 +8,7 @@ matrix_go_skype_bridge_container_image_self_build: false
 matrix_go_skype_bridge_container_image_self_build_repo: "https://github.com/kelaresg/go-skype-bridge.git"
 matrix_go_skype_bridge_container_image_self_build_branch: "{{ 'master' if matrix_go_skype_bridge_version == 'latest' else matrix_go_skype_bridge_version }}"
 # renovate: datasource=docker depName=nodefyme/go-skype-bridge
 matrix_go_skype_bridge_version: latest
 matrix_go_skype_bridge_docker_image: "{{ matrix_go_skype_bridge_docker_image_name_prefix }}nodefyme/go-skype-bridge:{{ matrix_go_skype_bridge_version }}"
 matrix_go_skype_bridge_docker_image_name_prefix: "{{ 'localhost/' if matrix_go_skype_bridge_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-bridge-go-skype-bridge/templates/systemd/matrix-go-skype-bridge.service.j2
+++ b/roles/custom/matrix-bridge-go-skype-bridge/templates/systemd/matrix-go-skype-bridge.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-go-skype-bridge 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-go-skype-bridge 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-go-skype-bridge 2>/dev/null || true'
 # Intentional delay, so that the homeserver (we likely depend on) can manage to start.
@ -33,7 +33,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{{ matrix_go_skype_bridge_docker_image }} \
 			/usr/bin/matrix-skype -c /config/config.yaml -r /config/registration.yaml
-ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-go-skype-bridge 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-go-skype-bridge 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-go-skype-bridge 2>/dev/null || true'
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml
@ -4,7 +4,8 @@
 matrix_heisenbridge_enabled: true
-matrix_heisenbridge_version: 1.14.5
+# renovate: datasource=docker depName=hif1/heisenbridge
 matrix_heisenbridge_version: 1.14.6
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
@ -16,6 +17,10 @@ matrix_heisenbridge_identd_enabled: false
 matrix_heisenbridge_base_path: "{{ matrix_base_data_path }}/heisenbridge"
 # Controls how long to wait for the container to stop gracefully before killing it.
 # We use a small value here, because this container does not seem to handle the SIGTERM signal.
 matrix_heisenbridge_container_stop_grace_time_seconds: 1
 # A list of extra arguments to pass to the container
 matrix_heisenbridge_container_extra_arguments: []
@ -30,7 +35,15 @@ matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}"
 matrix_heisenbridge_appservice_token: ''
 matrix_heisenbridge_homeserver_token: ''
-# Default registration file
+matrix_heisenbridge_config_media_url: "{{ matrix_homeserver_url }}"
 matrix_heisenbridge_config_displayname: "Heisenbridge"
 matrix_heisenbridge_registration_yaml_heisenbridge:
  media_url: "{{ matrix_heisenbridge_config_media_url }}"
  displayname: "{{ matrix_heisenbridge_config_displayname }}"
 # Default registration file consumed by both the homeserver and Heisenbridge.
 # Besides registration information, it contains configuration (see the heisenbridge key).
 matrix_heisenbridge_registration_yaml:
  id: heisenbridge
  url: http://matrix-heisenbridge:9898
@ -44,5 +57,6 @@ matrix_heisenbridge_registration_yaml:
        exclusive: true
    aliases: []
    rooms: []
  heisenbridge: "{{ matrix_heisenbridge_registration_yaml_heisenbridge }}"
 matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml | from_yaml }}"
--- a/roles/custom/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2
+++ b/roles/custom/matrix-bridge-heisenbridge/templates/systemd/matrix-heisenbridge.service.j2
@ -13,7 +13,7 @@ DefaultDependencies=no
 [Service]
 Type=simple
 Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
-ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-heisenbridge
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ matrix_heisenbridge_container_stop_grace_time_seconds }} matrix-heisenbridge
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-heisenbridge
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-heisenbridge \
@ -41,7 +41,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
          --listen-port 9898 \
          {{ matrix_heisenbridge_homeserver_url }}
-ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} kill matrix-heisenbridge
+ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} stop --time={{ matrix_heisenbridge_container_stop_grace_time_seconds }} matrix-heisenbridge
 ExecStop=-{{ devture_systemd_docker_base_host_command_docker }} rm matrix-heisenbridge
 Restart=always
 RestartSec=30
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@ -5,12 +5,19 @@
 matrix_hookshot_enabled: true
 matrix_hookshot_ident: matrix-hookshot
 matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
-matrix_hookshot_version: 4.5.1
+# Specifies additional networks for the Hookshot container to connect with
 matrix_hookshot_container_additional_networks: "{{ matrix_hookshot_container_additional_networks_auto + matrix_hookshot_container_additional_networks_custom }}"
 matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
 matrix_hookshot_version: 5.1.2
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
@ -29,6 +36,17 @@ matrix_hookshot_public_endpoint: /hookshot
 matrix_hookshot_appservice_port: 9993
 matrix_hookshot_appservice_endpoint: "{{ matrix_hookshot_public_endpoint }}/_matrix/app"
 # The variables below control the queue parameters and may optionally be pointed to a Redis instance.
 # These are required when experimental encryption is enabled (`matrix_hookshot_experimental_encryption_enabled`).
 matrix_hookshot_queue_host: ''
 matrix_hookshot_queue_port: 6739
 # Controls whether the experimental end-to-bridge encryption support is enabled.
 # This requires that:
 # - support to also be enabled in the homeserver, see the documentation of Hookshot.
 # - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_queue_*` variables.
 matrix_hookshot_experimental_encryption_enabled: false
 # Controls whether metrics are enabled in the bridge configuration.
 # Enabling them is usually enough for a local (in-container) Prometheus to consume them.
 # If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_hookshot_metrics_proxying_enabled`.
@ -40,7 +58,7 @@ matrix_hookshot_metrics_enabled: false
 matrix_hookshot_metrics_proxying_enabled: false
 # There is no need to edit ports.
-# Read the documentation to learn about using hookshot metrics with external Prometheus
+# Read the documentation to learn about using Hookshot metrics with external Prometheus
 # If you still want something different, use matrix_hookshot_container_http_host_bind_ports below to expose ports instead.
 matrix_hookshot_metrics_port: 9001
--- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml
@ -9,6 +9,12 @@
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
 - tags:
    - reset-hookshot-encryption
  block:
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/reset_encryption.yml"
 - tags:
    - setup-all
    - setup-hookshot
--- a/roles/custom/matrix-bridge-hookshot/tasks/reset_encryption.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/reset_encryption.yml
@ -0,0 +1,14 @@
 ---
 - name: Resetting Hookshot's crypto store
  ansible.builtin.command:
    cmd: |
      {{ devture_systemd_docker_base_host_command_docker }} run
      --rm
      --name={{ matrix_hookshot_ident }}-reset-crypto
      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
      --cap-drop=ALL
      --mount type=bind,src={{ matrix_hookshot_base_path }}/config.yml,dst=/config.yml
      {{ matrix_hookshot_docker_image }}
      yarn start:resetcrypto
  changed_when: true
--- a/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml
@ -87,6 +87,12 @@
  with_items:
    - "matrix_hookshot_provisioning_secret"
 - name: Fail if no Redis queue enabled when Hookshot encryption is enabled
  ansible.builtin.fail:
    msg: >-
      You need to define a required configuration setting (`{{ item }}`) to enable Hookshot encryption.
  when: "matrix_hookshot_experimental_encryption_enabled and matrix_hookshot_queue_host == ''"
 - name: (Deprecation) Catch and report old metrics usage
  ansible.builtin.fail:
    msg: >-
--- a/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/config.yml.j2
@ -107,6 +107,16 @@ metrics:
  # (Optional) Prometheus metrics support
  #
  enabled: {{ matrix_hookshot_metrics_enabled | to_json }}
 {% if matrix_hookshot_queue_host != '' %}
 queue:
  monolithic: true
  port: {{ matrix_hookshot_queue_port }}
  host: {{ matrix_hookshot_queue_host | to_json }}
 {% endif %}
 {% if matrix_hookshot_experimental_encryption_enabled %}
 experimentalEncryption:
  storagePath: /data/encryption
 {% endif %}
 logging:
  # (Optional) Logging settings. You can have a severity debug,info,warn,error
  #
--- a/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
+++ b/roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2
@ -28,3 +28,9 @@ namespaces:
 sender_localpart: hookshot
 url: "http://{{ matrix_hookshot_container_url }}:{{ matrix_hookshot_appservice_port }}" # This should match the bridge.port in your config file
 rate_limited: false
 {% if matrix_hookshot_experimental_encryption_enabled %}
 de.sorunome.msc2409.push_ephemeral: true
 push_ephemeral: true
 org.matrix.msc3202: true
 {% endif %}
--- a/Show More
+++ b/Show More