update: synapse to 1.131.0, element-web to 1.11.102

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>

.codespellrc

@@ -0,0 +1,2 @@
+[codespell]
+ignore-words-list = aNULL,brose,doub,Udo,re-use,re-used,registr

.github/renovate.json

@@ -28,5 +28,8 @@
 	],
 	"ignoreDeps": [
 		"ghcr.io/matrixgpt/matrix-chatgpt-bot"
-	]
+	],
+	"pre-commit": {
+		"enabled": true
+	}
 }

.github/workflows/matrix.yml

@@ -7,9 +7,7 @@
 ---
 name: Matrix CI
 
-on:  # yamllint disable-line rule:truthy
-  push:
-  pull_request:
+on: [push, pull_request]  # yamllint disable-line rule:truthy
 
 jobs:
   yamllint:
@@ -30,3 +28,11 @@ jobs:
         uses: ansible-community/ansible-lint-action@v6.17.0
         with:
           path: roles/custom
+  precommit:
+    name: Run pre-commit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Run pre-commit
+        uses: pre-commit/action@v3.0.1

.github/workflows/reuse.yml

@@ -1,20 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Free Software Foundation Europe e.V. <https://fsfe.org>
-#
-# SPDX-License-Identifier: CC0-1.0
----
-name: REUSE Compliance Check
-
-on: [push, pull_request]  # yamllint disable-line rule:truthy
-
-permissions:
-  contents: read
-
-jobs:
-  reuse-compliance-check:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: REUSE Compliance Check
-        uses: fsfe/reuse-action@v5

.pre-commit-config.yaml

@@ -0,0 +1,26 @@
+---
+default_install_hook_types: [pre-push]
+
+exclude: "LICENSES/"
+
+# See: https://pre-commit.com/hooks.html
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v5.0.0
+    hooks:
+      # - id: check-executables-have-shebangs
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-toml
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+  - repo: https://github.com/codespell-project/codespell
+    rev: v2.4.1
+    hooks:
+      - id: codespell
+        args: ["--skip=*.po,*.pot,i18n/"]
+  - repo: https://github.com/fsfe/reuse-tool  # https://reuse.software/dev/#pre-commit-hook
+    rev: v5.0.2
+    hooks:
+      - id: reuse

CHANGELOG.md

@@ -156,7 +156,7 @@ To **completely eliminate the problem** of DDoS amplification attacks done throu
 
 The playbook now **only exposes the Coturn STUN port (`3478`) over TCP by default**.
 
-💡 Users may wish to further remove the (now unnnecessary) firewall rule allowing access to `3478/udp`.
+💡 Users may wish to further remove the (now unnecessary) firewall rule allowing access to `3478/udp`.
 
 If you'd like the Coturn STUN port to be exposed over UDP like before, you can revert to the previous behavior by using the following configuration in your `vars.yml` file:
 
@@ -170,7 +170,7 @@ matrix_coturn_container_stun_plain_host_bind_port_udp: "3478"
 
 # 2025-02-17
 
-## FluffyChat Web suport
+## FluffyChat Web support
 
 Thanks to [Aine](https://gitlab.com/etke.cc) of [etke.cc](https://etke.cc/), the playbook now supports [FluffyChat Web](https://github.com/krille-chan/fluffychat) as an additional Matrix client you can self-host.
 
@@ -192,7 +192,7 @@ The playbook will let you know if you're using any `matrix_mautrix_hangouts_*` v
 
 ## Redis and KeyDB are no longer part of the playbook
 
-**TLDR**: The playbook now exclusively uses Valkey as its Redis-compatible memorystore implementation, removing support for Redis and KeyDB. Most users are unaffected by this change unless they explicitly configured Redis or KeyDB variables. Only users that were explicitly definining `redis_*` or `keydb_*` variables will need to update their configuration to use `valkey_*` variables instead.
+**TLDR**: The playbook now exclusively uses Valkey as its Redis-compatible memorystore implementation, removing support for Redis and KeyDB. Most users are unaffected by this change unless they explicitly configured Redis or KeyDB variables. Only users that were explicitly defining `redis_*` or `keydb_*` variables will need to update their configuration to use `valkey_*` variables instead.
 
 The playbook has gone through several iterations of memorystore implementations:
 
@@ -745,7 +745,7 @@ For people building commercial products on top of Synapse, they may have to eith
 
 We're no lawyers and this changelog entry does not aim to give you the best legal advice, so please research on your own!
 
-If you'd like to continue using the old Apache-2.0-licensed Synapse (for a while longer anyway), the playbook makes it possible by intruducing a new Ansible variable. You can do it like this:
+If you'd like to continue using the old Apache-2.0-licensed Synapse (for a while longer anyway), the playbook makes it possible by introducing a new Ansible variable. You can do it like this:
 
 ```yaml
 # Switch the organization that Synapse container images (or source code for self-building) are pulled from.
@@ -828,7 +828,7 @@ Despite these downsides (which the playbook manages automatically), we believe i
 
 People running the default Traefik setup do not need to do anything to make Traefik take on this extra job. Your Traefik configuration will be updated automatically.
 
-**People runnning their own Traefik reverse-proxy need to do [minor adjustments](#people-managing-their-own-traefik-instance-need-to-do-minor-changes)**, as described in the section below.
+**People running their own Traefik reverse-proxy need to do [minor adjustments](#people-managing-their-own-traefik-instance-need-to-do-minor-changes)**, as described in the section below.
 
 You may disable Traefik acting as an intermediary by explicitly setting `matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled` to `false`. Services would then be configured to talk to the homeserver directly, giving you a slight performance boost and a "simpler" Traefik setup. However, such a configuration is less tested and will cause troubles, especially if you enable more services (like `matrix-media-repo`, etc.) in the future. As such, it's not recommended.
 
@@ -2851,7 +2851,7 @@ As always, re-running the playbook is enough to get the updated bits.
 
 ## SMS bridging requires db reset
 
-The current version of [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) needs you to delete the database to work as expected. Just remove `/matrix/matrix-sms-bridge/database/*`. It also adds a new requried var `matrix_sms_bridge_default_region`.
+The current version of [matrix-sms-bridge](https://github.com/benkuly/matrix-sms-bridge) needs you to delete the database to work as expected. Just remove `/matrix/matrix-sms-bridge/database/*`. It also adds a new required var `matrix_sms_bridge_default_region`.
 
 To reuse your existing rooms, invite `@smsbot:yourServer` to the room or write a message. You are also able to use automated room creation with telephonenumers by writing `sms send -t 01749292923 "Hello World"` in a room with `@smsbot:yourServer`. See [the docs](https://github.com/benkuly/matrix-sms-bridge) for more information.
 
@@ -2883,7 +2883,7 @@ Until the issue gets fixed, we're making User Directory search not go to ma1sd b
 
 This upgrades matrix-appservice-irc from 0.14.1 to 0.16.0. Upstream
 made a change to how you define manual mappings. If you added a
-`mapping` to your configuration, you will need to update it accoring
+`mapping` to your configuration, you will need to update it according
 to the [upstream
 instructions](https://github.com/matrix-org/matrix-appservice-irc/blob/master/CHANGELOG.md#0150-2020-02-05). If you did not include `mappings` in your configuration for IRC, no
 change is necessary. `mappings` is not part of the default
@@ -3046,7 +3046,7 @@ As per this [advisory blog post](https://matrix.org/blog/2019/11/09/avoiding-unw
 
 Our general goal is to favor privacy and security when running personal (family & friends) and corporate homeservers. Both of these likely benefit from having a more secure default of **not showing the room directory without authentication** and **not publishing the room directory over federation**.
 
-As with anything else, these new defaults can be overriden by changing the `matrix_synapse_allow_public_rooms_without_auth` and `matrix_synapse_allow_public_rooms_over_federation` variables, respectively.
+As with anything else, these new defaults can be overridden by changing the `matrix_synapse_allow_public_rooms_without_auth` and `matrix_synapse_allow_public_rooms_over_federation` variables, respectively.
 
 
 # 2019-10-05
@@ -3600,7 +3600,7 @@ The following changes had to be done:
 
 - glue variables had to be introduced to the playbook, so it can wire together the various components. Those glue vars are stored in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file. When overriding variables for a given component (role), you need to be aware of both the role defaults (`role/ROLE/defaults/main.yml`) and the role's corresponding section in the [`group_vars/matrix-servers`](group_vars/matrix-servers) file.
 
-- `matrix_postgres_use_external` has been superceeded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement.
+- `matrix_postgres_use_external` has been superseded by the more consistently named `matrix_postgres_enabled` variable and a few other `matrix_synapse_database_` variables. See the [Using an external PostgreSQL server (optional)](docs/configuring-playbook-external-postgres.md) documentation page for an up-to-date replacement.
 
 - Postgres tools (`matrix-postgres-cli` and `matrix-make-user-admin`) are no longer installed if you're not enabling the `matrix-postgres` role (`matrix_postgres_enabled: false`)
 
@@ -3789,7 +3789,7 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://dimension.t2bot.io/widge
 
 There's now a new `matrix_nginx_proxy_ssl_protocols` playbook variable, which controls the SSL protocols used to serve Riot and Synapse. Its default value is `TLSv1.1 TLSv1.2`. This playbook previously used `TLSv1 TLSv1.1 TLSv1.2` to serve Riot and Synapse.
 
-You may wish to reenable TLSv1 if you need to access Riot in older browsers.
+You may wish to re-enable TLSv1 if you need to access Riot in older browsers.
 
 Note: Currently the dockerized nginx doesn't support TLSv1.3. See https://github.com/nginxinc/docker-nginx/issues/190 for more details.
 

REUSE.toml

@@ -13,10 +13,12 @@ path = [
     "i18n/PUBLISHED_LANGUAGES",
     "i18n/requirements.txt",
     "roles/custom/**/*.repo",
+    ".codespellrc",
     ".editorconfig",
     ".envrc",
     ".gitattributes",
     ".gitignore",
+    ".pre-commit-config.yaml",
     ".yamllint",
     "ansible.cfg",
     "flake.lock",

YEAR-IN-REVIEW.md

@@ -11,7 +11,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 2023 is probably [the year of AI](https://journal.everypixel.com/2023-the-year-of-ai), with millions of people jumping aboard [OpenAI](https://openai.com/)'s [ChatGPT](https://openai.com/chatgpt) train. matrix-docker-ansible-deploy is no stranger to this and 2023 began with a PR from [bertybuttface](https://github.com/bertybuttface) who added support for [matrix-chatgpt-bot](https://github.com/matrixgpt/matrix-chatgpt-bot) (see the [changelog entry](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#chatgpt-support)). While OpenAI's chat GPT website was frequently overloaded in the past, their API was up which made using this bot both convenient and more reliable.
 
-AI aside, with the playbook's focus being containers, we're **doubling down on being "container native"** and becoming more interoperable for people hosting other containers on the Matrix server. In [2022](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/YEAR-IN-REVIEW.md#2022), we've announced a few sibling Ansible playbooks, their use of [Traefik](https://doc.traefik.io/traefik/) and the possiblity of matrix-docker-ansible-deploy also switching to this reverse-proxy. This prediction materialized quickly. The **largest change** in the playbook in 2023 happened way back in February - matrix-docker-ansible-deploy [starting the switch from nginx to Traefik](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support) and then quickly [making Treafik the default reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now). As noted in the changelog entries, we envisioned a quick and complete elimination of `matrix-nginx-proxy`, but at the end of 2023, it hasn't happened yet. The playbook is already using Traefik as the front-most reverse-proxy, but nginx (via `matrix-nginx-proxy`) is still around - it has taken a step back and is only used internally for new setups. Work got to a stall due to:
+AI aside, with the playbook's focus being containers, we're **doubling down on being "container native"** and becoming more interoperable for people hosting other containers on the Matrix server. In [2022](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/YEAR-IN-REVIEW.md#2022), we've announced a few sibling Ansible playbooks, their use of [Traefik](https://doc.traefik.io/traefik/) and the possibility of matrix-docker-ansible-deploy also switching to this reverse-proxy. This prediction materialized quickly. The **largest change** in the playbook in 2023 happened way back in February - matrix-docker-ansible-deploy [starting the switch from nginx to Traefik](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#backward-compatibility-reverse-proxy-configuration-changes-and-initial-traefik-support) and then quickly [making Treafik the default reverse-proxy](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/850078b7e37401ce91a0f9b686f60b945f6c3a96/CHANGELOG.md#traefik-is-the-default-reverse-proxy-now). As noted in the changelog entries, we envisioned a quick and complete elimination of `matrix-nginx-proxy`, but at the end of 2023, it hasn't happened yet. The playbook is already using Traefik as the front-most reverse-proxy, but nginx (via `matrix-nginx-proxy`) is still around - it has taken a step back and is only used internally for new setups. Work got to a stall due to:
 
 *   complexity: untangling the overly large and messy `matrix-nginx-proxy` component is difficult
 *   the current setup became "good enough" because nginx has become an internal implementation detail for those who have migrated to Traefik. Traefik is already the default public reverse-proxy and gives better possibilities to people wishing to run other web-exposed containers on their Matrix server via [Docker Compose](https://docs.docker.com/compose/), other Ansible playbooks like [mash-playbook](https://github.com/mother-of-all-self-hosting/mash-playbook) (more about this one, below) or any other way.

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 result_format = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/README.md

@@ -9,7 +9,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 # Table of Contents
 
-## ⬇️ Installaton guides <!-- NOTE: the 🚀 emoji is used by "Getting started" on README.md -->
+## ⬇️ Installation guides <!-- NOTE: the 🚀 emoji is used by "Getting started" on README.md -->
 
 There are two installation guides available for beginners and advanced users.
 

docs/ansible.md

@@ -117,7 +117,7 @@ Then, to be asked for the password whenever running an `ansible-playbook` comman
 
 #### Resolve directory ownership issues
 
-Because you're `root` in the container running Ansible and this likely differs fom the owner (your regular user account) of the playbook directory outside of the container, certain playbook features which use `git` locally may report warnings such as:
+Because you're `root` in the container running Ansible and this likely differs from the owner (your regular user account) of the playbook directory outside of the container, certain playbook features which use `git` locally may report warnings such as:
 
 > fatal: unsafe repository ('/work' is owned by someone else)
 > To add an exception for this directory, call:

docs/configuring-playbook-appservice-draupnir-for-all.md

@@ -95,13 +95,13 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 
 ## Usage
 
-If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have succesfully installed Draupnir for All and can now start using it.
+If you made it through all the steps above and your main control room was joined by a user called `@draupnir-main:example.com` you have successfully installed Draupnir for All and can now start using it.
 
 The installation of Draupnir for all in this playbook is very much Alpha quality. Usage-wise, Draupnir for all is almost identical to Draupnir bot mode.
 
 ### Granting Users the ability to use D4A
 
-Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recomendation. Using the chat is recomended.
+Draupnir for all includes several security measures like that it only allows users that are on its allow list to ask for a bot. To add a user to this list we have 2 primary options. Using the chat to tell Draupnir to do this for us or if you want to automatically do it by sending `m.policy.rule.user` events that target the subject you want to allow provisioning for with the `org.matrix.mjolnir.allow` recommendation. Using the chat is recommended.
 
 The bot requires a powerlevel of 50 in the management room to control who is allowed to use the bot. The bot does currently not say anything if this is true or false. (This is considered a bug and is documented in issue [#297](https://github.com/the-draupnir-project/Draupnir/issues/297))
 

docs/configuring-playbook-bot-chatgpt.md

@@ -57,7 +57,7 @@ matrix_bot_chatgpt_openai_api_key: 'API_KEY_HERE'
 
 matrix_bot_chatgpt_matrix_access_token: 'ACCESS_TOKEN_HERE'
 
-# Configuring the system promt used, needed if the bot is used for special tasks.
+# Configuring the system prompt used, needed if the bot is used for special tasks.
 # More information: https://github.com/mustvlad/ChatGPT-System-Prompts
 matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.'
 ```

docs/configuring-playbook-bot-draupnir.md

@@ -242,7 +242,7 @@ For Draupnir to do its job, you need to [give it permissions](https://the-draupn
 
 We recommend **subscribing to a public [policy list](https://the-draupnir-project.github.io/draupnir-documentation/concepts/policy-lists)** using the [watch command](https://the-draupnir-project.github.io/draupnir-documentation/moderator/managing-policy-lists#using-draupnirs-watch-command-to-subscribe-to-policy-rooms).
 
-Polcy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
+Policy lists are maintained in Matrix rooms. A popular policy list is maintained in the public `#community-moderation-effort-bl:neko.dev` room.
 
 You can tell Draupnir to subscribe to it by sending the following command to the Management Room: `!draupnir watch #community-moderation-effort-bl:neko.dev`
 

docs/configuring-playbook-bot-matrix-registration-bot.md

@@ -77,7 +77,7 @@ Send `help` to the bot to see the available commands.
 
 You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands).
 
-If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).
+If you have any questions, or if you need help setting it up, read the [troubleshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md) or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).
 
 To clean the cache (session & encryption data) after you changed the bot's username, changed the login method from access_token to password etc… you can use:
 

docs/configuring-playbook-bridge-hookshot.md

@@ -167,7 +167,7 @@ To `matrix_hookshot_container_labels_metrics_middleware_basic_auth_users`, set t
 
 #### Enable Grafana (optional)
 
-Probably you wish to enable Grafana along with Prometheus for generating graphs of the metics.
+Probably you wish to enable Grafana along with Prometheus for generating graphs of the metrics.
 
 To enable Grafana, see [this section](configuring-playbook-prometheus-grafana.md#adjusting-the-playbook-configuration-grafana) for instructions.
 

docs/configuring-playbook-bridge-mautrix-wsproxy.md

@@ -70,7 +70,7 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 
 ## Usage
 
-Follow the [mautrix-imessage documenation](https://docs.mau.fi/bridges/go/imessage/index.html) for running `android-sms` and/or `matrix-imessage` on your device(s).
+Follow the [mautrix-imessage documentation](https://docs.mau.fi/bridges/go/imessage/index.html) for running `android-sms` and/or `matrix-imessage` on your device(s).
 
 ## Troubleshooting
 

docs/configuring-playbook-element-call.md

@@ -30,7 +30,7 @@ These **clients will use their own embedded Element Call frontend**, so **self-h
 
 💡 A reason you may wish to continue installing the Element Call frontend (despite Matrix clients not making use of it), is if you need to use it standalone - directly via a browser (without a Matrix client). Note that unless you [allow guest accounts to use Element Call](#allowing-guests-to-use-element-call-optional), you will still need a Matrix user account **on the same homeserver** to be able to use Element Call.
 
-The playbook makes a distiction between enabling Element Call (`matrix_element_call_enabled`) and enabling the Matrix RTC Stack (`matrix_rtc_enabled`). Enabling Element Call automatically enables the Matrix RTC stack. Because installing the Element Call frontend is now unnecessary, **we recommend only installing the Matrix RTC stack, without the Element Call frontend**.
+The playbook makes a distinction between enabling Element Call (`matrix_element_call_enabled`) and enabling the Matrix RTC Stack (`matrix_rtc_enabled`). Enabling Element Call automatically enables the Matrix RTC stack. Because installing the Element Call frontend is now unnecessary, **we recommend only installing the Matrix RTC stack, without the Element Call frontend**.
 
 | Description / Variable | Element Call frontend | [LiveKit Server](configuring-playbook-livekit-server.md) | [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) |
 |------------------------|-----------------------|----------------|---------------------|

docs/configuring-playbook-matrix-authentication-service.md

@@ -41,7 +41,7 @@ Below, we'll try to **highlight some potential reasons for switching** to Matrix
 
 ## Prerequisites
 
-- ⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver implementation (which is the default for this playbook). Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating wtih Matrix Authentication Service yet.
+- ⚠️ the [Synapse](configuring-playbook-synapse.md) homeserver implementation (which is the default for this playbook). Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating with Matrix Authentication Service yet.
 
 - ❌ **disabling all password providers** for Synapse (things like [shared-secret-auth](./configuring-playbook-shared-secret-auth.md), [rest-auth](./configuring-playbook-rest-auth.md), [LDAP auth](./configuring-playbook-ldap-auth.md), etc.) More details about this are available in the [Expectations](#expectations) section below.
 
@@ -61,7 +61,7 @@ This section details what you can expect when switching to the Matrix Authentica
 
 - ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.
 
-- ⚠️ Delegating user authentication to MAS causes **your Synapse server to be completely dependant on one more service** for its operations. MAS is quick & lightweight and should be stable enough already, but this is something to keep in mind when making the switch.
+- ⚠️ Delegating user authentication to MAS causes **your Synapse server to be completely dependent on one more service** for its operations. MAS is quick & lightweight and should be stable enough already, but this is something to keep in mind when making the switch.
 
 - ⚠️ If you've got [OIDC configured in Synapse](./configuring-playbook-synapse.md#synapse--openid-connect-for-single-sign-on), you will need to migrate your OIDC configuration to MAS by adding an [Upstream OAuth2 configuration](#upstream-oauth2-configuration).
 
@@ -85,7 +85,7 @@ For new homeservers (which don't have any users in their Synapse database yet),
 
 ### Existing homeserver
 
-Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating wtih Matrix Authentication Service yet.
+Other homeserver implementations ([Dendrite](./configuring-playbook-dendrite.md), [Conduit](./configuring-playbook-conduit.md), etc.) do not support integrating with Matrix Authentication Service yet.
 
 For existing Synapse homeservers:
 

docs/configuring-playbook-matrix-corporal.md

@@ -13,7 +13,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 The playbook can install and configure [matrix-corporal](https://github.com/devture/matrix-corporal) for you.
 
-In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
+In short, it's a sort of automation and firewalling service, which is helpful if you're installing Matrix services in a controlled corporate environment.
 
 See the project's [documentation](https://github.com/devture/matrix-corporal/blob/main/README.md) to learn what it does and why it might be useful to you.
 

docs/configuring-playbook-matrix-media-repo.md

@@ -60,7 +60,7 @@ To `matrix_media_repo_container_labels_traefik_metrics_middleware_basic_auth_use
 
 #### Enable Grafana (optional)
 
-Probably you wish to enable Grafana along with Prometheus for generating graphs of the metics.
+Probably you wish to enable Grafana along with Prometheus for generating graphs of the metrics.
 
 To enable Grafana, see [this section](configuring-playbook-prometheus-grafana.md#adjusting-the-playbook-configuration-grafana) for instructions.
 

docs/configuring-playbook-ntfy.md

@@ -115,7 +115,7 @@ The shortcut commands with the [`just` program](just.md) are also available: `ju
 
 ## Usage
 
-To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distrubutor, **log in to the account on the ntfy app** if you have enabled the access control, and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notitications are "distributed" from it.
+To receive push notifications with UnifiedPush from the ntfy server, you need to **install [the ntfy Android app](https://docs.ntfy.sh/subscribe/phone/)** which works as the Distributor, **log in to the account on the ntfy app** if you have enabled the access control, and then **configure a UnifiedPush-compatible Matrix client**. After setting up the ntfy Android app, the Matrix client listens to it, and push notifications are "distributed" from it.
 
 For details about installing and configuring the ntfy Android app, take a look at [this section](https://github.com/mother-of-all-self-hosting/ansible-role-ntfy/blob/main/docs/configuring-ntfy.md#install-the-ntfy-androidios-app) on the role's documentation.
 

docs/configuring-playbook-prometheus-grafana.md

@@ -258,4 +258,4 @@ As with all other services, you can find the logs in [systemd-journald](https://
 - [The Prometheus scraping rules](https://github.com/element-hq/synapse/tree/master/contrib/prometheus) (we use v2)
 - [The Synapse Grafana dashboard](https://github.com/element-hq/synapse/tree/master/contrib/grafana)
 - [The Node Exporter dashboard](https://github.com/rfrail3/grafana-dashboards) (for generic non-synapse performance graphs)
-- [The PostgresSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic Postgres dashboard)
+- [The PostgreSQL dashboard](https://grafana.com/grafana/dashboards/9628) (generic Postgres dashboard)

docs/configuring-playbook-s3.md

@@ -22,13 +22,11 @@ Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring
 
 ## Choosing an Object Storage provider
 
-You can create [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object storage like [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html), [Storj](https://storj.io), [Wasabi](https://wasabi.com), [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces), etc.
+You can create [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object storage like [Backblaze B2](https://www.backblaze.com/b2/cloud-storage.html), [Wasabi](https://wasabi.com), [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces), [Storj](https://storj.io), etc.
 
-Amazon S3, Backblaze B2, and Storj are pay-as-you with no minimum charges for storing too little data.
+Amazon S3 and Backblaze B2 are pay-as-you with no minimum charges for storing too little data. Note that Backblaze egress is free, but for only certain users for up to 3x the amount of data stored. Beyond that you will pay $0.01/GB of egress.
 
-All these providers have different prices, with Storj appearing to be the cheapest (as of 2024-10, storage fee is $0.004 per GB/month, and egress fee is $0.007 per GB; check actual pricing [here](https://storj.dev/dcs/pricing)). Backblaze egress is free, but for only certain users for up to 3x the amount of data stored. Beyond that you will pay $0.01/GB of egress.
-
-Wasabi has a minimum charge of 1TB if you're storing less than 1TB, which becomes expensive if you need to store less data than that. Likewise, Digital Ocean Spaces has also a minimum charge of 250GB ($5/month as of 2022-10).
+Wasabi has a minimum charge of 1TB if you're storing less than 1TB, which becomes expensive if you need to store less data than that. Likewise, Digital Ocean Spaces has also a minimum charge of 250GB ($5/month as of 2022-10). Though Storj does not set minimum amount of data to be stored, it also charges $5 minimum monthly usage fee since July 1, 2025, if your monthly usage (storage, bandwidth, and segments) totals less than $5.
 
 Here are some of the important aspects of choosing the right provider:
 

docs/configuring-playbook-ssl-certificates.md

@@ -15,7 +15,7 @@ By default, the playbook retrieves and automatically renews free SSL certificate
 
 **Notes**:
 - This guide is intended to be referred for configuring the integrated Traefik server with regard to SSL certificates retrieval. If you're using [your own webserver](configuring-playbook-own-webserver.md), consult its documentation about how to configure it.
-- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiriation notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
+- Let's Encrypt ends the expiration notification email service on June 4, 2025 (see: [the official announcement](https://letsencrypt.org/2025/01/22/ending-expiration-emails/)), and it recommends using a third party service for those who want to receive expiration notifications. If you are looking for a self-hosting service, you may be interested in a monitoring tool such as [Update Kuma](https://github.com/louislam/uptime-kuma/).
 
   The [Mother-of-All-Self-Hosting (MASH)](https://github.com/mother-of-all-self-hosting/mash-playbook) Ansible playbook can be used to install and manage an Uptime Kuma instance. See [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/services/uptime-kuma.md) for the instruction to install it with the MASH playbook. If you are wondering how to use the MASH playbook for your Matrix server, refer [this page](https://github.com/mother-of-all-self-hosting/mash-playbook/blob/main/docs/setting-up-services-on-mdad-server.md).
 

docs/configuring-playbook-synapse.md

@@ -53,7 +53,7 @@ You may also consider [tweaking the number of workers of each type](#controlling
 
 ##### Specialized workers
 
-The playbook now supports a smarter **specialized load-balancing** inspired by [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). Instead of routing requests to one or more [generic workers](#generic-workers) based only on the requestor's IP adddress, specialized load-balancing routes to **4 different types of specialized workers** based on **smarter criteria** — the access token (username) of the requestor and/or on the resource (room, etc.) being requested.
+The playbook now supports a smarter **specialized load-balancing** inspired by [Tom Foster](https://github.com/tcpipuk)'s [Synapse homeserver guide](https://tcpipuk.github.io/synapse/index.html). Instead of routing requests to one or more [generic workers](#generic-workers) based only on the requester's IP address, specialized load-balancing routes to **4 different types of specialized workers** based on **smarter criteria** — the access token (username) of the requester and/or on the resource (room, etc.) being requested.
 
 The playbook supports these **4 types** of specialized workers:
 

docs/faq.md

@@ -235,7 +235,7 @@ Running Matrix on a server with 1GB of memory is possible (especially if you dis
 
 **We recommend starting with a server having at least 2GB of memory** and even then using it sparingly. If you know for sure you'll be joining various large rooms, etc., then going for 4GB of memory or more is a good idea.
 
-Besides the regular Matrix stuff, we also support things like video-conferencing using [Jitsi](configuring-playbook-jitsi.md) and other additional services which (when installed) may use up a lot of memory. Things do add up. Besides the Synapse Matrix server, Jitsi is especially notorious for consuming a lot of resources. If you plan on running Jitsi, we recommend a server with at least 2GB of memory (preferrably more). See our [Jitsi documentation page](configuring-playbook-jitsi.md) to learn how to optimize its memory/CPU usage.
+Besides the regular Matrix stuff, we also support things like video-conferencing using [Jitsi](configuring-playbook-jitsi.md) and other additional services which (when installed) may use up a lot of memory. Things do add up. Besides the Synapse Matrix server, Jitsi is especially notorious for consuming a lot of resources. If you plan on running Jitsi, we recommend a server with at least 2GB of memory (preferably more). See our [Jitsi documentation page](configuring-playbook-jitsi.md) to learn how to optimize its memory/CPU usage.
 
 ### Can I run this in an LXC container?
 
@@ -362,7 +362,7 @@ Configuration variables are defined in multiple places in this playbook and are
 
 You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`).
 
-As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`.
+As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overridden by values defined in `group_vars/matrix_servers`.
 
 Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.example.com/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features).
 

docs/howto-srv-server-delegation.md

@@ -42,7 +42,7 @@ This is because with SRV federation, some servers / tools (one of which being th
 
 ### Tell Traefik which certificate to serve for the federation endpoint
 
-Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
+Now that the federation endpoint is not bound to a domain anymore we need to explicitly tell Traefik to use a wildcard certificate in addition to one containing the base name.
 
 This is because the Matrix specification expects the federation endpoint to be served using a certificate compatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
 

examples/reverse-proxies/nginx-proxy-manager/README.md

@@ -23,7 +23,7 @@ If Matrix federation is enabled, then you will need to make changes to [NPM's Do
 
 You'll need to create two proxy hosts in NPM for Matrix web and federation traffic.
 
-Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for Matrix web traffic. Apply the proxys configuration like this:
+Open the 'Proxy Hosts' page in the NPM web interface and select `Add Proxy Host`, the first being for Matrix web traffic. Apply the proxy's configuration like this:
 
 ```md
 # Details
@@ -44,7 +44,7 @@ Custom Nginx Configuration:
 	client_max_body_size 50M;
 ```
 
-Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxys configuration like this:
+Again, under the 'Proxy Hosts' page select `Add Proxy Host`, this time for your federation traffic. Apply the proxy's configuration like this:
 
 ```md
 # Details

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

i18n/README.md

@@ -20,7 +20,7 @@ Currently, we support translation of:
 Organization of this `i18n` directory is as follows:
 
 - [PUBLISHED_LANGUAGES](PUBLISHED_LANGUAGES): a list of languages that we publish translations for (in the [translations/](translations/) directory)
-- [.gitignore](.gitignore): a list of files and directories to ignore in the `i18n` directory. We intentionaly ignore translated results (`translations/<language>` directories) for languages taht are still in progress. We only [publish translations in a new language](#publish-translations-in-a-new-language) when the translation progresses beyond a certain threshold.
+- [.gitignore](.gitignore): a list of files and directories to ignore in the `i18n` directory. We intentionally ignore translated results (`translations/<language>` directories) for languages that are still in progress. We only [publish translations in a new language](#publish-translations-in-a-new-language) when the translation progresses beyond a certain threshold.
 - [justfile](justfile): a list of recipes for [just](https://github.com/casey/just) command runner
 - [requirements.txt](requirements.txt): a list of Python packages required to work with translations
 - [translation-templates/](translation-templates/): a list of English translation templates - strings extracted from Markdown files

i18n/requirements.txt

@@ -17,7 +17,7 @@ packaging==25.0
 Pygments==2.19.1
 PyYAML==6.0.2
 requests==2.32.3
-setuptools==80.8.0
+setuptools==80.9.0
 snowballstemmer==3.0.1
 Sphinx==8.2.3
 sphinx-intl==2.3.1

inventory/host_vars/matrix.finallycoffee.eu/postgresql.yml

@@ -0,0 +1,16 @@
+---
+postgres_max_connections: 400
+postgres_shared_buffers: 3145728 # (3072 MiB)
+postgres_effective_cache_size: 8388608 # (8192 MiB)
+postgres_maintenance_work_mem: 786432 # (768 MiB)
+postgres_wal_buffers: 16384 # (16 MiB)
+postgres_random_page_cost: 1.3
+postgres_work_mem: 4096
+postgres_huge_pages: try
+postgres_min_wal_size: 524288 # (512 MiB)
+postgres_max_wal_size: 4194304 # (4GiB)
+postgres_max_worker_processes: 8
+postgres_max_parallel_workers: 8
+postgres_max_parallel_workers_per_gather: 4
+postgres_max_parallel_maintenance_workers: 4
+

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,386 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+matrix_playbook_ssl_enabled: true
+traefik_config_entrypoint_web_secure_enabled: false
+traefik_container_web_host_bind_port: '127.0.10.1:8080'
+traefik_config_entrypoint_web_forwardedHeaders_insecure: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.10.2:8448'
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
+  forwardedHeaders:
+    insecure: true
+
+matrix_synapse_metrics_proxying_enabled: true
+matrix_sliding_sync_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_playbook_docker_installation_enabled: false
+
+#matrix_dimension_scheme: https
+
+devture_timesync_installation_enabled: false
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+devture_systemd_service_manager_up_verification_delay_seconds: 300
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+# matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+#matrix_synapse_rc_federation:
+#  window_size: 1000
+#  sleep_limit: 50
+#  sleep_delay: 500
+#  reject_limit: 50
+#  concurrent: 10
+#matrix_synapse_rc_message:
+#  per_second: 0.5
+#  burst_count: 25
+#matrix_synapse_rc_joins:
+#  local:
+#    per_second: 0.5
+#    burst_count: 20
+#  remote:
+#    per_second: 0.05
+#    burst_count: 20
+#matrix_synapse_rc_joins_per_room:
+#  per_second: 1
+#  burst_count: 10
+#matrix_synapse_rc_invites:
+#  per_room:
+#    per_second: 0.5
+#    burst_count: 10
+#  per_user:
+#    per_second: 0.006
+#    burst_count: 10
+#  per_issuer:
+#    per_second: 2
+#    burst_count: 20
+
+## Synapse cache tuning
+#matrix_synapse_caches_global_factor: 1.5
+#matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 1
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+#matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+#matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+#matrix_synapse_ext_password_provider_rest_auth_enabled: true
+#matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+#matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+#matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+#matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_min: 10
+      cp_max: 30
+      cp_reconnect: True
+
+#  caches:
+#    per_cache_factors:
+#      device_id_exists: 3
+#      get_users_in_room: 4
+#      _get_joined_users_from_context: 4
+#      _get_joined_profile_from_event_id: 3
+#      "*stateGroupMembersCache*": 2
+#      _matches_user_in_member_list: 3
+#      get_users_who_share_room_with_user: 3
+#      is_interested_in_room: 2
+#      get_user_by_id: 1.5
+#      room_push_rule_cache: 1.5
+#    expire_caches: true
+#    cache_entry_ttl: 45m
+#    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+#matrix_synapse_admin_enabled: true
+#matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: false
+#matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+#matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+#matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+#matrix_dimension_configuration_extension_yaml: |
+#    telegram:
+#        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+matrix_bridges_encryption_enabled: true
+matrix_bridges_encryption_default: true
+matrix_appservice_double_puppet_enabled: true
+
+matrix_mautrix_slack_enabled: true
+matrix_mautrix_slack_appservice_bot_username: slack
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: false
+#matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+#matrix_mx_puppet_instagram_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_instagram_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    presence:
+#        enabled: true
+#        interval: 3000
+#
+#
+##
+## mx-puppet-discord configuration
+##
+matrix_mx_puppet_discord_enabled: false
+#matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+#matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+#matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+#matrix_mx_puppet_discord_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_discord_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: false
+#matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+#matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+#matrix_mx_puppet_slack_oauth_redirect_path: '/bridge/slack/oauth'
+#matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+#matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+#matrix_mx_puppet_slack_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+#matrix_mx_puppet_slack_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_auth_header_logo_url: "welcome/images/logo.png"
+matrix_client_element_branding_welcome_background_url: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcome_background_url }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_auth_header_logo_url }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_room_directory_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+#matrix_ma1sd_configuration_extension_yaml: |
+#    hashing:
+#      enabled: true
+#      pepperLength: 20
+#      rotationPolicy: per_requests
+#      requests: 10
+#      hashStorageType: sql
+#      algorithms:
+#          - none
+#          - sha256
+
+
+# Matrix mail notification relay setup
+exim_relay_enabled: true
+exim_relay_sender_address: "system-matrix@{{ matrix_domain }}"
+exim_relay_relay_use: true
+exim_relay_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+exim_relay_relay_host_port: 587
+exim_relay_relay_auth: true
+exim_relay_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+exim_relay_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,105 @@
+$ANSIBLE_VAULT;1.1;AES256
+61626165616330663863393762663031623164636666346339343636363035663463636135656533
+3338383762633130346536613334626164306464333835380a353264386431326437616234393165
+61323266623432353731373634353339393936643130346434346530336563326533386331646533
+3030663037666664360a346636343966663733663836633736316630663230613137663166336336
+62383131343934353635633261323036613231646439626162306238313132316664653237653533
+34376464633335626133376138343139653561613232333133393535393137653964633561313761
+62653632663432313936336231613832626362343737383863343562636437646439666638383733
+63313538616430393536356534303164633332653538643264353834393465373538643963343039
+31366661636263353936363931343938323563626538303133366263363533393564386466666361
+38666264643931336563633663663538616431313231336364653631383261326537336162313837
+32373730343538653862326636303264353737353139663161393762383138393531363264633531
+32383661396537636635666665316630663032333932393131336235663938623932383230343830
+31613563656663343830353438396535663864306531333239623738653838633331386465353466
+37366363643334623165373562363465636161396437333966303864663033636665623564613565
+39643635333636363132633462386536393634303838343835363633626162363236653839376230
+34666430363933336335323330386339656339356637653931643565303166303436333562333361
+38633838636337316137343564613338346239663933356130396562306164376430363233373632
+66303430303034353262343565373139333535636231623062633537653636376136656138623637
+34396562376233643234643436323433336436393163363935643033643833386631633762343162
+33633136316635326532343430383437366139333830373731636265386234356164393066333663
+37663934633437653364356231383934313132343162323436373339393964656336646164333533
+37626336616565323237633736653433316238366261303465343466643363303131376665346231
+62623133336561313732393837323330643138663830353662366139373366383436323530333732
+38623633666537643038636163303164653866343934616236343733386533663936303637326462
+63633137626632613736313333643363373963306161353431396261646635383930366166363135
+66353962643638616635376137346439383339303236323761366439306638623762343966623035
+30323435396533633238313962306366343362393339616131393839653565666666313833313433
+66386362353061323465666563616230336565663339646162623634643330646239343934373636
+33363061316637613266373831376133303337616639643239393835636138323266613134633633
+65356634636562313961643865353334306131333030373566666535373039343337613964306465
+32393163666232383266363763336132653765316162663961653933633832626533646537376136
+64613133373135616531343837616264656461313963646565656465656165303534343834663734
+62313865366634656265613264623234653165633839323030643333643139323531643637393439
+61656561303732663834336334643765616234373063306236303538646663316131663933323236
+63396263663034613832653361383061336132663032646133323931386562653661346264363439
+35636463613635316239363061363836623564303933373964363365626133373039643264666530
+30343165366365333339366639353033666634613162363164333433633563613461666532323566
+63303836353331326439646139653738633866356463303264623166306262393766346338373537
+62373865303264633663666333323135343530323434383835393763363739636135646538336364
+33376438636264393635383163353431336463396263333239626566653262373434316532343633
+61363061623430636462393135316564636536633963393338383334643134366232396564316635
+31373963633164653235643665653863303831663065383433363036633962633462393839363235
+36323562323634643639643561636261643136313633656236656566353539343063386162383234
+38653461633561353639336531353333393262633065386539353031386332343739656261653238
+31326434386130336465613233663563323035666631303137313665336566363134306638663265
+62353430353934633965316636643566653235366230323139656539646539626236616138313362
+31643437366563383164306331303662356562616366366237613633666534623765323034396534
+38326537376265343065313738316433353266633539313134323735383864623663323662633662
+65613862623766343736343031636238356161343036363566646635643334373030386434646135
+64336263356663376564333935623135396231623165326437393563333361356435346634616665
+66376231666633643936323264323565346637343538366138616631383964376632613437323163
+30366537326533363939643237376538366230313263623139323662396633343239343066313564
+63356533373338653030313038653137666434323737323763623136666530313035356634666633
+35643530333632633664643361633964666432336631636561343739646266653634353963323534
+35663731616539646332393837633566393734643033623937316661653839663937303666376339
+65653036373565323435636637373231316265393231333734356462356635346531366530316262
+37643632346164366561353236373633623464643536373361666263303739356335333934313537
+31373035633333313065613162346133663736313265376230393135353431343765306539633032
+63353338656231376666613138353235613362643334653537353237653139396533363630303033
+36363039613232666266333535343466336263663762623865376532326262666332303361356266
+65646337323037383564666639363636333135323265633932333264346363326466343234653936
+65656535343663356562613064323138656338633064633462313864616665653230626638373939
+61623862386364396335323836396664653731633365623936383435383330643038386665653238
+62643961626464313666343431303064303338396135643432383730613161336435306262653132
+38373432393564333562363761386239343366343465386638643737663561633837303734333835
+66366465633164346365356637313534376136303630666432613664363030323336316639393339
+61383565316432383633383832363439316366373536336639643961333663303631633464633238
+31396331386163386261393565346266636436386465326639326363663930666665306637393263
+65363763336561316566363164626466643637343731666530386432343431653634353336376461
+33366233366533656334666138346661323463633133303933626163343666623761613961346231
+35383232306336386665313264393933646631656333613138353532666133366339656564353865
+35353330393131366137663466333363653866323936353734306361633163626537363561346332
+65363231623766666638383661323964633034366261633035303861383135383235656465373738
+66373762626130356633626436366533626633353836346239666333353262656665636330626561
+66613165313137373766623464646330643662393033396266643662653136393233336265353430
+38376130663634333133353763383264623133373230323938316638323864643430386633376564
+65356264623766666637353866326638613435663830623063343439373030663663623432393863
+33343134626465313230646239646537653938613938633736346235323438393237363639373932
+61376231386265366132333965333133343737623066383534666633396635356537623432623132
+62656431323033633265626265613736383435376132613532333037613834313130626361373533
+39653361323366636335343865343737346264636433386332666332376662343634356630316135
+30366163333561353338663666363738313732303031333637636266623530623261306335616233
+31346436346663643464626134313338346439323838343663613135663834666632653866346431
+64376566343963346664366363353636636231386530363961333131383133323163396265313563
+35393534343664336237336231313831333739633662306636373338663434613231306538343865
+61613063306432623932616534363865333639396232383562396161383539363336303463323731
+63313239666538306239663864653839616132363662336331636262353061663136386331306131
+66336361396239383638623463663635613364366433343739356331633330633561653038633530
+38303832363663656432396636613134613965373639353731366138323435326135626339353263
+39313032333966376135653664623666626233613530646534636362646237303465653931666563
+65343936623462633162343334643335623834323364646362633232346237306337303430616363
+61633930343132303962653432636230343331343332616434323035633963623138653737306566
+34353135623134626237653165663738633435656439393234643432353535646439313638653664
+39326437393166633937663261336330656266303431383437626163623163303133323139313563
+39383664633739373664653131326665306533633162373535396464663637653662336237656161
+39633138383166316437313237303733336365343066366462643165643865653039343037633263
+61613730393666636530633231396165363033313161663463323861663262383234643236643038
+61633138323664613061663538383333323566393262303633623136613166636361306562356163
+66363033373262396461316438643238396633353962616362623363303035353765393164616230
+35303664616539363639373830623337396239626539613761613839363638326664306465313762
+34646634326338306430653065343231366430666534306331336532346535663737633639363834
+34623539616339363535633365306230663264626234363637366436353833663136303032623338
+32633761333165393231303165393234643363313839373339666433666130313035643836626531
+63356638666264333163

inventory/hosts

@@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+37366366376266633033656235333633346134336666323465356666353363323130366365393534
+3365373534643965613139656465323663393862336163640a623663366631323035346632353030
+37396264356137336535363663323935646464333138653035623562346438643139323439366132
+3364356364353738660a616638393635333938373838316631396536386134333831613831343732
+39333066363566643864343661646633326134633039316636306332303063366665373638353735
+34386339633566663038613538316233306238383734623363623666346261336562663039373264
+31313061616432643761633139643039636164613136643264663131666166646531366335346164
+34303339393334616434633736383763653035386333363137336431363034653263306261646661
+37323563373436333736633836666563646162303232393932346430373039346431356166393930
+37616639333038653936633163323139396666303638663039623633633832333737633764643863
+61383763613865323061636662663837656339373335643066333964393362303766366533303332
+63646335356639366130393530373936636330633132356639626531303839656166346263613733
+31333362316537323934306434393630656161353465636434303538643835396361613563663437
+34383765626235356530396433643037306233663263623664636163326132316237386231323165
+65643235356434626161396136303563633836313961343664653339623862633338313963333237
+63663961636661383634343532356234626531373938313164373561386139366338393066623036
+36633137623361626161313961386630623635323336353036623165316632353333383162623531
+61353138613030343636326166303762656264643834396330313563616439323265333039323566
+64356538346662613836356462613536656636373065643734346166353466363266353939393535
+66333739623735656463373530646663303535643562363534306438323135353763303363376135
+37653566306461396563333135633235626130313231636165383438376237383663373939353637
+30366661303131333438376363366131613361326635366264363064633034376230353137663030
+346238306532363635623732396366633538

requirements.txt

@@ -0,0 +1,11 @@
+ansible==11.3.0
+ansible-core==2.18.3
+cffi==1.17.1
+cryptography==44.0.2
+Jinja2==3.1.6
+MarkupSafe==3.0.2
+packaging==24.2
+passlib==1.7.4
+pycparser==2.22
+PyYAML==6.0.2
+resolvelib==1.0.1

requirements.yml

@@ -49,7 +49,7 @@
   version: v17-3
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.4.0-1
+  version: v3.4.1-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
   version: v1.9.1-3
@@ -67,7 +67,7 @@
   version: v1.0.0-0
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.4.0-0
+  version: v3.4.1-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-0

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.2.0"
+matrix_appservice_draupnir_for_all_version: "v2.3.1"
 
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -50,7 +50,7 @@ matrix_appservice_draupnir_for_all_systemd_wanted_services_list: []
 # anyone in this room can use the bot - secure your room!
 # This should be a room alias - not a matrix.to URL.
 # Note: Draupnir is fairly verbose - expect a lot of messages from it.
-# This room is diffrent for Appservice Mode compared to normal mode.
+# This room is different for Appservice Mode compared to normal mode.
 # In Appservice mode it provides functions like user management.
 matrix_appservice_draupnir_for_all_config_adminRoom: ""  # noqa var-naming
 

roles/custom/matrix-base/defaults/main.yml

@@ -217,7 +217,7 @@ matrix_homeserver_container_url: "http://{{ matrix_homeserver_container_client_a
 
 # Specifies where the homeserver's Client-Server API is on the container network (matrix_homeserver_container_network).
 # Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
-# This likely gets overriden elsewhere.
+# This likely gets overridden elsewhere.
 matrix_homeserver_container_client_api_endpoint: ""
 
 # Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
@@ -225,7 +225,7 @@ matrix_homeserver_container_federation_url: "http://{{ matrix_homeserver_contain
 
 # Specifies where the homeserver's Federation API is on the container network (matrix_homeserver_container_network).
 # Where this is depends on whether there's a reverse-proxy in front of the homeserver, which homeserver it is, etc.
-# This likely gets overriden elsewhere.
+# This likely gets overridden elsewhere.
 matrix_homeserver_container_federation_api_endpoint: ""
 
 # Specifies the public url of the Sync v3 (sliding-sync) API.

roles/custom/matrix-base/tasks/validate_config.yml

@@ -104,7 +104,7 @@
     msg: >-
       Your configuration enables both the old mautrix-instagram bridge and the new mautrix-meta-instagram bridge.
       By default, both bridges are configured to use the same bridge bot username (`@{{ matrix_mautrix_meta_instagram_appservice_username }}:{{ matrix_domain }}`) which is a conflict.
-      We recommend that you disable at least one of the bridges (preferrably the old mautrix-instagram bridge), or to resolve the conflict in another way.
+      We recommend that you disable at least one of the bridges (preferably the old mautrix-instagram bridge), or to resolve the conflict in another way.
       To resolve the conflict without disabling a bridge, consider adjusting one of `matrix_mautrix_instagram_appservice_bot_username` or `matrix_mautrix_meta_instagram_appservice_username` - they both have a value of {{ matrix_mautrix_meta_instagram_appservice_username }} right now.
   when:
     - matrix_mautrix_instagram_enabled | bool

roles/custom/matrix-bot-chatgpt/tasks/validate_config.yml

@@ -20,7 +20,7 @@
 - name: Fail if OpenAI configuration not up-to-date.
   ansible.builtin.fail:
     msg: >-
-      Your configuration contains a varible that is no longer used.
+      Your configuration contains a variable that is no longer used.
       Please change your configuration to remove the variable (`{{ item.name }}`).
   when: "item.name in vars"
   with_items:

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.2.0"
+matrix_bot_draupnir_version: "v2.3.1"
 
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -63,7 +63,7 @@
   ansible.builtin.fail:
     msg: >-
       Your configuration is trying to enable matrix_bot_draupnir_config_experimentalRustCrypto and matrix_bot_draupnir_pantalaimon_use at the same time.
-      These settings are mutually incompatible and therefore cant be used at the same time.
+      These settings are mutually incompatible and therefore can't be used at the same time.
   when:
     - matrix_bot_draupnir_pantalaimon_use
     - matrix_bot_draupnir_config_experimentalRustCrypto

roles/custom/matrix-bot-draupnir/templates/production.yaml.j2

@@ -7,7 +7,8 @@ SPDX-FileCopyrightText: 2024 Suguru Hirahara
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-# Endpoint URL that Draupnir uses to interact with the Matrix homeserver (client-server API),
+# Endpoint URL that Draupnir uses to interact with the matrix homeserver (client-server API),
+# set this to the pantalaimon URL if you're using that.
 homeserverUrl: {{ matrix_bot_draupnir_config_homeserverUrl | to_json }}
 
 # Endpoint URL that Draupnir could use to fetch events related to reports (client-server API and /_synapse/),
@@ -22,7 +23,10 @@ accessToken: {{ matrix_bot_draupnir_config_accessToken | to_json }}
 {% if matrix_bot_draupnir_pantalaimon_use or matrix_bot_draupnir_login_native %}
 # Options related to Pantalaimon (https://github.com/matrix-org/pantalaimon)
 pantalaimon:
-  # Set to `true` when the bot is to login and fetch the access token on its own.
+  # Whether or not Draupnir will use pantalaimon to access the matrix homeserver,
+  # set to `true` if you're using pantalaimon.
+  #
+  # Be sure to point homeserverUrl to the pantalaimon instance.
   #
   # Draupnir will log in using the given username and password once,
   # then store the resulting access token in a file under dataPath.
@@ -34,13 +38,14 @@ pantalaimon:
   # The password Draupnir will login with.
   #
   # After successfully logging in once, this will be ignored, so this value can be blanked after first startup.
-  # This option can be loaded from a file by passing "--password-path <path>" at the command line,
+  # This option can be loaded from a file by passing "--pantalaimon-password-path <path>" at the command line,
   # which would allow using secret management systems such as systemd's service credentials.
   password: {{ matrix_bot_draupnir_password | to_json }}
 {% endif %}
 
-# Experimental usage of the matrix-bot-sdk rust crypto. This can not be used with Pantalaimon.
-# Make sure Pantalaimon is disabled in Draupnir's configuration.
+# Experimental usage of the matrix-bot-sdk rust crypto.
+# This can not be used with Pantalaimon.
+# Make sure to setup the bot as if you are not using pantalaimon for this.
 #
 # Warning: At this time this is not considered production safe.
 experimentalRustCrypto: {{ matrix_bot_draupnir_config_experimentalRustCrypto | to_json }}
@@ -68,22 +73,12 @@ recordIgnoredInvites: false
 # (see verboseLogging to adjust this a bit.)
 managementRoom: {{ matrix_bot_draupnir_config_managementRoom | to_json }}
 
-# Deprecated and will be removed in a future version.
-# Running with verboseLogging is unsupported.
-# Whether Draupnir should log a lot more messages in the room,
-# mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
-verboseLogging: false
-
 # The log level of terminal (or container) output,
 # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
 #
 # This should be at INFO or DEBUG in order to get support for Draupnir problems.
 logLevel: "INFO"
 
-# Whether or not Draupnir should synchronize policy lists immediately after startup.
-# Equivalent to running '!draupnir sync'.
-syncOnStartup: true
-
 # Whether or not Draupnir should check moderation permissions in all protected rooms on startup.
 # Equivalent to running `!draupnir verify`.
 verifyPermissionsOnStartup: true
@@ -131,11 +126,13 @@ protectAllJoinedRooms: false
 # of the homeserver may be more impacted.
 backgroundDelayMS: 500
 
-# Server administration commands, these commands will only work if Draupnir is
+# Server administrative features. These will only work if Draupnir is
 # a global server administrator, and the bot's server is a Synapse instance.
+# Please review https://the-draupnir-project.github.io/draupnir-documentation/bot/homeserver-administration
 admin:
-  # Whether or not Draupnir can temporarily take control of any eligible account from the local homeserver who's in the room
-  # (with enough permissions) to "make" a user an admin.
+  # Whether to enable the make admin command.
+  # This command allows Draupnir can temporarily take control of any eligible account
+  # from the local homeserver in the target room (with enough permissions) to "make" another user an admin.
   #
   # This only works if a local user with enough admin permissions is present in the room.
   enableMakeRoomAdminCommand: {{ matrix_bot_draupnir_config_admin_enableMakeRoomAdminCommand | to_json }}
@@ -300,13 +297,10 @@ web:
     authorization: {{ matrix_bot_draupnir_config_web_synapseHTTPAntispam_authorization | to_json }}
 {% endif %}
 
-# FIXME: This configuration option is currently broken in the playbook as admin APIs cannot
-# be accessed from containers. See https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3389
-# and https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3308
 # Whether or not to actively poll synapse for abuse reports, to be used
 # instead of intercepting client calls to synapse's abuse endpoint, when that
 # isn't possible/practical.
-#pollReports: false
+pollReports: false
 
 # Whether or not new reports, received either by webapi or polling,
 # should be printed to our managementRoom.

roles/custom/matrix-bridge-appservice-discord/templates/config.yaml.j2

@@ -2,7 +2,7 @@
 bridge:
   # Domain part of the bridge, e.g. matrix.org
   domain: {{ matrix_appservice_discord_bridge_domain|to_json }}
-  # This should be your publically facing URL because Discord may use it to
+  # This should be your publicly facing URL because Discord may use it to
   # fetch media from the media store.
   homeserverUrl: {{ matrix_appservice_discord_bridge_homeserverUrl|to_json }}
   # Interval at which to process users in the 'presence queue'. If you have

roles/custom/matrix-bridge-appservice-irc/defaults/main.yml

@@ -358,7 +358,7 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # not apply an idle timeout. This value is ignored if this IRC server is
 #       # mirroring Matrix membership lists to IRC. Default: 172800 (48 hours)
 #       idleTimeout: 10800
-#       # The number of millseconds to wait between consecutive reconnections if a
+#       # The number of milliseconds to wait between consecutive reconnections if a
 #       # client gets disconnected. Setting to 0 will cause the scheduling to be
 #       # disabled, i.e. it will be scheduled immediately (with jitter.
 #       # Otherwise, the scheduling interval will be used such that one client

roles/custom/matrix-bridge-go-skype-bridge/templates/config.yaml.j2

@@ -224,7 +224,7 @@ logging:
     # The directory for log files. Will be created if not found.
     directory: ./logs
     # Available variables: .Date for the file date and .Index for different log files on the same day.
-    # empy/null = journal logging only
+    # empty/null = journal logging only
     file_name_format:
     # Date format for file names in the Go time format: https://golang.org/pkg/time/#pkg-constants
     file_date_format: "2006-01-02"

roles/custom/matrix-bridge-mautrix-slack/tasks/validate_config.yml

@@ -22,7 +22,7 @@
   when: matrix_appservice_slack_enabled | default(False) | bool and matrix_mautrix_slack_appservice_bot_username == matrix_appservice_slack_bot_name | default ('')
   ansible.builtin.fail:
     msg: |
-      The appservice-slack and mautrix-slack components are both enabled and use the same bot username ({{ matrix_mautrix_slack_appservice_bot_username }}), as per their default configuration, which causes a conflcit.
+      The appservice-slack and mautrix-slack components are both enabled and use the same bot username ({{ matrix_mautrix_slack_appservice_bot_username }}), as per their default configuration, which causes a conflict.
       To resolve the conflict, make one of these components use a different username.
       Consider either changing `matrix_mautrix_slack_appservice_bot_username` (the bot username for the mautrix-slack component) or `matrix_appservice_slack_bot_name` (the bot username for the appservice-slack component).
       We recommend that you change the username for the newly-added (and yet unused) component.

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -223,6 +223,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml | from_yaml | combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"

roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.11.101
+matrix_client_element_version: v1.11.102
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-element/tasks/setup_install.yml

@@ -101,6 +101,19 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"
 
+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: false
+    #when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element Web nginx.conf file is removed
   ansible.builtin.file:
     path: "{{ matrix_client_element_data_path }}/nginx.conf"

roles/custom/matrix-client-element/templates/welcome.html.j2

@@ -33,7 +33,7 @@ h1::after {
 }
 
 .mx_Logo {
-    height: 54px;
+    height: 92px;
     margin-top: 2px;
 }
 

roles/custom/matrix-conduit/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg
 matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}"
 matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixconduit/matrix-conduit
-matrix_conduit_docker_image_tag: "v0.10.3"
+matrix_conduit_docker_image_tag: "v0.10.4"
 matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}"
 
 matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit"

roles/custom/matrix-conduwuit/templates/conduwuit.toml.j2

@@ -586,7 +586,7 @@ trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }}
 # specifically on room joins. This option limits the exposure to a
 # compromised trusted server to room joins only. The join operation
 # requires gathering keys from many origin servers which can cause
-# significant delays. Therefor this defaults to true to mitigate
+# significant delays. Therefore this defaults to true to mitigate
 # unexpected delays out-of-the-box. The security-paranoid or those willing
 # to tolerate delays are advised to set this to false. Note that setting
 # query_trusted_key_servers_first to true causes this option to be
@@ -597,7 +597,7 @@ trusted_servers = {{ matrix_conduwuit_trusted_servers | to_json }}
 # Only query trusted servers for keys and never the origin server. This is
 # intended for clusters or custom deployments using their trusted_servers
 # as forwarding-agents to cache and deduplicate requests. Notary servers
-# do not act as forwarding-agents by default, therefor do not enable this
+# do not act as forwarding-agents by default, therefore do not enable this
 # unless you know exactly what you are doing.
 #
 #only_query_trusted_key_servers = false

roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2

@@ -586,7 +586,7 @@ trusted_servers = {{ matrix_continuwuity_trusted_servers | to_json }}
 # specifically on room joins. This option limits the exposure to a
 # compromised trusted server to room joins only. The join operation
 # requires gathering keys from many origin servers which can cause
-# significant delays. Therefor this defaults to true to mitigate
+# significant delays. Therefore this defaults to true to mitigate
 # unexpected delays out-of-the-box. The security-paranoid or those willing
 # to tolerate delays are advised to set this to false. Note that setting
 # query_trusted_key_servers_first to true causes this option to be
@@ -597,7 +597,7 @@ trusted_servers = {{ matrix_continuwuity_trusted_servers | to_json }}
 # Only query trusted servers for keys and never the origin server. This is
 # intended for clusters or custom deployments using their trusted_servers
 # as forwarding-agents to cache and deduplicate requests. Notary servers
-# do not act as forwarding-agents by default, therefor do not enable this
+# do not act as forwarding-agents by default, therefore do not enable this
 # unless you know exactly what you are doing.
 #
 #only_query_trusted_key_servers = false

roles/custom/matrix-coturn/defaults/main.yml

@@ -34,7 +34,7 @@ matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith('
 # The Docker network that coturn would be put into.
 #
 # Because coturn relays traffic to unvalidated IP addresses,
-# using a dedicated network, isolated from other Docker (and local) services is preferrable.
+# using a dedicated network, isolated from other Docker (and local) services is preferable.
 #
 # Setting up deny/allow rules with `matrix_coturn_allowed_peer_ips`/`matrix_coturn_denied_peer_ips` is also
 # possible for achieving such isolation, but is more complicated due to the dynamic nature of Docker networking.

roles/custom/matrix-dendrite/defaults/main.yml

@@ -355,7 +355,7 @@ matrix_dendrite_user_api_auto_join_rooms: []
 # name, number of active users and some information on your deployment config.
 matrix_dendrite_report_stats: false
 
-# Contorls whether thumbnails for media content are generated dynamically
+# Controls whether thumbnails for media content are generated dynamically
 matrix_dendrite_media_api_dynamic_thumbnails: false
 matrix_dendrite_media_api_max_thumbnail_generators: 10
 

roles/custom/matrix-dynamic-dns/defaults/main.yml

@@ -36,7 +36,7 @@ matrix_dynamic_dns_container_additional_networks: "{{ matrix_dynamic_dns_contain
 matrix_dynamic_dns_container_additional_networks_auto: []
 matrix_dynamic_dns_container_additional_networks_custom: []
 
-# List of extra arguments to pass to the ontainer mode
+# List of extra arguments to pass to the container mode
 matrix_dynamic_dns_container_extra_arguments: []
 
 # List of wanted services when running in mode

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.11.1
+matrix_element_call_version: v0.12.0
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-ma1sd/defaults/main.yml

@@ -150,7 +150,7 @@ matrix_ma1sd_database_name: 'matrix_ma1sd'
 matrix_ma1sd_database_connection_string: 'postgresql://{{ matrix_ma1sd_database_username }}:{{ matrix_ma1sd_database_password }}@{{ matrix_ma1sd_database_hostname }}:{{ matrix_ma1sd_database_port }}/{{ matrix_ma1sd_database_name }}'
 
 
-# ma1sd has serveral supported identity stores.
+# ma1sd has several supported identity stores.
 # One of them is storing identities directly in Synapse's database.
 # Learn more here: https://github.com/ma1uta/ma1sd/blob/master/docs/stores/synapse.md
 matrix_ma1sd_synapsesql_enabled: false

roles/custom/matrix-media-repo/templates/grafana/media-repo.json

@@ -131,7 +131,7 @@
           "refId": "B"
         }
       ],
-      "title": "HTTP Requsts",
+      "title": "HTTP Requests",
       "type": "timeseries"
     },
     {

roles/custom/matrix-prometheus-nginxlog-exporter/tasks/validate_config.yml

@@ -16,7 +16,7 @@
     - {'old': 'matrix_prometheus_nginxlog_exporter_container_hostname', 'new': 'matrix_prometheus_nginxlog_exporter_identifier'}
     - {'old': 'matrix_prometheus_nginxlog_exporter_docker_image_name_prefix', 'new': 'matrix_prometheus_nginxlog_exporter_docker_image_registry_prefix'}
 
-- name: Fail if docker image not availble for arch
+- name: Fail if docker image not available for arch
   ansible.builtin.fail:
     msg: >
       'prometheus-nginxlog-exporter' docker image is not available for your arch '{{ matrix_architecture }}'.

roles/custom/matrix-prometheus-nginxlog-exporter/templates/prometheus-nginxlog-exporter.yaml.j2

@@ -13,7 +13,7 @@ listen:
 namespaces:
   - name: matrix
     metrics_override:
-      preffix: "myprefix"
+      prefix: "myprefix"
     namespace_label: "namespace"
     format: "$log_source $server_name - $upstream_addr - $remote_addr - $remote_user [$time_local] $host \"$request\" $status \"$http_referer\" \"$http_user_agent\" \"$http_x_forwarded_for\""
     # enable to print to console

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.130.0
+matrix_synapse_version: v1.131.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -501,7 +501,7 @@ matrix_synapse_tls_federation_listener_enabled: true
 matrix_synapse_tls_certificate_path: "/data/{{ matrix_server_fqn_matrix }}.tls.crt"
 matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.key"
 
-# Resource names used by the unsecure HTTP listener. Here only the Client API
+# Resource names used by the insecure HTTP listener. Here only the Client API
 # is defined, see the homeserver config for a full list of valid resource
 # names.
 matrix_synapse_http_listener_resource_names: ["client"]
@@ -835,7 +835,7 @@ matrix_synapse_workers_enabled: false
 
 # Specifies worker configuration that should be used when workers are enabled.
 #
-# The posible values (as seen in `matrix_synapse_workers_presets`) are:
+# The possible values (as seen in `matrix_synapse_workers_presets`) are:
 # - "little-federation-helper" - a very minimal worker configuration to improve federation performance
 # - "one-of-each" - one worker of each supported type + a generic worker
 # - "specialized-workers" - one worker of each supported type + specialized workers
@@ -1458,7 +1458,7 @@ matrix_synapse_ext_encryption_disabler_deny_encryption_for_rooms_of: ["{{ matrix
 # Specifies whether the power levels event (setting) provided during room creation should be patched.
 # This makes it impossible for anybody (locally or over federation) from enabling room encryption
 # for the lifetime of rooms created while this setting is enabled (irreversible).
-# Enabling this may have incompatiblity consequences with servers / clients.
+# Enabling this may have incompatibility consequences with servers / clients.
 # Familiarize yourself with the caveats upstream: https://github.com/digitalentity/matrix_encryption_disabler
 matrix_synapse_ext_encryption_disabler_patch_power_levels: false
 matrix_synapse_ext_encryption_config: "{{ matrix_synapse_ext_encryption_config_yaml | from_yaml }}"

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -305,7 +305,7 @@ listeners:
         compress: false
 {% endif %}
 
-  # Unsecure HTTP listener (Client API): for when Matrix traffic passes through a reverse proxy
+  # Insecure HTTP listener (Client API): for when Matrix traffic passes through a reverse proxy
   # that unwraps TLS.
   - port: {{ matrix_synapse_container_client_api_port|to_json }}
     tls: false
@@ -318,7 +318,7 @@ listeners:
         compress: false
 
 {% if matrix_synapse_federation_port_enabled %}
-  # Unsecure HTTP listener (Federation API): for when Matrix traffic passes through a reverse proxy
+  # Insecure HTTP listener (Federation API): for when Matrix traffic passes through a reverse proxy
   # that unwraps TLS.
   - port: {{ matrix_synapse_container_federation_api_plain_port|to_json }}
     tls: false
@@ -1709,7 +1709,7 @@ old_signing_keys:
 # Additional security can be provided by configuring a `verify key`, which
 # will make synapse check that the response is signed by that key.
 #
-# This setting supercedes an older setting named `perspectives`. The old format
+# This setting supersedes an older setting named `perspectives`. The old format
 # is still supported for backwards-compatibility, but it is deprecated.
 #
 # 'trusted_key_servers' defaults to matrix.org, but using it will generate a

roles/custom/matrix-user-creator/tasks/main.yml

@@ -7,7 +7,7 @@
 
 - tags:
     # This role intentionally doesn't do work on a `setup-all` tag.
-    # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data,
+    # If it did, the initial installation (`--tags=setup-all`) would also potentially pollute the database with data,
     # which would make importing a database dump problematic.
     #
     # See the variable "matrix_user_creator_users_auto" on group_vars/matrix_servers for actual values of users which running these tags can create with this role by default.

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -81,7 +81,7 @@ matrix_playbook_migration_matrix_nginx_proxy_leftover_variable_validation_checks
 matrix_playbook_migration_matrix_ssl_leftover_variable_checks_enabled: true
 
 # Controls whether this role will delete old files left over from `matrix-nginx-proxy`.
-# Regardless of this value, if discovered, a `matrix-nginx-proxy.service` systemd serivce will be stopped and removed.
+# Regardless of this value, if discovered, a `matrix-nginx-proxy.service` systemd service will be stopped and removed.
 matrix_playbook_migration_matrix_nginx_proxy_uninstallation_enabled: true
 
 # Controls whether this role will try to detect and clean up the /matrix/ssl files.

roles/custom/matrix_playbook_migration/tasks/docker_daemon_options_file_cleanup.yml

@@ -15,7 +15,7 @@
 # Later, when they stopped setting these options, they were stuck with the configuration file that still retained them.
 #
 # Here, we make the file go away of no options are set.
-# Idealy, this task would be part of the `ansible-role-docker` role, but it's not (yet).
+# Ideally, this task would be part of the `ansible-role-docker` role, but it's not (yet).
 # See: https://github.com/geerlingguy/ansible-role-docker/pull/498
 - name: Ensure the Docker daemon options file is deleted when no longer needed
   when: matrix_playbook_docker_installation_daemon_options.keys() | length == 0

setup.yml

@@ -165,3 +165,4 @@
         - install-all
 
     - role: galaxy/playbook_runtime_messages
+

templates/Caddyfile.j2

@@ -0,0 +1,106 @@
+https://{{ matrix_server_fqn_matrix }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	header {
+		Strict-Transport-Security "max-age=31536000;"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+	}
+        basicauth /metrics/* bcrypt monitoring {
+                monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
+        }
+        route /metrics/synapse {
+                uri replace /metrics/synapse /metrics/synapse/main-process
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/appservice {
+                uri replace /metrics/synapse/worker/appservice /metrics/synapse/worker/appservice-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/federation-sender-0 {
+                uri replace /metrics/synapse/worker/federation-sender-0 /metrics/synapse/worker/federation-sender-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/federation-sender-1 {
+                uri replace /metrics/synapse/worker/federation-sender-1 /metrics/synapse/worker/federation-sender-1
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/federation-sender-2 {
+                uri replace /metrics/synapse/worker/federation-sender-2 /metrics/synapse/worker/federation-sender-2
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/generic-0 {
+                uri replace /metrics/synapse/worker/generic-0 /metrics/synapse/worker/generic-worker-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/generic-1 {
+                uri replace /metrics/synapse/worker/generic-1 /metrics/synapse/worker/generic-worker-1
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/media-0 {
+                uri replace /metrics/synapse/worker/media-0 /metrics/synapse/worker/media-repository-0
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/synapse/worker/media-1 {
+                uri replace /metrics/synapse/worker/media-1 /metrics/synapse/worker/media-repository-1
+                reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+        }
+        route /metrics/bridge/* {
+                uri strip_prefix /metrics/bridge
+                route /mautrix-telegram {
+                    uri replace /mautrix-telegram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-whatsapp {
+                    uri replace /mautrix-whatsapp /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-signal {
+                    uri replace /mautrix-signal /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-instagram {
+                    uri replace /mx-puppet-instagram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-discord {
+                    uri replace /mx-puppet-discord /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-slack {
+                    uri replace /mx-puppet-slack /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+                }
+        }
+	reverse_proxy /_matrix/federation/* http://{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}
+	reverse_proxy /_matrix/key/* http://{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port }}
+        reverse_proxy * http://{{ devture_traefik_container_web_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_dimension }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+        reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_element }} {
+	tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
+	encode zstd gzip
+        reverse_proxy * http://{{ matrix_nginx_proxy_container_http_host_bind_port }}
+}
+
+https://{{ matrix_domain }}/.well-known/matrix/* {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	route {
+		uri strip_prefix /.well-known/matrix
+		root * /matrix_static
+		file_server
+	}
+	header {
+		Content-Type "application/json"
+		X-Content-Type-Options "nosniff"
+		Access-Control-Allow-Origin *
+		Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+}