chore: update to 1.79.0

chore: bump synapse version to 1.73.0
fixup: add appservice worker!
2023-09-19 18:43:34 +02:00 · 2023-08-29 17:20:51 +02:00 · 2023-08-29 17:20:46 +02:00 · 2023-08-29 17:20:41 +02:00 · 2023-08-29 17:20:36 +02:00 · 2023-08-29 17:20:30 +02:00
154 changed files with 6038 additions and 410 deletions
--- a/.config/ansible-lint.yml
+++ b/.config/ansible-lint.yml
@ -9,6 +9,7 @@ skip_list:
  - schema
  - command-instead-of-shell
  - role-name
+  - var-naming[no-role-prefix]
  # We frequently load configuration from a template (into a variable), then merge that with another variable (configuration extension)
  # before finally dumping it to a file.
  - template-instead-of-copy
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@ -21,6 +21,6 @@ jobs:
      - name: Check out
        uses: actions/checkout@v3
      - name: Run ansible-lint
-        uses: ansible-community/ansible-lint-action@v6.16.0
+        uses: ansible-community/ansible-lint-action@v6.17.0
        with:
          path: roles/custom
--- a/.gitignore
+++ b/.gitignore
@ -5,6 +5,7 @@
 /roles/**/files/scratchpad
 .DS_Store
 .python-version
+.idea/
 flake.lock

 # ignore roles pulled by ansible-galaxy
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,40 @@
+# 2023-08-23
+
+## mautrix-wsproxy support
+
+Thanks to [Johan Swetzén](https://github.com/jswetzen)'s efforts (who finished what was started by [James Reilly](https://github.com/hanthor) and [Shreyas Ajjarapu](https://github.com/shreyasajj)), the playbook now supports bridging to Android SMS and Apple iMessage via the [mautrix-wsproxy](https://github.com/mautrix/wsproxy) service (in combination with a [mautrix-imessage](https://github.com/mautrix/imessage) bridge running on your Mac or Android phone).
+
+See our [Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](docs/configuring-playbook-bridge-mautrix-wsproxy.md) documentation page for getting started.
+
+
+# 2023-07-24
+
+## matrix-registration-bot usage changed
+
+[matrix-registration-bot](docs/configuring-playbook-bot-matrix-registration-bot.md) got some updates and now supports password-only-based login. Therefore the bot now doesn't need any manual configuration except setting a password in your `vars.yml`. The bot will be registered as admin and access tokens will be obtained automatically by the bot.
+
+**For existing users** You need to set `matrix_bot_matrix_registration_bot_bot_password` if you previously only used `matrix_bot_matrix_registration_bot_bot_access_token`. Please also remove the following deprecated settings
+
+* `matrix_bot_matrix_registration_bot_bot_access_token`
+* `matrix_bot_matrix_registration_bot_api_token`
+
+
+# 2023-07-21
+
+## mautrix-gmessages support
+
+Thanks to [Shreyas Ajjarapu](https://github.com/shreyasajj)'s efforts, the playbook now supports bridging to [Google Messages](https://messages.google.com/) via the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge. See our [Setting up Mautrix Google Messages bridging](docs/configuring-playbook-bridge-mautrix-gmessages.md) documentation page for getting started.
+
+
+# 2023-07-17
+
+## matrix-media-repo support
+
+Thanks to [Michael Hollister](https://github.com/Michael-Hollister) from [FUTO](https://www.futo.org/), the creators of the [Circles app](https://circu.li/), the playbook can now set up [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) - an alternative way to store homeserver media files, powered by a homeserver-independent implementation which supports S3 storage, IPFS, deduplication and other advanced features.
+
+To learn more see our [Storing Matrix media files using matrix-media-repo](docs/configuring-playbook-matrix-media-repo.md) documentation page.
+
+
 # 2023-05-25

 ## Enabling `forget_rooms_on_leave` by default for Synapse
--- a/README.md
+++ b/README.md
@ -79,7 +79,7 @@ Extend and modify how users are authenticated on your homeserver.
 | ---- | -------- | ----------- | ------------- |
 | [matrix-synapse-rest-auth](https://github.com/ma1uta/matrix-synapse-rest-password-provider) (advanced) | x | REST authentication password provider module | [Link](docs/configuring-playbook-rest-auth.md) |
 |[matrix-synapse-shared-secret-auth](https://github.com/devture/matrix-synapse-shared-secret-auth) (advanced) | x | Password provider module | [Link](docs/configuring-playbook-shared-secret-auth.md) |
-| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](configuring-playbook-ldap-auth.md) |
+| [matrix-synapse-ldap3](https://github.com/matrix-org/matrix-synapse-ldap3) (advanced) | x | LDAP Auth password provider module | [Link](docs/configuring-playbook-ldap-auth.md) |
 | [matrix-ldap-registration-proxy](https://gitlab.com/activism.international/matrix_ldap_registration_proxy) (advanced) | x | A proxy that handles Matrix registration requests and forwards them to LDAP. | [Link](docs/configuring-playbook-matrix-ldap-registration-proxy.md) |
 | [matrix-registration](https://github.com/ZerataX/matrix-registration) | x | A simple python application to have a token based matrix registration | [Link](docs/configuring-playbook-matrix-registration.md) |

@ -92,6 +92,7 @@ Use alternative file storage to the default `media_store` folder.
 | ---- | -------- | ----------- | ------------- |
 | [Goofys](https://github.com/kahing/goofys) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3-goofys.md) |
 | [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3.md) |
+| [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) | x | matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification. | [Link](docs/configuring-playbook-media-repo.md) |

 ### Bridges

@ -102,6 +103,7 @@ Bridges can be used to connect your matrix installation with third-party communi
 | [mautrix-discord](https://github.com/mautrix/discord) | x | Bridge for bridging your Matrix server to [Discord](https://discord.com/) | [Link](docs/configuring-playbook-bridge-mautrix-discord.md) |
 | [mautrix-slack](https://github.com/mautrix/slack) | x | Bridge for bridging your Matrix server to [Slack](https://slack.com/) | [Link](docs/configuring-playbook-bridge-mautrix-slack.md) |
 | [mautrix-telegram](https://github.com/mautrix/telegram) | x | Bridge for bridging your Matrix server to [Telegram](https://telegram.org/) | [Link](docs/configuring-playbook-bridge-mautrix-telegram.md) |
+| [mautrix-gmessages](https://github.com/mautrix/gmessages) | x | Bridge for bridging your Matrix server to [Google Messages](https://messages.google.com/) | [Link](docs/configuring-playbook-bridge-mautrix-gmessages.md) |
 | [mautrix-whatsapp](https://github.com/mautrix/whatsapp) | x | Bridge for bridging your Matrix server to [WhatsApp](https://www.whatsapp.com/) | [Link](docs/configuring-playbook-bridge-mautrix-whatsapp.md) |
 | [mautrix-facebook](https://github.com/mautrix/facebook) | x | Bridge for bridging your Matrix server to [Facebook](https://facebook.com/) | [Link](docs/configuring-playbook-bridge-mautrix-facebook.md) |
 | [mautrix-twitter](https://github.com/mautrix/twitter) | x | Bridge for bridging your Matrix server to [Twitter](https://twitter.com/) | [Link](docs/configuring-playbook-bridge-mautrix-twitter.md) |
--- a/ansible.cfg
+++ b/ansible.cfg
@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 stdout_callback = yaml

+inventory = inventory/hosts
+
 [connection]
 pipelining = True
--- a/docs/configuring-dns.md
+++ b/docs/configuring-dns.md
@ -42,6 +42,7 @@ When you're done configuring DNS, proceed to [Configuring the playbook](configur
 | [Etherpad](configuring-playbook-etherpad.md) collaborative text editor                                                  | CNAME | `etherpad`                     | -        | -      | -    | `matrix.<your-domain>`      |
 | [Hydrogen](configuring-playbook-client-hydrogen.md) web client                                                          | CNAME | `hydrogen`                     | -        | -      | -    | `matrix.<your-domain>`      |
 | [Cinny](configuring-playbook-client-cinny.md) web client                                                                | CNAME | `cinny`                        | -        | -      | -    | `matrix.<your-domain>`      |
+| [wsproxy](configuring-playbook-bridge-mautrix-wsproxy.md) sms bridge                                                    | CNAME | `wsproxy`                      | -        | -      | -    | `matrix.<your-domain>`      |
 | [Buscarron](configuring-playbook-bot-buscarron.md) helpdesk bot                                                         | CNAME | `buscarron`                    | -        | -      | -    | `matrix.<your-domain>`      |
 | [Postmoogle](configuring-playbook-bot-postmoogle.md)/[Email2Matrix](configuring-playbook-email2matrix.md) email bridges | MX    | `matrix`                       | 10       | 0      | -    | `matrix.<your-domain>`      |
 | [Postmoogle](configuring-playbook-bot-postmoogle.md) email bridge                                                       | TXT   | `matrix`                       | -        | -      | -    | `v=spf1 ip4:<your-ip> -all` |
@ -75,6 +76,8 @@ The `hydrogen.<your-domain>` subdomain may be necessary, because this playbook c

 The `cinny.<your-domain>` subdomain may be necessary, because this playbook could install the [Cinny](https://github.com/ajbura/cinny) web client. The installation of cinny is disabled by default, it is not a core required component. To learn how to install it, see our [configuring cinny guide](configuring-playbook-client-cinny.md). If you do not wish to set up cinny, feel free to skip the `cinny.<your-domain>` DNS record.

+The `wsproxy.<your-domain>` subdomain may be necessary, because this playbook could install the [wsproxy](https://github.com/mautrix/wsproxy) web client. The installation of wsproxy is disabled by default, it is not a core required component. To learn how to install it, see our [configuring wsproxy guide](configuring-playbook-bridge-mautrix-wsproxy.md). If you do not wish to set up wsproxy, feel free to skip the `wsproxy.<your-domain>` DNS record.
+
 The `buscarron.<your-domain>` subdomain may be necessary, because this playbook could install the [buscarron](https://gitlab.com/etke.cc/buscarron) bot. The installation of buscarron is disabled by default, it is not a core required component. To learn how to install it, see our [configuring buscarron guide](configuring-playbook-bot-buscarron.md). If you do not wish to set up buscarron, feel free to skip the `buscarron.<your-domain>` DNS record.

 ## `_matrix-identity._tcp` SRV record setup
--- a/docs/configuring-playbook-bot-chatgpt.md
+++ b/docs/configuring-playbook-bot-chatgpt.md
@ -43,6 +43,11 @@ matrix_bot_chatgpt_openai_api_key: ''
 # Matrix access token (from bot user above)
 # see: https://webapps.stackexchange.com/questions/131056/how-to-get-an-access-token-for-element-riot-matrix
 matrix_bot_chatgpt_matrix_access_token: ''
+
+# Configuring the system promt used, needed if the bot is used for special tasks.
+# More information: https://github.com/mustvlad/ChatGPT-System-Prompts
+matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.'
+
 ```

 You will need to get tokens for ChatGPT.
--- a/docs/configuring-playbook-bot-matrix-registration-bot.md
+++ b/docs/configuring-playbook-bot-matrix-registration-bot.md
@ -2,40 +2,28 @@

 The playbook can install and configure [matrix-registration-bot](https://github.com/moan0s/matrix-registration-bot) for you.

-The bot allows you to easily **create and manage registration tokens**. It can be used for an invitation-based server,
-where you invite someone by sending them a registration token. They can register as normal but have to provide a valid
-registration token in a final step  of the registration.
+The bot allows you to easily **create and manage registration tokens** aka. invitation codes.
+It can be used for an invitation-based server,
+where you invite someone by sending them a registration token (loook like this: `rbalQ0zkaDSRQCOp`). They can register as normal but have to provide a valid registration token in a final step of the registration.

 See the project's [documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands) to learn what it
 does and why it might be useful to you.


-## Registering the bot user
+## Configuration

-By default, the playbook will set use the bot with a username like this: `@bot.matrix-registration-bot:DOMAIN`.
-
-(to use a different username, adjust the `matrix_bot_matrix_registration_bot_matrix_user_id_localpart` variable).
-
-For [other bots supported by the playbook](configuring-playbook.md#bots), Matrix bot user accounts are created and put to use automatically. For `matrix-registration-bot`, however, this is not the case - you **need to register the bot user manually** before setting up the bot. You can use the playbook to [register a new user](registering-users.md):
-
-```
-ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.matrix-registration-bot password=PASSWORD_FOR_THE_BOT admin=yes' --tags=register-user
-```
-
-Choose a strong password for the bot. You can generate a good password with a command like this: `pwgen -s 64 1`.
-
-## Obtaining an admin access token
-
-In order to use the bot you need to add an admin user's access token token to the configuration. Refer to the documentation on [how to obtain an access token](obtaining-access-tokens.md).
-
-## Adjusting the playbook configuration
-
-Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+To enable the bot, add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:

 ```yaml
 matrix_bot_matrix_registration_bot_enabled: true
-# Token obtained via logging into the bot account (see above)
-matrix_bot_matrix_registration_bot_bot_access_token: "syt_bW9hbm9z_XXXXXXXXXXXXXr_2kuzbE"
+
+#By default, the playbook will set use the bot with a username like 
+## this: `@bot.matrix-registration-bot:DOMAIN`.
+# To use a different username, uncomment & adjust the variable.
+# matrix_bot_matrix_registration_bot_matrix_user_id_localpart: bot.matrix-registration-bot
+
+# Generate a strong password here. Consider generating it with `pwgen -s 64 1`
+matrix_bot_matrix_registration_bot_bot_password: PASSWORD_FOR_THE_BOT

 # Enables registration
 matrix_synapse_enable_registration: true
@ -44,6 +32,7 @@ matrix_synapse_enable_registration: true
 matrix_synapse_registration_requires_token: true
 ```

+The bot account will be automatically created.

 ## Installing

@ -56,10 +45,16 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start

 ## Usage

-To use the bot, create a **non-encrypted** room and invite `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain).
+To use the bot, message `@bot.matrix-registration-bot:DOMAIN` (where `DOMAIN` is your base domain, not the `matrix.` domain).

 In this room send `help` and the bot will reply with all options.

 You can also refer to the upstream [Usage documentation](https://github.com/moan0s/matrix-registration-bot#supported-commands).
 If you have any questions, or if you need help setting it up, read the [troublshooting guide](https://github.com/moan0s/matrix-registration-bot/blob/main/docs/troubleshooting.md)
 or join [#matrix-registration-bot:hyteck.de](https://matrix.to/#/#matrix-registration-bot:hyteck.de).
+
+To clean the cache (session&encryption data) after you changed the bot's username, changed the login methon form access_token to password etc.. you can use
+
+```bash
+just run-tags bot-matrix-registration-bot-clean-cache
+```
--- a/docs/configuring-playbook-bridge-appservice-discord.md
+++ b/docs/configuring-playbook-bridge-appservice-discord.md
@ -1,7 +1,7 @@
 # Setting up Appservice Discord (optional)

-**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) and [mautrix-discord](configuring-playbook-bridge-mautrix-discord.md) bridges supported by the playbook.   
- For using as a Bot we are recommend the Appservice Discord bridge (the one being discussed here), because it supports plumbing.  
+**Note**: bridging to [Discord](https://discordapp.com/) can also happen via the [mx-puppet-discord](configuring-playbook-bridge-mx-puppet-discord.md) and [mautrix-discord](configuring-playbook-bridge-mautrix-discord.md) bridges supported by the playbook.
+- For using as a Bot we are recommend the Appservice Discord bridge (the one being discussed here), because it supports plumbing.
 - For personal use we recommend the [mautrix-discord](configuring-playbook-bridge-mautrix-discord.md) bridge, because it is the most fully-featured and stable of the 3 Discord bridges supported by the playbook.

 The playbook can install and configure [matrix-appservice-discord](https://github.com/Half-Shot/matrix-appservice-discord) for you.
@ -23,8 +23,14 @@ matrix_appservice_discord_enabled: true
 matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID"
 matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
 ```
+5. As of Synapse 1.90.0, you will need to add the following to `matrix_synapse_configuration_extension_yaml` to enable the [backwards compatibility](https://matrix-org.github.io/synapse/latest/upgrade#upgrading-to-v1900) that this bridge needs:
+```yaml
+matrix_synapse_configuration_extension_yaml: |
+  use_appservice_legacy_authorization: true
+```
+*Note*: This deprecated method is considered insecure.

-5. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
+6. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.

 Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.

--- a/docs/configuring-playbook-bridge-appservice-webhooks.md
+++ b/docs/configuring-playbook-bridge-appservice-webhooks.md
@ -26,22 +26,29 @@ you can adjust this in `inventory/host_vars/matrix.<domain-name>/vars.yml` as we
 matrix_appservice_webhooks_log_level: '<log_level>'
 ```

-3. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
+3. As of Synapse 1.90.0, you will need to add the following to `matrix_synapse_configuration_extension_yaml` to enable the [backwards compatibility](https://matrix-org.github.io/synapse/latest/upgrade#upgrading-to-v1900) that this bridge needs:
+```yaml
+matrix_synapse_configuration_extension_yaml: |
+  use_appservice_legacy_authorization: true
+```
+*Note*: This deprecated method is considered insecure.

-4. If you're using the [Dimension Integration Manager](configuring-playbook-dimension.md), you can configure the Webhooks bridge by opening the Dimension integration manager -> Settings -> Bridges and selecting edit action for "Webhook Bridge". Press "Add self-hosted Bridge" button and populate "Provisioning URL"  & "Shared Secret" values from `/matrix/appservice-webhooks/config/config.yaml` file's homeserver URL value and provisioning secret value, respectively. 
+4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.

-5. Invite the bridge bot user to your room:
+5. If you're using the [Dimension Integration Manager](configuring-playbook-dimension.md), you can configure the Webhooks bridge by opening the Dimension integration manager -> Settings -> Bridges and selecting edit action for "Webhook Bridge". Press "Add self-hosted Bridge" button and populate "Provisioning URL"  & "Shared Secret" values from `/matrix/appservice-webhooks/config/config.yaml` file's homeserver URL value and provisioning secret value, respectively.
+
+6. Invite the bridge bot user to your room:

    - either with `/invite @_webhook:<domain.name>` (*Note*: Make sure you have administration permissions in your room)

    - or simply add the bridge bot to a private channel (personal channels imply you being an administrator)

-6. Send a message to the bridge bot in order to receive a private message including the webhook link.
+7. Send a message to the bridge bot in order to receive a private message including the webhook link.
 ```
 !webhook
 ```

-7. The JSON body for posting messages will have to look like this:
+8. The JSON body for posting messages will have to look like this:
 ```json
 {
    "text": "Hello world!",
--- a/docs/configuring-playbook-bridge-mautrix-gmessages.md
+++ b/docs/configuring-playbook-bridge-mautrix-gmessages.md
@ -0,0 +1,38 @@
+# Setting up Mautrix gmessages (optional)
+
+The playbook can install and configure [mautrix-gmessages](https://github.com/mautrix/gmessages) for you, for bridging to [Google Messages](https://messages.google.com/).
+
+See the project's [documentation](https://docs.mau.fi/bridges/go/gmessages/index.html) to learn what it does and why it might be useful to you.
+
+Use the following playbook configuration:
+
+```yaml
+matrix_mautrix_gmessages_enabled: true
+```
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+### Method 2: manually, by asking each user to provide a working access token
+
+**Note**: This method for enabling Double Puppeting can be configured only after you've already set up bridging (see [Usage](#usage)).
+
+When using this method, **each user** that wishes to enable Double Puppeting needs to follow the following steps:
+
+- retrieve a Matrix access token for yourself. Refer to the documentation on [how to do that](obtaining-access-tokens.md).
+
+- send the access token to the bot. Example: `login-matrix MATRIX_ACCESS_TOKEN_HERE`
+
+- make sure you don't log out the `Mautrix-gmessages` device some time in the future, as that would break the Double Puppeting feature
+
+
+## Usage
+
+You then need to start a chat with `@gmessagesbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
--- a/docs/configuring-playbook-bridge-mautrix-wsproxy.md
+++ b/docs/configuring-playbook-bridge-mautrix-wsproxy.md
@ -0,0 +1,33 @@
+# Setting up Mautrix wsproxy (optional)
+
+The playbook can install and configure [mautrix-wsproxy](https://github.com/mautrix/wsproxy) for you.
+
+See the project's [documentation](https://github.com/mautrix/wsproxy#readme) to learn what it does and why it might be useful to you.
+
+
+## DNS
+
+You need to create a `wsproxy.DOMAIN` DNS record pointing to your Matrix server (a `CNAME` pointing to `matrix.DOMAIN`) to use wsproxy.
+The hostname is configurable via a `matrix_mautrix_wsproxy_hostname` variable.
+
+
+## Configuration
+
+Use the following playbook configuration:
+
+```yaml
+matrix_mautrix_wsproxy_enabled: true
+
+matrix_mautrix_androidsms_appservice_token: 'secret token from bridge'
+matrix_mautrix_androidsms_homeserver_token: 'secret token from bridge'
+matrix_mautrix_imessage_appservice_token: 'secret token from bridge'
+matrix_mautrix_imessage_homeserver_token: 'secret token from bridge'
+matrix_mautrix_wsproxy_syncproxy_shared_secret: 'secret token from bridge'
+```
+
+Note that the tokens must match what is compiled into the [mautrix-imessage](https://github.com/mautrix/imessage) bridge running on your Mac or Android device.
+
+
+## Usage
+
+Follow the [matrix-imessage documenation](https://docs.mau.fi/bridges/go/imessage/index.html) for running `android-sms` and/or `matrix-imessage` on your device(s).
--- a/docs/configuring-playbook-client-element.md
+++ b/docs/configuring-playbook-client-element.md
@ -32,7 +32,7 @@ Alternatively, **if there is no pre-defined variable** for an Element setting yo

 ## Themes

-To change the look of Element, you can define your own themes manually by using the `matrix_client_element_settingDefaults_custom_themes` setting.
+To change the look of Element, you can define your own themes manually by using the `matrix_client_element_setting_defaults_custom_themes` setting.

 Or better yet, you can automatically pull it all themes provided by the [aaronraimist/element-themes](https://github.com/aaronraimist/element-themes) project by simply flipping a flag (`matrix_client_element_themes_enabled: true`).

--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@ -3,6 +3,8 @@
 **[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.**
 If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.

+**Note**: Dimension is **[officially unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299)**. We recommend not bothering with installing it.
+
 **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).


--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -165,7 +165,7 @@ jitsi_prosody_max_participants: 4 # example value
 By default, a single JVB ([Jitsi VideoBridge](https://github.com/jitsi/jitsi-videobridge)) is deployed on the same host as the Matrix server. To allow more video-conferences to happen at the same time, you may need to provision additional JVB services on other hosts.

 There is an ansible playbook that can be run with the following tag:
-` ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`
+`ansible-playbook -i inventory/hosts --limit jitsi_jvb_servers jitsi_jvb.yml --tags=common,setup-additional-jitsi-jvb,start`

 For this role to work you will need an additional section in the ansible hosts file with the details of the JVB hosts, for example:
 ```
@ -208,21 +208,55 @@ However, it can also be set the ip address of the matrix server. This can be use
 jitsi_xmpp_server: "192.168.0.1"
 ```

-The nginx configuration will also need to be updated in order to deal with the additional JVB servers. This is achieved via its own configuration variable
-`matrix_nginx_proxy_proxy_jitsi_additional_jvbs`, which contains a dictionary of server ids to ip addresses.
+For the JVB to be able to contact the XMPP server, the latter must expose the XMPP port (5222). By default, the Matrix server does not expose the
+port; only the XMPP container exposes it internally inside the host, which means that the first JVB (which runs on the Matrix server) can reach it but
+the additional JVB cannot. The port is exposed by setting `jitsi_prosody_container_jvb_host_bind_port` like this:

-For example,
-
-``` yaml
-matrix_nginx_proxy_proxy_jitsi_additional_jvbs:
-   jvb-2: 192.168.0.2
-   jvb-3: 192.168.0.3
+```yaml
+jitsi_prosody_container_jvb_host_bind_port: 5222
 ```

+(The default is empty; if it's set then docker forwards the port.)

 Applied together this will allow you to provision extra JVB instances which will register themselves with the prosody service and be available for jicofo
 to route conferences too.

+To make Traefik reverse-proxy to these additional JVBs (living on other hosts), **you would need to add the following Traefik configuration extension**:
+
+```yaml
+# Traefik proxying for additional JVBs. These can't be configured using Docker
+# labels, like the first JVB is, because they run on different hosts, so we add
+# the necessary configuration to the file provider.
+devture_traefik_provider_configuration_extension_yaml: |
+  http:
+   routers:
+     {% for host in groups['jitsi_jvb_servers'] %}
+
+     additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-router:
+       entryPoints:
+         - "{{ devture_traefik_entrypoint_primary }}"
+       rule: "Host(`{{ jitsi_hostname }}`) && PathPrefix(`/colibri-ws/{{ hostvars[host]['jitsi_jvb_server_id'] }}/`)"
+       service: additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-service
+       {% if devture_traefik_entrypoint_primary != 'web' %}
+
+       tls:
+         certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+       {% endif %}
+
+     {% endfor %}
+
+   services:
+     {% for host in groups['jitsi_jvb_servers'] %}
+
+     additional-{{ hostvars[host]['jitsi_jvb_server_id'] }}-service:
+       loadBalancer:
+         servers:
+           - url: "http://{{ host }}:9090/"
+
+     {% endfor %}
+```
+
 ## (Optional) Enable Gravatar

 In the default Jisti Meet configuration, gravatar.com is enabled as an avatar service. This results in third party request leaking data to gravatar.
--- a/docs/configuring-playbook-matrix-media-repo.md
+++ b/docs/configuring-playbook-matrix-media-repo.md
@ -0,0 +1,106 @@
+# Setting up matrix-media-repo (optional)
+
+[matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/) is a highly customizable multi-domain media repository for Matrix. Intended for medium to large environments consisting of several homeservers, this media repo de-duplicates media (including remote media) while being fully compliant with the specification.
+
+Smaller/individual homeservers can still make use of this project's features, though it may be difficult to set up or have higher than expected resource consumption. Please do your research before deploying this as this project may not be useful for your environment.
+
+For a simpler alternative (which allows you to offload your media repository storage to S3, etc.), you can [configure S3 storage](configuring-playbook-s3.md) instead of setting up matrix-media-repo.
+
+## Quickstart
+
+Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
+
+```yaml
+matrix_media_repo_enabled: true
+
+# (optional) Turned off by default
+# matrix_media_repo_metrics_enabled: true
+```
+
+The repo is pre-configured for integrating with the Postgres database, NGINX proxy and [Prometheus/Grafana](configuring-playbook-prometheus-grafana.md) (if metrics enabled) from this playbook for all the available homeserver roles. When the media repo is enabled, other media store roles should be disabled (if using Synapse with other media store roles).
+
+By default, the media-repo will use the local filesystem for data storage. Additional options include `s3` and `IPFS` (experimental). Access token caching is also enabled by default since the logout endpoints are proxied through the media repo.
+
+## Configuring the media-repo
+
+Additional common configuration options:
+```yaml
+
+# The postgres database pooling options
+
+# The maximum number of connects to hold open. More of these allow for more concurrent
+# processes to happen.
+matrix_media_repo_database_max_connections: 25
+
+# The maximum number of connects to leave idle. More of these reduces the time it takes
+# to serve requests in low-traffic scenarios.
+matrix_media_repo_database_max_idle_connections: 5
+
+# These users have full access to the administrative functions of the media repository.
+# See https://github.com/turt2live/matrix-media-repo/blob/release-v1.2.8/docs/admin.md for information on what these people can do. They must belong to one of the
+# configured homeservers above.
+matrix_media_repo_admins:
+  admins: []
+# admins:
+#   - "@your_username:example.org"
+
+# Datastores are places where media should be persisted. This isn't dedicated for just uploads:
+# thumbnails and other misc data is also stored in these places. The media repo, when looking
+# for a datastore to use, will always use the smallest datastore first.
+matrix_media_repo_datastores:
+  datastores:
+    - type: file
+      enabled: true # Enable this to set up data storage.
+      # Datastores can be split into many areas when handling uploads. Media is still de-duplicated
+      # across all datastores (local content which duplicates remote content will re-use the remote
+      # content's location). This option is useful if your datastore is becoming very large, or if
+      # you want faster storage for a particular kind of media.
+      #
+      # The kinds available are:
+      #   thumbnails    - Used to store thumbnails of media (local and remote).
+      #   remote_media  - Original copies of remote media (servers not configured by this repo).
+      #   local_media   - Original uploads for local media.
+      #   archives      - Archives of content (GDPR and similar requests).
+      forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
+      opts:
+        path: /data/media
+
+    - type: s3
+      enabled: false # Enable this to set up s3 uploads
+      forKinds: ["thumbnails", "remote_media", "local_media", "archives"]
+      opts:
+        # The s3 uploader needs a temporary location to buffer files to reduce memory usage on
+        # small file uploads. If the file size is unknown, the file is written to this location
+        # before being uploaded to s3 (then the file is deleted). If you aren't concerned about
+        # memory usage, set this to an empty string.
+        tempPath: "/tmp/mediarepo_s3_upload"
+        endpoint: sfo2.digitaloceanspaces.com
+        accessKeyId: ""
+        accessSecret: ""
+        ssl: true
+        bucketName: "your-media-bucket"
+        # An optional region for where this S3 endpoint is located. Typically not needed, though
+        # some providers will need this (like Scaleway). Uncomment to use.
+        #region: "sfo2"
+        # An optional storage class for tuning how the media is stored at s3.
+        # See https://aws.amazon.com/s3/storage-classes/ for details; uncomment to use.
+        #storageClass: STANDARD
+
+    # The media repo does support an IPFS datastore, but only if the IPFS feature is enabled. If
+    # the feature is not enabled, this will not work. Note that IPFS support is experimental at
+    # the moment and not recommended for general use.
+    #
+    # NOTE: Everything you upload to IPFS will be publicly accessible, even when the media repo
+    # puts authentication on the download endpoints. Only use this option for cases where you
+    # expect your media to be publicly accessible.
+    - type: ipfs
+      enabled: false # Enable this to use IPFS support
+      forKinds: ["local_media"]
+      # The IPFS datastore currently has no options. It will use the daemon or HTTP API configured
+      # in the IPFS section of your main config.
+      opts: {}
+
+```
+
+Full list of configuration options with documentation can be found in `roles/custom/matrix-media-repo/templates/defaults/main.yml`
+
--- a/docs/configuring-playbook-mautrix-bridges.md
+++ b/docs/configuring-playbook-mautrix-bridges.md
@ -32,14 +32,18 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
      '@YOUR_USERNAME:{{ matrix_domain }}': admin
 ```

+## encryption
+
 Encryption support is off by default. If you would like to enable encryption, add the following to your `vars.yml` file:

 **for all bridges with encryption support**:
+
 ```yaml
 matrix_bridges_encryption_enabled: true
 ```

 **Alternatively**, for a specific bridge:
+
 ```yaml
 matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
  bridge:
@ -48,6 +52,24 @@ matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
      default: true
 ```

+## relay mode
+
+Relay mode is off by default. If you would like to enable relay mode, add the following to your `vars.yml` file:
+
+**for all bridges with relay mode support**:
+
+```yaml
+matrix_bridges_relay_enabled: true
+```
+
+**Alternatively**, for a specific bridge:
+
+```yaml
+matrix_mautrix_SERVICENAME_configuration_extension_yaml: |
+  bridge:
+    relay:
+      enabled: true
+```

 You can only have one `matrix_mautrix_SERVICENAME_configuration_extension_yaml` definition in `vars.yml` per bridge, so if you need multiple pieces of configuration there, just merge them like this:

--- a/docs/configuring-playbook-prometheus-grafana.md
+++ b/docs/configuring-playbook-prometheus-grafana.md
@ -83,6 +83,7 @@ Name | Description
 `matrix_bridge_hookshot_metrics_proxying_enabled`|Set this to `true` to expose the [Hookshot](configuring-playbook-bridge-hookshot.md) metrics on `https://matrix.DOMAIN/metrics/hookshot` (only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`)
 `matrix_SERVICE_metrics_proxying_enabled`|Various other services/roles may provide similar `_metrics_enabled` and `_metrics_proxying_enabled` variables for exposing their metrics. Refer to each role for details. Only takes effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`
 `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks`|Add nginx `location` blocks to this list if you'd like to expose additional exporters manually (see below)
+`matrix_media_repo_metrics_enabled`|Set this to `true` to make media-repo expose metrics (locally, on the container network)

 Example for how to make use of `matrix_nginx_proxy_proxy_matrix_metrics_additional_user_location_configuration_blocks` for exposing additional metrics locations:
 ```nginx
--- a/docs/configuring-playbook-s3.md
+++ b/docs/configuring-playbook-s3.md
@ -5,11 +5,13 @@ If that's alright, you can skip this.

 As an alternative to storing media files on the local filesystem, you can store them on [Amazon S3](https://aws.amazon.com/s3/) or another S3-compatible object store.

+You can do this either by sticking to Synapse's media repository and making that use S3 (read below for this method), or by switching to an external media storage implementation like [matrix-media-repo](configuring-playbook-matrix-media-repo.md).
+
 First, [choose an Object Storage provider](#choosing-an-object-storage-provider).

 Then, [create the S3 bucket](#bucket-creation-and-security-configuration).

-Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md) or [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md)).
+Finally, [set up S3 storage for Synapse](#setting-up) (with [Goofys](configuring-playbook-s3-goofys.md), [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md), or use s3 datastore with the [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html)).


 ## Choosing an Object Storage provider
@ -105,3 +107,4 @@ To set up Synapse to store files in S3, follow the instructions for the method o

 - using [synapse-s3-storage-provider](configuring-playbook-synapse-s3-storage-provider.md) (recommended)
 - using [Goofys to mount the S3 store to the local filesystem](configuring-playbook-s3-goofys.md)
+- using [matrix-media-repo](https://docs.t2bot.io/matrix-media-repo/configuration/s3-datastore.html)
--- a/docs/configuring-playbook-sliding-sync-proxy.md
+++ b/docs/configuring-playbook-sliding-sync-proxy.md
@ -12,6 +12,7 @@ Element X Android requires manual compilation to get it working with a non-`matr

 **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync.

+**NOTE**: The sliding-sync proxy is **not required** when using the **Conduit homeserver**. Starting from version `0.6.0` Conduit has native support for some sliding sync features. If there are issues with the native implementation, you might have a better experience when enabling the sliding-sync proxy anyway.

 ## Decide on a domain and path

--- a/docs/configuring-playbook-synapse-s3-storage-provider.md
+++ b/docs/configuring-playbook-synapse-s3-storage-provider.md
@ -30,13 +30,23 @@ After [creating the S3 bucket and configuring it](configuring-playbook-s3.md#buc

 ```yaml
 matrix_synapse_ext_synapse_s3_storage_provider_enabled: true
+
 matrix_synapse_ext_synapse_s3_storage_provider_config_bucket: your-bucket-name
 matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: some-region-name # e.g. eu-central-1
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: https://s3.REGION_NAME.amazonaws.com # adjust this
-matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here
-matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
 matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD # or STANDARD_IA, etc.

+# Authentication Method 1 - (access key id + secret)
+# This works on all providers (AWS and other compatible systems).
+# Uncomment the variables below to use it.
+# matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: access-key-goes-here
+# matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: secret-key-goes-here
+
+# Authentication Method 2 - EC2 instance profile which grants permission to access S3
+# This only works on AWS when your server is hosted on an EC2 instance with the correct instance profile set.
+# Uncomment the variable below to use it.
+# matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile: true
+
 # For additional advanced settings, take a look at `roles/custom/matrix-synapse/defaults/main.yml`
 ```

@ -103,9 +113,17 @@ docker.io/amazon/aws-cli:2.9.16 \
 -c 'aws s3 sync /work/. s3://$BUCKET/'
 ```

+#### Copying data to an S3 alternative using the aws-s3 tool
+
+To copy to a provider other than AWS S3 (e.g. Wasabi, Digital Ocean Spaces, etc.), you can use the command for [Copying data to Amazon S3](#copying-data-to-amazon-s3) with an added `--endpoint-url=$ENDPOINT` argument.
+
+Add this argument to the command **as-is** (`$ENDPOINT` is an environment variable corresponding to `matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url`, so you don't need to touch it). Make sure to add the argument **before** the final quote (`'`) of the command.
+
 #### Copying data to Backblaze B2

-To copy to Backblaze B2, start a container on the Matrix server like this:
+You can copy files to Backblaze B2 either by following the [Copying data to an S3 alternative using the aws-s3 tool](#copying-data-to-an-s3-alternative-using-the-aws-s3-tool) or by using the B2-specific [b2 command-line tool](https://www.backblaze.com/b2/docs/quick_command_line.html) as described below.
+
+To copy the data using the `b2` tool, start a container on the Matrix server like this:

 ```sh
 docker run -it --rm \
--- a/docs/configuring-playbook-turn.md
+++ b/docs/configuring-playbook-turn.md
@ -15,6 +15,13 @@ matrix_coturn_enabled: false

 In that case, Synapse would not point to any Coturn servers and audio/video call functionality may fail.

+## Manually defining your public IP
+In the `hosts` file we explicitly ask for your server's external IP address when defining `ansible_host`, because the same value is used for configuring Coturn.
+If you'd rather use a local IP for `ansible_host`, make sure to set up `matrix_coturn_turn_external_ip_address` replacing `YOUR_PUBLIC_IP` with the pubic IP used by the server.
+
+```yaml
+matrix_coturn_turn_external_ip_address: "YOUR_PUBLIC_IP"
+```

 ## Using your own external Coturn server

@ -40,3 +47,6 @@ jitsi_web_stun_servers:
 - stun:HOSTNAME_OR_IP:PORT
 ```
 You can put multiple host/port combinations if you like.
+
+## Further variables and configuration options
+To see all the available configuration options, check roles/custom/matrix-coturn/defaults/main.yml 
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -30,7 +30,7 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 ### Additional useful services

- [Setting up the Dimension Integration Manager](configuring-playbook-dimension.md) (optional, but recommended; after [installing](installing.md))
+- [Setting up the Dimension Integration Manager](configuring-playbook-dimension.md) (optional; [unmaintained](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2806#issuecomment-1673559299); after [installing](installing.md))

 - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md) (optional)

@ -51,6 +51,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Configuring Element](configuring-playbook-client-element.md) (optional)

+- [Storing Matrix media files using matrix-media-repo](configuring-playbook-matrix-media-repo.md) (optional)
+
 - [Storing Matrix media files on Amazon S3](configuring-playbook-s3.md) (optional)

 - [Using an external PostgreSQL server](configuring-playbook-external-postgres.md) (optional)
@ -112,6 +114,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Setting up Mautrix Slack bridging](configuring-playbook-bridge-mautrix-slack.md) (optional)

+- [Setting up Mautrix Google Messages bridging](configuring-playbook-bridge-mautrix-gmessages.md) (optional)
+
 - [Setting up Mautrix Whatsapp bridging](configuring-playbook-bridge-mautrix-whatsapp.md) (optional)

 - [Setting up Mautrix Facebook bridging](configuring-playbook-bridge-mautrix-facebook.md) (optional)
@ -126,6 +130,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins

 - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional)

+- [Setting up Mautrix wsproxy for bridging Android SMS or Apple iMessage](configuring-playbook-bridge-mautrix-wsproxy.md) (optional)
+
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional)

 - [Setting up Appservice Discord bridging](configuring-playbook-bridge-appservice-discord.md) (optional)
--- a/docs/container-images.md
+++ b/docs/container-images.md
@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [

 - [mautrix/telegram](https://mau.dev/mautrix/telegram/container_registry) - the [mautrix-telegram](https://github.com/mautrix/telegram) bridge to [Telegram](https://telegram.org/) (optional)

+- [mautrix/gmessages](https://mau.dev/mautrix/gmessages/container_registry) - the [mautrix-gmessages](https://github.com/mautrix/gmessages) bridge to [Google Messages](https://messages.google.com/) (optional)
+
 - [mautrix/whatsapp](https://mau.dev/mautrix/whatsapp/container_registry) - the [mautrix-whatsapp](https://github.com/mautrix/whatsapp) bridge to [Whatsapp](https://www.whatsapp.com/) (optional)

 - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional)
--- a/docs/howto-server-delegation.md
+++ b/docs/howto-server-delegation.md
@ -49,6 +49,7 @@ To use DNS SRV record validation, you need to:

 - ensure that you are serving the Matrix Federation API (tcp/8448) with a certificate for `<your-domain>` (not `matrix.<your-domain>`!). Getting this certificate to the `matrix.<your-domain>` server may be complicated. The playbook's automatic SSL obtaining/renewal flow will likely not work and you'll need to copy certificates around manually. See below.

+For more details on [how to configure the playbook to work with SRV delegation](howto-srv-server-delegation.md)

 ### Obtaining certificates

--- a/docs/howto-srv-server-delegation.md
+++ b/docs/howto-srv-server-delegation.md
@ -0,0 +1,206 @@
+# Server Delegation via a DNS SRV record (advanced)
+
+**Reminder** : unless you are affected by the [Downsides of well-known-based Server Delegation](howto-server-delegation.md#downsides-of-well-known-based-server-delegation), we suggest you **stay on the simple/default path**: [Server Delegation](howto-server-delegation.md) by [configuring well-known files](configuring-well-known.md) at the base domain. 
+
+This guide is about configuring Server Delegation using DNS SRV records (for the [Traefik](https://doc.traefik.io/traefik/) webserver). This method has special requirements when it comes to SSL certificates, so various changes are required.
+
+## Prerequisites
+
+SRV delegation while still using the playbook provided Traefik to get / renew the certificate requires a wildcard certificate.
+
+To obtain / renew one from [Let's Encrypt](https://letsencrypt.org/), one needs to use a [DNS-01 challenge](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) method instead of the default [HTTP-01](https://letsencrypt.org/docs/challenge-types/#http-01-challenge).
+
+This means that this is **limited to the list of DNS providers supported by Traefik**, unless you bring in your own certificate.
+
+The up-to-date list can be accessed on [traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers)
+
+## The changes
+
+### Federation Endpoint
+
+```yaml
+# To serve the federation from any domain, as long as the path match
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
+```
+
+This is because with SRV federation, some servers / tools (one of which being the federation tester) try to access the federation API using the resolved IP address instead of the domain name (or they are not using SNI). This change will make Traefik route all traffic for which the path match this rule go to the federation endpoint.
+
+### Tell Traefik which certificate to serve for the federation endpoint
+
+Now that the federation endpoint is not bound to a domain anymore we need to explicitely tell Traefik to use a wildcard certificate in addition to one containing the base name.
+
+This is because the matrix specification expects the federation endpoint to be served using a certificate comatible with the base domain, however, the other resources on the endpoint still need a valid certificate to work.
+
+```yaml
+# To let Traefik know which domains' certificates to serve
+matrix_nginx_proxy_container_labels_additional_labels: |
+  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
+  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
+```
+
+### Configure the DNS-01 challenge for let's encrypt
+
+Since we're now requesting a wildcard certificate, we need to change the ACME challenge method. To request a wildcard certificate from Let's Encrypt we are required to use the DNS-01 challenge.
+
+This will need 3 changes:
+1. Add a new certificate resolver that works with DNS-01
+2. Configure the resolver to allow access to the DNS zone to configure the records to answer the challenge (refer to [Traefik's documentation](https://doc.traefik.io/traefik/https/acme/#providers) to know which environment variables to set)
+3. Tell the playbook to use the new resolver as default
+
+We cannot just disable the default resolver as that would disable SSL in quite a few places in the playbook.
+
+```yaml
+# 1. Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
+devture_traefik_configuration_extension_yaml: |
+  certificatesResolvers:
+    dns:
+      acme:
+        # To use a staging endpoint for testing purposes, uncomment the line below.
+        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
+        dnsChallenge:
+          provider: cloudflare
+          resolvers: 
+            - "1.1.1.1:53"
+            - "8.8.8.8:53"
+        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
+
+# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
+devture_traefik_environment_variables: |
+  CF_API_EMAIL=redacted
+  CF_ZONE_API_TOKEN=redacted
+  CF_DNS_API_TOKEN=redacted
+  LEGO_DISABLE_CNAME_SUPPORT=true
+
+# 3. Instruct the playbook to use the new ACME configuration
+devture_traefik_certResolver_primary: dns
+```
+
+## Adjust Coturn's configuration
+
+The last step is to alter the generated Coturn configuration.
+
+By default, Coturn is configured to wait on the certificate for the `matrix.` subdomain using an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) using the domain name as the parameter for this service. However, we need to serve the wildcard certificate, which is incompatible with systemd, it will try to expand the `*`, which will break and prevent Coturn from starting.
+
+We also need to indicate to Coturn where the wildcard certificate is.
+
+**⚠ WARNING ⚠** : On first start of the services, Coturn might still fail to start because Traefik is still in the process of obtaining the certificates. If you still get an error, make sure Traefik obtained the certificates and restart the Coturn service (`just start-group coturn`).
+
+This should not happen again afterwards as Traefik will renew certificates well before their expiry date, and the Coturn service is setup to restart periodically.
+
+```yaml
+# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
+matrix_coturn_systemd_required_services_list: ['docker.service']
+
+# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
+matrix_coturn_container_additional_volumes: |
+  {{
+    (
+      [
+       {
+         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
+         'dst': '/fullchain.pem',
+         'options': 'ro',
+       },
+       {
+         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
+         'dst': '/privkey.pem',
+         'options': 'ro',
+       },
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
+    )
+    +
+    (
+      [
+       {
+         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'dst': '/certificate.crt',
+         'options': 'ro',
+       },
+       {
+         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'dst': '/privatekey.key',
+         'options': 'ro',
+       },
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
+    )
+  }}
+```
+
+## Full example of a working configuration
+
+```yaml
+# Choosing the reverse proxy implementation
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+devture_traefik_config_certificatesResolvers_acme_email: redacted@example.com
+
+# To serve the federation from any domain, as long as the path match
+matrix_nginx_proxy_container_labels_traefik_proxy_matrix_federation_rule: PathPrefix(`/_matrix`)
+
+# To let Traefik know which domains' certificates to serve
+matrix_nginx_proxy_container_labels_additional_labels: |
+  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.main="example.com"
+  traefik.http.routers.matrix-nginx-proxy-matrix-federation.tls.domains.sans="*.example.com"
+
+# Add a new ACME configuration without having to disable the default one, since it would have a wide range of side effects
+devture_traefik_configuration_extension_yaml: |
+  certificatesResolvers:
+    dns:
+      acme:
+        # To use a staging endpoint for testing purposes, uncomment the line below.
+        # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+        email: {{ devture_traefik_config_certificatesResolvers_acme_email | to_json }}
+        dnsChallenge:
+          provider: cloudflare
+          resolvers: 
+            - "1.1.1.1:53"
+            - "8.8.8.8:53"
+        storage: {{ devture_traefik_config_certificatesResolvers_acme_storage | to_json }}
+
+# Instruct thep laybook to use the new ACME configuration
+devture_traefik_certResolver_primary: "dns"
+
+# Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
+devture_traefik_environment_variables: |
+  CF_API_EMAIL=redacted
+  CF_ZONE_API_TOKEN=redacted
+  CF_DNS_API_TOKEN=redacted
+  LEGO_DISABLE_CNAME_SUPPORT=true
+
+# Only depend on docker.service, this removes the dependency on the certificate exporter, might imply the need to manually restart Coturn on the first installation once the certificates are obtained, afterwards, the reload service should handle things
+matrix_coturn_systemd_required_services_list: ['docker.service']
+
+# This changes the path of the loaded certificate, while maintaining the original functionality, we're now loading the wildcard certificate.
+matrix_coturn_container_additional_volumes: |
+  {{
+    (
+      [
+       {
+         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/fullchain.pem'),
+         'dst': '/fullchain.pem',
+         'options': 'ro',
+       },
+       {
+         'src': (matrix_ssl_config_dir_path + '/live/*.' + matrix_domain + '/privkey.pem'),
+         'dst': '/privkey.pem',
+         'options': 'ro',
+       },
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] and matrix_coturn_tls_enabled else []
+    )
+    +
+    (
+      [
+       {
+         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'dst': '/certificate.crt',
+         'options': 'ro',
+       },
+       {
+         'src': (devture_traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'dst': '/privatekey.key',
+         'options': 'ro',
+       },
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
+    )
+  }}
+```
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -32,6 +32,7 @@ Possibly outdated list of roles where self-building the Docker image is currentl
 - `matrix-bridge-mautrix-googlechat`
 - `matrix-bridge-mautrix-telegram`
 - `matrix-bridge-mautrix-signal`
+- `matrix-bridge-mautrix-gmessages`
 - `matrix-bridge-mautrix-whatsapp`
 - `matrix-bridge-mx-puppet-steam`
 - `matrix-bot-mjolnir`
--- a/examples/hosts
+++ b/examples/hosts
@ -2,7 +2,9 @@
 # If you'd rather use a local IP here, make sure to set up `matrix_coturn_turn_external_ip_address`.
 #
 # To connect using a non-root user (and elevate to root with sudo later),
-# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`
+# replace `ansible_ssh_user=root` with something like this: `ansible_ssh_user=username become=true become_user=root`.
+# If sudo requires a password, either add `become_password=PASSWORD_HERE` to the host line
+# or tell Ansible to ask you for the password interactively by adding a `--ask-become-pass` (`-K`) flag to all `ansible-playbook` (or `just`) commands.
 #
 # For improved Ansible performance, SSH pipelining is enabled by default in `ansible.cfg`.
 # If this causes SSH connection troubles, disable it by adding `ansible_ssh_pipelining=False`
--- a/gpg/open_vault.sh
+++ b/gpg/open_vault.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null
--- a/gpg/vault_passphrase.gpg
+++ b/gpg/vault_passphrase.gpg
@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
+rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----
--- a/group_vars/jitsi_jvb_servers
+++ b/group_vars/jitsi_jvb_servers
@ -0,0 +1,11 @@
+jitsi_architecture: "{{ matrix_architecture }}"
+jitsi_hostname: "{{ matrix_server_fqn_jitsi }}"
+jitsi_uid: "{{ matrix_user_uid }}"
+jitsi_gid: "{{ matrix_user_gid }}"
+
+devture_systemd_service_manager_services_list_auto: |
+  {{
+    ([{'name': (jitsi_identifier + '-jvb.service'), 'priority': 4100, 'groups': ['matrix', 'jitsi', 'jitsi-jvb']}] if jitsi_enabled else [])
+  }}
+
+matrix_playbook_docker_installation_enabled: true
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -101,8 +101,14 @@ matrix_homeserver_container_extra_arguments_auto: |
    +
    (['--mount type=bind,src=' + matrix_mautrix_twitter_config_path + '/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro'] if matrix_mautrix_twitter_enabled else [])
    +
+    (['--mount type=bind,src=' + matrix_mautrix_gmessages_config_path + '/registration.yaml,dst=/matrix-mautrix-gmessages-registration.yaml,ro'] if matrix_mautrix_gmessages_enabled else [])
+    +
    (['--mount type=bind,src=' + matrix_mautrix_whatsapp_config_path + '/registration.yaml,dst=/matrix-mautrix-whatsapp-registration.yaml,ro'] if matrix_mautrix_whatsapp_enabled else [])
    +
+    (['--mount type=bind,src=' + matrix_mautrix_wsproxy_config_path + '/androidsms-registration.yaml,dst=/matrix-mautrix-androidsms-registration.yaml,ro'] if matrix_mautrix_wsproxy_enabled else [])
+    +
+    (['--mount type=bind,src=' + matrix_mautrix_wsproxy_config_path + '/imessage-registration.yaml,dst=/matrix-mautrix-imessage-registration.yaml,ro'] if matrix_mautrix_wsproxy_enabled else [])
+    +
    (['--mount type=bind,src=' + matrix_mx_puppet_discord_config_path + '/registration.yaml,dst=/matrix-mx-puppet-discord-registration.yaml,ro'] if matrix_mx_puppet_discord_enabled else [])
    +
    (['--mount type=bind,src=' + matrix_mx_puppet_groupme_config_path + '/registration.yaml,dst=/matrix-mx-puppet-groupme-registration.yaml,ro'] if matrix_mx_puppet_groupme_enabled else [])
@ -158,8 +164,14 @@ matrix_homeserver_app_service_config_files_auto: |
    +
    (['/matrix-mautrix-twitter-registration.yaml'] if matrix_mautrix_twitter_enabled else [])
    +
+    (['/matrix-mautrix-gmessages-registration.yaml'] if matrix_mautrix_gmessages_enabled else [])
+    +
    (['/matrix-mautrix-whatsapp-registration.yaml'] if matrix_mautrix_whatsapp_enabled else [])
    +
+    (['/matrix-mautrix-androidsms-registration.yaml'] if matrix_mautrix_wsproxy_enabled else [])
+    +
+    (['/matrix-mautrix-imessage-registration.yaml'] if matrix_mautrix_wsproxy_enabled else [])
+    +
    (['/matrix-mx-puppet-discord-registration.yaml'] if matrix_mx_puppet_discord_enabled else [])
    +
    (['/matrix-mx-puppet-groupme-registration.yaml'] if matrix_mx_puppet_groupme_enabled else [])
@ -192,7 +204,7 @@ matrix_homeserver_app_service_config_files_auto: |

 # This list is not exhaustive and final.
 # Synapse workers are still injected into the list at runtime.
-# Additional JVB workers (playbooks/jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
+# Additional JVB workers (jitsi_jvb.yml -- roles/galaxy/jitsi/tasks/init_additional_jvb.yml) override this variable at runtime as well.
 #
 # Priority levels are like this:
 # - core services (the homeserver) get a level of ~1000
@ -270,8 +282,14 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-mautrix-twitter.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-twitter']}] if matrix_mautrix_twitter_enabled else [])
    +
+    ([{'name': 'matrix-mautrix-gmessages.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-gmessages']}] if matrix_mautrix_gmessages_enabled else [])
+    +
    ([{'name': 'matrix-mautrix-whatsapp.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-whatsapp']}] if matrix_mautrix_whatsapp_enabled else [])
    +
+    ([{'name': 'matrix-mautrix-wsproxy.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-wsproxy']}] if matrix_mautrix_wsproxy_enabled else [])
+    +
+    ([{'name': 'matrix-mautrix-wsproxy-syncproxy.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mautrix-wsproxy-syncproxy']}] if matrix_mautrix_wsproxy_enabled else [])
+    +
    ([{'name': 'matrix-mx-puppet-discord.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-discord']}] if matrix_mx_puppet_discord_enabled else [])
    +
    ([{'name': 'matrix-mx-puppet-groupme.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'mx-puppet-groupme']}] if matrix_mx_puppet_groupme_enabled else [])
@ -326,6 +344,8 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-ma1sd.service', 'priority': 2000, 'groups': ['matrix', 'ma1sd']}] if matrix_ma1sd_enabled else [])
    +
+    ([{'name': (matrix_media_repo_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'matrix-media-repo']}] if matrix_media_repo_enabled else [])
+    +
    ([{'name': 'matrix-mailer.service', 'priority': 2000, 'groups': ['matrix', 'mailer']}] if matrix_mailer_enabled else [])
    +
    ([{'name': 'matrix-nginx-proxy.service', 'priority': 3000, 'groups': ['matrix', 'nginx', 'reverse-proxies']}] if matrix_nginx_proxy_enabled else [])
@ -395,7 +415,6 @@ devture_systemd_service_manager_services_list_auto: |
 ########################################################################


-
 ######################################################################
 #
 # com.devture.ansible.role.playbook_state_preserver
@ -418,7 +437,6 @@ devture_playbook_state_preserver_commit_hash_preservation_dst: "{{ matrix_base_d
 ######################################################################


-
 ######################################################################
 #
 # matrix-base
@ -1153,6 +1171,98 @@ matrix_mautrix_twitter_database_password: "{{ '%s' | format(matrix_homeserver_ge
 #
 ######################################################################

+######################################################################
+#
+# matrix-bridge-mautrix-gmessages
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_mautrix_gmessages_enabled: false
+
+matrix_mautrix_gmessages_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
+
+matrix_mautrix_gmessages_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    ['matrix-' + matrix_homeserver_implementation + '.service']
+    +
+    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+    +
+    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+  }}
+
+matrix_mautrix_gmessages_appservice_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.as.token', rounds=655555) | to_uuid }}"
+
+matrix_mautrix_gmessages_homeserver_token: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'gmessa.hs.token', rounds=655555) | to_uuid }}"
+
+matrix_mautrix_gmessages_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+
+# People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
+# - `matrix_mautrix_gmessages_metrics_enabled`
+# - `matrix_mautrix_gmessages_proxying_metrics_enabled`
+# - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
+matrix_mautrix_gmessages_metrics_enabled: "{{ prometheus_enabled }}"
+
+# Postgres is the default, except if not using internal Postgres server
+matrix_mautrix_gmessages_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
+matrix_mautrix_gmessages_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
+matrix_mautrix_gmessages_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'maugmessages.db', rounds=655555) | to_uuid }}"
+
+######################################################################
+#
+# /matrix-bridge-mautrix-gmessages
+#
+######################################################################
+
+######################################################################
+#
+# matrix-bridge-mautrix-wsproxy
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_mautrix_wsproxy_enabled: false
+
+matrix_mautrix_wsproxy_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    ['matrix-' + matrix_homeserver_implementation + '.service']
+    +
+    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
+    +
+    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+  }}
+
+matrix_mautrix_wsproxy_homeserver_domain: "{{ matrix_domain }}"
+
+matrix_mautrix_wsproxy_homeserver_address: "{{ matrix_homeserver_container_url }}"
+matrix_mautrix_wsproxy_hostname: "wsproxy.{{ matrix_mautrix_wsproxy_homeserver_domain }}"
+
+matrix_mautrix_wsproxy_container_additional_networks: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+      +
+      ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_mautrix_wsproxy_container_network else [])
+      +
+      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_mautrix_wsproxy_container_network else [])
+    ) | unique
+  }}
+
+matrix_mautrix_wsproxy_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_mautrix_wsproxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_mautrix_wsproxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+######################################################################
+#
+# /matrix-bridge-mautrix-wsproxy
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mautrix-whatsapp
@ -1182,10 +1292,10 @@ matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_homeserver_ge
 matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

 # People using an external Prometheus server will need to toggle all of these to be able to consume metrics remotely:
-# - `matrix_mautrix_twitter_metrics_enabled`
-# - `matrix_mautrix_twitter_proxying_metrics_enabled`
+# - `matrix_mautrix_whatsapp_metrics_enabled`
+# - `matrix_mautrix_whatsapp_proxying_metrics_enabled`
 # - `matrix_nginx_proxy_proxy_matrix_metrics_enabled`
-matrix_mautrix_twitter_metrics_enabled: "{{ prometheus_enabled }}"
+matrix_mautrix_whatsapp_metrics_enabled: "{{ prometheus_enabled }}"

 # Postgres is the default, except if not using internal Postgres server
 matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if devture_postgres_enabled else 'sqlite' }}"
@ -1949,7 +2059,7 @@ matrix_bot_mjolnir_systemd_required_services_list: |
 # We don't enable bots by default.
 matrix_bot_draupnir_enabled: false

-matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+matrix_bot_draupnir_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"

 matrix_bot_draupnir_systemd_required_services_list: |
  {{
@ -2557,6 +2667,37 @@ matrix_ma1sd_database_password: "{{ '%s' | format(matrix_homeserver_generic_secr
 #
 ######################################################################

+######################################################################
+#
+# matrix-media-repo
+#
+######################################################################
+
+matrix_media_repo_enabled: false
+matrix_media_repo_container_network: "{{ matrix_docker_network }}"
+
+matrix_media_repo_container_labels_traefik_enabled: false
+matrix_media_repo_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_media_repo_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
+matrix_media_repo_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
+
+matrix_media_repo_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
+matrix_media_repo_database_username: matrix_media_repo
+matrix_media_repo_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'mediarepo.db', rounds=655555) | to_uuid }}"
+matrix_media_repo_database_name: matrix_media_repo
+
+matrix_media_repo_systemd_required_services_list: |
+  {{
+    (['docker.service'])
+    +
+    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname else [])
+  }}
+
+######################################################################
+#
+# /matrix-media-repo
+#
+######################################################################

 ######################################################################
 #
@ -2616,6 +2757,7 @@ matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and mat
 matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
+matrix_nginx_proxy_proxy_mautrix_wsproxy_enabled: "{{ matrix_mautrix_wsproxy_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"

 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ jitsi_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"

@ -2638,6 +2780,10 @@ matrix_nginx_proxy_proxy_matrix_identity_api_enabled: "{{ matrix_ma1sd_enabled }
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

+matrix_nginx_proxy_proxy_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
+matrix_nginx_proxy_proxy_media_repo_addr_with_container: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_port }}"
+matrix_nginx_proxy_proxy_media_repo_addr_sans_container: "127.0.0.1:{{ matrix_media_repo_port }}"
+
 # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
 # Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy.
 matrix_nginx_proxy_proxy_matrix_federation_api_enabled: |-
@ -2696,6 +2842,8 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
    +
    (['matrix-ma1sd.service'] if matrix_ma1sd_enabled else [])
    +
+    ([(matrix_media_repo_identifier + '.service')] if matrix_media_repo_enabled else [])
+    +
    (['matrix-client-cinny.service'] if matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
    +
    (['matrix-bot-buscarron.service'] if matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] else [])
@ -2749,6 +2897,8 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    +
    ([matrix_server_fqn_sygnal] if matrix_sygnal_enabled else [])
    +
+    ([matrix_server_fqn_mautrix_wsproxy] if matrix_mautrix_wsproxy_enabled else [])
+    +
    ([ntfy_hostname] if ntfy_enabled else [])
    +
    ([matrix_server_fqn_rageshake] if matrix_rageshake_enabled else [])
@ -2967,6 +3117,12 @@ devture_postgres_managed_databases_auto: |
      'password': matrix_mautrix_signal_database_password,
    }] if (matrix_mautrix_signal_enabled and matrix_mautrix_signal_database_engine == 'postgres' and matrix_mautrix_signal_database_hostname == devture_postgres_connection_hostname) else [])
    +
+    ([{
+      'name': matrix_mautrix_wsproxy_syncproxy_database_name,
+      'username': matrix_mautrix_wsproxy_syncproxy_database_username,
+      'password': matrix_mautrix_wsproxy_syncproxy_database_password,
+    }] if (matrix_mautrix_wsproxy_enabled and matrix_mautrix_wsproxy_syncproxy_database_engine == 'postgres' and matrix_mautrix_wsproxy_syncproxy_database_hostname == 'matrix-postgres') else [])
+    +
    ([{
      'name': matrix_mautrix_telegram_database_name,
      'username': matrix_mautrix_telegram_database_username,
@ -2979,6 +3135,12 @@ devture_postgres_managed_databases_auto: |
      'password': matrix_mautrix_twitter_database_password,
    }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == devture_postgres_connection_hostname) else [])
    +
+    ([{
+      'name': matrix_mautrix_gmessages_database_name,
+      'username': matrix_mautrix_gmessages_database_username,
+      'password': matrix_mautrix_gmessages_database_password,
+    }] if (matrix_mautrix_gmessages_enabled and matrix_mautrix_gmessages_database_engine == 'postgres' and matrix_mautrix_gmessages_database_hostname == devture_postgres_connection_hostname) else [])
+    +
    ([{
      'name': matrix_mautrix_whatsapp_database_name,
      'username': matrix_mautrix_whatsapp_database_username,
@ -3050,6 +3212,12 @@ devture_postgres_managed_databases_auto: |
      'username': prometheus_postgres_exporter_database_username,
      'password': prometheus_postgres_exporter_database_password,
    }] if (prometheus_postgres_exporter_enabled and prometheus_postgres_exporter_database_hostname == devture_postgres_connection_hostname) else [])
+    +
+    ([{
+      'name': matrix_media_repo_database_name,
+      'username': matrix_media_repo_database_username,
+      'password': matrix_media_repo_database_password,
+    }] if (matrix_media_repo_enabled and matrix_media_repo_database_hostname == devture_postgres_connection_hostname) else [])

   }}

@ -3241,7 +3409,7 @@ matrix_client_element_enable_presence_by_hs_url: |

 matrix_client_element_welcome_user_id: ~

-matrix_client_element_jitsi_preferredDomain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
+matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"

 ######################################################################
 #
@ -3424,6 +3592,9 @@ matrix_synapse_redis_password: "{{ redis_connection_password if redis_enabled el
 matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
 matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"

+# Disable creation of media repository Synapse worker when using media-repo
+matrix_synapse_ext_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
+
 ######################################################################
 #
 # /matrix-synapse
@ -3653,6 +3824,8 @@ prometheus_container_additional_networks: |
      ([matrix_hookshot_container_network] if matrix_prometheus_services_connect_scraper_hookshot_enabled and matrix_hookshot_container_network != prometheus_container_network else [])
      +
      ([matrix_prometheus_nginxlog_exporter_container_network] if matrix_prometheus_services_connect_scraper_nginxlog_enabled and matrix_prometheus_nginxlog_exporter_container_network != prometheus_container_network else [])
+      +
+      ([matrix_media_repo_container_network] if matrix_prometheus_services_connect_scraper_media_repo_enabled and matrix_media_repo_container_network != prometheus_container_network else [])
    ) | unique
  }}

@ -3678,6 +3851,8 @@ prometheus_config_scrape_configs_auto: |
    (matrix_prometheus_services_connect_scraper_hookshot_scrape_configs if matrix_prometheus_services_connect_scraper_hookshot_enabled else [])
    +
    (matrix_prometheus_services_connect_scraper_nginxlog_scrape_configs if matrix_prometheus_services_connect_scraper_nginxlog_enabled else [])
+    +
+    (matrix_prometheus_services_connect_scraper_media_repo_scrape_configs if matrix_prometheus_services_connect_scraper_media_repo_enabled else [])
  }}

 ######################################################################
@ -3713,6 +3888,9 @@ matrix_prometheus_services_connect_scraper_hookshot_static_configs_target: "{{ m
 matrix_prometheus_services_connect_scraper_nginxlog_enabled: "{{ matrix_prometheus_nginxlog_exporter_enabled }}"
 matrix_prometheus_services_connect_scraper_nginxlog_static_configs_target: "{{ matrix_prometheus_nginxlog_exporter_container_hostname }}:{{ matrix_prometheus_nginxlog_exporter_container_metrics_port | string }}"

+matrix_prometheus_services_connect_scraper_media_repo_enabled: "{{ matrix_media_repo_enabled and matrix_media_repo_metrics_enabled }}"
+matrix_prometheus_services_connect_scraper_media_repo_static_configs_target: "{{ matrix_media_repo_identifier }}:{{ matrix_media_repo_metrics_port }}"
+
 ######################################################################
 #
 # /matrix-prometheus-services-connect
@ -3777,6 +3955,8 @@ grafana_dashboard_download_urls: |
    (prometheus_postgres_exporter_dashboard_urls if prometheus_postgres_exporter_enabled else [])
    +
    (matrix_prometheus_nginxlog_exporter_dashboard_urls if matrix_prometheus_nginxlog_exporter_enabled else [])
+    +
+    (matrix_media_repo_dashboard_urls if matrix_media_repo_metrics_enabled else [])
  }}

 grafana_provisioning_dashboard_template_files: |
@ -3785,6 +3965,11 @@ grafana_provisioning_dashboard_template_files: |
        'path': 'roles/custom/matrix-prometheus-nginxlog-exporter/templates/grafana/nginx-proxy.json',
        'name': 'nginx-proxy.json',
    }] if matrix_prometheus_nginxlog_exporter_enabled else [])
+    +
+    ([{
+        'path': 'roles/custom/matrix-media-repo/templates/grafana/media-repo.json',
+        'name': 'media-repo.json',
+    }] if matrix_media_repo_metrics_enabled else [])
  }}

 grafana_default_home_dashboard_path: |-
@ -3803,7 +3988,6 @@ grafana_default_home_dashboard_path: |-
 ######################################################################


-
 ######################################################################
 #
 # matrix-registration
@ -3853,7 +4037,6 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener
 ######################################################################


-
 ######################################################################
 #
 # matrix-sliding-sync
@ -3869,7 +4052,7 @@ matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}"

 matrix_sliding_sync_path_prefix: /sliding-sync

-matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
+matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"

 matrix_sliding_sync_container_additional_networks: |
  {{
@ -3903,6 +4086,9 @@ matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix
 matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}"

+# Starting from version `0.6.0` conduit natively supports some sync v3 (sliding-sync) features.
+matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else matrix_homeserver_url if matrix_conduit_enabled else '' }}"
+
 ######################################################################
 #
 # /matrix-sliding-sync
@ -3992,7 +4178,6 @@ matrix_conduit_systemd_required_services_list: |
    (['docker.service'])
  }}

-
 ######################################################################
 #
 # /matrix-conduit
@ -4008,6 +4193,12 @@ matrix_conduit_systemd_required_services_list: |

 matrix_user_creator_users_auto: |
  {{
+    ([{
+      'username': matrix_bot_matrix_registration_bot_matrix_user_id_localpart,
+      'initial_password': matrix_bot_matrix_registration_bot_bot_password,
+      'initial_type': 'admin',
+    }] if matrix_bot_matrix_registration_bot_enabled else [])
+    +
    ([{
      'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart,
      'initial_password': matrix_bot_matrix_reminder_bot_matrix_user_password,
@ -4051,13 +4242,20 @@ matrix_user_verification_service_docker_image: "{{ matrix_user_verification_serv

 matrix_user_verification_service_enabled: false
 matrix_user_verification_service_systemd_required_services_list: |
-      {{
-        ['docker.service']
-        +
-        (['matrix-synapse.service'] if matrix_synapse_enabled else [])
-        +
-        ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
-      }}
+  {{
+    ['docker.service']
+    +
+    (['matrix-' + matrix_homeserver_implementation + '.service'])
+  }}
+
+matrix_user_verification_service_container_additional_networks: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
+      +
+      ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_user_verification_service_container_network else [])
+    ) | unique
+  }}

 # If Jitsi is managed by this playbook we can use the docker network - no need to expose a port.
 # If Jitsi is not managed by this playbook, or you otherwise have a need for it, you can expose
--- a/inventory/host_vars/matrix.finallycoffee.eu/vars.yml
+++ b/inventory/host_vars/matrix.finallycoffee.eu/vars.yml
@ -0,0 +1,411 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_ssl_retrieval_method: none
+matrix_nginx_proxy_enabled: true
+matrix_nginx_proxy_https_enabled: false
+matrix_nginx_proxy_container_http_host_bind_port: "127.0.10.1:8080"
+matrix_nginx_proxy_container_federation_host_bind_port: "127.0.10.1:8448"
+matrix_nginx_proxy_trust_forwarded_proto: true
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+
+#matrix_nginx_proxy_proxy_synapse_metrics: true
+matrix_nginx_proxy_proxy_matrix_metrics_enabled: true
+matrix_synapse_metrics_enabled: true
+matrix_synapse_metrics_proxying_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_playbook_docker_installation_enabled: false
+
+#matrix_client_element_version: v1.8.4
+#matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.21"
+#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.77.0"
+#matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.11/site-packages"
+#matrix_synapse_default_room_version: "10"
+#matrix_mautrix_telegram_version: v0.10.0
+matrix_dimension_scheme: https
+
+devture_timesync_installation_enabled: false
+matrix_playbook_reverse_proxy_type: playbook-managed-nginx
+# per https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#adapting-the-configuration-for-existing-synapse-installations
+#matrix_homeserver_generic_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+devture_systemd_service_manager_up_verification_delay_seconds: 120
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+#matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+devture_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+# matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+matrix_synapse_rc_federation:
+  window_size: 1000
+  sleep_limit: 50
+  sleep_delay: 500
+  reject_limit: 50
+  concurrent: 10
+matrix_synapse_rc_message:
+  per_second: 0.5
+  burst_count: 25
+matrix_synapse_rc_joins:
+  local:
+    per_second: 0.5
+    burst_count: 20
+  remote:
+    per_second: 0.05
+    burst_count: 20
+matrix_synapse_rc_joins_per_room:
+  per_second: 1
+  burst_count: 10
+matrix_synapse_rc_invites:
+  per_room:
+    per_second: 0.5
+    burst_count: 10
+  per_user:
+    per_second: 0.006
+    burst_count: 10
+  per_issuer:
+    per_second: 2
+    burst_count: 20
+
+## Synapse cache tuning
+matrix_synapse_caches_global_factor: 1.5
+matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 2
+matrix_synapse_workers_federation_sender_workers_count: 2
+matrix_synapse_workers_pusher_workers_count: 1
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+# Enable experimental spaces support
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_max: 20
+  experimental_features:
+    spaces_enabled: true
+  caches:
+    per_cache_factors:
+      device_id_exists: 3
+      get_users_in_room: 4
+      _get_joined_users_from_context: 4
+      _get_joined_profile_from_event_id: 3
+      "*stateGroupMembersCache*": 2
+      _matches_user_in_member_list: 3
+      get_users_who_share_room_with_user: 3
+      is_interested_in_room: 2
+      get_user_by_id: 1.5
+      room_push_rule_cache: 1.5
+    expire_caches: true
+    cache_entry_ttl: 45m
+    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+matrix_synapse_admin_enabled: true
+matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: true
+matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+matrix_dimension_configuration_extension_yaml: |
+    telegram:
+        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_mute_bridging: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_bridge_allow_user_invite: true
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "gruenhage.xyz": "full"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: true
+matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+matrix_mx_puppet_instagram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_instagram_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-skype configuration
+#
+#matrix_mx_puppet_skype_enabled: false
+matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
+# matrix_mx_puppet_skype_container_extra_arguments:
+#   - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
+# matrix_mx_puppet_skype_configuration_extension_yaml: |
+#     bridge:
+#         enableGroupSync: true
+#         avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
+#     metrics:
+#         enabled: true
+#         port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+#         path: /metrics
+
+
+#
+# mx-puppet-discord configuration
+#
+matrix_mx_puppet_discord_enabled: false
+matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+matrix_mx_puppet_discord_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_discord_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
+matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+matrix_mx_puppet_slack_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_auth_header_logo_url: "welcome/images/logo.png"
+matrix_client_element_branding_welcome_background_url: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcome_background_url }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_auth_header_logo_url }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_room_directory_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+  - "entropia.de"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+matrix_ma1sd_configuration_extension_yaml: |
+    hashing:
+      enabled: true
+      pepperLength: 20
+      rotationPolicy: per_requests
+      requests: 10
+      hashStorageType: sql
+      algorithms:
+          - none
+          - sha256
+
+
+# Matrix mail notification relay setup
+matrix_mailer_enabled: true
+matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
+matrix_mailer_relay_use: true
+matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+matrix_mailer_relay_host_port: 587
+matrix_mailer_relay_auth: true
+matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"
--- a/inventory/host_vars/matrix.finallycoffee.eu/vault.yml
+++ b/inventory/host_vars/matrix.finallycoffee.eu/vault.yml
@ -0,0 +1,100 @@
+$ANSIBLE_VAULT;1.1;AES256
+39366364363633336238333130353832663162393038633665396333343732353964333363666539
+6562346632343235623835643735386434316666393234360a383634616537393134613631383836
+61333835363666623033306166376232303930306433343366373463653234623736643633383734
+3330333665383539650a383132353032386230393031626361343764323034386230363066306331
+34646236336262623435633566363033613737373064616266336237343233663066396163373034
+62303765353066653737366539626461636531636438323932333134363136363134646164646531
+63656638666233313437663261396665653736373164323433306435323336633938313164646264
+33653661633965363833393031616463633761356234633630643562306366653133366637346166
+38636433343736343461613731623538633361363934343764326466313261353633646230353065
+37366134303164356433333961346663313963626165323966656536313532376162326565383539
+65363333633964323838663461373666353665643236623839646664653661613838353239613137
+39353061323131306365656261343630313665356165623064616436653566373663343733316237
+34393666383465323463313838393465643830373632373938633763666636346539666233303265
+38353337633833373331356663633936326334366337393135653030333531613565643666633038
+64393862303765366632393137313432376563353335353231323464633637343334346634306534
+35613330373336633031376263306466306437656635396133613335386130346163663438386136
+61646437343938663431343736363564376238316666373531616231366132643864346538363866
+35396433366137356162313963666134383134306462313336613735386639363936326131383939
+66623833643433663039623837623133303336666233623935313438366136353332313165333936
+31386632336535383533646639636164313331346630633366383739623261366465656632393062
+63373332623738303364623437666531396331646666336230353333366261653438363861656466
+39333762633037383336393164616563396564383232636533363864636230616664303330323932
+66666234633362346132303932643464366466323535303835363430333737666661373534333934
+61393362616438626636383564613335363634626231663234616438343464383461303632363033
+39336362396339316661323662393665383031643931626333646335643335353661653939363538
+38666561313539613566386132336630643237333432656236356132616230663561343665353938
+33366663353834356434366335373265373439363430636533303933656264366338623232613435
+35356662383232386137313064313363303861326635333435393737643663336534363234623430
+32376432353330613666396337303935376366613564353039396164383361616337656535346166
+34396635356266326461613135303639643935363261396363636338636564643838313262326266
+31663139343336376233303637373864363835313839326433656235616332333134306139623239
+37636639356263646437373362333931613262363363313462666534643765313139386461623731
+33376635653133353033333733613464396632636634313063326363313030376632643863336237
+61636638353237313764313435626463633964643665313536326235343639663137373436303564
+30636232626137376339303238653664346538356430306238633037366332316263623666373062
+63646533646131303466653637346463613237323161313265613834383634626237323563653733
+38656435303264346663663465333966376631666530333833353233376263336436613065366362
+36366263343438393132326661623031316663663231663464383732343064383234616636306530
+66613634626362316533303034393063666632343262613431613635663866636433623535363238
+30643933613731363236346234336662613633323831633437613435326465383530653765616262
+63373538396364316563343365303134373466663639386137663564356532353531343636613135
+63316463353264316164306566326462333732316431643939626161346530636638636662303037
+34346461313961613063336332333934383363373335616636363661396362613661383762663866
+64303834636264376461396266663763336665356561376161333136336638646363313133353161
+31643061623833623239373432633537663664636334623534326639616633616361333834366131
+30376361656238353332656666316637643133623433333861653265636266376639666135383638
+37363337326231656530363536393737383565666266306532626361633633353539363866376534
+61303737326632303762626666306134343837376566343035386663613336626332383035383035
+37633462373066373062313862323766316362393832666466396637363562353865303366323062
+39346332383966313437646138623364656234663066663639663138626163656433363038323166
+65613862386665643438323061323763306635666162303366323131363436633335356332393366
+63373966383132303434633835333438333337303664346335643066623839343835643364306561
+34643336346564363462396330643263653931376664386335313433376332653832323437376135
+35383231386133363236653334393433306638303131323064343931623538323130343666653061
+36353536383632333964343730346265626433303131346531303133663832363036333261386237
+30363361356265356139323761623563396565336137333733656431636531333234323061343862
+33623935346663333735613661363234646234356331323636386637343661373363363261646231
+33643233343235323230393933616664623166666266333862323631653835666135303233653635
+63373061656163353762636531613632366638383366303864343132376162643963366564363563
+61336338613935613532636165383463633866633036393533313433643562313737383431353163
+37623165373933376236393931363939633963666636303136373065376635623761346537643530
+35363464313630376233633863306238616138666464316534363332333937343362343233346431
+34643032323934353939666364323239653932363735373061633434653062326336353239633261
+38306237336266663038656534393664646138343038323335633064616431386666613739326630
+34383963666534313530376331366238343836303036306336343533666332386163643033643138
+33336333333338353733383165306139623964303035653439623131633566356136386431613135
+63616462386639303230343866346631346532353531373132613433363239646330653666633532
+65393766333238383531313132633537633833363335303630376239396565373730646331313633
+30383861303739343265623934643635633361623262356433323035393062353630346430646262
+63303434353038646361353661616339313937323336303566303536366163623362356332383862
+37326333393761633732653264646333653439363039323238383361336233323232613336303464
+34393635633131313135313665363161306466643364393734346264633030373234306466653862
+32336163666435636162343465386633653863363533616339636531306130383331376563393533
+65366136626662343065383164646665613035393636373565346235656439303933343563366339
+36643838393033353033396535613331303031646162316361613564323163633434633861356135
+62343461616335323565636633383962316531316362396165366533346166336163623232366261
+39376230376562626135346333326437373733373266393236383435343562653034313133376236
+61666138346562613330633630373837653465393233613261353937336666646231366666393335
+35393463333936323664323831396639333462626238613164616435363664643438653763623431
+32663237363134353061373563396535653565636431366565386337653863316333343738343432
+62303132636338303462313439376535363063333833363632613832303436353834376561333330
+66633632383135646263626333643230343630326539663762633934316261633062663732373932
+30306438386263626335373838343236643562326135663366353638353163346365396261313133
+36333634306133353235316237343738623263333732343063356238333162323931346664346539
+66323733643061386334306130633537353630663336313966663538373963313435666564316539
+63613030366332363432303036396232306537663765653938353736376135316539613135623632
+66356639623635663365323635646635383638346539323438336261393332373935383536333831
+61306639343061333639336162366536366438356166396266666132303932333037613632623666
+63616662343830303664353931306632323630316162643432653835313962633735626163366332
+34373637633066333432383533316363613031393963373963386161663430623533383165653561
+38343439633066366663643138326264653539336530393932386236366533663935353664343966
+39323161646231353234633961633732613065323039663062313661386565366534623430356632
+64343732336238393262363338363734643639353830646163343361653761633134303163616562
+35633436393832393137383534613031303963613339333566343065336530623964636662353065
+32366630353538383339346465376661323666333234373665613164633866363364613066643034
+37616630366232353166366535633936366536626462353831643335306337353564316461653564
+66663133373466333431336366346435623436656230376232613665633466333463636263373464
+30386434336538303061666566383033616563303564666362346432663130306531613063363537
+646635613236636563666161666630653836
--- a/inventory/hosts
+++ b/inventory/hosts
@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+34373565633762393838366465623964356238366661386638373937363563613036646662333330
+3436326333353462346464656136363131376565386433620a613965643930313137353134616134
+39656164373331383333613630323531646132626263626661313735313136326132343866313733
+3737323866333566320a376564393337306438636261393535623435326139393830613765646630
+63363538343963636231623031346539363937383363376133333562376339343361303337343133
+39323431653963613134376465333762653038393839313137323832313633343639623665393263
+34623034353564613665333037366231613261343336613730666130396437363332373463313137
+39326237626130323336626265653431383332303065323536316634353735313565633862633937
+65303032306434663962653866366538636133623530343836633233636664386230366165356462
+35623536356462623261666533626436613465346461313733356531386338626263376561363131
+30373534653437363165623138656636323638393734323836396536336364376131333066343432
+38653564623432623461353266623263643430383965373138663361646665616566613337663837
+63343766303936383330643561356233333961303436656564363061393136356163393463383033
+66343034633230373362343332613338646537353934373264633965636431373630326632356535
+36393363356261616234386266333462373065646436653430653561366330353732616135346165
+30306164633666666339336261306264306133616263623430376536346364306336373332326463
+37333735376365373536613734653961326434653665356436323635373863636266663130303431
+39396534633064383566306133363431323537313639383464303433373761363333303936626366
+37383637336631663931303265393562356336623861613161663738393038353263616662633634
+37373932306261666531303265646365323464363930313238343537343433636639383764343139
+35303831646166376365363536656239346630346561356464653362363637306234353761653432
+61323865663266613433343639343762363437333562346633396462623436346364363033383739
+646230333738313565356339346435656331
--- a/jitsi_jvb.yml
+++ b/jitsi_jvb.yml
@ -0,0 +1,35 @@
+---
+- name: "Set up additional Jitsi JVB servers"
+  hosts: "jitsi_jvb_servers"
+  become: true
+
+  roles:
+    - role: galaxy/com.devture.ansible.role.playbook_help
+    - role: galaxy/com.devture.ansible.role.systemd_docker_base
+
+    - when: matrix_playbook_docker_installation_enabled | bool
+      role: galaxy/geerlingguy.docker
+      vars:
+        docker_install_compose: false
+      tags:
+        - setup-docker
+        - setup-all
+        - setup-additional-jitsi-jvb
+        - install-docker
+        - install-all
+
+    - when: devture_docker_sdk_for_python_installation_enabled | bool
+      role: galaxy/com.devture.ansible.role.docker_sdk_for_python
+      tags:
+        - setup-docker
+        - setup-all
+        - setup-additional-jitsi-jvb
+        - install-docker
+        - install-all
+
+    - custom/matrix-base
+    - galaxy/jitsi
+    - custom/matrix-common-after
+
+    - when: devture_systemd_service_manager_enabled | bool
+      role: galaxy/com.devture.ansible.role.systemd_service_manager
--- a/playbooks/jitsi_jvb.yml
+++ b/playbooks/jitsi_jvb.yml
@ -1,12 +0,0 @@
---
- name: "Set up additional Jitsi JVB servers"
-  hosts: "jitsi_jvb_servers"
-  become: true
-
-  roles:
-    - role: galaxy/com.devture.ansible.role.playbook_help
-    - role: galaxy/com.devture.ansible.role.systemd_docker_base
-
-    - custom/matrix-base
-    - galaxy/jitsi
-    - custom/matrix-common-after
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@ -1,143 +0,0 @@
---
- name: "Set up a Matrix server"
-  hosts: "{{ target if target is defined else 'matrix_servers' }}"
-  become: true
-
-  roles:
-    # Most of the roles below are not distributed with the playbook, but downloaded separately using `ansible-galaxy` via the `just roles` command (see `justfile`).
-    - role: galaxy/com.devture.ansible.role.playbook_help
-
-    - role: galaxy/com.devture.ansible.role.systemd_docker_base
-
-    - role: custom/matrix_playbook_migration
-
-    - when: matrix_playbook_docker_installation_enabled | bool
-      role: galaxy/geerlingguy.docker
-      vars:
-        docker_install_compose: false
-      tags:
-        - setup-docker
-        - setup-all
-        - install-docker
-        - install-all
-
-    - when: devture_docker_sdk_for_python_installation_enabled | bool
-      role: galaxy/com.devture.ansible.role.docker_sdk_for_python
-      tags:
-        - setup-docker
-        - setup-all
-        - install-docker
-        - install-all
-
-    - when: devture_timesync_installation_enabled | bool
-      role: galaxy/com.devture.ansible.role.timesync
-      tags:
-        - setup-timesync
-        - setup-all
-        - install-timesync
-        - install-all
-
-    - custom/matrix-base
-    - custom/matrix-dynamic-dns
-    - custom/matrix-mailer
-
-    - role: galaxy/com.devture.ansible.role.postgres
-
-    - galaxy/redis
-    - custom/matrix-corporal
-    - custom/matrix-bridge-appservice-discord
-    - custom/matrix-bridge-appservice-slack
-    - custom/matrix-bridge-appservice-webhooks
-    - custom/matrix-bridge-appservice-irc
-    - custom/matrix-bridge-appservice-kakaotalk
-    - custom/matrix-bridge-beeper-linkedin
-    - custom/matrix-bridge-go-skype-bridge
-    - custom/matrix-bridge-mautrix-facebook
-    - custom/matrix-bridge-mautrix-twitter
-    - custom/matrix-bridge-mautrix-hangouts
-    - custom/matrix-bridge-mautrix-googlechat
-    - custom/matrix-bridge-mautrix-instagram
-    - custom/matrix-bridge-mautrix-signal
-    - custom/matrix-bridge-mautrix-telegram
-    - custom/matrix-bridge-mautrix-whatsapp
-    - custom/matrix-bridge-mautrix-discord
-    - custom/matrix-bridge-mautrix-slack
-    - custom/matrix-bridge-mx-puppet-discord
-    - custom/matrix-bridge-mx-puppet-groupme
-    - custom/matrix-bridge-mx-puppet-steam
-    - custom/matrix-bridge-mx-puppet-slack
-    - custom/matrix-bridge-mx-puppet-twitter
-    - custom/matrix-bridge-mx-puppet-instagram
-    - custom/matrix-bridge-sms
-    - custom/matrix-bridge-heisenbridge
-    - custom/matrix-bridge-hookshot
-    - custom/matrix-bot-matrix-reminder-bot
-    - custom/matrix-bot-matrix-registration-bot
-    - custom/matrix-bot-maubot
-    - custom/matrix-bot-buscarron
-    - custom/matrix-bot-honoroit
-    - custom/matrix-bot-postmoogle
-    - custom/matrix-bot-go-neb
-    - custom/matrix-bot-mjolnir
-    - custom/matrix-bot-draupnir
-    - custom/matrix-bot-chatgpt
-    - custom/matrix-cactus-comments
-    - custom/matrix-rageshake
-    - custom/matrix-synapse
-    - custom/matrix-synapse-auto-compressor
-    - custom/matrix-synapse-reverse-proxy-companion
-    - custom/matrix-dendrite
-    - custom/matrix-conduit
-    - custom/matrix-synapse-admin
-    - galaxy/prometheus_node_exporter
-    - galaxy/prometheus_postgres_exporter
-    - custom/matrix-prometheus-nginxlog-exporter
-    - galaxy/prometheus
-    - galaxy/grafana
-    - custom/matrix-prometheus-services-connect
-    - custom/matrix-prometheus-services-proxy-connect
-    - custom/matrix-registration
-    - custom/matrix-client-element
-    - custom/matrix-client-hydrogen
-    - custom/matrix-client-cinny
-    - galaxy/jitsi
-    - custom/matrix-user-verification-service
-    - custom/matrix-ldap-registration-proxy
-    - custom/matrix-ma1sd
-    - custom/matrix-dimension
-    - galaxy/etherpad
-    - custom/etherpad-proxy-connect
-    - custom/matrix-sliding-sync
-    - custom/matrix-email2matrix
-    - custom/matrix-sygnal
-    - galaxy/ntfy
-    - custom/matrix-nginx-proxy
-    - custom/matrix-coturn
-
-    - role: galaxy/aux
-
-    - role: galaxy/com.devture.ansible.role.postgres_backup
-
-    - role: galaxy/backup_borg
-
-    - custom/matrix-user-creator
-    - custom/matrix-common-after
-
-    - role: galaxy/com.devture.ansible.role.container_socket_proxy
-
-    - role: galaxy/com.devture.ansible.role.traefik
-
-    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper
-
-    - when: devture_systemd_service_manager_enabled | bool
-      role: galaxy/com.devture.ansible.role.systemd_service_manager
-
-    # This is pretty much last, because we want it to better serve as a "last known good configuration".
-    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2217#issuecomment-1301487601
-    - when: devture_playbook_state_preserver_enabled | bool
-      role: galaxy/com.devture.ansible.role.playbook_state_preserver
-      tags:
-        - setup-all
-        - install-all
-
-    - role: galaxy/com.devture.ansible.role.playbook_runtime_messages
--- a/requirements.yml
+++ b/requirements.yml
@ -2,9 +2,9 @@

 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
  version: v1.0.0-1
-  name: aux
+  name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.4-1.7.13-0
+  version: v1.2.4-1.8.2-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
  version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@ -18,7 +18,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
  version: v15.3-0
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
-  version: 8e9ec48a09284c84704d7a2dce17da35f181574d
+  version: a0cc7c1c696872ba8880d9c5e5a54098de825030
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
@ -26,28 +26,28 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v2.10.1-1
+  version: v2.10.4-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
-  version: v1.8.18-2
+  version: v1.9.2-0
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 6.1.0
+  version: 6.2.0
  name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v9.5.2-0
+  version: v10.1.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v8615-0
+  version: v8615-2
  name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
-  version: v2.5.0-0
+  version: v2.7.0-2
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v2.44.0-0
+  version: v2.45.0-1
  name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
-  version: v1.6.0-0
+  version: v1.6.1-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.12.0-0
+  version: v0.13.2-0
  name: prometheus_postgres_exporter
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
-  version: v7.0.10-0
+  version: v7.2.0-0
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@ -16,6 +16,9 @@ matrix_admin: ''
 # Global var to enable/disable encryption across all bridges with encryption support
 matrix_bridges_encryption_enabled: false

+# Global var to enable/disable relay mode across all bridges with relay mode support
+matrix_bridges_relay_enabled: false
+
 # matrix_homeserver_enabled controls whether to enable the homeserver systemd service, etc.
 #
 # Unless you're wrapping this playbook in another one
@ -90,6 +93,9 @@ matrix_server_fqn_grafana: "stats.{{ matrix_domain }}"
 # This is where you access the Sygnal push gateway.
 matrix_server_fqn_sygnal: "sygnal.{{ matrix_domain }}"

+# This is where you access the mautrix wsproxy push gateway.
+matrix_server_fqn_mautrix_wsproxy: "wsproxy.{{ matrix_domain }}"
+
 # This is where you access the ntfy push notification service.
 matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"

@ -147,6 +153,12 @@ matrix_homeserver_container_url: ""
 # This likely gets overriden elsewhere.
 matrix_homeserver_container_federation_url: ""

+# Specifies the public url of the Sync v3 (sliding-sync) API.
+# This will be used to set the `org.matrix.msc3575.proxy` property in `/.well-known/matrix/client`.
+# Once the API is stabilized, this will no longer be required.
+# See MSC3575: https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md
+matrix_homeserver_sliding_sync_url: ""
+
 matrix_identity_server_url: ~

 matrix_integration_manager_rest_url: ~
@ -155,7 +167,7 @@ matrix_integration_manager_ui_url: ~
 # The domain name where a Jitsi server is self-hosted.
 # If set, `/.well-known/matrix/client` will suggest Element clients to use that Jitsi server.
 # See: https://github.com/vector-im/element-web/blob/develop/docs/jitsi.md#configuring-element-to-use-your-self-hosted-jitsi-server
-matrix_client_element_jitsi_preferredDomain: ''  # noqa var-naming
+matrix_client_element_jitsi_preferred_domain: ''  # noqa var-naming

 # Controls whether Element should use End-to-End Encryption by default.
 # Setting this to false will update `/.well-known/matrix/client` and tell Element clients to avoid E2EE.
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2
@ -18,17 +18,17 @@
 		]
 	}
 	{% endif %}
-	{% if matrix_client_element_jitsi_preferredDomain %},
+	{% if matrix_client_element_jitsi_preferred_domain %},
 	"io.element.jitsi": {
-		"preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }}
+		"preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }}
 	},
 	"im.vector.riot.jitsi": {
-		"preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }}
+		"preferredDomain": {{ matrix_client_element_jitsi_preferred_domain|to_json }}
 	}
 	{% endif %}
-	{% if matrix_sliding_sync_enabled %},
+	{% if matrix_homeserver_sliding_sync_url %},
 	"org.matrix.msc3575.proxy": {
-		"url": "{{ matrix_sliding_sync_base_url }}"
+		"url": "{{ matrix_homeserver_sliding_sync_url }}"
 	}
 	{% endif %}
 	{% if matrix_client_element_location_sharing_enabled %},
--- a/roles/custom/matrix-bot-buscarron/defaults/main.yml
+++ b/roles/custom/matrix-bot-buscarron/defaults/main.yml
@ -108,8 +108,9 @@ matrix_bot_buscarron_database_password: 'some-password'
 matrix_bot_buscarron_database_hostname: ''
 matrix_bot_buscarron_database_port: 5432
 matrix_bot_buscarron_database_name: 'buscarron'
+matrix_bot_buscarron_database_sslmode: disable

-matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode=disable'
+matrix_bot_buscarron_database_connection_string: 'postgres://{{ matrix_bot_buscarron_database_username }}:{{ matrix_bot_buscarron_database_password }}@{{ matrix_bot_buscarron_database_hostname }}:{{ matrix_bot_buscarron_database_port }}/{{ matrix_bot_buscarron_database_name }}?sslmode={{ matrix_bot_buscarron_database_sslmode }}'

 matrix_bot_buscarron_storage_database: "{{
 	{
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@ -88,3 +88,5 @@ matrix_bot_chatgpt_matrix_rich_text: true  # MATRIX_RICH_TEXT=true
 # matrix_bot_chatgpt_environment_variables_extension: |
 #   chatgpt_TEXT_DONE=Done
 matrix_bot_chatgpt_environment_variables_extension: ''
+
+matrix_bot_chatgpt_matrix_bot_prompt_prefix: 'Instructions:\nYou are ChatGPT, a large language model trained by OpenAI.'
--- a/roles/custom/matrix-bot-chatgpt/templates/env.j2
+++ b/roles/custom/matrix-bot-chatgpt/templates/env.j2
@ -25,6 +25,8 @@ MATRIX_ENCRYPTION={{ matrix_bot_chatgpt_matrix_encryption|lower }}
 MATRIX_THREADS={{ matrix_bot_chatgpt_matrix_threads|lower }}
 MATRIX_RICH_TEXT={{ matrix_bot_chatgpt_matrix_rich_text|lower }}

+CHATGPT_PROMPT_PREFIX={{ matrix_bot_chatgpt_matrix_bot_prompt_prefix }}
+
 DATA_PATH=/data/

 {{ matrix_bot_chatgpt_environment_variables_extension }}
--- a/roles/custom/matrix-bot-draupnir/defaults/main.yml
+++ b/roles/custom/matrix-bot-draupnir/defaults/main.yml
@ -4,7 +4,7 @@

 matrix_bot_draupnir_enabled: true

-matrix_bot_draupnir_version: "v1.83.0"
+matrix_bot_draupnir_version: "v1.84.0"

 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/Gnuxie/Draupnir.git"
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@ -20,7 +20,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"

-matrix_bot_honoroit_version: v0.9.17
+matrix_bot_honoroit_version: v0.9.18
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
@ -105,8 +105,9 @@ matrix_bot_honoroit_database_password: 'some-password'
 matrix_bot_honoroit_database_hostname: ''
 matrix_bot_honoroit_database_port: 5432
 matrix_bot_honoroit_database_name: 'honoroit'
+matrix_bot_honoroit_database_sslmode: disable

-matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode=disable'
+matrix_bot_honoroit_database_connection_string: 'postgres://{{ matrix_bot_honoroit_database_username }}:{{ matrix_bot_honoroit_database_password }}@{{ matrix_bot_honoroit_database_hostname }}:{{ matrix_bot_honoroit_database_port }}/{{ matrix_bot_honoroit_database_name }}?sslmode={{ matrix_bot_honoroit_database_sslmode }}'

 matrix_bot_honoroit_storage_database: "{{
 	{
--- a/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml
@ -8,8 +8,10 @@ matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matri
 matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}"
 matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src"

-matrix_bot_matrix_registration_bot_version: latest
-matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_version }}"
+matrix_bot_matrix_registration_bot_version: 1.3.0
+matrix_bot_matrix_registration_bot_docker_iteration: 0
+matrix_bot_matrix_registration_bot_docker_tag: "{{ matrix_bot_matrix_registration_bot_version }}-{{ matrix_bot_matrix_registration_bot_docker_iteration}}"
+matrix_bot_matrix_registration_bot_docker_image: "{{ matrix_container_global_registry_prefix }}moanos/matrix-registration-bot:{{ matrix_bot_matrix_registration_bot_docker_tag }}"
 matrix_bot_matrix_registration_bot_docker_image_force_pull: "{{ matrix_bot_matrix_registration_bot_docker_image.endswith(':latest') }}"

 matrix_bot_matrix_registration_bot_base_path: "{{ matrix_base_data_path }}/matrix-registration-bot"
@ -19,15 +21,15 @@ matrix_bot_matrix_registration_bot_data_path: "{{ matrix_bot_matrix_registration
 matrix_bot_matrix_registration_bot_bot_server: "https://{{ matrix_server_fqn_matrix }}"
 matrix_bot_matrix_registration_bot_api_base_url: "https://{{ matrix_server_fqn_matrix }}"

-# The access token that the bot uses to communicate in Matrix chats
-# This does not necessarily need to be a privileged (admin) access token.
-matrix_bot_matrix_registration_bot_bot_access_token: ''

-# The access token that the bot uses to call the Matrix API for creating registration tokens.
-# This needs to be a privileged (admin) access token.
-# By default, we assume `matrix_bot_matrix_registration_bot_bot_access_token` is such a privileged token and we use it as is.
-# If necessary, you can define your own other access token here, which might even be for a different Matrix user.
-matrix_bot_matrix_registration_bot_api_token: "{{ matrix_bot_matrix_registration_bot_bot_access_token }}"
+# The bot's password (can also be used to login via a client like element)
+matrix_bot_matrix_registration_bot_bot_password: ''
+
+# Optional variable that only needs to be set if the bot account is not admin
+# Needs to be a valid access token of an admin account
+matrix_bot_matrix_registration_bot_api_token: ''
+
+matrix_bot_matrix_registration_bot_device_id: "matrix-docker-ansible-deploy"

 matrix_bot_matrix_registration_bot_logging_level: info
 matrix_bot_matrix_registration_environment_variables_extension: ''
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/clean_cache.yml
@ -0,0 +1,12 @@
+---
+
+- name: Delete cache files
+  ansible.builtin.file:
+    state: "{{ item }}"
+    path: "{{ matrix_bot_matrix_registration_bot_data_path }}"
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - absent
+    - directory
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
@ -18,3 +18,9 @@
  block:
    - when: not matrix_bot_matrix_registration_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+
+- tags:
+    - bot-matrix-registration-bot-clean-cache
+  block:
+    - when: matrix_bot_matrix_registration_bot_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/clean_cache.yml"
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/setup_install.yml
@ -9,7 +9,7 @@
    group: "{{ matrix_user_groupname }}"
  with_items:
    - {path: "{{ matrix_bot_matrix_registration_bot_config_path }}", when: true}
-    - - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}
+    - {path: "{{ matrix_bot_matrix_registration_bot_data_path }}", when: true}
    - {path: "{{ matrix_bot_matrix_registration_bot_docker_src_files_path }}", when: true}
  when: "item.when | bool"

--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml
@ -5,6 +5,13 @@
    msg: >-
      You need to define a required configuration setting (`{{ item }}`).
  when: "vars[item] == ''"
+  with_items:
+    - "matrix_bot_matrix_registration_bot_bot_password"
+
+- name: (Deprecation) Catch and report old settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which is deprecated - Please check the documentation on how to configure the matrix-registration-bot.
+  when: "item in vars"
  with_items:
    - "matrix_bot_matrix_registration_bot_bot_access_token"
-    - "matrix_bot_matrix_registration_bot_api_token"
--- a/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2
+++ b/roles/custom/matrix-bot-matrix-registration-bot/templates/config/config.yml.j2
@ -1,12 +1,16 @@
 bot:
  server: {{ matrix_bot_matrix_registration_bot_bot_server|to_json }}
  username: {{ matrix_bot_matrix_registration_bot_matrix_user_id_localpart|to_json }}
-  access_token: {{ matrix_bot_matrix_registration_bot_bot_access_token|to_json }}
+  password: {{ matrix_bot_matrix_registration_bot_bot_password|to_json }}
+
 api:
  # API endpoint of the registration tokens
  base_url: {{ matrix_bot_matrix_registration_bot_api_base_url|to_json }}
  # Access token of an administrator on the server
+{% if matrix_bot_matrix_registration_bot_api_token | length > 0 %}
  token: {{ matrix_bot_matrix_registration_bot_api_token|to_json }}
+{% endif %}
+
 logging:
  level: {{ matrix_bot_matrix_registration_bot_logging_level|to_json }}

--- a/roles/custom/matrix-bot-maubot/defaults/main.yml
+++ b/roles/custom/matrix-bot-maubot/defaults/main.yml
@ -31,8 +31,9 @@ matrix_bot_maubot_database_password: ~
 matrix_bot_maubot_database_hostname: ''
 matrix_bot_maubot_database_port: 5432
 matrix_bot_maubot_database_name: matrix_bot_maubot
+matrix_bot_maubot_database_sslmode: disable

-matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode=disable
+matrix_bot_maubot_database_connection_string: postgres://{{ matrix_bot_maubot_database_username }}:{{ matrix_bot_maubot_database_password }}@{{ matrix_bot_maubot_database_hostname }}:{{ matrix_bot_maubot_database_port }}/{{ matrix_bot_maubot_database_name }}?sslmode={{ matrix_bot_maubot_database_sslmode }}

 matrix_bot_maubot_database_uri: "{{
 	{
--- a/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2
+++ b/roles/custom/matrix-bot-maubot/templates/config/config.yaml.j2
@ -60,7 +60,7 @@ server:
 homeservers:
  {{  matrix_domain }}:
    # Client-server API URL
-        url: "https://{{ matrix_server_fqn_matrix }}"
+        url: {{ matrix_homeserver_container_url | to_json }}
    # registration_shared_secret from synapse config
    # You can leave this empty if you don't have access to the homeserver.
    # When this is empty, `mbc auth --register` won't work, but `mbc auth` (login) will.
--- a/roles/custom/matrix-bot-postmoogle/defaults/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/defaults/main.yml
@ -45,8 +45,9 @@ matrix_bot_postmoogle_database_password: 'some-password'
 matrix_bot_postmoogle_database_hostname: ''
 matrix_bot_postmoogle_database_port: 5432
 matrix_bot_postmoogle_database_name: 'postmoogle'
+matrix_bot_postmoogle_database_sslmode: disable

-matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode=disable'
+matrix_bot_postmoogle_database_connection_string: 'postgres://{{ matrix_bot_postmoogle_database_username }}:{{ matrix_bot_postmoogle_database_password }}@{{ matrix_bot_postmoogle_database_hostname }}:{{ matrix_bot_postmoogle_database_port }}/{{ matrix_bot_postmoogle_database_name }}?sslmode={{ matrix_bot_postmoogle_database_sslmode }}'

 matrix_bot_postmoogle_storage_database: "{{
 	{
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser

 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
-matrix_appservice_irc_version: 0.38.0
+matrix_appservice_irc_version: 1.0.1
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
@ -33,10 +33,11 @@ matrix_appservice_irc_database_password: 'some-password'
 matrix_appservice_irc_database_hostname: ''
 matrix_appservice_irc_database_port: 5432
 matrix_appservice_irc_database_name: matrix_appservice_irc
+matrix_appservice_irc_database_sslmode: disable

 # This is just the Postgres connection string, if Postgres is used.
 # Naming clashes with `matrix_appservice_irc_database_connectionString` somewhat.
-matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode=disable'
+matrix_appservice_irc_database_connection_string: 'postgresql://{{ matrix_appservice_irc_database_username }}:{{ matrix_appservice_irc_database_password }}@{{ matrix_appservice_irc_database_hostname }}:{{ matrix_appservice_irc_database_port }}/{{ matrix_appservice_irc_database_name }}?sslmode={{ matrix_appservice_irc_database_sslmode }}'

 # This is what actually goes into `database.connectionString` for the bridge.
 matrix_appservice_irc_database_connectionString: |-  # noqa var-naming
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml
@ -110,6 +110,8 @@ matrix_appservice_kakaotalk_login_shared_secret: ''

 matrix_appservice_kakaotalk_bridge_login_shared_secret_map: "{{ {matrix_appservice_kakaotalk_homeserver_domain: matrix_appservice_kakaotalk_login_shared_secret} if matrix_appservice_kakaotalk_login_shared_secret else {} }}"

+matrix_appservice_kakaotalk_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
+
 matrix_appservice_kakaotalk_bridge_permissions: |
  {{
    {matrix_appservice_kakaotalk_homeserver_domain: 'user'}
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/templates/config.yaml.j2
@ -220,7 +220,7 @@ bridge:
    relay:
        # Whether relay mode should be allowed. If allowed, `!kt set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
-        enabled: false
+        enabled: {{ matrix_appservice_kakaotalk_bridge_relay_enabled }}
        # The formats to use when sending messages to KakaoTalk via a relay user.
        #
        # Available variables:
--- a/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-slack/defaults/main.yml
@ -11,7 +11,7 @@ matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/apps

 # matrix_appservice_slack_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
-matrix_appservice_slack_version: 2.0.2
+matrix_appservice_slack_version: 2.1.2
 matrix_appservice_slack_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-slack:{{ matrix_appservice_slack_docker_image_tag }}"
 matrix_appservice_slack_docker_image_tag: "{{ 'latest' if matrix_appservice_slack_version == 'latest' else ('release-' + matrix_appservice_slack_version) }}"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"
@ -61,10 +61,11 @@ matrix_appservice_slack_database_password: 'some-passsword'
 matrix_appservice_slack_database_hostname: ''
 matrix_appservice_slack_database_port: 5432
 matrix_appservice_slack_database_name: matrix_appservice_slack
+matrix_appservice_slack_database_sslmode: disable

 # This is just the Postgres connection string, if Postgres is used.
 # Naming clashes with `matrix_appservice_slack_database_connectionString` somewhat.
-matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode=disable'
+matrix_appservice_slack_database_connection_string: 'postgresql://{{ matrix_appservice_slack_database_username }}:{{ matrix_appservice_slack_database_password }}@{{ matrix_appservice_slack_database_hostname }}:{{ matrix_appservice_slack_database_port }}/{{ matrix_appservice_slack_database_name }}?sslmode={{ matrix_appservice_slack_database_sslmode }}'

 # This is what actually goes into `database.connectionString` for the bridge.
 matrix_appservice_slack_database_connectionString: |-  # noqa var-naming
--- a/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml
@ -61,8 +61,9 @@ matrix_beeper_linkedin_database_password: 'some-password'
 matrix_beeper_linkedin_database_hostname: ''
 matrix_beeper_linkedin_database_port: 5432
 matrix_beeper_linkedin_database_name: 'matrix_beeper_linkedin'
+matrix_beeper_linkedin_database_sslmode: disable

-matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode=disable'
+matrix_beeper_linkedin_database_connection_string: 'postgresql://{{ matrix_beeper_linkedin_database_username }}:{{ matrix_beeper_linkedin_database_password }}@{{ matrix_beeper_linkedin_database_hostname }}:{{ matrix_beeper_linkedin_database_port }}/{{ matrix_beeper_linkedin_database_name }}?sslmode={{ matrix_beeper_linkedin_database_sslmode }}'

 matrix_beeper_linkedin_appservice_database_type: "{{
 	{
@ -111,7 +112,7 @@ matrix_beeper_linkedin_configuration_extension: "{{ matrix_beeper_linkedin_confi
 matrix_beeper_linkedin_configuration: "{{ matrix_beeper_linkedin_configuration_yaml | from_yaml | combine(matrix_beeper_linkedin_configuration_extension, recursive=True) }}"

 matrix_beeper_linkedin_registration_yaml: |
-  id: linkedin
+  id: beeper_linkedin
  url: {{ matrix_beeper_linkedin_appservice_address }}
  as_token: "{{ matrix_beeper_linkedin_appservice_token }}"
  hs_token: "{{ matrix_beeper_linkedin_homeserver_token }}"
--- a/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml
@ -59,8 +59,9 @@ matrix_go_skype_bridge_database_password: 'some-password'
 matrix_go_skype_bridge_database_hostname: ''
 matrix_go_skype_bridge_database_port: 5432
 matrix_go_skype_bridge_database_name: 'matrix_go_skype_bridge'
+matrix_go_skype_bridge_database_sslmode: disable

-matrix_go_skype_bridge_database_connection_string: 'postgresql://{{ matrix_go_skype_bridge_database_username }}:{{ matrix_go_skype_bridge_database_password }}@{{ matrix_go_skype_bridge_database_hostname }}:{{ matrix_go_skype_bridge_database_port }}/{{ matrix_go_skype_bridge_database_name }}?sslmode=disable'
+matrix_go_skype_bridge_database_connection_string: 'postgresql://{{ matrix_go_skype_bridge_database_username }}:{{ matrix_go_skype_bridge_database_password }}@{{ matrix_go_skype_bridge_database_hostname }}:{{ matrix_go_skype_bridge_database_port }}/{{ matrix_go_skype_bridge_database_name }}?sslmode={{ matrix_go_skype_bridge_database_sslmode }}'

 matrix_go_skype_bridge_appservice_database_type: "{{
 	{
--- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml
@ -4,7 +4,7 @@

 matrix_heisenbridge_enabled: true

-matrix_heisenbridge_version: 1.14.2
+matrix_heisenbridge_version: 1.14.5
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"

-matrix_hookshot_version: 4.1.0
+matrix_hookshot_version: 4.4.1

 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_discord_container_image_self_build: false
 matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix/discord.git"
 matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"

-matrix_mautrix_discord_version: v0.4.0
+matrix_mautrix_discord_version: v0.6.1
 # See: https://mau.dev/mautrix/discord/container_registry
 matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_name_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
 matrix_mautrix_discord_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_discord_container_image_self_build else 'dock.mau.dev/' }}"
@ -70,8 +70,9 @@ matrix_mautrix_discord_database_password: 'some-password'
 matrix_mautrix_discord_database_hostname: ''
 matrix_mautrix_discord_database_port: 5432
 matrix_mautrix_discord_database_name: 'matrix_mautrix_discord'
+matrix_mautrix_discord_database_sslmode: disable

-matrix_mautrix_discord_database_connection_string: 'postgresql://{{ matrix_mautrix_discord_database_username }}:{{ matrix_mautrix_discord_database_password }}@{{ matrix_mautrix_discord_database_hostname }}:{{ matrix_mautrix_discord_database_port }}/{{ matrix_mautrix_discord_database_name }}?sslmode=disable'
+matrix_mautrix_discord_database_connection_string: 'postgresql://{{ matrix_mautrix_discord_database_username }}:{{ matrix_mautrix_discord_database_password }}@{{ matrix_mautrix_discord_database_hostname }}:{{ matrix_mautrix_discord_database_port }}/{{ matrix_mautrix_discord_database_name }}?sslmode={{ matrix_mautrix_discord_database_sslmode }}'

 matrix_mautrix_discord_appservice_database_type: "{{
 	{
--- a/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -103,6 +103,9 @@ matrix_mautrix_facebook_login_shared_secret: ''

 matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}"

+# Enable bridge relay bot functionality
+matrix_mautrix_facebook_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
+
 matrix_mautrix_facebook_appservice_bot_username: facebookbot

 matrix_mautrix_facebook_bridge_presence: true
--- a/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@ -206,7 +206,7 @@ bridge:
    relay:
        # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any
        # authenticated user into a relaybot for that chat.
-        enabled: false
+        enabled: {{ matrix_mautrix_facebook_relay_enabled }}
        # The formats to use when sending messages to Messenger via a relay user.
        #
        # Available variables:
--- a/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml
@ -0,0 +1,152 @@
+---
+# mautrix-gmessages is a Matrix <-> gmessages bridge
+# Project source code URL: https://github.com/mautrix/gmessages
+
+matrix_mautrix_gmessages_enabled: true
+
+matrix_mautrix_gmessages_container_image_self_build: false
+matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/mautrix/gmessages.git"
+matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
+
+matrix_mautrix_gmessages_version: v0.1.0
+# See: https://mau.dev/mautrix/gmessages/container_registry
+matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_name_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"
+matrix_mautrix_gmessages_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_gmessages_container_image_self_build else 'dock.mau.dev/' }}"
+matrix_mautrix_gmessages_docker_image_force_pull: "{{ matrix_mautrix_gmessages_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_gmessages_base_path: "{{ matrix_base_data_path }}/mautrix-gmessages"
+matrix_mautrix_gmessages_config_path: "{{ matrix_mautrix_gmessages_base_path }}/config"
+matrix_mautrix_gmessages_data_path: "{{ matrix_mautrix_gmessages_base_path }}/data"
+matrix_mautrix_gmessages_docker_src_files_path: "{{ matrix_mautrix_gmessages_base_path }}/docker-src"
+
+matrix_mautrix_gmessages_homeserver_address: "{{ matrix_homeserver_container_url }}"
+matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}"
+matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080"
+
+matrix_mautrix_gmessages_command_prefix: "!gm"
+
+# A list of extra arguments to pass to the container
+matrix_mautrix_gmessages_container_extra_arguments: []
+
+# List of systemd services that matrix-mautrix-gmessages.service depends on.
+matrix_mautrix_gmessages_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-mautrix-gmessages.service wants
+matrix_mautrix_gmessages_systemd_wanted_services_list: []
+
+matrix_mautrix_gmessages_appservice_token: ''
+matrix_mautrix_gmessages_homeserver_token: ''
+
+matrix_mautrix_gmessages_appservice_bot_username: gmessagesbot
+
+# Minimum severity of journal log messages.
+# Options: debug, info, warn, error, fatal
+matrix_mautrix_gmessages_logging_level: 'warn'
+
+# Whether or not created rooms should have federation enabled.
+# If false, created portal rooms will never be federated.
+matrix_mautrix_gmessages_federate_rooms: true
+
+# Whether or not metrics endpoint should be enabled.
+# Enabling them is usually enough for a local (in-container) Prometheus to consume them.
+# If metrics need to be consumed by another (external) Prometheus server, consider exposing them via `matrix_mautrix_gmessages_metrics_proxying_enabled`.
+matrix_mautrix_gmessages_metrics_enabled: false
+
+# Controls whether metrics should be proxied (exposed) on `matrix.DOMAIN/metrics/mautrix-gmessages`.
+# This will only work take effect if `matrix_nginx_proxy_proxy_matrix_metrics_enabled: true`.
+# See the `matrix-nginx-proxy` role for details about enabling `matrix_nginx_proxy_proxy_matrix_metrics_enabled`.
+matrix_mautrix_gmessages_metrics_proxying_enabled: false
+
+# Database-related configuration fields.
+#
+# To use SQLite, stick to these defaults.
+#
+# To use Postgres:
+# - change the engine (`matrix_mautrix_gmessages_database_engine: 'postgres'`)
+# - adjust your database credentials via the `matrix_mautrix_gmessages_database_*` variables
+matrix_mautrix_gmessages_database_engine: 'sqlite'
+
+matrix_mautrix_gmessages_sqlite_database_path_local: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db"
+matrix_mautrix_gmessages_sqlite_database_path_in_container: "/data/mautrix-gmessages.db"
+
+matrix_mautrix_gmessages_database_username: 'matrix_mautrix_gmessages'
+matrix_mautrix_gmessages_database_password: 'some-password'
+matrix_mautrix_gmessages_database_hostname: ''
+matrix_mautrix_gmessages_database_port: 5432
+matrix_mautrix_gmessages_database_name: 'matrix_mautrix_gmessages'
+matrix_mautrix_gmessages_database_sslmode: disable
+
+matrix_mautrix_gmessages_database_connection_string: 'postgresql://{{ matrix_mautrix_gmessages_database_username }}:{{ matrix_mautrix_gmessages_database_password }}@{{ matrix_mautrix_gmessages_database_hostname }}:{{ matrix_mautrix_gmessages_database_port }}/{{ matrix_mautrix_gmessages_database_name }}?sslmode={{ matrix_mautrix_gmessages_database_sslmode }}'
+
+matrix_mautrix_gmessages_appservice_database_type: "{{
+	{
+		'sqlite': 'sqlite3',
+		'postgres':'postgres',
+	}[matrix_mautrix_gmessages_database_engine]
+}}"
+
+matrix_mautrix_gmessages_appservice_database_uri: "{{
+	{
+		'sqlite': matrix_mautrix_gmessages_sqlite_database_path_in_container,
+		'postgres': matrix_mautrix_gmessages_database_connection_string,
+	}[matrix_mautrix_gmessages_database_engine]
+}}"
+
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+matrix_mautrix_gmessages_login_shared_secret: ''
+matrix_mautrix_gmessages_bridge_login_shared_secret_map:
+  "{{ {matrix_mautrix_gmessages_homeserver_domain: matrix_mautrix_gmessages_login_shared_secret} if matrix_mautrix_gmessages_login_shared_secret else {} }}"
+
+# Enable End-to-bridge encryption
+matrix_mautrix_gmessages_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
+matrix_mautrix_gmessages_bridge_encryption_default: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}"
+matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow: "{{ matrix_mautrix_gmessages_bridge_encryption_allow }}"
+
+matrix_mautrix_gmessages_bridge_personal_filtering_spaces: true
+matrix_mautrix_gmessages_bridge_mute_bridging: true
+
+matrix_mautrix_gmessages_bridge_permissions: |
+  {{
+    {matrix_mautrix_gmessages_homeserver_domain: 'user'}
+    | combine({matrix_admin: 'admin'} if matrix_admin else {})
+  }}
+
+# Default mautrix-gmessages configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mautrix_gmessages_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mautrix_gmessages_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_mautrix_gmessages_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_mautrix_gmessages_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mautrix_gmessages_configuration_yaml`.
+
+matrix_mautrix_gmessages_configuration_extension: "{{ matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml if matrix_mautrix_gmessages_configuration_extension_yaml | from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_gmessages_configuration_yaml`.
+matrix_mautrix_gmessages_configuration: "{{ matrix_mautrix_gmessages_configuration_yaml | from_yaml | combine(matrix_mautrix_gmessages_configuration_extension, recursive=True) }}"
+
+matrix_mautrix_gmessages_registration_yaml: |
+  id: gmessages
+  url: {{ matrix_mautrix_gmessages_appservice_address }}
+  as_token: "{{ matrix_mautrix_gmessages_appservice_token }}"
+  hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}"
+  # See https://github.com/mautrix/signal/issues/43
+  sender_localpart: _bot_{{ matrix_mautrix_gmessages_appservice_bot_username }}
+  rate_limited: false
+  namespaces:
+      users:
+      - regex: '^@gmessages_.+:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$'
+        exclusive: true
+      - exclusive: true
+        regex: '^@{{ matrix_mautrix_gmessages_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$'
+  de.sorunome.msc2409.push_ephemeral: true
+
+matrix_mautrix_gmessages_registration: "{{ matrix_mautrix_gmessages_registration_yaml | from_yaml }}"
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/inject_into_nginx_proxy.yml
@ -0,0 +1,35 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+  ansible.builtin.fail:
+    msg: >-
+      Trying to append mautrix-gmessages-metrics's reverse-proxying configuration to matrix-nginx-proxy,
+      but it's pointless since the matrix-nginx-proxy role had already executed.
+      To fix this, please change the order of roles in your playbook,
+      so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-gmessages role.
+  when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- when: matrix_mautrix_gmessages_metrics_proxying_enabled | bool
+  block:
+    - name: Generate mautrix-gmessages metrics proxying configuration for matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages)
+      ansible.builtin.set_fact:
+        matrix_mautrix_gmessages_nginx_metrics_configuration_block: |
+          location /metrics/mautrix-gmessages {
+            {% if matrix_nginx_proxy_enabled | default(False) %}
+              {# Use the embedded DNS resolver in Docker containers to discover the service #}
+              resolver 127.0.0.11 valid=5s;
+              set $backend "matrix-mautrix-gmessages:8001";
+              proxy_pass http://$backend/metrics;
+            {% else %}
+              return 404 "matrix-nginx-proxy is disabled and no host port was bound to the container, so metrics are unavailable";
+            {% endif %}
+          }
+
+    - name: Register mautrix-gmessages metrics proxying configuration with matrix-nginx-proxy (matrix.DOMAIN/metrics/mautrix-gmessages)
+      ansible.builtin.set_fact:
+        matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks: |
+          {{
+            matrix_nginx_proxy_proxy_matrix_metrics_additional_system_location_configuration_blocks | default([])
+            +
+            [matrix_mautrix_gmessages_nginx_metrics_configuration_block]
+          }}
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/main.yml
@ -0,0 +1,29 @@
+---
+
+- tags:
+    - setup-all
+    - setup-nginx-proxy
+    - install-all
+    - install-nginx-proxy
+  block:
+    - when: matrix_mautrix_gmessages_enabled | bool and matrix_mautrix_gmessages_metrics_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
+
+- tags:
+    - setup-all
+    - setup-mautrix-gmessages
+    - install-all
+    - install-mautrix-gmessages
+  block:
+    - when: matrix_mautrix_gmessages_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_mautrix_gmessages_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-mautrix-gmessages
+  block:
+    - when: not matrix_mautrix_gmessages_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_install.yml
@ -0,0 +1,140 @@
+---
+
+- ansible.builtin.set_fact:
+    matrix_mautrix_gmessages_requires_restart: false
+
+- when: "matrix_mautrix_gmessages_database_engine == 'postgres'"
+  block:
+    - name: Check if an SQLite database already exists
+      ansible.builtin.stat:
+        path: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}"
+      register: matrix_mautrix_gmessages_sqlite_database_path_local_stat_result
+
+    - when: "matrix_mautrix_gmessages_sqlite_database_path_local_stat_result.stat.exists | bool"
+      block:
+        - ansible.builtin.include_role:
+            name: galaxy/com.devture.ansible.role.postgres
+            tasks_from: migrate_db_to_postgres
+          vars:
+            devture_postgres_db_migration_request:
+              src: "{{ matrix_mautrix_gmessages_sqlite_database_path_local }}"
+              dst: "{{ matrix_mautrix_gmessages_database_connection_string }}"
+              caller: "{{ role_path | basename }}"
+              engine_variable_name: 'matrix_mautrix_gmessages_database_engine'
+              engine_old: 'sqlite'
+              systemd_services_to_stop: ['matrix-mautrix-gmessages.service']
+              pgloader_options: ['--with "quote identifiers"']
+
+        - ansible.builtin.set_fact:
+            matrix_mautrix_gmessages_requires_restart: true
+
+- name: Ensure Mautrix gmessages paths exists
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {path: "{{ matrix_mautrix_gmessages_base_path }}", when: true}
+    - {path: "{{ matrix_mautrix_gmessages_config_path }}", when: true}
+    - {path: "{{ matrix_mautrix_gmessages_data_path }}", when: true}
+    - {path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}", when: "{{ matrix_mautrix_gmessages_container_image_self_build }}"}
+  when: item.when | bool
+
+- name: Ensure Mautrix gmessages image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_mautrix_gmessages_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_gmessages_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_docker_image_force_pull }}"
+  when: not matrix_mautrix_gmessages_container_image_self_build
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure Mautrix gmessages repository is present on self-build
+  ansible.builtin.git:
+    repo: "{{ matrix_mautrix_gmessages_container_image_self_build_repo }}"
+    dest: "{{ matrix_mautrix_gmessages_docker_src_files_path }}"
+    version: "{{ matrix_mautrix_gmessages_container_image_self_build_branch }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  register: matrix_mautrix_gmessages_git_pull_results
+  when: "matrix_mautrix_gmessages_container_image_self_build | bool"
+
+- name: Ensure Mautrix gmessages Docker image is built
+  community.docker.docker_image:
+    name: "{{ matrix_mautrix_gmessages_docker_image }}"
+    source: build
+    force_source: "{{ matrix_mautrix_gmessages_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_gmessages_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_mautrix_gmessages_docker_src_files_path }}"
+      pull: true
+  when: "matrix_mautrix_gmessages_container_image_self_build | bool"
+
+- name: Check if an old database file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db"
+  register: matrix_mautrix_gmessages_stat_database
+
+- name: Check if an old matrix state file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json"
+  register: matrix_mautrix_gmessages_stat_mx_state
+
+- name: (Data relocation) Ensure matrix-mautrix-gmessages.service is stopped
+  ansible.builtin.service:
+    name: matrix-mautrix-gmessages
+    state: stopped
+    enabled: false
+    daemon_reload: true
+  failed_when: false
+  when: "matrix_mautrix_gmessages_stat_database.stat.exists"
+
+- name: (Data relocation) Move mautrix-gmessages database file to ./data directory
+  ansible.builtin.command:
+    cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db {{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db"
+    creates: "{{ matrix_mautrix_gmessages_data_path }}/mautrix-gmessages.db"
+    removes: "{{ matrix_mautrix_gmessages_base_path }}/mautrix-gmessages.db"
+  when: "matrix_mautrix_gmessages_stat_database.stat.exists"
+
+- name: (Data relocation) Move mautrix-gmessages mx-state file to ./data directory
+  ansible.builtin.command:
+    cmd: "mv {{ matrix_mautrix_gmessages_base_path }}/mx-state.json {{ matrix_mautrix_gmessages_data_path }}/mx-state.json"
+    creates: "{{ matrix_mautrix_gmessages_data_path }}/mx-state.json"
+    removes: "{{ matrix_mautrix_gmessages_base_path }}/mx-state.json"
+  when: "matrix_mautrix_gmessages_stat_mx_state.stat.exists"
+
+- name: Ensure mautrix-gmessages config.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_mautrix_gmessages_configuration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_mautrix_gmessages_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-gmessages registration.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_mautrix_gmessages_registration | to_nice_yaml(indent=2, width=999999) }}"
+    dest: "{{ matrix_mautrix_gmessages_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-mautrix-gmessages.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-gmessages.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service"
+    mode: 0644
+
+- name: Ensure matrix-mautrix-gmessages.service restarted, if necessary
+  ansible.builtin.service:
+    name: "matrix-mautrix-gmessages.service"
+    state: restarted
+    daemon_reload: true
+  when: "matrix_mautrix_gmessages_requires_restart | bool"
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/setup_uninstall.yml
@ -0,0 +1,20 @@
+---
+
+- name: Check existence of matrix-mautrix-gmessages service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service"
+  register: matrix_mautrix_gmessages_service_stat
+
+- when: matrix_mautrix_gmessages_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-mautrix-gmessages is stopped
+      ansible.builtin.service:
+        name: matrix-mautrix-gmessages
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure matrix-mautrix-gmessages.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-gmessages.service"
+        state: absent
--- a/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/tasks/validate_config.yml
@ -0,0 +1,20 @@
+---
+
+- name: Fail if required mautrix-gmessages settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_mautrix_gmessages_appservice_token', when: true}
+    - {'name': 'matrix_mautrix_gmessages_homeserver_token', when: true}
+    - {'name': 'matrix_mautrix_gmessages_database_hostname', when: "{{ matrix_mautrix_gmessages_database_engine == 'postgres' }}"}
+
+- name: (Deprecation) Catch and report renamed settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_mautrix_gmessages_log_level', 'new': 'matrix_mautrix_gmessages_logging_level'}
--- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2
@ -0,0 +1,292 @@
+#jinja2: lstrip_blocks: "True"
+# Homeserver details.
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: {{ matrix_mautrix_gmessages_homeserver_address }}
+    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
+    domain: {{ matrix_mautrix_gmessages_homeserver_domain }}
+
+    # What software is the homeserver running?
+    # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here.
+    software: standard
+    # The URL to push real-time bridge status to.
+    # If set, the bridge will make POST requests to this URL whenever a user's google messages connection state changes.
+    # The bridge will use the appservice as_token to authorize requests.
+    status_endpoint: null
+    # Endpoint for reporting per-message status.
+    message_send_checkpoint_endpoint: null
+    # Does the homeserver support https://github.com/matrix-org/matrix-spec-proposals/pull/2246?
+    async_media: false
+
+    # Should the bridge use a websocket for connecting to the homeserver?
+    # The server side is currently not documented anywhere and is only implemented by mautrix-wsproxy,
+    # mautrix-asmux (deprecated), and hungryserv (proprietary).
+    websocket: false
+    # How often should the websocket be pinged? Pinging will be disabled if this is zero.
+    ping_interval_seconds: 0
+
+# Application service host/registration related details.
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: {{ matrix_mautrix_gmessages_appservice_address }}
+
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 8080
+
+    # Database config.
+    database:
+        # The database type. "sqlite3-fk-wal" and "postgres" are supported.
+        type: postgres
+        # The database URI.
+        #   SQLite: A raw file path is supported, but `file:<path>?_txlock=immediate` is recommended.
+        #           https://github.com/mattn/go-sqlite3#connection-string
+        #   Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable
+        #             To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql
+        uri: {{ matrix_mautrix_gmessages_appservice_database_uri|to_json }}
+        # Maximum number of connections. Mostly relevant for Postgres.
+        max_open_conns: 20
+        max_idle_conns: 2
+        # Maximum connection idle time and lifetime before they're closed. Disabled if null.
+        # Parsed with https://pkg.go.dev/time#ParseDuration
+        max_conn_idle_time: null
+        max_conn_lifetime: null
+
+    # The unique ID of this appservice.
+    id: gmessages
+    # Appservice bot details.
+    bot:
+        # Username of the appservice bot.
+        username: {{ matrix_mautrix_gmessages_appservice_bot_username|to_json }}
+        # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+        # to leave display name/avatar as-is.
+        displayname: Google Messages bridge bot
+        avatar: mxc://maunium.net/yGOdcrJcwqARZqdzbfuxfhzb
+
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    ephemeral_events: true
+
+    # Should incoming events be handled asynchronously?
+    # This may be necessary for large public instances with lots of messages going through.
+    # However, messages will not be guaranteed to be bridged in the same order they were sent in.
+    async_transactions: false
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ matrix_mautrix_gmessages_appservice_token }}"
+    hs_token: "{{ matrix_mautrix_gmessages_homeserver_token }}"
+
+# Segment API key to track some events, like provisioning API login and encryption errors.
+segment_key: null
+# Optional user_id to use when sending Segment events. If null, defaults to using mxID.
+segment_user_id: null
+
+# Prometheus config.
+metrics:
+    # Enable prometheus metrics?
+    enabled: {{ matrix_mautrix_gmessages_metrics_enabled | to_json }}
+    # IP and port where the metrics listener should be. The path is always /metrics
+    listen: 127.0.0.1:8001
+
+google_messages:
+    # OS name to tell the phone. This is the name that shows up in the paired devices list.
+    os: mautrix-gmessages
+    # Browser type to tell the phone. This decides which icon is shown.
+    # Valid types: OTHER, CHROME, FIREFOX, SAFARI, OPERA, IE, EDGE
+    browser: OTHER
+
+    # Should the bridge aggressively set itself as the active device if the user opens Google Messages in a browser?
+    # If this is disabled, the user must manually use the `reconnect` command to reactivate the bridge.
+    aggressive_reconnect: false
+
+# Bridge config
+bridge:
+    # Localpart template of MXIDs for SMS users.
+    # {{ '{{.}}' }} is replaced with an identifier of the recipient.
+    username_template: "{{ 'gmessages_{{.}}' }}"
+    # Displayname template for SMS users.
+    # {{ '{{.FullName}}' }} - Full name provided by the phone
+    # {{ '{{.FirstName}}' }} - First name provided by the phone
+    # {{ '{{.PhoneNumber}}' }} - Formatted phone number provided by the phone
+    displayname_template: "{{ '{{or .FullName .PhoneNumber}}' }}"
+    # Should the bridge create a space for each logged-in user and add bridged rooms to it?
+    personal_filtering_spaces: {{ matrix_mautrix_gmessages_bridge_personal_filtering_spaces | to_json }}
+    # Should the bridge send a read receipt from the bridge bot when a message has been sent to the phone?
+    delivery_receipts: false
+    # Whether the bridge should send the message status as a custom com.beeper.message_send_status event.
+    message_status_events: false
+    # Whether the bridge should send error notices via m.notice events when a message fails to bridge.
+    message_error_notices: true
+
+    portal_message_buffer: 128
+
+    # Should the bridge update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Number of chats to sync when connecting to Google Messages.
+    initial_chat_sync_count: 25
+    # Backfill settings
+    backfill:
+        # Number of messages to backfill in new chats.
+        initial_limit: 50
+        # Number of messages to backfill on startup if the last message ID in the chat sync doesn't match the last bridged message.
+        missed_limit: 100
+
+    # Servers to always allow double puppeting from
+    double_puppet_server_map:
+        "{{ matrix_mautrix_gmessages_homeserver_domain }}": {{ matrix_mautrix_gmessages_homeserver_address }}
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, double puppeting will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    login_shared_secret_map: {{ matrix_mautrix_gmessages_bridge_login_shared_secret_map|to_json }}
+
+    # Whether to explicitly set the avatar and room name for private chat portal rooms.
+    # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms.
+    # If set to `always`, all DM rooms will have explicit names and avatars set.
+    # If set to `never`, DM rooms will never have names and avatars set.
+    private_chat_portal_meta: default
+    # Should Matrix m.notice-type messages be bridged?
+    bridge_notices: true
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it, except if the config file is not writable.
+    resend_bridge_info: false
+    # When using double puppeting, should muted chats be muted in Matrix?
+    mute_bridging: {{ matrix_mautrix_gmessages_bridge_mute_bridging | to_json }}
+    # When using double puppeting, should archived chats be moved to a specific tag in Matrix?
+    # This can be set to a tag (e.g. m.lowpriority), or null to disable.
+    archive_tag: null
+    # Same as above, but for pinned chats. The favorite tag is called m.favourite
+    pinned_tag: null
+    # Should mute status and tags only be bridged when the portal room is created?
+    tag_only_on_create: true
+    # Whether or not created rooms should have federation enabled.
+    # If false, created portal rooms will never be federated.
+    federate_rooms: {{ matrix_mautrix_gmessages_federate_rooms|to_json }}
+    # Should the bridge never send alerts to the bridge management room?
+    # These are mostly things like the user being logged out.
+    disable_bridge_alerts: false
+    # Send captions in the same message as images. This will send data compatible with both MSC2530 and MSC3552.
+    # This is currently not supported in most clients.
+    caption_in_message: false
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: "!gm"
+
+    # Messages sent upon joining a management room.
+    # Markdown is supported. The defaults are listed below.
+    management_room_text:
+        # Sent when joining a room.
+        welcome: "Hello, I'm a Google Messages bridge bot."
+        # Sent when joining a management room and the user is already logged in.
+        welcome_connected: "Use `help` for help."
+        # Sent when joining a management room and the user is not logged in.
+        welcome_unconnected: "Use `help` for help or `login` to log in."
+        # Optional extra text sent when joining a management room.
+        additional_help: ""
+
+    # End-to-bridge encryption support options.
+    #
+    # See https://docs.mau.fi/bridges/general/end-to-bridge-encryption.html for more info.
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: {{ matrix_mautrix_gmessages_bridge_encryption_allow|to_json }}
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: {{ matrix_mautrix_gmessages_bridge_encryption_default|to_json }}
+        # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
+        appservice: false
+        # Require encryption, drop any unencrypted messages.
+        require: false
+        # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+        # You must use a client that supports requesting keys from other users to use this feature.
+        allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow|to_json }}
+        # Options for deleting megolm sessions from the bridge.
+        delete_keys:
+            # Beeper-specific: delete outbound sessions when hungryserv confirms
+            # that the user has uploaded the key to key backup.
+            delete_outbound_on_ack: false
+            # Don't store outbound sessions in the inbound table.
+            dont_store_outbound: false
+            # Ratchet megolm sessions forward after decrypting messages.
+            ratchet_on_decrypt: false
+            # Delete fully used keys (index >= max_messages) after decrypting messages.
+            delete_fully_used_on_decrypt: false
+            # Delete previous megolm sessions from same device when receiving a new one.
+            delete_prev_on_new_session: false
+            # Delete megolm sessions received from a device when the device is deleted.
+            delete_on_device_delete: false
+            # Periodically delete megolm sessions when 2x max_age has passed since receiving the session.
+            periodically_delete_expired: false
+            # Delete inbound megolm sessions that don't have the received_at field used for
+            # automatic ratcheting and expired session deletion. This is meant as a migration
+            # to delete old keys prior to the bridge update.
+            delete_outdated_inbound: false
+        # What level of device verification should be required from users?
+        #
+        # Valid levels:
+        #   unverified - Send keys to all device in the room.
+        #   cross-signed-untrusted - Require valid cross-signing, but trust all cross-signing keys.
+        #   cross-signed-tofu - Require valid cross-signing, trust cross-signing keys on first use (and reject changes).
+        #   cross-signed-verified - Require valid cross-signing, plus a valid user signature from the bridge bot.
+        #                           Note that creating user signatures from the bridge bot is not currently possible.
+        #   verified - Require manual per-device verification
+        #              (currently only possible by modifying the `trust` column in the `crypto_device` database table).
+        verification_levels:
+            # Minimum level for which the bridge should send keys to when bridging messages from SMS to Matrix.
+            receive: unverified
+            # Minimum level that the bridge should accept for incoming Matrix messages.
+            send: unverified
+            # Minimum level that the bridge should require for accepting key requests.
+            share: cross-signed-tofu
+        # Options for Megolm room key rotation. These options allow you to
+        # configure the m.room.encryption event content. See:
+        # https://spec.matrix.org/v1.3/client-server-api/#mroomencryption for
+        # more information about that event.
+        rotation:
+            # Enable custom Megolm room key rotation settings. Note that these
+            # settings will only apply to rooms created after this option is
+            # set.
+            enable_custom: false
+            # The maximum number of milliseconds a session should be used
+            # before changing it. The Matrix spec recommends 604800000 (a week)
+            # as the default.
+            milliseconds: 604800000
+            # The maximum number of messages that should be sent with a given a
+            # session before changing it. The Matrix spec recommends 100 as the
+            # default.
+            messages: 100
+
+            # Disable rotating keys when a user's devices change?
+            # You should not enable this option unless you understand all the implications.
+            disable_device_change_key_rotation: false
+
+    # Settings for provisioning API
+    provisioning:
+        # Prefix for the provisioning API paths.
+        prefix: /_matrix/provision
+        # Shared secret for authentication. If set to "generate", a random secret will be generated,
+        # or if set to "disable", the provisioning API will be disabled.
+        shared_secret: generate
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #     user - Access to use the bridge to link their own Google Messages on android.
+    #    admin - User level and some additional administration tools
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions: {{ matrix_mautrix_gmessages_bridge_permissions|to_json }}
+
+# Logging config. See https://github.com/tulir/zeroconfig for details.
+logging:
+    min_level: {{ matrix_mautrix_gmessages_logging_level }}
+    writers:
+        - type: stdout
+          format: pretty-colored
--- a/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-gmessages/templates/systemd/matrix-mautrix-gmessages.service.j2
@ -0,0 +1,43 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix gmessages bridge
+{% for service in matrix_mautrix_gmessages_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_gmessages_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-gmessages \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			-v {{ matrix_mautrix_gmessages_config_path }}:/config:z \
+			-v {{ matrix_mautrix_gmessages_data_path }}:/data:z \
+			--workdir=/data \
+			{% for arg in matrix_mautrix_gmessages_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_mautrix_gmessages_docker_image }} \
+			/usr/bin/mautrix-gmessages -c /config/config.yaml -r /config/registration.yaml
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-gmessages 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-gmessages 2>/dev/null || true'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-gmessages
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false
 matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git"
 matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}"

-matrix_mautrix_googlechat_version: v0.4.0
+matrix_mautrix_googlechat_version: v0.5.0
 # See: https://mau.dev/mautrix/googlechat/container_registry
 matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}"
 matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml
@ -83,6 +83,9 @@ matrix_mautrix_instagram_login_shared_secret: ''

 matrix_mautrix_instagram_bridge_login_shared_secret_map: "{{ {matrix_mautrix_instagram_homeserver_domain: matrix_mautrix_instagram_login_shared_secret} if matrix_mautrix_instagram_login_shared_secret else {} }}"

+# Enable bridge relay bot functionality
+matrix_mautrix_instagram_relay_enabled: "{{ matrix_bridges_relay_enabled }}"
+
 matrix_mautrix_instagram_appservice_bot_username: instagrambot

 matrix_mautrix_instagram_bridge_presence: true
--- a/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-instagram/templates/config.yaml.j2
@ -143,15 +143,15 @@ bridge:
  # application service.
  encryption:
    # Allow encryption, work in group chat rooms with e2ee enabled
-    allow: {{ matrix_mautrix_discord_bridge_encryption_allow|to_json }}
+    allow: {{ matrix_mautrix_instagram_bridge_encryption_allow|to_json }}
    # Default to encryption, force-enable encryption in all portals the bridge creates
    # This will cause the bridge bot to be in private chats for the encryption to work properly.
-    default: {{ matrix_mautrix_discord_bridge_encryption_default|to_json }}
+    default: {{ matrix_mautrix_instagram_bridge_encryption_default|to_json }}
    # Options for automatic key sharing.
    key_sharing:
      # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
      # You must use a client that supports requesting keys from other users to use this feature.
-      allow: {{ matrix_mautrix_discord_bridge_encryption_key_sharing_allow|to_json }}
+      allow: {{ matrix_mautrix_instagram_bridge_encryption_key_sharing_allow|to_json }}
      # Require the requesting device to have a valid cross-signing signature?
      # This doesn't require that the bridge has verified the device, only that the user has verified it.
      # Not yet implemented.
@ -196,6 +196,23 @@ bridge:
    # The shared secret to authorize users of the API.
    # Set to "generate" to generate and save a new token.
    shared_secret: generate
+  relay:
+    # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any
+    # authenticated user into a relaybot for that chat.
+    enabled: {{ matrix_mautrix_instagram_relay_enabled }}
+    # The formats to use when sending messages to Instagram via a relay user.
+    #
+    # Available variables:
+    #   $sender_displayname - The display name of the sender (e.g. Example User)
+    #   $sender_username    - The username (Matrix ID localpart) of the sender (e.g. exampleuser)
+    #   $sender_mxid        - The Matrix ID of the sender (e.g. @exampleuser:example.com)
+    #   $message            - The message content
+    #
+    # Note that Instagram doesn't support captions for images, so images won't include any indication of being relayed.
+    message_formats:
+      m.text: '$sender_displayname: $message'
+      m.notice: '$sender_displayname: $message'
+      m.emote: '* $sender_displayname $message'

 # Python logging configuration.
 #
--- a/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml
@ -104,7 +104,7 @@ matrix_mautrix_signal_appservice_database: "{{
 matrix_mautrix_signal_login_shared_secret: ''

 # Enable bridge relay bot functionality
-matrix_mautrix_signal_relaybot_enabled: false
+matrix_mautrix_signal_relaybot_enabled: "{{ matrix_bridges_relay_enabled }}"

 # Permissions for using the bridge.
 # Permitted values:
--- a/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml
@ -66,8 +66,9 @@ matrix_mautrix_slack_database_password: 'some-password'
 matrix_mautrix_slack_database_hostname: ''
 matrix_mautrix_slack_database_port: 5432
 matrix_mautrix_slack_database_name: 'matrix_mautrix_slack'
+matrix_mautrix_slack_database_sslmode: disable

-matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode=disable'
+matrix_mautrix_slack_database_connection_string: 'postgresql://{{ matrix_mautrix_slack_database_username }}:{{ matrix_mautrix_slack_database_password }}@{{ matrix_mautrix_slack_database_hostname }}:{{ matrix_mautrix_slack_database_port }}/{{ matrix_mautrix_slack_database_name }}?sslmode={{ matrix_mautrix_slack_database_sslmode }}'

 matrix_mautrix_slack_appservice_database_type: "{{
 	{
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"

-matrix_mautrix_telegram_version: v0.14.0
+matrix_mautrix_telegram_version: v0.14.1
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
@ -136,6 +136,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml | from_yaml | combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"

+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
  id: telegram
  as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@ -154,6 +156,7 @@ matrix_mautrix_telegram_registration_yaml: |
  url: {{ matrix_mautrix_telegram_appservice_address }}
  rate_limited: false
  de.sorunome.msc2409.push_ephemeral: true
+#  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"

 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml | from_yaml }}"

--- a/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml
@ -8,7 +8,7 @@ matrix_mautrix_whatsapp_container_image_self_build: false
 matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautrix/whatsapp.git"
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"

-matrix_mautrix_whatsapp_version: v0.8.5
+matrix_mautrix_whatsapp_version: v0.10.0
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_name_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
 matrix_mautrix_whatsapp_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_whatsapp_container_image_self_build else 'dock.mau.dev/' }}"
@ -74,8 +74,9 @@ matrix_mautrix_whatsapp_database_password: 'some-password'
 matrix_mautrix_whatsapp_database_hostname: ''
 matrix_mautrix_whatsapp_database_port: 5432
 matrix_mautrix_whatsapp_database_name: 'matrix_mautrix_whatsapp'
+matrix_mautrix_whatsapp_database_sslmode: disable

-matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode=disable'
+matrix_mautrix_whatsapp_database_connection_string: 'postgresql://{{ matrix_mautrix_whatsapp_database_username }}:{{ matrix_mautrix_whatsapp_database_password }}@{{ matrix_mautrix_whatsapp_database_hostname }}:{{ matrix_mautrix_whatsapp_database_port }}/{{ matrix_mautrix_whatsapp_database_name }}?sslmode={{ matrix_mautrix_whatsapp_database_sslmode }}'

 matrix_mautrix_whatsapp_appservice_database_type: "{{
 	{
@ -113,7 +114,7 @@ matrix_mautrix_whatsapp_bridge_permissions: |
  }}

 # Enable bridge relay functionality
-matrix_mautrix_whatsapp_bridge_relay_enabled: false
+matrix_mautrix_whatsapp_bridge_relay_enabled: "{{ matrix_bridges_relay_enabled }}"

 # Only allow admins on this home server to set themselves as a relay user
 matrix_mautrix_whatsapp_bridge_relay_admin_only: true
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/defaults/main.yml
@ -0,0 +1,155 @@
+---
+# mautrix-wsproxy is a Matrix <-> websocket bridge
+# See: https://github.com/mautrix/wsproxy
+
+matrix_mautrix_wsproxy_enabled: true
+
+matrix_mautrix_wsproxy_version: latest
+# See: https://mau.dev/mautrix/wsproxy/container_registry
+matrix_mautrix_wsproxy_docker_image: "dock.mau.dev/mautrix/wsproxy:{{ matrix_mautrix_wsproxy_version }}"
+matrix_mautrix_wsproxy_docker_image_force_pull: "{{ matrix_mautrix_wsproxy_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_wsproxy_base_path: "{{ matrix_base_data_path }}/wsproxy"
+matrix_mautrix_wsproxy_config_path: "{{ matrix_mautrix_wsproxy_base_path }}/config"
+
+matrix_mautrix_wsproxy_homeserver_address: "{{ matrix_homeserver_container_url }}"
+matrix_mautrix_wsproxy_homeserver_domain: "{{ matrix_domain }}"
+
+matrix_mautrix_wsproxy_bind_port: false
+matrix_mautrix_wsproxy_port: 29331
+
+matrix_mautrix_wsproxy_appservice_address: "http://matrix-mautrix-wsproxy:{{ matrix_mautrix_wsproxy_port }}"
+
+matrix_mautrix_wsproxy_hostname: ""
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_mautrix_wsproxy_container_network: matrix-mautrix-wsproxy
+
+# matrix_mautrix_wsproxy_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_mautrix_wsproxy_container_labels_additional_labels`.
+matrix_mautrix_wsproxy_container_labels_traefik_enabled: true
+matrix_mautrix_wsproxy_container_labels_traefik_docker_network: "{{ matrix_mautrix_wsproxy_container_network }}"
+matrix_mautrix_wsproxy_container_labels_traefik_hostname: "{{ matrix_mautrix_wsproxy_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/wsproxy`).
+matrix_mautrix_wsproxy_container_labels_traefik_rule: "Host(`{{ matrix_mautrix_wsproxy_container_labels_traefik_hostname }}`)"
+matrix_mautrix_wsproxy_container_labels_traefik_priority: 0
+matrix_mautrix_wsproxy_container_labels_traefik_entrypoints: web-secure
+matrix_mautrix_wsproxy_container_labels_traefik_tls: "{{ matrix_mautrix_wsproxy_container_labels_traefik_entrypoints != 'web' }}"
+matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own headers, use `matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_custom`
+matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_auto: {}
+matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_custom: {}
+matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers: "{{ matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_auto | combine(matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers_custom) }}"
+
+# matrix_mautrix_wsproxy_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_mautrix_wsproxy_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_mautrix_wsproxy_container_labels_additional_labels: ''
+
+# A list of extra arguments to pass to the container
+matrix_mautrix_wsproxy_container_extra_arguments: []
+
+# List of systemd services that matrix-mautrix-wsproxy.service depends on.
+matrix_mautrix_wsproxy_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-mautrix-wsproxy.service wants
+matrix_mautrix_wsproxy_systemd_wanted_services_list: []
+
+matrix_mautrix_androidsms_appservice_token: ''
+matrix_mautrix_androidsms_homeserver_token: ''
+
+matrix_mautrix_imessage_appservice_token: ''
+matrix_mautrix_imessage_homeserver_token: ''
+
+matrix_mautrix_androidsms_appservice_bot_username: androidsmsbot
+matrix_mautrix_imessage_appservice_bot_username: imessagebot
+
+# Default mautrix-wsproxy configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mautrix_wsproxy_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mautrix_wsproxy_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_mautrix_wsproxy_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_mautrix_wsproxy_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mautrix_wsproxy_configuration_yaml`.
+
+matrix_mautrix_wsproxy_configuration_extension: "{{ matrix_mautrix_wsproxy_configuration_extension_yaml|from_yaml if matrix_mautrix_wsproxy_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_wsproxy_configuration_yaml`.
+matrix_mautrix_wsproxy_configuration: "{{ matrix_mautrix_wsproxy_configuration_yaml|from_yaml|combine(matrix_mautrix_wsproxy_configuration_extension, recursive=True) }}"
+
+matrix_mautrix_androidsms_registration_yaml: |
+  id: androidsms
+  url: {{ matrix_mautrix_wsproxy_appservice_address }}
+  as_token: "{{ matrix_mautrix_androidsms_appservice_token }}"
+  hs_token: "{{ matrix_mautrix_androidsms_homeserver_token }}"
+  sender_localpart: _bot_{{ matrix_mautrix_androidsms_appservice_bot_username }}
+  rate_limited: false
+  namespaces:
+      users:
+      - regex: '@androidsms_.+:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$'
+        exclusive: true
+      - exclusive: true
+        regex: '^@{{ matrix_mautrix_androidsms_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$'
+
+matrix_mautrix_androidsms_registration: "{{ matrix_mautrix_androidsms_registration_yaml|from_yaml }}"
+
+matrix_mautrix_imessage_registration_yaml: |
+  id: imessage
+  url: {{ matrix_mautrix_wsproxy_appservice_address }}
+  as_token: "{{ matrix_mautrix_imessage_appservice_token }}"
+  hs_token: "{{ matrix_mautrix_imessage_homeserver_token }}"
+  sender_localpart: _bot_{{ matrix_mautrix_imessage_appservice_bot_username }}
+  rate_limited: false
+  namespaces:
+      users:
+      - regex: '@imessage_.+:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$'
+        exclusive: true
+      - exclusive: true
+        regex: '^@{{ matrix_mautrix_imessage_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_wsproxy_homeserver_domain|regex_escape }}$'
+
+matrix_mautrix_imessage_registration: "{{ matrix_mautrix_imessage_registration_yaml|from_yaml }}"
+
+# Syncproxy-related configuration fields
+matrix_mautrix_wsproxy_syncproxy_version: latest
+# See: https://mau.dev/mautrix/wsproxy/container_registry
+matrix_mautrix_wsproxy_syncproxy_docker_image: "dock.mau.dev/mautrix/syncproxy:{{ matrix_mautrix_wsproxy_syncproxy_version }}"
+matrix_mautrix_wsproxy_syncproxy_docker_image_force_pull: "{{ matrix_mautrix_wsproxy_syncproxy_docker_image.endswith(':latest') }}"
+matrix_mautrix_wsproxy_syncproxy_container_extra_arguments: []
+
+matrix_mautrix_wsproxy_syncproxy_systemd_required_services_list: ['docker.service', 'matrix-mautrix-wsproxy.service']
+matrix_mautrix_wsproxy_syncproxy_systemd_wanted_services_list: []
+
+matrix_mautrix_wsproxy_syncproxy_shared_secret: ''
+matrix_mautrix_wsproxy_syncproxy_port: 29332
+matrix_mautrix_wsproxy_syncproxy_appservice_address: "http://matrix-mautrix-wsproxy-syncproxy:{{ matrix_mautrix_wsproxy_syncproxy_port }}"
+
+# Database-related configuration fields
+#
+# This bridge supports Postgres and SQLite.
+#
+matrix_mautrix_wsproxy_syncproxy_database_engine: 'postgres'
+
+matrix_mautrix_wsproxy_syncproxy_database_username: 'matrix_mautrix_wsproxy_syncproxy'
+matrix_mautrix_wsproxy_syncproxy_database_password: 'some-password'
+matrix_mautrix_wsproxy_syncproxy_database_hostname: 'matrix-postgres'
+matrix_mautrix_wsproxy_syncproxy_database_port: 5432
+matrix_mautrix_wsproxy_syncproxy_database_name: 'matrix_mautrix_wsproxy_syncproxy'
+
+matrix_mautrix_signal_wsproxy_syncproxy_connection_string: 'postgres://{{ matrix_mautrix_wsproxy_syncproxy_database_username }}:{{ matrix_mautrix_wsproxy_syncproxy_database_password }}@{{ matrix_mautrix_wsproxy_syncproxy_database_hostname }}:{{ matrix_mautrix_wsproxy_syncproxy_database_port }}/{{ matrix_mautrix_wsproxy_syncproxy_database_name }}'
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/inject_into_nginx_proxy.yml
@ -0,0 +1,48 @@
+---
+
+- name: Fail if matrix-nginx-proxy role already executed
+  ansible.builtin.fail:
+    msg: >-
+      Trying to append Mautrix Wsproxy reverse-proxying configuration to matrix-nginx-proxy,
+      but it's pointless since the matrix-nginx-proxy role had already executed.
+      To fix this, please change the order of roles in your playbook,
+      so that the matrix-nginx-proxy role would run after the matrix-bridge-mautrix-wsproxy role.
+  when: matrix_nginx_proxy_role_executed | default(False) | bool
+
+- tags:
+    - always
+  when: matrix_mautrix_wsproxy_enabled|bool
+  block:
+    - name: Generate Mautrix Wsproxy proxying configuration for matrix-nginx-proxy
+      ansible.builtin.set_fact:
+        matrix_mautrix_wsproxy_matrix_nginx_proxy_configuration: |
+          location ~ ^/(_matrix/wsproxy/.*) {
+          {% if matrix_nginx_proxy_enabled|default(False) %}
+            {# Use the embedded DNS resolver in Docker containers to discover the service #}
+            resolver 127.0.0.11 valid=5s;
+            set $backend "matrix-mautrix-wsproxy:29331";
+            proxy_pass http://$backend;
+          {% else %}
+            {# Generic configuration for use outside of our container setup #}
+            proxy_pass http://127.0.0.1:29331;
+          {% endif %}
+          }
+
+    - name: Register Mautrix Wsproxy proxying configuration with matrix-nginx-proxy
+      ansible.builtin.set_fact:
+        matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks: |
+          {{
+            matrix_nginx_proxy_proxy_matrix_additional_server_configuration_blocks|default([])
+            +
+            [matrix_mautrix_wsproxy_matrix_nginx_proxy_configuration]
+          }}
+
+- name: Warn about reverse-proxying if matrix-nginx-proxy not used
+  ansible.builtin.debug:
+    msg: >-
+      NOTE: You've enabled the Mautrix wsproxy bridge but are not using the matrix-nginx-proxy
+      reverse proxy.
+      Please make sure that you're proxying the `{{ matrix_mautrix_wsproxy_public_endpoint }}`
+      URL endpoint to the matrix-mautrix-wsproxy container.
+      You can expose the container's port using the `matrix_mautrix_wsproxy_container_http_host_bind_port` variable.
+  when: "matrix_mautrix_wsproxy_enabled|bool and matrix_nginx_proxy_enabled is not defined"
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/main.yml
@ -0,0 +1,29 @@
+---
+
+- tags:
+    - setup-all
+    - setup-nginx-proxy
+    - install-all
+    - install-nginx-proxy
+  block:
+    - when: matrix_mautrix_wsproxy_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
+
+- tags:
+    - setup-all
+    - setup-mautrix-wsproxy
+    - install-all
+    - install-mautrix-wsproxy
+  block:
+    - when: matrix_mautrix_wsproxy_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_mautrix_wsproxy_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
+
+- tags:
+    - setup-all
+    - setup-mautrix-wsproxy
+  block:
+    - when: not matrix_mautrix_wsproxy_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_install.yml
@ -0,0 +1,121 @@
+---
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  ansible.builtin.fail:
+    msg: >-
+      The matrix-bridge-mautrix-wsproxy role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- ansible.builtin.set_fact:
+    matrix_mautrix_wsproxy_requires_restart: false
+
+- ansible.builtin.set_fact:
+    matrix_mautrix_wsproxy_syncproxy_requires_restart: false
+
+- name: Ensure Mautrix wsproxy support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_mautrix_wsproxy_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - syncproxy-env
+    - wsproxy-labels
+
+- name: Ensure Mautrix wsproxy image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_mautrix_wsproxy_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_wsproxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_wsproxy_docker_image_force_pull }}"
+
+- name: Ensure Mautrix syncproxy image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_mautrix_wsproxy_syncproxy_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_wsproxy_syncproxy_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_wsproxy_syncproxy_docker_image_force_pull }}"
+
+- name: Ensure Mautrix wsproxy paths exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - "{{ matrix_mautrix_wsproxy_base_path }}"
+    - "{{ matrix_mautrix_wsproxy_config_path }}"
+
+- name: Check if an old matrix state file exists
+  ansible.builtin.stat:
+    path: "{{ matrix_mautrix_wsproxy_base_path }}/mx-state.json"
+  register: matrix_mautrix_wsproxy_stat_mx_state
+
+- name: Ensure mautrix-wsproxy config.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_mautrix_wsproxy_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_wsproxy_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-androidsms registration.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_mautrix_androidsms_registration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_wsproxy_config_path }}/androidsms-registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-imessage registration.yaml installed
+  ansible.builtin.copy:
+    content: "{{ matrix_mautrix_imessage_registration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_wsproxy_config_path }}/imessage-registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-wsproxy container network is created
+  community.general.docker_network:
+    name: "{{ matrix_mautrix_wsproxy_container_network }}"
+    driver: bridge
+
+- name: Ensure matrix-mautrix-wsproxy.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-wsproxy.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy.service"
+    mode: 0644
+  register: matrix_mautrix_wsproxy_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-mautrix-wsproxy.service installation
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_mautrix_wsproxy_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-wsproxy.service restarted, if necessary
+  ansible.builtin.service:
+    name: "matrix-mautrix-wsproxy.service"
+    state: restarted
+  when: "matrix_mautrix_wsproxy_requires_restart|bool"
+
+- name: Ensure matrix-mautrix-wsproxy-syncproxy.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy-syncproxy.service"
+    mode: 0644
+  register: matrix_mautrix_wsproxy_syncproxy_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-mautrix-wsproxy-syncproxy.service installation
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_mautrix_wsproxy_syncproxy_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-wsproxy-syncproxy.service restarted, if necessary
+  ansible.builtin.service:
+    name: "matrix-mautrix-wsproxy-syncproxy.service"
+    state: restarted
+  when: "matrix_mautrix_wsproxy_syncproxy_requires_restart|bool"
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_uninstall.yml
@ -0,0 +1,47 @@
+---
+
+- name: Check existence of matrix-mautrix-wsproxy service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy.service"
+  register: matrix_mautrix_wsproxy_service_stat
+
+- name: Ensure matrix-mautrix-wsproxy is stopped
+  ansible.builtin.service:
+    name: matrix-mautrix-wsproxy
+    state: stopped
+    daemon_reload: true
+  when: "matrix_mautrix_wsproxy_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-wsproxy.service doesn't exist
+  ansible.builtin.file:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy.service"
+    state: absent
+  when: "matrix_mautrix_wsproxy_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mautrix-wsproxy.service removal
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_mautrix_wsproxy_service_stat.stat.exists"
+
+- name: Check existence of matrix-mautrix-wsproxy-syncproxy service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy-syncproxy.service"
+  register: matrix_mautrix_wsproxy_syncproxy_service_stat
+
+- name: Ensure matrix-mautrix-wsproxy-syncproxy is stopped
+  ansible.builtin.service:
+    name: matrix-mautrix-wsproxy-syncproxy
+    state: stopped
+    daemon_reload: true
+  when: "matrix_mautrix_wsproxy_syncproxy_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-wsproxy-syncproxy.service doesn't exist
+  ansible.builtin.file:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-mautrix-wsproxy-syncproxy.service"
+    state: absent
+  when: "matrix_mautrix_wsproxy_syncproxy_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mautrix-wsproxy-syncproxy.service removal
+  ansible.builtin.service:
+    daemon_reload: true
+  when: "matrix_mautrix_wsproxy_syncproxy_service_stat.stat.exists"
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml
@ -0,0 +1,13 @@
+---
+
+- name: Fail if required settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_mautrix_androidsms_appservice_token"
+    - "matrix_mautrix_androidsms_homeserver_token"
+    - "matrix_mautrix_imessage_appservice_token"
+    - "matrix_mautrix_imessage_homeserver_token"
+    - "matrix_mautrix_wsproxy_syncproxy_shared_secret"
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/config.yaml.j2
@ -0,0 +1,14 @@
+listen_address: 0.0.0.0:29331
+appservices:
+  - id: androidsms
+    as: {{ matrix_mautrix_androidsms_appservice_token | to_json }}
+    hs: {{ matrix_mautrix_androidsms_homeserver_token | to_json }}
+  - id: imessage
+    as: {{ matrix_mautrix_imessage_appservice_token | to_json }}
+    hs: {{ matrix_mautrix_imessage_homeserver_token | to_json }}
+sync_proxy:
+  # The URL that mautrix-wsproxy can use to reach mautrix-syncproxy
+  url: {{ matrix_mautrix_wsproxy_syncproxy_appservice_address | to_json }}
+  # The URL that mautrix-syncproxy can use to reach mautrix-wsproxy
+  wsproxy_url: {{ matrix_mautrix_wsproxy_appservice_address | to_json }}
+  shared_secret: {{ matrix_mautrix_wsproxy_syncproxy_shared_secret | to_json }}
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/syncproxy-env.j2
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/syncproxy-env.j2
@ -0,0 +1,3 @@
+DATABASE_URL={{ matrix_mautrix_signal_wsproxy_syncproxy_connection_string }}
+HOMESERVER_URL={{ matrix_homeserver_container_url  }}
+SHARED_SECRET={{ matrix_mautrix_wsproxy_syncproxy_shared_secret }}
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy-syncproxy.service.j2
@ -0,0 +1,40 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix wsproxy syncproxy
+{% for service in matrix_mautrix_wsproxy_syncproxy_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_wsproxy_syncproxy_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-mautrix-wsproxy-syncproxy \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			--env-file={{ matrix_mautrix_wsproxy_base_path }}/syncproxy-env \
+			{% for arg in matrix_mautrix_wsproxy_syncproxy_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_mautrix_wsproxy_syncproxy_docker_image }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy-syncproxy 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-wsproxy-syncproxy
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy.service.j2
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/systemd/matrix-mautrix-wsproxy.service.j2
@ -0,0 +1,51 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix wsproxy bridge
+{% for service in matrix_mautrix_wsproxy_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_wsproxy_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy 2>/dev/null'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy 2>/dev/null'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create --rm --name matrix-mautrix-wsproxy \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			{% if matrix_mautrix_wsproxy_bind_port %}
+			-p {{ matrix_mautrix_wsproxy_port }}:29331 \
+			{% endif %}
+			--mount type=bind,src={{ matrix_mautrix_wsproxy_config_path }},dst=/data \
+			--label-file={{ matrix_mautrix_wsproxy_base_path }}/wsproxy-labels \
+			{% for arg in matrix_mautrix_wsproxy_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_mautrix_wsproxy_docker_image }} \
+			/usr/bin/mautrix-wsproxy -config /data/config.yaml
+
+{% for network in matrix_mautrix_wsproxy_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-mautrix-wsproxy
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-mautrix-wsproxy
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-mautrix-wsproxy 2>/dev/null'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-mautrix-wsproxy 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-wsproxy
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/custom/matrix-bridge-mautrix-wsproxy/templates/wsproxy-labels.j2
+++ b/roles/custom/matrix-bridge-mautrix-wsproxy/templates/wsproxy-labels.j2
@ -0,0 +1,34 @@
+{% if matrix_mautrix_wsproxy_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_mautrix_wsproxy_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_mautrix_wsproxy_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_mautrix_wsproxy_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.matrix-mautrix-wsproxy-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + ['matrix-mautrix-wsproxy-add-headers'] %}
+{% endif %}
+
+traefik.http.routers.matrix-mautrix-wsproxy.rule={{ matrix_mautrix_wsproxy_container_labels_traefik_rule }}
+{% if matrix_mautrix_wsproxy_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-mautrix-wsproxy.priority={{ matrix_mautrix_wsproxy_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.matrix-mautrix-wsproxy.service=matrix-mautrix-wsproxy
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-mautrix-wsproxy.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.matrix-mautrix-wsproxy.entrypoints={{ matrix_mautrix_wsproxy_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-mautrix-wsproxy.tls={{ matrix_mautrix_wsproxy_container_labels_traefik_tls | to_json }}
+{% if matrix_mautrix_wsproxy_container_labels_traefik_tls %}
+traefik.http.routers.matrix-mautrix-wsproxy.tls.certResolver={{ matrix_mautrix_wsproxy_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.matrix-mautrix-wsproxy.loadbalancer.server.port={{ matrix_mautrix_wsproxy_port }}
+{% endif %}
+
+{{ matrix_mautrix_wsproxy_container_labels_additional_labels }}
--- a/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml
@ -69,8 +69,9 @@ matrix_mx_puppet_discord_database_password: ~
 matrix_mx_puppet_discord_database_hostname: ''
 matrix_mx_puppet_discord_database_port: 5432
 matrix_mx_puppet_discord_database_name: matrix_mx_puppet_discord
+matrix_mx_puppet_discord_database_sslmode: disable

-matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode=disable'
+matrix_mx_puppet_discord_database_connection_string: 'postgresql://{{ matrix_mx_puppet_discord_database_username }}:{{ matrix_mx_puppet_discord_database_password }}@{{ matrix_mx_puppet_discord_database_hostname }}:{{ matrix_mx_puppet_discord_database_port }}/{{ matrix_mx_puppet_discord_database_name }}?sslmode={{ matrix_mx_puppet_discord_database_sslmode }}'

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2
@ -70,7 +70,7 @@ namePatterns:
  #
  # name: username of the user
  # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"

  # A user's guild-specific displayname - if they've set a custom nick in
  # a guild
@ -82,7 +82,7 @@ namePatterns:
  # displayname: the user's custom group-specific nick
  # channel: the name of the channel
  # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"

  # Room names for bridged Discord channels
  #
@ -90,7 +90,7 @@ namePatterns:
  #
  # name: name of the channel
  # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"

  # Group names for bridged Discord servers
  #
--- a/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml
@ -65,8 +65,9 @@ matrix_mx_puppet_groupme_database_password: ~
 matrix_mx_puppet_groupme_database_hostname: ''
 matrix_mx_puppet_groupme_database_port: 5432
 matrix_mx_puppet_groupme_database_name: matrix_mx_puppet_groupme
+matrix_mx_puppet_groupme_database_sslmode: disable

-matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode=disable'
+matrix_mx_puppet_groupme_database_connection_string: 'postgresql://{{ matrix_mx_puppet_groupme_database_username }}:{{ matrix_mx_puppet_groupme_database_password }}@{{ matrix_mx_puppet_groupme_database_hostname }}:{{ matrix_mx_puppet_groupme_database_port }}/{{ matrix_mx_puppet_groupme_database_name }}?sslmode={{ matrix_mx_puppet_groupme_database_sslmode }}'

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml
@ -59,8 +59,9 @@ matrix_mx_puppet_instagram_database_password: ~
 matrix_mx_puppet_instagram_database_hostname: ''
 matrix_mx_puppet_instagram_database_port: 5432
 matrix_mx_puppet_instagram_database_name: matrix_mx_puppet_instagram
+matrix_mx_puppet_instagram_database_sslmode: disable

-matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode=disable'
+matrix_mx_puppet_instagram_database_connection_string: 'postgresql://{{ matrix_mx_puppet_instagram_database_username }}:{{ matrix_mx_puppet_instagram_database_password }}@{{ matrix_mx_puppet_instagram_database_hostname }}:{{ matrix_mx_puppet_instagram_database_port }}/{{ matrix_mx_puppet_instagram_database_name }}?sslmode={{ matrix_mx_puppet_instagram_database_sslmode }}'

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml
@ -73,8 +73,9 @@ matrix_mx_puppet_slack_database_password: ~
 matrix_mx_puppet_slack_database_hostname: ''
 matrix_mx_puppet_slack_database_port: 5432
 matrix_mx_puppet_slack_database_name: matrix_mx_puppet_slack
+matrix_mx_puppet_slack_database_sslmode: disable

-matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode=disable'
+matrix_mx_puppet_slack_database_connection_string: 'postgresql://{{ matrix_mx_puppet_slack_database_username }}:{{ matrix_mx_puppet_slack_database_password }}@{{ matrix_mx_puppet_slack_database_hostname }}:{{ matrix_mx_puppet_slack_database_port }}/{{ matrix_mx_puppet_slack_database_name }}?sslmode={{ matrix_mx_puppet_slack_database_sslmode }}'

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml
@ -65,8 +65,9 @@ matrix_mx_puppet_steam_database_password: ~
 matrix_mx_puppet_steam_database_hostname: ''
 matrix_mx_puppet_steam_database_port: 5432
 matrix_mx_puppet_steam_database_name: matrix_mx_puppet_steam
+matrix_mx_puppet_steam_database_sslmode: disable

-matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode=disable'
+matrix_mx_puppet_steam_database_connection_string: 'postgresql://{{ matrix_mx_puppet_steam_database_username }}:{{ matrix_mx_puppet_steam_database_password }}@{{ matrix_mx_puppet_steam_database_hostname }}:{{ matrix_mx_puppet_steam_database_port }}/{{ matrix_mx_puppet_steam_database_name }}?sslmode={{ matrix_mx_puppet_steam_database_sslmode }}'

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml
@ -74,8 +74,9 @@ matrix_mx_puppet_twitter_database_password: ~
 matrix_mx_puppet_twitter_database_hostname: ''
 matrix_mx_puppet_twitter_database_port: 5432
 matrix_mx_puppet_twitter_database_name: matrix_mx_puppet_twitter
+matrix_mx_puppet_twitter_database_sslmode: disable

-matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode=disable'
+matrix_mx_puppet_twitter_database_connection_string: 'postgresql://{{ matrix_mx_puppet_twitter_database_username }}:{{ matrix_mx_puppet_twitter_database_password }}@{{ matrix_mx_puppet_twitter_database_hostname }}:{{ matrix_mx_puppet_twitter_database_port }}/{{ matrix_mx_puppet_twitter_database_name }}?sslmode={{ matrix_mx_puppet_twitter_database_sslmode }}'

 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
--- a/Show More
+++ b/Show More