meta: move inventory structure to be more usable

* migration ownership fix

* lint fix

* lint fixes

CHANGELOG.md

@@ -1,3 +1,45 @@
+# 2025-04-26
+
+## Continuwuity support
+
+Thanks to [Virkkunen](https://github.com/Virkkunen), we now have optional experimental [Continuwuity](./docs/configuring-playbook-continuwuity.md) homeserver support.
+
+Continuwuity is a fork of [conduwuit](./docs/configuring-playbook-conduwuit.md), which the playbook also supports. It appears that conduwuit has been abandoned and various forks (like Continuwuity, [Tuwunel](https://github.com/matrix-construct/tuwunel) and possibly others) are continuing in its path.
+
+Existing installations do **not** need to be updated. **Synapse is still the default homeserver implementation** installed by the playbook.
+
+People that used to run conduwuit, may wish to:
+
+- either [migrate from conduwuit to Continuwuity](./docs/configuring-playbook-continuwuity.md#migrating-from-conduwuit)
+- or wait for some of the other forks to progress and for support for them to get added to the playbook
+
+**The homeserver implementation of an existing server cannot be changed** (e.g. from Synapse/Conduit/Dendrite to Continuwuity) without data loss.
+
+
+# 2025-04-09
+
+## Element Call frontend installation is now optional
+
+Because all Element clients (Element Web and Element X mobile) now embed and use their own Element Call frontend application (and not the one hosted via the playbook), it makes little sense for the playbook to self-host the Element Call frontend for you. Setting up the frontend requires an additional hostname (DNS setup) and it won't be used by Element clients anyway, so **we now recommend not installing the Element Call frontend**.
+
+💡 A reason you may wish to continue installing the Element Call frontend (despite Matrix clients not making use of it), is if you need to use it standalone - directly via a browser (without a Matrix client).
+
+The playbook now lets you [Decide between Element Call vs just the Matrix RTC stack](./docs/configuring-playbook-element-call.md#decide-between-element-call-vs-just-the-matrix-rtc-stack).
+
+If you've already installed Element Call (via `matrix_element_call_enabled: true`), you can switch to installing just the [Matrix RTC (Real-Time Communication) stack](./docs/configuring-playbook-matrix-rtc.md) (all supporting services **without the Element Call frontend**) by:
+
+1. Adjusting your `vars.yml` configuration like this:
+
+```diff
+-matrix_element_call_enabled: true
++matrix_rtc_enabled: true
+```
+
+2. [Re-running the playbook](./docs/installing.md) with the `setup-all` Ansible tag (e.g. `just setup-all`)
+
+3. Getting rid of the `call.element.example.com` DNS record
+
+
 # 2025-03-15
 
 ## Element Call support

README.md

@@ -53,6 +53,7 @@ The homeserver is the backbone of your Matrix system. Choose one from the follow
 | [Synapse](https://github.com/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network | [Link](docs/configuring-playbook-synapse.md) |
 | [Conduit](https://conduit.rs) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements | [Link](docs/configuring-playbook-conduit.md) |
 | [conduwuit](https://conduwuit.puppyirl.gay/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. | [Link](docs/configuring-playbook-conduwuit.md) |
+| [continuwuity](https://continuwuity.org) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. | [Link](docs/configuring-playbook-continuwuity.md) |
 | [Dendrite](https://github.com/element-hq/dendrite) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. | [Link](docs/configuring-playbook-dendrite.md) |
 
 ### Clients

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 result_format = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/configuring-playbook-conduit.md

@@ -65,6 +65,7 @@ Find the `registration.yaml` in the `/matrix` directory, for example `/matrix/ma
     ```
     as_token: <token>
     de.sorunome.msc2409.push_ephemeral: true
+    receive_ephemeral: true
     hs_token: <token>
     id: signal
     namespaces:

docs/configuring-playbook-conduwuit.md

@@ -18,6 +18,7 @@ By default, the playbook installs [Synapse](https://github.com/element-hq/synaps
 > [!WARNING]
 > - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> conduwuit). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
 > - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding
+> - **the Conduwuit project appears to have been abandoned**. You may wish to install [Conduit](./configuring-playbook-conduit.md), or one of the Conduwuit successors (like [Continuwuity](configuring-playbook-continuwuity.md))
 
 ## Adjusting the playbook configuration
 
@@ -83,6 +84,7 @@ Then, send its content to the existing admin room:
     ```
     as_token: <token>
     de.sorunome.msc2409.push_ephemeral: true
+    receive_ephemeral: true
     hs_token: <token>
     id: signal
     namespaces:

docs/configuring-playbook-continuwuity.md

@@ -0,0 +1,117 @@
+<!--
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+SPDX-FileCopyrightText: 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Configuring Continuwuity (optional)
+
+The playbook can install and configure the [Continuwuity](https://continuwuity.org) Matrix server for you.
+
+See the project's [documentation](https://continuwuity.org) to learn what it does and why it might be useful to you.
+
+By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document.
+
+💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook also supports.
+
+> [!WARNING]
+> - **You can't switch an existing Matrix server's implementation** (e.g. Synapse -> Continuwuity). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet.
+> - **Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding
+
+## Adjusting the playbook configuration
+
+To use Continuwuity, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below:
+
+```yaml
+matrix_homeserver_implementation: continuwuity
+
+# Registering users can only happen via the API,
+# so it makes sense to enable it, at least initially.
+matrix_continuwuity_config_allow_registration: true
+
+# Generate a strong registration token to protect the registration endpoint from abuse.
+# You can create one with a command like `pwgen -s 64 1`.
+matrix_continuwuity_config_registration_token: ''
+```
+
+### Extending the configuration
+
+There are some additional things you may wish to configure about the server.
+
+Take a look at:
+
+- `roles/custom/matrix-continuwuity/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
+- `roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2` for the server's default configuration
+
+There are various Ansible variables that control settings in the `continuwuity.toml` file.
+
+If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:
+
+```yaml
+matrix_continuwuity_environment_variables_extension: |
+  continuwuity_MAX_REQUEST_SIZE=50000000
+  continuwuity_REQUEST_TIMEOUT=60
+```
+
+## Creating the first user account
+
+Unlike other homeserver implementations (like Synapse and Dendrite), continuwuity does not support creating users via the command line or via the playbook.
+
+If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token.
+
+This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users.
+
+The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**.
+
+
+## Configuring bridges / appservices
+
+For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver.
+
+For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices.html#set-up-the-appservice---general-instructions) sent to the server bot account.
+
+The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy.
+Your first user account would already have been invited to an admin room with this bot.
+
+Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`.
+
+Then, send its content to the existing admin room:
+
+    !admin appservices register
+
+    ```
+    as_token: <token>
+    de.sorunome.msc2409.push_ephemeral: true
+    receive_ephemeral: true
+    hs_token: <token>
+    id: signal
+    namespaces:
+      aliases:
+      - exclusive: true
+        regex: ^#signal_.+:example\.org$
+      users:
+      - exclusive: true
+        regex: ^@signal_.+:example\.org$
+      - exclusive: true
+        regex: ^@signalbot:example\.org$
+    rate_limited: false
+    sender_localpart: _bot_signalbot
+    url: http://matrix-mautrix-signal:29328
+    ```
+
+## Migrating from conduwuit
+
+Since Continuwuity is a drop-in replacement for [conduwuit](configuring-playbook-conduwuit.md), migration is possible.
+
+1. Make sure that Continuwuity is properly set up on your `vars.yml` as described above
+
+2. Make sure that Conduwuit references are removed from your `vars.yml` file
+
+3. Run the installation in a way that installs new services and uninstalls old ones (e.g. `just setup-all`)
+
+4. Run the playbook with the `continuwuity-migrate-from-conduwuit` tag (e.g. `just run-tags continuwuity-migrate-from-conduwuit`). This migrates data from `/matrix/conduwuit` to `/matrix/continuwuity`
+
+## Troubleshooting
+
+As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-continuwuity`.

docs/configuring-playbook-element-call.md

@@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 # Setting up Element Call (optional)
 
-The playbook can install and configure [Element Call](https://github.com/element-hq/element-call) for you.
+The playbook can install and configure [Element Call](https://github.com/element-hq/element-call) and its supporting components that are part of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md).
 
 Element Call is a native Matrix video conferencing application developed by [Element](https://element.io), designed for secure, scalable, privacy-respecting, and decentralized video and voice calls over the Matrix protocol. Built on MatrixRTC ([MSC4143](https://github.com/matrix-org/matrix-spec-proposals/pull/4143)), it utilizes [MSC4195](https://github.com/hughns/matrix-spec-proposals/blob/hughns/matrixrtc-livekit/proposals/4195-matrixrtc-livekit.md) with [LiveKit Server](configuring-playbook-livekit-server.md) as its backend.
 
@@ -16,18 +16,34 @@ See the project's [documentation](https://github.com/element-hq/element-call) to
 ## Prerequisites
 
 - A [Synapse](configuring-playbook-synapse.md) homeserver (see the warning below)
-- [Federation](configuring-playbook-federation.md) being enabled for your Matrix homeserver (federation is enabled by default, unless you've explicitly disabled it), because [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) currently [requires it](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3562#issuecomment-2725250554) ([relevant source code](https://github.com/element-hq/lk-jwt-service/blob/f5f5374c4bdcc00a4fb13d27c0b28e20e4c62334/main.go#L135-L146))
+- The [Matrix RTC (Real-Time Communication) stack](configuring-playbook-matrix-rtc.md) (automatically done when Element Call is enabled)
-- Various experimental features for the Synapse homeserver which Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) (automatically done when Element Call is enabled)
-- A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when Element Call is enabled)
-- The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when Element Call is enabled)
 - A client compatible with Element Call. As of 2025-03-15, that's just [Element Web](configuring-playbook-client-element-web.md) and the Element X mobile clients (iOS and Android).
+- (Optional) Guest accounts being enabled for your Matrix server, if you'd like guests to be able to use Element Call. See [Allowing guests to use Element Call](#allowing-guests-to-use-element-call-optional)
 
 > [!WARNING]
 >  Because Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) a few experimental features in the Matrix protocol, it's **very likely that it only works with the Synapse homeserver**.
 
+## Decide between Element Call vs just the Matrix RTC stack
+
+All clients that can currently use Element Call (Element Web and Element X on mobile) already embed the Element Call frontend within them.
+These **clients will use their own embedded Element Call frontend**, so **self-hosting the Element Call frontend by the playbook is largely unnecessary**.
+
+💡 A reason you may wish to continue installing the Element Call frontend (despite Matrix clients not making use of it), is if you need to use it standalone - directly via a browser (without a Matrix client). Note that unless you [allow guest accounts to use Element Call](#allowing-guests-to-use-element-call-optional), you will still need a Matrix user account **on the same homeserver** to be able to use Element Call.
+
+The playbook makes a distiction between enabling Element Call (`matrix_element_call_enabled`) and enabling the Matrix RTC Stack (`matrix_rtc_enabled`). Enabling Element Call automatically enables the Matrix RTC stack. Because installing the Element Call frontend is now unnecessary, **we recommend only installing the Matrix RTC stack, without the Element Call frontend**.
+
+| Description / Variable | Element Call frontend | [LiveKit Server](configuring-playbook-livekit-server.md) | [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) |
+|------------------------|-----------------------|----------------|---------------------|
+| Description | Static website that provides the Element Call UI (but often embedded by clients) | Scalable, multi-user conferencing solution based on WebRTC | A helper component that allows Element Call to integrate with LiveKit Server |
+| Required for Element Call to function | No | Yes | Yes |
+| `matrix_element_call_enabled` | ✅ Installed | ✅ Installed | ✅ Installed |
+| `matrix_rtc_enabled` | ❌ Not Installed, but usually unnecessary | ✅ Installed | ✅ Installed |
+
+All documentation below assumes that you've decided to install Element Call and not just the Matrix RTC stack.
+
 ## Decide on a domain and path
 
-By default, Element Call is configured to be served on the `call.element.example.com` domain.
+By default, the Element Call frontend is configured to be served on the `call.element.example.com` domain.
 
 If you'd like to run Element Call on another hostname, see the [Adjusting the Element Call URL](#adjusting-the-element-call-url-optional) section below.
 
@@ -48,6 +64,8 @@ In addition to the HTTP/HTTPS ports (which you've already exposed as per the [pr
 Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
 ```yaml
+# Enable the Element Call frontend UI to allow standalone use of Element Call.
+# Enabling this also auto-enables the Matrix RTC stack.
 matrix_element_call_enabled: true
 ```
 
@@ -64,6 +82,28 @@ matrix_element_call_hostname: element-call.example.com
 > [!WARNING]
 > A `matrix_element_call_path_prefix` variable is also available and mean to let you configure a path prefix for the Element Call service, but [Element Call does not support running under a sub-path yet](https://github.com/element-hq/element-call/issues/3084).
 
+### Allowing guests to use Element Call (optional)
+
+By default, Element Call can only be used by people having accounts on your Matrix server.
+
+If you'd like guests to be able to use Element Call as well, you need to enable guest accounts support for your homeserver.
+
+> [!WARNING]
+> Enabling guest accounts means that your homeserver's user database may get polluted with guest account signups (potentially made by bots).
+> Guest accounts should be limited in what (damage) they can do to your server and the rest of the Matrix ecosystem, but it's better to not enable them unless necessary.
+
+For [Synapse](configuring-playbook-synapse.md) (the default homeserver implementation), the configuration is like this:
+
+```yml
+matrix_synapse_allow_guest_access: true
+```
+
+For [Dendrite](configuring-playbook-dendrite.md), the configuration is like this:
+
+```yml
+matrix_dendrite_guests_disabled: false
+```
+
 ## Installing
 
 After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records) and [adjusting firewall rules](#adjusting-firewall-rules), run the playbook with [playbook tags](playbook-tags.md) as below:

docs/configuring-playbook-livekit-jwt-service.md

@@ -8,9 +8,9 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 
 The playbook can install and configure [LiveKit JWT Service](https://github.com/element-hq/lk-jwt-service/) for you.
 
-This is a helper component that allows [Element Call](configuring-playbook-element-call.md) to integrate with [LiveKit Server](configuring-playbook-livekit-server.md).
+This is a helper component which is part of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) that allows [Element Call](configuring-playbook-element-call.md) to integrate with [LiveKit Server](configuring-playbook-livekit-server.md).
 
-💡 LiveKit JWT Service is automatically installed and configured when [Element Call](configuring-playbook-element-call.md) is enabled, so you don't need to do anything extra.
+💡 LiveKit JWT Service is automatically installed and configured when either [Element Call](configuring-playbook-element-call.md) or the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) is enabled, so you don't need to do anything extra.
 
 Take a look at:
 

docs/configuring-playbook-livekit-server.md

@@ -11,7 +11,7 @@ The playbook can install and configure [LiveKit Server](https://github.com/livek
 
 LiveKit Server is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video audio data capabilities in your applications.
 
-💡 LiveKit Server is automatically installed and configured when [Element Call](configuring-playbook-element-call.md) is enabled, so you don't need to do anything extra.
+💡 LiveKit Server is automatically installed and configured when either [Element Call](configuring-playbook-element-call.md) or the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) is enabled, so you don't need to do anything extra.
 
 The [Ansible role for LiveKit Server](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server) is developed and maintained by [the MASH (mother-of-all-self-hosting) project](https://github.com/mother-of-all-self-hosting). For details about configuring LiveKit Server, you can check them via:
 - 🌐 [the role's documentation at the MASH project](https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server/blob/main/docs/configuring-livekit-server.md) online

docs/configuring-playbook-matrix-rtc.md

@@ -0,0 +1,59 @@
+<!--
+SPDX-FileCopyrightText: 2024 wjbeckett
+SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Setting up the Matrix RTC stack (optional)
+
+The playbook can install and configure the Matrix RTC (Real-Time Communication) stack.
+
+The Matrix RTC stack is a set of supporting components ([LiveKit Server](configuring-playbook-livekit-server.md) and [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md)) that allow the new [Element Call](configuring-playbook-element-call.md) audio/video calls to function.
+
+💡 If you only plan on doing audio/video calls via Matrix client (which typically embed the Element Call frontend UI within them), you only need to install the Matrix RTC stack and don't necessarily need to install [Element Call](configuring-playbook-element-call.md). See the [Decide between Element Call vs just the Matrix RTC stack](configuring-playbook-element-call.md#decide-between-element-call-vs-just-the-matrix-rtc-stack) section of the [Element Call documentation](configuring-playbook-element-call.md) for more details.
+
+## Prerequisites
+
+- A [Synapse](configuring-playbook-synapse.md) homeserver (see the warning below)
+- [Federation](configuring-playbook-federation.md) being enabled for your Matrix homeserver (federation is enabled by default, unless you've explicitly disabled it), because [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) currently [requires it](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/3562#issuecomment-2725250554) ([relevant source code](https://github.com/element-hq/lk-jwt-service/blob/f5f5374c4bdcc00a4fb13d27c0b28e20e4c62334/main.go#L135-L146))
+- Various experimental features for the Synapse homeserver which Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) (automatically done when Element Call is enabled)
+- A [LiveKit Server](configuring-playbook-livekit-server.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
+- The [LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (automatically installed when [Element Call or the Matrix RTC stack is enabled](#decide-between-element-call-vs-just-the-matrix-rtc-stack))
+- A client compatible with Element Call. As of 2025-03-15, that's just [Element Web](configuring-playbook-client-element-web.md) and the Element X mobile clients (iOS and Android).
+
+> [!WARNING]
+>  Because Element Call [requires](https://github.com/element-hq/element-call/blob/93ae2aed9841e0b066d515c56bd4c122d2b591b2/docs/self-hosting.md#a-matrix-homeserver) a few experimental features in the Matrix protocol, it's **very likely that it only works with the Synapse homeserver**.
+
+## Adjusting the playbook configuration
+
+Add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+# Enable the Matrix RTC stack.
+# This provides all supporting services for Element Call, without the Element Call frontend.
+matrix_rtc_enabled: true
+```
+
+## Adjusting firewall rules
+
+In addition to the HTTP/HTTPS ports (which you've already exposed as per the [prerequisites](prerequisites.md) document), you'll also need to open ports required by [LiveKit Server](configuring-playbook-livekit-server.md) as described in its own [Adjusting firewall rules](configuring-playbook-livekit-server.md#adjusting-firewall-rules) section.
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records) and [adjusting firewall rules](#adjusting-firewall-rules), run the playbook with [playbook tags](playbook-tags.md) as below:
+
+<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
+```sh
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
+
+`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
+
+## Usage
+
+Once installed, Matrix clients which support Element Call (like [Element Web](configuring-playbook-client-element-web.md) and Element X on mobile (iOS and Android)) will automatically use the Matrix RTC stack.
+
+These clients typically embed the Element Call frontend UI within them, so installing [Element Call](configuring-playbook-element-call.md) is only necessary if you'd like to use it standalone - directly via a browser.

docs/configuring-playbook.md

@@ -53,6 +53,8 @@ For a more custom setup, see the [Other configuration options](#other-configurat
 
   - [Configuring conduwuit](configuring-playbook-conduwuit.md), if you've switched to the [conduwuit](https://conduwuit.puppyirl.gay/) homeserver implementation
 
+  - [Configuring continuwuity](configuring-playbook-continuwuity.md), if you've switched to the [continuwuity](https://continuwuity.org) homeserver implementation
+
   - [Configuring Dendrite](configuring-playbook-dendrite.md), if you've switched to the [Dendrite](https://matrix-org.github.io/dendrite) homeserver implementation
 
 - Server components:
@@ -237,11 +239,13 @@ Services that help you in administrating and monitoring your Matrix installation
 
 Various services that don't fit any other categories.
 
-- [Setting up Element Call](configuring-playbook-element-call.md) — a native Matrix video conferencing application (optional)
+- [Setting up Element Call](configuring-playbook-element-call.md) — a native Matrix video conferencing application, built on top of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)
 
-- [Setting up LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) (optional)
+- [Setting up LiveKit JWT Service](configuring-playbook-livekit-jwt-service.md) - a component of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)
 
-- [Setting up LiveKit Server](configuring-playbook-livekit-server.md) (optional)
+- [Setting up LiveKit Server](configuring-playbook-livekit-server.md) - a component of the [Matrix RTC stack](configuring-playbook-matrix-rtc.md) (optional)
+
+- [Setting up Matrix RTC](configuring-playbook-matrix-rtc.md) (optional)
 
 - [Setting up Synapse Auto Invite Accept](configuring-playbook-synapse-auto-accept-invite.md)
 

docs/container-images.md

@@ -28,6 +28,7 @@ We try to stick to official images (provided by their respective projects) as mu
 | [Synapse](configuring-playbook-synapse.md) | [element-hq/synapse](https://ghcr.io/element-hq/synapse) | ✅ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network |
 | [Conduit](configuring-playbook-conduit.md) | [matrixconduit/matrix-conduit](https://hub.docker.com/r/matrixconduit/matrix-conduit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Conduit is a lightweight open-source server implementation of the Matrix Specification with a focus on easy setup and low system requirements |
 | [conduwuit](configuring-playbook-conduwuit.md) | [girlbossceo/conduwuit](https://ghcr.io/girlbossceo/conduwuit) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. conduwuit is a fork of Conduit. |
+| [continuwuity](configuring-playbook-continuwuity.md) | [continuwuation/continuwuity](https://forgejo.ellis.link/continuwuation/continuwuity) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. continuwuity is a continuation of conduwuit. |
 | [Dendrite](configuring-playbook-dendrite.md) | [matrixdotorg/dendrite-monolith](https://hub.docker.com/r/matrixdotorg/dendrite-monolith/) | ❌ | Storing your data and managing your presence in the [Matrix](http://matrix.org/) network. Dendrite is a second-generation Matrix homeserver written in Go, an alternative to Synapse. |
 
 ## Clients

docs/howto-srv-server-delegation.md

@@ -26,7 +26,7 @@ The up-to-date list can be accessed on [traefik's documentation](https://doc.tra
 
 **Note**: the changes below instruct you how to do this for a basic Synapse installation. You will need to adapt the variable name and the content of the labels:
 
-- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [conduwuit](./configuring-playbook-conduwuit.md) or [Dendrite](./configuring-playbook-dendrite.md))
+- if you're using another homeserver implementation (e.g. [Conduit](./configuring-playbook-conduit.md), [conduwuit](./configuring-playbook-conduwuit.md), [continuwuity](./configuring-playbook-continuwuity.md) or [Dendrite](./configuring-playbook-dendrite.md))
 - if you're using [Synapse with workers enabled](./configuring-playbook-synapse.md#load-balancing-with-workers) (`matrix_synapse_workers_enabled: true`). In that case, it's actually the `matrix-synapse-reverse-proxy-companion` service which has Traefik labels attached
 
 Also, all instructions below are from an older version of the playbook and may not work anymore.
@@ -79,7 +79,7 @@ traefik_configuration_extension_yaml: |
             - "8.8.8.8:53"
         storage: {{ traefik_config_certificatesResolvers_acme_storage | to_json }}
 
-# 2. Configure the environment variables needed by Rraefik to automate the ACME DNS Challenge (example for Cloudflare)
+# 2. Configure the environment variables needed by Traefik to automate the ACME DNS Challenge (example for Cloudflare)
 traefik_environment_variables: |
   CF_API_EMAIL=redacted
   CF_ZONE_API_TOKEN=redacted

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -243,7 +243,7 @@ matrix_addons_homeserver_client_api_url: "{{ ('http://' + matrix_playbook_revers
 matrix_addons_homeserver_systemd_services_list: "{{ ([traefik_identifier + '.service'] if matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' else []) if matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled else matrix_homeserver_systemd_services_list }}"
 
 # Starting from version `0.6.0` Conduit natively supports some sync v3 (sliding-sync) features.
-matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit', 'conduwuit'] else '') }}"
+matrix_homeserver_sliding_sync_url: "{{ matrix_sliding_sync_base_url if matrix_sliding_sync_enabled else (matrix_homeserver_url if matrix_homeserver_implementation in ['conduit', 'conduwuit', 'continuwuity'] else '') }}"
 
 ########################################################################
 #                                                                      #
@@ -567,6 +567,7 @@ matrix_homeserver_container_client_api_endpoint: |-
       'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
       'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
       'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
+      'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
     }[matrix_homeserver_implementation]
   }}
 
@@ -577,6 +578,7 @@ matrix_homeserver_container_federation_api_endpoint: |-
       'dendrite': ('matrix-dendrite:' + matrix_dendrite_http_bind_port | default('8008') | string),
       'conduit': ('matrix-conduit:' + matrix_conduit_port_number | default('8008') | string),
       'conduwuit': ('matrix-conduwuit:' + matrix_conduwuit_config_port_number | default('8008') | string),
+      'continuwuity': ('matrix-continuwuity:' + matrix_continuwuity_config_port_number | default('8008') | string),
     }[matrix_homeserver_implementation]
   }}
 
@@ -3199,8 +3201,8 @@ matrix_bot_draupnir_config_rawHomeserverUrl: "{{ matrix_addons_homeserver_client
 
 matrix_bot_draupnir_container_labels_traefik_enabled: "{{ matrix_bot_draupnir_config_web_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-matrix_bot_draupnir_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-matrix_bot_draupnir_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
 
 ######################################################################
 #
@@ -4537,7 +4539,7 @@ ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
 #
 ######################################################################
 
-valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_encryption_enabled) or matrix_element_call_enabled }}"
+valkey_enabled: "{{ matrix_synapse_workers_enabled or (matrix_hookshot_enabled and matrix_hookshot_encryption_enabled) }}"
 
 valkey_identifier: matrix-valkey
 
@@ -4609,9 +4611,9 @@ matrix_client_element_enable_presence_by_hs_url: |-
 
 matrix_client_element_jitsi_preferred_domain: "{{ matrix_server_fqn_jitsi if jitsi_enabled else '' }}"
 
-matrix_client_element_features_feature_video_rooms: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_video_rooms: "{{ matrix_rtc_enabled }}"
-matrix_client_element_features_feature_group_calls: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_group_calls: "{{ matrix_rtc_enabled }}"
-matrix_client_element_features_feature_element_call_video_rooms: "{{ matrix_element_call_enabled }}"
+matrix_client_element_features_feature_element_call_video_rooms: "{{ matrix_rtc_enabled }}"
 matrix_client_element_features_feature_oidc_native_flow: "{{ matrix_authentication_service_enabled }}"
 
 matrix_client_element_element_call_enabled: "{{ matrix_element_call_enabled }}"
@@ -4934,7 +4936,7 @@ matrix_synapse_ext_media_repo_enabled: "{{ matrix_media_repo_enabled }}"
 matrix_synapse_report_stats: "{{ matrix_synapse_usage_exporter_enabled }}"
 matrix_synapse_report_stats_endpoint: "{{ (('http://' + matrix_synapse_usage_exporter_identifier + ':' + matrix_synapse_usage_exporter_container_port | string + '/report-usage-stats/push') if matrix_synapse_usage_exporter_enabled else '') }}"
 
-matrix_synapse_experimental_features_msc3266_enabled: "{{ matrix_element_call_enabled }}"
+matrix_synapse_experimental_features_msc3266_enabled: "{{ matrix_rtc_enabled }}"
 
 matrix_synapse_experimental_features_msc3861_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
 matrix_synapse_experimental_features_msc3861_issuer: "{{ matrix_authentication_service_http_base_container_url if matrix_authentication_service_enabled else '' }}"
@@ -4944,9 +4946,9 @@ matrix_synapse_experimental_features_msc3861_account_management_url: "{{ matrix_
 
 matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
 
-matrix_synapse_experimental_features_msc4140_enabled: "{{ matrix_element_call_enabled }}"
+matrix_synapse_experimental_features_msc4140_enabled: "{{ matrix_rtc_enabled }}"
 
-matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_element_call_enabled }}"
+matrix_synapse_experimental_features_msc4222_enabled: "{{ matrix_rtc_enabled }}"
 
 # Disable password authentication when delegating authentication to Matrix Authentication Service.
 # Unless this is done, Synapse fails on startup with:
@@ -5640,6 +5642,7 @@ grafana_default_home_dashboard_path: |-
       'dendrite': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
       'conduit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
       'conduwuit': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
+      'continuwuity': ('/etc/grafana/dashboards/node-exporter-full.json' if prometheus_node_exporter_enabled else ''),
     }[matrix_homeserver_implementation]
   }}
 
@@ -5700,6 +5703,7 @@ matrix_registration_shared_secret: |-
       'dendrite': matrix_dendrite_client_api_registration_shared_secret | default (''),
       'conduit': '',
       'conduwuit': '',
+      'continuwuity': '',
     }[matrix_homeserver_implementation]
   }}
 
@@ -5977,6 +5981,58 @@ matrix_conduwuit_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabl
 ######################################################################
 
 
+######################################################################
+#
+# matrix-continuwuity
+#
+######################################################################
+
+matrix_continuwuity_enabled: "{{ matrix_homeserver_implementation == 'continuwuity' }}"
+
+matrix_continuwuity_hostname: "{{ matrix_server_fqn_matrix }}"
+
+matrix_continuwuity_config_allow_federation: "{{ matrix_homeserver_federation_enabled }}"
+
+matrix_continuwuity_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_continuwuity_docker_image_registry_prefix_upstream_default }}"
+
+matrix_continuwuity_container_network: "{{ matrix_homeserver_container_network }}"
+
+matrix_continuwuity_container_additional_networks_auto: |
+  {{
+    (
+      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_continuwuity_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
+    ) | unique
+  }}
+
+matrix_continuwuity_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and not matrix_synapse_workers_enabled }}"
+matrix_continuwuity_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_continuwuity_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_continuwuity_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+matrix_continuwuity_container_labels_public_client_root_redirection_enabled: "{{ matrix_continuwuity_container_labels_public_client_root_redirection_url != '' }}"
+matrix_continuwuity_container_labels_public_client_root_redirection_url: "{{ (('https://' if matrix_playbook_ssl_enabled else 'http://') + matrix_server_fqn_element) if matrix_client_element_enabled else '' }}"
+
+matrix_continuwuity_container_labels_public_federation_api_traefik_hostname: "{{ matrix_server_fqn_matrix_federation }}"
+matrix_continuwuity_container_labels_public_federation_api_traefik_entrypoints: "{{ matrix_federation_traefik_entrypoint_name }}"
+matrix_continuwuity_container_labels_public_federation_api_traefik_tls: "{{ matrix_federation_traefik_entrypoint_tls }}"
+
+matrix_continuwuity_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
+matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
+
+matrix_continuwuity_config_turn_uris: "{{ matrix_coturn_turn_uris if matrix_coturn_enabled else [] }}"
+matrix_continuwuity_config_turn_secret: "{{ matrix_coturn_turn_static_auth_secret if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'auth-secret') else '' }}"
+matrix_continuwuity_config_turn_username: "{{ matrix_coturn_lt_cred_mech_username if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+matrix_continuwuity_config_turn_password: "{{ matrix_coturn_lt_cred_mech_password if (matrix_coturn_enabled and matrix_coturn_authentication_method == 'lt-cred-mech') else '' }}"
+
+matrix_continuwuity_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled }}"
+
+######################################################################
+#
+# /matrix-continuwuity
+#
+######################################################################
+
+
 ######################################################################
 #
 # matrix-user-creator
@@ -6140,7 +6196,7 @@ matrix_static_files_file_matrix_client_property_m_tile_server_map_style_url: "{{
 # See: https://github.com/etkecc/synapse-admin/pull/126
 matrix_static_files_file_matrix_client_property_cc_etke_synapse_admin_auto: "{{ matrix_synapse_admin_configuration if matrix_homeserver_implementation == 'synapse' else {} }}"
 
-matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_element_call_enabled }}"
+matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_enabled: "{{ matrix_livekit_jwt_service_enabled }}"
 matrix_static_files_file_matrix_client_property_org_matrix_msc4143_rtc_foci_auto: |-
   {{
     (
@@ -6297,7 +6353,7 @@ matrix_element_call_config_livekit_livekit_service_url: "{{ matrix_livekit_jwt_s
 #                                                                      #
 ########################################################################
 
-livekit_server_enabled: "{{ matrix_element_call_enabled }}"
+livekit_server_enabled: "{{ matrix_rtc_enabled }}"
 
 livekit_server_identifier: matrix-livekit-server
 
@@ -6405,7 +6461,7 @@ livekit_server_systemd_required_services_list_auto: |
 #                                                                      #
 ########################################################################
 
-matrix_livekit_jwt_service_enabled: "{{ matrix_element_call_enabled and livekit_server_enabled }}"
+matrix_livekit_jwt_service_enabled: "{{ matrix_rtc_enabled and livekit_server_enabled }}"
 
 matrix_livekit_jwt_service_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 

i18n/locales/bg/LC_MESSAGES/docs/configuring-playbook-continuwuity.po

@@ -0,0 +1,134 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) 2018-2025, Slavi Pantaleev, Aine Etke, MDAD community
+# members
+# This file is distributed under the same license as the
+# matrix-docker-ansible-deploy package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, 2025.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: matrix-docker-ansible-deploy \n"
+"Report-Msgid-Bugs-To: \n"
+"POT-Creation-Date: 2025-01-27 09:54+0200\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language: bg\n"
+"Language-Team: bg <LL@li.org>\n"
+"Plural-Forms: nplurals=2; plural=(n != 1);\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=utf-8\n"
+"Content-Transfer-Encoding: 8bit\n"
+"Generated-By: Babel 2.16.0\n"
+
+#: ../../../docs/configuring-playbook-continuwuity.md:1
+msgid "Configuring continuwuity (optional)"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:3
+msgid "The playbook can install and configure the [continuwuity](https://continuwuity.org/) Matrix server for you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:5
+msgid "See the project's [documentation](https://continuwuity.org/) to learn what it does and why it might be useful to you."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:7
+msgid "By default, the playbook installs [Synapse](https://github.com/element-hq/synapse) as it's the only full-featured Matrix server at the moment. If that's okay, you can skip this document."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:9
+msgid "💡 **Note**: continuwuity is a fork of [conduwuit](./configuring-playbook-conduwuit.md), which the playbook also supports."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:11
+msgid "⚠️ **Warnings**:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:13
+msgid "**You can't switch an existing Matrix server's implementation** (e.g. Synapse -> continuwuity). Proceed below only if you're OK with losing data or you're dealing with a server on a new domain name, which hasn't participated in the Matrix federation yet."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:15
+msgid "**Homeserver implementations other than Synapse may not be fully functional**. The playbook may also not assist you in an optimal way (like it does with Synapse). Make yourself familiar with the downsides before proceeding"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:17
+msgid "Adjusting the playbook configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:19
+msgid "To use continuwuity, you **generally** need to adjust the `matrix_homeserver_implementation: synapse` configuration on your `inventory/host_vars/matrix.example.com/vars.yml` file as below:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:33
+msgid "Extending the configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:35
+msgid "There are some additional things you may wish to configure about the server."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:37
+msgid "Take a look at:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:39
+msgid "`roles/custom/matrix-continuwuity/defaults/main.yml` for some variables that you can customize via your `vars.yml` file"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:40
+msgid "`roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2` for the server's default configuration"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:42
+msgid "There are various Ansible variables that control settings in the `continuwuity.toml` file."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:44
+msgid "If a specific setting you'd like to change does not have a dedicated Ansible variable, you can either submit a PR to us to add it, or you can [override the setting using an environment variable](https://continuwuity.org/configuration#environment-variables) using `matrix_continuwuity_environment_variables_extension`. For example:"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:52
+msgid "Creating the first user account"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:54
+msgid "Unlike other homeserver implementations (like Synapse and Dendrite), continuwuity does not support creating users via the command line or via the playbook."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:56
+msgid "If you followed the instructions above (see [Adjusting the playbook configuration](#adjusting-the-playbook-configuration)), you should have registration enabled and protected by a registration token."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:58
+msgid "This should allow you to create the first user account via any client (like [Element Web](./configuring-playbook-client-element-web.md)) which supports creating users."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:60
+msgid "The **first user account that you create will be marked as an admin** and **will be automatically invited to an admin room**."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:63
+msgid "Configuring bridges / appservices"
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:65
+msgid "For other homeserver implementations (like Synapse and Dendrite), the playbook automatically registers appservices (for bridges, bots, etc.) with the homeserver."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:67
+msgid "For continuwuity, you will have to manually register appservices using the [`!admin appservices register` command](https://continuwuity.org/appservices#set-up-the-appservice---general-instructions) sent to the server bot account."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:69
+msgid "The server's bot account has a Matrix ID of `@conduit:example.com` (not `@continuwuity:example.com`!) due to continuwuity's historical legacy. Your first user account would already have been invited to an admin room with this bot."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:72
+msgid "Find the appservice file you'd like to register. This can be any `registration.yaml` file found in the `/matrix` directory, for example `/matrix/mautrix-signal/bridge/registration.yaml`."
+msgstr ""
+
+#: ../../../docs/configuring-playbook-continuwuity.md:74
+msgid "Then, send its content to the existing admin room:"
+msgstr ""

i18n/requirements.txt

@@ -1,6 +1,6 @@
 alabaster==1.0.0
 babel==2.17.0
-certifi==2025.1.31
+certifi==2025.4.26
 charset-normalizer==3.4.1
 click==8.1.8
 docutils==0.21.2
@@ -13,11 +13,11 @@ MarkupSafe==3.0.2
 mdit-py-plugins==0.4.2
 mdurl==0.1.2
 myst-parser==4.0.1
-packaging==24.2
+packaging==25.0
 Pygments==2.19.1
 PyYAML==6.0.2
 requests==2.32.3
-setuptools==78.1.0
+setuptools==79.0.1
 snowballstemmer==2.2.0
 Sphinx==8.2.3
 sphinx-intl==2.3.1
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.3.0
+urllib3==2.4.0

inventory/host_vars/matrix.finallycoffee.eu/postgresql.yml

@@ -0,0 +1,16 @@
+---
+postgres_max_connections: 400
+postgres_shared_buffers: 3145728 # (3072 MiB)
+postgres_effective_cache_size: 8388608 # (8192 MiB)
+postgres_maintenance_work_mem: 786432 # (768 MiB)
+postgres_wal_buffers: 16384 # (16 MiB)
+postgres_random_page_cost: 1.3
+postgres_work_mem: 4096
+postgres_huge_pages: try
+postgres_min_wal_size: 524288 # (512 MiB)
+postgres_max_wal_size: 4194304 # (4GiB)
+postgres_max_worker_processes: 8
+postgres_max_parallel_workers: 8
+postgres_max_parallel_workers_per_gather: 4
+postgres_max_parallel_maintenance_workers: 4
+

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,386 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+
+matrix_playbook_reverse_proxy_type: playbook-managed-traefik
+matrix_playbook_ssl_enabled: true
+traefik_config_entrypoint_web_secure_enabled: false
+traefik_container_web_host_bind_port: '127.0.10.1:8080'
+traefik_config_entrypoint_web_forwardedHeaders_insecure: true
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: '127.0.10.2:8448'
+matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom:
+  forwardedHeaders:
+    insecure: true
+
+matrix_synapse_metrics_proxying_enabled: true
+matrix_sliding_sync_enabled: true
+
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+matrix_playbook_docker_installation_enabled: false
+
+#matrix_dimension_scheme: https
+
+devture_timesync_installation_enabled: false
+matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+devture_systemd_service_manager_up_verification_delay_seconds: 300
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+postgres_dump_dir: /vault/temp
+
+
+#
+# General Synapse config
+#
+postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+# matrix_homeserver_generic_secret_key: "{{ vault_homeserver_generic_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 200
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turn:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turn:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+#matrix_synapse_rc_federation:
+#  window_size: 1000
+#  sleep_limit: 50
+#  sleep_delay: 500
+#  reject_limit: 50
+#  concurrent: 10
+#matrix_synapse_rc_message:
+#  per_second: 0.5
+#  burst_count: 25
+#matrix_synapse_rc_joins:
+#  local:
+#    per_second: 0.5
+#    burst_count: 20
+#  remote:
+#    per_second: 0.05
+#    burst_count: 20
+#matrix_synapse_rc_joins_per_room:
+#  per_second: 1
+#  burst_count: 10
+#matrix_synapse_rc_invites:
+#  per_room:
+#    per_second: 0.5
+#    burst_count: 10
+#  per_user:
+#    per_second: 0.006
+#    burst_count: 10
+#  per_issuer:
+#    per_second: 2
+#    burst_count: 20
+
+## Synapse cache tuning
+#matrix_synapse_caches_global_factor: 1.5
+#matrix_synapse_event_cache_size: "300K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_workers_count: 1
+matrix_synapse_workers_media_repository_workers_count: 1
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+#matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+#matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+#matrix_synapse_ext_password_provider_rest_auth_enabled: true
+#matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+#matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+#matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+#matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+matrix_synapse_configuration_extension_yaml: |
+  database:
+    args:
+      cp_min: 10
+      cp_max: 30
+      cp_reconnect: True
+
+#  caches:
+#    per_cache_factors:
+#      device_id_exists: 3
+#      get_users_in_room: 4
+#      _get_joined_users_from_context: 4
+#      _get_joined_profile_from_event_id: 3
+#      "*stateGroupMembersCache*": 2
+#      _matches_user_in_member_list: 3
+#      get_users_who_share_room_with_user: 3
+#      is_interested_in_room: 2
+#      get_user_by_id: 1.5
+#      room_push_rule_cache: 1.5
+#    expire_caches: true
+#    cache_entry_ttl: 45m
+#    sync_response_cache_duration: 2m
+  
+
+#
+# synapse-admin tool
+#
+#matrix_synapse_admin_enabled: true
+#matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: false
+#matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+#matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+#matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+#matrix_dimension_configuration_extension_yaml: |
+#    telegram:
+#        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_bridge_personal_filtering_spaces: true
+matrix_mautrix_whatsapp_bridge_enable_status_broadcast: false
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "boobies.software": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+        permissions:
+          "@ilosai:fairydust.space": "user"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+matrix_bridges_encryption_enabled: true
+matrix_bridges_encryption_default: true
+matrix_appservice_double_puppet_enabled: true
+
+matrix_mautrix_slack_enabled: true
+matrix_mautrix_slack_appservice_bot_username: slack
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: false
+#matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+#matrix_mx_puppet_instagram_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_instagram_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    presence:
+#        enabled: true
+#        interval: 3000
+#
+#
+##
+## mx-puppet-discord configuration
+##
+matrix_mx_puppet_discord_enabled: false
+#matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+#matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+#matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+#matrix_mx_puppet_discord_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+#matrix_mx_puppet_discord_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: false
+#matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+#matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+#matrix_mx_puppet_slack_oauth_redirect_path: '/bridge/slack/oauth'
+#matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+#matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+#matrix_mx_puppet_slack_container_extra_arguments:
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+#  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+#matrix_mx_puppet_slack_configuration_extension_yaml: |
+#    bridge:
+#        enableGroupSync: true
+#    metrics:
+#        enabled: true
+#        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+#        path: /metrics
+#    limits:
+#        maxAutojoinUsers: 500
+#        roomUserAutojoinDelay: 50
+#    presence:
+#        enabled: true
+#        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_auth_header_logo_url: "welcome/images/logo.png"
+matrix_client_element_branding_welcome_background_url: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcome_background_url }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_auth_header_logo_url }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_room_directory_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+#matrix_ma1sd_configuration_extension_yaml: |
+#    hashing:
+#      enabled: true
+#      pepperLength: 20
+#      rotationPolicy: per_requests
+#      requests: 10
+#      hashStorageType: sql
+#      algorithms:
+#          - none
+#          - sha256
+
+
+# Matrix mail notification relay setup
+exim_relay_enabled: true
+exim_relay_sender_address: "system-matrix@{{ matrix_domain }}"
+exim_relay_relay_use: true
+exim_relay_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+exim_relay_relay_host_port: 587
+exim_relay_relay_auth: true
+exim_relay_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+exim_relay_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,105 @@
+$ANSIBLE_VAULT;1.1;AES256
+61626165616330663863393762663031623164636666346339343636363035663463636135656533
+3338383762633130346536613334626164306464333835380a353264386431326437616234393165
+61323266623432353731373634353339393936643130346434346530336563326533386331646533
+3030663037666664360a346636343966663733663836633736316630663230613137663166336336
+62383131343934353635633261323036613231646439626162306238313132316664653237653533
+34376464633335626133376138343139653561613232333133393535393137653964633561313761
+62653632663432313936336231613832626362343737383863343562636437646439666638383733
+63313538616430393536356534303164633332653538643264353834393465373538643963343039
+31366661636263353936363931343938323563626538303133366263363533393564386466666361
+38666264643931336563633663663538616431313231336364653631383261326537336162313837
+32373730343538653862326636303264353737353139663161393762383138393531363264633531
+32383661396537636635666665316630663032333932393131336235663938623932383230343830
+31613563656663343830353438396535663864306531333239623738653838633331386465353466
+37366363643334623165373562363465636161396437333966303864663033636665623564613565
+39643635333636363132633462386536393634303838343835363633626162363236653839376230
+34666430363933336335323330386339656339356637653931643565303166303436333562333361
+38633838636337316137343564613338346239663933356130396562306164376430363233373632
+66303430303034353262343565373139333535636231623062633537653636376136656138623637
+34396562376233643234643436323433336436393163363935643033643833386631633762343162
+33633136316635326532343430383437366139333830373731636265386234356164393066333663
+37663934633437653364356231383934313132343162323436373339393964656336646164333533
+37626336616565323237633736653433316238366261303465343466643363303131376665346231
+62623133336561313732393837323330643138663830353662366139373366383436323530333732
+38623633666537643038636163303164653866343934616236343733386533663936303637326462
+63633137626632613736313333643363373963306161353431396261646635383930366166363135
+66353962643638616635376137346439383339303236323761366439306638623762343966623035
+30323435396533633238313962306366343362393339616131393839653565666666313833313433
+66386362353061323465666563616230336565663339646162623634643330646239343934373636
+33363061316637613266373831376133303337616639643239393835636138323266613134633633
+65356634636562313961643865353334306131333030373566666535373039343337613964306465
+32393163666232383266363763336132653765316162663961653933633832626533646537376136
+64613133373135616531343837616264656461313963646565656465656165303534343834663734
+62313865366634656265613264623234653165633839323030643333643139323531643637393439
+61656561303732663834336334643765616234373063306236303538646663316131663933323236
+63396263663034613832653361383061336132663032646133323931386562653661346264363439
+35636463613635316239363061363836623564303933373964363365626133373039643264666530
+30343165366365333339366639353033666634613162363164333433633563613461666532323566
+63303836353331326439646139653738633866356463303264623166306262393766346338373537
+62373865303264633663666333323135343530323434383835393763363739636135646538336364
+33376438636264393635383163353431336463396263333239626566653262373434316532343633
+61363061623430636462393135316564636536633963393338383334643134366232396564316635
+31373963633164653235643665653863303831663065383433363036633962633462393839363235
+36323562323634643639643561636261643136313633656236656566353539343063386162383234
+38653461633561353639336531353333393262633065386539353031386332343739656261653238
+31326434386130336465613233663563323035666631303137313665336566363134306638663265
+62353430353934633965316636643566653235366230323139656539646539626236616138313362
+31643437366563383164306331303662356562616366366237613633666534623765323034396534
+38326537376265343065313738316433353266633539313134323735383864623663323662633662
+65613862623766343736343031636238356161343036363566646635643334373030386434646135
+64336263356663376564333935623135396231623165326437393563333361356435346634616665
+66376231666633643936323264323565346637343538366138616631383964376632613437323163
+30366537326533363939643237376538366230313263623139323662396633343239343066313564
+63356533373338653030313038653137666434323737323763623136666530313035356634666633
+35643530333632633664643361633964666432336631636561343739646266653634353963323534
+35663731616539646332393837633566393734643033623937316661653839663937303666376339
+65653036373565323435636637373231316265393231333734356462356635346531366530316262
+37643632346164366561353236373633623464643536373361666263303739356335333934313537
+31373035633333313065613162346133663736313265376230393135353431343765306539633032
+63353338656231376666613138353235613362643334653537353237653139396533363630303033
+36363039613232666266333535343466336263663762623865376532326262666332303361356266
+65646337323037383564666639363636333135323265633932333264346363326466343234653936
+65656535343663356562613064323138656338633064633462313864616665653230626638373939
+61623862386364396335323836396664653731633365623936383435383330643038386665653238
+62643961626464313666343431303064303338396135643432383730613161336435306262653132
+38373432393564333562363761386239343366343465386638643737663561633837303734333835
+66366465633164346365356637313534376136303630666432613664363030323336316639393339
+61383565316432383633383832363439316366373536336639643961333663303631633464633238
+31396331386163386261393565346266636436386465326639326363663930666665306637393263
+65363763336561316566363164626466643637343731666530386432343431653634353336376461
+33366233366533656334666138346661323463633133303933626163343666623761613961346231
+35383232306336386665313264393933646631656333613138353532666133366339656564353865
+35353330393131366137663466333363653866323936353734306361633163626537363561346332
+65363231623766666638383661323964633034366261633035303861383135383235656465373738
+66373762626130356633626436366533626633353836346239666333353262656665636330626561
+66613165313137373766623464646330643662393033396266643662653136393233336265353430
+38376130663634333133353763383264623133373230323938316638323864643430386633376564
+65356264623766666637353866326638613435663830623063343439373030663663623432393863
+33343134626465313230646239646537653938613938633736346235323438393237363639373932
+61376231386265366132333965333133343737623066383534666633396635356537623432623132
+62656431323033633265626265613736383435376132613532333037613834313130626361373533
+39653361323366636335343865343737346264636433386332666332376662343634356630316135
+30366163333561353338663666363738313732303031333637636266623530623261306335616233
+31346436346663643464626134313338346439323838343663613135663834666632653866346431
+64376566343963346664366363353636636231386530363961333131383133323163396265313563
+35393534343664336237336231313831333739633662306636373338663434613231306538343865
+61613063306432623932616534363865333639396232383562396161383539363336303463323731
+63313239666538306239663864653839616132363662336331636262353061663136386331306131
+66336361396239383638623463663635613364366433343739356331633330633561653038633530
+38303832363663656432396636613134613965373639353731366138323435326135626339353263
+39313032333966376135653664623666626233613530646534636362646237303465653931666563
+65343936623462633162343334643335623834323364646362633232346237306337303430616363
+61633930343132303962653432636230343331343332616434323035633963623138653737306566
+34353135623134626237653165663738633435656439393234643432353535646439313638653664
+39326437393166633937663261336330656266303431383437626163623163303133323139313563
+39383664633739373664653131326665306533633162373535396464663637653662336237656161
+39633138383166316437313237303733336365343066366462643165643865653039343037633263
+61613730393666636530633231396165363033313161663463323861663262383234643236643038
+61633138323664613061663538383333323566393262303633623136613166636361306562356163
+66363033373262396461316438643238396633353962616362623363303035353765393164616230
+35303664616539363639373830623337396239626539613761613839363638326664306465313762
+34646634326338306430653065343231366430666534306331336532346535663737633639363834
+34623539616339363535633365306230663264626234363637366436353833663136303032623338
+32633761333165393231303165393234643363313839373339666433666130313035643836626531
+63356638666264333163

inventory/hosts

@@ -0,0 +1,24 @@
+$ANSIBLE_VAULT;1.1;AES256
+37366366376266633033656235333633346134336666323465356666353363323130366365393534
+3365373534643965613139656465323663393862336163640a623663366631323035346632353030
+37396264356137336535363663323935646464333138653035623562346438643139323439366132
+3364356364353738660a616638393635333938373838316631396536386134333831613831343732
+39333066363566643864343661646633326134633039316636306332303063366665373638353735
+34386339633566663038613538316233306238383734623363623666346261336562663039373264
+31313061616432643761633139643039636164613136643264663131666166646531366335346164
+34303339393334616434633736383763653035386333363137336431363034653263306261646661
+37323563373436333736633836666563646162303232393932346430373039346431356166393930
+37616639333038653936633163323139396666303638663039623633633832333737633764643863
+61383763613865323061636662663837656339373335643066333964393362303766366533303332
+63646335356639366130393530373936636330633132356639626531303839656166346263613733
+31333362316537323934306434393630656161353465636434303538643835396361613563663437
+34383765626235356530396433643037306233663263623664636163326132316237386231323165
+65643235356434626161396136303563633836313961343664653339623862633338313963333237
+63663961636661383634343532356234626531373938313164373561386139366338393066623036
+36633137623361626161313961386630623635323336353036623165316632353333383162623531
+61353138613030343636326166303762656264643834396330313563616439323265333039323566
+64356538346662613836356462613536656636373065643734346166353466363266353939393535
+66333739623735656463373530646663303535643562363534306438323135353763303363376135
+37653566306461396563333135633235626130313231636165383438376237383663373939353637
+30366661303131333438376363366131613361326635366264363064633034376230353137663030
+346238306532363635623732396366633538

requirements.txt

@@ -0,0 +1,11 @@
+ansible==11.3.0
+ansible-core==2.18.3
+cffi==1.17.1
+cryptography==44.0.2
+Jinja2==3.1.6
+MarkupSafe==3.0.2
+packaging==24.2
+passlib==1.7.4
+pycparser==2.22
+PyYAML==6.0.2
+resolvelib==1.0.1

requirements.yml

@@ -4,7 +4,7 @@
   version: v1.0.0-5
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.0-1.9.13-1
+  version: v1.4.1-1.9.14-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.3.0-4
@@ -22,10 +22,10 @@
   version: v4.98.1-r0-2-0
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.0-0
+  version: v11.6.0-security-01-0
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10169-0
+  version: v10184-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
   version: v1.8.4-5
@@ -67,7 +67,7 @@
   version: v1.0.0-0
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.3.5-0
+  version: v3.3.6-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-0

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.3.26
+matrix_alertmanager_receiver_version: 2025.4.23
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 0.14.1
+matrix_authentication_service_version: 0.15.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -562,7 +562,7 @@ matrix_authentication_service_syn2mas_start_wait_time_seconds: 5
 matrix_authentication_service_syn2mas_dry_run: false
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service/syn2mas
-matrix_authentication_service_syn2mas_version: 0.14.1
+matrix_authentication_service_syn2mas_version: 0.15.0
 matrix_authentication_service_syn2mas_container_image: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix }}element-hq/matrix-authentication-service/syn2mas:{{ matrix_authentication_service_syn2mas_version }}"
 matrix_authentication_service_syn2mas_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_syn2mas_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-base/defaults/main.yml

@@ -48,6 +48,9 @@ matrix_bridges_encryption_enabled: false
 # Global var to make encryption default/optional across all bridges with encryption support
 matrix_bridges_encryption_default: "{{ matrix_bridges_encryption_enabled }}"
 
+# Global var for enabling msc4190 ( On supported bridges)
+matrix_bridges_msc4190_enabled: "{{ matrix_authentication_service_enabled and matrix_bridges_encryption_enabled and matrix_synapse_experimental_features_msc3202_device_masquerading_enabled }}"
+
 # Global var to enable/disable relay mode across all bridges with relay mode support
 matrix_bridges_relay_enabled: false
 
@@ -78,7 +81,7 @@ matrix_monitoring_container_network: matrix-monitoring
 matrix_homeserver_enabled: true
 
 # This will contain the homeserver implementation that is in use.
-# Valid values: synapse, dendrite, conduit, conduwuit
+# Valid values: synapse, dendrite, conduit, conduwuit, continuwuity
 #
 # By default, we use Synapse, because it's the only full-featured Matrix server at the moment.
 #

roles/custom/matrix-base/tasks/validate_config.yml

@@ -13,7 +13,7 @@
 - name: Fail if invalid homeserver implementation
   ansible.builtin.fail:
     msg: "You need to set a valid homeserver implementation in `matrix_homeserver_implementation`"
-  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit']"
+  when: "matrix_homeserver_implementation not in ['synapse', 'dendrite', 'conduit', 'conduwuit', 'continuwuity']"
 
 - name: (Deprecation) Catch and report renamed settings
   ansible.builtin.fail:

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.5.1
+matrix_bot_baibot_version: v1.6.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -368,7 +368,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4o
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-4.1
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -157,13 +157,13 @@ matrix_bot_draupnir_configuration: "{{ matrix_bot_draupnir_configuration_yaml |
 # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
 matrix_bot_draupnir_container_labels_traefik_enabled: false
 matrix_bot_draupnir_container_labels_traefik_docker_network: "{{ matrix_draupnir_bot_container_network }}"
-matrix_bot_draupnir_container_labels_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"  # noqa var-naming
-matrix_bot_draupnir_container_labels_traefik_path_regexp: "^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_path_regexp: "^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$"  # noqa var-naming
-matrix_bot_draupnir_container_labels_traefik_rule: "Host(`{{ matrix_bot_draupnir_container_labels_traefik_hostname }}`) && PathRegexp(`{{ matrix_bot_draupnir_container_labels_traefik_path_regexp }}`)"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_rule: "Host(`{{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_hostname }}`) && PathRegexp(`{{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_path_regexp }}`)"  # noqa var-naming
-matrix_bot_draupnir_container_labels_traefik_priority: 0
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_priority: 0  # noqa var-naming
-matrix_bot_draupnir_container_labels_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints: "{{ matrix_synapse_container_labels_traefik_entrypoints }}"  # noqa var-naming
-matrix_bot_draupnir_container_labels_traefik_tls: "{{ matrix_bot_draupnir_container_labels_traefik_entrypoints != 'web' }}"
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls: "{{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints != 'web' }}"  # noqa var-naming
-matrix_bot_draupnir_container_labels_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver: "{{ matrix_synapse_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
 # matrix_bot_draupnir_container_labels_traefik_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -24,6 +24,13 @@
     - {'old': 'matrix_bot_draupnir_web_enabled', 'new': 'matrix_bot_draupnir_config_web_enabled'}
     - {'old': 'matrix_bot_draupnir_abuse_reporting_enabled', 'new': 'matrix_bot_draupnir_config_web_abuseReporting'}
     - {'old': 'matrix_bot_draupnir_display_reports', 'new': 'matrix_bot_draupnir_config_displayReports'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_hostname', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_hostname'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_path_regexp', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_path_regexp'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_rule', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_rule'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_priority', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_priority'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_entrypoints', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_tls', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls'}
+    - {'old': 'matrix_bot_draupnir_container_labels_traefik_tls_certResolver', 'new': 'matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver'}
 
 - name: Fail if required matrix-bot-draupnir variables are undefined
   ansible.builtin.fail:

roles/custom/matrix-bot-draupnir/templates/labels.j2

@@ -1,5 +1,6 @@
 {#
 SPDX-FileCopyrightText: 2024 MDAD project contributors
+SPDX-FileCopyrightText: 2025 Catalan Lover <catalanlover@protonmail.com>
 
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
@@ -13,6 +14,7 @@ traefik.docker.network={{ matrix_bot_draupnir_container_labels_traefik_docker_ne
 
 traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port=8080
 
+{% if matrix_bot_draupnir_config_web_abuseReporting %}
 ############################################################
 #                                                          #
 # Abuse Reports (/_matrix/client/../rooms/../report)       #
@@ -21,32 +23,32 @@ traefik.http.services.matrix-bot-draupnir.loadbalancer.server.port=8080
 
 {% set middlewares = [] %}
 
-traefik.http.middlewares.matrix-bot-draupnir-redirect.replacepathregex.regex=^/_matrix/client/(r0|v3)/rooms/([^/]*)/report/(.*)$
+traefik.http.middlewares.matrix-bot-draupnir-web-abuseReporting-redirect.replacepathregex.regex={{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_path_regexp }}
-traefik.http.middlewares.matrix-bot-draupnir-redirect.replacepathregex.replacement=/api/1/report/$2/$3
+traefik.http.middlewares.matrix-bot-draupnir-web-abuseReporting-redirect.replacepathregex.replacement=/api/1/report/$2/$3
 
-{% set middlewares = middlewares + ['matrix-bot-draupnir-redirect'] %}
+{% set middlewares = middlewares + ['matrix-bot-draupnir-web-abuseReporting-redirect'] %}
 
-traefik.http.middlewares.matrix-bot-draupnir-cors.headers.accesscontrolalloworiginlist=*
+traefik.http.middlewares.matrix-bot-draupnir-web-abuseReporting-cors.headers.accesscontrolalloworiginlist=*
-traefik.http.middlewares.matrix-bot-draupnir-cors.headers.accesscontrolallowheaders=Content-Type,Authorization
+traefik.http.middlewares.matrix-bot-draupnir-web-abuseReporting-cors.headers.accesscontrolallowheaders=Content-Type,Authorization
-traefik.http.middlewares.matrix-bot-draupnir-cors.headers.accesscontrolallowmethods=POST,OPTIONS
+traefik.http.middlewares.matrix-bot-draupnir-web-abuseReporting-cors.headers.accesscontrolallowmethods=POST,OPTIONS
 
-{% set middlewares = middlewares + ['matrix-bot-draupnir-cors'] %}
+{% set middlewares = middlewares + ['matrix-bot-draupnir-web-abuseReporting-cors'] %}
 
-traefik.http.routers.matrix-bot-draupnir.rule={{ matrix_bot_draupnir_container_labels_traefik_rule }}
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.rule={{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_rule }}
 
-{% if matrix_bot_draupnir_container_labels_traefik_priority | int > 0 %}
+{% if matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_priority | int > 0 %}
-traefik.http.routers.matrix-bot-draupnir.priority={{ matrix_bot_draupnir_container_labels_traefik_priority }}
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.priority={{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_priority }}
 {% endif %}
 {% if middlewares | length > 0 %}
-traefik.http.routers.matrix-bot-draupnir.middlewares={{ middlewares | join(',') }}
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.middlewares={{ middlewares | join(',') }}
 {% endif %}
 
-traefik.http.routers.matrix-bot-draupnir.service=matrix-bot-draupnir
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.service=matrix-bot-draupnir
-traefik.http.routers.matrix-bot-draupnir.entrypoints={{ matrix_bot_draupnir_container_labels_traefik_entrypoints }}
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.entrypoints={{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_entrypoints }}
-traefik.http.routers.matrix-bot-draupnir.tls={{ matrix_bot_draupnir_container_labels_traefik_tls | to_json }}
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.tls={{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls | to_json }}
 
-{% if matrix_bot_draupnir_container_labels_traefik_tls %}
+{% if matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls %}
-traefik.http.routers.matrix-bot-draupnir.tls.certResolver={{ matrix_bot_draupnir_container_labels_traefik_tls_certResolver }}
+traefik.http.routers.matrix-bot-draupnir-web-abuseReporting.tls.certResolver={{ matrix_bot_draupnir_container_labels_web_abuseReporting_traefik_tls_certResolver }}
 {% endif %}
 
 ############################################################
@@ -55,5 +57,6 @@ traefik.http.routers.matrix-bot-draupnir.tls.certResolver={{ matrix_bot_draupnir
 #                                                          #
 ############################################################
 {% endif %}
+{% endif %}
 
 {{ matrix_bot_draupnir_container_labels_traefik_labels_additional_labels }}

roles/custom/matrix-bot-honoroit/defaults/main.yml

@@ -30,7 +30,7 @@ matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/honoroit
-matrix_bot_honoroit_version: v0.9.27
+matrix_bot_honoroit_version: v0.9.28
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_registry_prefix }}etkecc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_docker_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_docker_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-beeper-linkedin/defaults/main.yml

@@ -167,5 +167,6 @@ matrix_beeper_linkedin_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_beeper_linkedin_appservice_bot_username | regex_escape }}:{{ matrix_beeper_linkedin_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_beeper_linkedin_registration: "{{ matrix_beeper_linkedin_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-beeper-linkedin/templates/config.yaml.j2

@@ -67,7 +67,7 @@ appservice:
     bot_username: {{ matrix_beeper_linkedin_appservice_bot_username | to_json }}
     # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
     # to leave display name/avatar as-is.
-    bot_displayname: {{ matrix_beeper_linkedin_appservice_bot_displayname | to_json }}
+    bot_displayname: {{ matrix_beeper_linkedin_appservice_bot_displayname | to_json(ensure_ascii=False) }}
     bot_avatar: {{ matrix_beeper_linkedin_appservice_bot_avatar | to_json }}
 
     # Whether or not to receive ephemeral events via appservice transactions.

roles/custom/matrix-bridge-go-skype-bridge/defaults/main.yml

@@ -159,5 +159,6 @@ matrix_go_skype_bridge_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_go_skype_bridge_appservice_bot_username | regex_escape }}:{{ matrix_go_skype_bridge_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_go_skype_bridge_registration: "{{ matrix_go_skype_bridge_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-heisenbridge/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_heisenbridge_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_heisenbridge_path_prefix: "/heisenbridge"
 
 # renovate: datasource=docker depName=hif1/heisenbridge
-matrix_heisenbridge_version: 1.15.2
+matrix_heisenbridge_version: 1.15.3
 matrix_heisenbridge_docker_image: "{{ matrix_heisenbridge_docker_image_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_registry_prefix: "{{ matrix_heisenbridge_docker_image_registry_prefix_upstream }}"
 matrix_heisenbridge_docker_image_registry_prefix_upstream: "{{ matrix_heisenbridge_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2

@@ -103,7 +103,7 @@ passFile:
 bot:
   # (Optional) Define profile information for the bot user
   #
-  displayname: {{ matrix_hookshot_bot_displayname | to_json }}
+  displayname: {{ matrix_hookshot_bot_displayname | to_json(ensure_ascii=False) }}
   avatar: {{ matrix_hookshot_bot_avatar | to_json }}
 metrics:
   # (Optional) Prometheus metrics support

roles/custom/matrix-bridge-hookshot/templates/registration.yml.j2

@@ -32,5 +32,6 @@ rate_limited: false
 {% if matrix_hookshot_encryption_enabled %}
 de.sorunome.msc2409.push_ephemeral: true
 push_ephemeral: true
+receive_ephemeral: true
 org.matrix.msc3202: true
 {% endif %}

roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml

@@ -31,6 +31,8 @@ matrix_mautrix_bluesky_homeserver_address: ""
 matrix_mautrix_bluesky_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_bluesky_appservice_address: 'http://matrix-mautrix-bluesky:29340'
 
+matrix_mautrix_bluesky_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 # A public address that external services can use to reach this appservice.
 matrix_mautrix_bluesky_appservice_public_address: ''
 
@@ -187,6 +189,7 @@ matrix_mautrix_bluesky_registration_yaml: |
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
   receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_bluesky_msc4190_enabled | to_json }}
 
 matrix_mautrix_bluesky_registration: "{{ matrix_mautrix_bluesky_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2

@@ -199,7 +199,7 @@ appservice:
         username: {{ matrix_mautrix_bluesky_appservice_bot_username | to_json }}
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
-        displayname: {{ matrix_mautrix_bluesky_appservice_bot_displayname | to_json }}
+        displayname: {{ matrix_mautrix_bluesky_appservice_bot_displayname | to_json(ensure_ascii=False) }}
         avatar: {{ matrix_mautrix_bluesky_appservice_bot_avatar | to_json }}
 
     # Whether to receive ephemeral events via appservice transactions.
@@ -209,10 +209,6 @@ appservice:
     # However, messages will not be guaranteed to be bridged in the same order they were sent in.
     # This value doesn't affect the registration file.
     async_transactions: false
-    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
-    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
-    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
-    msc4190: false
 
     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
     as_token: {{ matrix_mautrix_bluesky_appservice_token | to_json }}
@@ -358,6 +354,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: {{ matrix_mautrix_bluesky_bridge_encryption_appservice | to_json }}
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_bluesky_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_bluesky_bridge_encryption_key_sharing_allow | to_json }}

roles/custom/matrix-bridge-mautrix-discord/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_mautrix_discord_container_image_self_build_repo: "https://mau.dev/mautrix
 matrix_mautrix_discord_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_discord_version == 'latest' else matrix_mautrix_discord_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/discord
-matrix_mautrix_discord_version: v0.7.2
+matrix_mautrix_discord_version: v0.7.3
 
 # See: https://mau.dev/mautrix/discord/container_registry
 matrix_mautrix_discord_docker_image: "{{ matrix_mautrix_discord_docker_image_registry_prefix }}mautrix/discord:{{ matrix_mautrix_discord_version }}"
@@ -224,6 +224,7 @@ matrix_mautrix_discord_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_mautrix_discord_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_discord_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mautrix_discord_registration: "{{ matrix_mautrix_discord_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-discord/templates/config.yaml.j2

@@ -61,7 +61,7 @@ appservice:
         username: {{ matrix_mautrix_discord_appservice_bot_username | to_json }}
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
-        displayname: {{ matrix_mautrix_discord_appservice_bot_displayname | to_json }}
+        displayname: {{ matrix_mautrix_discord_appservice_bot_displayname | to_json(ensure_ascii=False) }}
         avatar: {{ matrix_mautrix_discord_appservice_bot_avatar | to_json }}
 
     # Whether or not to receive ephemeral events via appservice transactions.

roles/custom/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -214,6 +214,7 @@ matrix_mautrix_facebook_registration_yaml: |
   sender_localpart: _bot_{{ matrix_mautrix_facebook_appservice_bot_username }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mautrix_facebook_registration: "{{ matrix_mautrix_facebook_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -36,6 +36,8 @@ matrix_mautrix_gmessages_homeserver_address: ""
 matrix_mautrix_gmessages_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_gmessages_appservice_address: "http://matrix-mautrix-gmessages:8080"
 
+matrix_mautrix_gmessages_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 matrix_mautrix_gmessages_backfill_enabled: true
 matrix_mautrix_gmessages_backfill_max_initial_messages: 50
 matrix_mautrix_gmessages_backfill_max_catchup_messages: 500
@@ -212,5 +214,7 @@ matrix_mautrix_gmessages_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_mautrix_gmessages_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_gmessages_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_gmessages_msc4190_enabled | to_json }}
 
 matrix_mautrix_gmessages_registration: "{{ matrix_mautrix_gmessages_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mautrix-gmessages/templates/config.yaml.j2

@@ -354,6 +354,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: {{ matrix_mautrix_gmessages_bridge_encryption_appservice | to_json }}
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_gmessages_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_gmessages_bridge_encryption_key_sharing_allow | to_json }}

roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml

@@ -199,6 +199,7 @@ matrix_mautrix_googlechat_registration_yaml: |
   sender_localpart: _bot_{{ matrix_mautrix_googlechat_appservice_bot_username }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mautrix_googlechat_registration: "{{ matrix_mautrix_googlechat_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-instagram/defaults/main.yml

@@ -183,6 +183,7 @@ matrix_mautrix_instagram_registration_yaml: |
   sender_localpart: _bot_{{ matrix_mautrix_instagram_appservice_bot_username }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mautrix_instagram_registration: "{{ matrix_mautrix_instagram_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.4.5
+matrix_mautrix_meta_instagram_version: v0.4.6
 
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"
@@ -123,6 +123,8 @@ matrix_mautrix_meta_instagram_appservice_address: "http://{{ matrix_mautrix_meta
 
 matrix_mautrix_meta_instagram_appservice_id: "{{ matrix_mautrix_meta_instagram_meta_mode }}"
 
+matrix_mautrix_meta_instagram_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 # For Facebook/Messenger, we use the same `@messengerbot:example.com` username regardless of how bridging happens for multiple reasons:
 # - it's consistent - regardless of how bridging happens, the bridged service is actually Messenger
 # - it's easy for users - you may change the mode, but the bot is always at `@messengerbot:example.com`
@@ -297,5 +299,7 @@ matrix_mautrix_meta_instagram_registration_yaml: |
   sender_localpart: _bot_{{ matrix_mautrix_meta_instagram_appservice_username }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_meta_instagram_msc4190_enabled | to_json }}
 
 matrix_mautrix_meta_instagram_registration: "{{ matrix_mautrix_meta_instagram_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mautrix-meta-instagram/templates/config.yaml.j2

@@ -212,7 +212,7 @@ appservice:
         username: {{ matrix_mautrix_meta_instagram_appservice_username | to_json }}
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
-        displayname: {{ matrix_mautrix_meta_instagram_appservice_displayname | to_json }}
+        displayname: {{ matrix_mautrix_meta_instagram_appservice_displayname | to_json(ensure_ascii=False) }}
         avatar: {{ matrix_mautrix_meta_instagram_appservice_avatar | to_json }}
 
     # Whether to receive ephemeral events via appservice transactions.
@@ -367,6 +367,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: {{ matrix_mautrix_meta_instagram_bridge_encryption_appservice | to_json }}
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_meta_instagram_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_meta_instagram_bridge_encryption_allow_key_sharing | to_json }}

roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.4.5
+matrix_mautrix_meta_messenger_version: v0.4.6
 
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"
@@ -123,6 +123,8 @@ matrix_mautrix_meta_messenger_appservice_address: "http://{{ matrix_mautrix_meta
 
 matrix_mautrix_meta_messenger_appservice_id: "{{ matrix_mautrix_meta_messenger_meta_mode }}"
 
+matrix_mautrix_meta_messenger_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 # For Facebook/Messenger, we use the same `@messengerbot:example.com` username regardless of how bridging happens for multiple reasons:
 # - it's consistent - regardless of how bridging happens, the bridged service is actually Messenger
 # - it's easy for users - you may change the mode, but the bot is always at `@messengerbot:example.com`
@@ -297,5 +299,7 @@ matrix_mautrix_meta_messenger_registration_yaml: |
   sender_localpart: _bot_{{ matrix_mautrix_meta_messenger_appservice_username }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_meta_messenger_msc4190_enabled | to_json }}
 
 matrix_mautrix_meta_messenger_registration: "{{ matrix_mautrix_meta_messenger_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mautrix-meta-messenger/templates/config.yaml.j2

@@ -212,7 +212,7 @@ appservice:
         username: {{ matrix_mautrix_meta_messenger_appservice_username | to_json }}
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
-        displayname: {{ matrix_mautrix_meta_messenger_appservice_displayname | to_json }}
+        displayname: {{ matrix_mautrix_meta_messenger_appservice_displayname | to_json(ensure_ascii=False) }}
         avatar: {{ matrix_mautrix_meta_messenger_appservice_avatar | to_json }}
 
     # Whether to receive ephemeral events via appservice transactions.
@@ -367,6 +367,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: {{ matrix_mautrix_meta_messenger_bridge_encryption_appservice | to_json }}
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_meta_messenger_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_meta_messenger_bridge_encryption_allow_key_sharing | to_json }}

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.8.1
+matrix_mautrix_signal_version: v0.8.2
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@@ -44,6 +44,8 @@ matrix_mautrix_signal_homeserver_address: ""
 matrix_mautrix_signal_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 
+matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 matrix_mautrix_signal_command_prefix: "!signal"
 
 matrix_mautrix_signal_bridge_permissions: |
@@ -210,6 +212,8 @@ matrix_mautrix_signal_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_mautrix_signal_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_signal_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_signal_msc4190_enabled | to_json }}
 
 matrix_mautrix_signal_registration: "{{ matrix_mautrix_signal_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -334,6 +334,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: false
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_signal_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_signal_bridge_encryption_key_sharing_allow | to_json }}

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2.0
+matrix_mautrix_slack_version: v0.2.1
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}"
@@ -34,6 +34,8 @@ matrix_mautrix_slack_homeserver_address: ""
 matrix_mautrix_slack_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080"
 
+matrix_mautrix_slack_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 matrix_mautrix_slack_command_prefix: "!slack"
 
 matrix_mautrix_slack_bridge_permissions: |
@@ -151,6 +153,8 @@ matrix_mautrix_slack_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_mautrix_slack_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_slack_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_slack_msc4190_enabled | to_json }}
 
 matrix_mautrix_slack_registration: "{{ matrix_mautrix_slack_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2

@@ -371,6 +371,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: false
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_slack_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_slack_bridge_encryption_key_sharing_allow | to_json }}

roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -84,6 +84,8 @@ matrix_mautrix_telegram_appservice_public_external: '{{ matrix_mautrix_telegram_
 
 matrix_mautrix_telegram_appservice_bot_username: telegrambot
 
+matrix_mautrix_telegram_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 # Specifies the default log level for all bridge loggers.
 matrix_mautrix_telegram_logging_level: WARNING
 
@@ -221,6 +223,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml | from_yaml | combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@@ -239,6 +243,8 @@ matrix_mautrix_telegram_registration_yaml: |
   url: {{ matrix_mautrix_telegram_appservice_address }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_telegram_msc4190_enabled | to_json }}
 
 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-telegram/templates/config.yaml.j2

@@ -269,6 +269,11 @@ bridge:
         default: {{ matrix_mautrix_telegram_bridge_encryption_default|to_json }}
         # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
         appservice: false
+        # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+        # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+        # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+        # Changing this option requires updating the appservice registration file.
+        msc4190:  {{ matrix_mautrix_telegram_msc4190_enabled | to_json }}
         # Require encryption, drop any unencrypted messages.
         require: false
         # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.3.0
+matrix_mautrix_twitter_version: v0.4.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}"
@@ -39,6 +39,8 @@ matrix_mautrix_twitter_homeserver_address: ""
 matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}'
 matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
 
+matrix_mautrix_twitter_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 # A public address that external services can use to reach this appservice.
 matrix_mautrix_twitter_appservice_public_address: ''
 
@@ -196,6 +198,7 @@ matrix_mautrix_twitter_registration_yaml: |
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
   receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_twitter_msc4190_enabled | to_json }}
 
 matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml | from_yaml }}"
 

roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2

@@ -199,7 +199,7 @@ appservice:
         username: {{ matrix_mautrix_twitter_appservice_bot_username | to_json }}
         # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
         # to leave display name/avatar as-is.
-        displayname: {{ matrix_mautrix_twitter_appservice_bot_displayname | to_json }}
+        displayname: {{ matrix_mautrix_twitter_appservice_bot_displayname | to_json(ensure_ascii=False) }}
         avatar: {{ matrix_mautrix_twitter_appservice_bot_avatar | to_json }}
 
     # Whether to receive ephemeral events via appservice transactions.
@@ -212,7 +212,8 @@ appservice:
     # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
     # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
     # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
-    msc4190: false
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_twitter_msc4190_enabled | to_json }}
 
     # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
     as_token: {{ matrix_mautrix_twitter_appservice_token | to_json }}

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.11.4
+matrix_mautrix_whatsapp_version: v0.12.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"
@@ -46,6 +46,8 @@ matrix_mautrix_whatsapp_homeserver_address: ""
 matrix_mautrix_whatsapp_homeserver_domain: "{{ matrix_domain }}"
 matrix_mautrix_whatsapp_appservice_address: "http://matrix-mautrix-whatsapp:8080"
 
+matrix_mautrix_whatsapp_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
+
 matrix_mautrix_whatsapp_extev_polls: false
 
 matrix_mautrix_whatsapp_command_prefix: "!wa"
@@ -224,10 +226,12 @@ matrix_mautrix_whatsapp_registration_yaml: |
   rate_limited: false
   namespaces:
       users:
-      - regex: '^@whatsapp_[0-9]+:{{ matrix_mautrix_whatsapp_homeserver_domain | regex_escape }}$'
+      - regex: '^@whatsapp_.*:{{ matrix_mautrix_whatsapp_homeserver_domain | regex_escape }}$'
         exclusive: true
       - exclusive: true
         regex: '^@{{ matrix_mautrix_whatsapp_appservice_bot_username | regex_escape }}:{{ matrix_mautrix_whatsapp_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
+  io.element.msc4190: {{ matrix_mautrix_whatsapp_msc4190_enabled | to_json }}
 
 matrix_mautrix_whatsapp_registration: "{{ matrix_mautrix_whatsapp_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -445,6 +445,11 @@ encryption:
     # Whether to use MSC2409/MSC3202 instead of /sync long polling for receiving encryption-related data.
     # This option is not yet compatible with standard Matrix servers like Synapse and should not be used.
     appservice: false
+    # Whether to use MSC4190 instead of appservice login to create the bridge bot device.
+    # Requires the homeserver to support MSC4190 and the device masquerading parts of MSC3202.
+    # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
+    # Changing this option requires updating the appservice registration file.
+    msc4190: {{ matrix_mautrix_whatsapp_msc4190_enabled | to_json }}
     # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
     # You must use a client that supports requesting keys from other users to use this feature.
     allow_key_sharing: {{ matrix_mautrix_whatsapp_bridge_encryption_key_sharing_allow | to_json }}

roles/custom/matrix-bridge-mx-puppet-discord/defaults/main.yml

@@ -139,5 +139,6 @@ matrix_mx_puppet_discord_registration_yaml: |
   sender_localpart: _discordpuppet_bot
   url: {{ matrix_mx_puppet_discord_appservice_address }}
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mx_puppet_discord_registration: "{{ matrix_mx_puppet_discord_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/custom/matrix-bridge-mx-puppet-groupme/defaults/main.yml

@@ -133,5 +133,6 @@ matrix_mx_puppet_groupme_registration_yaml: |
   sender_localpart: _groupmepuppet_bot
   url: {{ matrix_mx_puppet_groupme_appservice_address }}
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mx_puppet_groupme_registration: "{{ matrix_mx_puppet_groupme_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mx-puppet-instagram/defaults/main.yml

@@ -127,5 +127,6 @@ matrix_mx_puppet_instagram_registration_yaml: |
   sender_localpart: _instagrampuppet_bot
   url: {{ matrix_mx_puppet_instagram_appservice_address }}
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mx_puppet_instagram_registration: "{{ matrix_mx_puppet_instagram_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mx-puppet-slack/defaults/main.yml

@@ -179,5 +179,6 @@ matrix_mx_puppet_slack_registration_yaml: |
   sender_localpart: _slackpuppet_bot
   url: {{ matrix_mx_puppet_slack_appservice_address }}
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mx_puppet_slack_registration: "{{ matrix_mx_puppet_slack_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mx-puppet-steam/defaults/main.yml

@@ -134,5 +134,6 @@ matrix_mx_puppet_steam_registration_yaml: |
   sender_localpart: _steampuppet_bot
   url: {{ matrix_mx_puppet_steam_appservice_address }}
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mx_puppet_steam_registration: "{{ matrix_mx_puppet_steam_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-mx-puppet-twitter/defaults/main.yml

@@ -179,5 +179,6 @@ matrix_mx_puppet_twitter_registration_yaml: |
   sender_localpart: "{{ matrix_mx_puppet_twitter_bot_localpart }}"
   url: {{ matrix_mx_puppet_twitter_appservice_address }}
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_mx_puppet_twitter_registration: "{{ matrix_mx_puppet_twitter_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-wechat/defaults/main.yml

@@ -150,6 +150,7 @@ matrix_wechat_registration_yaml: |
       - exclusive: true
         regex: '^@{{ matrix_wechat_appservice_bot_username | regex_escape }}:{{ matrix_wechat_homeserver_domain | regex_escape }}$'
   de.sorunome.msc2409.push_ephemeral: true
+  receive_ephemeral: true
 
 matrix_wechat_registration: "{{ matrix_wechat_registration_yaml | from_yaml }}"
 

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.11.97
+matrix_client_element_version: v1.11.99
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-element/tasks/setup_install.yml

@@ -101,6 +101,19 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"
 
+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: false
+    #when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element Web nginx.conf file is removed
   ansible.builtin.file:
     path: "{{ matrix_client_element_data_path }}/nginx.conf"

roles/custom/matrix-client-element/templates/welcome.html.j2

@@ -33,7 +33,7 @@ h1::after {
 }
 
 .mx_Logo {
-    height: 54px;
+    height: 92px;
     margin-top: 2px;
 }
 

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -0,0 +1,195 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+# continuwuity is a continuation of conduwuit (https://conduwuit.puppyirl.gay/).
+# Project source code URL: https://forgejo.ellis.link/continuwuation/continuwuity/
+# See: https://continuwuity.org/
+
+matrix_continuwuity_enabled: true
+
+matrix_continuwuity_hostname: ''
+
+matrix_continuwuity_docker_image: "{{ matrix_continuwuity_docker_image_registry_prefix }}/continuwuation/continuwuity:{{ matrix_continuwuity_docker_image_tag }}"
+# renovate: datasource=docker depName=forgejo.ellis.link/continuwuation/-/packages/container/continuwuity/
+matrix_continuwuity_docker_image_tag: main
+matrix_continuwuity_docker_image_force_pull: "{{ matrix_continuwuity_docker_image.endswith(':latest') }}"
+matrix_continuwuity_docker_image_registry_prefix: "{{ matrix_continuwuity_docker_image_registry_prefix_upstream }}"
+matrix_continuwuity_docker_image_registry_prefix_upstream: "{{ matrix_continuwuity_docker_image_registry_prefix_upstream_default }}"
+matrix_continuwuity_docker_image_registry_prefix_upstream_default: forgejo.ellis.link
+
+matrix_continuwuity_base_path: "{{ matrix_base_data_path }}/continuwuity"
+matrix_continuwuity_config_path: "{{ matrix_continuwuity_base_path }}/config"
+matrix_continuwuity_data_path: "{{ matrix_continuwuity_base_path }}/data"
+
+matrix_continuwuity_config_port_number: 6167
+
+matrix_continuwuity_tmp_directory_size_mb: 500
+
+# List of systemd services that matrix-continuwuity.service depends on
+matrix_continuwuity_systemd_required_services_list: "{{ matrix_continuwuity_systemd_required_services_list_default + matrix_continuwuity_systemd_required_services_list_auto + matrix_continuwuity_systemd_required_services_list_custom }}"
+matrix_continuwuity_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_continuwuity_systemd_required_services_list_auto: []
+matrix_continuwuity_systemd_required_services_list_custom: []
+
+# List of systemd services that matrix-continuwuity.service wants
+matrix_continuwuity_systemd_wanted_services_list: []
+
+# Controls how long to sleep for after starting the matrix-synapse container.
+#
+# Delaying, so that the homeserver can manage to fully start and various services
+# that depend on it (`matrix_continuwuity_systemd_required_services_list` and `matrix_continuwuity_systemd_wanted_services_list`)
+# may only start after the homeserver is up and running.
+#
+# This can be set to 0 to remove the delay.
+matrix_continuwuity_systemd_service_post_start_delay_seconds: 3
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_continuwuity_container_network: ""
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_continuwuity_container_additional_networks: "{{ matrix_continuwuity_container_additional_networks_auto + matrix_continuwuity_container_additional_networks_custom }}"
+matrix_continuwuity_container_additional_networks_auto: []
+matrix_continuwuity_container_additional_networks_custom: []
+
+# matrix_continuwuity_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_continuwuity_container_labels_additional_labels`.
+matrix_continuwuity_container_labels_traefik_enabled: true
+matrix_continuwuity_container_labels_traefik_docker_network: "{{ matrix_continuwuity_container_network }}"
+matrix_continuwuity_container_labels_traefik_entrypoints: web-secure
+matrix_continuwuity_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether labels will be added for handling the root (/) path on a public Traefik entrypoint.
+matrix_continuwuity_container_labels_public_client_root_enabled: true
+matrix_continuwuity_container_labels_public_client_root_traefik_hostname: "{{ matrix_continuwuity_hostname }}"
+matrix_continuwuity_container_labels_public_client_root_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_client_root_traefik_hostname }}`) && Path(`/`)"
+matrix_continuwuity_container_labels_public_client_root_traefik_priority: 0
+matrix_continuwuity_container_labels_public_client_root_traefik_entrypoints: "{{ matrix_continuwuity_container_labels_traefik_entrypoints }}"
+matrix_continuwuity_container_labels_public_client_root_traefik_tls: "{{ matrix_continuwuity_container_labels_public_client_root_traefik_entrypoints != 'web' }}"
+matrix_continuwuity_container_labels_public_client_root_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+matrix_continuwuity_container_labels_public_client_root_redirection_enabled: false
+matrix_continuwuity_container_labels_public_client_root_redirection_url: ""
+
+# Controls whether labels will be added that expose the Client-Server API on a public Traefik entrypoint.
+matrix_continuwuity_container_labels_public_client_api_enabled: true
+matrix_continuwuity_container_labels_public_client_api_traefik_hostname: "{{ matrix_continuwuity_hostname }}"
+matrix_continuwuity_container_labels_public_client_api_traefik_path_prefix: /_matrix
+matrix_continuwuity_container_labels_public_client_api_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_client_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_continuwuity_container_labels_public_client_api_traefik_path_prefix }}`)"
+matrix_continuwuity_container_labels_public_client_api_traefik_priority: 0
+matrix_continuwuity_container_labels_public_client_api_traefik_entrypoints: "{{ matrix_continuwuity_container_labels_traefik_entrypoints }}"
+matrix_continuwuity_container_labels_public_client_api_traefik_tls: "{{ matrix_continuwuity_container_labels_public_client_api_traefik_entrypoints != 'web' }}"
+matrix_continuwuity_container_labels_public_client_api_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# Controls whether labels will be added that expose the Client-Server API on the internal Traefik entrypoint.
+# This is similar to `matrix_continuwuity_container_labels_public_client_api_enabled`, but the entrypoint and intent is different.
+matrix_continuwuity_container_labels_internal_client_api_enabled: false
+matrix_continuwuity_container_labels_internal_client_api_traefik_path_prefix: "{{ matrix_continuwuity_container_labels_public_client_api_traefik_path_prefix }}"
+matrix_continuwuity_container_labels_internal_client_api_traefik_rule: "PathPrefix(`{{ matrix_continuwuity_container_labels_internal_client_api_traefik_path_prefix }}`)"
+matrix_continuwuity_container_labels_internal_client_api_traefik_priority: "{{ matrix_continuwuity_container_labels_public_client_api_traefik_priority }}"
+matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints: ""
+
+# Controls whether labels will be added that expose the Server-Server API (Federation API) on a public Traefik entrypoint.
+matrix_continuwuity_container_labels_public_federation_api_enabled: "{{ matrix_continuwuity_config_allow_federation }}"
+matrix_continuwuity_container_labels_public_federation_api_traefik_hostname: "{{ matrix_continuwuity_hostname }}"
+matrix_continuwuity_container_labels_public_federation_api_traefik_path_prefix: /_matrix
+matrix_continuwuity_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_continuwuity_container_labels_public_federation_api_traefik_path_prefix }}`)"
+matrix_continuwuity_container_labels_public_federation_api_traefik_priority: 0
+matrix_continuwuity_container_labels_public_federation_api_traefik_entrypoints: ''
+# TLS is force-enabled here, because the spec (https://spec.matrix.org/v1.9/server-server-api/#tls) says that the federation API must use HTTPS.
+matrix_continuwuity_container_labels_public_federation_api_traefik_tls: true
+matrix_continuwuity_container_labels_public_federation_api_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# Controls whether labels will be added that expose the `/_continuwuity` path prefix on a public Traefik entrypoint.
+matrix_continuwuity_container_labels_public_continuwuity_api_enabled: true
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_hostname: "{{ matrix_continuwuity_hostname }}"
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_path_prefix: /_continuwuity
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_rule: "Host(`{{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_path_prefix }}`)"
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_priority: 0
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_entrypoints: "{{ matrix_continuwuity_container_labels_traefik_entrypoints }}"
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls: "{{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_entrypoints != 'web' }}"
+matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls_certResolver: "{{ matrix_continuwuity_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# matrix_continuwuity_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_continuwuity_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_continuwuity_container_labels_additional_labels: ''
+
+# Extra arguments for the Docker container
+matrix_continuwuity_container_extra_arguments: []
+
+# Specifies which template files to use when configuring continuwuity.
+# If you'd like to have your own different configuration, feel free to copy and paste
+# the original files into your inventory (e.g. in `inventory/host_vars/matrix.example.com/`)
+# and then change the specific host's `vars.yml` file like this:
+# matrix_continuwuity_template_continuwuity_config: "{{ playbook_dir }}/inventory/host_vars/matrix.example.com/continuwuity.toml.j2"
+matrix_continuwuity_template_continuwuity_config: "{{ role_path }}/templates/continuwuity.toml.j2"
+
+# Max size for uploads, in bytes
+matrix_continuwuity_config_server_name: "{{ matrix_domain }}"
+
+# Max size for uploads, in bytes
+matrix_continuwuity_config_max_request_size: 20_000_000
+
+# Enables registration. If set to false, no users can register on this server.
+matrix_continuwuity_config_allow_registration: false
+
+# Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
+# This is only used when `matrix_continuwuity_config_allow_registration` is set to true and no registration token is configured.
+matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
+
+# Controls the `registration_token` setting.
+# When registration is enabled (`matrix_continuwuity_config_allow_registration`) you:
+# - either need to set a token to protect registration from abuse
+# - or you need to enable the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting
+#   (see `matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`),
+#   to allow registration without any form of 2nd-step.
+matrix_continuwuity_config_registration_token: ''
+
+# Controls the `new_user_displayname_suffix` setting.
+# This is the suffix that will be added to the displayname of new users.
+# Upstream defaults this to "🏳️‍⚧️", but we keep this consistent across all homeserver implementations and do not enable a suffix.
+matrix_continuwuity_config_new_user_displayname_suffix: ""
+
+# Controls the `allow_check_for_updates` setting.
+matrix_continuwuity_config_allow_check_for_updates: false
+
+# Controls the `emergency_password` setting.
+matrix_continuwuity_config_emergency_password: ''
+
+# Controls the `allow_federation` setting.
+matrix_continuwuity_config_allow_federation: true
+
+matrix_continuwuity_trusted_servers:
+ - "matrix.org"
+
+matrix_continuwuity_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
+
+# TURN integration.
+# See: https://continuwuity.org/turn
+matrix_continuwuity_config_turn_uris: []
+matrix_continuwuity_config_turn_secret: ''
+matrix_continuwuity_config_turn_username: ''
+matrix_continuwuity_config_turn_password: ''
+
+# Controls whether the self-check feature should validate SSL certificates.
+matrix_continuwuity_self_check_validate_certificates: true
+
+# Additional environment variables to pass to the container.
+#
+# Environment variables take priority over settings in the configuration file.
+#
+# Example:
+# matrix_continuwuity_environment_variables_extension: |
+#   continuwuity_MAX_REQUEST_SIZE=50000000
+#   continuwuity_REQUEST_TIMEOUT=60
+matrix_continuwuity_environment_variables_extension: ''

roles/custom/matrix-continuwuity/tasks/install.yml

@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure continuwuity config path exists
+  ansible.builtin.file:
+    path: "{{ matrix_continuwuity_config_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure continuwuity data path exists
+  ansible.builtin.file:
+    path: "{{ matrix_continuwuity_data_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure continuwuity configuration installed
+  ansible.builtin.template:
+    src: "{{ matrix_continuwuity_template_continuwuity_config }}"
+    dest: "{{ matrix_continuwuity_config_path }}/continuwuity.toml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure continuwuity support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_continuwuity_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+    - env
+
+- name: Ensure continuwuity container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_continuwuity_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure continuwuity container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_continuwuity_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_continuwuity_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_continuwuity_docker_image_force_pull }}"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure matrix-continuwuity.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
+    mode: 0644

roles/custom/matrix-continuwuity/tasks/main.yml

@@ -0,0 +1,40 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- tags:
+    - setup-all
+    - setup-continuwuity
+    - install-all
+    - install-continuwuity
+  block:
+    - when: matrix_continuwuity_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+
+    - when: matrix_continuwuity_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- tags:
+    - setup-all
+    - setup-continuwuity
+  block:
+    - when: not matrix_continuwuity_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
+
+- tags:
+    - self-check
+  block:
+    - when: matrix_continuwuity_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_client_api.yml"
+
+    - when: matrix_continuwuity_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check_federation_api.yml"
+
+- tags:
+    - continuwuity-migrate-from-conduwuit
+  block:
+    - when: matrix_continuwuity_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/migrate_from_conduwuit.yml"

roles/custom/matrix-continuwuity/tasks/migrate_from_conduwuit.yml

@@ -0,0 +1,83 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+# This migrates the conduwuit server implementation (`/matrix/conduwuit`) to continuwuity (`/matrix/continuwuity`),
+#
+# Here, we merely backup the fresh continuwuity folder, relocate conduwuit directory to continuwuity (`/matrix/conduwuit`)
+#
+# and restore continuwuity labels.
+
+- name: Check existence of conduwuit directory
+  ansible.builtin.stat:
+    path: "{{ matrix_base_data_path }}/conduwuit"
+  register: matrix_conduwuit_directory_stat
+
+- name: Check existence of continuwuity directory
+  ansible.builtin.stat:
+    path: "{{ matrix_base_data_path }}/continuwuity"
+  register: matrix_continuwuity_directory_stat
+
+- when: >
+        matrix_conduwuit_directory_stat.stat.exists | bool and
+        matrix_continuwuity_directory_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-continuwuity.service systemd service is stopped
+      ansible.builtin.systemd:
+        name: matrix-continuwuity
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure continuwuity directory is backed up
+      ansible.builtin.command:
+        cmd: "mv {{ matrix_base_data_path }}/continuwuity {{ matrix_base_data_path }}/continuwuity_old"
+        creates: "{{ matrix_base_data_path }}/continuwuity_old"
+        removes: "{{ matrix_base_data_path }}/continuwuity"
+
+    - name: Ensure conduwuit directory contents are copied to continuwuity
+      ansible.builtin.copy:
+        src: "{{ matrix_base_data_path }}/conduwuit/"
+        dest: "{{ matrix_base_data_path }}/continuwuity"
+        remote_src: true
+        mode: preserve
+
+    - name: Ensure conduwuit.toml file is renamed
+      ansible.builtin.command:
+        cmd: "mv {{ matrix_base_data_path }}/continuwuity/config/conduwuit.toml {{ matrix_base_data_path }}/continuwuity/config/continuwuity.toml"
+        removes: "{{ matrix_base_data_path }}/continuwuity/config/conduwuit.toml"
+
+    - name: Ensure continuwuity labels are restored
+      ansible.builtin.copy:
+        src: "{{ matrix_base_data_path }}/continuwuity_old/labels"
+        dest: "{{ matrix_base_data_path }}/continuwuity/labels"
+        remote_src: true
+        force: true
+        mode: preserve
+
+    - name: Ensure directories ownership is set
+      block:
+        - name: Set continuwuity ownership
+          ansible.builtin.file:
+            path: "{{ matrix_base_data_path }}/continuwuity"
+            state: directory
+            owner: "{{ matrix_user_username }}"
+            group: "{{ matrix_user_groupname }}"
+            recurse: true
+
+        - name: Set continuwuity_old ownership
+          ansible.builtin.file:
+            path: "{{ matrix_base_data_path }}/continuwuity_old"
+            state: directory
+            owner: "{{ matrix_user_username }}"
+            group: "{{ matrix_user_groupname }}"
+            recurse: true
+
+    - name: Ensure matrix-continuwuity.service systemd service is started
+      ansible.builtin.systemd:
+        name: matrix-continuwuity
+        state: started
+        enabled: true
+        daemon_reload: true

roles/custom/matrix-continuwuity/tasks/self_check_client_api.yml

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check Matrix Client API
+  ansible.builtin.uri:
+    url: "{{ matrix_continuwuity_client_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_continuwuity_self_check_validate_certificates }}"
+  register: result_matrix_continuwuity_client_api
+  ignore_errors: true
+  check_mode: false
+  when: matrix_continuwuity_enabled | bool
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Fail if Matrix Client API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Client API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_continuwuity_client_api_url_endpoint_public }}`). Is continuwuity running? Is port 443 open in your firewall? Full error: {{ result_matrix_continuwuity_client_api }}"
+  when: "matrix_continuwuity_enabled | bool and (result_matrix_continuwuity_client_api.failed or 'json' not in result_matrix_continuwuity_client_api)"
+
+- name: Report working Matrix Client API
+  ansible.builtin.debug:
+    msg: "The Matrix Client API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_continuwuity_client_api_url_endpoint_public }}`) is working"
+  when: matrix_continuwuity_enabled | bool

roles/custom/matrix-continuwuity/tasks/self_check_federation_api.yml

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check Matrix Federation API
+  ansible.builtin.uri:
+    url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
+    follow_redirects: none
+    validate_certs: "{{ matrix_synapse_self_check_validate_certificates }}"
+  register: result_matrix_synapse_federation_api
+  ignore_errors: true
+  check_mode: false
+  when: matrix_synapse_enabled | bool
+  delegate_to: 127.0.0.1
+  become: false
+
+- name: Fail if Matrix Federation API not working
+  ansible.builtin.fail:
+    msg: "Failed checking Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port {{ matrix_federation_public_port }} open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
+  when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool and (result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api)"
+
+- name: Fail if Matrix Federation API unexpectedly enabled
+  ansible.builtin.fail:
+    msg: "Matrix Federation API is up at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) despite being disabled."
+  when: "matrix_synapse_enabled | bool and not matrix_synapse_federation_enabled | bool and not result_matrix_synapse_federation_api.failed"
+
+- name: Report working Matrix Federation API
+  ansible.builtin.debug:
+    msg: "The Matrix Federation API at `{{ matrix_server_fqn_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"
+  when: "matrix_synapse_enabled | bool and matrix_synapse_federation_enabled | bool"

roles/custom/matrix-continuwuity/tasks/setup_install.yml

@@ -0,0 +1,63 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure continuwuity config path exists
+  ansible.builtin.file:
+    path: "{{ matrix_continuwuity_config_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure continuwuity data path exists
+  ansible.builtin.file:
+    path: "{{ matrix_continuwuity_data_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure continuwuity configuration installed
+  ansible.builtin.template:
+    src: "{{ matrix_continuwuity_template_continuwuity_config }}"
+    dest: "{{ matrix_continuwuity_config_path }}/continuwuity.toml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure continuwuity support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_continuwuity_base_path }}/{{ item }}"
+    mode: 0640
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - labels
+
+- name: Ensure continuwuity container network is created
+  community.general.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_continuwuity_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure continuwuity container image is pulled
+  community.docker.docker_image:
+    name: "{{ matrix_continuwuity_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_continuwuity_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_continuwuity_docker_image_force_pull }}"
+  register: result
+  retries: "{{ devture_playbook_help_container_retries_count }}"
+  delay: "{{ devture_playbook_help_container_retries_delay }}"
+  until: result is not failed
+
+- name: Ensure matrix-continuwuity.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
+    mode: 0644

roles/custom/matrix-continuwuity/tasks/setup_uninstall.yml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check existence of matrix-continuwuity service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
+  register: matrix_continuwuity_service_stat
+
+- when: matrix_continuwuity_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-continuwuity is stopped
+      ansible.builtin.systemd:
+        name: matrix-continuwuity
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-continuwuity.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
+        state: absent

roles/custom/matrix-continuwuity/tasks/uninstall.yml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Check existence of matrix-continuwuity service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
+  register: matrix_continuwuity_service_stat
+
+- when: matrix_continuwuity_service_stat.stat.exists | bool
+  block:
+    - name: Ensure matrix-continuwuity is stopped
+      ansible.builtin.systemd:
+        name: matrix-continuwuity
+        state: stopped
+        daemon_reload: true
+
+    - name: Ensure matrix-continuwuity.service doesn't exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
+        state: absent

roles/custom/matrix-continuwuity/tasks/validate_config.yml

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if required continuwuity settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item.name }}`).
+  when: "item.when | bool and vars[item.name] == ''"
+  with_items:
+    - {'name': 'matrix_continuwuity_hostname', when: true}
+    - {'name': 'matrix_continuwuity_container_network', when: true}
+    - {'name': 'matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_continuwuity_container_labels_internal_client_api_enabled }}"}

roles/custom/matrix-continuwuity/templates/env.j2

@@ -0,0 +1 @@
+{{ matrix_continuwuity_environment_variables_extension }}

roles/custom/matrix-continuwuity/templates/env.j2.license

@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later

roles/custom/matrix-continuwuity/templates/labels.j2

@@ -0,0 +1,173 @@
+{#
+SPDX-FileCopyrightText: 2025 MDAD project contributors
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+SPDX-FileCopyrightText: 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_continuwuity_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_continuwuity_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_continuwuity_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-continuwuity.loadbalancer.server.port={{ matrix_continuwuity_config_port_number }}
+
+
+{% if matrix_continuwuity_container_labels_public_client_root_enabled %}
+############################################################
+#                                                          #
+# Public Root path (/)                                     #
+#                                                          #
+############################################################
+
+{% set client_root_middlewares = [] %}
+
+{% if matrix_continuwuity_container_labels_public_client_root_redirection_enabled %}
+{% set client_root_middlewares = client_root_middlewares + ['matrix-continuwuity-client-root-redirect'] %}
+traefik.http.middlewares.matrix-continuwuity-client-root-redirect.redirectregex.regex=(.*)
+traefik.http.middlewares.matrix-continuwuity-client-root-redirect.redirectregex.replacement={{ matrix_continuwuity_container_labels_public_client_root_redirection_url }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-client-root.rule={{ matrix_continuwuity_container_labels_public_client_root_traefik_rule }}
+
+traefik.http.routers.matrix-continuwuity-public-client-root.middlewares={{ client_root_middlewares | join(',') }}
+
+{% if matrix_continuwuity_container_labels_public_client_root_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-client-root.priority={{ matrix_continuwuity_container_labels_public_client_root_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-client-root.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-client-root.entrypoints={{ matrix_continuwuity_container_labels_public_client_root_traefik_entrypoints }}
+traefik.http.routers.matrix-continuwuity-public-client-root.tls={{ matrix_continuwuity_container_labels_public_client_root_traefik_tls | to_json }}
+
+{% if matrix_continuwuity_container_labels_public_client_root_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-client-root.tls.certResolver={{ matrix_continuwuity_container_labels_public_client_root_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Root path (/)                                    #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% if matrix_continuwuity_container_labels_public_client_api_enabled %}
+############################################################
+#                                                          #
+# Public Client-API (/_matrix)                             #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-public-client-api.rule={{ matrix_continuwuity_container_labels_public_client_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_public_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-client-api.priority={{ matrix_continuwuity_container_labels_public_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-client-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-client-api.entrypoints={{ matrix_continuwuity_container_labels_public_client_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-continuwuity-public-client-api.tls={{ matrix_continuwuity_container_labels_public_client_api_traefik_tls | to_json }}
+{% if matrix_continuwuity_container_labels_public_client_api_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-client-api.tls.certResolver={{ matrix_continuwuity_container_labels_public_client_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Client-API (/_matrix)                            #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% if matrix_continuwuity_container_labels_internal_client_api_enabled %}
+############################################################
+#                                                          #
+# Internal Client-API (/_matrix)                           #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-internal-client-api.rule={{ matrix_continuwuity_container_labels_internal_client_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_internal_client_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-internal-client-api.priority={{ matrix_continuwuity_container_labels_internal_client_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-internal-client-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-internal-client-api.entrypoints={{ matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints }}
+
+############################################################
+#                                                          #
+# /Internal Client-API (/_matrix)                          #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% if matrix_continuwuity_container_labels_public_federation_api_enabled %}
+############################################################
+#                                                          #
+# Public Federation-API (/_matrix)                         #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-public-federation-api.rule={{ matrix_continuwuity_container_labels_public_federation_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_public_federation_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-federation-api.priority={{ matrix_continuwuity_container_labels_public_federation_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-federation-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-federation-api.entrypoints={{ matrix_continuwuity_container_labels_public_federation_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-continuwuity-public-federation-api.tls={{ matrix_continuwuity_container_labels_public_federation_api_traefik_tls | to_json }}
+{% if matrix_continuwuity_container_labels_public_federation_api_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-federation-api.tls.certResolver={{ matrix_continuwuity_container_labels_public_federation_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public Federation-API (/_matrix)                        #
+#                                                          #
+############################################################
+{% endif %}
+
+
+
+
+{% if matrix_continuwuity_container_labels_public_continuwuity_api_enabled %}
+############################################################
+#                                                          #
+# Public continuwuity-API (/_continuwuity)                       #
+#                                                          #
+############################################################
+
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.rule={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_rule }}
+
+{% if matrix_continuwuity_container_labels_public_continuwuity_api_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.priority={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.service=matrix-continuwuity
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.entrypoints={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_entrypoints }}
+
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.tls={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls | to_json }}
+{% if matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls %}
+traefik.http.routers.matrix-continuwuity-public-continuwuity-api.tls.certResolver={{ matrix_continuwuity_container_labels_public_continuwuity_api_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /Public continuwuity-API (/_continuwuity)                      #
+#                                                          #
+############################################################
+{% endif %}
+
+
+{% endif %}
+
+{{ matrix_continuwuity_container_labels_additional_labels }}

roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2

@@ -0,0 +1,52 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=continuwuity Matrix homeserver
+{% for service in matrix_continuwuity_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-continuwuity 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-continuwuity 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+			--rm \
+			--name=matrix-continuwuity \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--read-only \
+			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_continuwuity_tmp_directory_size_mb }}m \
+			--network={{ matrix_continuwuity_container_network }} \
+			--env CONDUWUIT_CONFIG=/etc/continuwuity/continuwuity.toml \
+			--env CONDUWUIT_DATABASE_PATH=/var/lib/continuwuity \
+			--label-file={{ matrix_continuwuity_base_path }}/labels \
+			--mount type=bind,src={{ matrix_continuwuity_data_path }},dst=/var/lib/continuwuity \
+			--mount type=bind,src={{ matrix_continuwuity_config_path }},dst=/etc/continuwuity,ro \
+			{% for arg in matrix_continuwuity_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_continuwuity_docker_image }}
+
+{% for network in matrix_continuwuity_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-continuwuity
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-continuwuity
+
+{% if matrix_continuwuity_systemd_service_post_start_delay_seconds != 0 %}
+ExecStartPost=-{{ matrix_host_command_sleep }} {{ matrix_continuwuity_systemd_service_post_start_delay_seconds }}
+{% endif %}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} matrix-continuwuity 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-continuwuity 2>/dev/null || true'
+ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-continuwuity /bin/sh -c 'kill -HUP 1'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-continuwuity
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-continuwuity/templates/systemd/matrix-continuwuity.service.j2.license

@@ -0,0 +1,4 @@
+SPDX-FileCopyrightText: 2025 MDAD project contributors
+SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later

roles/custom/matrix-continuwuity/vars/main.yml

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2025 MDAD project contributors
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+matrix_continuwuity_client_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}/_matrix/client/versions"
+matrix_continuwuity_federation_api_url_endpoint_public: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}://{{ matrix_continuwuity_hostname }}:{{ matrix_federation_public_port }}/_matrix/federation/v1/version"

roles/custom/matrix-dendrite/defaults/main.yml

@@ -240,6 +240,9 @@ matrix_dendrite_client_api_rate_limiting_cooloff_ms: 500
 # Controls whether people with access to the homeserver can register by themselves.
 matrix_dendrite_client_api_registration_disabled: true
 
+# Controls whether guest accounts are disabled
+matrix_dendrite_guests_disabled: true
+
 # reCAPTCHA API for validating registration attempts
 matrix_dendrite_client_api_enable_registration_captcha: false
 matrix_dendrite_client_api_recaptcha_public_key: ""

roles/custom/matrix-dendrite/templates/dendrite.yaml.j2

@@ -189,7 +189,7 @@ client_api:
 
   # Prevents new guest accounts from being created. Guest registration is also
   # disabled implicitly by setting 'registration_disabled' above.
-  guests_disabled: true
+  guests_disabled: {{ matrix_dendrite_guests_disabled | to_json }}
 
   # If set, allows registration by anyone who knows the shared secret, regardless of
   # whether registration is otherwise disabled.

roles/custom/matrix-element-call/defaults/main.yml

@@ -11,8 +11,17 @@
 
 matrix_element_call_enabled: false
 
+# Controls whether the Element Call stack (various services around Element Call, without the Element Call frontend itself) are to be installed.
+# This affects enablement of other services around Element Call.
+#
+# By default, we enable the rest of the stack when Element Call itself is enabled,
+# but people may wish to enable the stack by itself and avoid installing the Element Call frontend.
+# This is useful to do, because self-hosting the Element Call frontend is mostly useless, because
+# various clients tend to embed and preferusing their own embedded Element Call frontend, instead of a self-hosted one.
+matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
+
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.9.0
+matrix_element_call_version: v0.10.0
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.10.3-etke38
+matrix_synapse_admin_version: v0.10.3-etke39
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml

@@ -24,7 +24,7 @@
 matrix_synapse_reverse_proxy_companion_enabled: true
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.27.4-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.28.0-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

roles/custom/matrix-user-creator/tasks/util/ensure_user_registered_continuwuity.yml

@@ -0,0 +1,10 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Ensure continuwuity user registered - {{ user.username | quote }}
+  ansible.builtin.debug:
+    msg: "Not registering user. To register continuwuity users, message the continuwuity bot"