feat: add automatic creation of reverse-proxy routing

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1480

Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1242

.github/workflows/ansible-lint.yml

@@ -0,0 +1,22 @@
+name: Ansible Lint
+
+on: [push, pull_request]
+
+jobs:
+  build:
+  
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Lint Ansible Playbook
+      uses: ansible/ansible-lint-action@c37fb7b4bda2c8cb18f4942716bae9f11b0dc9bc
+      with:
+        # Paths to ansible files (i.e., playbooks, tasks, handlers etc..)
+        targets: "./"
+
+        override-deps: |
+          ansible-lint==5.3.1
+          
+        args: "-x metadata, formatting"

.gitignore

@@ -1,7 +1,3 @@
-/inventory/*
-!/inventory/.gitkeep
-!/inventory/host_vars/.gitkeep
-!/inventory/scripts
 /roles/*/files/scratchpad
 .DS_Store
 .python-version

CHANGELOG.md

@@ -1,3 +1,19 @@
+# 2021-12-22
+
+## Twitter bridging support via mautrix-twitter
+
+Thanks to [Matthew Cengia](https://github.com/mattcen) and [Shreyas Ajjarapu](https://github.com/shreyasajj), besides [mx-puppet-twitter](docs/configuring-playbook-bridge-mx-puppet-twitter.md), bridging to [Twitter](https://twitter.com/) can now also happen with [mautrix-twitter](docs/configuring-playbook-bridge-mautrix-twitter.md).
+
+
+# 2021-12-14
+
+## (Security) Users of the Signal bridge may wish to upgrade it to work around log4j vulnerability
+
+Recently, a security vulnerability affecting the Java logging package `log4j` [has been discovered](https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java). Software that uses this Java package is potentially vulnerable.
+
+One such piece of software that is part of the playbook is the [mautrix-signal bridge](./docs/configuring-playbook-bridge-mautrix-signal.md), which [has been patched already](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1452). If you're running this bridge, you may wish to [upgrade](./docs/maintenance-upgrading-services.md).
+
+
 # 2021-11-11
 
 ## Dropped support for Postgres v9.6

README.md

@@ -51,6 +51,8 @@ Using this playbook, you can get the following services configured on your serve
 
 - (optional) the [mautrix-facebook](https://github.com/mautrix/facebook) bridge for bridging your Matrix server to [Facebook](https://facebook.com/)
 
+- (optional) the [mautrix-twitter](https://github.com/mautrix/twitter) bridge for bridging your Matrix server to [Twitter](https://twitter.com/)
+
 - (optional) the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge for bridging your Matrix server to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts)
 
 - (optional) the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge for bridging your Matrix server to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat)

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 stdout_callback = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

docs/ansible.md

@@ -51,7 +51,7 @@ docker run -it --rm \
 -v `pwd`:/work \
 -v $HOME/.ssh/id_rsa:/root/.ssh/id_rsa:ro \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.10.7-r0
+docker.io/devture/ansible:2.11.6-r1
 ```
 
 The above command tries to mount an SSH key (`$HOME/.ssh/id_rsa`) into the container (at `/root/.ssh/id_rsa`).

docs/configuring-playbook-bridge-mautrix-twitter.md

@@ -0,0 +1,37 @@
+# Setting up Mautrix Twitter (optional)
+
+**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mx-puppet-twitter](configuring-playbook-bridge-mx-puppet-twitter.md) bridge supported by the playbook.
+
+The playbook can install and configure [mautrix-twitter](https://github.com/tulir/mautrix-twitter) for you.
+
+See the project's [documentation](https://github.com/tulir/mautrix-twitter/wiki#usage) to learn what it does and why it might be useful to you.
+
+```yaml
+matrix_mautrix_twitter_enabled: true
+```
+
+
+## Set up Double Puppeting
+
+If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-twitter/wiki/Authentication#double-puppeting) (hint: you most likely do), you have 2 ways of going about it.
+
+### Method 1: automatically, by enabling Shared Secret Auth
+
+The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.
+
+This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
+
+### Method 2: manually, by asking each user to provide a working access token
+
+This method is currently not available for the Mautrix-Twitter bridge, but is on the [roadmap](https://github.com/tulir/mautrix-twitter/blob/master/ROADMAP.md) under Misc/Manual login with `login-matrix`
+
+## Usage
+
+1. You then need to start a chat with `@twitterbot:YOUR_DOMAIN` (where `YOUR_DOMAIN` is your base domain, not the `matrix.` domain).
+2. Send login-cookie to start the login. The bot should respond with instructions on how to proceed.
+
+You can learn more here about authentication from the bridge's [official documentation on Authentication](https://docs.mau.fi/bridges/python/twitter/authentication.html).
+
+If you run into trouble, check the [Troubleshooting](#troubleshooting) section below.
+
+After successfully enabling bridging, you may wish to [set up Double Puppeting](#set-up-double-puppeting), if you haven't already done so.

docs/configuring-playbook-bridge-mx-puppet-twitter.md

@@ -1,5 +1,7 @@
 # Setting up MX Puppet Twitter (optional)
 
+**Note**: bridging to [Twitter](https://twitter.com/) can also happen via the [mautrix-twitter](configuring-playbook-bridge-mautrix-twitter.md) bridge supported by the playbook.
+
 The playbook can install and configure
 [mx-puppet-twitter](https://github.com/Sorunome/mx-puppet-twitter) for you.
 

docs/configuring-playbook-jitsi.md

@@ -41,13 +41,23 @@ If you're fine with such an open Jitsi instance, please skip to [Apply changes](
 
 If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
 
-Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
+Add these lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
 
 ```yaml
 matrix_jitsi_enable_auth: true
 matrix_jitsi_enable_guests: true
+matrix_jitsi_prosody_auth_internal_accounts:
+  - username: "jitsi-moderator"
+    password: "secret-password"
+  - username: "another-user"
+    password: "another-password"
 ```
 
+**Caution:** Accounts added here and subsquently removed will not be automatically removed from the Prosody server until user account cleaning is integrated into the playbook.
+
+**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
+
+
 ### (Optional) LDAP authentication
 
 The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
@@ -122,19 +132,6 @@ You may want to **limit the maximum video resolution**, to save up resources on
 
 Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
 
-## Required if configuring Jitsi with internal authentication: register new users
-
-Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
-Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
-
-```bash
-docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register <USERNAME> meet.jitsi <PASSWORD>
-```
-
-Run this command for each user you would like to create, replacing `<USERNAME>` and `<PASSWORD>` accordingly. After you've finished, please exit the host.
-
-**If you get an error** like this: "Error: Account creation/modification not supported.", it's likely that you had previously installed Jitsi without auth/guest support. In such a case, you should look into [Rebuilding your Jitsi installation](#rebuilding-your-jitsi-installation).
-
 
 ## Usage
 

docs/configuring-playbook.md

@@ -102,6 +102,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 
 - [Setting up Mautrix Instagram bridging](configuring-playbook-bridge-mautrix-instagram.md) (optional)
 
+- [Setting up Mautrix Twitter bridging](configuring-playbook-bridge-mautrix-twitter.md) (optional)
+
 - [Setting up Mautrix Signal bridging](configuring-playbook-bridge-mautrix-signal.md) (optional)
 
 - [Setting up Appservice IRC bridging](configuring-playbook-bridge-appservice-irc.md) (optional)

docs/container-images.md

@@ -46,6 +46,8 @@ These services are not part of our default installation, but can be enabled by [
 
 - [mautrix/facebook](https://mau.dev/mautrix/facebook/container_registry) - the [mautrix-facebook](https://github.com/mautrix/facebook) bridge to [Facebook](https://facebook.com/) (optional)
 
+- [tulir/mautrix-twitter](https://mau.dev/mautrix/twitter/container_registry) - the [mautrix-twitter](https://github.com/tulir/mautrix-twitter) bridge to [Twitter](https://twitter.com/) (optional)
+
 - [mautrix/hangouts](https://mau.dev/mautrix/hangouts/container_registry) - the [mautrix-hangouts](https://github.com/mautrix/hangouts) bridge to [Google Hangouts](https://en.wikipedia.org/wiki/Google_Hangouts) (optional)
 
 - [mautrix/googlechat](https://mau.dev/mautrix/googlechat/container_registry) - the [mautrix-googlechat](https://github.com/mautrix/googlechat) bridge to [Google Chat](https://en.wikipedia.org/wiki/Google_Chat) (optional)

docs/self-building.md

@@ -18,11 +18,13 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-registration`
 - `matrix-coturn`
 - `matrix-corporal`
+- `matrix-dimension`
 - `matrix-ma1sd`
 - `matrix-mailer`
 - `matrix-bridge-appservice-irc`
 - `matrix-bridge-appservice-slack`
 - `matrix-bridge-appservice-webhooks`
+- `matrix-bridge-beeper-linkedin`
 - `matrix-bridge-mautrix-facebook`
 - `matrix-bridge-mautrix-hangouts`
 - `matrix-bridge-mautrix-googlechat`

examples/caddy2/Caddyfile

@@ -27,6 +27,10 @@ matrix.DOMAIN.tld {
         not path /matrix/static-files/*
   }
 
+  @wellknown {
+        path /.well-known/matrix/*
+  }
+
   header {
         # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
         Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
@@ -69,6 +73,15 @@ matrix.DOMAIN.tld {
         }
   }
 
+  handle @wellknown {
+        encode zstd gzip
+        root * /matrix/static-files
+	header Cache-Control max-age=14400
+        header Content-Type application/json
+        header Access-Control-Allow-Origin *
+        file_server
+  }
+
   handle {
         encode zstd gzip
 
@@ -102,17 +115,17 @@ element.DOMAIN.tld {
       # tls your@email.com
 
       header {
-         	# Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
-        	Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
-        	# Enable cross-site filter (XSS) and tell browser to block detected attacks
-        	X-XSS-Protection "1; mode=block"
-        	# Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
-        	X-Content-Type-Options "nosniff"
-        	# Disallow the site to be rendered within a frame (clickjacking protection)
-        	X-Frame-Options "DENY"
-        	# X-Robots-Tag
-        	X-Robots-Tag "noindex, noarchive, nofollow"
-  	}
+                # Enable HTTP Strict Transport Security (HSTS) to force clients to always connect via HTTPS
+                Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+                # Enable cross-site filter (XSS) and tell browser to block detected attacks
+                X-XSS-Protection "1; mode=block"
+                # Prevent some browsers from MIME-sniffing a response away from the declared Content-Type
+                X-Content-Type-Options "nosniff"
+                # Disallow the site to be rendered within a frame (clickjacking protection)
+                X-Frame-Options "DENY"
+                # X-Robots-Tag
+                X-Robots-Tag "noindex, noarchive, nofollow"
+        }
 
         handle {
               encode zstd gzip

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -113,7 +113,7 @@ matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx
 
 matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
 
-matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
+matrix_appservice_webhooks_homeserver_url: "{{ matrix_homeserver_container_url }}"
 matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
 
 matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
@@ -152,7 +152,7 @@ matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_pr
 
 matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}"
 
-matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
+matrix_appservice_slack_homeserver_url: "{{ matrix_homeserver_container_url }}"
 matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
 
 matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}"
@@ -229,6 +229,8 @@ matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaro
 # We don't enable bridges by default.
 matrix_beeper_linkedin_enabled: false
 
+matrix_beeper_linkedin_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
+
 matrix_beeper_linkedin_systemd_required_services_list: |
   {{
     ['docker.service']
@@ -511,6 +513,45 @@ matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_maca
 #
 ######################################################################
 
+######################################################################
+#
+# matrix-bridge-mautrix-twitter
+#
+######################################################################
+
+# We don't enable bridges by default.
+matrix_mautrix_twitter_enabled: false
+
+matrix_mautrix_twitter_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
+
+matrix_mautrix_twitter_systemd_required_services_list: |
+  {{
+    ['docker.service']
+    +
+    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
+    +
+    (['matrix-postgres.service'] if matrix_postgres_enabled else [])
+    +
+    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
+  }}
+
+matrix_mautrix_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.as.token') | to_uuid }}"
+
+matrix_mautrix_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'twt.hs.token') | to_uuid }}"
+
+matrix_mautrix_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
+
+# We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
+# and point them to a migration path.
+matrix_mautrix_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else '' }}"
+matrix_mautrix_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.twt.db') | to_uuid }}"
+
+######################################################################
+#
+# /matrix-bridge-mautrix-twitter
+#
+######################################################################
+
 ######################################################################
 #
 # matrix-bridge-mautrix-whatsapp
@@ -1045,6 +1086,8 @@ matrix_coturn_container_additional_volumes: |
 
 matrix_dimension_enabled: false
 
+matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # the Dimension HTTP port to the local host.
@@ -1509,6 +1552,12 @@ matrix_postgres_additional_databases: |
       'password': matrix_mautrix_telegram_database_password,
     }] if (matrix_mautrix_telegram_enabled and matrix_mautrix_telegram_database_engine == 'postgres' and matrix_mautrix_telegram_database_hostname == 'matrix-postgres') else [])
     +
+    ([{
+      'name': matrix_mautrix_twitter_database_name,
+      'username': matrix_mautrix_twitter_database_username,
+      'password': matrix_mautrix_twitter_database_password,
+    }] if (matrix_mautrix_twitter_enabled and matrix_mautrix_twitter_database_engine == 'postgres' and matrix_mautrix_twitter_database_hostname == 'matrix-postgres') else [])
+    +
     ([{
       'name': matrix_mautrix_whatsapp_database_name,
       'username': matrix_mautrix_whatsapp_database_username,

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,339 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+matrix_ssl_retrieval_method: none
+matrix_nginx_proxy_enabled: false
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+
+#matrix_client_element_version: v1.8.4
+#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1"
+#matrix_mautrix_telegram_version: v0.10.0
+
+#
+# General Synapse config
+#
+matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+matrix_synapse_macaroon_secret_key: "{{ vault_matrix_synapse_macaroon_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 100
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_enable_group_creation: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turns:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turns:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+matrix_synapse_rc_federation:
+  window_size: 1000
+  sleep_limit: 25
+  sleep_delay: 500
+  reject_limit: 50
+  concurrent: 5
+matrix_synapse_rc_message:
+  per_second: 0.5
+  burst_count: 25
+
+## Synapse cache tuning
+matrix_synapse_caches_global_factor: 0.7
+matrix_synapse_event_cache_size: "200K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_worker_client_server_count: 0
+matrix_synapse_workers_media_repository_workers_count: 0
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+# Enable experimental spaces support
+matrix_synapse_configuration_extension_yaml: |
+  experimental_features:
+    spaces_enabled: true
+
+#
+# synapse-admin tool
+#
+matrix_synapse_admin_enabled: true
+matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: true
+matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+matrix_dimension_configuration_extension_yaml: |
+    telegram:
+        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "gruenhage.xyz": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: true
+matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+matrix_mx_puppet_instagram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_instagram_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-skype configuration
+#
+matrix_mx_puppet_skype_enabled: true
+matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
+matrix_mx_puppet_skype_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_skype_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+        path: /metrics
+
+
+#
+# mx-puppet-discord configuration
+#
+matrix_mx_puppet_discord_enabled: true
+matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+matrix_mx_puppet_discord_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_discord_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
+matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+matrix_mx_puppet_slack_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_authHeaderLogoUrl: "welcome/images/logo.png"
+matrix_client_element_branding_welcomeBackgroundUrl: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcomeBackgroundUrl }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_authHeaderLogoUrl }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_roomdir_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+  - "entropia.de"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+matrix_ma1sd_configuration_extension_yaml: |
+    hashing:
+      enabled: true
+      pepperLength: 20
+      rotationPolicy: per_requests
+      requests: 10
+      hashStorageType: sql
+      algorithms:
+          - none
+          - sha256
+
+
+# Matrix mail notification relay setup
+matrix_mailer_enabled: true
+matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
+matrix_mailer_relay_use: true
+matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+matrix_mailer_relay_host_port: 587
+matrix_mailer_relay_auth: true
+matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,100 @@
+$ANSIBLE_VAULT;1.1;AES256
+64343261653838626666353837393238353033353632393763363634303466613033376235386235
+6333386536323034643139656232636133386463393264300a663333333237656337343562366336
+66663064393930656566396636333430373233373362346339383866623066316133323366663961
+3732666162363238300a636230346163656334393063343030333064393962663431326461653239
+36653030393234623335313335383832646463663835653035303765633064666435373464653336
+31323433373734633531353562333065623039623633633163376235353737343935623133326663
+65333761383130336165356439623066363964313033666433316231663533393532333738333430
+36633463343335366364343565353862363531376539626237613263303331323631333366363830
+33613937346531323139343166613839366233383663363732353561643238383362353964373135
+61633430353037316266343962376238383238366562323764373135646365383030626130383433
+32313263663165656366313633653431663332636532656465623465353062643934343738633434
+63346333326331633830363663666631326466353138646233383235313532383864633233613134
+39363734353165653065343938643861646630376334303832613163663265373839323765396234
+38633336393739666565346565343865346233373639363530383533386533616337373033613865
+66353434653262663263326237626265636430646630313866383532376264383933343933326264
+65316337323863343935306138343462336666313332396439656234613831356262663630663038
+31376539653638333263333933633134303734656662343039396563343636366433396130653830
+33326539636432646438613236356430343435623539333062666630373265306635343233646333
+39653934323738303239643834663463396165656235393437396635623131316532333465316231
+65373130393463383932383837383830656637653963666638653665356437303239376262613062
+34613830613164323365636461303035616136636330323531383164376334363862383762366665
+62643839333662373461363038326436616639326264633735316139346536373839666236653634
+30376536386137636336363562376339393261373739333162373461656364353139626339346637
+30366431336534663037653438376330346238636562383932653561306134626566333861333630
+39633536653233393161333136316564623631313839633461333438633166363064303238663464
+65353338353464313635333934623833303965393462373530303666643537336662376266613434
+37356664616539323631373535316434383361323935376638666437646538316537613030653231
+62636263663935646466383663306535626465633239366562373038356366366331333537333663
+64363130386535306362646533393161643737366662313631623132356465636565313530353363
+35366165383837326564623363636632616331393834313130303937303664353436363266323033
+61373532383962393937666261626263666631346235646237656337363831633734623733633835
+39613736373031633263396530626566303665343039663866333632636565633034376366356635
+35383633336465636331306232353434653739653339396437363163313630393035366665383263
+34353238656563306366336466376363316430636666353965356535653334343630633532313034
+64626436643030656335616337653564653331326463383461643739333163613361333133633639
+66656137313937356134646362623536363065633564633166343766356436313130373663663334
+63626138356562303761323336646332383761646663383032386261623936633661653735343637
+35326137343532333635353436376665326633633135656537623631326336353138346136636239
+37396135326362613039663136333964626237353562343966383764613231363061333534316233
+38636130313261643061613138656235396530656366313132346362383430333734663866383666
+61633631353830643565313437306664636262666135353133656531623563616335643737373438
+63633235363566616466663262333466383939373336383139643362376365623763386137666332
+39353363636437393236303764343337633233386236303563636634353836363537383632306434
+33653632373064646361616364323133343138363437373436636232373261663639616330666465
+37333130393435613134366437396361363830656137663963643132303334633331633661363061
+38356439666161643431356532353334383539353566386333666461663562613231383331623063
+33336435636239343663663937353864306363363264663033303539616434333436353134383034
+64663533366134306462366565333236383235373233656132396538663437616333343534333166
+66646566623734636532666230326530633538656639353262343665316235386534376534386634
+65663032303930353661363162373533363762353237393030346238306532326264303636383264
+63363063326265396166313533663362346539333532386665316466386131623161313738623239
+66386236656561396539356634636234393436323239396330366237333539343761393431336138
+66396230656435356365356530343132373861376336346532653063666331343366393761373131
+66313864373362326139316461666232386132306535616561663566623963353034313961666266
+34373534363834626334386139653532656564333863323363343165643538336430386434613235
+64386564643564636530313565326433623365303738386433323463396437653066636134313564
+33383035393436393163373864353331376163653137316136376564643066636335313735396664
+33623735353438643237333734353766363863313763653737633135353332363066336232363131
+33333532653737633033666336326331376561636330643935323636626562303439346338633135
+33663035366461336339666665663835373235633338613664636439393837303932643363643830
+63333862643430383235663836653161376637373265646463313538386531666362376532663738
+62333536383537613562336235666431393164616263303863323834343735326133646131303063
+62623836313730363832313764363562306666383337396561633865336561396632303539333166
+35623063336534653531303134653630666264333133393864626665623564313466363731316339
+36646666653062326665346332373963376439396538396663656130616333316533623331346461
+39643862356663316338333662646464353233356635303931626366323831303136366462366133
+34303234343064393265303866636137646461336530653733623264383261653864633332346435
+62383065353662303564633239326664356364366365626466666266326466333834316437383134
+35383261373437643261623533623533326335393932356632653634326432376235393038333464
+33626361366565316533663537343237316563343730363632663639623930313963316665663965
+33386435663462626435383733383336343064333935356364623436626632356535333430343262
+62363136353562633631613965353062363231343037626166363035376530646537646136363730
+35303530343361616230383662333139333533333138613834323437636238656538656436623433
+38353363336665346637643631663934633061626532376330633731316565336166313936393533
+35323535376539633937376532333536323234376632306362633438626565376234353235353836
+37663735366165393963313536356437653361306232313736356164656635616333306332356637
+39353465633536313539366264646364343231653466346165313863623365333465623336376635
+37396663333638356565306439636365653438623935363361356464316663613465303933346537
+61303863323631343264613665323866363935383265323562326364346364343133393965333135
+33306434646533333662613930666337646330303439333938326433376161613836663237303534
+63636139636338656664333034356635653330666362633563366663616661303266326135643036
+34383939613035323331366261356531343961303239626365383332313633393561623963643134
+30353239356234336635616663313830396133643035663838653837613262616364623637616237
+37363662663466396330323830343963366262643339316162643164353430663763613634346233
+62303539336433313066346339363163336236373334613938613061613038613466636632336335
+35326133373061323164623436623338316466396261393630623466313164393736353566356237
+34396530383361613464643461313336663331643438313136353039386263633134616534666464
+33373536326637316635326461656130383333613832386662643431666435663565343565616266
+35303738656362663266653735373833613765356366626436336437326665396635636335616566
+32663733396432656430356335383262613133623066636238623166613839393833616436653936
+34306536343664643732356262663435623834313732373564613337373765373130653734386632
+35623038623639346564393466393463613238363231663965633037353337353332663464336539
+33616131353734663463336436303866306334336339316364313962346430383338306161636462
+64303064313135346236346434316333346434303764356237636530663239633631383561393537
+66383836326634666362613661353533363432303437663235393336396331356465633031326430
+35333263633731626564326430613937343136633562386432396537363663653438333333366135
+33333339376165303736643661343535356561353938346131653662363966643839653262363537
+38373331353539313463363236383633326138366534313064303739626337343962653830653663
+626263633730663932376165333438323835

inventory/hosts

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31336566376336626265653165306635633033376662656164383037383834653239656136333734
+3833666339393037323035343565343235396163636166370a643933333933386133366564396465
+30393637613164356564393337633361653432333232383664303739363736633435363764343530
+3532313739363963660a343434356534316230623133636366386334323465376139363162616238
+39396638366262313531653635326361616537396338363533303961623165343931373939306239
+31336632643166633662653765333231393461643933306464303165633037343061323636313034
+34376631656563646665373566633431366638383863666130323264316337663237343135306236
+66323536346164663239343139623430303230333466633437643337343930363530653964626163
+38336363633730393136333637383631636266396636646533356262376630646139303636666538
+32366437353163663865623234643061313639646162643965393535353938313133326237313265
+66646163333535396539646461356334633532313530653834623263386265383765356130333466
+30373531306137393935363030313739666536363138363962646565306439393239303030643162
+33333166663430393866666439653532623034396130313066383035396535646633366237303264
+36356665366461323664373038366364623937386233313039323837666333653764616462333365
+31326264633236373937313537633961633164323138356135633765663639323537656263633766
+38653836323263386333376131333330326237393666363064326463663961633839393039323835
+61306265333232623037356465393133323733363634646364336261326333366239346565366338
+61646132333033373866623739343830336164316461646366666237313565626639323537623732
+38323830656136323137323530343764666433633432366136643538323832653130376363653135
+64376261386635636533353961613335663962306337353866616464613636303735336230623962
+3336

roles/matrix-awx/defaults/main.yml

@@ -1 +1,6 @@
 matrix_awx_enabled: true
+
+# Defaults for 'Customise Website + Access Export' template
+awx_sftp_auth_method: 'Disabled'
+awx_sftp_password: ''
+awx_sftp_public_key: ''

roles/matrix-awx/tasks/purge_database_main.yml

@@ -29,9 +29,9 @@
   when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
   register: awx_synapse_container_ip
 
-- name: Collect access token for @_janitor user
+- name: Collect access token for @admin-janitor user
   shell: |
-    curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
+    curl -X POST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
   when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
   register: awx_janitors_token
   no_log: True

roles/matrix-awx/tasks/purge_media_main.yml

@@ -21,9 +21,9 @@
   shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
   register: awx_synapse_container_ip
 
-- name: Collect access token for @_janitor user
+- name: Collect access token for @admin-janitor user
   shell: |
-    curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
+    curl -XPOST -d '{"type":"m.login.password", "user":"admin-janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
   register: awx_janitors_token
   no_log: True
 

roles/matrix-awx/tasks/self_check.yml

@@ -50,12 +50,14 @@
 - name: Calculate size of local media repository
   shell: du -sh /matrix/synapse/storage/media-store/local*
   register: awx_local_media_size_stat
+  async: 600
   ignore_errors: yes
   no_log: True
 
 - name: Calculate size of remote media repository
   shell: du -sh /matrix/synapse/storage/media-store/remote*
   register: awx_remote_media_size_stat
+  async: 600
   ignore_errors: yes
   no_log: True
 

roles/matrix-awx/tasks/set_variables_dimension.yml

@@ -12,9 +12,9 @@
       - curl
     state: present
 
-- name: Collect access token of @_dimension user
+- name: Collect access token of @admin-dimension user
   shell: |
-    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
+    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "admin-dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
   register: awx_dimension_user_access_token
 
 - name: Record Synapse variables locally on AWX

roles/matrix-bot-mjolnir/defaults/main.yml

@@ -3,14 +3,13 @@
 
 matrix_bot_mjolnir_enabled: true
 
-matrix_bot_mjolnir_version: "v1.1.20"
+matrix_bot_mjolnir_version: "v1.2.1"
 
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"
 
 matrix_bot_mjolnir_docker_image: "{{ matrix_bot_mjolnir_docker_image_name_prefix }}matrixdotorg/mjolnir:{{ matrix_bot_mjolnir_version }}"
 matrix_bot_mjolnir_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_mjolnir_container_image_self_build else matrix_container_global_registry_prefix }}"
-
 matrix_bot_mjolnir_docker_image_force_pull: "{{ matrix_bot_mjolnir_docker_image.endswith(':latest') }}"
 
 matrix_bot_mjolnir_base_path: "{{ matrix_base_data_path }}/mjolnir"

roles/matrix-bridge-appservice-discord/defaults/main.yml

@@ -48,7 +48,7 @@ matrix_appservice_discord_bridge_enableSelfServiceBridging: false
 #
 # To use Postgres:
 # - change the engine (`matrix_appservice_discord_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_appservice_discord_postgres_*` variables
+# - adjust your database credentials via the `matrix_appservice_discord_database_*` variables
 matrix_appservice_discord_database_engine: 'sqlite'
 
 matrix_appservice_discord_sqlite_database_path_local: "{{ matrix_appservice_discord_data_path }}/discord.db"

roles/matrix-bridge-appservice-webhooks/defaults/main.yml

@@ -22,8 +22,6 @@ matrix_appservice_webhooks_docker_src_files_path: "{{ matrix_appservice_webhooks
 matrix_appservice_webhooks_public_endpoint: /appservice-webhooks
 matrix_appservice_webhooks_inbound_uri_prefix: "{{ matrix_homeserver_url }}{{ matrix_appservice_webhooks_public_endpoint }}"
 
-# Once you make a control room in Matrix, you can get its ID by typing any message and checking its source
-matrix_appservice_webhooks_control_room_id: ''
 matrix_appservice_webhooks_bot_name: 'webhookbot'
 matrix_appservice_webhooks_user_prefix: '_webhook'
 

roles/matrix-bridge-beeper-linkedin/defaults/main.yml

@@ -4,13 +4,21 @@
 matrix_beeper_linkedin_enabled: true
 
 matrix_beeper_linkedin_version: v0.5.1
+
 # See: https://gitlab.com/beeper/linkedin/container_registry
-matrix_beeper_linkedin_docker_image: "registry.gitlab.com/beeper/linkedin:{{ matrix_beeper_linkedin_version }}-amd64"
-matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image.endswith(':latest-amd64') }}"
+matrix_beeper_linkedin_docker_image: "{{ matrix_beeper_linkedin_docker_image_name_prefix }}beeper/linkedin:{{ matrix_beeper_linkedin_docker_image_tag }}"
+matrix_beeper_linkedin_docker_image_force_pull: "{{ matrix_beeper_linkedin_docker_image_tag.startswith('latest') }}"
+matrix_beeper_linkedin_docker_image_name_prefix: "{{ 'localhost/' if matrix_beeper_linkedin_container_image_self_build else 'registry.gitlab.com/' }}"
+matrix_beeper_linkedin_docker_image_tag: "{{ 'latest' if matrix_beeper_linkedin_version == 'master' else matrix_beeper_linkedin_version }}-{{ matrix_architecture }}"
+
+matrix_beeper_linkedin_container_image_self_build: false
+matrix_beeper_linkedin_container_image_self_build_repo: "https://gitlab.com/beeper/linkedin"
+matrix_beeper_linkedin_container_image_self_build_branch: "{{ matrix_beeper_linkedin_version }}"
 
 matrix_beeper_linkedin_base_path: "{{ matrix_base_data_path }}/beeper-linkedin"
 matrix_beeper_linkedin_config_path: "{{ matrix_beeper_linkedin_base_path }}/config"
 matrix_beeper_linkedin_data_path: "{{ matrix_beeper_linkedin_base_path }}/data"
+matrix_beeper_linkedin_docker_src_files_path: "{{ matrix_beeper_linkedin_base_path }}/docker-src"
 
 matrix_beeper_linkedin_homeserver_address: "{{ matrix_homeserver_container_url }}"
 matrix_beeper_linkedin_homeserver_domain: "{{ matrix_domain }}"

roles/matrix-bridge-beeper-linkedin/tasks/setup_install.yml

@@ -7,6 +7,20 @@
     msg: >-
       The matrix-bridge-beeper-linkedin role needs to execute before the matrix-synapse role.
   when: "matrix_synapse_role_executed|default(False)"
+- name: Ensure Beeper LinkedIn paths exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_beeper_linkedin_base_path }}", when: true }
+    - { path: "{{ matrix_beeper_linkedin_config_path }}", when: true }
+    - { path: "{{ matrix_beeper_linkedin_data_path }}", when: true }
+    - { path: "{{ matrix_beeper_linkedin_docker_src_files_path }}", when: "{{ matrix_beeper_linkedin_container_image_self_build }}" }
+  when: "item.when|bool"
+
 
 - name: Ensure Beeper LinkedIn image is pulled
   docker_image:
@@ -14,18 +28,42 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_beeper_linkedin_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_docker_image_force_pull }}"
+  when: "not matrix_beeper_linkedin_container_image_self_build|bool"
 
-- name: Ensure Beeper LinkedIn paths exists
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - "{{ matrix_beeper_linkedin_base_path }}"
-    - "{{ matrix_beeper_linkedin_config_path }}"
-    - "{{ matrix_beeper_linkedin_data_path }}"
+- block:
+  - name: Ensure Beeper LinkedIn repository is present on self-build
+    git:
+      repo: "{{ matrix_beeper_linkedin_container_image_self_build_repo }}"
+      dest: "{{ matrix_beeper_linkedin_docker_src_files_path }}"
+      version: "{{ matrix_beeper_linkedin_container_image_self_build_branch }}"
+      force: "yes"
+    register: matrix_beeper_linkedin_git_pull_results
+
+  # Building the container image (using the default Dockerfile) requires that a docker-requirements.txt file be generated.
+  # See: https://gitlab.com/beeper/linkedin/-/blob/94442db17ccb9769b377cdb8e4bf1cb3955781d7/.gitlab-ci.yml#L30-40
+  - name: Ensure docker-requirements.txt is generated before building Beeper LinkedIn Docker Image
+    command: |
+      {{ matrix_host_command_docker }} run \
+      --rm \
+      --entrypoint=/bin/sh \
+      --mount type=bind,src={{ matrix_beeper_linkedin_docker_src_files_path }},dst=/work \
+      -w /work \
+      docker.io/python:3.9.6-buster \
+      -c "pip install poetry && poetry export --without-hashes -E e2be -E images -E metrics | sed 's/==.*//g' > docker-requirements.txt"
+
+  - name: Ensure Beeper LinkedIn Docker image is built
+    docker_image:
+      name: "{{ matrix_beeper_linkedin_docker_image }}"
+      source: build
+      force_source: "{{ matrix_beeper_linkedin_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+      force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_beeper_linkedin_git_pull_results.changed }}"
+      build:
+        dockerfile: Dockerfile
+        path: "{{ matrix_beeper_linkedin_docker_src_files_path }}"
+        pull: yes
+        args:
+          TARGETARCH: "{{ matrix_architecture }}"
+  when: "matrix_beeper_linkedin_container_image_self_build|bool"
 
 - name: Ensure beeper-linkedin config.yaml installed
   copy:

roles/matrix-bridge-heisenbridge/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_heisenbridge_enabled: true
 
-matrix_heisenbridge_version: 1.7.1
+matrix_heisenbridge_version: 1.8.0
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"
 

roles/matrix-bridge-mautrix-facebook/defaults/main.yml

@@ -42,7 +42,7 @@ matrix_mautrix_facebook_homeserver_token: ''
 # - plan your migration to Postgres, as this bridge does not support SQLite anymore (and neither will the playbook in the future).
 #
 # To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_facebook_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_facebook_database_*` variables
 matrix_mautrix_facebook_database_engine: 'postgres'
 
 matrix_mautrix_facebook_sqlite_database_path_local: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"

roles/matrix-bridge-mautrix-googlechat/defaults/main.yml

@@ -47,7 +47,7 @@ matrix_mautrix_googlechat_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_googlechat_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_googlechat_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_googlechat_database_*` variables
 matrix_mautrix_googlechat_database_engine: 'sqlite'
 
 matrix_mautrix_googlechat_sqlite_database_path_local: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db"

roles/matrix-bridge-mautrix-hangouts/defaults/main.yml

@@ -47,7 +47,7 @@ matrix_mautrix_hangouts_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_hangouts_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_hangouts_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_hangouts_database_*` variables
 matrix_mautrix_hangouts_database_engine: 'sqlite'
 
 matrix_mautrix_hangouts_sqlite_database_path_local: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"

roles/matrix-bridge-mautrix-instagram/defaults/main.yml

@@ -37,7 +37,7 @@ matrix_mautrix_instagram_homeserver_token: ''
 # Database-related configuration fields.
 #
 # To use Postgres:
-# - adjust your database credentials via the `matrix_mautrix_instagram_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_instagram_database_*` variables
 matrix_mautrix_instagram_database_engine: 'postgres'
 
 matrix_mautrix_instagram_database_username: 'matrix_mautrix_instagram'

roles/matrix-bridge-mautrix-instagram/templates/config.yaml.j2

@@ -43,7 +43,7 @@ appservice:
   bot_username: {{ matrix_mautrix_instagram_appservice_bot_username|to_json }}
   # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
   # to leave display name/avatar as-is.
-  bot_displayname: instagram bridge bot
+  bot_displayname: Instagram bridge bot
   bot_avatar: mxc://maunium.net/JxjlbZUlCPULEeHZSwleUXQv
 
   # Community ID for bridged users (changes registration file) and rooms.

roles/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_signal_daemon_container_self_build: false
 matrix_mautrix_signal_daemon_docker_repo: "https://mau.dev/maunium/signald.git"
 matrix_mautrix_signal_daemon_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-signald/docker-src"
 
-matrix_mautrix_signal_daemon_docker_image: "dock.mau.dev/maunium/signald:{{ matrix_mautrix_signal_daemon_version }}"
+matrix_mautrix_signal_daemon_docker_image: "docker.io/signald/signald:{{ matrix_mautrix_signal_daemon_version }}"
 matrix_mautrix_signal_daemon_docker_image_force_pull: "{{ matrix_mautrix_signal_daemon_docker_image.endswith(':latest') }}"
 
 matrix_mautrix_signal_base_path: "{{ matrix_base_data_path }}/mautrix-signal"

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -63,7 +63,7 @@ matrix_mautrix_telegram_homeserver_token: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_telegram_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_telegram_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_telegram_database_*` variables
 matrix_mautrix_telegram_database_engine: 'sqlite'
 
 matrix_mautrix_telegram_sqlite_database_path_local: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
@@ -110,6 +110,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml|from_yaml|combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@@ -123,10 +125,10 @@ matrix_mautrix_telegram_registration_yaml: |
       aliases:
       - exclusive: true
         regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$'
-  # See https://github.com/mautrix/signal/issues/43
   sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
   url: {{ matrix_mautrix_telegram_appservice_address }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+#  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
 
 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}"

roles/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -0,0 +1,103 @@
+# mautrix-twitter is a Matrix <-> Twitter bridge
+# See: https://github.com/tulir/mautrix-twitter
+
+matrix_mautrix_twitter_enabled: true
+
+matrix_mautrix_twitter_container_image_self_build: false
+matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/tulir/mautrix-twitter.git"
+
+matrix_mautrix_twitter_version: latest
+# See: https://mau.dev/tulir/mautrix-twitter/container_registry
+matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_name_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
+matrix_mautrix_twitter_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else 'dock.mau.dev/' }}"
+matrix_mautrix_twitter_docker_image_force_pull: "{{ matrix_mautrix_twitter_docker_image.endswith(':latest') }}"
+
+matrix_mautrix_twitter_base_path: "{{ matrix_base_data_path }}/mautrix-twitter"
+matrix_mautrix_twitter_config_path: "{{ matrix_mautrix_twitter_base_path }}/config"
+matrix_mautrix_twitter_data_path: "{{ matrix_mautrix_twitter_base_path }}/data"
+matrix_mautrix_twitter_docker_src_files_path: "{{ matrix_mautrix_twitter_base_path }}/docker-src"
+
+matrix_mautrix_twitter_homeserver_address: "{{ matrix_homeserver_container_url }}"
+matrix_mautrix_twitter_homeserver_domain: '{{ matrix_domain }}'
+matrix_mautrix_twitter_appservice_address: 'http://matrix-mautrix-twitter:29327'
+
+# A list of extra arguments to pass to the container
+matrix_mautrix_twitter_container_extra_arguments: []
+
+# List of systemd services that matrix-mautrix-twitter.service depends on.
+matrix_mautrix_twitter_systemd_required_services_list: ['docker.service']
+
+# List of systemd services that matrix-mautrix-twitter.service wants
+matrix_mautrix_twitter_systemd_wanted_services_list: []
+
+matrix_mautrix_twitter_appservice_token: ''
+matrix_mautrix_twitter_homeserver_token: ''
+
+
+# Database-related configuration fields.
+#
+# To use Postgres:
+# - adjust your database credentials via the `matrix_mautrix_twitter_postgres_*` variables
+matrix_mautrix_twitter_database_engine: 'postgres'
+
+matrix_mautrix_twitter_database_username: 'matrix_mautrix_twitter'
+matrix_mautrix_twitter_database_password: 'some-password'
+matrix_mautrix_twitter_database_hostname: 'matrix-postgres'
+matrix_mautrix_twitter_database_port: 5432
+matrix_mautrix_twitter_database_name: 'matrix_mautrix_twitter'
+
+matrix_mautrix_twitter_database_connection_string: 'postgres://{{ matrix_mautrix_twitter_database_username }}:{{ matrix_mautrix_twitter_database_password }}@{{ matrix_mautrix_twitter_database_hostname }}:{{ matrix_mautrix_twitter_database_port }}/{{ matrix_mautrix_twitter_database_name }}'
+
+matrix_mautrix_twitter_appservice_database: "{{
+	{
+		'postgres': matrix_mautrix_twitter_database_connection_string,
+	}[matrix_mautrix_twitter_database_engine]
+}}"
+
+
+# Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
+matrix_mautrix_twitter_login_shared_secret: ''
+
+matrix_mautrix_twitter_bridge_login_shared_secret_map: "{{ {matrix_mautrix_twitter_homeserver_domain: matrix_mautrix_twitter_login_shared_secret} if matrix_mautrix_twitter_login_shared_secret else {} }}"
+
+matrix_mautrix_twitter_appservice_bot_username: twitterbot
+
+# Default configuration template which covers the generic use case.
+# You can customize it by controlling the various variables inside it.
+#
+# For a more advanced customization, you can extend the default (see `matrix_mautrix_twitter_configuration_extension_yaml`)
+# or completely replace this variable with your own template.
+matrix_mautrix_twitter_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"
+
+matrix_mautrix_twitter_configuration_extension_yaml: |
+  # Your custom YAML configuration goes here.
+  # This configuration extends the default starting configuration (`matrix_mautrix_twitter_configuration_yaml`).
+  #
+  # You can override individual variables from the default configuration, or introduce new ones.
+  #
+  # If you need something more special, you can take full control by
+  # completely redefining `matrix_mautrix_twitter_configuration_yaml`.
+
+matrix_mautrix_twitter_configuration_extension: "{{ matrix_mautrix_twitter_configuration_extension_yaml|from_yaml if matrix_mautrix_twitter_configuration_extension_yaml|from_yaml is mapping else {} }}"
+
+# Holds the final configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_mautrix_twitter_configuration_yaml`.
+matrix_mautrix_twitter_configuration: "{{ matrix_mautrix_twitter_configuration_yaml|from_yaml|combine(matrix_mautrix_twitter_configuration_extension, recursive=True) }}"
+
+matrix_mautrix_twitter_registration_yaml: |
+  id: twitter
+  as_token: "{{ matrix_mautrix_twitter_appservice_token }}"
+  hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}"
+  namespaces:
+    users:
+    - exclusive: true
+      regex: '^@twitter_.+:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$'
+    - exclusive: true
+      regex: '^@{{ matrix_mautrix_twitter_appservice_bot_username|regex_escape }}:{{ matrix_mautrix_twitter_homeserver_domain|regex_escape }}$'
+  url: {{ matrix_mautrix_twitter_appservice_address }}
+  # See https://github.com/tulir/mautrix-signal/issues/43
+  sender_localpart: _bot_{{ matrix_mautrix_twitter_appservice_bot_username }}
+  rate_limited: false
+  de.sorunome.msc2409.push_ephemeral: true
+
+matrix_mautrix_twitter_registration: "{{ matrix_mautrix_twitter_registration_yaml|from_yaml }}"

roles/matrix-bridge-mautrix-twitter/tasks/init.yml

@@ -0,0 +1,23 @@
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-twitter.service'] }}"
+  when: matrix_mautrix_twitter_enabled|bool
+
+# If the matrix-synapse role is not used, these variables may not exist.
+- set_fact:
+    matrix_synapse_container_extra_arguments: >
+      {{ matrix_synapse_container_extra_arguments|default([]) }}
+      +
+      ["--mount type=bind,src={{ matrix_mautrix_twitter_config_path }}/registration.yaml,dst=/matrix-mautrix-twitter-registration.yaml,ro"]
+
+    matrix_synapse_app_service_config_files: >
+      {{ matrix_synapse_app_service_config_files|default([]) }}
+      +
+      {{ ["/matrix-mautrix-twitter-registration.yaml"] }}
+  when: matrix_mautrix_twitter_enabled|bool
+
+# ansible lower than 2.8, does not support docker_image build parameters
+# for self buildig it is explicitly needed, so we rather fail here
+- name: Fail if running on Ansible lower than 2.8 and trying self building
+  fail:
+    msg: "To self build Mautrix Twitter image, you should usa ansible 2.8 or higher. E.g. pip contains such packages."
+  when: "ansible_version.major == 2 and ansible_version.minor < 8 and matrix_mautrix_twitter_container_image_self_build"

roles/matrix-bridge-mautrix-twitter/tasks/main.yml

@@ -0,0 +1,21 @@
+- import_tasks: "{{ role_path }}/tasks/init.yml"
+  tags:
+    - always
+
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-twitter
+
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_mautrix_twitter_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-twitter
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_mautrix_twitter_enabled|bool"
+  tags:
+    - setup-all
+    - setup-mautrix-twitter

roles/matrix-bridge-mautrix-twitter/tasks/setup_install.yml

@@ -0,0 +1,88 @@
+---
+
+# If the matrix-synapse role is not used, `matrix_synapse_role_executed` won't exist.
+# We don't want to fail in such cases.
+- name: Fail if matrix-synapse role already executed
+  fail:
+    msg: >-
+      The matrix-bridge-mautrix-twitter role needs to execute before the matrix-synapse role.
+  when: "matrix_synapse_role_executed|default(False)"
+
+- set_fact:
+    matrix_mautrix_twitter_requires_restart: false
+
+- name: Ensure Mautrix Twitter image is pulled
+  docker_image:
+    name: "{{ matrix_mautrix_twitter_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_mautrix_twitter_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_twitter_docker_image_force_pull }}"
+  when: matrix_mautrix_twitter_enabled|bool and not matrix_mautrix_twitter_container_image_self_build
+
+- name: Ensure Mautrix Twitter paths exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_mautrix_twitter_base_path }}", when: true }
+    - { path: "{{ matrix_mautrix_twitter_config_path }}", when: true }
+    - { path: "{{ matrix_mautrix_twitter_data_path }}", when: true }
+    - { path: "{{ matrix_mautrix_twitter_docker_src_files_path }}", when: "{{ matrix_mautrix_twitter_container_image_self_build }}" }
+  when: item.when|bool
+
+- name: Ensure Mautrix Twitter repository is present on self-build
+  git:
+    repo: "{{ matrix_mautrix_twitter_container_image_self_build_repo }}"
+    dest: "{{ matrix_mautrix_twitter_docker_src_files_path }}"
+#    version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
+    force: "yes"
+  register: matrix_mautrix_twitter_git_pull_results
+  when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build"
+
+- name: Ensure Mautrix Twitter Docker image is built
+  docker_image:
+    name: "{{ matrix_mautrix_twitter_docker_image }}"
+    source: build
+    force_source: "{{ matrix_mautrix_twitter_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_mautrix_twitter_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_mautrix_twitter_enabled|bool and matrix_mautrix_twitter_container_image_self_build|bool"
+
+- name: Ensure mautrix-twitter config.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_twitter_configuration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_twitter_config_path }}/config.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure mautrix-twitter registration.yaml installed
+  copy:
+    content: "{{ matrix_mautrix_twitter_registration|to_nice_yaml }}"
+    dest: "{{ matrix_mautrix_twitter_config_path }}/registration.yaml"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure matrix-mautrix-twitter.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-mautrix-twitter.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service"
+    mode: 0644
+  register: matrix_mautrix_twitter_systemd_service_result
+
+- name: Ensure systemd reloaded after matrix-mautrix-twitter.service installation
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_twitter_systemd_service_result.changed"
+
+- name: Ensure matrix-mautrix-twitter.service restarted, if necessary
+  service:
+    name: "matrix-mautrix-twitter.service"
+    state: restarted
+  when: "matrix_mautrix_twitter_requires_restart|bool"

roles/matrix-bridge-mautrix-twitter/tasks/setup_uninstall.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Check existence of matrix-mautrix-twitter service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service"
+  register: matrix_mautrix_twitter_service_stat
+
+- name: Ensure matrix-mautrix-twitter is stopped
+  service:
+    name: matrix-mautrix-twitter
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_mautrix_twitter_service_stat.stat.exists"
+
+- name: Ensure matrix-mautrix-twitter.service doesn't exist
+  file:
+    path: "{{ matrix_systemd_path }}/matrix-mautrix-twitter.service"
+    state: absent
+  when: "matrix_mautrix_twitter_service_stat.stat.exists"
+
+- name: Ensure systemd reloaded after matrix-mautrix-twitter.service removal
+  service:
+    daemon_reload: yes
+  when: "matrix_mautrix_twitter_service_stat.stat.exists"

roles/matrix-bridge-mautrix-twitter/tasks/validate_config.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Fail if required settings not defined
+  fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_mautrix_twitter_appservice_token"
+    - "matrix_mautrix_twitter_homeserver_token"
+
+- name: Fail if database is not defined
+  fail:
+    msg: >-
+      You need to define a need to set `matrix_mautrix_twitter_database_engine: postgres` and redefine the other `matrix_mautrix_twitter_database_*` variables
+  when: "vars[item] == ''"
+  with_items:
+    - "matrix_mautrix_twitter_database_engine"

roles/matrix-bridge-mautrix-twitter/templates/config.yaml.j2

@@ -0,0 +1,209 @@
+#jinja2: lstrip_blocks: "True"
+# Homeserver details
+homeserver:
+    # The address that this appservice can use to connect to the homeserver.
+    address: {{ matrix_mautrix_twitter_homeserver_address }}
+    # The domain of the homeserver (for MXIDs, etc).
+    domain: {{ matrix_mautrix_twitter_homeserver_domain }}
+    # Whether or not to verify the SSL certificate of the homeserver.
+    # Only applies if address starts with https://
+    verify_ssl: true
+    asmux: false
+
+# Application service host/registration related details
+# Changing these values requires regeneration of the registration.
+appservice:
+    # The address that the homeserver can use to connect to this appservice.
+    address: {{ matrix_mautrix_twitter_appservice_address }}
+    # When using https:// the TLS certificate and key files for the address.
+    tls_cert: false
+    tls_key: false
+
+    # The hostname and port where this appservice should listen.
+    hostname: 0.0.0.0
+    port: 29327
+    # The maximum body size of appservice API requests (from the homeserver) in mebibytes
+    # Usually 1 is enough, but on high-traffic bridges you might need to increase this to avoid 413s
+    max_body_size: 1
+
+    # The full URI to the database. Only Postgres is currently supported.
+    database: {{ matrix_mautrix_twitter_appservice_database|to_json }}
+    # Additional arguments for asyncpg.create_pool()
+    # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool
+    database_opts:
+        min_size: 5
+        max_size: 10
+
+    # Provisioning API part of the web server for automated portal creation and fetching information.
+    # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager).
+    provisioning:
+        # Whether or not the provisioning API should be enabled.
+        enabled: true
+        # The prefix to use in the provisioning API endpoints.
+        prefix: /_matrix/provision/v1
+        # The shared secret to authorize users of the API.
+        # Set to "generate" to generate and save a new token.
+        shared_secret: generate
+
+    # The unique ID of this appservice.
+    id: twitter
+    # Username of the appservice bot.
+    bot_username: {{ matrix_mautrix_twitter_appservice_bot_username|to_json }}
+    # Display name and avatar for bot. Set to "remove" to remove display name/avatar, leave empty
+    # to leave display name/avatar as-is.
+    bot_displayname: Twitter bridge bot
+    bot_avatar: mxc://maunium.net/HVHcnusJkQcpVcsVGZRELLCn
+
+    # Community ID for bridged users (changes registration file) and rooms.
+    # Must be created manually.
+    #
+    # Example: "+twitter:example.com". Set to false to disable.
+    community_id: false
+
+    # Whether or not to receive ephemeral events via appservice transactions.
+    # Requires MSC2409 support (i.e. Synapse 1.22+).
+    # You should disable bridge -> sync_with_custom_puppets when this is enabled.
+    ephemeral_events: false
+
+    # Authentication tokens for AS <-> HS communication. Autogenerated; do not modify.
+    as_token: "{{ matrix_mautrix_twitter_appservice_token }}"
+    hs_token: "{{ matrix_mautrix_twitter_homeserver_token }}"
+
+# Prometheus telemetry config. Requires prometheus-client to be installed.
+metrics:
+    enabled: false
+    listen_port: 8000
+
+# Bridge config
+bridge:
+    # Localpart template of MXIDs for Twitter users.
+    # {userid} is replaced with the user ID of the Twitter user.
+    username_template: "twitter_{userid}"
+    # Displayname template for Twitter users.
+    # {displayname} is replaced with the display name of the Twitter user.
+    # {username} is replaced with the username of the Twitter user.
+    displayname_template: "{displayname} (Twitter)"
+
+    # Maximum length of displayname
+    displayname_max_length: 100
+
+    # Number of conversations to sync (and create portals for) on login.
+    # Set 0 to disable automatic syncing.
+    initial_conversation_sync: 10
+    # Whether or not to use /sync to get read receipts and typing notifications
+    # when double puppeting is enabled
+    sync_with_custom_puppets: true
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false.
+    double_puppet_server_map: {}
+    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
+    #
+    # If set, custom puppets will be enabled automatically for local users
+    # instead of users having to find an access token and run `login-matrix`
+    # manually.
+    # If using this for other servers than the bridge's server,
+    # you must also set the URL in the double_puppet_server_map.
+    login_shared_secret_map: {{ matrix_mautrix_twitter_bridge_login_shared_secret_map|to_json }}
+    # Whether or not created rooms should have federation enabled.
+    # If false, created portal rooms will never be federated.
+    federate_rooms: true
+    # Settings for backfilling messages from Twitter.
+    #
+    # Missed message backfilling is currently based on receiving them from the Twitter polling API,
+    # rather than manually asking for messages in each conversation. Due to this, there's no way to
+    # set a limit for missed message backfilling.
+    backfill:
+        # Whether or not the Twitter users of logged in Matrix users should be
+        # invited to private chats when backfilling history from Twitter. This is
+        # usually needed to prevent rate limits and to allow timestamp massaging.
+        invite_own_puppet: true
+        # Maximum number of messages to backfill initially.
+        # Set to 0 to disable backfilling when creating portal.
+        initial_limit: 0
+        # If using double puppeting, should notifications be disabled
+        # while the initial backfill is in progress?
+        disable_notifications: true
+    # End-to-bridge encryption support options. You must install the e2be optional dependency for
+    # this to work. See https://github.com/tulir/mautrix-telegram/wiki/End‐to‐bridge-encryption
+    encryption:
+        # Allow encryption, work in group chat rooms with e2ee enabled
+        allow: false
+        # Default to encryption, force-enable encryption in all portals the bridge creates
+        # This will cause the bridge bot to be in private chats for the encryption to work properly.
+        default: false
+        # Options for automatic key sharing.
+        key_sharing:
+            # Enable key sharing? If enabled, key requests for rooms where users are in will be fulfilled.
+            # You must use a client that supports requesting keys from other users to use this feature.
+            allow: false
+            # Require the requesting device to have a valid cross-signing signature?
+            # This doesn't require that the bridge has verified the device, only that the user has verified it.
+            # Not yet implemented.
+            require_cross_signing: false
+            # Require devices to be verified by the bridge?
+            # Verification by the bridge is not yet implemented.
+            require_verification: true
+    # Whether or not to explicitly set the avatar and room name for private
+    # chat portal rooms. This will be implicitly enabled if encryption.default is true.
+    private_chat_portal_meta: false
+    # Whether or not the bridge should send a read receipt from the bridge bot when a message has
+    # been sent to Twitter.
+    delivery_receipts: false
+    # Whether or not delivery errors should be reported as messages in the Matrix room.
+    delivery_error_reports: false
+    # Whether or not non-fatal polling errors should send notices to the notice room.
+    temporary_disconnect_notices: true
+    # Number of seconds to sleep more than the previous error when a polling error occurs.
+    # Growth is capped at 15 minutes.
+    error_sleep: 5
+    # Maximum number of polling errors before giving up. Set to -1 to retry forever.
+    max_poll_errors: 12
+    # Set this to true to tell the bridge to re-send m.bridge events to all rooms on the next run.
+    # This field will automatically be changed back to false after it,
+    # except if the config file is not writable.
+    resend_bridge_info: false
+
+    # The prefix for commands. Only required in non-management rooms.
+    command_prefix: "!tw"
+
+    # Permissions for using the bridge.
+    # Permitted values:
+    #       user - Use the bridge with puppeting.
+    #      admin - Use and administrate the bridge.
+    # Permitted keys:
+    #        * - All Matrix users
+    #   domain - All users on that homeserver
+    #     mxid - Specific user
+    permissions:
+      '{{ matrix_mautrix_twitter_homeserver_domain }}': user
+
+
+# Python logging configuration.
+#
+# See section 16.7.2 of the Python documentation for more info:
+# https://docs.python.org/3.6/library/logging.config.html#configuration-dictionary-schema
+logging:
+    version: 1
+    formatters:
+        colored:
+            (): mautrix_twitter.util.ColorFormatter
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+        normal:
+            format: "[%(asctime)s] [%(levelname)s@%(name)s] %(message)s"
+    handlers:
+        console:
+            class: logging.StreamHandler
+            formatter: colored
+    loggers:
+        mau:
+            level: DEBUG
+        aiohttp:
+            level: INFO
+    root:
+        level: DEBUG
+        handlers: [console]

roles/matrix-bridge-mautrix-twitter/templates/systemd/matrix-mautrix-twitter.service.j2

@@ -0,0 +1,42 @@
+#jinja2: lstrip_blocks: "True"
+[Unit]
+Description=Matrix Mautrix Twitter bridge
+{% for service in matrix_mautrix_twitter_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_mautrix_twitter_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null'
+ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null'
+
+# Intentional delay, so that the homeserver (we likely depend on) can manage to start.
+ExecStartPre={{ matrix_host_command_sleep }} 5
+
+ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-twitter \
+			--log-driver=none \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
+			--network={{ matrix_docker_network }} \
+			-v {{ matrix_mautrix_twitter_config_path }}:/config:z \
+			-v {{ matrix_mautrix_twitter_data_path }}:/data:z \
+			{% for arg in matrix_mautrix_twitter_container_extra_arguments %}
+			{{ arg }} \
+			{% endfor %}
+			{{ matrix_mautrix_twitter_docker_image }} \
+			python3 -m mautrix_twitter -c /config/config.yaml --no-update
+
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} kill matrix-mautrix-twitter 2>/dev/null'
+ExecStop=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }} rm matrix-mautrix-twitter 2>/dev/null'
+Restart=always
+RestartSec=30
+SyslogIdentifier=matrix-mautrix-twitter
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -42,7 +42,7 @@ matrix_mautrix_whatsapp_appservice_bot_username: whatsappbot
 #
 # To use Postgres:
 # - change the engine (`matrix_mautrix_whatsapp_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_mautrix_whatsapp_postgres_*` variables
+# - adjust your database credentials via the `matrix_mautrix_whatsapp_database_*` variables
 matrix_mautrix_whatsapp_database_engine: 'sqlite'
 
 matrix_mautrix_whatsapp_sqlite_database_path_local: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"

roles/matrix-bridge-mx-puppet-discord/defaults/main.yml

@@ -27,6 +27,8 @@ matrix_mx_puppet_discord_homeserver_address: "{{ matrix_homeserver_container_url
 matrix_mx_puppet_discord_homeserver_domain: '{{ matrix_domain }}'
 matrix_mx_puppet_discord_appservice_address: 'http://matrix-mx-puppet-discord:{{ matrix_mx_puppet_discord_appservice_port }}'
 
+matrix_mx_puppet_discord_bridge_mediaUrl: "https:/{{ matrix_server_fqn_matrix }}"
+
 # "@user:server.com" to allow specific user
 # "@.*:yourserver.com" to allow users on a specific homeserver
 # "@.*" to allow anyone

roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -9,23 +9,23 @@ bridge:
   domain: {{ matrix_mx_puppet_discord_homeserver_domain }}
   # Reachable URL of the Matrix homeserver
   homeserverUrl: {{ matrix_mx_puppet_discord_homeserver_address }}
+  # Optionally specify a different media URL used for the media store
+  #
+  # This is where Discord will download user profile pictures and media
+  # from
+  mediaUrl: {{ matrix_mx_puppet_discord_bridge_mediaUrl }}
   {% if matrix_mx_puppet_discord_login_shared_secret != '' %}
   loginSharedSecretMap:
     {{ matrix_domain }}: {{ matrix_mx_puppet_discord_login_shared_secret }}
   {% endif %}
   # Display name of the bridge bot
   displayname: Discord Puppet Bridge
-  # Optionally specify a different media URL used for the media store
-  #
-  # This is where Discord will download user profile pictures and media
-  # from
-  #mediaUrl: https://external-url.org
 
 presence:
   # Bridge Discord online/offline status
   enabled: true
   # How often to send status to the homeserver in milliseconds
-  interval: 500
+  interval: 10000
 
 provisioning:
   # Regex of Matrix IDs allowed to use the puppet bridge
@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/matrix-client-element/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
-matrix_client_element_version: v1.9.5
+matrix_client_element_version: v1.9.8
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

roles/matrix-client-element/tasks/setup_install.yml

@@ -76,6 +76,18 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"
 
+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element config files removed
   file:
     path: "{{ matrix_client_element_data_path }}/{{ item.name }}"

roles/matrix-client-element/templates/welcome.html.j2

@@ -33,7 +33,7 @@ h1::after {
 }
 
 .mx_Logo {
-    height: 54px;
+    height: 92px;
     margin-top: 2px;
 }
 

roles/matrix-common-after/tasks/awx_post.yml

@@ -1,11 +1,11 @@
 ---
 
-- name: Create user account @_janitor
+- name: Create user account @admin-janitor
   command: |
-    /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1
+    /usr/local/bin/matrix-synapse-register-user admin-janitor {{ awx_janitor_user_password | quote }} 1
   register: cmd
   when: not awx_janitor_user_created|bool
-  no_log: True
+  no_log: false
     
 - name: Update AWX janitor user created variable
   delegate_to: 127.0.0.1
@@ -18,12 +18,12 @@
     'awx_janitor_user_created': 'true'
   when: not awx_janitor_user_created|bool
 
-- name: Create user account @_dimension
+- name: Create user account @admin-dimension
   command: |
-    /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0
+    /usr/local/bin/matrix-synapse-register-user admin-dimension {{ awx_dimension_user_password | quote }} 0
   register: cmd
   when: not awx_dimension_user_created|bool
-  no_log: True
+  no_log: false
   
 - name: Update AWX dimension user created variable
   delegate_to: 127.0.0.1
@@ -36,12 +36,12 @@
     'awx_dimension_user_created': 'true'
   when: not awx_dimension_user_created|bool
 
-- name: Create user account @_mjolnir
+- name: Create user account @admin-mjolnir
   command: |
-    /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0
+    /usr/local/bin/matrix-synapse-register-user admin-mjolnir {{ awx_mjolnir_user_password | quote }} 0
   register: cmd
   when: not awx_mjolnir_user_created|bool
-  no_log: True
+  no_log: false
   
 - name: Update AWX dimension user created variable
   delegate_to: 127.0.0.1

roles/matrix-coturn/defaults/main.yml

@@ -5,7 +5,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 
-matrix_coturn_version: 4.5.2-r4
+matrix_coturn_version: 4.5.2-r8
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

roles/matrix-dimension/defaults/main.yml

@@ -10,10 +10,16 @@ matrix_dimension_admins: []
 # Whether to allow Dimension widgets serve websites with invalid or self signed SSL certificates
 matrix_dimension_widgets_allow_self_signed_ssl_certificates: false
 
+matrix_dimension_container_image_self_build: false
+matrix_dimension_container_image_self_build_repo: "https://github.com/turt2live/matrix-dimension.git"
+matrix_dimension_container_image_self_build_branch: master
+
 matrix_dimension_base_path: "{{ matrix_base_data_path }}/dimension"
+matrix_dimension_docker_src_files_path: "{{ matrix_base_data_path }}/docker-src/dimension"
 
 matrix_dimension_version: latest
-matrix_dimension_docker_image: "{{ matrix_container_global_registry_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
+matrix_dimension_docker_image: "{{ matrix_dimension_docker_image_name_prefix }}turt2live/matrix-dimension:{{ matrix_dimension_version }}"
+matrix_dimension_docker_image_name_prefix: "{{ 'localhost/' if matrix_dimension_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_dimension_docker_image_force_pull: "{{ matrix_dimension_docker_image.endswith(':latest') }}"
 
 # List of systemd services that matrix-dimension.service depends on.
@@ -48,7 +54,7 @@ matrix_dimension_homeserver_federationUrl: ""
 #
 # To use Postgres:
 # - change the engine (`matrix_dimension_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_dimension_postgres_*` variables
+# - adjust your database credentials via the `matrix_dimension_database_*` variables
 matrix_dimension_database_engine: 'sqlite'
 
 matrix_dimension_sqlite_database_path_local: "{{ matrix_dimension_base_path }}/dimension.db"

roles/matrix-dimension/tasks/setup_install.yml

@@ -90,6 +90,29 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_dimension_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_docker_image_force_pull }}"
+  when: "not matrix_dimension_container_image_self_build|bool"
+  register: matrix_dimension_pull_results
+
+- name: Ensure dimension repository is present on self-build
+  git:
+    repo: "{{ matrix_dimension_container_image_self_build_repo }}"
+    dest: "{{ matrix_dimension_docker_src_files_path }}"
+    version: "{{ matrix_dimension_container_image_self_build_branch }}"
+    force: "yes"
+  when: "matrix_dimension_container_image_self_build|bool"
+  register: matrix_dimension_git_pull_results
+
+- name: Ensure Dimension Docker image is built
+  docker_image:
+    name: "{{ matrix_dimension_docker_image }}"
+    source: build
+    force_source: "{{ matrix_dimension_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dimension_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_dimension_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_dimension_container_image_self_build|bool"
 
 - name: Ensure matrix-dimension.service installed
   template:

roles/matrix-grafana/defaults/main.yml

@@ -3,7 +3,7 @@
 
 matrix_grafana_enabled: false
 
-matrix_grafana_version: 8.3.0
+matrix_grafana_version: 8.3.3
 matrix_grafana_docker_image: "{{ matrix_container_global_registry_prefix }}grafana/grafana:{{ matrix_grafana_version }}"
 matrix_grafana_docker_image_force_pull: "{{ matrix_grafana_docker_image.endswith(':latest') }}"
 

roles/matrix-jitsi/defaults/main.yml

@@ -8,11 +8,25 @@ matrix_jitsi_enable_recording: false
 matrix_jitsi_enable_transcriptions: false
 matrix_jitsi_enable_p2p: true
 matrix_jitsi_enable_av_moderation: true
+matrix_jitsi_enable_breakout_rooms: true
 
-# Authentication type, must be one of internal, jwt or ldap. Currently only
-# internal and ldap are supported by this playbook.
+# Authentication type, must be one of internal, jwt or ldap.
+# Currently only internal and ldap mechanisms are supported by this playbook.
 matrix_jitsi_auth_type: internal
 
+# A list of Jitsi (Prosody) accounts to create using the internal authentication mechanism.
+#
+# Accounts added here and subsquently removed will not be automatically removed
+# from the Prosody server until user account cleaning is integrated into the playbook.
+#
+# Example:
+# matrix_jitsi_prosody_auth_internal_accounts:
+#  - username: "jitsi-moderator"
+#    password: "secret-password"
+#  - username: "another-user"
+#    password: "another-password"
+matrix_jitsi_prosody_auth_internal_accounts: []
+
 # Configuration options for LDAP authentication. For details see upstream:
 #   https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
 # Defaults are taken from:
@@ -54,7 +68,7 @@ matrix_jitsi_jibri_recorder_password: ''
 
 matrix_jitsi_enable_lobby: false
 
-matrix_jitsi_version: stable-6173
+matrix_jitsi_version: stable-6726-1
 matrix_jitsi_container_image_tag: "{{ matrix_jitsi_version }}" # for backward-compatibility
 
 matrix_jitsi_web_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/web:{{ matrix_jitsi_container_image_tag }}"
@@ -63,6 +77,7 @@ matrix_jitsi_web_docker_image_force_pull: "{{ matrix_jitsi_web_docker_image.ends
 matrix_jitsi_web_base_path: "{{ matrix_base_data_path }}/jitsi/web"
 matrix_jitsi_web_config_path: "{{ matrix_jitsi_web_base_path }}/config"
 matrix_jitsi_web_transcripts_path: "{{ matrix_jitsi_web_base_path }}/transcripts"
+matrix_jitsi_web_crontabs_path: "{{ matrix_jitsi_web_base_path }}/crontabs"
 
 matrix_jitsi_web_public_url: "https://{{ matrix_server_fqn_jitsi }}"
 
@@ -205,7 +220,6 @@ matrix_jitsi_jicofo_component_secret: ''
 matrix_jitsi_jicofo_auth_user: focus
 matrix_jitsi_jicofo_auth_password: ''
 
-
 matrix_jitsi_jvb_docker_image: "{{ matrix_container_global_registry_prefix }}jitsi/jvb:{{ matrix_jitsi_container_image_tag }}"
 matrix_jitsi_jvb_docker_image_force_pull: "{{ matrix_jitsi_jvb_docker_image.endswith(':latest') }}"
 

roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml

@@ -4,7 +4,7 @@
 # Tasks related to setting up jitsi-prosody
 #
 
-- name: Ensure Matrix jitsi-prosody path exists
+- name: Ensure Matrix jitsi-prosody environment exists
   file:
     path: "{{ item.path }}"
     state: directory
@@ -25,14 +25,14 @@
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_jitsi_prosody_docker_image_force_pull }}"
   when: matrix_jitsi_enabled|bool
 
-- name: Ensure jitsi-prosody environment variables file created
+- name: Ensure jitsi-prosody environment variables file is created
   template:
     src: "{{ role_path }}/templates/prosody/env.j2"
     dest: "{{ matrix_jitsi_prosody_base_path }}/env"
     mode: 0640
   when: matrix_jitsi_enabled|bool
 
-- name: Ensure matrix-jitsi-prosody.service installed
+- name: Ensure matrix-jitsi-prosody.service file is installed
   template:
     src: "{{ role_path }}/templates/prosody/matrix-jitsi-prosody.service.j2"
     dest: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
@@ -40,16 +40,24 @@
   register: matrix_jitsi_prosody_systemd_service_result
   when: matrix_jitsi_enabled|bool
 
-- name: Ensure systemd reloaded after matrix-jitsi-prosody.service installation
+- name: Ensure systemd service is reloaded after matrix-jitsi-prosody.service installation
   service:
     daemon_reload: yes
   when: "matrix_jitsi_enabled and matrix_jitsi_prosody_systemd_service_result.changed"
 
+- name: Ensure authentication is properly configured
+  include_tasks:
+    file: "{{ role_path }}/tasks/util/setup_jitsi_auth.yml"
+  when:
+    - matrix_jitsi_enabled|bool
+    - matrix_jitsi_enable_auth|bool
+
+
 #
 # Tasks related to getting rid of jitsi-prosody (if it was previously enabled)
 #
 
-- name: Check existence of matrix-jitsi-prosody service
+- name: Ensure matrix-jitsi-prosody.service file exists
   stat:
     path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
   register: matrix_jitsi_prosody_service_stat
@@ -64,13 +72,13 @@
   register: stopping_result
   when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
 
-- name: Ensure matrix-jitsi-prosody.service doesn't exist
+- name: Ensure matrix-jitsi-prosody.service file doesn't exist
   file:
     path: "{{ matrix_systemd_path }}/matrix-jitsi-prosody.service"
     state: absent
   when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"
 
-- name: Ensure systemd reloaded after matrix-jitsi-prosody.service removal
+- name: Ensure systemd is reloaded after matrix-jitsi-prosody.service removal
   service:
     daemon_reload: yes
   when: "not matrix_jitsi_enabled|bool and matrix_jitsi_prosody_service_stat.stat.exists"

roles/matrix-jitsi/tasks/setup_jitsi_web.yml

@@ -15,6 +15,7 @@
     - { path: "{{ matrix_jitsi_web_base_path }}", when: true }
     - { path: "{{ matrix_jitsi_web_config_path }}", when: true }
     - { path: "{{ matrix_jitsi_web_transcripts_path }}", when: true }
+    - { path: "{{ matrix_jitsi_web_crontabs_path }}", when: true }
   when: matrix_jitsi_enabled|bool and item.when
 
 - name: Ensure jitsi-web Docker image is pulled

roles/matrix-jitsi/tasks/util/setup_jitsi_auth.yml

@@ -0,0 +1,43 @@
+---
+#
+# Start Necessary Services
+#
+
+- name: Ensure matrix-jitsi-prosody container is running
+  systemd:
+    state: started
+    name: matrix-jitsi-prosody
+  register: matrix_jitsi_prosody_start_result
+
+
+#
+# Tasks related to configuring Jitsi internal authentication
+#
+
+- name: Ensure Jitsi internal authentication users are configured
+  shell: "docker exec matrix-jitsi-prosody prosodyctl --config /config/prosody.cfg.lua register {{ item.username | quote }} meet.jitsi {{ item.password | quote }}"
+  with_items: "{{ matrix_jitsi_prosody_auth_internal_accounts }}"
+  when:
+    - matrix_jitsi_auth_type == "internal"
+    - matrix_jitsi_prosody_auth_internal_accounts|length > 0
+
+
+#
+# Tasks related to configuring other Jitsi authentication mechanisms
+#
+
+
+
+#
+# Tasks related to cleaning after Jitsi authentication configuration
+#
+
+
+#
+# Stop Necessary Services
+#
+- name: Ensure matrix-jitsi-prosody container is stopped if necessary
+  systemd:
+    state: stopped
+    name: matrix-jitsi-prosody
+  when: matrix_jitsi_prosody_start_result.changed|bool

roles/matrix-jitsi/tasks/validate_config.yml

@@ -3,14 +3,14 @@
 - name: Fail if required Jitsi settings not defined
   fail:
     msg: >-
-      You need to define a required configuration setting (`{{ item }}`) for using Jitsi.
+      You need to define a required configuration setting (`{{ item }}`) to properly configure Jitsi.
 
       If you're setting up Jitsi for the first time, you may have missed a step.
       Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
 
-      If you had setup Jitsi successfully before and it's just now that you're observing this failure,
-      it means that your installation may be using some default passwords that the playbook used to define until now.
-      This is not secure and we urge you to rebuild your Jitsi setup.
+      If you had previously setup Jitsi successfully and are only now facing this error,
+      it means that your installation is most likely using default passwords previously defined by the playbook.
+      These defaults are insecure. Jitsi should be rebuilt with secure values.
       Refer to the "Rebuilding your Jitsi installation" section in our setup instructions (docs/configuring-playbook-jitsi.md).
   when: "vars[item] == ''"
   with_items:
@@ -19,6 +19,20 @@
     - "matrix_jitsi_jicofo_auth_password"
     - "matrix_jitsi_jvb_auth_password"
 
+
+- name: Fail if a Jitsi internal authentication account is not defined
+  fail:
+    msg: >-
+      At least one Jitsi user needs to be defined in `matrix_jitsi_prosody_auth_internal_accounts` when using internal authentication.
+      
+      If you're setting up Jitsi for the first time, you may have missed a step.
+      Refer to our setup instructions (docs/configuring-playbook-jitsi.md).
+  when:
+    - matrix_jitsi_enable_auth|bool
+    - matrix_jitsi_auth_type == 'internal'
+    - matrix_jitsi_prosody_auth_internal_accounts|length == 0
+
+
 - name: (Deprecation) Catch and report renamed settings
   fail:
     msg: >-

roles/matrix-jitsi/templates/jicofo/env.j2

@@ -9,6 +9,7 @@ ENABLE_CODEC_H264
 ENABLE_OCTO
 ENABLE_RECORDING
 ENABLE_SCTP
+ENABLE_AUTO_LOGIN
 JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
 JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
 JICOFO_ENABLE_BRIDGE_HEALTH_CHECKS
@@ -26,6 +27,9 @@ JIGASI_SIP_URI
 JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
 MAX_BRIDGE_PARTICIPANTS
 OCTO_BRIDGE_SELECTION_STRATEGY
+SENTRY_DSN="${JICOFO_SENTRY_DSN:-0}"
+SENTRY_ENVIRONMENT
+SENTRY_RELEASE
 TZ={{ matrix_jitsi_timezone }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}

roles/matrix-jitsi/templates/jicofo/logging.properties.j2

@@ -1,4 +1,10 @@
+{% raw %}
+{{ if .Env.SENTRY_DSN | default "0" | toBool }}
+handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
+{{ else }}
 handlers= java.util.logging.ConsoleHandler
+{{ end }}
+{% endraw %}
 
 java.util.logging.ConsoleHandler.level = ALL
 java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
@@ -10,6 +16,7 @@ net.sf.level=SEVERE
 net.java.sip.communicator.plugin.reconnectplugin.level=FINE
 org.ice4j.level=SEVERE
 org.jitsi.impl.neomedia.level=SEVERE
+io.sentry.jul.SentryHandler.level=WARNING
 
 # Do not worry about missing strings
 net.java.sip.communicator.service.resources.AbstractResourcesService.level=SEVERE

roles/matrix-jitsi/templates/jvb/env.j2

@@ -1,9 +1,6 @@
+DOCKER_HOST_ADDRESS
 ENABLE_COLIBRI_WEBSOCKET
 ENABLE_OCTO
-DOCKER_HOST_ADDRESS
-XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
-XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
-XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
 JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
 JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
 JVB_BREWERY_MUC={{ matrix_jitsi_jvb_brewery_muc }}
@@ -14,14 +11,21 @@ JVB_TCP_MAPPED_PORT={{ matrix_jitsi_jvb_rtp_tcp_port }}
 {% if matrix_jitsi_jvb_stun_servers|length > 0 %}
 JVB_STUN_SERVERS={{ matrix_jitsi_jvb_stun_servers|join(',') }}
 {% endif %}
-JVB_ENABLE_APIS
-JVB_WS_DOMAIN
-JVB_WS_SERVER_ID
-PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 JVB_OCTO_BIND_ADDRESS
 JVB_OCTO_PUBLIC_ADDRESS
 JVB_OCTO_BIND_PORT
 JVB_OCTO_REGION
+JVB_WS_DOMAIN
+JVB_WS_SERVER_ID
+PUBLIC_URL={{ matrix_jitsi_web_public_url }}
+SENTRY_DSN="${JVB_SENTRY_DSN:-0}"
+SENTRY_ENVIRONMENT
+SENTRY_RELEASE
+COLIBRI_REST_ENABLED
+SHUTDOWN_REST_ENABLED
 TZ={{ matrix_jitsi_timezone }}
+XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
+XMPP_INTERNAL_MUC_DOMAIN={{ matrix_jitsi_xmpp_internal_muc_domain }}
+XMPP_SERVER={{ matrix_jitsi_xmpp_server }}
 
 {{ matrix_jitsi_jvb_environment_variables_extension }}

roles/matrix-jitsi/templates/jvb/logging.properties.j2

@@ -1,4 +1,10 @@
+{% raw %}
+{{ if .Env.SENTRY_DSN | default "0" | toBool }}
+handlers=java.util.logging.ConsoleHandler,io.sentry.jul.SentryHandler
+{{ else }}
 handlers= java.util.logging.ConsoleHandler
+{{ end }}
+{% endraw %}
 
 java.util.logging.ConsoleHandler.level = ALL
 java.util.logging.ConsoleHandler.formatter = net.java.sip.communicator.util.ScLogFormatter
@@ -8,6 +14,7 @@ net.java.sip.communicator.util.ScLogFormatter.programname=JVB
 .level=INFO
 
 org.jitsi.videobridge.xmpp.ComponentImpl.level=FINE
+io.sentry.jul.SentryHandler.level=WARNING
 
 # All of the INFO level logs from MediaStreamImpl are unnecessary in the context of jitsi-videobridge.
 org.jitsi.impl.neomedia.MediaStreamImpl.level=WARNING

roles/matrix-jitsi/templates/prosody/env.j2

@@ -1,24 +1,53 @@
 AUTH_TYPE={{ matrix_jitsi_auth_type }}
+DISABLE_POLLS
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}}
+ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}}
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
 ENABLE_LOBBY={{ 1 if matrix_jitsi_enable_lobby else 0 }}
-ENABLE_AV_MODERATION={{1 if matrix_jitsi_enable_av_moderation else 0}}
 ENABLE_XMPP_WEBSOCKET
-GLOBAL_MODULES
 GLOBAL_CONFIG
-LDAP_URL={{ matrix_jitsi_ldap_url }}
+GLOBAL_MODULES
+JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
+JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
+JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
+JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
+JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
+JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
+JICOFO_COMPONENT_SECRET
+JIGASI_XMPP_USER=
+JIGASI_XMPP_PASSWORD=
+JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
+JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
+JWT_APP_ID
+JWT_APP_SECRET
+JWT_ACCEPTED_ISSUERS
+JWT_ACCEPTED_AUDIENCES
+JWT_ASAP_KEYSERVER
+JWT_ALLOW_EMPTY
+JWT_AUTH_TYPE
+JWT_TOKEN_AUTH_MODULE
+LOG_LEVEL
+LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
 LDAP_BASE={{ matrix_jitsi_ldap_base }}
 LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
 LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
 LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
-LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
 LDAP_VERSION={{ matrix_jitsi_ldap_version }}
-LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
 LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
 LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
 LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
 LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
 LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
+LDAP_URL={{ matrix_jitsi_ldap_url }}
+LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
+PUBLIC_URL={{ matrix_jitsi_web_public_url }}
+TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }}
+TURN_HOST={{ matrix_jitsi_turn_host }}
+TURNS_HOST={{ matrix_jitsi_turns_host }}
+TURN_PORT={{ matrix_jitsi_turn_port }}
+TURNS_PORT={{ matrix_jitsi_turns_port }}
+TZ={{ matrix_jitsi_timezone }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
@@ -29,29 +58,3 @@ XMPP_MUC_MODULES=
 XMPP_INTERNAL_MUC_MODULES=
 XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
 XMPP_CROSS_DOMAIN=true
-JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
-JICOFO_AUTH_PASSWORD={{ matrix_jitsi_jicofo_auth_password }}
-JVB_AUTH_USER={{ matrix_jitsi_jvb_auth_user }}
-JVB_AUTH_PASSWORD={{ matrix_jitsi_jvb_auth_password }}
-JIGASI_XMPP_USER=
-JIGASI_XMPP_PASSWORD=
-JIBRI_XMPP_USER={{ matrix_jitsi_jibri_xmpp_user }}
-JIBRI_XMPP_PASSWORD={{ matrix_jitsi_jibri_xmpp_password }}
-JIBRI_RECORDER_USER={{ matrix_jitsi_jibri_recorder_user }}
-JIBRI_RECORDER_PASSWORD={{ matrix_jitsi_jibri_recorder_password }}
-JWT_APP_ID
-JWT_APP_SECRET
-JWT_ACCEPTED_ISSUERS
-JWT_ACCEPTED_AUDIENCES
-JWT_ASAP_KEYSERVER
-JWT_ALLOW_EMPTY
-JWT_AUTH_TYPE
-JWT_TOKEN_AUTH_MODULE
-LOG_LEVEL
-PUBLIC_URL={{ matrix_jitsi_web_public_url }}
-TURN_CREDENTIALS={{ matrix_jitsi_turn_credentials }}
-TURN_HOST={{ matrix_jitsi_turn_host }}
-TURNS_HOST={{ matrix_jitsi_turns_host }}
-TURN_PORT={{ matrix_jitsi_turn_port }}
-TURNS_PORT={{ matrix_jitsi_turns_port }}
-TZ={{ matrix_jitsi_timezone }}

roles/matrix-jitsi/templates/web/env.j2

@@ -1,16 +1,3 @@
-ENABLE_COLIBRI_WEBSOCKET
-ENABLE_FLOC=0
-ENABLE_LETSENCRYPT=0
-ENABLE_HTTP_REDIRECT=0
-ENABLE_HSTS=0
-ENABLE_XMPP_WEBSOCKET
-DISABLE_HTTPS=0
-DISABLE_DEEP_LINKING
-LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }}
-LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }}
-LETSENCRYPT_USE_STAGING=0
-PUBLIC_URL={{ matrix_jitsi_web_public_url }}
-TZ={{ matrix_jitsi_timezone }}
 AMPLITUDE_ID
 ANALYTICS_SCRIPT_URLS
 ANALYTICS_WHITELISTED_EVENTS
@@ -26,23 +13,37 @@ DEPLOYMENTINFO_ENVIRONMENT_TYPE
 DEPLOYMENTINFO_REGION
 DEPLOYMENTINFO_SHARD
 DEPLOYMENTINFO_USERREGION
+DESKTOP_SHARING_FRAMERATE_MIN
+DESKTOP_SHARING_FRAMERATE_MAX
 DIALIN_NUMBERS_URL
 DIALOUT_AUTH_URL
 DIALOUT_CODES_URL
+DISABLE_AUDIO_LEVELS
+DISABLE_DEEP_LINKING
+DISABLE_HTTPS=0
+DISABLE_POLLS
+DISABLE_REACTIONS
 DROPBOX_APPKEY
 DROPBOX_REDIRECT_URI
 DYNAMIC_BRANDING_URL
 ENABLE_AUDIO_PROCESSING
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
+ENABLE_BREAKOUT_ROOMS={{1 if matrix_jitsi_enable_breakout_rooms else 0}}
 ENABLE_CALENDAR
+ENABLE_COLIBRI_WEBSOCKET
 ENABLE_FILE_RECORDING_SERVICE
 ENABLE_FILE_RECORDING_SERVICE_SHARING
+ENABLE_FLOC=0
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
+ENABLE_HSTS=0
+ENABLE_HTTP_REDIRECT=0
 ENABLE_IPV6
+ENABLE_LETSENCRYPT=0
 ENABLE_LIPSYNC
 ENABLE_NO_AUDIO_DETECTION
-ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
+ENABLE_NOISY_MIC_DETECTION
 ENABLE_PREJOIN_PAGE
+ENABLE_P2P={{ 1 if matrix_jitsi_enable_p2p else 0 }}
 ENABLE_WELCOME_PAGE
 ENABLE_CLOSE_PAGE
 ENABLE_RECORDING={{ 1 if matrix_jitsi_enable_recording else 0 }}
@@ -55,12 +56,16 @@ ENABLE_SUBDOMAINS
 ENABLE_TALK_WHILE_MUTED
 ENABLE_TCC
 ENABLE_TRANSCRIPTIONS={{ 1 if matrix_jitsi_enable_transcriptions else 0 }}
+ENABLE_XMPP_WEBSOCKET
 ETHERPAD_PUBLIC_URL
 ETHERPAD_URL_BASE={{ (matrix_jitsi_etherpad_base + '/') if matrix_jitsi_etherpad_enabled else ''}}
 GOOGLE_ANALYTICS_ID
 GOOGLE_API_APP_CLIENT_ID
 INVITE_SERVICE_URL
 JICOFO_AUTH_USER={{ matrix_jitsi_jicofo_auth_user }}
+LETSENCRYPT_DOMAIN={{ matrix_server_fqn_jitsi }}
+LETSENCRYPT_EMAIL={{ matrix_ssl_lets_encrypt_support_email }}
+LETSENCRYPT_USE_STAGING=0
 MATOMO_ENDPOINT
 MATOMO_SITE_ID
 MICROSOFT_API_APP_CLIENT_ID
@@ -68,29 +73,38 @@ NGINX_RESOLVER
 NGINX_WORKER_PROCESSES
 NGINX_WORKER_CONNECTIONS
 PEOPLE_SEARCH_URL
+PUBLIC_URL={{ matrix_jitsi_web_public_url }}
 RESOLUTION={{ matrix_jitsi_web_config_resolution_height_ideal_and_max }}
 RESOLUTION_MIN={{ matrix_jitsi_web_config_resolution_height_min }}
 RESOLUTION_WIDTH={{ matrix_jitsi_web_config_resolution_width_ideal_and_max }}
 RESOLUTION_WIDTH_MIN={{ matrix_jitsi_web_config_resolution_width_min }}
-START_AUDIO_ONLY
 START_AUDIO_MUTED={{ matrix_jitsi_web_config_start_audio_muted_after_nth_participant }}
-START_WITH_AUDIO_MUTED
-START_SILENT
-DISABLE_AUDIO_LEVELS
-ENABLE_NOISY_MIC_DETECTION
+START_AUDIO_ONLY
 START_BITRATE
-DESKTOP_SHARING_FRAMERATE_MIN
-DESKTOP_SHARING_FRAMERATE_MAX
+START_SILENT
+START_WITH_AUDIO_MUTED
 START_VIDEO_MUTED={{ matrix_jitsi_web_config_start_video_muted_after_nth_participant }}
 START_WITH_VIDEO_MUTED
 TESTING_CAP_SCREENSHARE_BITRATE
 TESTING_OCTO_PROBABILITY
+TOKEN_AUTH_URL
+TZ={{ matrix_jitsi_timezone }}
+VIDEOQUALITY_BITRATE_H264_LOW
+VIDEOQUALITY_BITRATE_H264_STANDARD
+VIDEOQUALITY_BITRATE_H264_HIGH
+VIDEOQUALITY_BITRATE_VP8_LOW
+VIDEOQUALITY_BITRATE_VP8_STANDARD
+VIDEOQUALITY_BITRATE_VP8_HIGH
+VIDEOQUALITY_BITRATE_VP9_LOW
+VIDEOQUALITY_BITRATE_VP9_STANDARD
+VIDEOQUALITY_BITRATE_VP9_HIGH
+VIDEOQUALITY_ENFORCE_PREFERRED_CODEC
+VIDEOQUALITY_PREFERRED_CODEC
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_BOSH_URL_BASE={{ matrix_jitsi_xmpp_bosh_url_base }}
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
 XMPP_MUC_DOMAIN={{ matrix_jitsi_xmpp_muc_domain }}
 XMPP_RECORDER_DOMAIN={{ matrix_jitsi_recorder_domain }}
-TOKEN_AUTH_URL
 
 {{ matrix_jitsi_web_environment_variables_extension }}

roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2

@@ -23,6 +23,7 @@ ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-jitsi-web \
 			{% endif %}
 			--mount type=bind,src={{ matrix_jitsi_web_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_jitsi_web_transcripts_path }},dst=/usr/share/jitsi-meet/transcripts \
+			--mount type=bind,src={{ matrix_jitsi_web_crontabs_path }},dst=/var/spool/cron/crontabs \
 			{% for arg in matrix_jitsi_web_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/matrix-ma1sd/defaults/main.yml

@@ -48,7 +48,7 @@ matrix_ma1sd_matrixorg_forwarding_enabled: false
 #
 # To use Postgres:
 # - change the engine (`matrix_ma1sd_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_ma1sd_postgres_*` variables
+# - adjust your database credentials via the `matrix_ma1sd_database_*` variables
 matrix_ma1sd_database_engine: 'sqlite'
 
 matrix_ma1sd_sqlite_database_path_local: "{{ matrix_ma1sd_data_path }}/ma1sd.db"

roles/matrix-nginx-proxy/defaults/main.yml

@@ -442,7 +442,14 @@ matrix_ssl_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains
 matrix_ssl_additional_domains_to_obtain_certificates_for: []
 
 # Controls whether to obtain production or staging certificates from Let's Encrypt.
+# If you'd like to use another ACME Certificate Authority server (not Let's Encrypt), use `matrix_ssl_lets_encrypt_server`
 matrix_ssl_lets_encrypt_staging: false
+
+# Controls from which Certificate Authority server to retrieve the SSL certificates (passed as a `--server` flag to Certbot).
+# By default, we use the Let's Encrypt production environment (use `matrix_ssl_lets_encrypt_staging` for using the staging environment).
+# Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server
+matrix_ssl_lets_encrypt_server: ''
+
 matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.21.0"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -42,6 +42,7 @@
     --non-interactive
     --work-dir=/tmp
     --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
     --standalone
     --preferred-challenges http
@@ -70,6 +71,7 @@
     --non-interactive
     --work-dir=/tmp
     --http-01-port 8080
+    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
     {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
     --standalone
     --preferred-challenges http

roles/matrix-postgres-backup/defaults/main.yml

@@ -33,7 +33,7 @@ matrix_postgres_backup_docker_image_v11: "{{ matrix_container_global_registry_pr
 matrix_postgres_backup_docker_image_v12: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:12{{ matrix_postgres_backup_docker_image_suffix }}"
 matrix_postgres_backup_docker_image_v13: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:13{{ matrix_postgres_backup_docker_image_suffix }}"
 matrix_postgres_backup_docker_image_v14: "{{ matrix_container_global_registry_prefix }}prodrigestivill/postgres-backup-local:14{{ matrix_postgres_backup_docker_image_suffix }}"
-matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v13 }}"
+matrix_postgres_backup_docker_image_latest: "{{ matrix_postgres_backup_docker_image_v14 }}"
 
 # This variable is assigned at runtime. Overriding its value has no effect.
 matrix_postgres_backup_docker_image_to_use: '{{ matrix_postgres_backup_docker_image_latest }}'

roles/matrix-registration/defaults/main.yml

@@ -38,7 +38,7 @@ matrix_registration_container_http_host_bind_port: ''
 #
 # To use Postgres:
 # - change the engine (`matrix_registration_database_engine: 'postgres'`)
-# - adjust your database credentials via the `matrix_registration_postgres_*` variables
+# - adjust your database credentials via the `matrix_registration_database_*` variables
 matrix_registration_database_engine: 'sqlite'
 
 matrix_registration_sqlite_database_path_local: "{{ matrix_registration_data_path }}/db.sqlite3"

roles/matrix-synapse-admin/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_synapse_admin_container_self_build_repo: "https://github.com/Awesome-Tech
 
 matrix_synapse_admin_docker_src_files_path: "{{ matrix_base_data_path }}/synapse-admin/docker-src"
 
-matrix_synapse_admin_version: 0.8.1
+matrix_synapse_admin_version: 0.8.4
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_name_prefix }}awesometechnologies/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_self_build else matrix_container_global_registry_prefix }}"
 matrix_synapse_admin_docker_image_force_pull: "{{ matrix_synapse_admin_docker_image.endswith(':latest') }}"

roles/matrix-synapse/defaults/main.yml

@@ -15,8 +15,8 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
 # amd64 gets released first.
 # arm32 relies on self-building, so the same version can be built immediately.
 # arm64 users need to wait for a prebuilt image to become available.
-matrix_synapse_version: v1.48.0
-matrix_synapse_version_arm64: v1.48.0
+matrix_synapse_version: v1.49.2
+matrix_synapse_version_arm64: v1.49.2
 matrix_synapse_docker_image_tag: "{{ matrix_synapse_version if matrix_architecture in ['arm32', 'amd64'] else matrix_synapse_version_arm64 }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
 
@@ -321,6 +321,9 @@ matrix_synapse_push_include_content: true
 # URLs shared by users.
 matrix_synapse_url_preview_enabled: true
 
+# A list of values for the Accept-Language HTTP header used when downloading webpages during URL preview generation
+matrix_url_preview_accept_language: ['en-US', 'en']
+
 # Enable exposure of metrics to Prometheus
 # See https://github.com/matrix-org/synapse/blob/master/docs/metrics-howto.md
 matrix_synapse_metrics_enabled: false

roles/matrix-synapse/tasks/synapse/workers/setup_uninstall.yml

@@ -8,6 +8,7 @@
     name: "{{ item.key }}"
     state: stopped
   with_dict: "{{ ansible_facts.services|default({})|dict2items|selectattr('key', 'match', 'matrix-synapse-worker-.+\\.service')|list|items2dict }}"
+  when: "item.value['status'] != 'not-found'" # see https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1461
 
 - name: Find worker configs to be cleaned
   find:

roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1149,8 +1149,7 @@ max_spider_size: 10M
 #   - fr;q=0.8
 #   - *;q=0.7
 #
-url_preview_accept_language:
-#   - en
+url_preview_accept_language: {{ matrix_url_preview_accept_language|to_json }}
 
 
 ## Captcha ##
@@ -1227,6 +1226,46 @@ enable_registration: {{ matrix_synapse_enable_registration|to_json }}
 #
 #session_lifetime: 24h
 
+# Time that an access token remains valid for, if the session is
+# using refresh tokens.
+# For more information about refresh tokens, please see the manual.
+# Note that this only applies to clients which advertise support for
+# refresh tokens.
+#
+# Note also that this is calculated at login time and refresh time:
+# changes are not applied to existing sessions until they are refreshed.
+#
+# By default, this is 5 minutes.
+#
+#refreshable_access_token_lifetime: 5m
+
+# Time that a refresh token remains valid for (provided that it is not
+# exchanged for another one first).
+# This option can be used to automatically log-out inactive sessions.
+# Please see the manual for more information.
+#
+# Note also that this is calculated at login time and refresh time:
+# changes are not applied to existing sessions until they are refreshed.
+#
+# By default, this is infinite.
+#
+#refresh_token_lifetime: 24h
+
+# Time that an access token remains valid for, if the session is NOT
+# using refresh tokens.
+# Please note that not all clients support refresh tokens, so setting
+# this to a short value may be inconvenient for some users who will
+# then be logged out frequently.
+#
+# Note also that this is calculated at login time: changes are not applied
+# retrospectively to existing sessions for users that have already logged in.
+#
+# By default, this is infinite.
+#
+#nonrefreshable_access_token_lifetime: 24h
+
+# The user must provide all of the below types of 3PID when registering.
+
 # The user must provide all of the below types of 3PID when registering.
 #
 #registrations_require_3pid:
@@ -2344,8 +2383,10 @@ email:
 
   # Username/password for authentication to the SMTP server. By default, no
   # authentication is attempted.
+  {% if matrix_synapse_email_smtp_user %}
   smtp_user: {{ matrix_synapse_email_smtp_user|string|to_json }}
   smtp_pass: {{ matrix_synapse_email_smtp_pass|string|to_json }}
+  {% endif %}
 
   # Uncomment the following to require TLS transport security for SMTP.
   # By default, Synapse will connect over plain text, and will then switch to

roles/matrix-synapse/vars/workers.yml

@@ -5,10 +5,10 @@ matrix_synapse_workers_generic_worker_endpoints:
   # expressions:
 
   # Sync requests
-  - ^/_matrix/client/(v2_alpha|r0)/sync$
-  - ^/_matrix/client/(api/v1|v2_alpha|r0)/events$
-  - ^/_matrix/client/(api/v1|r0)/initialSync$
-  - ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$
+  - ^/_matrix/client/(v2_alpha|r0|v3)/sync$
+  - ^/_matrix/client/(api/v1|v2_alpha|r0|v3)/events$
+  - ^/_matrix/client/(api/v1|r0|v3)/initialSync$
+  - ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$
 
   # Federation requests
   - ^/_matrix/federation/v1/event/
@@ -33,7 +33,7 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/federation/v1/get_groups_publicised$
   - ^/_matrix/key/v2/query
   - ^/_matrix/federation/unstable/org.matrix.msc2946/spaces/
-  - ^/_matrix/federation/unstable/org.matrix.msc2946/hierarchy/
+  - ^/_matrix/federation/(v1|unstable/org.matrix.msc2946)/hierarchy/
 
   # Inbound federation transaction request
   - ^/_matrix/federation/v1/send/
@@ -46,7 +46,7 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$
   - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/spaces$
-  - ^/_matrix/client/unstable/org.matrix.msc2946/rooms/.*/hierarchy$
+  - ^/_matrix/client/(v1|unstable/org.matrix.msc2946)/rooms/.*/hierarchy$
   - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/3pid$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices$
@@ -63,7 +63,7 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
-  - ^/_matrix/client/(r0|unstable)/register$
+  - ^/_matrix/client/(r0|v3|unstable)/register$
   - ^/_matrix/client/unstable/org.matrix.msc3231/register/org.matrix.msc3231.login.registration_token/validity$
 
   # Event sending requests

setup.yml

@@ -20,6 +20,7 @@
     - matrix-bridge-appservice-irc
     - matrix-bridge-beeper-linkedin
     - matrix-bridge-mautrix-facebook
+    - matrix-bridge-mautrix-twitter
     - matrix-bridge-mautrix-hangouts
     - matrix-bridge-mautrix-googlechat
     - matrix-bridge-mautrix-instagram
@@ -58,3 +59,33 @@
     - matrix-postgres-backup
     - matrix-prometheus-postgres-exporter
     - matrix-common-after
+
+  tasks:
+    - name: Ensure web-user is present
+      user:
+        name: "{{ web_user }}"
+        state: present
+        system: yes
+      register: web_user_res
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Ensure directory for revproxy config is present
+      file:
+        path: "{{ revproxy_autoload_dir }}/matrix"
+        state: directory
+        owner: "{{ web_user_res.uid }}"
+        group: "{{ web_user_res.group }}"
+        mode: 0750
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Template reverse proxy configuration
+      template:
+        src: Caddyfile.j2
+        dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile"
+        owner: "{{ web_user_res.uid }}"
+        group: "{{ web_user_res.group }}"
+        mode: 0640
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Restart reverse proxy
+      docker_container:
+        name: web
+        state: started
+        restart: yes

templates/Caddyfile.j2

@@ -0,0 +1,110 @@
+https://{{ matrix_server_fqn_matrix }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	header {
+		Strict-Transport-Security "max-age=31536000;"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+	}
+        # matrix-ma1sd
+	reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} {
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+        reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} {
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+                header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+	reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
+	reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
+	reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} {
+		import proxyheaders
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+        route /synapse-admin/* {
+                uri strip_prefix /synapse-admin
+                reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }}
+        }
+	reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }}
+        basicauth /metrics/* bcrypt monitoring {
+                monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
+        }
+        route /metrics/synapse {
+                uri replace /metrics/synapse /_synapse/metrics
+		reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }}
+        }
+        route /metrics/synapse/worker/appservice {
+                uri replace /metrics/synapse/worker/appservice /_synapse/metrics
+		reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }}
+        }
+        route /metrics/synapse/worker/federation-sender {
+                uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics
+		reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }}
+        }
+        route /metrics/bridge/* {
+                uri strip_prefix /metrics/bridge
+                route /mautrix-telegram {
+                    uri replace /mautrix-telegram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-whatsapp {
+                    uri replace /mautrix-whatsapp /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-signal {
+                    uri replace /mautrix-signal /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-instagram {
+                    uri replace /mx-puppet-instagram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-discord {
+                    uri replace /mx-puppet-discord /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-skype {
+                    uri replace /mx-puppet-skype /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-slack {
+                    uri replace /mx-puppet-slack /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+                }
+        }
+	reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}
+	reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_dimension }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} {
+		#header_up X-Forwarded-For {remote}
+		import proxyheaders
+		#header_up Host {host}
+	}
+}
+
+https://{{ matrix_server_fqn_element }} {
+	tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }}
+}
+
+https://{{ matrix_domain }}/.well-known/matrix/* {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	route {
+		uri strip_prefix /.well-known/matrix
+		root * /matrix_static
+		file_server
+	}
+	header {
+		Content-Type "application/json"
+		X-Content-Type-Options "nosniff"
+		Access-Control-Allow-Origin *
+		Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+}