feat: add automatic creation of reverse-proxy routing

Ansible 2.10 & AWX 19.4 compatibility

.gitignore

@@ -1,7 +1,3 @@
-/inventory/*
-!/inventory/.gitkeep
-!/inventory/host_vars/.gitkeep
-!/inventory/scripts
 /roles/*/files/scratchpad
 .DS_Store
 .python-version

ansible.cfg

@@ -1,6 +1,11 @@
 [defaults]
+
+vault_password_file = gpg/open_vault.sh
+
 retry_files_enabled = False
 stdout_callback = yaml
 
+inventory = inventory/hosts
+
 [connection]
 pipelining = True

collections/requirements.yml

@@ -0,0 +1,4 @@
+---
+collections:
+  - name: community.general
+  - name: community.docker  

docs/configuring-playbook-own-webserver.md

@@ -111,6 +111,9 @@ matrix_coturn_enabled: false
 
 # Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
 matrix_nginx_proxy_trust_forwarded_proto: true
+
+# Trust and use the other reverse proxy's `X-Forwarded-For` header.
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
 ```
 
 With this, nginx would still be in use, but it would not bother with anything SSL related or with taking up public ports.
@@ -136,6 +139,12 @@ matrix_nginx_proxy_https_enabled: false
 matrix_nginx_proxy_container_http_host_bind_port: ''
 matrix_nginx_proxy_container_federation_host_bind_port: ''
 
+# Trust the reverse proxy to send the correct `X-Forwarded-Proto` header as it is handling the SSL connection.
+matrix_nginx_proxy_trust_forwarded_proto: true
+
+# Trust and use the other reverse proxy's `X-Forwarded-For` header.
+matrix_nginx_proxy_x_forwarded_for: '$proxy_add_x_forwarded_for'
+
 # Disable Coturn because it needs SSL certs
 # (Clients can, though exposing IP address, use Matrix.org TURN)
 matrix_coturn_enabled: false

gpg/open_vault.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -e -u
+
+gpg2 --batch --use-agent --decrypt $(dirname $0)/vault_passphrase.gpg 2>/dev/null

gpg/vault_passphrase.gpg

@@ -0,0 +1,18 @@
+-----BEGIN PGP MESSAGE-----
+
+hQIMAxEs7W/4x4lxARAAssinIzR2rGs+Qkm0Q2tRdSXSXRx3OhH+2T5p0Rz3YkqU
+iyiUtyT/Ll7RMUAlAEDZITvirXe4ZZImDcxQegEzFgO7BowQYJDRdhaRmLKZpiuQ
+foRnJAAR12sf49arjJjaBQb91ViOp5MkxAtXiiqWyXwSSII+cV88flMq143cFmfC
+C5OdIQd3SqrbFhGRTjUzoIMqnJH8xksjwph9GS811dY14rQv5X1Ybt5zehMJ7/m/
+luLNg2zgQgYOUxcovddCVMI54ThXyDubDox/5xLvVjyVOFHgwC/VLn+QXHuPY/r5
++rVzz/30eq0uOLKD3LnDBQskCWRVWGC2ulKaZtlylBq6KRzIM6c6+VPSHCjoFyES
+RRpRHeIXGLs31eLkr8dc+VNbPKpMsjm/E/4ZVE2JBpy7S/kh1XYVQxT6ahDKT1tD
+4YN9O0JyNXzjiyNaTTLwNGh5+ICEd3ZCfa4O/og2LySGPOw6mX8ukgP029LHVp6+
+0tRwSWiIM3US/NIVGA+o9e9I/I5Bp/cnzJgd7faUIlzcVPP+euCbo4GsYWpX3Nca
+eRcr7AVY3wwuZtl7/s8KbQKk0ulLxS4Lo2XmdpQl8CPGwASdbMf/H8B256+xiUQ3
+ml400ZaCC7Loeduwl1ez1H/dFFzmpUziaxxtWW4aFtOUYhGeSCTu6ZIgxVq3eBnS
+jAGv8bt+0Xnrpih3mZWM92cw2VKfzYD9WG+dCB4DtZMKhl1ub2bkeTC/B9F+QuP6
+anlonYHs2wmPXzjcx8ajonbYrYXanoNRHDId6OqVAbjYqbua6TG6H9LUFweIj1RV
+yhUPejzhA8xEB0nUcKJZKLvuqvwPbr06GODnAKY5TQ4yILMAnBx0pNzfQNzo
+=Cecg
+-----END PGP MESSAGE-----

group_vars/matrix_servers

@@ -79,14 +79,14 @@ matrix_appservice_discord_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_appservice_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.as.token') | to_uuid }}"
+matrix_appservice_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.as.token') | to_uuid }}"
 
-matrix_appservice_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'discord.hs.token') | to_uuid }}"
+matrix_appservice_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'discord.hs.token') | to_uuid }}"
 
 # We only make this use Postgres if our own Postgres server is enabled.
 # It's only then (for now) that we can automatically create the necessary database and user for this service.
 matrix_appservice_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_appservice_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.discord.db') | to_uuid }}"
+matrix_appservice_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.discord.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -111,12 +111,12 @@ matrix_appservice_webhooks_container_image_self_build: "{{ matrix_architecture !
 # matrix-appservice-webhooks' client-server port to the local host.
 matrix_appservice_webhooks_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_webhooks_matrix_port) }}"
 
-matrix_appservice_webhooks_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
+matrix_appservice_webhooks_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.as.token') | to_uuid }}"
 
 matrix_appservice_webhooks_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
-matrix_appservice_webhooks_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
+matrix_appservice_webhooks_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.hs.token') | to_uuid }}"
 
-matrix_appservice_webhooks_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
+matrix_appservice_webhooks_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'webhook.id.token') | to_uuid }}"
 
 matrix_appservice_webhooks_systemd_required_services_list: |
   {{
@@ -150,12 +150,12 @@ matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64'
 # matrix-appservice-slack's client-server port to the local host.
 matrix_appservice_slack_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else ('127.0.0.1:' ~ matrix_appservice_slack_slack_port) }}"
 
-matrix_appservice_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.as.token') | to_uuid }}"
+matrix_appservice_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.as.token') | to_uuid }}"
 
 matrix_appservice_slack_homeserver_url: "http://matrix-synapse:{{ matrix_synapse_container_client_api_port }}"
-matrix_appservice_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
+matrix_appservice_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.hs.token') | to_uuid }}"
 
-matrix_appservice_slack_id_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'slack.id.token') | to_uuid }}"
+matrix_appservice_slack_id_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'slack.id.token') | to_uuid }}"
 
 matrix_appservice_slack_systemd_required_services_list: |
   {{
@@ -168,7 +168,7 @@ matrix_appservice_slack_systemd_required_services_list: |
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_appservice_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}"
-matrix_appservice_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.slack.db') | to_uuid }}"
+matrix_appservice_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.slack.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -205,12 +205,12 @@ matrix_appservice_irc_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_appservice_irc_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.as.token') | to_uuid }}"
+matrix_appservice_irc_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.as.token') | to_uuid }}"
 
-matrix_appservice_irc_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'irc.hs.token') | to_uuid }}"
+matrix_appservice_irc_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'irc.hs.token') | to_uuid }}"
 
 matrix_appservice_irc_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'nedb' }}"
-matrix_appservice_irc_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'as.irc.db') | to_uuid }}"
+matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'as.irc.db') | to_uuid }}"
 
 
 ######################################################################
@@ -240,15 +240,15 @@ matrix_beeper_linkedin_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_beeper_linkedin_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.as.token') | to_uuid }}"
+matrix_beeper_linkedin_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.as.token') | to_uuid }}"
 
-matrix_beeper_linkedin_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'linked.hs.token') | to_uuid }}"
+matrix_beeper_linkedin_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'linked.hs.token') | to_uuid }}"
 
 matrix_beeper_linkedin_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 matrix_beeper_linkedin_bridge_presence: "{{ matrix_synapse_presence_enabled if matrix_synapse_enabled else true }}"
 
-matrix_beeper_linkedin_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'maulinkedin.db') | to_uuid }}"
+matrix_beeper_linkedin_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'maulinkedin.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -278,9 +278,9 @@ matrix_mautrix_facebook_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mautrix_facebook_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.as.token') | to_uuid }}"
+matrix_mautrix_facebook_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.as.token') | to_uuid }}"
 
-matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'fb.hs.token') | to_uuid }}"
+matrix_mautrix_facebook_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'fb.hs.token') | to_uuid }}"
 
 matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
@@ -289,7 +289,7 @@ matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_presence_enabled if
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_facebook_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_facebook_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.fb.db') | to_uuid }}"
+matrix_mautrix_facebook_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.fb.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -320,9 +320,9 @@ matrix_mautrix_hangouts_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mautrix_hangouts_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.as.token') | to_uuid }}"
+matrix_mautrix_hangouts_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.as.token') | to_uuid }}"
 
-matrix_mautrix_hangouts_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ho.hs.token') | to_uuid }}"
+matrix_mautrix_hangouts_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ho.hs.token') | to_uuid }}"
 
 matrix_mautrix_hangouts_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}"
 
@@ -330,7 +330,7 @@ matrix_mautrix_hangouts_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_hangouts_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_hangouts_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}"
+matrix_mautrix_hangouts_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.hangouts.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -361,9 +361,9 @@ matrix_mautrix_googlechat_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mautrix_googlechat_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.as.token') | to_uuid }}"
+matrix_mautrix_googlechat_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.as.token') | to_uuid }}"
 
-matrix_mautrix_googlechat_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'gc.hs.token') | to_uuid }}"
+matrix_mautrix_googlechat_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'gc.hs.token') | to_uuid }}"
 
 matrix_mautrix_googlechat_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9007' }}"
 
@@ -371,7 +371,7 @@ matrix_mautrix_googlechat_login_shared_secret: "{{ matrix_synapse_ext_password_p
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_googlechat_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_googlechat_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.gc.db') | to_uuid }}"
+matrix_mautrix_googlechat_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.gc.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -402,9 +402,9 @@ matrix_mautrix_instagram_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mautrix_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.as.token') | to_uuid }}"
+matrix_mautrix_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.as.token') | to_uuid }}"
 
-matrix_mautrix_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ig.hs.token') | to_uuid }}"
+matrix_mautrix_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ig.hs.token') | to_uuid }}"
 
 matrix_mautrix_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
@@ -413,7 +413,7 @@ matrix_mautrix_instagram_bridge_presence: "{{ matrix_synapse_presence_enabled if
 # We'd like to force-set people with external Postgres to SQLite, so the bridge role can complain
 # and point them to a migration path.
 matrix_mautrix_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.ig.db') | to_uuid }}"
+matrix_mautrix_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.ig.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -448,14 +448,14 @@ matrix_mautrix_signal_homeserver_domain: '{{ matrix_domain }}'
 
 matrix_mautrix_signal_homeserver_address: "{{ matrix_homeserver_container_url }}"
 
-matrix_mautrix_signal_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.hs.token') | to_uuid }}"
+matrix_mautrix_signal_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.hs.token') | to_uuid }}"
 
-matrix_mautrix_signal_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'si.as.token') | to_uuid }}"
+matrix_mautrix_signal_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'si.as.token') | to_uuid }}"
 
 matrix_mautrix_signal_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 matrix_mautrix_signal_database_engine: 'postgres'
-matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.signal.db') | to_uuid }}"
+matrix_mautrix_signal_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.signal.db') | to_uuid }}"
 
 matrix_mautrix_signal_container_self_build: "{{ matrix_architecture not in ['amd64', 'arm64'] }}"
 matrix_mautrix_signal_daemon_container_self_build: "{{ matrix_architecture != 'amd64' }}"
@@ -491,11 +491,11 @@ matrix_mautrix_telegram_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mautrix_telegram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
+matrix_mautrix_telegram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.as.token') | to_uuid }}"
 
-matrix_mautrix_telegram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegr.hs.token') | to_uuid }}"
+matrix_mautrix_telegram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegr.hs.token') | to_uuid }}"
 
-matrix_mautrix_telegram_public_endpoint: "/{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'telegram') | to_uuid }}"
+matrix_mautrix_telegram_public_endpoint: "/{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'telegram') | to_uuid }}"
 
 matrix_mautrix_telegram_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:9006' }}"
 
@@ -503,7 +503,7 @@ matrix_mautrix_telegram_login_shared_secret: "{{ matrix_synapse_ext_password_pro
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_telegram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_telegram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mau.telegram.db') | to_uuid }}"
+matrix_mautrix_telegram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mau.telegram.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -533,15 +533,15 @@ matrix_mautrix_whatsapp_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mautrix_whatsapp_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.as.token') | to_uuid }}"
+matrix_mautrix_whatsapp_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.as.token') | to_uuid }}"
 
-matrix_mautrix_whatsapp_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'whats.hs.token') | to_uuid }}"
+matrix_mautrix_whatsapp_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'whats.hs.token') | to_uuid }}"
 
 matrix_mautrix_whatsapp_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mautrix_whatsapp_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mautrix_whatsapp_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}"
+matrix_mautrix_whatsapp_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mauwhatsapp.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -567,10 +567,10 @@ matrix_sms_bridge_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_sms_bridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.as.token') | to_uuid }}"
+matrix_sms_bridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.as.token') | to_uuid }}"
 
 matrix_sms_bridge_homeserver_port: "{{ matrix_synapse_container_client_api_port }}"
-matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'sms.hs.token') | to_uuid }}"
+matrix_sms_bridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'sms.hs.token') | to_uuid }}"
 
 ######################################################################
 #
@@ -587,9 +587,9 @@ matrix_sms_bridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | pas
 # We don't enable bridges by default.
 matrix_heisenbridge_enabled: false
 
-matrix_heisenbridge_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.as.tok') | to_uuid }}"
+matrix_heisenbridge_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.as.tok') | to_uuid }}"
 
-matrix_heisenbridge_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}"
+matrix_heisenbridge_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'heisen.hs.tok') | to_uuid }}"
 
 matrix_heisenbridge_systemd_wanted_services_list: |
   {{
@@ -626,15 +626,15 @@ matrix_mx_puppet_skype_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_skype_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
+matrix_mx_puppet_skype_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_skype_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"
+matrix_mx_puppet_skype_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'skype.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_skype_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_skype_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_skype_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}"
+matrix_mx_puppet_skype_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.skype.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -665,15 +665,15 @@ matrix_mx_puppet_slack_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_slack_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"
+matrix_mx_puppet_slack_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_slack_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}"
+matrix_mx_puppet_slack_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxslk.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_slack_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_slack_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_slack_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}"
+matrix_mx_puppet_slack_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.slack.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -703,9 +703,9 @@ matrix_mx_puppet_twitter_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_twitter_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}"
+matrix_mx_puppet_twitter_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_twitter_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}"
+matrix_mx_puppet_twitter_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxtwt.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_twitter_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
@@ -713,7 +713,7 @@ matrix_mx_puppet_twitter_container_http_host_bind_port: "{{ '' if matrix_nginx_p
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_twitter_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_twitter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}"
+matrix_mx_puppet_twitter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.twitter.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -744,15 +744,15 @@ matrix_mx_puppet_instagram_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_instagram_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.as.tok') | to_uuid }}"
+matrix_mx_puppet_instagram_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_instagram_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}"
+matrix_mx_puppet_instagram_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxig.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_instagram_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_instagram_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_instagram_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}"
+matrix_mx_puppet_instagram_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.ig.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -782,15 +782,15 @@ matrix_mx_puppet_discord_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_discord_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}"
+matrix_mx_puppet_discord_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_discord_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}"
+matrix_mx_puppet_discord_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxdsc.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_discord_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_discord_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_discord_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}"
+matrix_mx_puppet_discord_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.dsc.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -820,15 +820,15 @@ matrix_mx_puppet_steam_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_steam_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.as.tok') | to_uuid }}"
+matrix_mx_puppet_steam_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_steam_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}"
+matrix_mx_puppet_steam_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxste.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_steam_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_steam_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_steam_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}"
+matrix_mx_puppet_steam_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.steam.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -858,15 +858,15 @@ matrix_mx_puppet_groupme_systemd_required_services_list: |
     (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
   }}
 
-matrix_mx_puppet_groupme_appservice_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}"
+matrix_mx_puppet_groupme_appservice_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.as.tok') | to_uuid }}"
 
-matrix_mx_puppet_groupme_homeserver_token: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}"
+matrix_mx_puppet_groupme_homeserver_token: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxgro.hs.tok') | to_uuid }}"
 
 matrix_mx_puppet_groupme_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_mx_puppet_groupme_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_mx_puppet_groupme_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}"
+matrix_mx_puppet_groupme_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mxpup.groupme.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -896,7 +896,7 @@ matrix_bot_matrix_reminder_bot_systemd_required_services_list: |
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_bot_matrix_reminder_bot_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_bot_matrix_reminder_bot_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'reminder.bot.db') | to_uuid }}"
+matrix_bot_matrix_reminder_bot_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'reminder.bot.db') | to_uuid }}"
 matrix_bot_matrix_reminder_bot_container_self_build: "{{ matrix_architecture != 'amd64' }}"
 
 ######################################################################
@@ -1068,7 +1068,7 @@ matrix_dimension_systemd_required_services_list: |
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_dimension_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_dimension_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'dimension.db') | to_uuid }}"
+matrix_dimension_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'dimension.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -1093,7 +1093,7 @@ matrix_etherpad_systemd_required_services_list: |
     (['matrix-postgres.service'] if matrix_postgres_enabled else [])
   }}
 
-matrix_etherpad_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'etherpad.db') | to_uuid }}"
+matrix_etherpad_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'etherpad.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -1152,9 +1152,9 @@ matrix_jitsi_jvb_container_colibri_ws_host_bind_port: "{{ '' if matrix_nginx_pro
 
 matrix_jitsi_prosody_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_enabled else '127.0.0.1:5280' }}"
 
-matrix_jitsi_jibri_xmpp_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jibri') | to_uuid }}"
-matrix_jitsi_jicofo_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jicofo') | to_uuid }}"
-matrix_jitsi_jvb_auth_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'jvb') | to_uuid }}"
+matrix_jitsi_jibri_xmpp_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jibri') | to_uuid }}"
+matrix_jitsi_jicofo_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jicofo') | to_uuid }}"
+matrix_jitsi_jvb_auth_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'jvb') | to_uuid }}"
 
 matrix_jitsi_web_stun_servers: |
   {{
@@ -1257,7 +1257,7 @@ matrix_ma1sd_systemd_wanted_services_list: |
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_ma1sd_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_ma1sd_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'ma1sd.db') | to_uuid }}"
+matrix_ma1sd_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'ma1sd.db') | to_uuid }}"
 
 ######################################################################
 #
@@ -1746,7 +1746,7 @@ matrix_synapse_container_manhole_api_host_bind_port: "{{ '127.0.0.1:9000' if mat
 # For exposing the Synapse worker (and metrics) ports to the local host.
 matrix_synapse_workers_container_host_bind_address: "{{ '127.0.0.1' if (matrix_synapse_workers_enabled and not matrix_nginx_proxy_enabled) else '' }}"
 
-matrix_synapse_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'synapse.db') | to_uuid }}"
+matrix_synapse_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'synapse.db') | to_uuid }}"
 
 # We do not enable TLS in Synapse by default.
 # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse.
@@ -1897,7 +1897,7 @@ matrix_prometheus_scraper_postgres_targets: "{{ ['matrix-prometheus-postgres-exp
 ######################################################################
 
 matrix_prometheus_postgres_exporter_enabled: false
-matrix_prometheus_postgres_exporter_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}"
+matrix_prometheus_postgres_exporter_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'prometheus.pg.db') | to_uuid }}"
 
 matrix_prometheus_postgres_exporter_systemd_required_services_list: |
   {{
@@ -1973,7 +1973,7 @@ matrix_registration_systemd_required_services_list: |
 
 # Postgres is the default, except if not using `matrix_postgres` (internal postgres)
 matrix_registration_database_engine: "{{ 'postgres' if matrix_postgres_enabled else 'sqlite' }}"
-matrix_registration_database_password: "{{ matrix_synapse_macaroon_secret_key | password_hash('sha512', 'mx.registr.db') | to_uuid }}"
+matrix_registration_database_password: "{{ '%s' | format(matrix_synapse_macaroon_secret_key) | password_hash('sha512', 'mx.registr.db') | to_uuid }}"
 
 ######################################################################
 #

inventory/host_vars/matrix.finallycoffee.eu/vars.yml

@@ -0,0 +1,339 @@
+#
+# General config
+# Domain of the matrix server and SSL config
+#
+matrix_domain: finallycoffee.eu
+matrix_ssl_retrieval_method: none
+matrix_nginx_proxy_enabled: false
+matrix_base_data_path: "{{ vault_matrix_base_data_path }}"
+matrix_server_fqn_element: "chat.{{ matrix_domain }}"
+
+web_user: "web"
+revproxy_autoload_dir: "/vault/services/web/sites.d"
+
+#matrix_client_element_version: v1.8.4
+#matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.37.1"
+#matrix_mautrix_telegram_version: v0.10.0
+
+#
+# General Synapse config
+#
+matrix_postgres_connection_password: "{{ vault_matrix_postgres_connection_password }}"
+# A secret used to protect access keys issued by the server.
+matrix_synapse_macaroon_secret_key: "{{ vault_matrix_synapse_macaroon_secret_key }}"
+# Make synapse accept larger media aswell
+matrix_synapse_max_upload_size_mb: 100
+# Enable metrics at (default) :9100/_synapse/metrics
+matrix_synapse_metrics_enabled: true
+matrix_synapse_enable_group_creation: true
+matrix_synapse_turn_shared_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+matrix_synapse_turn_uris:
+  - "turns:voip.matrix.finallycoffee.eu?transport=udp"
+  - "turns:voip.matrix.finallycoffee.eu?transport=tcp"
+# Auto-join all users into those rooms
+matrix_synapse_auto_join_rooms:
+  - "#welcome:finallycoffee.eu"
+  - "#announcements:finallycoffee.eu"
+
+## Synapse rate limits
+matrix_synapse_rc_federation:
+  window_size: 1000
+  sleep_limit: 25
+  sleep_delay: 500
+  reject_limit: 50
+  concurrent: 5
+matrix_synapse_rc_message:
+  per_second: 0.5
+  burst_count: 25
+
+## Synapse cache tuning
+matrix_synapse_caches_global_factor: 0.7
+matrix_synapse_event_cache_size: "200K"
+
+## Synapse workers
+matrix_synapse_workers_enabled: true
+matrix_synapse_workers_preset: "little-federation-helper"
+matrix_synapse_workers_generic_worker_client_server_count: 0
+matrix_synapse_workers_media_repository_workers_count: 0
+matrix_synapse_workers_federation_sender_workers_count: 1
+matrix_synapse_workers_pusher_workers_count: 0
+matrix_synapse_workers_appservice_workers_count: 1
+
+# Static secret auth for matrix-synapse-shared-secret-auth
+matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
+matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: "{{ vault_matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-ma1sd:8090"
+matrix_synapse_ext_password_provider_rest_auth_registration_enforce_lowercase: false
+matrix_synapse_ext_password_provider_rest_auth_registration_profile_name_autofill: true
+matrix_synapse_ext_password_provider_rest_auth_login_profile_name_autofill: false
+
+# Enable experimental spaces support
+matrix_synapse_configuration_extension_yaml: |
+  experimental_features:
+    spaces_enabled: true
+
+#
+# synapse-admin tool
+#
+matrix_synapse_admin_enabled: true
+matrix_synapse_admin_container_http_host_bind_port: 8985
+
+
+#
+# VoIP / CoTURN config
+#
+# A shared secret (between Synapse and Coturn) used for authentication.
+matrix_coturn_turn_static_auth_secret: "{{ vault_matrix_coturn_turn_static_auth_secret }}"
+# Disable coturn, as we use own instance
+matrix_coturn_enabled: false
+
+
+#
+# dimension (integration manager) config
+#
+matrix_dimension_enabled: true
+matrix_dimension_admins: "{{ vault_matrix_dimension_admins }}"
+matrix_server_fqn_dimension: "dimension.matrix.{{ matrix_domain }}"
+matrix_dimension_access_token: "{{ vault_matrix_dimension_access_token }}"
+matrix_dimension_configuration_extension_yaml: |
+    telegram:
+        botToken: "{{ vault_matrix_dimension_configuration_telegram_bot_token }}"
+
+
+#
+# mautrix-whatsapp config
+#
+matrix_mautrix_whatsapp_enabled: true
+matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port: 9402
+matrix_mautrix_whatsapp_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_whatsapp_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{% raw %}{{.Name}} ({{if .Notify}}{{.Notify}}{{else}}{{.Jid}}{{end}}) (via WhatsApp){% endraw %}"
+        max_connection_attempts: 5
+        connection_timeout: 30
+        contact_wait_delay: 5
+        private_chat_portal_meta: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+    logging:
+        print_level: info
+    metrics:
+        enabled: true
+        listen: 0.0.0.0:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+    whatsapp:
+        os_name: Linux mautrix-whatsapp
+        browser_name: Chrome
+
+
+#
+# mautrix-telegram config
+#
+matrix_mautrix_telegram_enabled: true
+matrix_mautrix_telegram_api_id: "{{ vault_matrix_mautrix_telegram_api_id }}"
+matrix_mautrix_telegram_api_hash: "{{ vault_matrix_mautrix_telegram_api_hash }}"
+matrix_mautrix_telegram_public_endpoint: '/bridge/telegram'
+matrix_mautrix_telegram_container_http_monitoring_host_bind_port: 9401
+matrix_mautrix_telegram_container_http_host_bind_port_public: 8980
+matrix_mautrix_telegram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}:80"
+matrix_mautrix_telegram_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Telegram)"
+        parallel_file_transfer: false
+        inline_images: false
+        image_as_file_size: 20
+        delivery_receipts: true
+        login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"
+        animated_sticker:
+            target: webm
+        encryption:
+            allow: true
+            default: true
+        permissions:
+            "@transcaffeine:finallycoffee.eu": "admin"
+            "gruenhage.xyz": "full"
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+#        permissions: "{{ vault_matrix_mautrix_telegram_permission_map | from_yaml }}"
+
+
+#
+# mautrix-signal config
+#
+matrix_mautrix_signal_enabled: true
+matrix_mautrix_signal_container_http_monitoring_host_bind_port: 9408
+matrix_mautrix_signal_container_extra_arguments:
+    - "-p 127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}"
+matrix_mautrix_signal_configuration_extension_yaml: |
+    bridge:
+        displayname_template: "{displayname} (via Signal)"
+        community_id: "+signal:finallycoffee.eu"
+        encryption:
+            allow: true
+            default: true
+            key_sharing:
+                allow: true
+                require_verification: false
+        delivery_receipts: true
+    logging:
+        root:
+            level: INFO
+    metrics:
+        enabled: true
+        listen_port: {{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+
+
+#
+# mx-puppet-instagram configuration
+#
+matrix_mx_puppet_instagram_enabled: true
+matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port: 9403
+matrix_mx_puppet_instagram_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_instagram_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/acmiSAinuHDOULofFFeolTvr
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-skype configuration
+#
+matrix_mx_puppet_skype_enabled: true
+matrix_mx_puppet_skype_container_http_monitoring_host_bind_port: 9405
+matrix_mx_puppet_skype_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_skype_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/jjXDuFqtpFOBOnywoHgzTuYt
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+        path: /metrics
+
+
+#
+# mx-puppet-discord configuration
+#
+matrix_mx_puppet_discord_enabled: true
+matrix_mx_puppet_discord_client_id: "{{ vault_matrix_mx_puppet_discord_client_id }}"
+matrix_mx_puppet_discord_client_secret: "{{ vault_matrix_mx_puppet_discord_client_secret }}"
+matrix_mx_puppet_discord_container_http_monitoring_host_bind_port: 9404
+matrix_mx_puppet_discord_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}"
+matrix_mx_puppet_discord_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+        avatarUrl: mxc://finallycoffee.eu/BxcAAhjXmglMbtthStEHtCzd
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# mx-puppet-slack configuration
+#
+matrix_mx_puppet_slack_enabled: true
+matrix_mx_puppet_slack_client_id: "{{ vault_matrix_mx_puppet_slack_client_id }}"
+matrix_mx_puppet_slack_client_secret: "{{ vault_matrix_mx_puppet_slack_client_secret }}"
+matrix_mx_puppet_slack_redirect_path: '/bridge/slack/oauth'
+matrix_mx_puppet_slack_container_http_auth_host_bind_port: 8981
+matrix_mx_puppet_slack_container_http_monitoring_host_bind_port: 9406
+matrix_mx_puppet_slack_container_extra_arguments:
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}"
+  - "-p 127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}:8008"
+matrix_mx_puppet_slack_configuration_extension_yaml: |
+    bridge:
+        enableGroupSync: true
+    metrics:
+        enabled: true
+        port: {{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+        path: /metrics
+    limits:
+        maxAutojoinUsers: 500
+        roomUserAutojoinDelay: 50
+    presence:
+        enabled: true
+        interval: 3000
+
+
+#
+# Element web configuration
+#
+# Branding config
+matrix_client_element_brand: "Chat"
+matrix_client_element_default_theme: "dark"
+matrix_client_element_themes_enabled: true
+matrix_client_element_welcome_headline: "Welcome to chat.finallycoffee.eu"
+matrix_client_element_welcome_text: |
+    Decentralised, encrypted chat &amp; collaboration,<br />
+    hosted on finallycoffee.eu, powered by element.io &amp;
+    <a href="https://matrix.org" target="_blank" rel="noreferrer noopener">
+      <img width="79" height="34" alt="[matrix]" style="padding-left: 1px;vertical-align: middle" src="welcome/images/matrix.svg" />
+    </a>
+matrix_client_element_welcome_logo: "welcome/images/logo.png"
+matrix_client_element_welcome_logo_link: "https://{{ matrix_domain }}"
+matrix_client_element_branding_authHeaderLogoUrl: "welcome/images/logo.png"
+matrix_client_element_branding_welcomeBackgroundUrl: "welcome/images/background.jpg"
+matrix_client_element_container_extra_arguments:
+  - "-v {{ matrix_client_element_data_path }}/background.jpg:/app/{{ matrix_client_element_branding_welcomeBackgroundUrl }}:ro"
+  - "-v {{ matrix_client_element_data_path }}/logo.png:/app/{{ matrix_client_element_branding_authHeaderLogoUrl }}:ro"
+# Integration and capabilites config
+matrix_client_element_integrations_ui_url: "https://{{ matrix_server_fqn_dimension }}/element"
+matrix_client_element_integrations_rest_url: "https://{{ matrix_server_fqn_dimension }}/api/v1/scalar"
+matrix_client_element_integrations_widgets_urls:
+  - "https://{{ matrix_server_fqn_dimension }}/widgets"
+  - "https://scalar.vector.im/api"
+matrix_client_element_integrations_jitsi_widget_url: "https://{{ matrix_server_fqn_dimension }}/widgets/jitsi"
+matrix_client_element_disable_custom_urls: false
+matrix_client_element_roomdir_servers:
+  - "matrix.org"
+  - "finallycoffee.eu"
+  - "entropia.de"
+matrix_client_element_enable_presence_by_hs_url:
+  https://matrix.org: false
+
+
+# Matrix ma1sd extended configuration
+matrix_ma1sd_configuration_extension_yaml: |
+    hashing:
+      enabled: true
+      pepperLength: 20
+      rotationPolicy: per_requests
+      requests: 10
+      hashStorageType: sql
+      algorithms:
+          - none
+          - sha256
+
+
+# Matrix mail notification relay setup
+matrix_mailer_enabled: true
+matrix_mailer_sender_address: "Matrix on finallycoffee.eu <system-matrix@{{ matrix_domain }}>"
+matrix_mailer_relay_use: true
+matrix_mailer_relay_host_name: "{{ vault_matrix_mailer_relay_host_name }}"
+matrix_mailer_relay_host_port: 587
+matrix_mailer_relay_auth: true
+matrix_mailer_relay_auth_username: "{{ vault_matrix_mailer_relay_auth_username }}"
+matrix_mailer_relay_auth_password: "{{ vault_matrix_mailer_relay_auth_password }}"

inventory/host_vars/matrix.finallycoffee.eu/vault.yml

@@ -0,0 +1,100 @@
+$ANSIBLE_VAULT;1.1;AES256
+64343261653838626666353837393238353033353632393763363634303466613033376235386235
+6333386536323034643139656232636133386463393264300a663333333237656337343562366336
+66663064393930656566396636333430373233373362346339383866623066316133323366663961
+3732666162363238300a636230346163656334393063343030333064393962663431326461653239
+36653030393234623335313335383832646463663835653035303765633064666435373464653336
+31323433373734633531353562333065623039623633633163376235353737343935623133326663
+65333761383130336165356439623066363964313033666433316231663533393532333738333430
+36633463343335366364343565353862363531376539626237613263303331323631333366363830
+33613937346531323139343166613839366233383663363732353561643238383362353964373135
+61633430353037316266343962376238383238366562323764373135646365383030626130383433
+32313263663165656366313633653431663332636532656465623465353062643934343738633434
+63346333326331633830363663666631326466353138646233383235313532383864633233613134
+39363734353165653065343938643861646630376334303832613163663265373839323765396234
+38633336393739666565346565343865346233373639363530383533386533616337373033613865
+66353434653262663263326237626265636430646630313866383532376264383933343933326264
+65316337323863343935306138343462336666313332396439656234613831356262663630663038
+31376539653638333263333933633134303734656662343039396563343636366433396130653830
+33326539636432646438613236356430343435623539333062666630373265306635343233646333
+39653934323738303239643834663463396165656235393437396635623131316532333465316231
+65373130393463383932383837383830656637653963666638653665356437303239376262613062
+34613830613164323365636461303035616136636330323531383164376334363862383762366665
+62643839333662373461363038326436616639326264633735316139346536373839666236653634
+30376536386137636336363562376339393261373739333162373461656364353139626339346637
+30366431336534663037653438376330346238636562383932653561306134626566333861333630
+39633536653233393161333136316564623631313839633461333438633166363064303238663464
+65353338353464313635333934623833303965393462373530303666643537336662376266613434
+37356664616539323631373535316434383361323935376638666437646538316537613030653231
+62636263663935646466383663306535626465633239366562373038356366366331333537333663
+64363130386535306362646533393161643737366662313631623132356465636565313530353363
+35366165383837326564623363636632616331393834313130303937303664353436363266323033
+61373532383962393937666261626263666631346235646237656337363831633734623733633835
+39613736373031633263396530626566303665343039663866333632636565633034376366356635
+35383633336465636331306232353434653739653339396437363163313630393035366665383263
+34353238656563306366336466376363316430636666353965356535653334343630633532313034
+64626436643030656335616337653564653331326463383461643739333163613361333133633639
+66656137313937356134646362623536363065633564633166343766356436313130373663663334
+63626138356562303761323336646332383761646663383032386261623936633661653735343637
+35326137343532333635353436376665326633633135656537623631326336353138346136636239
+37396135326362613039663136333964626237353562343966383764613231363061333534316233
+38636130313261643061613138656235396530656366313132346362383430333734663866383666
+61633631353830643565313437306664636262666135353133656531623563616335643737373438
+63633235363566616466663262333466383939373336383139643362376365623763386137666332
+39353363636437393236303764343337633233386236303563636634353836363537383632306434
+33653632373064646361616364323133343138363437373436636232373261663639616330666465
+37333130393435613134366437396361363830656137663963643132303334633331633661363061
+38356439666161643431356532353334383539353566386333666461663562613231383331623063
+33336435636239343663663937353864306363363264663033303539616434333436353134383034
+64663533366134306462366565333236383235373233656132396538663437616333343534333166
+66646566623734636532666230326530633538656639353262343665316235386534376534386634
+65663032303930353661363162373533363762353237393030346238306532326264303636383264
+63363063326265396166313533663362346539333532386665316466386131623161313738623239
+66386236656561396539356634636234393436323239396330366237333539343761393431336138
+66396230656435356365356530343132373861376336346532653063666331343366393761373131
+66313864373362326139316461666232386132306535616561663566623963353034313961666266
+34373534363834626334386139653532656564333863323363343165643538336430386434613235
+64386564643564636530313565326433623365303738386433323463396437653066636134313564
+33383035393436393163373864353331376163653137316136376564643066636335313735396664
+33623735353438643237333734353766363863313763653737633135353332363066336232363131
+33333532653737633033666336326331376561636330643935323636626562303439346338633135
+33663035366461336339666665663835373235633338613664636439393837303932643363643830
+63333862643430383235663836653161376637373265646463313538386531666362376532663738
+62333536383537613562336235666431393164616263303863323834343735326133646131303063
+62623836313730363832313764363562306666383337396561633865336561396632303539333166
+35623063336534653531303134653630666264333133393864626665623564313466363731316339
+36646666653062326665346332373963376439396538396663656130616333316533623331346461
+39643862356663316338333662646464353233356635303931626366323831303136366462366133
+34303234343064393265303866636137646461336530653733623264383261653864633332346435
+62383065353662303564633239326664356364366365626466666266326466333834316437383134
+35383261373437643261623533623533326335393932356632653634326432376235393038333464
+33626361366565316533663537343237316563343730363632663639623930313963316665663965
+33386435663462626435383733383336343064333935356364623436626632356535333430343262
+62363136353562633631613965353062363231343037626166363035376530646537646136363730
+35303530343361616230383662333139333533333138613834323437636238656538656436623433
+38353363336665346637643631663934633061626532376330633731316565336166313936393533
+35323535376539633937376532333536323234376632306362633438626565376234353235353836
+37663735366165393963313536356437653361306232313736356164656635616333306332356637
+39353465633536313539366264646364343231653466346165313863623365333465623336376635
+37396663333638356565306439636365653438623935363361356464316663613465303933346537
+61303863323631343264613665323866363935383265323562326364346364343133393965333135
+33306434646533333662613930666337646330303439333938326433376161613836663237303534
+63636139636338656664333034356635653330666362633563366663616661303266326135643036
+34383939613035323331366261356531343961303239626365383332313633393561623963643134
+30353239356234336635616663313830396133643035663838653837613262616364623637616237
+37363662663466396330323830343963366262643339316162643164353430663763613634346233
+62303539336433313066346339363163336236373334613938613061613038613466636632336335
+35326133373061323164623436623338316466396261393630623466313164393736353566356237
+34396530383361613464643461313336663331643438313136353039386263633134616534666464
+33373536326637316635326461656130383333613832386662643431666435663565343565616266
+35303738656362663266653735373833613765356366626436336437326665396635636335616566
+32663733396432656430356335383262613133623066636238623166613839393833616436653936
+34306536343664643732356262663435623834313732373564613337373765373130653734386632
+35623038623639346564393466393463613238363231663965633037353337353332663464336539
+33616131353734663463336436303866306334336339316364313962346430383338306161636462
+64303064313135346236346434316333346434303764356237636530663239633631383561393537
+66383836326634666362613661353533363432303437663235393336396331356465633031326430
+35333263633731626564326430613937343136633562386432396537363663653438333333366135
+33333339376165303736643661343535356561353938346131653662363966643839653262363537
+38373331353539313463363236383633326138366534313064303739626337343962653830653663
+626263633730663932376165333438323835

inventory/hosts

@@ -0,0 +1,22 @@
+$ANSIBLE_VAULT;1.1;AES256
+31336566376336626265653165306635633033376662656164383037383834653239656136333734
+3833666339393037323035343565343235396163636166370a643933333933386133366564396465
+30393637613164356564393337633361653432333232383664303739363736633435363764343530
+3532313739363963660a343434356534316230623133636366386334323465376139363162616238
+39396638366262313531653635326361616537396338363533303961623165343931373939306239
+31336632643166633662653765333231393461643933306464303165633037343061323636313034
+34376631656563646665373566633431366638383863666130323264316337663237343135306236
+66323536346164663239343139623430303230333466633437643337343930363530653964626163
+38336363633730393136333637383631636266396636646533356262376630646139303636666538
+32366437353163663865623234643061313639646162643965393535353938313133326237313265
+66646163333535396539646461356334633532313530653834623263386265383765356130333466
+30373531306137393935363030313739666536363138363962646565306439393239303030643162
+33333166663430393866666439653532623034396130313066383035396535646633366237303264
+36356665366461323664373038366364623937386233313039323837666333653764616462333365
+31326264633236373937313537633961633164323138356135633765663639323537656263633766
+38653836323263386333376131333330326237393666363064326463663961633839393039323835
+61306265333232623037356465393133323733363634646364336261326333366239346565366338
+61646132333033373866623739343830336164316461646366666237313565626639323537623732
+38323830656136323137323530343764666433633432366136643538323832653130376363653135
+64376261386635636533353961613335663962306337353866616464613636303735336230623962
+3336

roles/matrix-awx/tasks/purge_database_build_list.yml

@@ -1,11 +0,0 @@
----
-
-- name: Collect entire room list into stdout
-  shell: |
-    curl -X GET --header "Authorization: Bearer {{ janitors_token.stdout[1:-1] }}" '{{ synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_synapse/admin/v1/rooms?from={{ item }}'
-  register: awx_rooms_output
-
-- name: Print stdout to file
-  delegate_to: 127.0.0.1
-  shell: |
-    echo '{{ awx_rooms_output.stdout }}' >> /tmp/{{ subscription_id }}_room_list_complete.json

roles/matrix-awx/tasks/purge_database_main.yml

@@ -29,9 +29,9 @@
   when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
   register: awx_synapse_container_ip
 
-- name: Collect access token for janitor user
+- name: Collect access token for @_janitor user
   shell: |
-    curl -X POST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
+    curl -X POST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
   when: (awx_purge_mode.find("No local users [recommended]") != -1) or (awx_purge_mode.find("Number of users [slower]") != -1) or (awx_purge_mode.find("Number of events [slower]") != -1)
   register: awx_janitors_token
   no_log: True

roles/matrix-awx/tasks/purge_media_main.yml

@@ -21,21 +21,22 @@
   shell: "/usr/bin/docker inspect --format '{''{range.NetworkSettings.Networks}''}{''{.IPAddress}''}{''{end}''}' matrix-synapse"
   register: awx_synapse_container_ip
 
-- name: Collect access token for janitor user
+- name: Collect access token for @_janitor user
   shell: |
-    curl -XPOST -d '{"type":"m.login.password", "user":"janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
+    curl -XPOST -d '{"type":"m.login.password", "user":"_janitor", "password":"{{ awx_janitor_user_password }}"}' "{{ awx_synapse_container_ip.stdout }}:{{ matrix_synapse_container_client_api_port }}/_matrix/client/r0/login" | jq '.access_token'
   register: awx_janitors_token
   no_log: True
 
 - name: Generate list of dates to purge to
   delegate_to: 127.0.0.1
-  shell: "dateseq {{ matrix_purge_from_date }} {{ matrix_purge_to_date }}"
+  shell: "dateseq {{ awx_purge_from_date }} {{ awx_purge_to_date }}"
   register: awx_purge_dates
 
 - name: Calculate initial size of local media repository
   shell: du -sh /matrix/synapse/storage/media-store/local*
   register: awx_local_media_size_before
   when: awx_purge_media_type == "Local Media"
+  async: 600
   ignore_errors: yes
   no_log: True
 
@@ -43,6 +44,7 @@
   shell: du -sh /matrix/synapse/storage/media-store/remote*
   register: awx_remote_media_size_before
   when: awx_purge_media_type == "Remote Media"
+  async: 600 
   ignore_errors: yes
   no_log: True
 

roles/matrix-awx/tasks/set_variables_dimension.yml

@@ -12,9 +12,9 @@
       - curl
     state: present
 
-- name: Collect access token of Dimension user
+- name: Collect access token of @_dimension user
   shell: |
-    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
+    curl -X POST --header 'Content-Type: application/json' -d '{ "identifier": { "type": "m.id.user","user": "_dimension" }, "password": "{{ awx_dimension_user_password }}", "type": "m.login.password"}' 'https://matrix.{{ matrix_domain }}/_matrix/client/r0/login' | jq -c '. | {access_token}' | sed 's/.*\":\"//' | sed 's/\"}//'
   register: awx_dimension_user_access_token
 
 - name: Record Synapse variables locally on AWX

roles/matrix-base/defaults/main.yml

@@ -118,6 +118,72 @@ matrix_client_element_e2ee_secure_backup_required: false
 # See: https://github.com/vector-im/element-web/blob/develop/docs/e2ee.md
 matrix_client_element_e2ee_secure_backup_setup_methods: []
 
+# Default `/.well-known/matrix/client` configuration - it covers the generic use case.
+# You can customize it by controlling the various variables inside the template file that it references.
+#
+# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_client_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_well_known_matrix_client_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-client.j2') }}"
+
+# Your custom JSON configuration for `/.well-known/matrix/client` should go to `matrix_well_known_matrix_client_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_well_known_matrix_client_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_well_known_matrix_client_configuration`.
+#
+# Example configuration extension follows:
+#
+# matrix_well_known_matrix_client_configuration_extension_json: |
+#   {
+#     "io.element.call_behaviour": {
+#       "widget_build_url": "https://dimension.example.com/api/v1/dimension/bigbluebutton/widget_state"
+#     }
+#   }
+matrix_well_known_matrix_client_configuration_extension_json: '{}'
+
+matrix_well_known_matrix_client_configuration_extension: "{{ matrix_well_known_matrix_client_configuration_extension_json|from_json if matrix_well_known_matrix_client_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final `/.well-known/matrix/client` configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_client_configuration_default` and `matrix_well_known_matrix_client_configuration_extension_json`.
+matrix_well_known_matrix_client_configuration: "{{ matrix_well_known_matrix_client_configuration_default|combine(matrix_well_known_matrix_client_configuration_extension, recursive=True) }}"
+
+# Default `/.well-known/matrix/server` configuration - it covers the generic use case.
+# You can customize it by controlling the various variables inside the template file that it references.
+#
+# For a more advanced customization, you can extend the default (see `matrix_well_known_matrix_server_configuration_extension_json`)
+# or completely replace this variable with your own template.
+#
+# The side-effect of this lookup is that Ansible would even parse the JSON for us, returning a dict.
+# This is unlike what it does when looking up YAML template files (no automatic parsing there).
+matrix_well_known_matrix_server_configuration_default: "{{ lookup('template', 'templates/static-files/well-known/matrix-server.j2') }}"
+
+# Your custom JSON configuration for `/.well-known/matrix/server` should go to `matrix_well_known_matrix_server_configuration_extension_json`.
+# This configuration extends the default starting configuration (`matrix_well_known_matrix_server_configuration_default`).
+#
+# You can override individual variables from the default configuration, or introduce new ones.
+#
+# If you need something more special, you can take full control by
+# completely redefining `matrix_well_known_matrix_server_configuration`.
+#
+# Example configuration extension follows:
+#
+# matrix_well_known_matrix_server_configuration_extension_json: |
+#   {
+#     "something": "another"
+#   }
+matrix_well_known_matrix_server_configuration_extension_json: '{}'
+
+matrix_well_known_matrix_server_configuration_extension: "{{ matrix_well_known_matrix_server_configuration_extension_json|from_json if matrix_well_known_matrix_server_configuration_extension_json|from_json is mapping else {} }}"
+
+# Holds the final `/.well-known/matrix/server` configuration (a combination of the default and its extension).
+# You most likely don't need to touch this variable. Instead, see `matrix_well_known_matrix_server_configuration_default` and `matrix_well_known_matrix_server_configuration_extension_json`.
+matrix_well_known_matrix_server_configuration: "{{ matrix_well_known_matrix_server_configuration_default|combine(matrix_well_known_matrix_server_configuration_extension, recursive=True) }}"
+
 # The Docker network that all services would be put into
 matrix_docker_network: "matrix"
 

roles/matrix-base/tasks/setup_well_known.yml

@@ -13,16 +13,16 @@
     - "{{ matrix_static_files_base_path }}/.well-known/matrix"
 
 - name: Ensure Matrix /.well-known/matrix/client file configured
-  template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-client.j2"
+  copy:
+    content: "{{ matrix_well_known_matrix_client_configuration|to_nice_json }}"
     dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_groupname }}"
 
 - name: Ensure Matrix /.well-known/matrix/server file configured
-  template:
-    src: "{{ role_path }}/templates/static-files/well-known/matrix-server.j2"
+  copy:
+    content: "{{ matrix_well_known_matrix_server_configuration|to_nice_json }}"
     dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
     mode: 0644
     owner: "{{ matrix_user_username }}"

roles/matrix-bridge-mautrix-telegram/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_mautrix_telegram_container_self_build: false
 matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
 
-matrix_mautrix_telegram_version: v0.10.1
+matrix_mautrix_telegram_version: v0.10.2
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
@@ -110,6 +110,8 @@ matrix_mautrix_telegram_configuration_extension: "{{ matrix_mautrix_telegram_con
 # You most likely don't need to touch this variable. Instead, see `matrix_mautrix_telegram_configuration_yaml`.
 matrix_mautrix_telegram_configuration: "{{ matrix_mautrix_telegram_configuration_yaml|from_yaml|combine(matrix_mautrix_telegram_configuration_extension, recursive=True) }}"
 
+matrix_mautrix_telegram_sender_localpart: "telegrambot"
+
 matrix_mautrix_telegram_registration_yaml: |
   id: telegram
   as_token: "{{ matrix_mautrix_telegram_appservice_token }}"
@@ -123,10 +125,10 @@ matrix_mautrix_telegram_registration_yaml: |
       aliases:
       - exclusive: true
         regex: '^#telegram_.+:{{ matrix_mautrix_telegram_homeserver_domain|regex_escape }}$'
-  # See https://github.com/mautrix/signal/issues/43
   sender_localpart: _bot_{{ matrix_mautrix_telegram_appservice_bot_username }}
   url: {{ matrix_mautrix_telegram_appservice_address }}
   rate_limited: false
   de.sorunome.msc2409.push_ephemeral: true
+#  sender_localpart: "bridges_{{ matrix_mautrix_telegram_sender_localpart }}"
 
 matrix_mautrix_telegram_registration: "{{ matrix_mautrix_telegram_registration_yaml|from_yaml }}"

roles/matrix-bridge-mx-puppet-discord/templates/config.yaml.j2

@@ -25,7 +25,7 @@ presence:
   # Bridge Discord online/offline status
   enabled: true
   # How often to send status to the homeserver in milliseconds
-  interval: 500
+  interval: 10000
 
 provisioning:
   # Regex of Matrix IDs allowed to use the puppet bridge
@@ -70,7 +70,7 @@ namePatterns:
   #
   # name: username of the user
   # discriminator: hashtag of the user (ex. #1234)
-  user: :name
+  user: ":name (#:discriminator) (via Discord)"
 
   # A user's guild-specific displayname - if they've set a custom nick in
   # a guild
@@ -82,7 +82,7 @@ namePatterns:
   # displayname: the user's custom group-specific nick
   # channel: the name of the channel
   # guild: the name of the guild
-  userOverride: :name
+  userOverride: ":displayname (:name#:discriminator) (via Discord)"
 
   # Room names for bridged Discord channels
   #
@@ -90,7 +90,7 @@ namePatterns:
   #
   # name: name of the channel
   # guild: name of the guild
-  room: :name
+  room: "#:name (:guild on Discord)"
 
   # Group names for bridged Discord servers
   #

roles/matrix-client-element/tasks/setup_install.yml

@@ -76,6 +76,18 @@
     - {src: "{{ matrix_client_element_embedded_pages_home_path }}", name: "home.html"}
   when: "item.src is not none"
 
+- name: Copy Element costum files
+  copy:
+    src: "{{ item.src }}"
+    dest: "{{ matrix_client_element_data_path }}/{{ item.name }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - {src: "{{ role_path }}/files/background.jpg", name: "background.jpg"}
+    - {src: "{{ role_path }}/files/antifa_coffee_cups.png", name: "logo.png"}
+  when: "matrix_client_element_enabled|bool and item.src is not none"
+
 - name: Ensure Element config files removed
   file:
     path: "{{ matrix_client_element_data_path }}/{{ item.name }}"

roles/matrix-client-element/templates/welcome.html.j2

@@ -33,7 +33,7 @@ h1::after {
 }
 
 .mx_Logo {
-    height: 54px;
+    height: 92px;
     margin-top: 2px;
 }
 

roles/matrix-common-after/tasks/awx_post.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: Create user account @janitor
+- name: Create user account @_janitor
   command: |
-    /usr/local/bin/matrix-synapse-register-user janitor {{ awx_janitor_user_password | quote }} 1
+    /usr/local/bin/matrix-synapse-register-user _janitor {{ awx_janitor_user_password | quote }} 1
   register: cmd
   when: not awx_janitor_user_created|bool
   no_log: True
@@ -18,9 +18,9 @@
     'awx_janitor_user_created': 'true'
   when: not awx_janitor_user_created|bool
 
-- name: Create user account @dimension
+- name: Create user account @_dimension
   command: |
-    /usr/local/bin/matrix-synapse-register-user dimension {{ awx_dimension_user_password | quote }} 0
+    /usr/local/bin/matrix-synapse-register-user _dimension {{ awx_dimension_user_password | quote }} 0
   register: cmd
   when: not awx_dimension_user_created|bool
   no_log: True
@@ -36,9 +36,9 @@
     'awx_dimension_user_created': 'true'
   when: not awx_dimension_user_created|bool
 
-- name: Create user account @mjolnir
+- name: Create user account @_mjolnir
   command: |
-    /usr/local/bin/matrix-synapse-register-user mjolnir {{ awx_mjolnir_user_password | quote }} 0
+    /usr/local/bin/matrix-synapse-register-user _mjolnir {{ awx_mjolnir_user_password | quote }} 0
   register: cmd
   when: not awx_mjolnir_user_created|bool
   no_log: True

roles/matrix-mailer/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"
 
-matrix_mailer_version: 4.94.2-r0-5
+matrix_mailer_version: 4.95-r0
 matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:{{ matrix_mailer_version }}"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

roles/matrix-nginx-proxy/defaults/main.yml

@@ -382,6 +382,11 @@ matrix_nginx_proxy_ssl_prefer_server_ciphers: "{{ matrix_nginx_proxy_ssl_presets
 # To see the full list for suportes ciphers run `openssl ciphers` on your server
 matrix_nginx_proxy_ssl_ciphers: "{{ matrix_nginx_proxy_ssl_presets[matrix_nginx_proxy_ssl_preset]['ciphers'] }}"
 
+# Specifies what to use for the X-Forwarded-For variable.
+# If you're fronting the nginx reverse-proxy with additional reverse-proxy servers,
+# you may wish to set this to '$proxy_add_x_forwarded_for' instead.
+matrix_nginx_proxy_x_forwarded_for: '$remote_addr'
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_nginx_proxy_self_check_validate_certificates: true
 

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-bot-go-neb.conf.j2

@@ -27,7 +27,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}
 

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-element.conf.j2

@@ -35,7 +35,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}
 

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-client-hydrogen.conf.j2

@@ -33,7 +33,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}
 

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-dimension.conf.j2

@@ -30,7 +30,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}
 

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2

@@ -58,7 +58,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}
@@ -76,7 +76,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}
@@ -94,7 +94,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 	{% endif %}
 
@@ -111,7 +111,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 	{% endif %}
@@ -136,7 +136,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 
 		client_body_buffer_size 25M;
@@ -284,7 +284,7 @@ server {
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 
 		client_body_buffer_size 25M;

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-grafana.conf.j2

@@ -37,7 +37,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 {% endmacro %}
 

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-jitsi.conf.j2

@@ -30,7 +30,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 	}
 
 	# colibri (JVB) websockets
@@ -45,7 +45,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection "upgrade";
 
@@ -70,7 +70,7 @@
 		proxy_read_timeout 900s;
 		proxy_set_header Connection "upgrade";
 		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 		tcp_nodelay on;
 	}

roles/matrix-nginx-proxy/templates/nginx/conf.d/matrix-sygnal.conf.j2

@@ -28,7 +28,7 @@
 		{% endif %}
 
 		proxy_set_header Host $host;
-		proxy_set_header X-Forwarded-For $remote_addr;
+		proxy_set_header X-Forwarded-For {{ matrix_nginx_proxy_x_forwarded_for }};
 		proxy_set_header X-Forwarded-Proto {{ matrix_nginx_proxy_x_forwarded_proto_value }};
 	}
 {% endmacro %}

setup.yml

@@ -58,3 +58,33 @@
     - matrix-postgres-backup
     - matrix-prometheus-postgres-exporter
     - matrix-common-after
+
+  tasks:
+    - name: Ensure web-user is present
+      user:
+        name: "{{ web_user }}"
+        state: present
+        system: yes
+      register: web_user_res
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Ensure directory for revproxy config is present
+      file:
+        path: "{{ revproxy_autoload_dir }}/matrix"
+        state: directory
+        owner: "{{ web_user_res.uid }}"
+        group: "{{ web_user_res.group }}"
+        mode: 0750
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Template reverse proxy configuration
+      template:
+        src: Caddyfile.j2
+        dest: "{{ revproxy_autoload_dir }}/matrix/Caddyfile"
+        owner: "{{ web_user_res.uid }}"
+        group: "{{ web_user_res.group }}"
+        mode: 0640
+      tags: [ setup-caddy, setup-all, start ]
+    - name: Restart reverse proxy
+      docker_container:
+        name: web
+        state: started
+        restart: yes

templates/Caddyfile.j2

@@ -0,0 +1,110 @@
+https://{{ matrix_server_fqn_matrix }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	header {
+		Strict-Transport-Security "max-age=31536000;"
+		X-Frame-Options "DENY"
+		X-XSS-Protection "1; mode=block"
+	}
+        # matrix-ma1sd
+	reverse_proxy /_matrix/identity/* {{ matrix_ma1sd_container_http_host_bind_port }} {
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+        reverse_proxy /_matrix/client/r0/user_directory/search/* {{ matrix_ma1sd_container_http_host_bind_port }} {
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+                header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+	reverse_proxy /_matrix/federation/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
+	reverse_proxy /_matrix/key/* http://{{ matrix_synapse_container_federation_api_plain_host_bind_port }}
+	reverse_proxy /_matrix/* {{ matrix_synapse_container_client_api_host_bind_port }} {
+		import proxyheaders
+		header_down Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		header_down Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+        route /synapse-admin/* {
+                uri strip_prefix /synapse-admin
+                reverse_proxy http://127.0.0.1{{ matrix_synapse_admin_container_http_host_bind_port }}
+        }
+	reverse_proxy /_synapse/* http://{{ matrix_synapse_container_client_api_host_bind_port }}
+        basicauth /metrics/* bcrypt monitoring {
+                monitoring JDJhJDE0JGdQRlNHVFpSQmRiaWlPem9LdXlkS09HN2E3LklZS05YZmtXTEY1NlFXbkMxd3hBUmwwbVZl
+        }
+        route /metrics/synapse {
+                uri replace /metrics/synapse /_synapse/metrics
+		reverse_proxy http://{{ matrix_synapse_container_metrics_api_host_bind_port }}
+        }
+        route /metrics/synapse/worker/appservice {
+                uri replace /metrics/synapse/worker/appservice /_synapse/metrics
+		reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_appservice_workers_metrics_range_start }}
+        }
+        route /metrics/synapse/worker/federation-sender {
+                uri replace /metrics/synapse/worker/federation-sender /_synapse/metrics
+		reverse_proxy http://127.0.0.1:{{ matrix_synapse_workers_federation_sender_workers_metrics_range_start }}
+        }
+        route /metrics/bridge/* {
+                uri strip_prefix /metrics/bridge
+                route /mautrix-telegram {
+                    uri replace /mautrix-telegram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-whatsapp {
+                    uri replace /mautrix-whatsapp /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_whatsapp_container_http_monitoring_host_bind_port }}
+                }
+                route /mautrix-signal {
+                    uri replace /mautrix-signal /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mautrix_signal_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-instagram {
+                    uri replace /mx-puppet-instagram /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_instagram_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-discord {
+                    uri replace /mx-puppet-discord /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_discord_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-skype {
+                    uri replace /mx-puppet-skype /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_skype_container_http_monitoring_host_bind_port }}
+                }
+                route /mx-puppet-slack {
+                    uri replace /mx-puppet-slack /metrics
+                    reverse_proxy http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_monitoring_host_bind_port }}
+                }
+        }
+	reverse_proxy /bridge/telegram/* http://127.0.0.1:{{ matrix_mautrix_telegram_container_http_host_bind_port_public }}
+	reverse_proxy /bridge/slack/* http://127.0.0.1:{{ matrix_mx_puppet_slack_container_http_auth_host_bind_port }}
+}
+
+https://{{ matrix_server_fqn_dimension }} {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	reverse_proxy http://{{ matrix_dimension_container_http_host_bind_port }} {
+		#header_up X-Forwarded-For {remote}
+		import proxyheaders
+		#header_up Host {host}
+	}
+}
+
+https://{{ matrix_server_fqn_element }} {
+	tls /tls_certs/chat.finallycoffee.eu/fullchain.pem /tls_certs/chat.finallycoffee.eu/privkey.pem
+	encode zstd gzip
+	reverse_proxy http://{{ matrix_client_element_container_http_host_bind_port }}
+}
+
+https://{{ matrix_domain }}/.well-known/matrix/* {
+	tls /tls_certs/finallycoffee.eu/fullchain.pem /tls_certs/finallycoffee.eu/privkey.pem
+	route {
+		uri strip_prefix /.well-known/matrix
+		root * /matrix_static
+		file_server
+	}
+	header {
+		Content-Type "application/json"
+		X-Content-Type-Options "nosniff"
+		Access-Control-Allow-Origin *
+		Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
+		Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"
+	}
+}