meta: move inventory structure to be more usable

This makes it possible for Renovate to detect updates such as from `x.x.x-0` to `x.x.x-1`.

References:
- https://docs.renovatebot.com/modules/versioning/loose/
- https://docs.renovatebot.com/configuration-options/#versioning

Signed-off-by: Suguru Hirahara <acioustick@noreply.codeberg.org>

.github/renovate.json

@@ -20,6 +20,7 @@
 	"packageRules": [
 		{
 			"ignoreUnstable": false,
+			"versioning": "loose",
 			"matchSourceUrls": [
 				"https://github.com/devture/com.devture.ansible.role{/,}**",
 				"https://github.com/mother-of-all-self-hosting{/,}**"

.github/workflows/matrix.yml

@@ -24,10 +24,14 @@ jobs:
     steps:
       - name: Check out
         uses: actions/checkout@v4
+
       - name: Run ansible-lint
-        uses: ansible-community/ansible-lint-action@v6.17.0
+        uses: ansible/ansible-lint@v25.6.1
         with:
-          path: roles/custom
+          args: "roles/custom"
+          setup_python: "true"
+          working_directory: ""
+          requirements_file: requirements.yml
   precommit:
     name: Run pre-commit
     runs-on: ubuntu-latest

docs/configuring-playbook-continuwuity.md

@@ -50,8 +50,8 @@ If a specific setting you'd like to change does not have a dedicated Ansible var
 
 ```yaml
 matrix_continuwuity_environment_variables_extension: |
-  continuwuity_MAX_REQUEST_SIZE=50000000
-  continuwuity_REQUEST_TIMEOUT=60
+  CONTINUWUITY_MAX_REQUEST_SIZE=50000000
+  CONTINUWUITY_REQUEST_TIMEOUT=60
 ```
 
 ## Creating the first user account

docs/configuring-playbook-jitsi.md

@@ -70,7 +70,7 @@ By default the Jitsi Meet instance **does not require for anyone to log in, and
 
 If you would like to control who is allowed to start meetings on your instance, you'd need to enable Jitsi's authentication and optionally guests mode.
 
-See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#configure-jitsi-authentication-and-guests-mode-optional) on the role's documentation for details about how to configure the authentication and guests mode. The recommended authentication method is `internal` as it also works in federated rooms. If you want to enable authentication with Matrix OpenID making use of [Matrix User Verification Service (UVS)](https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-user-verification-service.md), see [here](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix) for details about how to set it up.
+See [this section](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#configure-jitsi-authentication-and-guests-mode-optional) on the role's documentation for details about how to configure the authentication and guests mode. The recommended authentication method is `internal` as it also works in federated rooms. If you want to enable authentication with Matrix OpenID making use of [Matrix User Verification Service (UVS)](configuring-playbook-user-verification-service.md), see [here](https://github.com/mother-of-all-self-hosting/ansible-role-jitsi/blob/main/docs/configuring-jitsi.md#authenticate-using-matrix-openid-auth-type-matrix) for details about how to set it up.
 
 ### Enable Gravatar (optional)
 

i18n/requirements.txt

@@ -1,6 +1,6 @@
 alabaster==1.0.0
 babel==2.17.0
-certifi==2025.6.15
+certifi==2025.7.9
 charset-normalizer==3.4.2
 click==8.2.1
 docutils==0.21.2
@@ -14,7 +14,7 @@ mdit-py-plugins==0.4.2
 mdurl==0.1.2
 myst-parser==4.0.1
 packaging==25.0
-Pygments==2.19.1
+Pygments==2.19.2
 PyYAML==6.0.2
 requests==2.32.4
 setuptools==80.9.0

requirements.yml

@@ -7,7 +7,7 @@
   version: v1.4.1-1.9.14-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.3.0-4
+  version: v0.3.0-6
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
   version: 7.4.7
@@ -16,22 +16,22 @@
   version: 129c8590e106b83e6f4c259649a613c6279e937a
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.3.0-0
+  version: v2.3.2-0
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.98.1-r0-2-0
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.3-0
+  version: v11.6.3-1
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10314-0
+  version: v10314-1
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.0-0
+  version: v1.9.0-2
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.11.0-5
+  version: v2.13.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 201c939eed363de269a83ba29784fc3244846048
@@ -43,19 +43,19 @@
   version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v17.4-0
+  version: v17.5-0
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v17-3
+  version: v17-5
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.4.1-0
+  version: v3.4.2-1
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.9.1-3
+  version: v1.9.1-9
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.17.1-1
+  version: v0.17.1-6
   name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.4.0-0
@@ -67,11 +67,11 @@
   version: v1.0.0-0
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.4.1-1
+  version: v3.4.4-1
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-0
+  version: v2.10.0-1
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v8.1.2-0
+  version: v8.1.3-0
   name: valkey

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.5.21
+matrix_alertmanager_receiver_version: 2025.7.2
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.3.1"
+matrix_appservice_draupnir_for_all_version: "v2.5.0"
 
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 0.17.1
+matrix_authentication_service_version: 0.18.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-base/tasks/ensure_fuse_installed_redhat.yml

@@ -5,6 +5,6 @@
 ---
 
 - name: Ensure fuse installed (RedHat)
-  ansible.builtin.yum:
+  ansible.builtin.package:
     name: fuse
     state: present

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.7.4
+matrix_bot_baibot_version: v1.7.6
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.3.1"
+matrix_bot_draupnir_version: "v2.5.0"
 
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -148,17 +148,14 @@ matrix_bot_draupnir_synapse_http_antispam_config_base_url: "{{ matrix_bot_draupn
 # Therefore the module is configured from Draupnir because the consumer of the module determines what settings are relevant.
 
 matrix_bot_draupnir_synapse_http_antispam_config_enabled_callbacks:
-  - check_event_for_spam
   - user_may_invite
   - user_may_join_room
 
 matrix_bot_draupnir_synapse_http_antispam_config_fail_open:
-  check_event_for_spam: true
   user_may_invite: true
   user_may_join_room: true
 
-matrix_bot_draupnir_synapse_http_antispam_config_async:
-  check_event_for_spam: true
+matrix_bot_draupnir_synapse_http_antispam_config_async: {}
 
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.

roles/custom/matrix-bridge-mautrix-bluesky/defaults/main.yml

@@ -36,6 +36,11 @@ matrix_mautrix_bluesky_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 # A public address that external services can use to reach this appservice.
 matrix_mautrix_bluesky_appservice_public_address: ''
 
+# Displayname template for Bluesky users.
+# {{ .DisplayName }} is replaced with the display name of the Bluesky user.
+# {{ .Username }} is replaced with the username of the Bluesky user.
+matrix_mautrix_bluesky_network_displayname_template: "{% raw %}{{ .DisplayName }}{% endraw %} (Bluesky)"
+
 matrix_mautrix_bluesky_bridge_command_prefix: "!bs"
 
 matrix_mautrix_bluesky_bridge_permissions: |

roles/custom/matrix-bridge-mautrix-bluesky/templates/config.yaml.j2

@@ -11,7 +11,7 @@ network:
     # {{ .DisplayName }} is replaced with the display name of the Bluesky user.
     # {{ .Username }} is replaced with the username of the Bluesky user.
     # {% endraw %}
-    displayname_template: "{% raw %}{{ .DisplayName }}{% endraw %} (Bluesky)"
+    displayname_template: {{ matrix_mautrix_bluesky_network_displayname_template | to_json }}
 
     # Maximum number of conversations to sync on startup
     conversation_sync_limit: 20

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -48,6 +48,14 @@ matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 
 matrix_mautrix_signal_command_prefix: "!signal"
 
+# Displayname template for Signal users.
+# {{.ProfileName}} - The Signal profile name set by the user.
+# {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
+# {{.PhoneNumber}} - The phone number of the user.
+# {{.UUID}} - The UUID of the Signal user.
+# {{.AboutEmoji}} - The emoji set by the user in their profile.
+matrix_mautrix_signal_network_displayname_template: "{% raw %}{{or .ProfileName .PhoneNumber 'Unknown user'}} (Signal){% endraw %}"
+
 matrix_mautrix_signal_bridge_permissions: |
   {{
     {'*': 'relay', matrix_mautrix_signal_homeserver_domain: 'user'}

roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -9,7 +9,7 @@ network:
     # {{.UUID}} - The UUID of the Signal user.
     # {{.AboutEmoji}} - The emoji set by the user in their profile.
     # {% endraw %}
-    displayname_template: "{% raw %}{{or .ProfileName .PhoneNumber 'Unknown user'}} (Signal){% endraw %}"
+    displayname_template: {{ matrix_mautrix_signal_network_displayname_template | to_json }}
     # Should avatars from the user's contact list be used? This is not safe on multi-user instances.
     use_contact_avatars: false
     # Should the bridge request the user's contact list from the phone on startup?

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -36,6 +36,27 @@ matrix_mautrix_slack_appservice_address: "http://matrix-mautrix-slack:8080"
 
 matrix_mautrix_slack_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 
+# Displayname template for Slack users. Available variables:
+#  .Name - The username of the user
+#  .Team.Name - The name of the team the channel is in
+#  .Team.Domain - The Slack subdomain of the team the channel is in
+#  .ID - The internal ID of the user
+#  .IsBot - Whether the user is a bot
+#  .Profile.DisplayName - The username or real name of the user (depending on settings)
+# Variables only available for users (not bots):
+#  .TeamID - The internal ID of the workspace the user is in
+#  .TZ - The timezone region of the user (e.g. Europe/London)
+#  .TZLabel - The label of the timezone of the user (e.g. Greenwich Mean Time)
+#  .TZOffset - The UTC offset of the timezone of the user (e.g. 0)
+#  .Profile.RealName - The real name of the user
+#  .Profile.FirstName - The first name of the user
+#  .Profile.LastName - The last name of the user
+#  .Profile.Title - The job title of the user
+#  .Profile.Pronouns - The pronouns of the user
+#  .Profile.Email - The email address of the user
+#  .Profile.Phone - The formatted phone number of the user
+matrix_mautrix_slack_network_displayname_template: '{% raw %}{{or .Profile.DisplayName .Profile.RealName .Name}}{{if .IsBot}} (bot){{end}}{% endraw %}'
+
 matrix_mautrix_slack_command_prefix: "!slack"
 
 matrix_mautrix_slack_bridge_permissions: |
@@ -168,3 +189,12 @@ matrix_mautrix_slack_bridge_encryption_pickle_key: maunium.net/go/mautrix-whatsa
 
 matrix_mautrix_slack_provisioning_shared_secret: ''
 matrix_mautrix_slack_public_media_signing_key: ''
+
+# Controls whether relay mode is enabled
+matrix_mautrix_slack_bridge_relay_enabled: false
+
+# Controls whether only admins can set themselves as relay users
+matrix_mautrix_slack_bridge_relay_admin_only: true
+
+# List of user login IDs which anyone can set as a relay, as long as the relay user is in the room
+matrix_mautrix_slack_bridge_relay_default_relays: []

roles/custom/matrix-bridge-mautrix-slack/templates/config.yaml.j2

@@ -20,7 +20,7 @@ network:
     #  .Profile.Pronouns - The pronouns of the user
     #  .Profile.Email - The email address of the user
     #  .Profile.Phone - The formatted phone number of the user
-    displayname_template: '{% raw %}{{or .Profile.DisplayName .Profile.RealName .Name}}{{if .IsBot}} (bot){{end}}{% endraw %}'
+    displayname_template: {{ matrix_mautrix_slack_network_displayname_template | to_json }}
     # Channel name template for Slack channels (all types). Available variables:
     #  .Name - The name of the channel
     #  .Team.Name - The name of the team the channel is in
@@ -113,12 +113,12 @@ bridge:
     relay:
         # Whether relay mode should be allowed. If allowed, the set-relay command can be used to turn any
         # authenticated user into a relaybot for that chat.
-        enabled: false
+        enabled: {{ matrix_mautrix_slack_bridge_relay_enabled | to_json }}
         # Should only admins be allowed to set themselves as relay users?
         # If true, non-admins can only set users listed in default_relays as relays in a room.
-        admin_only: true
+        admin_only: {{ matrix_mautrix_slack_bridge_relay_admin_only | to_json }}
         # List of user login IDs which anyone can set as a relay, as long as the relay user is in the room.
-        default_relays: []
+        default_relays: {{ matrix_mautrix_slack_bridge_relay_default_relays | to_json }}
         # The formats to use when sending messages via the relaybot.
         # Available variables:
         #   .Sender.UserID - The Matrix user ID of the sender.

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -44,6 +44,11 @@ matrix_mautrix_twitter_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 # A public address that external services can use to reach this appservice.
 matrix_mautrix_twitter_appservice_public_address: ''
 
+# Displayname template for Twitter users.
+# {{ .DisplayName }} is replaced with the display name of the Twitter user.
+# {{ .Username }} is replaced with the username of the Twitter user.
+matrix_mautrix_twitter_network_displayname_template: "{% raw %}{{ .DisplayName }}{% endraw %} (Twitter)"
+
 matrix_mautrix_twitter_bridge_command_prefix: "!tw"
 
 matrix_mautrix_twitter_bridge_permissions: |

roles/custom/matrix-bridge-mautrix-twitter/templates/config.yaml.j2

@@ -11,7 +11,7 @@ network:
     # {{ .DisplayName }} is replaced with the display name of the Twitter user.
     # {{ .Username }} is replaced with the username of the Twitter user.
     # {% endraw %}
-    displayname_template: "{% raw %}{{ .DisplayName }}{% endraw %} (Twitter)"
+    displayname_template: {{ matrix_mautrix_twitter_network_displayname_template | to_json }}
 
     # Maximum number of conversations to sync on startup
     conversation_sync_limit: 20

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -161,6 +161,13 @@ matrix_mautrix_whatsapp_double_puppet_secrets: "{{ matrix_mautrix_whatsapp_doubl
 matrix_mautrix_whatsapp_double_puppet_secrets_auto: {}
 matrix_mautrix_whatsapp_double_puppet_secrets_custom: {}
 
+# Displayname template for WhatsApp users.
+# {{.PushName}}     - nickname set by the WhatsApp user
+# {{.BusinessName}} - validated WhatsApp business name
+# {{.Phone}}        - phone number (international format)
+# {{.FullName}}     - Name you set in the contacts list
+matrix_mautrix_whatsapp_network_displayname_template: '{% raw %}{{or .BusinessName .PushName .Phone}} (WA){% endraw %}'
+
 # Enable End-to-bridge encryption
 matrix_mautrix_whatsapp_bridge_encryption_allow: "{{ matrix_bridges_encryption_enabled }}"
 matrix_mautrix_whatsapp_bridge_encryption_default: "{{ matrix_bridges_encryption_default }}"

roles/custom/matrix-bridge-mautrix-whatsapp/templates/config.yaml.j2

@@ -22,7 +22,7 @@ network:
     # {{.Phone}}        - phone number (international format)
     # {{.FullName}}     - Name you set in the contacts list
     # {% endraw %}
-    displayname_template: "{% raw %}{{or .BusinessName .PushName .Phone}} (WA){% endraw %}"
+    displayname_template: {{ matrix_mautrix_whatsapp_network_displayname_template | to_json }}
 
     # Should incoming calls send a message to the Matrix room?
     call_start_notices: true

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.11.104
+matrix_client_element_version: v1.11.105
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -33,9 +33,14 @@ matrix_client_fluffychat_container_additional_networks: "{{ matrix_client_fluffy
 matrix_client_fluffychat_container_additional_networks_auto: []
 matrix_client_fluffychat_container_additional_networks_custom: []
 
+# Configures the port number used inside the container image.
+matrix_client_fluffychat_container_http_port: 8080
+
 # Controls whether the matrix-client-fluffychat container exposes its HTTP port (tcp/8080 in the container).
 #
-# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8765"), or empty string to not expose.
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:8080"), or empty string to not expose.
+#
+# Also see: `matrix_client_fluffychat_container_http_port`
 matrix_client_fluffychat_container_http_host_bind_port: ''
 
 # matrix_client_fluffychat_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
@@ -44,6 +49,7 @@ matrix_client_fluffychat_container_http_host_bind_port: ''
 # To inject your own other container labels, see `matrix_client_fluffychat_container_labels_additional_labels`.
 matrix_client_fluffychat_container_labels_traefik_enabled: true
 matrix_client_fluffychat_container_labels_traefik_docker_network: "{{ matrix_client_fluffychat_container_network }}"
+matrix_client_fluffychat_container_labels_traefik_http_service_load_balancer_port: "{{ matrix_client_fluffychat_container_http_port }}"
 matrix_client_fluffychat_container_labels_traefik_hostname: "{{ matrix_client_fluffychat_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/fluffychat`).
 matrix_client_fluffychat_container_labels_traefik_path_prefix: "{{ matrix_client_fluffychat_path_prefix }}"

roles/custom/matrix-client-fluffychat/templates/labels.j2

@@ -11,7 +11,7 @@ traefik.enable=true
 traefik.docker.network={{ matrix_client_fluffychat_container_labels_traefik_docker_network }}
 {% endif %}
 
-traefik.http.services.matrix-client-fluffychat.loadbalancer.server.port=8080
+traefik.http.services.matrix-client-fluffychat.loadbalancer.server.port={{ matrix_client_fluffychat_container_labels_traefik_http_service_load_balancer_port }}
 
 {% set middlewares = [] %}
 

roles/custom/matrix-client-fluffychat/templates/systemd/matrix-client-fluffychat.service.j2

@@ -22,7 +22,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--read-only \
 			--network={{ matrix_client_fluffychat_container_network }} \
 			{% if matrix_client_fluffychat_container_http_host_bind_port %}
-			-p {{ matrix_client_fluffychat_container_http_host_bind_port }}:8080 \
+			-p {{ matrix_client_fluffychat_container_http_host_bind_port }}:{{ matrix_client_fluffychat_container_http_port }} \
 			{% endif %}
 			--label-file={{ matrix_client_fluffychat_data_path }}/labels \
 			--tmpfs=/tmp:rw,noexec,nosuid,size=10m \

roles/custom/matrix-conduit/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg
 matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}"
 matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixconduit/matrix-conduit
-matrix_conduit_docker_image_tag: "v0.10.4"
+matrix_conduit_docker_image_tag: "v0.10.6"
 matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}"
 
 matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit"

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -143,6 +143,9 @@ matrix_continuwuity_config_max_request_size: 20_000_000
 # Enables registration. If set to false, no users can register on this server.
 matrix_continuwuity_config_allow_registration: false
 
+# Controls if newly registered users are automatically suspended, requiring admin approval.
+matrix_continuwuity_config_suspend_on_register: false
+
 # Controls the `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse` setting.
 # This is only used when `matrix_continuwuity_config_allow_registration` is set to true and no registration token is configured.
 matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse: false
@@ -166,12 +169,11 @@ matrix_continuwuity_config_allow_check_for_updates: false
 # Controls the `emergency_password` setting.
 matrix_continuwuity_config_emergency_password: ''
 
-# Controls the `allow_federation` setting.
-matrix_continuwuity_config_allow_federation: true
-
-matrix_continuwuity_trusted_servers:
+# Controls the `matrix_continuwuity_trusted_servers`` setting.
+matrix_continuwuity_config_trusted_servers:
  - "matrix.org"
 
+# Controls the `matrix_continuwuity_config_log` setting.
 matrix_continuwuity_config_log: "info,state_res=warn,rocket=off,_=off,sled=off"
 
 # TURN integration.
@@ -184,15 +186,23 @@ matrix_continuwuity_config_turn_password: ''
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_continuwuity_self_check_validate_certificates: true
 
+# Controls server (de)federation settings.
+matrix_continuwuity_config_allow_federation: true
+matrix_continuwuity_config_allowed_remote_server_names: []
+matrix_continuwuity_config_forbidden_remote_server_names: []
+matrix_continuwuity_config_forbidden_remote_room_directory_server_names: []
+matrix_continuwuity_config_prevent_media_downloads_from: []
+matrix_continuwuity_config_ignore_messages_from_server_names: []
+
+# Controls the `url_preview_domain_contains_allowlist` setting.
+matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
+
 # Additional environment variables to pass to the container.
 #
 # Environment variables take priority over settings in the configuration file.
 #
 # Example:
 # matrix_continuwuity_environment_variables_extension: |
-#   continuwuity_MAX_REQUEST_SIZE=50000000
-#   continuwuity_REQUEST_TIMEOUT=60
+#   CONTINUWUITY_MAX_REQUEST_SIZE=50000000
+#   CONTINUWUITY_REQUEST_TIMEOUT=60
 matrix_continuwuity_environment_variables_extension: ''
-
-matrix_continuwuity_forbidden_remote_server_names: []
-matrix_continuwuity_forbidden_remote_room_directory_server_names: []

roles/custom/matrix-continuwuity/tasks/validate_config.yml

@@ -13,3 +13,18 @@
     - {'name': 'matrix_continuwuity_hostname', when: true}
     - {'name': 'matrix_continuwuity_container_network', when: true}
     - {'name': 'matrix_continuwuity_container_labels_internal_client_api_traefik_entrypoints', when: "{{ matrix_continuwuity_container_labels_internal_client_api_enabled }}"}
+
+- name: (Deprecation) Catch and report renamed Continuwuity settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
+  when: "item.old in vars"
+  with_items:
+    - {'old': 'matrix_continuwuity_allowed_remote_server_names', 'new': 'matrix_continuwuity_config_allowed_remote_server_names'}
+    - {'old': 'matrix_continuwuity_forbidden_remote_room_directory_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_room_directory_server_names'}
+    - {'old': 'matrix_continuwuity_forbidden_remote_server_names', 'new': 'matrix_continuwuity_config_forbidden_remote_server_names'}
+    - {'old': 'matrix_continuwuity_ignore_messages_from_server_names', 'new': 'matrix_continuwuity_config_ignore_messages_from_server_names'}
+    - {'old': 'matrix_continuwuity_prevent_media_downloads_from', 'new': 'matrix_continuwuity_config_prevent_media_downloads_from'}
+    - {'old': 'matrix_continuwuity_trusted_servers', 'new': 'matrix_continuwuity_config_trusted_servers'}
+    - {'old': 'matrix_continuwuity_url_preview_domain_contains_allowlist', 'new': 'matrix_continuwuity_config_url_preview_domain_contains_allowlist'}

roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2

@@ -7,8 +7,8 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
 ### continuwuity Configuration
-### See:
-### https://continuwuity.org/configuration
+### For more information, see:
+### https://continuwuity.org/configuration.html
 
 [global]
 
@@ -16,7 +16,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 # suffix for user and room IDs/aliases.
 #
 # See the docs for reverse proxying and delegation:
-# https://continuwuity.org/deploying/generic#setting-up-the-reverse-proxy
+# https://continuwuity.org/deploying/generic.html#setting-up-the-reverse-proxy
 #
 # Also see the `[global.well_known]` config section at the very bottom.
 #
@@ -27,7 +27,7 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 # YOU NEED TO EDIT THIS. THIS CANNOT BE CHANGED AFTER WITHOUT A DATABASE
 # WIPE.
 #
-# example: "continuwuity.woof"
+# example: "continuwuity.org"
 #
 server_name = {{ matrix_continuwuity_config_server_name | to_json }}
 
@@ -44,7 +44,7 @@ address = "0.0.0.0"
 # The port(s) continuwuity will listen on.
 #
 # For reverse proxying, see:
-# https://continuwuity.org/deploying/generic#setting-up-the-reverse-proxy
+# https://continuwuity.org/deploying/generic.html#setting-up-the-reverse-proxy
 #
 # If you are using Docker, don't change this, you'll need to map an
 # external port to this.
@@ -59,8 +59,9 @@ port = {{ matrix_continuwuity_config_port_number }}
 # listening on a UNIX socket, you MUST remove/comment the `address` key.
 #
 # Remember to make sure that your reverse proxy has access to this socket
-# file, either by adding your reverse proxy to the 'continuwuity' group or
-# granting world R/W permissions with `unix_socket_perms` (666 minimum).
+# file, either by adding your reverse proxy to the appropriate user group
+# or granting world R/W permissions with `unix_socket_perms` (666
+# minimum).
 #
 # example: "/run/continuwuity/continuwuity.sock"
 #
@@ -70,8 +71,8 @@ port = {{ matrix_continuwuity_config_port_number }}
 #
 #unix_socket_perms = 660
 
-# This is the only directory where continuwuity will save its data, including
-# media. Note: this was previously "/var/lib/matrix-conduit".
+# This is the only directory where continuwuity will save its data,
+# including media. Note: this was previously "/var/lib/matrix-conduit".
 #
 # YOU NEED TO EDIT THIS.
 #
@@ -79,9 +80,9 @@ port = {{ matrix_continuwuity_config_port_number }}
 #
 database_path = "/var/lib/continuwuity"
 
-# continuwuity supports online database backups using RocksDB's Backup engine
-# API. To use this, set a database backup path that continuwuity can write
-# to.
+# continuwuity supports online database backups using RocksDB's Backup
+# engine API. To use this, set a database backup path that continuwuity
+# can write to.
 #
 # For more information, see:
 # https://continuwuity.org/maintenance.html#backups
@@ -108,17 +109,13 @@ database_path = "/var/lib/continuwuity"
 new_user_displayname_suffix = {{ matrix_continuwuity_config_new_user_displayname_suffix | to_json }}
 
 # If enabled, continuwuity will send a simple GET request periodically to
-# `https://pupbrain.dev/check-for-updates/stable` for any new
-# announcements made. Despite the name, this is not an update check
-# endpoint, it is simply an announcement check endpoint.
-#
-# This is disabled by default as this is rarely used except for security
-# updates or major updates.
+# `https://continuwuity.org/.well-known/continuwuity/announcements` for any new
+# announcements or major updates. This is not an update check endpoint.
 #
 allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates | to_json }}
 
-# Set this to any float value to multiply continuwuity's in-memory LRU caches
-# with such as "auth_chain_cache_capacity".
+# Set this to any float value to multiply continuwuity's in-memory LRU
+# caches with such as "auth_chain_cache_capacity".
 #
 # May be useful if you have significant memory to spare to increase
 # performance.
@@ -190,14 +187,6 @@ allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates
 #
 #servernameevent_data_cache_capacity = varies by system
 
-# This item is undocumented. Please contribute documentation for it.
-#
-#server_visibility_cache_capacity = varies by system
-
-# This item is undocumented. Please contribute documentation for it.
-#
-#user_visibility_cache_capacity = varies by system
-
 # This item is undocumented. Please contribute documentation for it.
 #
 #stateinfo_cache_capacity = varies by system
@@ -259,7 +248,7 @@ allow_check_for_updates = {{ matrix_continuwuity_config_allow_check_for_updates
 #
 # If you are running continuwuity in a container environment, this config
 # option may need to be enabled. For more details, see:
-# https://continuwuity.org/troubleshooting#potential-dns-issues-when-using-docker
+# https://continuwuity.org/troubleshooting.html#potential-dns-issues-when-using-docker
 #
 #query_over_tcp_only = false
 
@@ -372,6 +361,26 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 #pusher_idle_timeout = 15
 
+# Maximum time to receive a request from a client (seconds).
+#
+#client_receive_timeout = 75
+
+# Maximum time to process a request received from a client (seconds).
+#
+#client_request_timeout = 180
+
+# Maximum time to transmit a response to a client (seconds)
+#
+#client_response_timeout = 120
+
+# Grace period for clean shutdown of client requests (seconds).
+#
+#client_shutdown_timeout = 10
+
+# Grace period for clean shutdown of federation requests (seconds).
+#
+#sender_shutdown_timeout = 5
+
 # Enables registration. If set to false, no users can register on this
 # server.
 #
@@ -384,17 +393,27 @@ max_request_size = {{ matrix_continuwuity_config_max_request_size }}
 #
 allow_registration = {{ matrix_continuwuity_config_allow_registration | to_json }}
 
-yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }}
-
-allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
-
-# This item is undocumented. Please contribute documentation for it.
+# If registration is enabled, and this setting is true, new users
+# registered after the first admin user will be automatically suspended
+# and will require an admin to run `!admin users unsuspend <user_id>`.
 #
-#yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = false
+# Suspended users are still able to read messages, make profile updates,
+# leave rooms, and deactivate their account, however cannot send messages,
+# invites, or create/join or otherwise modify rooms.
+# They are effectively read-only.
+#
+suspend_on_register = {{ matrix_continuwuity_config_suspend_on_register | to_json }}
+
+# Enabling this setting opens registration to anyone without restrictions.
+# This makes your server vulnerable to abuse
+#
+yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = {{ matrix_continuwuity_config_yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse | to_json }}
 
 # A static registration token that new users will have to provide when
 # creating an account. If unset and `allow_registration` is true,
-# registration is open without any condition.
+# you must set
+# `yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse`
+# to true to allow open registration without any conditions.
 #
 # YOU NEED TO EDIT THIS OR USE registration_token_file.
 #
@@ -402,8 +421,9 @@ allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
 #
 registration_token = {{ matrix_continuwuity_config_registration_token | to_json }}
 
-# Path to a file on the system that gets read for the registration token.
-# this config option takes precedence/priority over "registration_token".
+# Path to a file on the system that gets read for additional registration
+# tokens. Multiple tokens can be added if you separate them with
+# whitespace
 #
 # continuwuity must be able to access the file, and it must not be empty
 #
@@ -418,12 +438,21 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 # Controls whether federation is allowed or not. It is not recommended to
 # disable this after the fact due to potential federation breakage.
 #
-#allow_federation = true
+allow_federation = {{ matrix_continuwuity_config_allow_federation | to_json }}
 
-# This item is undocumented. Please contribute documentation for it.
+# Allows federation requests to be made to itself
+#
+# This isn't intended and is very likely a bug if federation requests are
+# being sent to yourself. This currently mainly exists for development
+# purposes.
 #
 #federation_loopback = false
 
+# Always calls /forget on behalf of the user if leaving a room. This is a
+# part of MSC4267 "Automatically forgetting rooms on leave"
+#
+#forget_forced_upon_leave = false
+
 # Set this to true to require authentication on the normally
 # unauthenticated profile retrieval endpoints (GET)
 # "/_matrix/client/v3/profile/{userId}".
@@ -501,9 +530,9 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 
 # Default room version continuwuity will create rooms with.
 #
-# Per spec, room version 10 is the default.
+# Per spec, room version 11 is the default.
 #
-#default_room_version = 10
+#default_room_version = 11
 
 # This item is undocumented. Please contribute documentation for it.
 #
@@ -568,9 +597,9 @@ registration_token = {{ matrix_continuwuity_config_registration_token | to_json
 # Currently, continuwuity doesn't support inbound batched key requests, so
 # this list should only contain other Synapse servers.
 #
-# example: ["matrix.org", "envs.net", "constellatory.net", "tchncs.de"]
+# example: ["matrix.org", "tchncs.de"]
 #
-trusted_servers = {{ matrix_continuwuity_trusted_servers | to_json }}
+trusted_servers = {{ matrix_continuwuity_config_trusted_servers | to_json }}
 
 # Whether to query the servers listed in trusted_servers first or query
 # the origin server first. For best security, querying the origin server
@@ -627,8 +656,9 @@ log = {{ matrix_continuwuity_config_log | to_json }}
 #
 #log_span_events = "none"
 
-# Configures whether continuwuity_LOG EnvFilter matches values using regular
-# expressions. See the tracing_subscriber documentation on Directives.
+# Configures whether CONTINUWUITY_LOG EnvFilter matches values using
+# regular expressions. See the tracing_subscriber documentation on
+# Directives.
 #
 #log_filter_regex = true
 
@@ -664,13 +694,17 @@ log = {{ matrix_continuwuity_config_log | to_json }}
 # ("turn_secret"), It is recommended to use a shared secret over static
 # credentials.
 #
-#turn_username = false
+{% if matrix_continuwuity_config_turn_username != ''  %}
+turn_username = {{ matrix_continuwuity_config_turn_username | to_json }}
+{% endif %}
 
 # Static TURN password to provide the client if not using a shared secret
 # ("turn_secret"). It is recommended to use a shared secret over static
 # credentials.
 #
-#turn_password = false
+{% if matrix_continuwuity_config_turn_password != '' %}
+turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
+{% endif %}
 
 # Vector list of TURN URIs/servers to use.
 #
@@ -689,18 +723,10 @@ turn_uris = {{ matrix_continuwuity_config_turn_uris | to_json }}
 # This is more secure, but if needed you can use traditional static
 # username/password credentials.
 #
-#turn_secret = false
 {% if matrix_continuwuity_config_turn_secret != '' %}
 turn_secret = {{ matrix_continuwuity_config_turn_secret | to_json }}
 {% endif %}
 
-# If you have your TURN server configured to use a username and password
-# you can provide these information too. In this case comment out `turn_secret above`!
-{% if matrix_continuwuity_config_turn_username != '' or matrix_continuwuity_config_turn_password != '' %}
-turn_username = {{ matrix_continuwuity_config_turn_username | to_json }}
-turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
-{% endif %}
-
 # TURN secret to use that's read from the file path specified.
 #
 # This takes priority over "turn_secret" first, and falls back to
@@ -714,12 +740,12 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #turn_ttl = 86400
 
-# List/vector of room IDs or room aliases that continuwuity will make newly
-# registered users join. The rooms specified must be rooms that you have
-# joined at least once on the server, and must be public.
+# List/vector of room IDs or room aliases that continuwuity will make
+# newly registered users join. The rooms specified must be rooms that you
+# have joined at least once on the server, and must be public.
 #
-# example: ["#continuwuity:puppygock.gay",
-# "!eoIzvAvVwY23LPDay8:puppygock.gay"]
+# example: ["#continuwuity:continuwuity.org",
+# "!main-1:continuwuity.org"]
 #
 #auto_join_rooms = []
 
@@ -742,10 +768,10 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #auto_deactivate_banned_room_attempts = false
 
-# RocksDB log level. This is not the same as continuwuity's log level. This
-# is the log level for the RocksDB engine/library which show up in your
-# database folder/path as `LOG` files. continuwuity will log RocksDB errors
-# as normal through tracing or panics if severe for safety.
+# RocksDB log level. This is not the same as continuwuity's log level.
+# This is the log level for the RocksDB engine/library which show up in
+# your database folder/path as `LOG` files. continuwuity will log RocksDB
+# errors as normal through tracing or panics if severe for safety.
 #
 #rocksdb_log_level = "error"
 
@@ -806,7 +832,7 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 
 # Type of RocksDB database compression to use.
 #
-# Available options are "zstd", "zlib", "bz2", "lz4", or "none".
+# Available options are "zstd", "bz2", "lz4", or "none".
 #
 # It is best to use ZSTD as an overall good balance between
 # speed/performance, storage, IO amplification, and CPU usage. For more
@@ -827,6 +853,9 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # magic number and translated to the library's default compression level
 # as they all differ. See their `kDefaultCompressionLevel`.
 #
+# Note when using the default value we may override it with a setting
+# tailored specifically for continuwuity.
+#
 #rocksdb_compression_level = 32767
 
 # Level of compression the specified compression algorithm for the
@@ -840,6 +869,9 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # less likely for this data to be used. Research your chosen compression
 # algorithm.
 #
+# Note when using the default value we may override it with a setting
+# tailored specifically for continuwuity.
+#
 #rocksdb_bottommost_compression_level = 32767
 
 # Whether to enable RocksDB's "bottommost_compression".
@@ -851,7 +883,7 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 # See https://github.com/facebook/rocksdb/wiki/Compression for more details.
 #
-#rocksdb_bottommost_compression = false
+#rocksdb_bottommost_compression = true
 
 # Database recovery mode (for RocksDB WAL corruption).
 #
@@ -878,7 +910,7 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 # 0 = AbsoluteConsistency
 # 1 = TolerateCorruptedTailRecords (default)
 # 2 = PointInTime (use me if trying to recover)
-# 3 = SkipAnyCorruptedRecord (you now voided your continuwuity warranty)
+# 3 = SkipAnyCorruptedRecord (you now voided your Continuwuity warranty)
 #
 # For more information on these modes, see:
 # https://github.com/facebook/rocksdb/wiki/WAL-Recovery-Modes
@@ -897,6 +929,20 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #rocksdb_paranoid_file_checks = false
 
+# Enables or disables checksum verification in rocksdb at runtime.
+# Checksums are usually hardware accelerated with low overhead; they are
+# enabled in rocksdb by default. Older or slower platforms may see gains
+# from disabling.
+#
+#rocksdb_checksums = true
+
+# Enables the "atomic flush" mode in rocksdb. This option is not intended
+# for users. It may be removed or ignored in future versions. Atomic flush
+# may be enabled by the paranoid to possibly improve database integrity at
+# the cost of performance.
+#
+#rocksdb_atomic_flush = false
+
 # Database repair mode (for RocksDB SST corruption).
 #
 # Use this option when the server reports corruption while running or
@@ -934,10 +980,10 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 #rocksdb_compaction_ioprio_idle = true
 
-# Disables RocksDB compaction. You should never ever have to set this
-# option to true. If you for some reason find yourself needing to use this
-# option as part of troubleshooting or a bug, please reach out to us in
-# the continuwuity Matrix room with information and details.
+# Enables RocksDB compaction. You should never ever have to set this
+# option to false. If you for some reason find yourself needing to use
+# this option as part of troubleshooting or a bug, please reach out to us
+# in the continuwuity Matrix room with information and details.
 #
 # Disabling compaction will lead to a significantly bloated and
 # explosively large database, gradually poor performance, unnecessarily
@@ -970,7 +1016,9 @@ turn_password = {{ matrix_continuwuity_config_turn_password | to_json }}
 #
 # example: "F670$2CP@Hw8mG7RY1$%!#Ic7YA"
 #
+{% if matrix_continuwuity_config_emergency_password != '' %}
 emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json }}
+{% endif %}
 
 # This item is undocumented. Please contribute documentation for it.
 #
@@ -978,8 +1026,8 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 
 # Allow local (your server only) presence updates/requests.
 #
-# Note that presence on continuwuity is very fast unlike Synapse's. If using
-# outgoing presence, this MUST be enabled.
+# Note that presence on continuwuity is very fast unlike Synapse's. If
+# using outgoing presence, this MUST be enabled.
 #
 #allow_local_presence = true
 
@@ -995,8 +1043,8 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 #
 # This option sends presence updates to other servers, but does not
 # receive any unless `allow_incoming_presence` is true. Note that presence
-# on continuwuity is very fast unlike Synapse's. If using outgoing presence,
-# you MUST enable `allow_local_presence` as well.
+# on continuwuity is very fast unlike Synapse's. If using outgoing
+# presence, you MUST enable `allow_local_presence` as well.
 #
 #allow_outgoing_presence = true
 
@@ -1115,7 +1163,7 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 
 # Check consistency of the media directory at startup:
 # 1. When `media_compat_file_link` is enabled, this check will upgrade
-#    media when switching back and forth between Conduit and continuwuity.
+#    media when switching back and forth between Conduit and conduwuit.
 #    Both options must be enabled to handle this.
 # 2. When media is deleted from the directory, this check will also delete
 #    its database entry.
@@ -1150,27 +1198,71 @@ emergency_password = {{ matrix_continuwuity_config_emergency_password | to_json
 #
 #prune_missing_media = false
 
-# Vector list of servers that continuwuity will refuse to download remote
-# media from.
+# List of forbidden server names via regex patterns that we will block
+# incoming AND outgoing federation with, and block client room joins /
+# remote user invites.
 #
-#prevent_media_downloads_from = []
-
-# List of forbidden server names that we will block incoming AND outgoing
-# federation with, and block client room joins / remote user invites.
+# Note that your messages can still make it to forbidden servers through
+# backfilling. Events we receive from forbidden servers via backfill
+# from servers we *do* federate with will be stored in the database.
 #
 # This check is applied on the room ID, room alias, sender server name,
 # sender user's server name, inbound federation X-Matrix origin, and
 # outbound federation handler.
 #
-# Basically "global" ACLs.
+# You can set this to ["*"] to block all servers by default, and then
+# use `allowed_remote_server_names` to allow only specific servers.
 #
-forbidden_remote_server_names = {{ matrix_continuwuity_forbidden_remote_server_names | to_json }}
+# example: ["badserver\\.tld$", "badphrase", "19dollarfortnitecards"]
+#
+forbidden_remote_server_names = {{ matrix_continuwuity_config_forbidden_remote_server_names | to_json }}
 
-# List of forbidden server names that we will block all outgoing federated
-# room directory requests for. Useful for preventing our users from
-# wandering into bad servers or spaces.
+# List of allowed server names via regex patterns that we will allow,
+# regardless of if they match `forbidden_remote_server_names`.
 #
-forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_remote_room_directory_server_names | to_json }}
+# This option has no effect if `forbidden_remote_server_names` is empty.
+#
+# example: ["goodserver\\.tld$", "goodphrase"]
+#
+allowed_remote_server_names = {{ matrix_continuwuity_config_allowed_remote_server_names | to_json }}
+
+# Vector list of regex patterns of server names that continuwuity will
+# refuse to download remote media from.
+#
+# example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
+#
+prevent_media_downloads_from = {{ matrix_continuwuity_config_prevent_media_downloads_from | to_json }}
+
+# List of forbidden server names via regex patterns that we will block all
+# outgoing federated room directory requests for. Useful for preventing
+# our users from wandering into bad servers or spaces.
+#
+# example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
+#
+forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_config_forbidden_remote_room_directory_server_names | to_json }}
+
+# Vector list of regex patterns of server names that continuwuity will not
+# send messages to the client from.
+#
+# Note that there is no way for clients to receive messages once a server
+# has become unignored without doing a full sync. This is a protocol
+# limitation with the current sync protocols. This means this is somewhat
+# of a nuclear option.
+#
+# example: ["reallybadserver\.tld$", "reallybadphrase",
+# "69dollarfortnitecards"]
+#
+ignore_messages_from_server_names = {{ matrix_continuwuity_config_ignore_messages_from_server_names | to_json }}
+
+# Send messages from users that the user has ignored to the client.
+#
+# There is no way for clients to receive messages sent while a user was
+# ignored without doing a full sync. This is a protocol limitation with
+# the current sync protocols. Disabling this option will move
+# responsibility of ignoring messages to the client, which can avoid this
+# limitation.
+#
+#send_messages_from_ignored_users_to_client = false
 
 # Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
 # do not want continuwuity to send outbound requests to. Defaults to
@@ -1215,7 +1307,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 # attack surface to your server, you are expected to be aware of the risks
 # by doing so.
 #
-#url_preview_domain_contains_allowlist = []
+url_preview_domain_contains_allowlist = {{ matrix_continuwuity_config_url_preview_domain_contains_allowlist | to_json }}
 
 # Vector list of explicit domains allowed to send requests to for URL
 # previews.
@@ -1279,7 +1371,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 # used, and startup as warnings if any room aliases in your database have
 # a forbidden room alias/ID.
 #
-# example: ["19dollarfortnitecards", "b[4a]droom"]
+# example: ["19dollarfortnitecards", "b[4a]droom", "badphrase"]
 #
 #forbidden_alias_names = []
 
@@ -1292,7 +1384,7 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 # startup as warnings if any local users in your database have a forbidden
 # username.
 #
-# example: ["administrator", "b[a4]dusernam[3e]"]
+# example: ["administrator", "b[a4]dusernam[3e]", "badphrase"]
 #
 #forbidden_usernames = []
 
@@ -1323,8 +1415,8 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 
 # Allow admins to enter commands in rooms other than "#admins" (admin
 # room) by prefixing your message with "\!admin" or "\\!admin" followed up
-# a normal continuwuity admin command. The reply will be publicly visible to
-# the room, originating from the sender.
+# a normal continuwuity admin command. The reply will be publicly visible
+# to the room, originating from the sender.
 #
 # example: \\!admin debug ping puppygock.gay
 #
@@ -1341,8 +1433,8 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 # This option can also be configured with the `--execute` continuwuity
 # argument and can take standard shell commands and environment variables
 #
-# For example: `./continuwuity --execute "server admin-notice continuwuity has
-# started up at $(date)"`
+# For example: `./continuwuity --execute "server admin-notice continuwuity
+# has started up at $(date)"`
 #
 # example: admin_execute = ["debug ping puppygock.gay", "debug echo hi"]`
 #
@@ -1355,6 +1447,13 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 #
 #admin_execute_errors_ignore = false
 
+# List of admin commands to execute on SIGUSR2.
+#
+# Similar to admin_execute, but these commands are executed when the
+# server receives SIGUSR2 on supporting platforms.
+#
+#admin_signal_execute = []
+
 # Controls the max log level for admin command log captures (logs
 # generated from running admin commands). Defaults to "info" on release
 # builds, else "debug" on debug builds.
@@ -1364,21 +1463,20 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 # The default room tag to apply on the admin room.
 #
 # On some clients like Element, the room tag "m.server_notice" is a
-# special pinned room at the very bottom of your room list. The continuwuity
-# admin room can be pinned here so you always have an easy-to-access
-# shortcut dedicated to your admin room.
+# special pinned room at the very bottom of your room list. The
+# continuwuity admin room can be pinned here so you always have an
+# easy-to-access shortcut dedicated to your admin room.
 #
 #admin_room_tag = "m.server_notice"
 
 # Sentry.io crash/panic reporting, performance monitoring/metrics, etc.
-# This is NOT enabled by default. continuwuity's default Sentry reporting
-# endpoint domain is `o4506996327251968.ingest.us.sentry.io`.
+# This is NOT enabled by default.
 #
 #sentry = false
 
 # Sentry reporting URL, if a custom one is desired.
 #
-#sentry_endpoint = "https://fe2eb4536aa04949e28eff3128d64757@o4506996327251968.ingest.us.sentry.io/4506996334657536"
+#sentry_endpoint = ""
 
 # Report your continuwuity server_name in Sentry.io crash reports and
 # metrics.
@@ -1512,6 +1610,34 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 #
 #sender_workers = 0
 
+# Enables listener sockets; can be set to false to disable listening. This
+# option is intended for developer/diagnostic purposes only.
+#
+#listening = true
+
+# Enables configuration reload when the server receives SIGUSR1 on
+# supporting platforms.
+#
+#config_reload_signal = true
+
+[global.tls]
+
+# Path to a valid TLS certificate file.
+#
+# example: "/path/to/my/certificate.crt"
+#
+#certs =
+
+# Path to a valid TLS certificate private key.
+#
+# example: "/path/to/my/certificate.key"
+#
+#key =
+
+# Whether to listen and allow for HTTP and HTTPS connections (insecure!)
+#
+#dual_protocol = false
+
 [global.well_known]
 
 # The server URL that the client well-known file will serve. This should
@@ -1529,18 +1655,46 @@ forbidden_remote_room_directory_server_names = {{ matrix_continuwuity_forbidden_
 #
 #server =
 
-# This item is undocumented. Please contribute documentation for it.
+# URL to a support page for the server, which will be served as part of
+# the MSC1929 server support endpoint at /.well-known/matrix/support.
+# Will be included alongside any contact information
 #
 #support_page =
 
-# This item is undocumented. Please contribute documentation for it.
+# Role string for server support contacts, to be served as part of the
+# MSC1929 server support endpoint at /.well-known/matrix/support.
 #
-#support_role =
+#support_role = "m.role.admin"
 
-# This item is undocumented. Please contribute documentation for it.
+# Email address for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+# This will be used along with support_mxid if specified.
 #
 #support_email =
 
-# This item is undocumented. Please contribute documentation for it.
+# Matrix ID for server support contacts, to be served as part of the
+# MSC1929 server support endpoint.
+# This will be used along with support_email if specified.
+#
+# If no email or mxid is specified, all of the server's admins will be
+# listed.
 #
 #support_mxid =
+
+[global.blurhashing]
+
+# blurhashing x component, 4 is recommended by https://blurha.sh/
+#
+#components_x = 4
+
+# blurhashing y component, 3 is recommended by https://blurha.sh/
+#
+#components_y = 3
+
+# Max raw size that the server will blurhash, this is the size of the
+# image after converting it to raw data, it should be higher than the
+# upload limit but not too high. The higher it is the higher the
+# potential load will be for clients requesting blurhashes. The default
+# is 33.55MB. Setting it to 0 disables blurhashing.
+#
+#blurhash_max_raw_size = 33554432

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.12.2
+matrix_element_call_version: v0.13.1
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml

@@ -24,7 +24,7 @@
 matrix_synapse_reverse_proxy_companion_enabled: true
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.28.0-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.29.0-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.132.0
+matrix_synapse_version: v1.133.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1417,7 +1417,7 @@ matrix_synapse_ext_spam_checker_mjolnir_antispam_config:
 matrix_synapse_ext_synapse_http_antispam_enabled: false
 matrix_synapse_ext_synapse_http_antispam_git_repository_url: "https://github.com/maunium/synapse-http-antispam"
 # renovate: datasource=github-releases depName=maunium/synapse-http-antispam
-matrix_synapse_ext_synapse_http_antispam_git_version: "v0.4.0"
+matrix_synapse_ext_synapse_http_antispam_git_version: "v0.5.0"
 # Where Synapse can locate the consumer of the antispam API. Currently
 # Draupnir is the only consumer of this API that is playbook supported.
 # But https://github.com/maunium/meowlnir also supports the API.
@@ -1426,6 +1426,10 @@ matrix_synapse_ext_synapse_http_antispam_config_base_url: ''
 # homeserver a lot like how AS authentication is done. This is fully managed
 # the same way AS authentication is by the playbook.
 matrix_synapse_ext_synapse_http_antispam_config_authorization: ''
+# This controls if the module will ping the consumer or not for ease of troubleshooting. This defaults
+# to enabled to help assure users that the connection is working.
+# Due to that its only a single log line per worker per startup this default is deemed acceptable.
+matrix_synapse_ext_synapse_http_antispam_config_do_ping: true
 # This controls what callbacks are activated. This list is fully dependent on what consumer is in play.
 # And what capabilities said consumer should or shouldn't have. There are also performance implications
 # to these choices.
@@ -1440,6 +1444,7 @@ matrix_synapse_ext_synapse_http_antispam_config: "{{ matrix_synapse_ext_synapse_
 matrix_synapse_ext_synapse_http_antispam_config_yaml: |
   base_url: {{ matrix_synapse_ext_synapse_http_antispam_config_base_url | to_json }}
   authorization: {{ matrix_synapse_ext_synapse_http_antispam_config_authorization | to_json }}
+  do_ping: {{ matrix_synapse_ext_synapse_http_antispam_config_do_ping | to_json }}
   enabled_callbacks: {{ matrix_synapse_ext_synapse_http_antispam_config_enabled_callbacks | to_json }}
   fail_open: {{ matrix_synapse_ext_synapse_http_antispam_config_fail_open | to_json }}
   async: {{ matrix_synapse_ext_synapse_http_antispam_config_async | to_json }}