Merge branch 'master' into pub.solar

2021-01-19 16:19:52 +01:00 · 2021-01-19 16:19:52 +01:00 · 07e8f04fa9
parent 8720ab02d2 c9d96d8135
commit 07e8f04fa9
109 changed files with 529 additions and 281 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,25 @@
+# 2021-01-17
+
+## matrix-corporal goes 2.0
+
+[matrix-corporal v2 has been released](https://github.com/devture/matrix-corporal/releases/tag/2.0.0) and the playbook also supports it now.
+
+No manual intervention is required in the common case.
+
+The new [matrix-corporal](https://github.com/devture/matrix-corporal) version is also the first one to support Interactive Authentication. If you wish to enable that (hint: you should), you'll need to set up the [REST auth password provider](docs/configuring-playbook-rest-auth.md). There's more information in [our matrix-corporal docs](docs/configuring-playbook-matrix-corporal.md).
+
+
+# 2021-01-14
+
+## Moving from cronjobs to systemd timers
+
+We no longer use cronjobs for Let's Encrypt SSL renewal and `matrix-nginx-proxy`/`matrix-coturn` reloading. Instead, we've switched to systemd timers.
+
+The largest benefit of this is that we no longer require you to install a cron daemon, thus simplifying our install procedure.
+
+The playbook will migrate you from cronjobs to systemd timers automatically. This is just a heads up.
+
+
 # 2021-01-08

 ## (Breaking Change) New SSL configuration
--- a/README.md
+++ b/README.md
@ -146,7 +146,7 @@ This playbook sets up your server using the following Docker images:

 - [devture/matrix-corporal](https://hub.docker.com/r/devture/matrix-corporal/) - [Matrix Corporal](https://github.com/devture/matrix-corporal): reconciliator and gateway for a managed Matrix server (optional)

- [devture/zeratax-matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional)
+- [zeratax/matrix-registration](https://hub.docker.com/r/devture/zeratax-matrix-registration/) - [matrix-registration](https://github.com/ZerataX/matrix-registration): a simple python application to have a token based matrix registration (optional)

 - [nginx](https://hub.docker.com/_/nginx/) - the [nginx](http://nginx.org/) web server (optional)

--- a/docs/configuring-playbook-bridge-mautrix-telegram.md
+++ b/docs/configuring-playbook-bridge-mautrix-telegram.md
@ -12,7 +12,6 @@ matrix_mautrix_telegram_api_id: YOUR_TELEGRAM_APP_ID
 matrix_mautrix_telegram_api_hash: YOUR_TELEGRAM_API_HASH
 ```

-
 ## Set up Double Puppeting

 If you'd like to use [Double Puppeting](https://github.com/tulir/mautrix-telegram/wiki/Authentication#replacing-telegram-accounts-matrix-puppet-with-matrix-account) (hint: you most likely do), you have 2 ways of going about it.
--- a/docs/configuring-playbook-matrix-corporal.md
+++ b/docs/configuring-playbook-matrix-corporal.md
@ -11,7 +11,9 @@ The playbook can install and configure [matrix-corporal](https://github.com/devt
 In short, it's a sort of automation and firewalling service, which is helpful if you're instaling Matrix services in a controlled corporate environment.
 See that project's documentation to learn what it does and why it might be useful to you.

-If you decide that you'd like to let this playbook install it for you, you'd need to also [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md).
+If you decide that you'd like to let this playbook install it for you, you'd need to also:
+- (required) [set up the Shared Secret Auth password provider module](configuring-playbook-shared-secret-auth.md)
+- (optional, but encouraged) [set up the REST authentication password provider module](configuring-playbook-rest-auth.md)


 ## Playbook configuration
@ -24,6 +26,15 @@ You would then need some configuration like this:
 matrix_synapse_ext_password_provider_shared_secret_auth_enabled: true
 matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret: YOUR_SHARED_SECRET_GOES_HERE

+# When matrix-corporal is acting as the primary authentication provider,
+# you need to set up the REST authentication password provider module
+# to make Interactive User Authentication work.
+# This is necessary for certain user actions (like E2EE, device management, etc).
+#
+# See configuring-playbook-rest-auth.md
+matrix_synapse_ext_password_provider_rest_auth_enabled: true
+matrix_synapse_ext_password_provider_rest_auth_endpoint: "http://matrix-corporal:41080/_matrix/corporal"
+
 matrix_corporal_enabled: true

 matrix_corporal_policy_provider_config: |
@ -40,9 +51,9 @@ matrix_corporal_policy_provider_config: |
 matrix_corporal_http_api_enabled: true
 matrix_corporal_http_api_auth_token: "AUTH_TOKEN_HERE"

-# If you need to change the reconciliator user's id from the default (matrix-corporal)..
+# If you need to change matrix-corporal's user id from the default (matrix-corporal).
 # In any case, you need to make sure this Matrix user is created on your server.
-matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
+matrix_corporal_corporal_user_id_local_part: "matrix-corporal"

 # Because Corporal peridoically performs lots of user logins from the same IP,
 # you may need raise Synapse's ratelimits.
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@ -6,14 +6,16 @@
  - **Ubuntu** (16.04+, although [20.04 may be problematic](ansible.md#supported-ansible-versions))
  - **Archlinux**

-This playbook doesn't support running on ARM (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/299)), however a minimal subset of the tools can be built on the host, which may result in a working configuration, even on a Raspberry pi (see [Alternative Architectures](alternative-architectures.md)). We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
+We only strive to support released stable versions of distributions, not betas or pre-releases. This playbook can take over your whole server or co-exist with other services that you have there.
+
+This playbook somewhat supports running on non-`amd64` architectures like ARM. See [Alternative Architectures](alternative-architectures.md).
+
+If your distro runs within an [LXC container](https://linuxcontainers.org/), you may hit [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/703). It can be worked around, if absolutely necessary, but we suggest that you avoid running from within an LXC container.

 - `root` access to your server (or a user capable of elevating to `root` via `sudo`).

 - [Python](https://www.python.org/) being installed on the server. Most distributions install Python by default, but some don't (e.g. Ubuntu 18.04) and require manual installation (something like `apt-get install python3`). On some distros, Ansible may incorrectly [detect the Python version](https://docs.ansible.com/ansible/latest/reference_appendices/interpreter_discovery.html) (2 vs 3) and you may need to explicitly specify the interpreter path in `inventory/hosts` during installation (e.g. `ansible_python_interpreter=/usr/bin/python3`)

- A `cron`-like tool installed on the server such as `cron` or `anacron` to automatically schedule the Let's Encrypt SSL certificates's renewal. *This can be ignored if you use your own SSL certificates.*
-
 - The [Ansible](http://ansible.com/) program being installed on your own computer. It's used to run this playbook and configures your server for you. Take a look at [our guide about Ansible](ansible.md) for more information, as well as [version requirements](ansible.md#supported-ansible-versions) and alternative ways to run Ansible.

 - Either the `dig` tool or `python-dns` installed on your own computer. Used later on, by the playbook's [services check](maintenance-checking-services.md) feature.
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -18,8 +18,10 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-corporal`
 - `matrix-ma1sd`
 - `matrix-mailer`
+- `matrix-bridge-appservice-slack`
 - `matrix-bridge-mautrix-facebook`
 - `matrix-bridge-mautrix-hangouts`
+- `matrix-bridge-mautrix-telegram`
 - `matrix-bridge-mx-puppet-skype`

 Adding self-building support to other roles is welcome. Feel free to contribute!
--- a/docs/uninstalling.md
+++ b/docs/uninstalling.md
@ -23,15 +23,13 @@ If you prefer to uninstall manually, run these commands (most are meant to be ex

 - ensure all Matrix services are stopped: `ansible-playbook -i inventory/hosts setup.yml --tags=stop` (if you can't get Ansible working to run this command, you can run `systemctl stop 'matrix*'` manually on the server)

- delete the Matrix-related systemd `.service` files (`rm -f /etc/systemd/system/matrix*.service`) and reload systemd (`systemctl daemon-reload`)
-
- delete all Matrix-related cronjobs (`rm -f /etc/cron.d/matrix*`)
+- delete the Matrix-related systemd `.service` and `.timer` files (`rm -f /etc/systemd/system/matrix*.{service,timer}`) and reload systemd (`systemctl daemon-reload`)

 - delete some helper scripts (`rm -f /usr/local/bin/matrix*`)

 - delete some cached Docker images (`docker system prune -a`) or just delete them all (`docker rmi $(docker images -aq)`)

- delete the Docker network: `docker network rm matrix` (might have been deleted already if you ran the `docker system prune` command)
+- delete the Docker networks: `docker network rm matrix matrix-coturn` (might have been deleted already if you ran the `docker system prune` command)

 - uninstall Docker itself, if necessary

--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -110,6 +110,8 @@ matrix_appservice_webhooks_systemd_required_services_list: |
 # We don't enable bridges by default.
 matrix_appservice_slack_enabled: false

+matrix_appservice_slack_container_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-appservice-slack over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # matrix-appservice-slack's client-server port to the local host.
@ -305,6 +307,9 @@ matrix_mautrix_signal_database_password: "{{ matrix_synapse_macaroon_secret_key
 # We don't enable bridges by default.
 matrix_mautrix_telegram_enabled: false

+# Images are multi-arch (amd64 and arm64, but not arm32).
+matrix_mautrix_telegram_container_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
+
 matrix_mautrix_telegram_systemd_required_services_list: |
  {{
    ['docker.service']
@ -669,6 +674,9 @@ matrix_corporal_matrix_homeserver_api_endpoint: "http://matrix-synapse:8008"

 matrix_corporal_matrix_auth_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}"

+# This is only useful if there's REST auth provider to make use of it.
+matrix_corporal_http_gateway_internal_rest_auth_enabled: "{{ matrix_synapse_ext_password_provider_rest_auth_enabled }}"
+
 matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registration_shared_secret }}"

 ######################################################################
--- a/roles/matrix-base/defaults/main.yml
+++ b/roles/matrix-base/defaults/main.yml
@ -48,7 +48,16 @@ matrix_base_data_path_mode: "750"

 matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
 matrix_systemd_path: "/etc/systemd/system"
+
+# Specifies the path to use for the `HOME` environment variable for systemd unit files.
+# Docker 20.10 complains with `WARNING: Error loading config file: .dockercfg: $HOME is not defined`
+# if `$HOME` is not defined, so we define something to make it happy.
+matrix_systemd_unit_home_path: /root
+
+# This is now unused. We keep it so that cleanup tasks can use it.
+# To be removed in the future.
 matrix_cron_path: "/etc/cron.d"
+
 matrix_local_bin_path: "/usr/local/bin"

 matrix_host_command_docker: "/usr/bin/env docker"
--- a/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
+++ b/roles/matrix-base/templates/usr-local-bin/matrix-remove-all.j2
@ -20,8 +20,6 @@ else
 		rm -f {{ matrix_systemd_path }}/$s
 	done
 	systemctl daemon-reload
-	echo "Remove matrix cronjobs"
-	find /etc/cron.d/ -name "matrix-*" -delete
 	echo "Remove matrix scripts"
 	find {{ matrix_local_bin_path }}/ -name "matrix-*" -delete
 	echo "Remove unused Docker images and resources"
--- a/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml
+++ b/roles/matrix-bot-matrix-reminder-bot/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-bot-matrix-reminder-bot.service'] }}"
  when: matrix_bot_matrix_reminder_bot_enabled|bool
--- a/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2
+++ b/roles/matrix-bot-matrix-reminder-bot/templates/systemd/matrix-bot-matrix-reminder-bot.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-bot-matrix-reminder-bot
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-bot-matrix-reminder-bot

--- a/roles/matrix-bridge-appservice-discord/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_appservice_discord_enabled and matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-discord.service'] }}"
  when: matrix_appservice_discord_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
+++ b/roles/matrix-bridge-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-discord
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-discord

--- a/roles/matrix-bridge-appservice-irc/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-irc/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_appservice_irc_enabled|bool and matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-irc.service'] }}"
  when: matrix_appservice_irc_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
+++ b/roles/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-irc
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-irc

--- a/roles/matrix-bridge-appservice-slack/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-slack/defaults/main.yml
@ -3,6 +3,10 @@

 matrix_appservice_slack_enabled: true

+matrix_appservice_slack_container_self_build: false
+matrix_appservice_slack_docker_repo: "https://github.com/matrix-org/matrix-appservice-slack.git"
+matrix_appservice_slack_docker_src_files_path: "{{ matrix_base_data_path }}/appservice-slack/docker-src"
+
 matrix_appservice_slack_docker_image: "docker.io/matrixdotorg/matrix-appservice-slack:release-1.5.0"
 matrix_appservice_slack_docker_image_force_pull: "{{ matrix_appservice_slack_docker_image.endswith(':latest') }}"

--- a/roles/matrix-bridge-appservice-slack/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-slack.service'] }}"
  when: matrix_appservice_slack_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml
+++ b/roles/matrix-bridge-appservice-slack/tasks/setup_install.yml
@ -8,9 +8,11 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
-    - "{{ matrix_appservice_slack_base_path }}"
-    - "{{ matrix_appservice_slack_config_path }}"
-    - "{{ matrix_appservice_slack_data_path }}"
+    - { path: "{{ matrix_appservice_slack_base_path }}", when: true }
+    - { path: "{{ matrix_appservice_slack_config_path }}", when: true }
+    - { path: "{{ matrix_appservice_slack_data_path }}", when: true }
+    - { path: "{{ matrix_appservice_slack_docker_src_files_path }}", when: "{{ matrix_appservice_slack_container_self_build }}" }
+  when: item.when|bool

 - set_fact:
    matrix_appservice_slack_requires_restart: false
@ -35,6 +37,26 @@
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_appservice_slack_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_slack_docker_image_force_pull }}"
+  when: "not matrix_appservice_slack_container_self_build|bool"
+
+- name: Ensure matrix-appservice-slack repository is present when self-building
+  git:
+    repo: "{{ matrix_appservice_slack_docker_repo }}"
+    dest: "{{ matrix_appservice_slack_docker_src_files_path }}"
+    force: "yes"
+  register: matrix_appservice_slack_git_pull_results
+  when: "matrix_appservice_slack_container_self_build|bool"
+
+- name: Ensure matrix-appservice-slack Docker image is built
+  docker_image:
+    name: "{{ matrix_appservice_slack_docker_image }}"
+    source: build
+    force_source: yes
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_appservice_slack_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_appservice_slack_container_self_build|bool and matrix_appservice_slack_git_pull_results.changed"

 - name: Ensure Matrix Appservice Slack config installed
  copy:
--- a/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
+++ b/roles/matrix-bridge-appservice-slack/templates/systemd/matrix-appservice-slack.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-slack
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-slack

--- a/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
+++ b/roles/matrix-bridge-appservice-webhooks/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-appservice-webhooks.service'] }}"
  when: matrix_appservice_webhooks_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
+++ b/roles/matrix-bridge-appservice-webhooks/templates/systemd/matrix-appservice-webhooks.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-appservice-webhooks
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-appservice-webhooks

--- a/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-facebook/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-facebook.service'] }}"
  when: matrix_mautrix_facebook_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/systemd/matrix-mautrix-facebook.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-facebook
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-facebook
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-facebook-db \
--- a/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-hangouts/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-hangouts.service'] }}"
  when: matrix_mautrix_hangouts_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2
+++ b/roles/matrix-bridge-mautrix-hangouts/templates/systemd/matrix-mautrix-hangouts.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-hangouts matrix-mautrix-hangouts-db
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-hangouts-db \
--- a/roles/matrix-bridge-mautrix-signal/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-signal/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal', 'matrix-mautrix-signal-daemon'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-signal.service', 'matrix-mautrix-signal-daemon.service'] }}"
  when: matrix_mautrix_signal_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal-daemon.service.j2
@ -13,6 +13,7 @@ Wants={{ service }}

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"

 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal-daemon
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal-daemon
--- a/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2
+++ b/roles/matrix-bridge-mautrix-signal/templates/systemd/matrix-mautrix-signal.service.j2
@ -13,6 +13,7 @@ Wants={{ service }}

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-signal
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-signal

--- a/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -3,6 +3,10 @@

 matrix_mautrix_telegram_enabled: true

+matrix_mautrix_telegram_container_self_build: false
+matrix_mautrix_telegram_docker_repo: "https://mau.dev/tulir/mautrix-telegram.git"
+matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
+
 # See: https://mau.dev/tulir/mautrix-telegram/container_registry
 matrix_mautrix_telegram_docker_image: "dock.mau.dev/tulir/mautrix-telegram:v0.9.0"
 matrix_mautrix_telegram_docker_image_force_pull: "{{ matrix_mautrix_telegram_docker_image.endswith(':latest') }}"
--- a/roles/matrix-bridge-mautrix-telegram/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-telegram.service'] }}"
  when: matrix_mautrix_telegram_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@ -34,24 +34,46 @@
      when: "matrix_mautrix_telegram_sqlite_database_path_local_stat_result.stat.exists|bool"
  when: "matrix_mautrix_telegram_database_engine == 'postgres'"

+- name: Ensure Mautrix Telegram paths exist
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_mautrix_telegram_base_path }}", when: true }
+    - { path: "{{ matrix_mautrix_telegram_config_path }}", when: true }
+    - { path: "{{ matrix_mautrix_telegram_data_path }}", when: true }
+    - { path: "{{ matrix_mautrix_telegram_docker_src_files_path }}", when: "{{ matrix_mautrix_telegram_container_self_build }}" }
+  when: item.when|bool
+
 - name: Ensure Mautrix Telegram image is pulled
  docker_image:
    name: "{{ matrix_mautrix_telegram_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_mautrix_telegram_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mautrix_telegram_docker_image_force_pull }}"
+  when: "not matrix_mautrix_telegram_container_self_build|bool"

- name: Ensure Mautrix Telegram paths exist
-  file:
-    path: "{{ item }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - "{{ matrix_mautrix_telegram_base_path }}"
-    - "{{ matrix_mautrix_telegram_config_path }}"
-    - "{{ matrix_mautrix_telegram_data_path }}"
+- name: Ensure matrix-mautrix-telegram repository is present when self-building
+  git:
+    repo: "{{ matrix_mautrix_telegram_docker_repo }}"
+    dest: "{{ matrix_mautrix_telegram_docker_src_files_path }}"
+    force: "yes"
+  register: matrix_mautrix_telegram_git_pull_results
+  when: "matrix_mautrix_telegram_container_self_build|bool"
+
+- name: Ensure matrix-mautrix-telegram Docker image is build
+  docker_image:
+    name: "{{ matrix_mautrix_telegram_docker_image }}"
+    source: build
+    force_source: yes
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_mautrix_telegram_docker_src_files_path }}"
+      pull: yes
+  when: "matrix_mautrix_telegram_container_self_build|bool and matrix_mautrix_telegram_git_pull_results.changed"

 - name: Check if an old database file already exists
  stat:
--- a/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
+++ b/roles/matrix-bridge-mautrix-telegram/templates/systemd/matrix-mautrix-telegram.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-telegram
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-telegram
 ExecStartPre={{ matrix_host_command_docker }} run --rm --name matrix-mautrix-telegram-db \
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mautrix-whatsapp.service'] }}"
  when: matrix_mautrix_whatsapp_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@ -26,6 +26,7 @@
              engine_variable_name: 'matrix_mautrix_whatsapp_database_engine'
              engine_old: 'sqlite'
              systemd_services_to_stop: ['matrix-mautrix-whatsapp.service']
+              pgloader_options: ['--with "quote identifiers"']

        - import_tasks: "{{ role_path }}/../matrix-postgres/tasks/util/migrate_db_to_postgres.yml"

--- a/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
+++ b/roles/matrix-bridge-mautrix-whatsapp/templates/systemd/matrix-mautrix-whatsapp.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mautrix-whatsapp
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mautrix-whatsapp

--- a/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-discord/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-discord.service'] }}"
  when: matrix_mx_puppet_discord_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2
+++ b/roles/matrix-bridge-mx-puppet-discord/templates/systemd/matrix-mx-puppet-discord.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-discord
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-discord

--- a/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-instagram/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-instagram.service'] }}"
  when: matrix_mx_puppet_instagram_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
+++ b/roles/matrix-bridge-mx-puppet-instagram/templates/systemd/matrix-mx-puppet-instagram.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-instagram
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-instagram

--- a/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-skype/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-skype.service'] }}"
  when: matrix_mx_puppet_skype_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
+++ b/roles/matrix-bridge-mx-puppet-skype/templates/systemd/matrix-mx-puppet-skype.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-skype
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-skype

--- a/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-slack/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-slack.service'] }}"
  when: matrix_mx_puppet_slack_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
+++ b/roles/matrix-bridge-mx-puppet-slack/templates/systemd/matrix-mx-puppet-slack.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-slack
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-slack

--- a/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-steam/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-steam.service'] }}"
  when: matrix_mx_puppet_steam_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2
+++ b/roles/matrix-bridge-mx-puppet-steam/templates/systemd/matrix-mx-puppet-steam.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-steam
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-steam

--- a/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
+++ b/roles/matrix-bridge-mx-puppet-twitter/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mx-puppet-twitter.service'] }}"
  when: matrix_mx_puppet_twitter_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2
+++ b/roles/matrix-bridge-mx-puppet-twitter/templates/systemd/matrix-mx-puppet-twitter.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mx-puppet-twitter
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mx-puppet-twitter

--- a/roles/matrix-bridge-sms/tasks/init.yml
+++ b/roles/matrix-bridge-sms/tasks/init.yml
@ -7,7 +7,7 @@
  when: "matrix_sms_bridge_enabled and matrix_synapse_role_executed|default(False)"

 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-sms-bridge.service'] }}"
  when: matrix_sms_bridge_enabled|bool

 # If the matrix-synapse role is not used, these variables may not exist.
--- a/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2
+++ b/roles/matrix-bridge-sms/templates/systemd/matrix-sms-bridge.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-/usr/bin/docker kill matrix-sms-bridge
 ExecStartPre=-/usr/bin/docker rm matrix-sms-bridge

--- a/roles/matrix-client-element/tasks/init.yml
+++ b/roles/matrix-client-element/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-client-element.service'] }}"
  when: matrix_client_element_enabled|bool

 # ansible lower than 2.8, does not support docker_image build parameters
--- a/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2
+++ b/roles/matrix-client-element/templates/systemd/matrix-client-element.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-client-element
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-client-element

--- a/roles/matrix-common-after/tasks/start.yml
+++ b/roles/matrix-common-after/tasks/start.yml
@ -1,6 +1,6 @@
 ---

- name: Deterimne whether we should make services autostart
+- name: Determine whether we should make services autostart
  set_fact:
    matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}"

@ -46,7 +46,7 @@
        Try running `systemctl status {{ item }}` and `journalctl -fu {{ item }}` on the server to investigate.
    with_items: "{{ matrix_systemd_services_list }}"
    when:
-      - "ansible_facts.services[item + '.service']|default(none) is none or ansible_facts.services[item + '.service'].state != 'running'"
+      - "item.endswith('.service') and (ansible_facts.services[item]|default(none) is none or ansible_facts.services[item].state != 'running')"
  when: " ansible_distribution != 'Archlinux'"

 - block:
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -24,7 +24,7 @@ matrix_corporal_systemd_required_services_list: ['docker.service']

 matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
 matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_corporal_container_image_self_build else 'docker.io/' }}"
-matrix_corporal_docker_image_tag: "1.11.0"
+matrix_corporal_docker_image_tag: "2.1.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"

 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
@ -50,10 +50,16 @@ matrix_corporal_matrix_registration_shared_secret: ""
 matrix_corporal_matrix_timeout_milliseconds: 45000

 matrix_corporal_reconciliation_retry_interval_milliseconds: 30000
-matrix_corporal_reconciliation_user_id_local_part: "matrix-corporal"
+matrix_corporal_corporal_user_id_local_part: "matrix-corporal"

 matrix_corporal_http_gateway_timeout_milliseconds: 60000

+# If enabled, matrix-corporal exposes a `POST /_matrix/corporal/_matrix-internal/identity/v1/check_credentials` API
+# on the gateway (Client-Server API) server.
+# This API can then be used together with the REST Auth password provider by pointing it to matrix-corporal (e.g. `http://matrix-corporal:41080/_matrix/corporal`).
+# Doing so allows Interactive Authentication to work.
+matrix_corporal_http_gateway_internal_rest_auth_enabled: false
+
 matrix_corporal_http_api_enabled: false
 matrix_corporal_http_api_auth_token: ""
 matrix_corporal_http_api_timeout_milliseconds: 15000
--- a/roles/matrix-corporal/tasks/init.yml
+++ b/roles/matrix-corporal/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal.service'] }}"
  when: matrix_corporal_enabled|bool
--- a/roles/matrix-corporal/tasks/validate_config.yml
+++ b/roles/matrix-corporal/tasks/validate_config.yml
@ -16,7 +16,6 @@
    msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
  when: "matrix_corporal_http_api_enabled|bool and matrix_corporal_http_api_auth_token == ''"

-
 - name: (Deprecation) Catch and report renamed corporal variables
  fail:
    msg: >-
@ -25,3 +24,4 @@
  when: "item.old in vars"
  with_items:
    - {'old': 'matrix_corporal_container_expose_ports', 'new': '<superseded by matrix_corporal_container_http_gateway_host_bind_port and matrix_corporal_container_http_api_host_bind_port>'}
+    - {'old': 'matrix_corporal_reconciliation_user_id_local_part', 'new': 'matrix_corporal_corporal_user_id_local_part'}
--- a/roles/matrix-corporal/templates/config.json.j2
+++ b/roles/matrix-corporal/templates/config.json.j2
@ -7,14 +7,20 @@
 		"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
 	},

+	"Corporal": {
+		"UserID": "@{{ matrix_corporal_corporal_user_id_local_part }}:{{ matrix_domain }}"
+	},
+
 	"Reconciliation": {
-		"UserId": "@{{ matrix_corporal_reconciliation_user_id_local_part }}:{{ matrix_domain }}",
 		"RetryIntervalMilliseconds": {{ matrix_corporal_reconciliation_retry_interval_milliseconds }}
 	},

 	"HttpGateway": {
 		"ListenAddress": "0.0.0.0:41080",
-		"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }}
+		"TimeoutMilliseconds": {{ matrix_corporal_http_gateway_timeout_milliseconds }},
+		"InternalRESTAuth": {
+			"Enabled": {{ matrix_corporal_http_gateway_internal_rest_auth_enabled|to_json }}
+		}
 	},

 	"HttpApi": {
--- a/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
+++ b/roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-corporal
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-corporal

--- a/roles/matrix-coturn/defaults/main.yml
+++ b/roles/matrix-coturn/defaults/main.yml
@ -3,7 +3,7 @@ matrix_coturn_enabled: true
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/instrumentisto/coturn-docker-image.git"

-matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.1.3"
+matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}instrumentisto/coturn:4.5.2"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else 'docker.io/' }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

--- a/roles/matrix-coturn/tasks/init.yml
+++ b/roles/matrix-coturn/tasks/init.yml
@ -1,7 +1,11 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn.service'] }}"
  when: matrix_coturn_enabled|bool

+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-coturn-reload.timer'] }}"
+  when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
+
 # ansible lower than 2.8, does not support docker_image build parameters
 # for self buildig it is explicitly needed, so we rather fail here
 - name: Fail if running on Ansible lower than 2.8 and trying self building
--- a/roles/matrix-coturn/tasks/main.yml
+++ b/roles/matrix-coturn/tasks/main.yml
@ -8,8 +8,14 @@
    - setup-all
    - setup-coturn

- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
-  when: run_setup|bool
+- import_tasks: "{{ role_path }}/tasks/setup_install.yml"
+  when: "run_setup|bool and matrix_coturn_enabled|bool"
+  tags:
+    - setup-all
+    - setup-coturn
+
+- import_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+  when: "run_setup|bool and not matrix_coturn_enabled|bool"
  tags:
    - setup-all
    - setup-coturn
--- a/roles/matrix-coturn/tasks/setup_coturn.yml
+++ b/roles/matrix-coturn/tasks/setup_coturn.yml
@ -1,137 +0,0 @@
---
-
-#
-# Tasks related to setting up Coturn
-#
-
- name: Ensure Matrix Coturn path exists
-  file:
-    path: "{{ item.path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  with_items:
-    - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
-  when: matrix_coturn_enabled|bool and item.when
-
- name: Ensure Coturn image is pulled
-  docker_image:
-    name: "{{ matrix_coturn_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
-  when: matrix_coturn_enabled|bool and not matrix_coturn_container_image_self_build
-
- name: Ensure Coturn repository is present on self-build
-  git:
-    repo: "{{ matrix_coturn_container_image_self_build_repo }}"
-    dest: "{{ matrix_coturn_docker_src_files_path }}"
-    version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
-    force: "yes"
-  register: matrix_coturn_git_pull_results
-  when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build"
-
- name: Ensure Coturn Docker image is built
-  docker_image:
-    name: "{{ matrix_coturn_docker_image }}"
-    source: build
-    force_source: "{{ matrix_coturn_git_pull_results.changed }}"
-    build:
-      dockerfile: Dockerfile
-      path: "{{ matrix_coturn_docker_src_files_path }}"
-      pull: yes
-  when: "matrix_coturn_enabled|bool and matrix_coturn_container_image_self_build|bool"
-
- name: Ensure Coturn configuration path exists
-  file:
-    path: "{{ matrix_coturn_base_path }}"
-    state: directory
-    mode: 0750
-    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_groupname }}"
-  when: matrix_coturn_enabled|bool
-
- name: Ensure turnserver.conf installed
-  template:
-    src: "{{ role_path }}/templates/turnserver.conf.j2"
-    dest: "{{ matrix_coturn_config_path }}"
-    mode: 0644
-  when: matrix_coturn_enabled|bool
-
- name: Ensure Coturn network is created in Docker
-  docker_network:
-    name: "{{ matrix_coturn_docker_network }}"
-    driver: bridge
-  when: matrix_coturn_enabled|bool
-
- name: Ensure matrix-coturn.service installed
-  template:
-    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
-    dest: "{{ matrix_systemd_path }}/matrix-coturn.service"
-    mode: 0644
-  register: matrix_coturn_systemd_service_result
-  when: matrix_coturn_enabled|bool
-
- name: Ensure systemd reloaded after matrix-coturn.service installation
-  service:
-    daemon_reload: yes
-  when: "matrix_coturn_enabled|bool and matrix_coturn_systemd_service_result.changed"
-
-# This may be unnecessary when more long-lived certificates are used.
-# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
-# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
- name: Ensure periodic reloading of matrix-coturn is configured for SSL renewal (matrix-coturn-reload)
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-coturn-ssl-reload.j2"
-    dest: /etc/cron.d/matrix-coturn-ssl-reload
-    mode: 0644
-  when: "matrix_coturn_enabled|bool and matrix_coturn_tls_enabled|bool"
-
-
-#
-# Tasks related to getting rid of Coturn (if it was previously enabled)
-#
-
- name: Ensure matrix-coturn-ssl-reload cronjob removed
-  file:
-    path: /etc/cron.d/matrix-coturn-ssl-reload
-    state: absent
-  when: "not matrix_coturn_enabled|bool or not matrix_coturn_tls_enabled|bool"
-
- name: Check existence of matrix-coturn service
-  stat:
-    path: "{{ matrix_systemd_path }}/matrix-coturn.service"
-  register: matrix_coturn_service_stat
-  when: "not matrix_coturn_enabled|bool"
-
- name: Ensure matrix-coturn is stopped
-  service:
-    name: matrix-coturn
-    state: stopped
-    daemon_reload: yes
-  register: stopping_result
-  when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
-
- name: Ensure matrix-coturn.service doesn't exist
-  file:
-    path: "{{ matrix_systemd_path }}/matrix-coturn.service"
-    state: absent
-  when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
-
- name: Ensure systemd reloaded after matrix-coturn.service removal
-  service:
-    daemon_reload: yes
-  when: "not matrix_coturn_enabled|bool and matrix_coturn_service_stat.stat.exists"
-
- name: Ensure Matrix coturn paths don't exist
-  file:
-    path: "{{ matrix_coturn_base_path }}"
-    state: absent
-  when: "not matrix_coturn_enabled|bool"
-
- name: Ensure coturn Docker image doesn't exist
-  docker_image:
-    name: "{{ matrix_coturn_docker_image }}"
-    state: absent
-  when: "not matrix_coturn_enabled|bool"
--- a/roles/matrix-coturn/tasks/setup_install.yml
+++ b/roles/matrix-coturn/tasks/setup_install.yml
@ -0,0 +1,104 @@
+---
+
+# This is a cleanup/migration task. It can be removed some time in the future.
+- name: (Migration) Remove deprecated cronjob
+  file:
+    path: "{{ matrix_cron_path }}/matrix-coturn-ssl-reload"
+    state: absent
+
+- name: Ensure Matrix Coturn path exists
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
+  when: "item.when|bool"
+
+- name: Ensure Coturn image is pulled
+  docker_image:
+    name: "{{ matrix_coturn_docker_image }}"
+    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+    force_source: "{{ matrix_coturn_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_coturn_docker_image_force_pull }}"
+  when: "not matrix_coturn_container_image_self_build|bool"
+
+- block:
+    - name: Ensure Coturn repository is present on self-build
+      git:
+        repo: "{{ matrix_coturn_container_image_self_build_repo }}"
+        dest: "{{ matrix_coturn_docker_src_files_path }}"
+        version: "{{ matrix_coturn_docker_image.split(':')[1] }}"
+        force: "yes"
+      register: matrix_coturn_git_pull_results
+
+    - name: Ensure Coturn Docker image is built
+      docker_image:
+        name: "{{ matrix_coturn_docker_image }}"
+        source: build
+        force_source: "{{ matrix_coturn_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ matrix_coturn_docker_src_files_path }}"
+          pull: yes
+  when: "matrix_coturn_container_image_self_build|bool"
+
+- name: Ensure Coturn configuration path exists
+  file:
+    path: "{{ matrix_coturn_base_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure turnserver.conf installed
+  template:
+    src: "{{ role_path }}/templates/turnserver.conf.j2"
+    dest: "{{ matrix_coturn_config_path }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+
+- name: Ensure Coturn network is created in Docker
+  docker_network:
+    name: "{{ matrix_coturn_docker_network }}"
+    driver: bridge
+
+- name: Ensure matrix-coturn.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
+    dest: "{{ matrix_systemd_path }}/matrix-coturn.service"
+    mode: 0644
+  register: matrix_coturn_systemd_service_change_results
+
+# This may be unnecessary when more long-lived certificates are used.
+# We optimize for the common use-case though (short-lived Let's Encrypt certificates).
+# Reloading doesn't hurt anyway, so there's no need to make this more flexible.
+- name: Ensure reloading systemd units installed, if necessary
+  template:
+    src: "{{ role_path }}/templates/systemd/{{ item }}.j2"
+    dest: "{{ matrix_systemd_path }}/{{ item }}"
+    mode: 0644
+  register: "matrix_coturn_systemd_service_change_results"
+  when: "matrix_coturn_tls_enabled|bool"
+  with_items:
+    - matrix-coturn-reload.service
+    - matrix-coturn-reload.timer
+
+# A similar task exists in `setup_uninstall.yml`
+- name: Ensure reloading systemd units uninstalled, if unnecessary
+  file:
+    path: "{{ item }}"
+    state: absent
+  register: "matrix_coturn_systemd_service_change_results"
+  when: "not matrix_coturn_tls_enabled|bool"
+  with_items:
+    - matrix-coturn-reload.service
+    - matrix-coturn-reload.timer
+
+- name: Ensure systemd reloaded if systemd units changed
+  service:
+    daemon_reload: yes
+  when: "matrix_coturn_systemd_service_change_results.changed"
--- a/roles/matrix-coturn/tasks/setup_uninstall.yml
+++ b/roles/matrix-coturn/tasks/setup_uninstall.yml
@ -0,0 +1,47 @@
+---
+
+- name: Check existence of matrix-coturn service
+  stat:
+    path: "{{ matrix_systemd_path }}/matrix-coturn.service"
+  register: matrix_coturn_service_stat
+  when: "not matrix_coturn_enabled|bool"
+
+- name: Ensure matrix-coturn is stopped
+  service:
+    name: matrix-coturn
+    state: stopped
+    daemon_reload: yes
+  when: "matrix_coturn_service_stat.stat.exists|bool"
+
+- name: Ensure matrix-coturn-reload.timer is stopped
+  service:
+    name: matrix-coturn
+    state: stopped
+    daemon_reload: yes
+  failed_when: false
+  when: "matrix_coturn_service_stat.stat.exists|bool"
+
+- name: Ensure systemd units don't exist
+  file:
+    path: "{{ matrix_systemd_path }}/{{ item }}"
+    state: absent
+  register: matrix_coturn_systemd_unit_uninstallation_result
+  with_items:
+    - matrix-coturn.service
+    - matrix-coturn-reload.service
+    - matrix-coturn-reload.timer
+
+- name: Ensure systemd reloaded after unit removal
+  service:
+    daemon_reload: yes
+  when: "matrix_coturn_systemd_unit_uninstallation_result.changed|bool"
+
+- name: Ensure Matrix coturn paths don't exist
+  file:
+    path: "{{ matrix_coturn_base_path }}"
+    state: absent
+
+- name: Ensure coturn Docker image doesn't exist
+  docker_image:
+    name: "{{ matrix_coturn_docker_image }}"
+    state: absent
--- a/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
+++ b/roles/matrix-coturn/templates/cron.d/matrix-coturn-ssl-reload.j2
@ -1 +0,0 @@
-20 4 */5 * * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.service.j2
@ -0,0 +1,6 @@
+[Unit]
+Description=Reloads matrix-coturn so that new SSL certificates can kick in
+
+[Service]
+Type=oneshot
+ExecStart={{ matrix_host_command_systemctl }} reload matrix-coturn.service
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn-reload.timer.j2
@ -0,0 +1,10 @@
+[Unit]
+Description=Reloads matrix-coturn periodically so that new SSL certificates can kick in
+
+[Timer]
+Unit=matrix-coturn-reload.service
+OnCalendar=Sunday *-*-* 13:00:00
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
--- a/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
+++ b/roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-coturn
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-coturn

--- a/roles/matrix-dimension/tasks/init.yml
+++ b/roles/matrix-dimension/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dimension.service'] }}"
  when: matrix_dimension_enabled|bool
--- a/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
+++ b/roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dimension
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dimension

--- a/roles/matrix-dynamic-dns/tasks/init.yml
+++ b/roles/matrix-dynamic-dns/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-dynamic-dns.service'] }}"
  when: "matrix_dynamic_dns_enabled|bool"
--- a/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2
+++ b/roles/matrix-dynamic-dns/templates/systemd/matrix-dynamic-dns.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-dynamic-dns
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-dynamic-dns
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-dynamic-dns \
--- a/roles/matrix-email2matrix/tasks/init.yml
+++ b/roles/matrix-email2matrix/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-email2matrix.service'] }}"
  when: matrix_email2matrix_enabled|bool
--- a/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2
+++ b/roles/matrix-email2matrix/templates/systemd/matrix-email2matrix.service.j2
@ -7,6 +7,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-email2matrix
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-email2matrix

--- a/roles/matrix-jitsi/tasks/init.yml
+++ b/roles/matrix-jitsi/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web', 'matrix-jitsi-prosody', 'matrix-jitsi-jicofo', 'matrix-jitsi-jvb'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-jitsi-web.service', 'matrix-jitsi-prosody.service', 'matrix-jitsi-jicofo.service', 'matrix-jitsi-jvb.service'] }}"
  when: matrix_jitsi_enabled|bool
--- a/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
+++ b/roles/matrix-jitsi/templates/jicofo/matrix-jitsi-jicofo.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jicofo
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jicofo

--- a/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
+++ b/roles/matrix-jitsi/templates/jvb/matrix-jitsi-jvb.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-jvb
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-jvb

--- a/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
+++ b/roles/matrix-jitsi/templates/prosody/matrix-jitsi-prosody.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-prosody
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-prosody

--- a/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
+++ b/roles/matrix-jitsi/templates/web/matrix-jitsi-web.service.j2
@ -9,6 +9,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-jitsi-web
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-jitsi-web

--- a/roles/matrix-ma1sd/defaults/main.yml
+++ b/roles/matrix-ma1sd/defaults/main.yml
@ -5,10 +5,13 @@ matrix_ma1sd_enabled: true

 matrix_ma1sd_container_image_self_build: false
 matrix_ma1sd_container_image_self_build_repo: "https://github.com/ma1uta/ma1sd.git"
+matrix_ma1sd_container_image_self_build_branch: "{{ matrix_ma1sd_version }}"

 matrix_ma1sd_architecture: "amd64"

-matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:2.4.0-{{ matrix_ma1sd_architecture }}"
+matrix_ma1sd_version: "2.4.0"
+
+matrix_ma1sd_docker_image: "{{ matrix_ma1sd_docker_image_name_prefix }}ma1uta/ma1sd:{{ matrix_ma1sd_version }}-{{ matrix_ma1sd_architecture }}"
 matrix_ma1sd_docker_image_name_prefix: "{{ 'localhost/' if matrix_ma1sd_container_image_self_build else 'docker.io/' }}"
 matrix_ma1sd_docker_image_force_pull: "{{ matrix_ma1sd_docker_image.endswith(':latest') }}"

--- a/roles/matrix-ma1sd/tasks/init.yml
+++ b/roles/matrix-ma1sd/tasks/init.yml
@ -1,5 +1,5 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-ma1sd.service'] }}"
  when: matrix_ma1sd_enabled|bool

 # ansible lower than 2.8, does not support docker_image build parameters
--- a/roles/matrix-ma1sd/tasks/setup_install.yml
+++ b/roles/matrix-ma1sd/tasks/setup_install.yml
@ -79,21 +79,24 @@
    git:
      repo: "{{ matrix_ma1sd_container_image_self_build_repo }}"
      dest: "{{ matrix_ma1sd_docker_src_files_path }}"
-      version: "{{ matrix_ma1sd_docker_image.split(':')[1].split('-')[0] }}"
+      version: "{{ matrix_ma1sd_container_image_self_build_branch }}"
      force: "yes"
    register: matrix_ma1sd_git_pull_results

  - name: Ensure ma1sd Docker image is built
-    shell: "./gradlew dockerBuild"
+    shell: "DOCKER_BUILDKIT=1 ./gradlew dockerBuild"
    args:
      chdir: "{{ matrix_ma1sd_docker_src_files_path }}"

  - name: Ensure ma1sd Docker image is tagged correctly
    docker_image:
-      # The build script always tags the image with something like `ma1uta/ma1sd:2.4.0`.
-      # Remove the `-{{ matrix_ma1sd_architecture }}` suffix and our `localhost/` prefix (applied when self-building)
-      # to get to what has actually been built, so we can retag it as `{{ matrix_ma1sd_docker_image }}`.
-      name: "{{ matrix_ma1sd_docker_image.split('-')[0].replace('localhost/', '') }}"
+      # The build script always tags the image with 2 tags:
+      # - based on the branch/version: e.g. `ma1uta/ma1sd:2.4.0` (when on `2.4.0`)
+      #   or `ma1uta/ma1sd:2.4.0-19-ga71d32b` (when on a given commit for a pre-release)
+      # - generic one: `ma1uta/ma1sd:latest-dev`
+      #
+      # It's hard to predict the first one, so we'll use the latter.
+      name: "ma1uta/ma1sd:latest-dev"
      repository: "{{ matrix_ma1sd_docker_image }}"
      force_tag: yes
      source: local
--- a/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
+++ b/roles/matrix-ma1sd/templates/systemd/matrix-ma1sd.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-ma1sd
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-ma1sd

--- a/roles/matrix-mailer/defaults/main.yml
+++ b/roles/matrix-mailer/defaults/main.yml
@ -7,7 +7,7 @@ matrix_mailer_container_image_self_build_repository_url: "https://github.com/dev
 matrix_mailer_container_image_self_build_src_files_path: "{{ matrix_mailer_base_path }}/docker-src"
 matrix_mailer_container_image_self_build_version: "{{ matrix_mailer_docker_image.split(':')[1] }}"

-matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93.1-r0"
+matrix_mailer_docker_image: "{{ matrix_mailer_docker_image_name_prefix }}devture/exim-relay:4.93-r1"
 matrix_mailer_docker_image_name_prefix: "{{ 'localhost/' if matrix_mailer_container_image_self_build else 'docker.io/' }}"
 matrix_mailer_docker_image_force_pull: "{{ matrix_mailer_docker_image.endswith(':latest') }}"

@ -19,6 +19,8 @@ matrix_mailer_container_user_gid: 101
 # A list of extra arguments to pass to the container
 matrix_mailer_container_extra_arguments: []

+matrix_mailer_hostname: "{{ matrix_server_fqn_matrix }}"
+
 matrix_mailer_sender_address: "matrix@{{ matrix_domain }}"
 matrix_mailer_relay_use: false
 matrix_mailer_relay_host_name: "mail.example.com"
--- a/roles/matrix-mailer/tasks/init.yml
+++ b/roles/matrix-mailer/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-mailer.service'] }}"
  when: matrix_mailer_enabled|bool
--- a/roles/matrix-mailer/templates/env-mailer.j2
+++ b/roles/matrix-mailer/templates/env-mailer.j2
@ -6,3 +6,4 @@ SMARTHOST={{ matrix_mailer_relay_host_name }}::{{ matrix_mailer_relay_host_port
 SMTP_USERNAME={{ matrix_mailer_relay_auth_username }}
 SMTP_PASSWORD={{ matrix_mailer_relay_auth_password }}
 {% endif %}
+HOSTNAME={{ matrix_mailer_hostname }}
--- a/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
+++ b/roles/matrix-mailer/templates/systemd/matrix-mailer.service.j2
@ -7,9 +7,12 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-mailer
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-mailer

+# --hostname gives us a friendlier hostname than the default.
+# The real hostname is passed via a `HOSTNAME` environment variable though.
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-mailer \
 			--log-driver=none \
 			--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -215,10 +215,6 @@ matrix_nginx_proxy_proxy_jitsi_additional_server_configuration_blocks: []
 # A list of strings containing additional configuration blocks to add to the base domain server configuration.
 matrix_nginx_proxy_proxy_domain_additional_server_configuration_blocks: []

-# Specifies when to reload the matrix-nginx-proxy service so that
-# a new SSL certificate could go into effect.
-matrix_nginx_proxy_reload_cron_time_definition: "20 4 */5 * *"
-
 # Specifies the SSL configuration that should be used for the SSL protocols and ciphers
 # This is based on the Mozilla Server Side TLS Recommended configurations.
 #
--- a/roles/matrix-nginx-proxy/tasks/init.yml
+++ b/roles/matrix-nginx-proxy/tasks/init.yml
@ -1,3 +1,8 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-nginx-proxy.service'] }}"
  when: matrix_nginx_proxy_enabled|bool
+
+- set_fact:
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + [item.name] }}"
+  when: "item.applicable|bool and item.enableable|bool"
+  with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
@ -10,71 +10,56 @@
    - "{{ matrix_local_bin_path }}/matrix-ssl-certificates-renew"
    - "{{ matrix_cron_path }}/matrix-ssl-certificate-renewal"
    - "{{ matrix_cron_path }}/matrix-nginx-proxy-periodic-restarter"
-
+    - "/etc/cron.d/matrix-ssl-lets-encrypt"
+    - "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"

 #
 # Tasks related to setting up Let's Encrypt's management of certificates
 #

- name: (Deprecation) Catch and report renamed settings
-  fail:
-    msg: >-
-      Your configuration contains a variable, which now has a different name.
-      Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
-  with_items:
-    - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
-    - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
-  when: "matrix_ssl_retrieval_method == 'lets-encrypt' and item.old in vars"
+- block:
+    - name: Ensure certbot Docker image is pulled
+      docker_image:
+        name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+        force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"

- name: Fail if required variables are undefined
-  fail:
-    msg: "Detected an undefined required variable"
-  with_items:
-    - "matrix_ssl_lets_encrypt_support_email"
-  when: "matrix_ssl_retrieval_method == 'lets-encrypt' and vars[item] is none"
+    - name: Obtain Let's Encrypt certificates
+      include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
+      with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
+      loop_control:
+        loop_var: domain_name

- name: Ensure certbot Docker image is pulled
-  docker_image:
-    name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
-    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
-    force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
+    - name: Ensure Let's Encrypt SSL renewal script installed
+      template:
+        src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
+        dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        mode: 0750
+
+    - name: Ensure SSL renewal systemd units installed
+      template:
+        src: "{{ role_path }}/templates/systemd/{{ item.name }}.j2"
+        dest: "{{ matrix_systemd_path }}/{{ item.name }}"
+        mode: 0644
+      when: "item.applicable|bool"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"
  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

- name: Obtain Let's Encrypt certificates
-  include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
-  with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
-  loop_control:
-    loop_var: domain_name
-  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
-
- name: Ensure Let's Encrypt SSL renewal script installed
-  template:
-    src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2"
-    dest: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
-    mode: 0750
-  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
-
- name: Ensure periodic SSL renewal cronjob configured
-  template:
-    src: "{{ role_path }}/templates/cron.d/matrix-ssl-lets-encrypt.j2"
-    dest: /etc/cron.d/matrix-ssl-lets-encrypt
-    mode: 0644
-  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
-
-
 #
 # Tasks related to getting rid of Let's Encrypt's management of certificates
 #

- name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
-  file:
-    path: /etc/cron.d/matrix-ssl-lets-encrypt
-    state: absent
-  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
+- block:
+    - name: Ensure matrix-ssl-lets-encrypt-renew cronjob removed
+      file:
+        path: "{{ matrix_systemd_path }}/{{ item.name }}"
+        state: absent
+      when: "{{ not item.applicable }}"
+      with_items: "{{ matrix_ssl_renewal_systemd_units_list }}"

- name: Ensure Let's Encrypt SSL renewal script removed
-  file:
-    path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
-    state: absent
+    - name: Ensure Let's Encrypt SSL renewal script removed
+      file:
+        path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
+        state: absent
  when: "matrix_ssl_retrieval_method != 'lets-encrypt'"
--- a/roles/matrix-nginx-proxy/tasks/validate_config.yml
+++ b/roles/matrix-nginx-proxy/tasks/validate_config.yml
@ -12,6 +12,8 @@
    # People who configured this to disable Riot, would now wish to be disabling Element.
    # We now also have `matrix_nginx_proxy_proxy_riot_compat_redirect_`, but that's something else and is disabled by default.
    - {'old': 'matrix_nginx_proxy_proxy_riot_enabled', 'new': 'matrix_nginx_proxy_proxy_element_enabled'}
+    - {'old': 'matrix_ssl_lets_encrypt_renew_cron_time_definition', 'new': '<not configurable anymore>'}
+    - {'old': 'matrix_nginx_proxy_reload_cron_time_definition', 'new': '<not configurable anymore>'}

 - name: Fail on unknown matrix_ssl_retrieval_method
  fail:
@ -24,3 +26,22 @@
    msg: >-
      `matrix_nginx_proxy_ssl_preset` needs to be set to a known value.
  when: "matrix_nginx_proxy_ssl_preset not in ['modern', 'intermediate', 'old']"
+
+- block:
+    - name: (Deprecation) Catch and report renamed settings
+      fail:
+        msg: >-
+          Your configuration contains a variable, which now has a different name.
+          Please change your configuration to rename the variable (`{{ item.old }}` -> `{{ item.new }}`).
+      with_items:
+        - {'old': 'host_specific_matrix_ssl_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+        - {'old': 'host_specific_matrix_ssl_lets_encrypt_support_email', 'new': 'matrix_ssl_lets_encrypt_support_email'}
+      when: "item.old in vars"
+
+    - name: Fail if required variables are undefined
+      fail:
+        msg: "Detected an undefined required variable"
+      with_items:
+        - "matrix_ssl_lets_encrypt_support_email"
+      when: "vars[item] is none"
+  when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
--- a/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2
+++ b/roles/matrix-nginx-proxy/templates/cron.d/matrix-ssl-lets-encrypt.j2
@ -1,5 +0,0 @@
-MAILTO="{{ matrix_ssl_lets_encrypt_support_email }}"
-15 4 * * * root {{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
-{% if matrix_nginx_proxy_enabled %}
-20 5 * * * root {{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
-{% endif %}
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
@ -12,6 +12,7 @@ DefaultDependencies=no

 [Service]
 Type=simple
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
 ExecStartPre=-{{ matrix_host_command_docker }} kill matrix-nginx-proxy
 ExecStartPre=-{{ matrix_host_command_docker }} rm matrix-nginx-proxy

--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.service.j2
@ -0,0 +1,7 @@
+[Unit]
+Description=Renews Let's Encrypt SSL certificates
+
+[Service]
+Type=oneshot
+Environment="HOME={{ matrix_systemd_unit_home_path }}"
+ExecStart={{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-lets-encrypt-certificates-renew.timer.j2
@ -0,0 +1,10 @@
+[Unit]
+Description=Renews Let's Encrypt SSL certificates periodically
+
+[Timer]
+Unit=matrix-ssl-lets-encrypt-certificates-renew.service
+OnCalendar=Sunday *-*-* 05:00:00
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.service.j2
@ -0,0 +1,6 @@
+[Unit]
+Description=Reloads matrix-nginx-proxy so that new SSL certificates can kick in
+
+[Service]
+Type=oneshot
+ExecStart={{ matrix_host_command_systemctl }} reload matrix-nginx-proxy.service
--- a/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2
+++ b/roles/matrix-nginx-proxy/templates/systemd/matrix-ssl-nginx-proxy-reload.timer.j2
@ -0,0 +1,10 @@
+[Unit]
+Description=Reloads matrix-nginx-proxy periodically so that new SSL certificates can kick in
+
+[Timer]
+Unit=matrix-ssl-nginx-proxy-reload.service
+OnCalendar=Sunday *-*-* 13:00:00
+RandomizedDelaySec=3h
+
+[Install]
+WantedBy=timers.target
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@ -24,7 +24,6 @@ docker run \
 		{% if matrix_ssl_lets_encrypt_staging %}
 			--staging \
 		{% endif %}
-		--quiet \
 		--standalone \
 		--preferred-challenges http \
 		--agree-tos \
--- a/roles/matrix-nginx-proxy/vars/main.yml
+++ b/roles/matrix-nginx-proxy/vars/main.yml
@ -1,4 +1,18 @@
 ---

 # Tells whether this role had executed or not. Toggled to `true` during runtime.
-matrix_nginx_proxy_role_executed: false
+matrix_nginx_proxy_role_executed: false
+
+matrix_ssl_renewal_systemd_units_list:
+  - name: matrix-ssl-lets-encrypt-certificates-renew.service
+    applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
+    enableable: false
+  - name: matrix-ssl-lets-encrypt-certificates-renew.timer
+    applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' }}"
+    enableable: true
+  - name: matrix-ssl-nginx-proxy-reload.service
+    applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
+    enableable: false
+  - name: matrix-ssl-nginx-proxy-reload.timer
+    applicable: "{{ matrix_ssl_retrieval_method == 'lets-encrypt' and matrix_nginx_proxy_enabled|bool }}"
+    enableable: true
--- a/roles/matrix-postgres/tasks/init.yml
+++ b/roles/matrix-postgres/tasks/init.yml
@ -1,3 +1,3 @@
 - set_fact:
-    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
+    matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres.service'] }}"
  when: matrix_postgres_enabled|bool
--- a/Show more
+++ b/Show more
				`@ -1 +0,0 @@`
				`20 4 /5 * root {{ matrix_host_command_systemctl }} reload matrix-coturn.service`