Merge branch 'master' into pub.solar

teutat3s 2020-05-09 14:25:26 +02:00
commit a00e600d28
Signed by: teutat3s
GPG key ID: 18DAE600A6BBE705
51 changed files with 248 additions and 113 deletions

View file

@ -4,11 +4,14 @@
If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
## Prerequisites
This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`.
Other important prerequisite is the `dimension.<your-domain>` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
## Enable
[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
@ -17,23 +20,31 @@ matrix_dimension_enabled: true
## Define admin users
These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon.
Add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
```yaml
matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com']
matrix_dimension_admins:
- "@user1:{{ matrix_domain }}"
- "@user2:{{ matrix_domain }}"
```
## Access token
You are required to specify an access token for Dimension to work.
To get an access token, follow these steps:
We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username).
Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**.
You are required to specify an access token (belonging to this new user) for Dimension to work.
To get an access token for the Dimension user, follow these steps:
1. In a private browsing session (incognito window), open Riot.
2. It's preferable to use a dedicated user for the access token, so create and log in with that user's username and password.
3. Set the display name and avatar, if required.
4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: <click to reveal>`.
5. Copy the highlighted text to your configuration.
6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
2. Log in with the `dimension` user and its password.
1. Set the display name and avatar, if required.
2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: <click to reveal>`.
3. Copy the highlighted text to your configuration.
4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
**Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
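Review bot: the numbering of the rewritten step list is off: after "1. In a private browsing session" and the new "2. Log in with the `dimension` user and its password." the remaining added steps restart at "1. Set the display name", "2. In the settings page", "3. Copy", "4. Close". Markdown will renumber them sequentially on render, but the source should read 3 to 6 so the list matches the one it replaces. The rest of the change (dedicated non-admin `dimension` user, no logout so the token stays valid) is a good tightening of the token-handling advice.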
@ -45,12 +56,23 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE"
For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens).
## Installation
After these variables have been set, please run the following command to re-run setup and to restart Dimension:
```
ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
```
## Jitsi domain
By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details.
In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* &rightarrow; *Settings* &rightarrow; *Widgets* &rightarrow; *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately.
## Additional features
To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it.

View file

@ -4,7 +4,7 @@ The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing plat
Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services.
The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet).
The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). You can refer to the documentation there for many of the options here.
## Prerequisites
@ -34,13 +34,13 @@ matrix_jitsi_jibri_xmpp_password: ""
```
## (Optional) configure internal Jitsi authentication and guests mode
## (Optional) Configure Jitsi authentication and guests mode
By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room.
If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
@ -49,11 +49,28 @@ matrix_jitsi_enable_auth: true
matrix_jitsi_enable_guests: true
```
### (Optional) LDAP authentication
The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
```yaml
matrix_jitsi_enable_auth: true
matrix_jitsi_auth_type: ldap
matrix_jitsi_ldap_url: ldap://ldap.DOMAIN # or ldaps:// if using tls
matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))"
matrix_jitsi_ldap_use_tls: false
matrix_jitsi_ldap_start_tls: true
```
For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.
## (Optional) Making your Jitsi server work on a LAN
By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok.
The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add DOCKER_HOST_ADDRESS in enviornment variable to make it work.
The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work.
Here is how to do it in the playbook.
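Review bot: the LDAP example combines `matrix_jitsi_ldap_url: ldap://ldap.DOMAIN` with `matrix_jitsi_ldap_start_tls: true`, but the corresponding default `matrix_jitsi_ldap_tls_check_peer: false` (added in the role defaults in this same commit) means the directory server's certificate is not verified, so the STARTTLS session gives no protection against an impersonated LDAP server receiving the bind password and user credentials. Suggest adding `matrix_jitsi_ldap_tls_check_peer: true` to the example (with `matrix_jitsi_ldap_tls_cacert_file` pointing at the right CA bundle) and saying why. Separately, the rewritten LAN line still carries the typos from the old one ("the Jitsi VideoBridge git to LAN client" should be "gives the LAN client", "suggest" should be "suggests", "enviornment" should be "environment"); worth fixing while the line is being touched.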
@ -68,7 +85,7 @@ matrix_jitsi_jvb_container_extra_arguments:
Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
## Required if configuring Jitsi with its internal authentication: register new users
## Required if configuring Jitsi with internal authentication: register new users
Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
@ -84,9 +101,15 @@ Run this command for each user you would like to create, replacing `<USERNAME>`
## Usage
You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.
You can use the self-hosted Jitsi server in multiple ways:
To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
- **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default).
- **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN`
**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support).
## Troubleshooting

View file

@ -31,3 +31,12 @@ matrix_synapse_turn_uris:
- turn:HOSTNAME_OR_IP?transport=udp
- turn:HOSTNAME_OR_IP?transport=tcp
```
If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might want to enable the TURN server there too.
If you do not do it, Jitsi will fall back to an upstream service.
```yaml
matrix_jitsi_web_stun_servers:
- stun:HOSTNAME_OR_IP:PORT
```
You can put multiple host/port combinations if you like.
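Review bot: the prose says "enable the TURN server there too", but the variable being set is `matrix_jitsi_web_stun_servers` and the entry uses the `stun:` scheme, so what is configured is Jitsi's STUN server list (pointing at the same coturn host). Suggest rewording to "you might want to point Jitsi at your coturn server as its STUN server too", and noting which PORT is meant (the coturn listening port configured above for `turn:HOSTNAME_OR_IP`), so readers do not expect relay (TURN) behaviour from this setting.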

View file

@ -104,7 +104,7 @@ server {
</VirtualHost>
```
**For Caddy**, it would be something like this:
**For Caddy 2**, it would be something like this:
```caddy
reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
@ -112,6 +112,14 @@ reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
}
```
**For Caddy 1**, it would be something like this:
```caddy
proxy /.well-known/matrix/ https://matrix.DOMAIN {
header_upstream Host {http.reverse_proxy.upstream.hostport}
}
```
**For HAProxy**, it would be something like this:
```haproxy
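Review bot: the new Caddy 1 snippet uses a Caddy 2 placeholder: `{http.reverse_proxy.upstream.hostport}` is Caddy 2 syntax and does not exist in Caddy 1, where `header_upstream` takes v1 placeholders such as `{host}` or a literal value. Since the intent is to send the upstream's own host name, the Caddy 1 form should be `header_upstream Host matrix.DOMAIN` (a literal), matching what the Caddy 2 block above achieves with the placeholder.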

View file

@ -1,8 +1,10 @@
# Migrating to new server
1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime
2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*`
2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*`
3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)!
4. Make sure your DNS records are adjusted to point to the new server's IP address
5. Remove old server from the `inventory/hosts` file and add new server.
6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. This will create the matrix user and group and start all services on the new server
6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-system-user`. This will create the `matrix` user and group on the new server
7. Because the `matrix` user and group are created dynamically on each server, the user/group id may differ between the old and new server. We suggest that you adjust ownership of `/matrix` files manually by running this on the new server: `chown -R matrix:matrix /matrix`.
8. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` to finish the installation and start all services
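Review bot: step 7's `chown -R matrix:matrix /matrix` re-owns everything under `/matrix`, including files that individual services run under their own UID (the Dimension unit in this same commit adds an `ExecStartPre` chown fix-up for `dimension.db` precisely because a migration can leave it wrongly owned). The step should say that service-specific ownership may need to be restored afterwards, or restrict the chown to the paths that belong to the `matrix` user. Also, the unchanged step 1 still reads "leading ot less downtime" ("to"), and the step 2 line appears twice in this hunk without a visible difference; worth checking whether that is a whitespace-only change.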

View file

@ -22,8 +22,7 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
matrix_user_username: "matrix"
matrix_user_uid: 991
matrix_user_gid: 991
matrix_user_groupname: "matrix"
matrix_base_data_path: "/matrix"
matrix_base_data_path_mode: "750"

View file

@ -2,6 +2,11 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup|bool"
tags:
- setup-all
- import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml"
when: run_setup|bool
tags:
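Review bot: `validate_config.yml` is tagged `setup-all` only, so the new deprecation check for `matrix_user_uid`/`matrix_user_gid` is skipped on a run such as `--tags=setup-system-user` (the tag this same file introduces for `setup_matrix_user.yml`), even though user and group creation still runs there. Consider tagging the validation `always` (as `setup_matrix_user.yml` is) so that stale configuration is reported on every invocation that could be affected by it.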
@ -12,6 +17,14 @@
tags:
- setup-all
# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`,
# which are required by many other roles.
- import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
when: run_setup|bool
tags:
- always
- setup-system-user
- import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
when: run_setup|bool
tags:

View file

@ -1,25 +1,12 @@
---
- name: Ensure Matrix group is created
group:
name: "{{ matrix_user_username }}"
gid: "{{ matrix_user_gid }}"
state: present
- name: Ensure Matrix user is created
user:
name: "{{ matrix_user_username }}"
uid: "{{ matrix_user_uid }}"
state: present
group: "{{ matrix_user_username }}"
- name: Ensure Matrix base path exists
file:
path: "{{ item }}"
state: directory
mode: "{{ matrix_base_data_path_mode }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_base_data_path }}"
@ -54,4 +41,3 @@
src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2"
dest: "{{ matrix_local_bin_path }}/matrix-remove-all"
mode: 0750

View file

@ -0,0 +1,22 @@
---
- name: Ensure Matrix group is created
group:
name: "{{ matrix_user_groupname }}"
state: present
register: matrix_group
- name: Set Matrix Group GID Variable
set_fact:
matrix_user_gid: "{{ matrix_group.gid }}"
- name: Ensure Matrix user is created
user:
name: "{{ matrix_user_username }}"
state: present
group: "{{ matrix_user_groupname }}"
register: matrix_user
- name: Set Matrix Group UID Variable
set_fact:
matrix_user_uid: "{{ matrix_user.uid }}"
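Review bot: the task name on the second `set_fact` reads "Set Matrix Group UID Variable" but it sets `matrix_user_uid` from the user module's result; it should be "Set Matrix User UID Variable". On the substance: now that the uid/gid are no longer pinned (991 was removed from group_vars), consider `system: true` on both the `group` and `user` tasks so the account is created as a service account (system id range, no interactive login), and document that the resulting ids will differ between hosts, which is what the migration guide's chown step relies on.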

View file

@ -8,7 +8,7 @@
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
@ -18,7 +18,7 @@
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Matrix /.well-known/matrix/server file configured
template:
@ -26,7 +26,7 @@
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_well_known_matrix_server_enabled|bool
- name: Ensure Matrix /.well-known/matrix/server file deleted

View file

@ -0,0 +1,11 @@
---
- name: (Deprecation) Warn about unused user/group variables
fail:
msg: >
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore.
User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything.
when: "item in vars"
with_items:
- 'matrix_user_uid'
- 'matrix_user_gid'
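Review bot: `when: "item in vars"` only distinguishes user-supplied configuration from the playbook's own values because this task is imported before `setup_matrix_user.yml`, whose `set_fact` would otherwise place `matrix_user_uid` and `matrix_user_gid` into `vars` and make the check fail spuriously on the same host. That ordering dependency is not stated anywhere; add a comment here (or in `main.yml`) so that a later reordering of the imports does not turn this into a false positive.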

View file

@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_discord_base_path }}"
- "{{ matrix_appservice_discord_config_path }}"
@ -46,7 +46,7 @@
dest: "{{ matrix_appservice_discord_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure AppService Discord registration.yaml installed
copy:
@ -54,7 +54,7 @@
dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
# If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated.
# We intentionally suppress Ansible changes.

View file

@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_irc_base_path }}"
- "{{ matrix_appservice_irc_config_path }}"
@ -50,7 +50,7 @@
dest: "{{ matrix_appservice_irc_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Check if Appservice IRC passkey exists
stat:
@ -70,7 +70,7 @@
path: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
# Ideally, we'd like to generate the final registration.yaml file by ourselves.
#
@ -134,7 +134,7 @@
dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-appservice-irc.service installed
template:

View file

@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_slack_base_path }}"
- "{{ matrix_appservice_slack_config_path }}"
@ -25,7 +25,7 @@
dest: "{{ matrix_appservice_slack_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure appservice-slack registration.yaml installed
copy:
@ -33,7 +33,7 @@
dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-appservice-slack.service installed
template:

View file

@ -13,7 +13,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_appservice_webhooks_base_path }}"
- "{{ matrix_appservice_webhooks_config_path }}"
@ -25,7 +25,7 @@
dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Matrix Appservice webhooks schema.yml template exists
template:
@ -33,7 +33,7 @@
dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Matrix Appservice webhooks database.json template exists
template:
@ -41,7 +41,7 @@
dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure appservice-webhooks registration.yaml installed
copy:
@ -49,7 +49,7 @@
dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-appservice-webhooks.service installed
template:

View file

@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mautrix_facebook_base_path }}", when: true }
- { path: "{{ matrix_mautrix_facebook_config_path }}", when: true }
@ -73,7 +73,7 @@
dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure mautrix-facebook registration.yaml installed
copy:
@ -81,7 +81,7 @@
dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-mautrix-facebook.service installed
template:

View file

@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true }
- { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true }
@ -72,7 +72,7 @@
dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure mautrix-hangouts registration.yaml installed
copy:
@ -80,7 +80,7 @@
dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-mautrix-hangouts.service installed
template:

View file

@ -21,7 +21,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_mautrix_telegram_base_path }}"
- "{{ matrix_mautrix_telegram_config_path }}"
@ -50,7 +50,7 @@
dest: "{{ matrix_mautrix_telegram_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure mautrix-telegram registration.yaml installed
copy:
@ -58,7 +58,7 @@
dest: "{{ matrix_mautrix_telegram_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-mautrix-telegram.service installed
template:

View file

@ -21,7 +21,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_mautrix_whatsapp_base_path }}"
- "{{ matrix_mautrix_whatsapp_config_path }}"
@ -59,7 +59,7 @@
dest: "{{ matrix_mautrix_whatsapp_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure mautrix-whatsapp registration.yaml installed
copy:
@ -67,7 +67,7 @@
dest: "{{ matrix_mautrix_whatsapp_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-mautrix-whatsapp.service installed
template:

View file

@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true }
- { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true }
@ -42,6 +42,7 @@
docker_image:
name: "{{ matrix_mx_puppet_skype_docker_image }}"
source: build
force_source: yes
build:
dockerfile: Dockerfile
path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}"
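Review bot: `force_source: yes` makes the `docker_image` task rebuild the mx-puppet-skype image on every playbook run, so this task is never idempotent and every run pays a full build. If the goal is to pick up changes in the checked-out sources, consider conditioning it on the result of the preceding git checkout task (`register` it and use its `changed` flag) rather than forcing unconditionally.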
@ -71,7 +72,7 @@
dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure mx-puppet-skype skype-registration.yaml installed
copy:
@ -79,7 +80,7 @@
dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-mx-puppet-skype.service installed
template:

View file

@ -22,7 +22,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true }
- { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true }
@ -70,7 +70,7 @@
dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure mx-puppet-slack slack-registration.yaml installed
copy:
@ -78,7 +78,7 @@
dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-mx-puppet-slack.service installed
template:

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_corporal_config_dir_path }}"
- "{{ matrix_corporal_cache_dir_path }}"
@ -31,7 +31,7 @@
dest: "{{ matrix_corporal_config_dir_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_corporal_enabled|bool
- name: Ensure matrix-corporal.service installed

View file

@ -2,7 +2,7 @@ matrix_coturn_enabled: true
matrix_coturn_container_image_self_build: false
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2"
matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
# The Docker network that Coturn would be put into.

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
when: matrix_riot_web_enabled|bool and item.when
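Review bot: the `when` on this directory task checks `matrix_riot_web_enabled|bool and item.when`, but this is the coturn role and the task creates `matrix_coturn_docker_src_files_path`; the next task in the same file uses `matrix_coturn_enabled|bool`. This looks like a copy-paste leftover from the riot-web role and should be `matrix_coturn_enabled|bool and item.when`, otherwise enabling coturn self-build without riot-web silently skips creating the source directory.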
@ -47,7 +47,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_coturn_enabled|bool
- name: Ensure turnserver.conf installed

View file

@ -9,6 +9,9 @@ Type=simple
ExecStartPre=-/usr/bin/docker kill matrix-dimension
ExecStartPre=-/usr/bin/docker rm matrix-dimension
# Fixup database ownership if it got changed somehow (during a server migration, etc.)
ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db
ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
--log-driver=none \
--user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_email2matrix_base_path }}"
- "{{ matrix_email2matrix_config_dir_path }}"
@ -21,7 +21,7 @@
src: "{{ role_path }}/templates/config.json.j2"
dest: "{{ matrix_email2matrix_config_dir_path }}/config.json"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0640
when: matrix_email2matrix_enabled|bool

View file

@ -7,6 +7,28 @@ matrix_jitsi_enable_guests: false
matrix_jitsi_enable_recording: true
matrix_jitsi_enable_transcriptions: true
# Authentication type, must be one of internal, jwt or ldap. Currently only
# internal and ldap are supported by this playbook.
matrix_jitsi_auth_type: internal
# Configuration options for LDAP authentication. For details see upstream:
# https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
# Defaults are taken from:
# https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf
matrix_jitsi_ldap_url: ""
matrix_jitsi_ldap_base: ""
matrix_jitsi_ldap_binddn: ""
matrix_jitsi_ldap_bindpw: ""
matrix_jitsi_ldap_filter: "uid=%u"
matrix_jitsi_ldap_auth_method: "bind"
matrix_jitsi_ldap_version: "3"
matrix_jitsi_ldap_use_tls: false
matrix_jitsi_ldap_tls_ciphers: ""
matrix_jitsi_ldap_tls_check_peer: false
matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
matrix_jitsi_ldap_start_tls: false
matrix_jitsi_timezone: UTC
matrix_jitsi_xmpp_domain: matrix-jitsi-web
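Review bot: `matrix_jitsi_ldap_tls_check_peer: false` as the default means that with `matrix_jitsi_ldap_use_tls` or `matrix_jitsi_ldap_start_tls` enabled the LDAP server's certificate is never verified, so the bind password (`matrix_jitsi_ldap_bindpw`) and every user's credentials are sent to whichever host answers at `matrix_jitsi_ldap_url`. The comment says the values mirror upstream `saslauthd.conf`, which is fine as provenance, but the playbook default should be `true` (a CA bundle default is already provided in `matrix_jitsi_ldap_tls_cacert_file`), or at least the docs example should set it. Also, `matrix_jitsi_ldap_binddn`/`matrix_jitsi_ldap_bindpw` are empty by default while `matrix_jitsi_ldap_auth_method` is `bind`; a short comment on when a bind DN is required would help.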

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_base_path }}", when: true }
when: matrix_jitsi_enabled|bool and item.when

View file

@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true }
- { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true }

View file

@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_jvb_base_path }}", when: true }
- { path: "{{ matrix_jitsi_jvb_config_path }}", when: true }

View file

@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_prosody_base_path }}", when: true }
- { path: "{{ matrix_jitsi_prosody_config_path }}", when: true }
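Review bot: while this hunk only swaps the group variable, the unchanged `mode: 0777` on the prosody base and config directories deserves a look in the same change: the prosody environment rendered by this commit now contains `LDAP_BINDPW`, so a world-writable (and world-readable) config directory lets any local account read or replace it. The same `0777` appears on the jicofo, jvb and web directories in the neighbouring files. If the containers need write access, the fix is to run them as the `matrix` uid/gid (now available from `setup_matrix_user.yml`) and use `0750`, as the other roles in this commit do.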

View file

@ -10,7 +10,7 @@
state: directory
mode: 0777
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_jitsi_web_base_path }}", when: true }
- { path: "{{ matrix_jitsi_web_config_path }}", when: true }

View file

@ -1,8 +1,22 @@
AUTH_TYPE=internal
AUTH_TYPE={{ matrix_jitsi_auth_type }}
ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
LDAP_URL={{ matrix_jitsi_ldap_url }}
LDAP_BASE={{ matrix_jitsi_ldap_base }}
LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
LDAP_VERSION={{ matrix_jitsi_ldap_version }}
LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}
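Review bot: `LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}` writes the directory bind password in plaintext into the environment file, and all `LDAP_*` lines are emitted even when `AUTH_TYPE` is `internal`. Suggest wrapping the LDAP block in `{% if matrix_jitsi_auth_type == 'ldap' %}` ... `{% endif %}` so that the secret is only written when it is actually used, and making sure the task that installs this file sets a restrictive mode (`0640` owned by the matrix user), since the directory it lands in is currently created with `0777`.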

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_ma1sd_config_path }}", when: true }
- { path: "{{ matrix_ma1sd_data_path }}", when: true }
@ -69,7 +69,7 @@
dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_ma1sd_enabled|bool
- name: Ensure custom templates are installed if any
@ -78,7 +78,7 @@
dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
- {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_mailer_enabled|bool
- name: Ensure mailer environment variables file created

View file

@ -16,7 +16,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_nginx_proxy_base_path }}"
- "{{ matrix_nginx_proxy_data_path }}"
@ -34,7 +34,7 @@
src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
mode: 0400
when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"
@ -79,7 +79,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_nginx_proxy_base_domain_serving_enabled|bool
- name: Ensure Matrix nginx-proxy homepage for base domain exists
@ -88,7 +88,7 @@
dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool
- name: Ensure Matrix nginx-proxy configuration for base domain exists

View file

@ -11,7 +11,7 @@
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_static_files_base_path }}/.well-known/matrix"
@ -21,4 +21,4 @@
dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"

View file

@ -14,7 +14,7 @@
state: directory
mode: 0770
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: true
with_items:
- "{{ matrix_ssl_log_dir_path }}"
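Review bot: `recurse: true` combined with an octal `mode: 0770` applies that mode to every file under the log directory as well, which sets the execute bit on plain log files. Use the symbolic form `mode: "u=rwX,g=rwX,o="` so the execute bit is only applied to directories, or drop `recurse` and set the mode on the directory alone.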

View file

@ -17,7 +17,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
# The proper way to do this is by using a sequence of

View file

@ -50,7 +50,7 @@
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-postgres is started
service:

View file

@ -46,7 +46,7 @@
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "result_pg_old_data_dir_stat.stat.exists"
- block:

View file

@ -42,7 +42,7 @@
force: true
mode: 0550
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure matrix-postgres is started
service:

View file

@ -38,7 +38,7 @@
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- "{{ matrix_postgres_base_path }}"
- "{{ matrix_postgres_data_path }}"
@ -52,7 +52,7 @@
path: "{{ matrix_postgres_data_path }}"
state: directory
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: yes
when: matrix_postgres_enabled|bool

View file

@ -2,7 +2,7 @@ matrix_riot_web_enabled: true
matrix_riot_web_container_image_self_build: false
matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15"
matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0"
matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
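Review bot: the bump from `v1.5.15` to `v1.6.0` is a minor-version jump, so a pointer to the upstream release notes in the commit message or CHANGELOG would help operators who pin this variable. Note that `matrix_riot_web_docker_image_force_pull` only triggers for `:latest`, so a tag-only reference like this is served from the local image cache whenever an image with that tag already exists; for an exact version tag that is acceptable, but pinning by digest is the only way to guarantee identical bits across hosts.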

View file

@ -10,7 +10,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_riot_web_data_path }}", when: true }
- { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" }
@ -48,7 +48,7 @@
dest: "{{ matrix_riot_web_data_path }}/config.json"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: matrix_riot_web_enabled|bool
- name: Ensure Matrix riot-web config files installed
@ -57,7 +57,7 @@
dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
- {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"}

View file

@ -12,7 +12,7 @@
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- set_fact:
matrix_synapse_password_providers_enabled: true

View file

@ -12,7 +12,7 @@
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- set_fact:
matrix_synapse_password_providers_enabled: true

View file

@ -17,8 +17,8 @@
path: "{{ matrix_synapse_media_store_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_uid }}"
group: "{{ matrix_user_gid }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists"
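Review bot: switching `owner`/`group` from `matrix_user_uid`/`matrix_user_gid` to the username and groupname makes this task depend on the matrix user and group already existing on the host when it runs, which the numeric form did not. That is consistent with the rest of the diff, but check that this role's ordering after the base role (which creates the user) also holds for the `--tags` entry points; otherwise `file` fails with a user lookup error on a fresh host.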
- name: Ensure goofys environment variables file created

View file

@ -66,7 +66,7 @@
file:
path: "{{ matrix_synapse_media_store_path }}"
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
recurse: yes
when: "not matrix_s3_media_store_enabled|bool"
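Review bot: this recursive ownership pass over the whole media store runs on every playbook run and walks every stored file, which is slow on a large media store. Not introduced here, but since the task is being touched, consider guarding it with a stat on the directory's current owner, or limiting it to the first-time setup path, so routine runs do not re-chown the entire tree.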

View file

@ -6,7 +6,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
with_items:
- { path: "{{ matrix_synapse_config_dir_path }}", when: true }
- { path: "{{ matrix_synapse_run_path }}", when: true }

View file

@ -15,7 +15,7 @@
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
- name: Ensure Synapse repository is present on self-build
@ -79,7 +79,7 @@
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
group: "{{ matrix_user_groupname }}"
- name: Ensure Synapse log config installed
template: