Merge branch 'master' into pub.solar

docs/configuring-playbook-dimension.md

@@ -4,11 +4,14 @@
 If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.
 
 ## Prerequisites
+
 This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`.
 
 Other important prerequisite is the `dimension.<your-domain>` DNS record being set up correctly. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
 
+
 ## Enable
+
 [Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
 
 ```yaml
@@ -17,23 +20,31 @@ matrix_dimension_enabled: true
 
 
 ## Define admin users
+
 These users can modify the integrations this Dimension supports. Admin interface is accessible by opening Dimension in Riot and clicking the settings icon.
 Add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
 
 ```yaml
-matrix_dimension_admins: ['@user1:domain.com', '@user2:domain.com']
+matrix_dimension_admins:
+  - "@user1:{{ matrix_domain }}"
+  - "@user2:{{ matrix_domain }}"
 ```
 
+
 ## Access token
-You are required to specify an access token for Dimension to work.
+
-To get an access token, follow these steps:
+We recommend that you create a dedicated Matrix user for Dimension (`dimension` is a good username).
+Follow our [Registering users](registering-users.md) guide to learn how to register **a regular (non-admin) user**.
+
+You are required to specify an access token (belonging to this new user) for Dimension to work.
+To get an access token for the Dimension user, follow these steps:
 
 1. In a private browsing session (incognito window), open Riot.
-2. It's preferable to use a dedicated user for the access token, so create and log in with that user's username and password.
+2. Log in with the `dimension` user and its password.
-3. Set the display name and avatar, if required.
+1. Set the display name and avatar, if required.
-4. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: <click to reveal>`.
+2. In the settings page choose "Help & About", scroll down to the bottom and click `Access Token: <click to reveal>`.
-5. Copy the highlighted text to your configuration.
+3. Copy the highlighted text to your configuration.
-6. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
+4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.
 
 **Access tokens are sensitive information. Do not include them in any bug reports, messages, or logs. Do not share the access token with anyone.**
 
@@ -45,12 +56,23 @@ matrix_dimension_access_token: "YOUR ACCESS TOKEN HERE"
 
 For more information on how to acquire an access token, visit [https://t2bot.io/docs/access_tokens](https://t2bot.io/docs/access_tokens).
 
+
+## Installation
+
 After these variables have been set, please run the following command to re-run setup and to restart Dimension:
 
 ```
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 ```
 
+
+## Jitsi domain
+
+By default Dimension will use [jitsi.riot.im](https://jitsi.riot.im/) as the `conferenceDomain` of [Jitsi](https://jitsi.org/) audio/video conference widgets. For users running [a self-hosted Jitsi instance](./configuring-playbook-jitsi.md), you will likely want the widget to use your own Jitsi instance. Currently there is no way to configure this via the playbook, see [this issue](https://github.com/turt2live/matrix-dimension/issues/345) for details.
+
+In the interim until the above limitation is resolved, an admin user needs to configure the domain via the admin ui once dimension is running. In riot-web, go to *Manage Integrations* &rightarrow; *Settings* &rightarrow; *Widgets* &rightarrow; *Jitsi Conference Settings* and set *Jitsi Domain* and *Jitsi Script URL* appropriately.
+
+
 ## Additional features
 
 To use a more custom configuration, you can define a `matrix_dimension_configuration_extension_yaml` string variable and put your configuration in it.

docs/configuring-playbook-jitsi.md

@@ -4,7 +4,7 @@ The playbook can install the [Jitsi](https://jitsi.org/) video-conferencing plat
 
 Jitsi installation is **not enabled by default**, because it's not a core component of Matrix services.
 
-The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet).
+The setup done by the playbook is very similar to [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet). You can refer to the documentation there for many of the options here.
 
 
 ## Prerequisites
@@ -34,13 +34,13 @@ matrix_jitsi_jibri_xmpp_password: ""
 ```
 
 
-## (Optional) configure internal Jitsi authentication and guests mode
+## (Optional) Configure Jitsi authentication and guests mode
 
 By default the Jitsi Meet instance does not require any kind of login and is open to use for anyone without registration.
 
 If you're fine with such an open Jitsi instance, please skip to [Apply changes](#apply-changes).
 
-If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's `internal` authentication and guests mode. With this optional configuration, all meeting rooms have to be opened by at least one registered user, after that guests are free to join. If a registered host is not present yet, guests are put on hold into a waiting room.
+If you would like to control who is allowed to open meetings on your new Jitsi instance, then please follow this step to enable Jitsi's authentication and guests mode. With authentication enabled, all meeting rooms have to be opened by a registered user, after which guests are free to join. If a registered host is not yet present, guests are put on hold in individual waiting rooms.
 
 Add these two lines to your `inventory/host_vars/matrix.DOMAIN/vars.yml` configuration:
 
@@ -49,11 +49,28 @@ matrix_jitsi_enable_auth: true
 matrix_jitsi_enable_guests: true
 ```
 
+### (Optional) LDAP authentication
+
+The default authentication mode of Jitsi is `internal`, however LDAP is also supported. An example LDAP configuration could be:
+
+```yaml
+matrix_jitsi_enable_auth: true
+matrix_jitsi_auth_type: ldap
+matrix_jitsi_ldap_url: ldap://ldap.DOMAIN  # or ldaps:// if using tls
+matrix_jitsi_ldap_base: "OU=People,DC=DOMAIN"
+matrix_jitsi_ldap_filter: "(&(uid=%u)(employeeType=active))"
+matrix_jitsi_ldap_use_tls: false
+matrix_jitsi_ldap_start_tls: true
+```
+
+For more information refer to the [docker-jitsi-meet](https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap) and the [saslauthd `LDAP_SASLAUTHD`](https://github.com/winlibs/cyrus-sasl/blob/master/saslauthd/LDAP_SASLAUTHD) documentation.
+
+
 ## (Optional) Making your Jitsi server work on a LAN
 
 By default the Jitsi Meet instance does not work with a client in LAN (Local Area Network), even if others are connected from WAN. There are no video and audio. In the case of WAN to WAN everything is ok.
 
-The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add DOCKER_HOST_ADDRESS in enviornment variable to make it work.
+The reason is the Jitsi VideoBridge git to LAN client the IP address of the docker image instead of the host. The [documentation](https://github.com/jitsi/docker-jitsi-meet#running-behind-nat-or-on-a-lan-environment) of Jitsi in docker suggest to add `DOCKER_HOST_ADDRESS` in enviornment variable to make it work.
 
 Here is how to do it in the playbook.
 
@@ -68,7 +85,7 @@ matrix_jitsi_jvb_container_extra_arguments:
 
 Then re-run the playbook: `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`
 
-## Required if configuring Jitsi with its internal authentication: register new users
+## Required if configuring Jitsi with internal authentication: register new users
 
 Until this gets integrated into the playbook, we need to register new users / meeting hosts for Jitsi manually.
 Please SSH into your matrix host machine and execute the following command targeting the `matrix-jitsi-prosody` container:
@@ -84,9 +101,15 @@ Run this command for each user you would like to create, replacing `<USERNAME>`
 
 ## Usage
 
-You can use the self-hosted Jitsi server through Riot, through an Integration Manager like [Dimension](docs/configuring-playbook-dimension.md) or directly at `https://jitsi.DOMAIN`.
+You can use the self-hosted Jitsi server in multiple ways:
 
-To use it via riot-web (the one configured by the playbook at `https://riot.DOMAIN`), just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
+- **by adding a widget to a room via riot-web** (the one configured by the playbook at `https://riot.DOMAIN`). Just start a voice or a video call in a room containing more than 2 members and that would create a Jitsi widget which utilizes your self-hosted Jitsi server.
+
+- **by adding a widget to a room via the Dimension Integration Manager**. You'll have to point the widget to your own Jitsi server manually. See our [Dimension](./configuring-playbook-dimension.md) documentation page for more details. Naturally, Dimension would need to be installed first (the playbook doesn't install it by default).
+
+- **directly (without any Matrix integration)**. Just go to `https://jitsi.DOMAIN`
+
+**Note**: Riot apps on mobile devices currently [don't support joining meetings on a self-hosted Jitsi server](https://github.com/vector-im/riot-web/blob/601816862f7d84ac47547891bd53effa73d32957/docs/jitsi.md#mobile-app-support).
 
 
 ## Troubleshooting

docs/configuring-playbook-turn.md

@@ -31,3 +31,12 @@ matrix_synapse_turn_uris:
 - turn:HOSTNAME_OR_IP?transport=udp
 - turn:HOSTNAME_OR_IP?transport=tcp
 ```
+
+If you have or want to enable [Jitsi](configuring-playbook-jitsi.md), you might want to enable the TURN server there too.
+If you do not do it, Jitsi will fall back to an upstream service.
+
+```yaml
+matrix_jitsi_web_stun_servers:
+- stun:HOSTNAME_OR_IP:PORT
+```
+You can put multiple host/port combinations if you like.

docs/configuring-well-known.md

@@ -104,7 +104,7 @@ server {
 </VirtualHost>
 ```
 
-**For Caddy**, it would be something like this:
+**For Caddy 2**, it would be something like this:
 
 ```caddy
 reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
@@ -112,6 +112,14 @@ reverse_proxy /.well-known/matrix/* https://matrix.DOMAIN {
 }
 ```
 
+**For Caddy 1**, it would be something like this:
+
+```caddy
+proxy /.well-known/matrix/ https://matrix.DOMAIN {
+    header_upstream Host {http.reverse_proxy.upstream.hostport}
+}
+```
+
 **For HAProxy**, it would be something like this:
 
 ```haproxy

docs/maintenance-migrating.md

@@ -1,8 +1,10 @@
 # Migrating to new server
 
 1. Prepare by lowering DNS TTL for your domains (`matrix.DOMAIN`, etc.), so that DNS record changes (step 4 below) would happen faster, leading ot less downtime
-2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*` 
+2. Stop all services on the old server and make sure they won't be starting again. Execute this on the old server: `systemctl disable --now matrix*`
 3. Copy directory `/matrix` from the old server to the new server. Make sure to preserve ownership and permissions (use `cp -p` or `rsync -ar`)!
 4. Make sure your DNS records are adjusted to point to the new server's IP address
 5. Remove old server from the `inventory/hosts` file and add new server.
-6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start`. This will create the matrix user and group and start all services on the new server
+6. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-system-user`. This will create the `matrix` user and group on the new server
+7. Because the `matrix` user and group are created dynamically on each server, the user/group id may differ between the old and new server. We suggest that you adjust ownership of `/matrix` files manually by running this on the new server: `chown -R matrix:matrix /matrix`.
+8. Run `ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start` to finish the installation and start all services

roles/matrix-base/defaults/main.yml

@@ -22,8 +22,7 @@ matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
 matrix_server_fqn_jitsi: "jitsi.{{ matrix_domain }}"
 
 matrix_user_username: "matrix"
-matrix_user_uid: 991
+matrix_user_groupname: "matrix"
-matrix_user_gid: 991
 
 matrix_base_data_path: "/matrix"
 matrix_base_data_path_mode: "750"

roles/matrix-base/tasks/main.yml

@@ -2,6 +2,11 @@
   tags:
     - always
 
+- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
+  when: "run_setup|bool"
+  tags:
+    - setup-all
+
 - import_tasks: "{{ role_path }}/tasks/clean_up_old_files.yml"
   when: run_setup|bool
   tags:
@@ -12,6 +17,14 @@
   tags:
     - setup-all
 
+# This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`,
+# which are required by many other roles.
+- import_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
+  when: run_setup|bool
+  tags:
+    - always
+    - setup-system-user
+
 - import_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
   when: run_setup|bool
   tags:

roles/matrix-base/tasks/setup_matrix_base.yml

@@ -1,25 +1,12 @@
 ---
 
-- name: Ensure Matrix group is created
-  group:
-    name: "{{ matrix_user_username }}"
-    gid: "{{ matrix_user_gid }}"
-    state: present
-
-- name: Ensure Matrix user is created
-  user:
-    name: "{{ matrix_user_username }}"
-    uid: "{{ matrix_user_uid }}"
-    state: present
-    group: "{{ matrix_user_username }}"
-
 - name: Ensure Matrix base path exists
   file:
     path: "{{ item }}"
     state: directory
     mode: "{{ matrix_base_data_path_mode }}"
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_base_data_path }}"
 
@@ -54,4 +41,3 @@
     src: "{{ role_path }}/templates/usr-local-bin/matrix-remove-all.j2"
     dest: "{{ matrix_local_bin_path }}/matrix-remove-all"
     mode: 0750
-

roles/matrix-base/tasks/setup_matrix_user.yml

@@ -0,0 +1,22 @@
+---
+
+- name: Ensure Matrix group is created
+  group:
+    name: "{{ matrix_user_groupname }}"
+    state: present
+  register: matrix_group
+
+- name: Set Matrix Group GID Variable
+  set_fact:
+    matrix_user_gid: "{{ matrix_group.gid }}"
+
+- name: Ensure Matrix user is created
+  user:
+    name: "{{ matrix_user_username }}"
+    state: present
+    group: "{{ matrix_user_groupname }}"
+  register: matrix_user
+
+- name: Set Matrix Group UID Variable
+  set_fact:
+    matrix_user_uid: "{{ matrix_user.uid }}"

roles/matrix-base/tasks/setup_well_known.yml

@@ -8,7 +8,7 @@
     state: directory
     mode: 0755
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_static_files_base_path }}/.well-known/matrix"
 
@@ -18,7 +18,7 @@
     dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure Matrix /.well-known/matrix/server file configured
   template:
@@ -26,7 +26,7 @@
     dest: "{{ matrix_static_files_base_path }}/.well-known/matrix/server"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_well_known_matrix_server_enabled|bool
 
 - name: Ensure Matrix /.well-known/matrix/server file deleted

roles/matrix-base/tasks/validate_config.yml

@@ -0,0 +1,11 @@
+---
+
+- name: (Deprecation) Warn about unused user/group variables
+  fail:
+    msg: >
+      The `{{ item }}` variable defined in your configuration is not used by this playbook anymore.
+      User/group creation is now dynamic. You can remove these variables from your configuration, as they have no effect on anything.
+  when: "item in vars"
+  with_items:
+    - 'matrix_user_uid'
+    - 'matrix_user_gid'

roles/matrix-bridge-appservice-discord/tasks/setup_install.yml

@@ -13,7 +13,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_appservice_discord_base_path }}"
     - "{{ matrix_appservice_discord_config_path }}"
@@ -46,7 +46,7 @@
     dest: "{{ matrix_appservice_discord_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure AppService Discord registration.yaml installed
   copy:
@@ -54,7 +54,7 @@
     dest: "{{ matrix_appservice_discord_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 # If `matrix_appservice_discord_client_id` hasn't changed, the same invite link would be generated.
 # We intentionally suppress Ansible changes.

roles/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -13,7 +13,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_appservice_irc_base_path }}"
     - "{{ matrix_appservice_irc_config_path }}"
@@ -50,7 +50,7 @@
     dest: "{{ matrix_appservice_irc_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Check if Appservice IRC passkey exists
   stat:
@@ -70,7 +70,7 @@
     path: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 # Ideally, we'd like to generate the final registration.yaml file by ourselves.
 #
@@ -134,7 +134,7 @@
     dest: "{{ matrix_appservice_irc_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-appservice-irc.service installed
   template:

roles/matrix-bridge-appservice-slack/tasks/setup_install.yml

@@ -13,7 +13,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_appservice_slack_base_path }}"
     - "{{ matrix_appservice_slack_config_path }}"
@@ -25,7 +25,7 @@
     dest: "{{ matrix_appservice_slack_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure appservice-slack registration.yaml installed
   copy:
@@ -33,7 +33,7 @@
     dest: "{{ matrix_appservice_slack_config_path }}/slack-registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-appservice-slack.service installed
   template:

roles/matrix-bridge-appservice-webhooks/tasks/setup_install.yml

@@ -13,7 +13,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_appservice_webhooks_base_path }}"
     - "{{ matrix_appservice_webhooks_config_path }}"
@@ -25,7 +25,7 @@
     dest: "{{ matrix_appservice_webhooks_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure Matrix Appservice webhooks schema.yml template exists
   template:
@@ -33,7 +33,7 @@
     dest: "{{ matrix_appservice_webhooks_config_path }}/schema.yml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure Matrix Appservice webhooks database.json template exists
   template:
@@ -41,7 +41,7 @@
     dest: "{{ matrix_appservice_webhooks_data_path }}/database.json"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure appservice-webhooks registration.yaml installed
   copy:
@@ -49,7 +49,7 @@
     dest: "{{ matrix_appservice_webhooks_config_path }}/webhooks-registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-appservice-webhooks.service installed
   template:

roles/matrix-bridge-mautrix-facebook/tasks/setup_install.yml

@@ -22,7 +22,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_mautrix_facebook_base_path }}", when: true }
     - { path: "{{ matrix_mautrix_facebook_config_path }}", when: true }
@@ -73,7 +73,7 @@
     dest: "{{ matrix_mautrix_facebook_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure mautrix-facebook registration.yaml installed
   copy:
@@ -81,7 +81,7 @@
     dest: "{{ matrix_mautrix_facebook_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-mautrix-facebook.service installed
   template:

roles/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml

@@ -22,7 +22,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_mautrix_hangouts_base_path }}", when: true }
     - { path: "{{ matrix_mautrix_hangouts_config_path }}", when: true }
@@ -72,7 +72,7 @@
     dest: "{{ matrix_mautrix_hangouts_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure mautrix-hangouts registration.yaml installed
   copy:
@@ -80,7 +80,7 @@
     dest: "{{ matrix_mautrix_hangouts_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-mautrix-hangouts.service installed
   template:

roles/matrix-bridge-mautrix-telegram/tasks/setup_install.yml

@@ -21,7 +21,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_mautrix_telegram_base_path }}"
     - "{{ matrix_mautrix_telegram_config_path }}"
@@ -50,7 +50,7 @@
     dest: "{{ matrix_mautrix_telegram_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure mautrix-telegram registration.yaml installed
   copy:
@@ -58,7 +58,7 @@
     dest: "{{ matrix_mautrix_telegram_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-mautrix-telegram.service installed
   template:

roles/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml

@@ -21,7 +21,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_mautrix_whatsapp_base_path }}"
     - "{{ matrix_mautrix_whatsapp_config_path }}"
@@ -59,7 +59,7 @@
     dest: "{{ matrix_mautrix_whatsapp_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure mautrix-whatsapp registration.yaml installed
   copy:
@@ -67,7 +67,7 @@
     dest: "{{ matrix_mautrix_whatsapp_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-mautrix-whatsapp.service installed
   template:

roles/matrix-bridge-mx-puppet-skype/tasks/setup_install.yml

@@ -22,7 +22,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_mx_puppet_skype_base_path }}", when: true }
     - { path: "{{ matrix_mx_puppet_skype_config_path }}", when: true }
@@ -42,6 +42,7 @@
   docker_image:
     name: "{{ matrix_mx_puppet_skype_docker_image }}"
     source: build
+    force_source: yes
     build:
       dockerfile: Dockerfile
       path: "{{ matrix_mx_puppet_skype_docker_src_files_path }}"
@@ -71,7 +72,7 @@
     dest: "{{ matrix_mx_puppet_skype_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure mx-puppet-skype skype-registration.yaml installed
   copy:
@@ -79,7 +80,7 @@
     dest: "{{ matrix_mx_puppet_skype_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-mx-puppet-skype.service installed
   template:

roles/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml

@@ -22,7 +22,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_mx_puppet_slack_base_path }}", when: true }
     - { path: "{{ matrix_mx_puppet_slack_config_path }}", when: true }
@@ -70,7 +70,7 @@
     dest: "{{ matrix_mx_puppet_slack_config_path }}/config.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure mx-puppet-slack slack-registration.yaml installed
   copy:
@@ -78,7 +78,7 @@
     dest: "{{ matrix_mx_puppet_slack_config_path }}/registration.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-mx-puppet-slack.service installed
   template:

roles/matrix-corporal/tasks/setup_corporal.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_corporal_config_dir_path }}"
     - "{{ matrix_corporal_cache_dir_path }}"
@@ -31,7 +31,7 @@
     dest: "{{ matrix_corporal_config_dir_path }}/config.json"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_corporal_enabled|bool
 
 - name: Ensure matrix-corporal.service installed

roles/matrix-coturn/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_coturn_enabled: true
 
 matrix_coturn_container_image_self_build: false
 
-matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.1"
+matrix_coturn_docker_image: "instrumentisto/coturn:4.5.1.2"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"
 
 # The Docker network that Coturn would be put into.

roles/matrix-coturn/tasks/setup_coturn.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_coturn_docker_src_files_path }}", when: "{{ matrix_coturn_container_image_self_build }}"}
   when: matrix_riot_web_enabled|bool and item.when
@@ -47,7 +47,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_coturn_enabled|bool
 
 - name: Ensure turnserver.conf installed

roles/matrix-dimension/templates/systemd/matrix-dimension.service.j2

@@ -9,6 +9,9 @@ Type=simple
 ExecStartPre=-/usr/bin/docker kill matrix-dimension
 ExecStartPre=-/usr/bin/docker rm matrix-dimension
 
+# Fixup database ownership if it got changed somehow (during a server migration, etc.)
+ExecStartPre=-/usr/bin/chown {{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} {{ matrix_dimension_base_path }}/dimension.db
+
 ExecStart=/usr/bin/docker run --rm --name matrix-dimension \
 			--log-driver=none \
 			--user={{ matrix_dimension_user_uid }}:{{ matrix_dimension_user_gid }} \

roles/matrix-email2matrix/tasks/setup_email2matrix.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_email2matrix_base_path }}"
     - "{{ matrix_email2matrix_config_dir_path }}"
@@ -21,7 +21,7 @@
     src: "{{ role_path }}/templates/config.json.j2"
     dest: "{{ matrix_email2matrix_config_dir_path }}/config.json"
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
     mode: 0640
   when: matrix_email2matrix_enabled|bool
 

roles/matrix-jitsi/defaults/main.yml

@@ -7,6 +7,28 @@ matrix_jitsi_enable_guests: false
 matrix_jitsi_enable_recording: true
 matrix_jitsi_enable_transcriptions: true
 
+# Authentication type, must be one of internal, jwt or ldap. Currently only
+# internal and ldap are supported by this playbook.
+matrix_jitsi_auth_type: internal
+
+# Configuration options for LDAP authentication. For details see upstream:
+#   https://github.com/jitsi/docker-jitsi-meet#authentication-using-ldap.
+# Defaults are taken from:
+#   https://github.com/jitsi/docker-jitsi-meet/blob/master/prosody/rootfs/defaults/saslauthd.conf
+matrix_jitsi_ldap_url: ""
+matrix_jitsi_ldap_base: ""
+matrix_jitsi_ldap_binddn: ""
+matrix_jitsi_ldap_bindpw: ""
+matrix_jitsi_ldap_filter: "uid=%u"
+matrix_jitsi_ldap_auth_method: "bind"
+matrix_jitsi_ldap_version: "3"
+matrix_jitsi_ldap_use_tls: false
+matrix_jitsi_ldap_tls_ciphers: ""
+matrix_jitsi_ldap_tls_check_peer: false
+matrix_jitsi_ldap_tls_cacert_file: "/etc/ssl/certs/ca-certificates.crt"
+matrix_jitsi_ldap_tls_cacert_dir: "/etc/ssl/certs"
+matrix_jitsi_ldap_start_tls: false
+
 matrix_jitsi_timezone: UTC
 
 matrix_jitsi_xmpp_domain: matrix-jitsi-web

roles/matrix-jitsi/tasks/setup_jitsi_base.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_jitsi_base_path }}", when: true }
   when: matrix_jitsi_enabled|bool and item.when

roles/matrix-jitsi/tasks/setup_jitsi_jicofo.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0777
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_jitsi_jicofo_base_path }}", when: true }
     - { path: "{{ matrix_jitsi_jicofo_config_path }}", when: true }

roles/matrix-jitsi/tasks/setup_jitsi_jvb.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0777
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_jitsi_jvb_base_path }}", when: true }
     - { path: "{{ matrix_jitsi_jvb_config_path }}", when: true }

roles/matrix-jitsi/tasks/setup_jitsi_prosody.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0777
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_jitsi_prosody_base_path }}", when: true }
     - { path: "{{ matrix_jitsi_prosody_config_path }}", when: true }

roles/matrix-jitsi/tasks/setup_jitsi_web.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0777
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_jitsi_web_base_path }}", when: true }
     - { path: "{{ matrix_jitsi_web_config_path }}", when: true }

roles/matrix-jitsi/templates/prosody/env.j2

@@ -1,8 +1,22 @@
-AUTH_TYPE=internal
+AUTH_TYPE={{ matrix_jitsi_auth_type }}
 
 ENABLE_AUTH={{ 1 if matrix_jitsi_enable_auth else 0 }}
 ENABLE_GUESTS={{ 1 if matrix_jitsi_enable_guests else 0 }}
 
+LDAP_URL={{ matrix_jitsi_ldap_url }}
+LDAP_BASE={{ matrix_jitsi_ldap_base }}
+LDAP_BINDDN={{ matrix_jitsi_ldap_binddn }}
+LDAP_BINDPW={{ matrix_jitsi_ldap_bindpw }}
+LDAP_FILTER={{ matrix_jitsi_ldap_filter }}
+LDAP_AUTH_METHOD={{ matrix_jitsi_ldap_auth_method }}
+LDAP_VERSION={{ matrix_jitsi_ldap_version }}
+LDAP_USE_TLS={{ 1 if matrix_jitsi_ldap_use_tls else 0 }}
+LDAP_TLS_CIPHERS={{ matrix_jitsi_ldap_tls_ciphers }}
+LDAP_TLS_CHECK_PEER={{ 1 if matrix_jitsi_ldap_tls_check_peer else 0 }}
+LDAP_TLS_CACERT_FILE={{ matrix_jitsi_ldap_tls_cacert_file }}
+LDAP_TLS_CACERT_DIR={{ matrix_jitsi_ldap_tls_cacert_dir }}
+LDAP_START_TLS={{ 1 if matrix_jitsi_ldap_start_tls else 0 }}
+
 XMPP_DOMAIN={{ matrix_jitsi_xmpp_domain }}
 XMPP_AUTH_DOMAIN={{ matrix_jitsi_xmpp_auth_domain }}
 XMPP_GUEST_DOMAIN={{ matrix_jitsi_xmpp_guest_domain }}

roles/matrix-ma1sd/tasks/setup_ma1sd.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_ma1sd_config_path }}", when: true }
     - { path: "{{ matrix_ma1sd_data_path }}", when: true }
@@ -69,7 +69,7 @@
     dest: "{{ matrix_ma1sd_config_path }}/ma1sd.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_ma1sd_enabled|bool
 
 - name: Ensure custom templates are installed if any
@@ -78,7 +78,7 @@
     dest: "{{ matrix_ma1sd_data_path }}/{{ item.location }}"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_invite_template }}", location: 'invite-template.eml'}
     - {value: "{{ matrix_ma1sd_threepid_medium_email_custom_session_validation_template }}", location: 'validate-template.eml'}

roles/matrix-mailer/tasks/setup_mailer.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_mailer_enabled|bool
 
 - name: Ensure mailer environment variables file created

roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml

@@ -16,7 +16,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_nginx_proxy_base_path }}"
     - "{{ matrix_nginx_proxy_data_path }}"
@@ -34,7 +34,7 @@
     src: "{{ role_path }}/templates/nginx/matrix-synapse-metrics-htpasswd.j2"
     dest: "{{ matrix_nginx_proxy_data_path }}/matrix-synapse-metrics-htpasswd"
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
     mode: 0400
   when: "matrix_nginx_proxy_proxy_synapse_metrics_basic_auth_enabled|bool and matrix_nginx_proxy_proxy_synapse_metrics|bool"
 
@@ -79,7 +79,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_nginx_proxy_base_domain_serving_enabled|bool
 
 - name: Ensure Matrix nginx-proxy homepage for base domain exists
@@ -88,7 +88,7 @@
     dest: "{{ matrix_nginx_proxy_data_path }}/matrix-domain/index.html"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_nginx_proxy_base_domain_serving_enabled|bool and matrix_nginx_proxy_base_domain_homepage_enabled|bool
 
 - name: Ensure Matrix nginx-proxy configuration for base domain exists

roles/matrix-nginx-proxy/tasks/setup_well_known.yml

@@ -11,7 +11,7 @@
     state: directory
     mode: 0755
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_static_files_base_path }}/.well-known/matrix"
 
@@ -21,4 +21,4 @@
     dest: "{{ matrix_static_files_base_path }}/.well-known/matrix"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"

roles/matrix-nginx-proxy/tasks/ssl/main.yml

@@ -14,7 +14,7 @@
     state: directory
     mode: 0770
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
     recurse: true
   with_items:
     - "{{ matrix_ssl_log_dir_path }}"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml

@@ -17,7 +17,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
 
 # The proper way to do this is by using a sequence of

roles/matrix-postgres/tasks/import_sqlite_db.yml

@@ -50,7 +50,7 @@
     state: directory
     mode: 0700
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-postgres is started
   service:

roles/matrix-postgres/tasks/migrate_postgres_data_directory.yml

@@ -46,7 +46,7 @@
     state: directory
     mode: 0700
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: "result_pg_old_data_dir_stat.stat.exists"
 
 - block:

roles/matrix-postgres/tasks/run_synapse_janitor.yml

@@ -42,7 +42,7 @@
     force: true
     mode: 0550
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure matrix-postgres is started
   service:

roles/matrix-postgres/tasks/setup_postgres.yml

@@ -38,7 +38,7 @@
     state: directory
     mode: 0700
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - "{{ matrix_postgres_base_path }}"
     - "{{ matrix_postgres_data_path }}"
@@ -52,7 +52,7 @@
     path: "{{ matrix_postgres_data_path }}"
     state: directory
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
     recurse: yes
   when: matrix_postgres_enabled|bool
 

roles/matrix-riot-web/defaults/main.yml

@@ -2,7 +2,7 @@ matrix_riot_web_enabled: true
 
 matrix_riot_web_container_image_self_build: false
 
-matrix_riot_web_docker_image: "vectorim/riot-web:v1.5.15"
+matrix_riot_web_docker_image: "vectorim/riot-web:v1.6.0"
 matrix_riot_web_docker_image_force_pull: "{{ matrix_riot_web_docker_image.endswith(':latest') }}"
 
 matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"

roles/matrix-riot-web/tasks/setup_riot_web.yml

@@ -10,7 +10,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_riot_web_data_path }}", when: true }
     - { path: "{{ matrix_riot_web_docker_src_files_path }}", when: "{{ matrix_riot_web_container_image_self_build }}" }
@@ -48,7 +48,7 @@
     dest: "{{ matrix_riot_web_data_path }}/config.json"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: matrix_riot_web_enabled|bool
 
 - name: Ensure Matrix riot-web config files installed
@@ -57,7 +57,7 @@
     dest: "{{ matrix_riot_web_data_path }}/{{ item.name }}"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - {src: "{{ role_path }}/templates/nginx.conf.j2", name: "nginx.conf"}
     - {src: "{{ role_path }}/templates/welcome.html.j2", name: "welcome.html"}

roles/matrix-synapse/tasks/ext/rest-auth/setup_install.yml

@@ -12,7 +12,7 @@
     force: true
     mode: 0440
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - set_fact:
     matrix_synapse_password_providers_enabled: true

roles/matrix-synapse/tasks/ext/shared-secret-auth/setup_install.yml

@@ -12,7 +12,7 @@
     force: true
     mode: 0440
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - set_fact:
     matrix_synapse_password_providers_enabled: true

roles/matrix-synapse/tasks/goofys/setup_install.yml

@@ -17,8 +17,8 @@
     path: "{{ matrix_synapse_media_store_path }}"
     state: directory
     mode: 0750
-    owner: "{{ matrix_user_uid }}"
+    owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_gid }}"
+    group: "{{ matrix_user_groupname }}"
   when: "not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists"
 
 - name: Ensure goofys environment variables file created

roles/matrix-synapse/tasks/import_media_store.yml

@@ -66,7 +66,7 @@
   file:
     path: "{{ matrix_synapse_media_store_path }}"
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
     recurse: yes
   when: "not matrix_s3_media_store_enabled|bool"
 

roles/matrix-synapse/tasks/setup_synapse.yml

@@ -6,7 +6,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   with_items:
     - { path: "{{ matrix_synapse_config_dir_path }}", when: true }
     - { path: "{{ matrix_synapse_run_path }}", when: true }

roles/matrix-synapse/tasks/synapse/setup_install.yml

@@ -15,7 +15,7 @@
     state: directory
     mode: 0750
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
   when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
 
 - name: Ensure Synapse repository is present on self-build
@@ -79,7 +79,7 @@
     dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
     mode: 0644
     owner: "{{ matrix_user_username }}"
-    group: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
 
 - name: Ensure Synapse log config installed
   template: