Merge branch 'master' into pub.solar

2023-11-10 17:47:17 +01:00 · 2023-11-10 17:47:17 +01:00 · a323cba3c2
parent a8d362c8b4 8f19d9bbef
commit a323cba3c2
22 changed files with 137 additions and 35 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+* text=auto eol=lf
--- a/.github/workflows/matrix.yml
+++ b/.github/workflows/matrix.yml
@ -13,7 +13,7 @@ jobs:
      - name: Check out
        uses: actions/checkout@v4
      - name: Run yamllint
-        uses: frenck/action-yamllint@v1.4.1
+        uses: frenck/action-yamllint@v1.4.2
  ansible-lint:
    name: ansible-lint
    runs-on: ubuntu-latest
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,35 @@
+# 2023-10-23
+
+## Enabling `allow_public_rooms_over_federation` by default for Synapse
+
+**TDLR**: if your Matrix server is federating (which it mostly likely is, unless you've [disabled federation](docs/configuring-playbook-federation.md#disabling-federation)), your public rooms will not only be joinable across federation (as they've always been), but from now on will be discoverable (made available as a list across federation). We're changing this by flipping the value for Synapse's `allow_public_rooms_over_federation` setting to `true`, going against the upstream default. Servers that disable federation are not affected. Servers that have public rooms which are not published to the room directory are also not affected.
+
+We generally try to stick to the default configuration for Synapse (and all other components), unless these defaults seem wrong or harmful. One such previous case from a few months ago was us [Enabling `forget_rooms_on_leave` by default for Synapse](#enabling-forget_rooms_on_leave-by-default-for-synapse) - the default value was making Synapse more wasteful of resources by default.
+
+Today, we're going against upstream defaults again and flipping the `allow_public_rooms_over_federation` configuration option to `true`.
+This way, public rooms on your server will be made discoverable by others via federation, using the [`GET /_matrix/federation/v1/publicRooms` of the Server-Server API](https://spec.matrix.org/v1.8/server-server-api/#get_matrixfederationv1publicrooms).
+
+The upstream Synapse default is `false` (disabled), so that public rooms are not exposed for other servers to discover (learn about their existence). Nevertheless, even if these rooms are not exposed (listed) for discovery, they are **still joinable** by anyone who knows their address or is invited to the room by an existing member.
+
+**We go against the upstream default** in an effort to make Matrix federation more useful - a public room should be globally public - not only joinable, but also discoverable across federation.
+
+The **historical reasoning** behind this change is as follows:
+
+- `allow_public_rooms_over_federation` seems to have been enabled by default for Synapse until v1.7.0 (~2019), just like we believe it should be for a globally-federating network - rooms should be joinable and discoverable across federation.
+
+- In Synapse v1.7.0 (~2019), `allow_public_rooms_over_federation` [got disabled](https://github.com/matrix-org/synapse/blob/e9069c9f919685606506f04527332e83fbfa44d9/docs/upgrade.md?plain=1#L1877-L1891) by default in a [security-by-obscurity](https://en.wikipedia.org/wiki/Security_through_obscurity) workaround for misconfigured servers. See the [Avoiding unwelcome visitors on private Matrix servers](https://matrix.org/blog/2019/11/09/avoiding-unwelcome-visitors-on-private-matrix-servers/) `matrix.org` blog article. We believe that people wishing for a truly private server, should [disable federation](docs/configuring-playbook-federation.md#disabling-federation), instead of having a fully-federating server and trying to hide its public rooms. We also provide other workarounds below. We (and the Synapse team, obviously) believe that Matrix should federate by default, so federating the public room list seems to make sense.
+
+- [etke.cc](https://etke.cc/) has been developing the free-software [Matrix Rooms Search](https://gitlab.com/etke.cc/mrs) project for a while now. One public (demo) instance of it is hosted at [matrixrooms.info](https://matrixrooms.info/). This search engine tries to go through the Matrix federation and discover & index public rooms to allow people to find them. We believe it's vital for Matrix (and any chat or social network for that matter) to be more discoverable, so that people can find communities and others to talk to. Today (on 23rd of October 2023), `matrixrooms.info` is indexing `23066` Matrix servers. Of these, only `1567` servers (7%) are making their public rooms discoverable. Who knows what wonderful communities and rooms are available on these 93% other Matrix servers that are supposedly federating, but are still gate-keeping their public room list. Indubitably, many of these servers are hosted via matrix-docker-ansible-deploy, so we feel partially responsible for making Matrix federation less useful.
+
+Here are **actions you may wish to take** as a result of this change:
+
+- (recommended) embrace the new default. If your Matrix server is federating, your public rooms have always been joinable across federation anyway. Exposing the list of public rooms does no harm and more-so does good by contributing to the usefulness of the Matrix network by facilitating room discovery.
+
+- (switch to a better way of doings things on your semi-private server) The problem that the Synapse team appears to have solved by flipping the `allow_public_rooms_over_federation` default in Synapse v1.7.0 seems to for "mostly private" servers, which federate and have a bunch of rooms made public (and published in their room directory) in an effort to allow people on the same homeserver to easily find and join them (self-onboarding). With the introduction of Matrix Spaces, you can reorganize your flow around spaces - you can auto-join your users to a Matrix Space (via Synapse's `auto_join_rooms` setting - controlled by our `matrix_synapse_auto_join_rooms` variable), then add a bunch of rooms to the space and make them joinable by people belonging to the space. That is to say, do not make rooms public and do not publish them to the room directory unless they are really public. Instead, use other mechanisms for semi-public rooms or private rooms. One alternative is to stick to what you're doing (public rooms published to your rooms directory) but having a `m.federate: true` flag set during creation (clients like Element have a nice UI checkbox for this) to explicitly disable federation for them.
+
+- (keeping the old behavior) if you wish to keep doing what you're doing (keeping your Matrix server federating, but hiding its public rooms list), add `matrix_synapse_allow_public_rooms_over_federation: false` to your `vars.yml` configuration. This restores the old behavior. You may also consider [disabling federation](docs/configuring-playbook-federation.md#disabling-federation) completely instead of relying on security-by-obscurity measures.
+
+
 # 2023-10-18

 ## Postgres parameters are automatically tuned now
--- a/docs/configuring-playbook-bridge-beeper-linkedin.md
+++ b/docs/configuring-playbook-bridge-beeper-linkedin.md
@ -32,14 +32,10 @@ You may wish to look at `roles/custom/matrix-bridge-beeper-linkedin/templates/co

 ## Set up Double Puppeting

-If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have 2 ways of going about it.
-
-### Method 1: automatically, by enabling Shared Secret Auth
+If you'd like to use [Double Puppeting](https://docs.mau.fi/bridges/general/double-puppeting.html) (hint: you most likely do), you have to enable Shared Secred Auth.

 The bridge will automatically perform Double Puppeting if you enable [Shared Secret Auth](configuring-playbook-shared-secret-auth.md) for this playbook.

-This is the recommended way of setting up Double Puppeting, as it's easier to accomplish, works for all your users automatically, and has less of a chance of breaking in the future.
-

 ## Usage

--- a/docs/configuring-playbook-sliding-sync-proxy.md
+++ b/docs/configuring-playbook-sliding-sync-proxy.md
@ -8,7 +8,7 @@ See the project's [documentation](https://github.com/matrix-org/sliding-sync) to

 Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi).

-Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version.
+Element X Android is [available on the Github Releases page](https://github.com/vector-im/element-x-android/releases).

 **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync.

--- a/examples/apache/matrix-synapse.conf
+++ b/examples/apache/matrix-synapse.conf
@ -37,6 +37,7 @@
 	# Keep some URIs free for different proxy/location
 	ProxyPassMatch ^/.well-known/matrix/client !
 	ProxyPassMatch ^/.well-known/matrix/server !
+	ProxyPassMatch ^/.well-known/matrix/support !
 	ProxyPassMatch ^/_matrix/identity !
 	ProxyPassMatch ^/_matrix/client/r0/user_directory/search !

@ -46,11 +47,11 @@
 	ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
 	ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client retry=0 nocanon
 	ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client
-	
+
 	# Proxy Admin API (necessary for Synapse-Admin)
 	# ProxyPass /_synapse/admin http://127.0.0.1:8008/_synapse/admin retry=0 nocanon
 	# ProxyPassReverse /_synapse/admin http://127.0.0.1:8008/_synapse/admin
-	
+
 	# Proxy Synapse-Admin
 	# ProxyPass /synapse-admin http://127.0.0.1:8766 retry=0 nocanon
 	# ProxyPassReverse /synapse-admin http://127.0.0.1:8766
@ -64,6 +65,7 @@
 		Header always set Content-Type "application/json"
 		Header always set Access-Control-Allow-Origin "*"
 	</Location>
+
 	# Map /.well-known/matrix/server for server discovery
 	Alias /.well-known/matrix/server /matrix/static-files/.well-known/matrix/server
 	<Files "/matrix/static-files/.well-known/matrix/server">
@ -72,6 +74,16 @@
 	<Location "/.well-known/matrix/server">
 		Header always set Content-Type "application/json"
 	</Location>
+
+	# Map /.well-known/matrix/support for support discovery
+	Alias /.well-known/matrix/support /matrix/static-files/.well-known/matrix/support
+	<Files "/matrix/static-files/.well-known/matrix/support">
+		Require all granted
+	</Files>
+	<Location "/.well-known/matrix/support">
+		Header always set Content-Type "application/json"
+	</Location>
+
 	<Directory /matrix/static-files/.well-known/matrix/>
 		AllowOverride All
 		# Apache 2.4:
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -2491,6 +2491,8 @@ jitsi_base_path: "{{ matrix_base_data_path }}/jitsi"
 jitsi_uid: "{{ matrix_user_uid }}"
 jitsi_gid: "{{ matrix_user_gid }}"

+jitsi_user_username: "{{ matrix_user_username }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach jitsi/web over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # the Jitsi HTTP port to the local host.
@ -2551,6 +2553,7 @@ jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
 jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"

 # Allow verification using JWT and matrix-UVS
+jitsi_prosody_auth_matrix_uvs_sync_power_levels: "{{ matrix_user_verification_service_enabled }}"
 jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
 jitsi_prosody_auth_matrix_uvs_location: "{{ matrix_user_verification_service_container_url }}"

@ -4300,9 +4303,6 @@ matrix_user_creator_users_auto: |
 #
 ######################################################################

-## FIXME: Needs to be updated when there is a proper release by upstream.
-matrix_user_verification_service_docker_image: "{{ matrix_user_verification_service_docker_image_name_prefix }}matrixdotorg/matrix-user-verification-service@sha256:d2aabc984dd69d258c91900c36928972d7aaef19d776caa3cd6a0fbc0e307270"
-
 matrix_user_verification_service_enabled: false
 matrix_user_verification_service_systemd_required_services_list: |
  {{
--- a/requirements.yml
+++ b/requirements.yml
@ -4,7 +4,7 @@
  version: v1.0.0-1
  name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.6-1.8.3-0
+  version: v1.2.6-1.8.4-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
  version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@ -18,7 +18,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
  version: v16.0-8
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
-  version: a0cc7c1c696872ba8880d9c5e5a54098de825030
+  version: d2c2585fe3f5ebf39045bc90c97ee160e1341594
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
@ -26,7 +26,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
  version: v1.0.0-0
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: v2.10.5-0
+  version: v2.10.5-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
  version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
@ -35,9 +35,9 @@
  version: 7.0.1
  name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v10.1.5-0
+  version: v10.2.0-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v8960-1
+  version: v8960-3
  name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
  version: v2.7.0-2
--- a/roles/custom/matrix-bot-chatgpt/defaults/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/defaults/main.yml
@ -5,7 +5,7 @@
 matrix_bot_chatgpt_enabled: true

 # renovate: datasource=docker depName=ghcr.io/matrixgpt/matrix-chatgpt-bot
-matrix_bot_chatgpt_version: 3.1.2
+matrix_bot_chatgpt_version: 3.1.4

 matrix_bot_chatgpt_container_image_self_build: false
 matrix_bot_chatgpt_container_image_self_build_repo: "https://github.com/matrixgpt/matrix-chatgpt-bot"
--- a/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml
+++ b/roles/custom/matrix-bridge-heisenbridge/defaults/main.yml
@ -5,7 +5,7 @@
 matrix_heisenbridge_enabled: true

 # renovate: datasource=docker depName=hif1/heisenbridge
-matrix_heisenbridge_version: 1.14.5
+matrix_heisenbridge_version: 1.14.6
 matrix_heisenbridge_docker_image: "{{ matrix_container_global_registry_prefix }}hif1/heisenbridge:{{ matrix_heisenbridge_version }}"
 matrix_heisenbridge_docker_image_force_pull: "{{ matrix_heisenbridge_docker_image.endswith(':latest') }}"

--- a/roles/custom/matrix-client-cinny/defaults/main.yml
+++ b/roles/custom/matrix-client-cinny/defaults/main.yml
@ -7,7 +7,7 @@ matrix_client_cinny_container_image_self_build: false
 matrix_client_cinny_container_image_self_build_repo: "https://github.com/ajbura/cinny.git"

 # renovate: datasource=docker depName=ajbura/cinny
-matrix_client_cinny_version: v2.2.6
+matrix_client_cinny_version: v3.2.0
 matrix_client_cinny_docker_image: "{{ matrix_client_cinny_docker_image_name_prefix }}ajbura/cinny:{{ matrix_client_cinny_version }}"
 matrix_client_cinny_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_cinny_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_cinny_docker_image_force_pull: "{{ matrix_client_cinny_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@ -11,7 +11,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"

 # renovate: datasource=docker depName=vectorim/element-web
-matrix_client_element_version: v1.11.46
+matrix_client_element_version: v1.11.48

 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-dendrite/defaults/main.yml
+++ b/roles/custom/matrix-dendrite/defaults/main.yml
@ -11,7 +11,7 @@ matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
 # renovate: datasource=docker depName=matrixdotorg/dendrite-monolith
-matrix_dendrite_docker_image_tag: "v0.13.3"
+matrix_dendrite_docker_image_tag: "v0.13.4"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"

 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"
--- a/roles/custom/matrix-dynamic-dns/defaults/main.yml
+++ b/roles/custom/matrix-dynamic-dns/defaults/main.yml
@ -7,8 +7,8 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'

-# renovate: datasource=docker depName=linuxserver/ddclient
-matrix_dynamic_dns_version: v3.10.0-ls136
+# renovate: datasource=docker depName=linuxserver/ddclient versioning=semver
+matrix_dynamic_dns_version: 3.11.1

 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"
--- a/roles/custom/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/custom/matrix-nginx-proxy/defaults/main.yml
@ -2,7 +2,7 @@
 # Project source code URL: https://github.com/nginx/nginx
 matrix_nginx_proxy_enabled: true
 # renovate: datasource=docker depName=nginx
-matrix_nginx_proxy_version: 1.25.2-alpine
+matrix_nginx_proxy_version: 1.25.3-alpine

 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
@ -331,6 +331,12 @@ matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

+# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/user_directory/search -> /_matrix/client/r0/user_directory/search).
+# This is to assist identity servers which only handle the r0 endpoints.
+# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
+# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
+matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled: true
+
 # Controls whether proxying for 3PID-based registration (`/_matrix/client/r0/register/(email|msisdn)/requestToken`) should be done (on the matrix domain).
 # This allows another service to control registrations involving 3PIDs.
 # To learn more, see: https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md
@ -338,6 +344,12 @@ matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled: false
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
 matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container: "127.0.0.1:{{ matrix_ma1sd_container_port }}"

+# Controls whether the user directory search API will be URL-rewritten (/_matrix/client/v3/register/(email|msisdn)/requestToken -> /_matrix/client/r0/register/(email|msisdn)/requestToken).
+# This is to assist identity servers which only handle the r0 endpoints.
+# The v3 endpoints are the same (spec-wise), so they can usually be redirected without downsides.
+# If this is disabled, API requests will be forwarded as-is, without any URL rewriting.
+matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled: true
+
 # Controls whether proxying for the Identity API (`/_matrix/identity`) should be done (on the matrix domain)
 matrix_nginx_proxy_proxy_matrix_identity_api_enabled: false
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:{{ matrix_ma1sd_container_port }}"
--- a/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
+++ b/roles/custom/matrix-nginx-proxy/templates/nginx/conf.d/matrix-domain.conf.j2
@ -119,7 +119,7 @@
 	# Redirect other endpoints registered by the media-repo to its container
 	# /_matrix/client/r0/logout
 	# /_matrix/client/r0/logout/all
-	location ^~ /_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {
+	location ~ ^/_matrix/client/(r0|v1|v3|unstable)/(logout|logout/all) {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
@ -142,7 +142,7 @@
 	# Redirect other endpoints registered by the media-repo to its container
 	# /_matrix/client/r0/admin/purge_media_cache
 	# /_matrix/client/r0/admin/quarantine_media/{roomId:[^/]+}
-	location ^~ /_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {
+	location ~ ^/_matrix/client/(r0|v1|v3|unstable)/admin/(purge_media_cache|quarantine_media/.*) {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
@ -185,13 +185,19 @@
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled %}
-	location ^~ /_matrix/client/r0/user_directory/search {
+	location ~ ^/_matrix/client/(r0|v3)/user_directory/search {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container }}";
+			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
+			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
+			{% endif %}
 			proxy_pass http://$backend;
 		{% else %}
+			{% if matrix_nginx_proxy_proxy_matrix_user_directory_search_v3_to_r0_redirect_enabled %}
+			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
+			{% endif %}
 			{# Generic configuration for use outside of our container setup #}
 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container }};
 		{% endif %}
@ -202,13 +208,19 @@
 	{% endif %}

 	{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_enabled %}
-	location ~ ^/_matrix/client/r0/register/(email|msisdn)/requestToken$ {
+	location ~ ^/_matrix/client/(r0|v3)/register/(email|msisdn)/requestToken$ {
 		{% if matrix_nginx_proxy_enabled %}
 			{# Use the embedded DNS resolver in Docker containers to discover the service #}
 			resolver {{ matrix_nginx_proxy_http_level_resolver }} valid=5s;
 			set $backend "{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_with_container }}";
+			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
+			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
+			{% endif %}
 			proxy_pass http://$backend;
 		{% else %}
+			{% if matrix_nginx_proxy_proxy_matrix_3pid_registration_v3_to_r0_redirect_enabled %}
+			rewrite ^(.*?)/v3/(.*?)$  $1/r0/$2 break;
+			{% endif %}
 			{# Generic configuration for use outside of our container setup #}
 			proxy_pass http://{{ matrix_nginx_proxy_proxy_matrix_3pid_registration_addr_sans_container }};
 		{% endif %}
--- a/roles/custom/matrix-sliding-sync/defaults/main.yml
+++ b/roles/custom/matrix-sliding-sync/defaults/main.yml
@ -6,7 +6,7 @@
 matrix_sliding_sync_enabled: true

 # renovate: datasource=docker depName=ghcr.io/matrix-org/sliding-sync
-matrix_sliding_sync_version: v0.99.11
+matrix_sliding_sync_version: v0.99.12

 matrix_sliding_sync_scheme: https

--- a/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml
@ -26,7 +26,7 @@
 matrix_synapse_reverse_proxy_companion_enabled: true

 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.25.2-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.25.3-alpine

 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@ -5,7 +5,7 @@
 matrix_synapse_enabled: true

 # renovate: datasource=docker depName=matrixdotorg/synapse
-matrix_synapse_version: v1.94.0
+matrix_synapse_version: v1.95.1

 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@ -312,8 +312,13 @@ matrix_synapse_presence_enabled: true
 matrix_synapse_allow_public_rooms_without_auth: false

 # Controls whether remote servers can fetch this server's public rooms directory via federation.
-# For private servers, you most likely wish to forbid it.
-matrix_synapse_allow_public_rooms_over_federation: false
+# The upstream default is `false`, but we try to make Matrix federation more useful.
+#
+# For private servers, you may wish to forbid it to align yourself with upstream defaults.
+# However, disabling federation completely (see `matrix_synapse_federation_enabled`) is a better way to make your server private,
+# instead of relying on security-by-obscurity -- federating with others, having your public rooms joinable by anyone,
+# but hiding them and thinking you've secured them.
+matrix_synapse_allow_public_rooms_over_federation: true

 # Whether to require authentication to retrieve profile data (avatars,
 # display names) of other users through the client API. Defaults to
--- a/roles/custom/matrix-user-verification-service/defaults/main.yml
+++ b/roles/custom/matrix-user-verification-service/defaults/main.yml
@ -5,6 +5,10 @@ matrix_user_verification_service_ansible_name: "Matrix User Verification Service
 # Enable by default. This is overwritten in provided group vars.
 matrix_user_verification_service_enabled: true

+matrix_user_verification_service_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+matrix_user_verification_service_container_image_self_build_repo: "https://github.com/matrix-org/matrix-user-verification-service"
+matrix_user_verification_service_container_image_self_build_branch: "{{ 'master' if matrix_registration_version == 'latest' else matrix_user_verification_service_version }}"
+
 # Fix version tag
 # renovate: datasource=docker depName=matrixdotorg/matrix-user-verification-service
 matrix_user_verification_service_version: "v3.0.0"
@ -13,6 +17,7 @@ matrix_user_verification_service_version: "v3.0.0"
 matrix_user_verification_service_base_path: "{{ matrix_base_data_path }}/user-verification-service"
 matrix_user_verification_service_config_path: "{{ matrix_user_verification_service_base_path }}/config"
 matrix_user_verification_service_config_env_file: "{{ matrix_user_verification_service_config_path }}/.env"
+matrix_user_verification_service_docker_src_files_path: "{{ matrix_user_verification_service_base_path }}/docker-src"

 # Docker
 matrix_user_verification_service_docker_image_name_prefix: "{{ matrix_container_global_registry_prefix }}"
--- a/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
+++ b/roles/custom/matrix-user-verification-service/tasks/setup_install.yml
@ -9,6 +9,7 @@
    group: "{{ matrix_user_groupname }}"
  with_items:
    - {path: "{{ matrix_user_verification_service_config_path }}", when: true}
+    - {path: "{{ matrix_user_verification_service_docker_src_files_path }}", when: "{{ matrix_user_verification_service_container_image_self_build }}"}
  when: item.when | bool

 - name: Ensure Matrix User Verification Service image is pulled
@ -21,6 +22,30 @@
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
+  when: "not matrix_user_verification_service_container_image_self_build | bool"
+
+- name: Ensure Matrix User Verification Service repository is present when self-building
+  ansible.builtin.git:
+    repo: "{{ matrix_user_verification_service_container_image_self_build_repo }}"
+    dest: "{{ matrix_user_verification_service_docker_src_files_path }}"
+    version: "{{ matrix_user_verification_service_container_image_self_build_branch }}"
+    force: "yes"
+  become: true
+  become_user: "{{ matrix_user_username }}"
+  register: matrix_user_verification_service_git_pull_results
+  when: "matrix_user_verification_service_container_image_self_build | bool"
+
+- name: Ensure Matrix User Verification Service image is built
+  community.docker.docker_image:
+    name: "{{ matrix_user_verification_service_docker_image }}"
+    source: build
+    force_source: "{{ matrix_user_verification_service_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_user_verification_service_git_pull_results.changed }}"
+    build:
+      dockerfile: Dockerfile
+      path: "{{ matrix_user_verification_service_docker_src_files_path }}"
+      pull: true
+  when: "matrix_user_verification_service_container_image_self_build | bool"

 - name: Ensure Matrix User Verification Service env file installed
  ansible.builtin.template:
--- a/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2
+++ b/roles/custom/matrix-user-verification-service/templates/systemd/matrix-user-verification-service.service.j2
@ -17,13 +17,14 @@ ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_s
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'


-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name={{ matrix_user_verification_service_container_name }} \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
+			--tmpfs /.npm \
 			--network={{ matrix_user_verification_service_container_network }} \
 			{% if matrix_user_verification_service_container_http_host_bind_port %}
 			-p {{ matrix_user_verification_service_container_http_host_bind_port }}:3000 \
@ -37,6 +38,7 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run \
 {% for network in matrix_user_verification_service_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_user_verification_service_container_name }}
 {% endfor %}
+ExecStart=/usr/bin/env docker start --attach matrix-user-verification-service

 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill {{ matrix_user_verification_service_container_name }} 2>/dev/null'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_user_verification_service_container_name }} 2>/dev/null'