Merge branch 'master' into pub.solar

2020-12-09 14:06:21 +01:00 · 2020-12-09 14:06:21 +01:00 · b1c1708b14
commit b1c1708b14
parent 3eb1e785e6 aa86e0dac6
27 changed files with 256 additions and 95 deletions
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+# https://liberapay.com/s.pantaleev/
+liberapay: s.pantaleev
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,15 @@
+# 2020-12-08
+
+## openid APIs exposed by default on the federation port when federation disabled
+
+We've changed some defaults. People running with our default configuration (federation enabled), are not affected at all.
+
+If you are running an unfederated server (`matrix_synapse_federation_enabled: false`), this may be of interest to you.
+
+When federation is disabled, but ma1sd or Dimension are enabled, we'll now expose the `openid` APIs on the federation port.
+These APIs are necessary for some ma1sd features to work. If you'd like to prevent this, you can: `matrix_synapse_federation_port_openid_resource_required: false`.
+
+
 # 2020-11-27

 ## Recent Jitsi updates may require configuration changes
--- a/README.md
+++ b/README.md
@ -1,3 +1,5 @@
+[![Support room on Matrix](https://img.shields.io/matrix/matrix-docker-ansible-deploy:devture.com.svg?label=%23matrix-docker-ansible-deploy%3Adevture.com&logo=matrix&style=for-the-badge&server_fqdn=matrix.devture.com)](https://matrix.to/#/#matrix-docker-ansible-deploy:devture.com) [![donate](https://liberapay.com/assets/widgets/donate.svg)](https://liberapay.com/s.pantaleev/donate)
+
 # Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker

 ## Purpose
--- a/docs/configuring-playbook-bridge-appservice-discord.md
+++ b/docs/configuring-playbook-bridge-appservice-discord.md
@ -14,18 +14,20 @@ Instructions loosely based on [this](https://github.com/Half-Shot/matrix-appserv
 1. Create a Discord Application [here](https://discordapp.com/developers/applications).
 2. Retrieve Client ID.
 3. Create a bot from the Bot tab and retrieve the Bot token.
-4. Enable the bridge with the following configuration in your `vars.yml` file:
+4. From the Bot tab, enable all checkboxes related to Privileged Gateway Intents (you can skip this step if you're not using `matrix_appservice_discord_auth_usePrivilegedIntents: true` below)
+5. Enable the bridge with the following configuration in your `vars.yml` file:

 ```yaml
 matrix_appservice_discord_enabled: true
 matrix_appservice_discord_client_id: "YOUR DISCORD APP CLIENT ID"
 matrix_appservice_discord_bot_token: "YOUR DISCORD APP BOT TOKEN"
+matrix_appservice_discord_auth_usePrivilegedIntents: true
 ```

-4. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
-5. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
-6. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
-7. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.
+6. If you've already installed Matrix services using the playbook before, you'll need to re-run it (`--tags=setup-all,start`). If not, proceed with [configuring other playbook services](configuring-playbook.md) and then with [Installing](installing.md). Get back to this guide once ready.
+7. Retrieve Discord invite link from the `{{ matrix_appservice_discord_config_path }}/invite_link` file on the server (this defaults to `/matrix/appservice-discord/config/invite_link`). You need to peek at the file on the server via SSH, etc., because it's not available via HTTP(S).
+8. Invite the Bot to Discord servers you wish to bridge. Administrator permission is recommended.
+9. Room addresses follow this syntax: `#_discord_guildid_channelid`. You can easily find the guild and channel ids by logging into Discord in a browser and opening the desired channel. The URL will have this format: `discordapp.com/channels/guild_id/channel_id`. Once you have figured out the appropriate room addrss, you can join by doing `/join #_discord_guildid_channelid` in your Matrix client.

 Other configuration options are available via the `matrix_appservice_discord_configuration_extension_yaml` variable.

--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@ -3,6 +3,9 @@
 **[Dimension](https://dimension.t2bot.io) can only be installed after Matrix services are installed and running.**
 If you're just installing Matrix services for the first time, please continue with the [Configuration](configuring-playbook.md) / [Installation](installing.md) flow and come back here later.

+**Note**: enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
+
+
 ## Prerequisites

 This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and an [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environment. This is handled automatically based on the value of `matrix_synapse_federation_enabled`.
@ -48,7 +51,7 @@ To get an access token for the Dimension user, you can follow one of two options
 3. Copy the highlighted text to your configuration.
 4. Close the private browsing session. **Do not log out**. Logging out will invalidate the token, making it not work.

-*With CURL* 
+*With CURL*

 ```
 curl -X POST --header 'Content-Type: application/json' -d '{
--- a/docs/configuring-playbook-federation.md
+++ b/docs/configuring-playbook-federation.md
@ -37,3 +37,13 @@ matrix_synapse_federation_enabled: false
 ```

 With that, your server's users will only be able to talk among themselves, but not to anyone who is on another server.
+
+**Disabling federation does not necessarily disable the federation port** (`8448`). Services like [Dimension](configuring-playbook-dimension.md) and [ma1sd](configuring-playbook-ma1sd.md) normally rely on `openid` APIs exposed on that port. Even if you disable federation and only if necessary, we may still be exposing the federation port and serving the `openid` APIs there. To override this and completely disable Synapse's federation port use:
+
+```yaml
+# This stops the federation port on the Synapse side (normally `matrix-synapse:8048` on the container network).
+matrix_synapse_federation_port_enabled: false
+
+# This removes the `8448` virtual host from the matrix-nginx-proxy reverse-proxy server.
+matrix_nginx_proxy_proxy_matrix_federation_api_enabled: false
+```
--- a/docs/configuring-playbook-jitsi.md
+++ b/docs/configuring-playbook-jitsi.md
@ -99,7 +99,7 @@ matrix_jitsi_web_custom_config_extension: |

  config.disableAudioLevels = true;

-  # Limit the number of video feeds forwarded to each client
+  // Limit the number of video feeds forwarded to each client
  config.channelLastN = 4;

 matrix_jitsi_web_config_resolution_width_ideal_and_max: 480
--- a/docs/configuring-playbook-ma1sd.md
+++ b/docs/configuring-playbook-ma1sd.md
@ -4,7 +4,9 @@ By default, this playbook configures an [ma1sd](https://github.com/ma1uta/ma1sd)

 This server is private by default, potentially at the expense of user discoverability.

-ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.
+*ma1sd is a fork of [mxisd](https://github.com/kamax-io/mxisd) which was pronounced end of life 2019-06-21.*
+
+**Note**: enabling ma1sd (which is also the default), means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).


 ## Disabling ma1sd
@ -50,6 +52,9 @@ To use the [Registration](https://github.com/ma1uta/ma1sd/blob/master/docs/featu

 - `matrix_ma1sd_configuration_extension_yaml` - to configure ma1sd as required. See the [Registration feature's docs](https://github.com/ma1uta/ma1sd/blob/master/docs/features/registration.md) for inspiration. Also see the [Additional features](#additional-features) section below to learn more about how to use `matrix_ma1sd_configuration_extension_yaml`.

+**Note**: For this to work, either the homeserver needs to [federate](configuring-playbook-federation.md) or the `openid` APIs need to exposed on the federation port. When federation is disabled and ma1sd is enabled, we automatically expose the `openid` APIs (only!) on the federation port. Make sure the federation port (usually `https://matrix.DOMAIN:8448`) is whitelisted in your firewall (even if you don't actually use/need federation).
+
+
 ## Authentication

 [Authentication](https://github.com/ma1uta/ma1sd/blob/master/docs/features/authentication.md) provides the possibility to use your own [Identity Stores](https://github.com/ma1uta/ma1sd/blob/master/docs/stores/README.md) (for example LDAP) to authenticate users on your Homeserver. The following configuration can be used to authenticate against an LDAP server:
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@ -22,6 +22,17 @@ This playbook doesn't support running on ARM (see [this issue](https://github.co

 - Properly configured DNS records for `<your-domain>` (details in [Configuring DNS](configuring-dns.md)).

- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports: `80/tcp` (HTTP webserver), `443/tcp` (HTTPS webserver), `3478/tcp` (TURN over TCP), `3478/udp` (TURN over UDP), `5349/tcp` (TURN over TCP), `5349/udp` (TURN over UDP), `8448/tcp` (Matrix Federation API HTTPS webserver), the range `49152-49172/udp` (TURN over UDP), `4443/tcp` (Jitsi Harvester fallback), `10000/udp` (Jitsi video RTP). Depending on your firewall/NAT setup, incoming RTP packets on port 10000 may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).
+- Some TCP/UDP ports open. This playbook configures the server's internal firewall for you. In most cases, you don't need to do anything special. But **if your server is running behind another firewall**, you'd need to open these ports:
+
+  - `80/tcp`: HTTP webserver
+  - `443/tcp`: HTTPS webserver
+  - `3478/tcp`: TURN over TCP (used by Coturn)
+  - `3478/udp`: TURN over UDP (used by Coturn)
+  - `5349/tcp`: TURN over TCP (used by Coturn)
+  - `5349/udp`: TURN over UDP (used by Coturn)
+  - `8448/tcp`: Matrix Federation API HTTPS webserver. In some cases, this **may necessary even with federation disabled**. Integration Servers (like Dimension) and Identity Servers (like ma1sd) may need to access `openid` APIs on the federation port.
+  - the range `49152-49172/udp`: TURN over UDP
+  - `4443/tcp`: Jitsi Harvester fallback
+  - `10000/udp`: Jitsi video RTP. Depending on your firewall/NAT setup, incoming RTP packets on port `10000` may have the external IP of your firewall as destination address, due to the usage of STUN in JVB (see [`matrix_jitsi_jvb_stun_servers`](../roles/matrix-jitsi/defaults/main.yml)).

 When ready to proceed, continue with [Configuring DNS](configuring-dns.md).
--- a/docs/self-building.md
+++ b/docs/self-building.md
@ -15,6 +15,7 @@ List of roles where self-building the Docker image is currently possible:
 - `matrix-client-element`
 - `matrix-registration`
 - `matrix-coturn`
+- `matrix-corporal`
 - `matrix-ma1sd`
 - `matrix-mailer`
 - `matrix-bridge-mautrix-facebook`
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -201,6 +201,8 @@ matrix_mautrix_facebook_homeserver_token: "{{ matrix_synapse_macaroon_secret_key

 matrix_mautrix_facebook_login_shared_secret: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret if matrix_synapse_ext_password_provider_shared_secret_auth_enabled else '' }}"

+matrix_mautrix_facebook_bridge_presence: "{{ matrix_synapse_use_presence if matrix_synapse_enabled else true }}"
+
 ######################################################################
 #
 # /matrix-bridge-mautrix-facebook
@ -539,6 +541,8 @@ matrix_bot_matrix_reminder_bot_enabled: false

 matrix_corporal_enabled: false

+matrix_corporal_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
+
 # Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
 # matrix-corporal's web-server ports to the local host.
@ -616,8 +620,6 @@ matrix_dimension_container_http_host_bind_port: "{{ '' if matrix_nginx_proxy_ena
 matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
 matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"

-matrix_dimension_homeserver_federationUrl: "http://matrix-synapse:{{ 8048 if matrix_synapse_federation_enabled|bool else 8008 }}"
-
 ######################################################################
 #
 # /matrix-dimension
@ -812,7 +814,8 @@ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container: "matrix-ma1sd:
 matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container: "127.0.0.1:8090"

 # By default, we do TLS termination for the Matrix Federation API (port 8448) at matrix-nginx-proxy.
-matrix_nginx_proxy_proxy_matrix_federation_api_enabled: true
+# Unless this is handled there OR Synapse's federation listener port is disabled, we'll reverse-proxy.
+matrix_nginx_proxy_proxy_matrix_federation_api_enabled: "{{ matrix_synapse_federation_port_enabled and not matrix_synapse_tls_federation_listener_enabled }}"
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_with_container: "matrix-synapse:8048"
 matrix_nginx_proxy_proxy_matrix_federation_api_addr_sans_container: "127.0.0.1:8048"

@ -986,12 +989,7 @@ matrix_synapse_tls_federation_listener_enabled: false
 matrix_synapse_tls_certificate_path: ~
 matrix_synapse_tls_private_key_path: ~

-matrix_synapse_http_listener_resource_names: |
-  {{
-    ["client"]
-    +
-    ( ["openid"] if matrix_dimension_enabled and not matrix_synapse_federation_enabled else [] )
-  }}
+matrix_synapse_federation_port_openid_resource_required: "{{ not matrix_synapse_federation_enabled and (matrix_dimension_enabled or matrix_ma1sd_enabled) }}"

 matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
 matrix_synapse_email_smtp_host: "matrix-mailer"
--- a/roles/matrix-base/files/yum.repos.d/docker-ce.repo
+++ b/roles/matrix-base/files/yum.repos.d/docker-ce.repo
@ -1,62 +1,62 @@
 [docker-ce-stable]
 name=Docker CE Stable - $basearch
-baseurl=https://download.docker.com/linux/centos/7/$basearch/stable
+baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/stable
 enabled=1
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg

 [docker-ce-stable-debuginfo]
 name=Docker CE Stable - Debuginfo $basearch
-baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/stable
+baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/stable
 enabled=0
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg

 [docker-ce-stable-source]
 name=Docker CE Stable - Sources
-baseurl=https://download.docker.com/linux/centos/7/source/stable
-enabled=0
-gpgcheck=1
-gpgkey=https://download.docker.com/linux/centos/gpg
-
-[docker-ce-edge]
-name=Docker CE Edge - $basearch
-baseurl=https://download.docker.com/linux/centos/7/$basearch/edge
-enabled=0
-gpgcheck=1
-gpgkey=https://download.docker.com/linux/centos/gpg
-
-[docker-ce-edge-debuginfo]
-name=Docker CE Edge - Debuginfo $basearch
-baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/edge
-enabled=0
-gpgcheck=1
-gpgkey=https://download.docker.com/linux/centos/gpg
-
-[docker-ce-edge-source]
-name=Docker CE Edge - Sources
-baseurl=https://download.docker.com/linux/centos/7/source/edge
+baseurl=https://download.docker.com/linux/centos/$releasever/source/stable
 enabled=0
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg

 [docker-ce-test]
 name=Docker CE Test - $basearch
-baseurl=https://download.docker.com/linux/centos/7/$basearch/test
+baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/test
 enabled=0
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg

 [docker-ce-test-debuginfo]
 name=Docker CE Test - Debuginfo $basearch
-baseurl=https://download.docker.com/linux/centos/7/debug-$basearch/test
+baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/test
 enabled=0
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg

 [docker-ce-test-source]
 name=Docker CE Test - Sources
-baseurl=https://download.docker.com/linux/centos/7/source/test
+baseurl=https://download.docker.com/linux/centos/$releasever/source/test
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/centos/gpg
+
+[docker-ce-nightly]
+name=Docker CE Nightly - $basearch
+baseurl=https://download.docker.com/linux/centos/$releasever/$basearch/nightly
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/centos/gpg
+
+[docker-ce-nightly-debuginfo]
+name=Docker CE Nightly - Debuginfo $basearch
+baseurl=https://download.docker.com/linux/centos/$releasever/debug-$basearch/nightly
+enabled=0
+gpgcheck=1
+gpgkey=https://download.docker.com/linux/centos/gpg
+
+[docker-ce-nightly-source]
+name=Docker CE Nightly - Sources
+baseurl=https://download.docker.com/linux/centos/$releasever/source/nightly
 enabled=0
 gpgcheck=1
 gpgkey=https://download.docker.com/linux/centos/gpg
--- a/roles/matrix-bridge-appservice-discord/defaults/main.yml
+++ b/roles/matrix-bridge-appservice-discord/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_appservice_discord_enabled: true

-matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:latest"
+matrix_appservice_discord_docker_image: "docker.io/halfshot/matrix-appservice-discord:v1.0.0"
 matrix_appservice_discord_docker_image_force_pull: "{{ matrix_appservice_discord_docker_image.endswith(':latest') }}"

 matrix_appservice_discord_base_path: "{{ matrix_base_data_path }}/appservice-discord"
@ -17,6 +17,8 @@ matrix_appservice_discord_bot_token: ''
 matrix_appservice_discord_appservice_token: ''
 matrix_appservice_discord_homeserver_token: ''

+matrix_appservice_discord_homeserver_domain: "{{ matrix_domain }}"
+
 # Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9005 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9005"), or empty string to not expose.
@ -39,6 +41,14 @@ matrix_appservice_discord_bridge_homeserverUrl: "{{ matrix_homeserver_url }}"
 matrix_appservice_discord_bridge_disablePresence: false
 matrix_appservice_discord_bridge_enableSelfServiceBridging: false

+# Tells whether the bot should make use of "Privileged Gateway Intents".
+#
+# Enabling this means that you need to enable it for the bot (Discord application) as well,
+# by triggering all Intent checkboxes on a page like this: `https://discord.com/developers/applications/694448564151123988/bot`
+#
+# Learn more: https://gist.github.com/advaith1/e69bcc1cdd6d0087322734451f15aa2f
+matrix_appservice_discord_auth_usePrivilegedIntents: false
+
 matrix_appservice_discord_configuration_yaml: "{{ lookup('template', 'templates/config.yaml.j2') }}"

 matrix_appservice_discord_configuration_extension_yaml: |
@ -62,10 +72,10 @@ matrix_appservice_discord_registration_yaml: |
  namespaces:
    users:
    - exclusive: true
-      regex: '^@_discord_.*'
+      regex: '@_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}'
    aliases:
    - exclusive: true
-      regex: '^#_discord_.*'
+      regex: '#_discord_.*:{{ matrix_appservice_discord_homeserver_domain|regex_escape }}'
  url: {{ matrix_appservice_discord_appservice_url }}
  sender_localpart: _discord_bot
  rate_limited: false
--- a/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml
+++ b/roles/matrix-bridge-appservice-discord/tasks/validate_config.yml
@ -10,6 +10,7 @@
    - "matrix_appservice_discord_bot_token"
    - "matrix_appservice_discord_appservice_token"
    - "matrix_appservice_discord_homeserver_token"
+    - "matrix_appservice_discord_homeserver_domain"

 - name: (Deprecation) Catch and report renamed appservice-discord variables
  fail:
--- a/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2
+++ b/roles/matrix-bridge-appservice-discord/templates/config.yaml.j2
@ -26,10 +26,17 @@ bridge:
  disableReadReceipts: false
  # Disable Join Leave echos from matrix
  disableJoinLeaveNotifications: false
+  # Disable Invite echos from matrix
+  disableInviteNotifications: false
+  # Auto-determine the language of code blocks (this can be CPU-intensive)
+  determineCodeLanguage: false
 # Authentication configuration for the discord bot.
 auth:
  clientID: {{ matrix_appservice_discord_client_id|string|to_json }}
  botToken: {{ matrix_appservice_discord_bot_token }}
+  # You must enable "Privileged Gateway Intents" in your bot settings on discord.com (e.g. https://discord.com/developers/applications/12345/bot)
+  # for this to work
+  usePrivilegedIntents: {{ matrix_appservice_discord_auth_usePrivilegedIntents|to_json }}
 logging:
  # What level should the logger output to the console at.
  console: "warn" #silly, verbose, info, http, warn, error, silent
@ -45,8 +52,6 @@ logging:
  #     enable:
  #       - "DiscordBot"
 database:
-  userStorePath: "/data/user-store.db"
-  roomStorePath: "/data/room-store.db"
  # You may either use SQLite or Postgresql for the bridge database, which contains
  # important mappings for events and user puppeting configurations.
  # Use the filename option for SQLite, or connString for Postgresql.
@ -82,10 +87,12 @@ channel:
 limits:
    # Delay in milliseconds between discord users joining a room.
    roomGhostJoinDelay: 6000
-    # Delay in milliseconds before sending messages to discord to avoid echos.
-    # (Copies of a sent message may arrive from discord before we've
+    # Lock timeout in milliseconds before sending messages to discord to avoid
+    # echos. Default is rather high as the lock will most likely time out
+    # before anyways.
+    # echos = (Copies of a sent message may arrive from discord before we've
    # fininished handling it, causing us to echo it back to the room)
-    discordSendDelay: 750
+    discordSendDelay: 1500
 ghosts:
    # Pattern for the ghosts nick, available is :nick, :username, :tag and :id
    nickPattern: ":nick"
--- a/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
+++ b/roles/matrix-bridge-mautrix-facebook/defaults/main.yml
@ -35,6 +35,10 @@ matrix_mautrix_facebook_homeserver_token: ''
 # Can be set to enable automatic double-puppeting via Shared Secret Auth (https://github.com/devture/matrix-synapse-shared-secret-auth).
 matrix_mautrix_facebook_login_shared_secret: ''

+matrix_mautrix_facebook_bridge_login_shared_secret_map: "{{ {matrix_mautrix_facebook_homeserver_domain: matrix_mautrix_facebook_login_shared_secret} if matrix_mautrix_facebook_login_shared_secret else {} }}"
+
+matrix_mautrix_facebook_bridge_presence: true
+
 # Default configuration template which covers the generic use case.
 # You can customize it by controlling the various variables inside it.
 #
--- a/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
+++ b/roles/matrix-bridge-mautrix-facebook/templates/config.yaml.j2
@ -81,23 +81,32 @@ bridge:
    command_prefix: "!fb"

    # Number of chats to sync (and create portals for) on startup/login.
-    # Maximum 20, set 0 to disable automatic syncing.
+    # Set 0 to disable automatic syncing.
    initial_chat_sync: 10
    # Whether or not the Facebook users of logged in Matrix users should be
    # invited to private chats when the user sends a message from another client.
    invite_own_puppet_to_pm: false
-    # Whether or not to use /sync to get presence, read receipts and typing notifications when using
-    # your own Matrix account as the Matrix puppet for your Facebook account.
+    # Whether or not to use /sync to get presence, read receipts and typing notifications
+    # when double puppeting is enabled
    sync_with_custom_puppets: true
-    # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth
+    # Whether or not to update the m.direct account data event when double puppeting is enabled.
+    # Note that updating the m.direct event is not atomic (except with mautrix-asmux)
+    # and is therefore prone to race conditions.
+    sync_direct_chat_list: false
+    # Servers to always allow double puppeting from
+    double_puppet_server_map: {}
+    #    example.com: https://example.com
+    # Allow using double puppeting from any server with a valid client .well-known file.
+    double_puppet_allow_discovery: false
+    # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth
    #
    # If set, custom puppets will be enabled automatically for local users
    # instead of users having to find an access token and run `login-matrix`
    # manually.
-    login_shared_secret: {{ matrix_mautrix_facebook_login_shared_secret|to_json }}
-    # Whether or not to bridge presence in both directions. Facebook allows users not to broadcast
-    # presence, but then it won't send other users' presence to the client.
-    presence: true
+    # If using this for other servers than the bridge's server,
+    # you must also set the URL in the double_puppet_server_map.
+    login_shared_secret_map: {{ matrix_mautrix_facebook_bridge_login_shared_secret_map|to_json }}
+    presence: {{ matrix_mautrix_facebook_bridge_presence|to_json }}
    # Whether or not to update avatars when syncing all contacts at startup.
    update_avatar_initial_sync: true
    # End-to-bridge encryption support options. These require matrix-nio to be installed with pip
--- a/roles/matrix-bridge-sms/defaults/main.yml
+++ b/roles/matrix-bridge-sms/defaults/main.yml
@ -3,7 +3,7 @@

 matrix_sms_bridge_enabled: true

-matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.4"
+matrix_sms_bridge_docker_image: "docker.io/folivonet/matrix-sms-bridge:0.5.5"

 matrix_sms_bridge_base_path: "{{ matrix_base_data_path }}/matrix-sms-bridge"
 matrix_sms_bridge_config_path: "{{ matrix_base_data_path }}/matrix-sms-bridge/config"
--- a/roles/matrix-client-element/defaults/main.yml
+++ b/roles/matrix-client-element/defaults/main.yml
@ -3,7 +3,7 @@ matrix_client_element_enabled: true
 matrix_client_element_container_image_self_build: false
 matrix_client_element_container_image_self_build_repo: "https://github.com/vector-im/riot-web.git"

-matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.14"
+matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:v1.7.15"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else 'docker.io/' }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

--- a/roles/matrix-common-after/tasks/start.yml
+++ b/roles/matrix-common-after/tasks/start.yml
@ -1,5 +1,9 @@
 ---

+- name: Deterimne whether we should make services autostart
+  set_fact:
+    matrix_services_autostart_enabled_bool: "{{ true if matrix_services_autostart_enabled|default('') == '' else matrix_services_autostart_enabled|bool }}"
+
 - name: Ensure systemd is reloaded
  service:
    daemon_reload: yes
@ -14,7 +18,7 @@
 - name: Ensure Matrix services are started
  service:
    name: "{{ item }}"
-    enabled: yes
+    enabled: "{{ matrix_services_autostart_enabled_bool }}"
    state: started
  with_items: "{{ matrix_systemd_services_list }}"
  when: not ansible_check_mode
--- a/roles/matrix-corporal/defaults/main.yml
+++ b/roles/matrix-corporal/defaults/main.yml
@ -3,6 +3,9 @@

 matrix_corporal_enabled: true

+matrix_corporal_container_image_self_build: false
+matrix_corporal_container_image_self_build_repo: "https://github.com/devture/matrix-corporal.git"
+
 # Controls whether the matrix-corporal container exposes its gateway HTTP port (tcp/41080 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:41080"), or empty string to not expose.
@ -19,10 +22,13 @@ matrix_corporal_container_extra_arguments: []
 # List of systemd services that matrix-corporal.service depends on
 matrix_corporal_systemd_required_services_list: ['docker.service']

-matrix_corporal_docker_image: "docker.io/devture/matrix-corporal:1.11.0"
+matrix_corporal_docker_image: "{{ matrix_corporal_docker_image_name_prefix }}devture/matrix-corporal:{{ matrix_corporal_docker_image_tag }}"
+matrix_corporal_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}"
+matrix_corporal_docker_image_tag: "1.11.0"
 matrix_corporal_docker_image_force_pull: "{{ matrix_corporal_docker_image.endswith(':latest') }}"

 matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
+matrix_corporal_container_src_files_path: "{{ matrix_corporal_base_path }}/container-src"
 matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
 matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
 matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
--- a/roles/matrix-corporal/tasks/setup_corporal.yml
+++ b/roles/matrix-corporal/tasks/setup_corporal.yml
@ -17,13 +17,33 @@
    - "{{ matrix_corporal_var_dir_path }}"
  when: matrix_corporal_enabled|bool

+- name: Ensure Matrix Corporal repository is present on self-build
+  git:
+    repo: "{{ matrix_corporal_container_image_self_build_repo }}"
+    dest: "{{ matrix_corporal_container_src_files_path }}"
+    version: "{{ matrix_corporal_docker_image.split(':')[1] }}"
+    force: "yes"
+  register: matrix_corporal_git_pull_results
+  when: "matrix_corporal_enabled|bool and matrix_corporal_container_image_self_build|bool"
+
+- name: Ensure Matrix Corporal Docker image is built
+  docker_image:
+    name: "{{ matrix_corporal_docker_image }}"
+    source: build
+    force_source: "{{ matrix_corporal_git_pull_results.changed }}"
+    build:
+      dockerfile: etc/docker/Dockerfile
+      path: "{{ matrix_corporal_container_src_files_path }}"
+      pull: yes
+  when: "matrix_corporal_enabled|bool and matrix_corporal_container_image_self_build|bool"
+
 - name: Ensure Matrix Corporal Docker image is pulled
  docker_image:
    name: "{{ matrix_corporal_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_corporal_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_corporal_docker_image_force_pull }}"
-  when: matrix_corporal_enabled|bool
+  when: "matrix_corporal_enabled|bool and not matrix_corporal_container_image_self_build|bool"

 - name: Ensure Matrix Corporal config installed
  copy:
--- a/roles/matrix-jitsi/templates/web/interface_config.js.j2
+++ b/roles/matrix-jitsi/templates/web/interface_config.js.j2
@ -205,9 +205,11 @@ var interfaceConfig = {
 		{% if matrix_jitsi_enable_transcriptions %}
            'closedcaptions',
 		{% endif %}
-
+		{% if matrix_jitsi_enable_recording %}
+            'recording',
+		{% endif %}
        'microphone', 'camera', 'desktop', 'embedmeeting', 'fullscreen',
-        'fodeviceselection', 'hangup', 'profile', 'chat', 'recording',
+        'fodeviceselection', 'hangup', 'profile', 'chat',
        'livestreaming', 'etherpad', 'sharedvideo', 'settings', 'raisehand',
        'videoquality', 'filmstrip', 'invite', 'feedback', 'stats', 'shortcuts',
        'tileview', 'videobackgroundblur', 'download', 'help', 'mute-everyone', 'security'
--- a/roles/matrix-ma1sd/templates/ma1sd.yaml.j2
+++ b/roles/matrix-ma1sd/templates/ma1sd.yaml.j2
@ -82,13 +82,13 @@ hashing:
    - none   # the same as v1 bulk lookup
    - sha256 # hash the 3PID and pepper.
  delay: 2m # how often hashes will be updated if rotation policy = per_seconds (default is 10s)
-  requests: 10 
+  requests: 10
 {% endif %}

 synapseSql:
-  enabled: {{ matrix_ma1sd_synapsesql_enabled }}
-  type: {{ matrix_ma1sd_synapsesql_type }}
-  connection: {{ matrix_ma1sd_synapsesql_connection }}
+  enabled: {{ matrix_ma1sd_synapsesql_enabled|to_json }}
+  type: {{ matrix_ma1sd_synapsesql_type|to_json }}
+  connection: {{ matrix_ma1sd_synapsesql_connection|to_json }}

 hashing:
  enabled: true
--- a/roles/matrix-nginx-proxy/defaults/main.yml
+++ b/roles/matrix-nginx-proxy/defaults/main.yml
@ -3,7 +3,7 @@ matrix_nginx_proxy_enabled: true
 # We use an official nginx image, which we fix-up to run unprivileged.
 # An alternative would be an `nginxinc/nginx-unprivileged` image, but
 # that is frequently out of date.
-matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.4-alpine"
+matrix_nginx_proxy_docker_image: "docker.io/nginx:1.19.5-alpine"
 matrix_nginx_proxy_docker_image_force_pull: "{{ matrix_nginx_proxy_docker_image.endswith(':latest') }}"

 matrix_nginx_proxy_base_path: "{{ matrix_base_data_path }}/nginx-proxy"
@ -259,7 +259,7 @@ matrix_ssl_domains_to_obtain_certificates_for: []

 # Controls whether to obtain production or staging certificates from Let's Encrypt.
 matrix_ssl_lets_encrypt_staging: false
-matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.9.0"
+matrix_ssl_lets_encrypt_certbot_docker_image: "docker.io/certbot/certbot:{{ matrix_ssl_architecture }}-v1.10.1"
 matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
--- a/roles/matrix-synapse/defaults/main.yml
+++ b/roles/matrix-synapse/defaults/main.yml
@ -6,8 +6,9 @@ matrix_synapse_enabled: true
 matrix_synapse_container_image_self_build: false
 matrix_synapse_container_image_self_build_repo: "https://github.com/matrix-org/synapse.git"

-matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:v1.23.0"
+matrix_synapse_docker_image: "{{ matrix_synapse_docker_image_name_prefix }}matrixdotorg/synapse:{{ matrix_synapse_docker_image_tag }}"
 matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_container_image_self_build else 'docker.io/' }}"
+matrix_synapse_docker_image_tag: "{{ 'v1.24.0' if matrix_architecture == 'amd64' else 'v1.23.0' }}"
 matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"

 matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
@ -136,6 +137,11 @@ matrix_synapse_tls_private_key_path: "/data/{{ matrix_server_fqn_matrix }}.tls.k
 # names.
 matrix_synapse_http_listener_resource_names: ["client"]

+# Resources served on Synapse's federation port.
+# When disabling federation, we may wish to serve the `openid` resource here,
+# so that services like Dimension and ma1sd can work.
+matrix_synapse_federation_listener_resource_names: "{{ ['federation'] if matrix_synapse_federation_enabled else (['openid'] if matrix_synapse_federation_port_openid_resource_required else []) }}"
+
 # Enable this to allow Synapse to report utilization statistics about your server to matrix.org
 # (things like number of users, number of messages sent, uptime, load, etc.)
 matrix_synapse_report_stats: false
@ -211,10 +217,25 @@ matrix_synapse_caches_global_factor: 0.5

 # Controls whether Synapse will federate at all.
 # Disable this to completely isolate your server from the rest of the Matrix network.
-# Also see: `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
+#
+# Disabling this still keeps the federation port exposed, because it may be used for other services (`openid`).
+#
+# Also see:
+# - `matrix_synapse_tls_federation_listener_enabled` if you wish to keep federation enabled,
 # but want to stop the TLS listener (port 8448).
+# - `matrix_synapse_federation_port_enabled` to avoid exposing the federation ports
 matrix_synapse_federation_enabled: true

+# Controls whether the federation ports are used at all.
+# One may wish to disable federation (`matrix_synapse_federation_enabled: true`),
+# but still run other resources (like `openid`) on the federation port
+# by enabling them in `matrix_synapse_federation_listener_resource_names`.
+matrix_synapse_federation_port_enabled: "{{ matrix_synapse_federation_enabled or matrix_synapse_federation_port_openid_resource_required }}"
+
+# Controls whether an `openid` listener is to be enabled. Useful when disabling federation,
+# but needing the `openid` APIs for Dimension or an identity server like ma1sd.
+matrix_synapse_federation_port_openid_resource_required: false
+
 # A list of domain names that are allowed to federate with the given Synapse server.
 # An empty list value (`[]`) will also effectively stop federation, but if that's the desired
 # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
--- a/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
@ -188,7 +188,7 @@ listeners:
      - '0.0.0.0'
 {% endif %}

-{% if matrix_synapse_federation_enabled and matrix_synapse_tls_federation_listener_enabled %}
+{% if matrix_synapse_federation_port_enabled and matrix_synapse_tls_federation_listener_enabled %}
  # TLS-enabled listener: for when matrix traffic is sent directly to synapse.
  - port: 8448
    tls: true
@ -197,7 +197,7 @@ listeners:
    x_forwarded: false

    resources:
-      - names: [federation]
+      - names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
        compress: false
 {% endif %}

@ -213,7 +213,7 @@ listeners:
      - names: {{ matrix_synapse_http_listener_resource_names|to_json }}
        compress: false

-{% if matrix_synapse_federation_enabled %}
+{% if matrix_synapse_federation_port_enabled %}
  # Unsecure HTTP listener (Federation API): for when matrix traffic passes through a reverse proxy
  # that unwraps TLS.
  - port: 8048
@ -223,7 +223,7 @@ listeners:
    x_forwarded: true

    resources:
-      - names: [federation]
+      - names: {{ matrix_synapse_federation_listener_resource_names|to_json }}
        compress: false
 {% endif %}

@ -1202,8 +1202,9 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
 # email will be globally disabled.
 #
 # Additionally, if `msisdn` is not set, registration and password resets via msisdn
-# will be disabled regardless. This is due to Synapse currently not supporting any
-# method of sending SMS messages on its own.
+# will be disabled regardless, and users will not be able to associate an msisdn
+# identifier to their account. This is due to Synapse currently not supporting
+# any method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
 # identifier type, set the value to the URL of that identity server as shown in the
@ -1522,6 +1523,12 @@ saml2_config:
    #  remote:
    #    - url: https://our_idp/metadata.xml

+    # Allowed clock difference in seconds between the homeserver and IdP.
+    #
+    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
+    #
+    #accepted_time_diff: 3
+
    # By default, the user has to go to our login page first. If you'd like
    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
    # 'service.sp' section:
@ -1644,6 +1651,14 @@ saml2_config:
  #  - attribute: department
  #    value: "sales"

+  # If the metadata XML contains multiple IdP entities then the `idp_entityid`
+  # option must be set to the entity to redirect users to.
+  #
+  # Most deployments only have a single IdP entity and so should omit this
+  # option.
+  #
+  #idp_entityid: 'https://our_idp/entityid'
+

 # Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
 #
@ -2222,21 +2237,35 @@ password_providers:
 {% endif %}


+## Push ##

-# Clients requesting push notifications can either have the body of
-# the message sent in the notification poke along with other details
-# like the sender, or just the event ID and room ID (`event_id_only`).
-# If clients choose the former, this option controls whether the
-# notification request includes the content of the event (other details
-# like the sender are still included). For `event_id_only` push, it
-# has no effect.
-#
-# For modern android devices the notification content will still appear
-# because it is loaded by the app. iPhone, however will send a
-# notification saying only that a message arrived and who it came from.
-#
 push:
-   include_content: {{ matrix_synapse_push_include_content|to_json }}
+  # Clients requesting push notifications can either have the body of
+  # the message sent in the notification poke along with other details
+  # like the sender, or just the event ID and room ID (`event_id_only`).
+  # If clients choose the former, this option controls whether the
+  # notification request includes the content of the event (other details
+  # like the sender are still included). For `event_id_only` push, it
+  # has no effect.
+  #
+  # For modern android devices the notification content will still appear
+  # because it is loaded by the app. iPhone, however will send a
+  # notification saying only that a message arrived and who it came from.
+  #
+  # The default value is "true" to include message details. Uncomment to only
+  # include the event ID and room ID in push notification payloads.
+  #
+  include_content: {{ matrix_synapse_push_include_content|to_json }}
+
+  # When a push notification is received, an unread count is also sent.
+  # This number can either be calculated as the number of unread messages
+  # for the user, or the number of *rooms* the user has unread messages in.
+  #
+  # The default value is "true", meaning push clients will see the number of
+  # rooms with unread messages in them. Uncomment to instead send the number
+  # of unread messages.
+  #
+  #group_unread_count_by_room: false


 # Spam checkers are third-party modules that can block specific actions