Merge branch 'master' into pub.solar

2023-03-08 18:19:12 +01:00 · 2023-03-08 18:19:12 +01:00 · e604445738
parent e025fa5269 0d93ee8c46
commit e604445738
167 changed files with 2567 additions and 1526 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,43 @@
 # 2023-03-07
 ## Sliding Sync Proxy (Element X) support
 Thanks to [Benjamin Kampmann](https://github.com/gnunicorn) for [getting it started](https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/2515), [FSG-Cat](https://github.com/FSG-Cat) for fixing it up and me ([Slavi](https://github.com/spantaleev)) for polishing it up, the playbook can now install and configure the [sliding-sync proxy](https://github.com/matrix-org/sliding-sync).
 The upcoming Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)) require the `sliding-sync` proxy to do their job. **These clients are still in beta** (especially Element X Android, which requires manual compilation to get it working with a non-`matrix.org` homeseserver). Playbook users can now easily give these clients a try and help test them thanks to us having `sliding-sync` support.
 To get started, see our [Setting up Sliding Sync Proxy](docs/configuring-playbook-sliding-sync-proxy.md) documentation page.
 # 2023-03-02
 ## The matrix-etherpad role lives independently now
 **TLDR**: the `matrix-etherpad` role is now included from [another repository](https://gitlab.com/etke.cc/roles/etherpad). Some variables have been renamed. All functionality remains intact.
 You need to **update you roles** (`just roles` or `make roles`) regardless of whether you're using Etherpad or not.
 If you're making use of Etherpad via this playbook, you will need to update variable references in your `vars.yml` file:
 - Rename `matrix_etherpad_public_endpoint` to `etherpad_path_prefix`
 - Replace `matrix_etherpad_mode: dimension` with:
  - for `matrix-nginx-proxy` users:
    - `etherpad_nginx_proxy_dimension_integration_enabled: true`
    - `etherpad_hostname: "{{ matrix_server_fqn_dimension }}"`
  - for Traefik users:
    - define your own `etherpad_hostname` and `etherpad_path_prefix` as you see fit
 - Rename all other variables:
  - `matrix_etherpad_docker_image_` -> `matrix_etherpad_container_image_`
  - `matrix_etherpad_` -> `etherpad_`
 Along with this relocation, the new role also:
 - supports [self-building](docs/self-building.md), so it should work on `arm32` and `arm64` architectures
 - has native Traefik reverse-proxy support (Etherpad requests no longer go through `matrix-nginx-proxy` when using Traefik)
 # 2023-02-26
 ## Traefik is the default reverse-proxy now
@ -57,7 +97,7 @@ At some point in the **near** future (days, or even weeks at most), we hope to c
 ### How do I keep using my own other reverse-proxy?
-We recommend that you follow the guide for [Fronting the integraed reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy).
+We recommend that you follow the guide for [Fronting the integrated reverse-proxy webserver with another reverse-proxy](docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy).
 # 2023-02-25
@ -194,9 +234,9 @@ devture_traefik_config_certificatesResolvers_acme_email: YOUR_EMAIL_ADDRESS
 You may still need to keep certain old `matrix_nginx_proxy_*` variables (like `matrix_nginx_proxy_base_domain_serving_enabled`), even when using Traefik. For now, we recommend keeping all `matrix_nginx_proxy_*` variables just in case. In the future, reliance on `matrix-nginx-proxy` will be removed.
-Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/devture-traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble.
+Switching to Traefik will obtain new SSL certificates from Let's Encrypt (stored in `/matrix/traefik/ssl/acme.json`). **The switch is reversible**. You can always go back to `playbook-managed-nginx` if Traefik is causing you trouble.
-**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/devture-traefik`), so you may run into a Let's Encrypt rate limit if you do it often.
+**Note**: toggling `matrix_playbook_reverse_proxy_type` between Traefik and nginx will uninstall the Traefik role and all of its data (under `/matrix/traefik`), so you may run into a Let's Encrypt rate limit if you do it often.
 Treafik directly reverse-proxies to **some** services right now, but for most other services it goes through `matrix-nginx-proxy` (e.g. Traefik -> `matrix-nginx-proxy` -> [Ntfy](docs/configuring-playbook-ntfy.md)). So, even if you opt into Traefik, you'll still see `matrix-nginx-proxy` being installed in local-only mode. This will improve with time.
@ -483,11 +523,11 @@ Various services (like Dimension, etc.) still talk to Synapse via `matrix-nginx-
 Until now, [Etherpad](https://etherpad.org/) (which [the playbook could install for you](docs/configuring-playbook-etherpad.md)) required the [Dimension integration manager](docs/configuring-playbook-dimension.md) to also be installed, because Etherpad was hosted on the Dimension domain (at `dimension.DOMAIN/etherpad`).
-From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`matrix_etherpad_mode: standalone`).
+From now on, Etherpad can be installed in `standalone` mode on `etherpad.DOMAIN` and used even without Dimension. This is much more versatile, so the playbook now defaults to this new mode (`etherpad_mode: standalone`).
 If you've already got both Etherpad and Dimension in use you could:
- **either** keep hosting Etherpad under the Dimension domain by adding `matrix_etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary.
+- **either** keep hosting Etherpad under the Dimension domain by adding `etherpad_mode: dimension` to your `vars.yml` file. All your existing room widgets will continue working at the same URLs and no other changes will be necessary.
 - **or**, you could change to hosting Etherpad separately on `etherpad.DOMAIN`. You will need to [configure a DNS record](docs/configuring-dns.md) for this new domain. You will also need to reconfigure Dimension to use the new pad URLs (`https://etherpad.DOMAIN/...`) going forward (refer to our [configuring Etherpad documentation](docs/configuring-playbook-etherpad.md)). All your existing room widgets (which still use `https://dimension.DOMAIN/etherpad/...`) will break as Etherpad is not hosted there anymore. You will need to re-add them or to consider not using `standalone` mode
--- a/README.md
+++ b/README.md
@ -162,6 +162,7 @@ Various services that don't fit any other category.
 | Name | Default? | Description | Documentation |
 | ---- | -------- | ----------- | ------------- |
 | [sliding-sync](https://github.com/matrix-org/sliding-sync)| x | Sliding Sync support for clients which require it (e.g. Element X) | [Link](docs/configuring-playbook-sliding-sync-proxy.md) |
 | [synapse-simple-antispam](https://github.com/t2bot/synapse-simple-antispam) (advanced) | x | A spam checker module | [Link](docs/configuring-playbook-synapse-simple-antispam.md) |
 | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | x | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) |
 | [Etherpad](https://etherpad.org) | x | An open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) |
--- a/docs/ansible.md
+++ b/docs/ansible.md
@ -65,7 +65,7 @@ docker run -it --rm \
 -w /work \
 -v `pwd`:/work \
 --entrypoint=/bin/sh \
-docker.io/devture/ansible:2.13.6-r0-1
+docker.io/devture/ansible:2.13.6-r0-2
 ```
 Once you execute the above command, you'll be dropped into a `/work` directory inside a Docker container.
--- a/docs/configuring-playbook-bot-go-neb.md
+++ b/docs/configuring-playbook-bot-go-neb.md
@ -24,6 +24,31 @@ ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.go-neb
 Once the user is created you can [obtain an access token](obtaining-access-tokens.md).
 ## Decide on a domain and path
 By default, Go-NEB is configured to use its own dedicated domain (`goneb.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
 You can override the domain and path like this:
 ```yaml
 # Switch to the domain used for Matrix services (`matrix.DOMAIN`),
 # so we won't need to add additional DNS records for Go-NEB.
 matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_matrix }}"
 # Expose under the /go-neb subpath
 matrix_bot_go_neb_path_prefix: /go-neb
 ```
 **NOTE**: When using `matrix-nginx-proxy` instead of Traefik, you won't be able to override the path prefix. You can only override the domain, but that needs to happen using another variable: `matrix_server_fqn_go_neb` (e.g. `matrix_server_fqn_go_neb: "mybot.{{ matrix_domain }}"`).
 ## Adjusting DNS records
 Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Go-NEB domain to the Matrix server.
 If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
 ## Adjusting the playbook configuration
 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file (adapt to your needs):
@ -193,9 +218,7 @@ matrix_bot_go_neb_services:
 ## Installing
-Don't forget to add `goneb.<your-domain>` to DNS as described in [Configuring DNS](configuring-dns.md) before running the playbook.
+After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again:
 After configuring the playbook, run the [installation](installing.md) command again:
 ```
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
--- a/docs/configuring-playbook-dimension.md
+++ b/docs/configuring-playbook-dimension.md
@ -6,14 +6,29 @@ If you're just installing Matrix services for the first time, please continue wi
 **Note**: This playbook now supports running [Dimension](https://dimension.t2bot.io) in both a federated and [unfederated](https://github.com/turt2live/matrix-dimension/blob/master/docs/unfederated.md) environments. This is handled automatically based on the value of `matrix_synapse_federation_enabled`. Enabling Dimension, means that the `openid` API endpoints will be exposed on the Matrix Federation port (usually `8448`), even if [federation](configuring-playbook-federation.md) is disabled. It's something to be aware of, especially in terms of firewall whitelisting (make sure port `8448` is accessible).
-## Prerequisites
+## Decide on a domain and path
-The `dimension.<your-domain>` DNS record must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up DNS record correctly.
+By default, Dimension is configured to use its own dedicated domain (`dimension.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
 You can override the domain and path like this:
 ```yaml
 # Switch to another hostname compared to the default (`dimension.{{ matrix_domain }}`)
 matrix_dimension_hostname: "integrations.{{ matrix_domain }}"
 ```
 While there is a `matrix_dimension_path_prefix` variable for changing the path where Dimension is served, overriding it is not possible right now due to [this Dimension issue](https://github.com/turt2live/matrix-dimension/issues/510). You must serve Dimension at a dedicated subdomain until this issue is solved.
 ## Adjusting DNS records
 Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Dimension domain to the Matrix server.
 ## Enable
-[Dimension integrations manager](https://dimension.t2bot.io) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
+To enable Dimension, add this to your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
 ```yaml
 matrix_dimension_enabled: true
@ -54,7 +69,7 @@ For more information on how to acquire an access token, visit [https://t2bot.io/
 ## Installation
-After these variables have been set, please run the following command to re-run setup and to restart Dimension:
+After these variables have been set and you have potentially [adjusted your DNS records](#adjusting-dns-records), please run the following command to re-run setup and to restart Dimension:
 ```
 ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
--- a/docs/configuring-playbook-etherpad.md
+++ b/docs/configuring-playbook-etherpad.md
@ -1,19 +1,41 @@
 # Setting up Etherpad (optional)
-[Etherpad](https://etherpad.org) is is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app.
+[Etherpad](https://etherpad.org) is an open source collaborative text editor that can be embedded in a Matrix chat room using the [Dimension integrations manager](https://dimension.t2bot.io) or used as standalone web app.
 When enabled together with the Jitsi audio/video conferencing system (see [our docs on Jitsi](configuring-playbook-jitsi.md)), it will be made available as an option during the conferences.
-## Prerequisites
+## Decide on a domain and path
-Etherpad can be installed in 2 modes:
+By default, Etherpad is configured to use its own dedicated domain (`etherpad.DOMAIN`) and requires you to [adjust your DNS records](#adjusting-dns-records).
- (default) `standalone` mode (`matrix_etherpad_mode: standalone`) - Etherpad will be hosted on `etherpad.<your-domain>` (`matrix_server_fqn_etherpad`), so the DNS record for this domian must be created. See [Configuring your DNS server](configuring-dns.md) on how to set up the `etherpad` DNS record correctly
+You can override the domain and path like this:
- `dimension` mode (`matrix_etherpad_mode: dimension`) - Etherpad will be hosted on `dimension.<your-domain>/etherpad` (`matrix_server_fqn_dimension`). This requires that you **first** configure the **Dimension integrations manager** as described in [the playbook documentation](configuring-playbook-dimension.md)
+```yaml
 # Switch to the domain used for Matrix services (`matrix.DOMAIN`),
 # so we won't need to add additional DNS records for Etherpad.
 etherpad_hostname: "{{ matrix_server_fqn_matrix }}"
-We recomend that you go with the default (`standalone`) mode, which makes Etherpad independent and allows it to be used with or without Dimension.
+# Expose under the /etherpad subpath
 etherpad_path_prefix: /etherpad
 ```
 **NOTE**: When using the old `matrix-nginx-proxy` reverse-proxy instead of Traefik, you have only 2 choices:
 - serving Etherpad at its own dedicated domain:
  - you need to set the domain using the `matrix_server_fqn_etherpad` variable (not `etherpad_hostname`)
  - you must use `etherpad_path_prefix: /`
 - serving Etherpad at the [Dimension](configuring-playbook-dimension.md) integration manager's domain (`matrix_server_fqn_dimension`)
  - you need to have Dimension enabled
  - you need to add `etherpad_path_prefix: /etherpad` or another prefix (different than `/`)
  - you need to add `etherpad_nginx_proxy_dimension_integration_enabled: true` to enable this integration
 ## Adjusting DNS records
 Once you've decided on the domain and path, **you may need to adjust your DNS** records to point the Etherpad domain to the Matrix server.
 If you've decided to reuse the `matrix.` domain, you won't need to do any extra DNS configuration.
 ## Installing
@ -21,48 +43,51 @@ We recomend that you go with the default (`standalone`) mode, which makes Etherp
 [Etherpad](https://etherpad.org) installation is disabled by default. You can enable it in your configuration file (`inventory/host_vars/matrix.<your-domain>/vars.yml`):
 ```yaml
-matrix_etherpad_enabled: true
+etherpad_enabled: true
 # Uncomment below if you'd like to install Etherpad on the Dimension domain (not recommended)
 # matrix_etherpad_mode: dimension
 # Uncomment below to enable the admin web UI
-# matrix_etherpad_admin_username: admin
+# etherpad_admin_username: admin
-# matrix_etherpad_admin_password: some-password
+# etherpad_admin_password: some-password
 ```
-If enabled, the admin web-UI should then be available on `https://etherpad.<your-domain>/admin` (or `https://dimension.<your-domain>/etherpad/admin`, if `matrix_etherpad_mode: dimension`)
+Then, [run the installation process](installing.md) again (e.g. `just install-all`).
-## Managing / Deleting old pads
+## Usage
 The Etherpad UI should be available at `https://etherpad.<your-domain>`, while the admin UI (if enabled) should then be available at `https://etherpad.<your-domain>/admin`.
 If you've [decided on another hostname or path-prefix](#decide-on-a-domain-and-path) (e.g. `https://matrix.DOMAIN/etherpad`), adjust these URLs accordingly before usage.
 ### Managing / Deleting old pads
 If you want to manage and remove old unused pads from Etherpad, you will first need to able Admin access as described above.
-Then from the plugin manager page (`https://etherpad.<your-domain>/admin/plugins` or `https://dimension.<your-domain>/etherpad/admin/plugins`), install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI.
+Then from the plugin manager page (`https://etherpad.<your-domain>/admin/plugins`, install the `adminpads2` plugin. Once installed, you should have a "Manage pads" section in the Admin web-UI.
-## How to use Etherpad widgets without an Integration Manager (like Dimension)
+### How to use Etherpad widgets without an Integration Manager (like Dimension)
 This is how it works in Element, it might work quite similar with other clients:
 To integrate a standalone etherpad in a room, create your pad by visiting `https://etherpad.DOMAIN`. When the pad opens, copy the URL and send a command like this to the room: `/addwidget URL`. You will then find your integrated Etherpad within the right sidebar in the `Widgets` section.
-## Set Dimension default to the self-hosted Etherpad (optional)
+### Set Dimension default to the self-hosted Etherpad (optional)
 If you decided to install [Dimension integration manager](configuring-playbook-dimension.md) alongside Etherpad, the Dimension administrator users can configure the default URL template.
 The Dimension configuration menu can be accessed with the sprocket icon as you begin to add a widget to a room in Element. There you will find the Etherpad Widget Configuration action beneath the _Widgets_ tab.
-### Removing the integrated Etherpad chat
+#### Removing the integrated Etherpad chat
-If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template. Examples:
+If you wish to disable the Etherpad chat button, you can do it by appending `?showChat=false` to the end of the pad URL, or the template.
 - `https://etherpad.<your-domain>/p/$roomId_$padName?showChat=false` (for the default - `matrix_etherpad_mode: standalone`)
- `https://dimension.<your-domain>/etherpad/p/$roomId_$padName?showChat=false` (for `matrix_etherpad_mode: dimension`)
+Example: `https://etherpad.<your-domain>/p/$roomId_$padName?showChat=false`
-### Known issues
+## Known issues
 If your Etherpad widget fails to load, this might be due to Dimension generating a Pad name so long, the Etherpad app rejects it.
 `$roomId_$padName` can end up being longer than 50 characters. You can avoid having this problem by altering the template so it only contains the three word random identifier `$padName`.
--- a/docs/configuring-playbook-own-webserver.md
+++ b/docs/configuring-playbook-own-webserver.md
@ -123,7 +123,7 @@ You can disable such behavior and make the integrated reverse-proxy webserver on
 This is the recommended way for using another reverse-proxy, because the integrated one would act as a black box and wire all Matrix services correctly. You would only need to reverse-proxy a few individual domains and ports over to it.
-**For Traefik** fronted by another reverse-proxy, you would need some configuration like this:
+To front Traefik with another reverse-proxy, you would need some configuration like this:
 ```yaml
 matrix_playbook_reverse_proxy_type: playbook-managed-traefik
@ -134,42 +134,33 @@ matrix_playbook_ssl_enabled: true
 # Disable the web-secure (port 443) endpoint, which also disables SSL certificate retrieval
 devture_traefik_config_entrypoint_web_secure_enabled: false
 # If your reverse-proxy runs on another machine, consider using `0.0.0.0:81`, just `81` or `SOME_IP_ADDRESS_OF_THIS_MACHINE:81`
 devture_traefik_container_web_host_bind_port: '127.0.0.1:81'
 # We bind to `127.0.0.1` by default (see above), so trusting `X-Forwarded-*` headers from
 # a reverse-proxy running on the local machine is safe enough.
 devture_traefik_config_entrypoint_web_forwardedHeaders_insecure: true
 # Or, if you're publishing the port (`devture_traefik_container_web_host_bind_port` above) to a public network interfaces:
 # - remove the `devture_traefik_config_entrypoint_web_forwardedHeaders_insecure` variable definition above
 # - uncomment and adjust the line below
 # devture_traefik_config_entrypoint_web_forwardedHeaders_trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 # Likewise (to `devture_traefik_container_web_host_bind_port` above),
 # if your reverse-proxy runs on another machine, consider changing the `host_bind_port` setting below.
 devture_traefik_additional_entrypoints_auto:
  - name: matrix-federation
-    port: "{{ matrix_federation_public_port }}"
+    port: 8449
-    host_bind_port: "127.0.0.1:{{ matrix_federation_public_port }}"
+    host_bind_port: '127.0.0.1:8449'
    config: {}
 	# If your reverse-proxy runs on another machine, remove the config above and use this config instead:
 	# config:
 	#   forwardedHeaders:
 	#     insecure: true
 	#     # trustedIPs: ['IP-ADDRESS-OF-YOUR-REVERSE-PROXY']
 ```
-(Deprecated) **For `matrix-nginx-proxy`** fronted by another reverse-proxy, you would need some configuration like this:
+For an example where the playbook's Traefik reverse-proxy is fronted by [Nginx](https://nginx.org/) running on the same server, see [Nginx reverse-proxy fronting the playbook's Traefik](../examples/nginx/README.md).
 ```yaml
 matrix_playbook_reverse_proxy_type: playbook-managed-nginx
 # Ensure that public urls use https
 matrix_playbook_ssl_enabled: true
 # Disable SSL certificate retrieval
 matrix_ssl_retrieval_method: none
 # Given that we won't be obtaining SSL certificates here, disable HTTPS
 matrix_nginx_proxy_https_enabled: false
 # Do not listen for HTTP on port 80 globally (default), listen on the loopback interface.
 # If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
 matrix_nginx_proxy_container_http_host_bind_port: '127.0.0.1:81'
 # Likewise, expose the Matrix Federation port on the loopback interface.
 # Since `matrix_nginx_proxy_https_enabled` is set to `false`, this federation port will serve HTTP traffic.
 # If you'd like, you can make it use the local network as well and reverse-proxy from another local machine.
 #
 # You'd most likely need to expose it publicly on port 8448 (8449 was chosen for the local port to prevent overlap).
 matrix_nginx_proxy_container_federation_host_bind_port: '127.0.0.1:8449'
 ```
 If you'll be fronting with a reverse-proxy that lives on another machine (not on the same one as Matrix), you need to replace `127.0.0.1` in the above configurations with `0.0.0.0` or another network interface.
 ### Using no reverse-proxy on the Matrix side at all
@ -232,4 +223,4 @@ Some of these services are configured with certain default expecations with rega
 For each new playbook service that you enable, you'll need special handling.
-The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, etc.
+The [`examples/`](../examples/) directory contains examples for various servers: Caddy, Apache, HAproxy, Nginx, etc.
--- a/docs/configuring-playbook-postgres-backup.md
+++ b/docs/configuring-playbook-postgres-backup.md
@ -23,8 +23,8 @@ Refer to the table below for additional configuration variables and their defaul
 |`devture_postgres_backup_keep_days`|`7`|Number of daily backups to keep|
 |`devture_postgres_backup_keep_weeks`|`4`|Number of weekly backups to keep|
 |`devture_postgres_backup_keep_months`|`12`|Number of monthly backups to keep|
-|`devture_postgres_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_data_path` |
+|`devture_postgres_backup_base_path` | `"{{ matrix_base_data_path }}/postgres-backup"` | Base path for postgres-backup. Also see `devture_postgres_backup_data_path` |
-|`devture_postgres_data_path` | `"{{ devture_postgres_base_path }}/data"` | Storage path for postgres-backup database backups |
+|`devture_postgres_backup_data_path` | `"{{ devture_postgres_backup_base_path }}/data"` | Storage path for postgres-backup database backups |
 ## Installing
--- a/docs/configuring-playbook-sliding-sync-proxy.md
+++ b/docs/configuring-playbook-sliding-sync-proxy.md
@ -0,0 +1,51 @@
 # Setting up Sliding Sync Proxy (optional)
 The playbook can install and configure [sliding-sync](https://github.com/matrix-org/sliding-sync) proxy for you.
 Sliding Sync is an implementation of [MSC3575](https://github.com/matrix-org/matrix-spec-proposals/blob/kegan/sync-v3/proposals/3575-sync.md) and a prerequisite for running the new (**still beta**) Element X clients ([Element X iOS](https://github.com/vector-im/element-x-ios) and [Element X Android](https://github.com/vector-im/element-x-android)).
 See the project's [documentation](https://github.com/matrix-org/sliding-sync) to learn more.
 Element X iOS is [available on TestFlight](https://testflight.apple.com/join/uZbeZCOi).
 Element X Android requires manual compilation to get it working with a non-`matrix.org` homeseserver. It's also less feature-complete than the iOS version.
 **NOTE**: The Sliding Sync proxy **only works with the Traefik reverse-proxy**. If you have an old server installation (from the time `matrix-nginx-proxy` was our default reverse-proxy - `matrix_playbook_reverse_proxy_type: playbook-managed-nginx`), you won't be able to use Sliding Sync.
 ## Decide on a domain and path
 By default, the Sliding Sync proxy is configured to be served on the Matrix domain (`matrix.DOMAIN`, controlled by `matrix_server_fqn_matrix`), under the `/sliding-sync` path.
 This makes it easy to set it up, **without** having to [adjust your DNS records](#adjusting-dns-records).
 If you'd like to run the Sliding Sync proxy on another hostname or path, use the `matrix_sliding_sync_hostname` and `matrix_sliding_sync_path_prefix` variables.
 ## Adjusting DNS records
 If you've changed the default hostame, **you may need to adjust your DNS** records.
 ## Adjusting the playbook configuration
 Add the following configuration to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file:
 ```yaml
 matrix_sliding_sync_enabled: true
 ```
 ## Installing
 After potentially [adjusting DNS records](#adjusting-dns-records) and configuring the playbook, run the [installation](installing.md) command again: `just install-all`.
 ## Usage
 You **don't need to do anything special** to make use of the Sliding Sync Proxy.
 Simply open your client which supports Sliding Sync (like Element X) and log in.
 When the Sliding Sync proxy is [installed](#installing), your `/.well-known/matrix/client` file is also updated. A new `org.matrix.msc3575.proxy` section and `url` property are added there and made to point to your Sliding Sync proxy's base URL (e.g. `https://matrix.DOMAIN/sliding-sync`).
 This allows clients which support Sliding Sync to detect the Sliding Sync Proxy's URL and make use of it.
--- a/docs/configuring-playbook-ssl-certificates.md
+++ b/docs/configuring-playbook-ssl-certificates.md
@ -29,6 +29,72 @@ devture_traefik_config_entrypoint_web_secure_enabled: false
 ## Using self-signed SSL certificates
-Using self-signed certificates with Traefik is a somewhat involved processes, where you need to manually mount the files into the container and adjust the "static" configuration to refer to them.
+If you'd like to use your own SSL certificates, instead of the default (SSL certificates obtained automatically via [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) from [Let's Encrypt](https://letsencrypt.org/)):
-Feel free to research this approach on your own and improve this guide!
+- generate your self-signed certificate files
 - follow the [Using your own SSL certificates](#using-your-own-ssl-certificates) documentation below
 ## Using your own SSL certificates
 To use your own SSL certificates with Traefik, you need to:
 - disable [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) / [Let's Encrypt](https://letsencrypt.org/) support
 - put a custom Traefik configuration file on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
 - register your custom configuration file with Traefik, by adding an extra provider of type [file](https://doc.traefik.io/traefik/providers/file/)
 - put the SSL files on the server, with the help of this Ansible playbook (via the `matrix-aux` role) or manually
 ```yaml
 # Disable ACME / Let's Encrypt support.
 devture_traefik_config_certificatesResolvers_acme_enabled: false
 # Disabling ACME support (above) automatically disables the creation of the SSL directory.
 # Force-enable it here, because we'll add our certificate files there.
 devture_traefik_ssl_dir_enabled: true
 # Tell Traefik to load our custom configuration file (certificates.yml).
 # The file is created below, in `matrix_aux_file_definitions`.
 # The `/config/..` path is an in-container path, not a path on the host (like `/matrix/traefik/config`). Do not change it!
 devture_traefik_configuration_extension_yaml: |
  providers:
    file:
      filename: /config/certificates.yml
      watch: true
 # Use the matrix-aux role to create our custom files on the server.
 # If you'd like to do this manually, you remove this `matrix_aux_file_definitions` variable.
 matrix_aux_file_definitions:
  # Create the privkey.pem file on the server by
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/privkey.pem"
    src: /path/on/your/Ansible/computer/to/privkey.pem
 	# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
 	# Note the indentation level.
 	# content: |
 	#   FILE CONTENT
 	#   HERE
  # Create the cert.pem file on the server
  # uploading a file from the computer where Ansible is running.
  - dest: "{{ devture_traefik_ssl_dir_path }}/cert.pem"
    src: /path/on/your/Ansible/computer/to/cert.pem
 	# Alternatively, comment out `src` above and uncomment the lines below to provide the certificate content inline.
 	# Note the indentation level.
 	# content: |
 	#   FILE CONTENT
 	#   HERE
  # Create the custom Traefik configuration.
  # The `/ssl/..` paths below are in-container paths, not paths on the host (/`matrix/traefik/ssl/..`). Do not change them!
  - dest: "{{ devture_traefik_config_dir_path }}/certificates.yml"
    content: |
      tls:
        certificates:
          - certFile: /ssl/cert.pem
            keyFile: /ssl/privkey.pem
        stores:
          default:
            defaultCertificate:
              certFile: /ssl/cert.pem
              keyFile: /ssl/privkey.pem
 ```
--- a/docs/configuring-playbook-traefik.md
+++ b/docs/configuring-playbook-traefik.md
@ -35,6 +35,8 @@ devture_traefik_dashboard_basicauth_user: YOUR_USERNAME_HERE
 devture_traefik_dashboard_basicauth_password: YOUR_PASSWORD_HERE
 ```
 **WARNING**: enabling the dashboard on a hostname you use for something else (like `matrix_server_fqn_matrix` in the configuration above) may cause conflicts. Enabling the Traefik Dashboard makes Traefik capture all `/dashboard` and `/api` requests and forward them to itself. If any of the services hosted on the same hostname requires any of these 2 URL prefixes, you will experience problems. So far, we're not aware of any playbook services which occupy these endpoints and are likely to cause conflicts.
 ## Additional configuration
 Use the `devture_traefik_configuration_extension_yaml` variable provided by the Traefik Ansible role to override or inject additional settings, even when no dedicated variable exists.
--- a/docs/configuring-playbook.md
+++ b/docs/configuring-playbook.md
@ -195,6 +195,8 @@ When you're done with all the configuration you'd like to do, continue with [Ins
 ### Other specialized services
 - [Setting up the Sliding Sync Proxy](configuring-playbook-sliding-sync-proxy.md) for clients which require Sliding Sync support (like Element X) (optional)
 - [Setting up the Sygnal push gateway](configuring-playbook-sygnal.md) (optional)
 - [Setting up the ntfy push notifications server](configuring-playbook-ntfy.md) (optional)
--- a/docs/faq.md
+++ b/docs/faq.md
@ -125,7 +125,7 @@ This is similar to the [EMnify/matrix-synapse-auto-deploy](https://github.com/EM
 - this one installs everything in a single directory (`/matrix` by default) and **doesn't "contaminate" your server** with files all over the place
- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up nginx for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md)
+- this one **doesn't necessarily take over** ports 80 and 443. By default, it sets up [Traefik](https://doc.traefik.io/traefik/) for you there, but you can also [use your own webserver](configuring-playbook-own-webserver.md)
 - this one **runs everything in Docker containers**, so it's likely more predictable and less fragile (see [Docker images used by this playbook](container-images.md))
@ -322,7 +322,7 @@ matrix_playbook_docker_installation_enabled: false
 ### I run another webserver on the same server where I wish to install Matrix. What now?
-By default, we install a webserver for you (nginx), but you can also use [your own webserver](configuring-playbook-own-webserver.md).
+By default, we install a webserver for you ([Traefik](https://doc.traefik.io/traefik/)), but you can also use [your own webserver](configuring-playbook-own-webserver.md).
 ### How is the effective configuration determined?
@ -336,12 +336,14 @@ Configuration variables are defined in multiple places in this playbook and are
 ### What configuration variables are available?
-You can discover the variables you can override in each role (`role/matrix*/defaults/main.yml`).
+You can discover the variables you can override in each role (`roles/*/*/defaults/main.yml`).
 As described in [How is the effective configuration determined?](#how-is-the-effective-configuration-determined), these role-defaults may be overriden by values defined in `group_vars/matrix_servers`.
 Refer to both of these for inspiration. Still, as mentioned in [Configuring the playbook](configuring-playbook.md), you're only ever supposed to edit your own `inventory/host_vars/matrix.DOMAIN/vars.yml` file and nothing else inside the playbook (unless you're meaning to contribute new features).
 **Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`).
 ### I'd like to adjust some configuration which doesn't have a corresponding variable. How do I do it?
 The playbook doesn't aim to expose all configuration settings for all services using variables.
@ -352,7 +354,9 @@ See [What configuration variables are available?](#what-configuration-variables-
 Besides that, each role (component) aims to provide a `matrix_SOME_COMPONENT_configuration_extension_yaml` (or `matrix_SOME_COMPONENT_configuration_extension_json`) variable, which can be used to override the configuration.
-Check each role's `role/matrix*/defaults/main.yml` for the corresponding variable and an example for how use it.
+Check each role's `roles/*/*/defaults/main.yml` for the corresponding variable and an example for how use it.
 **Note**: some of the roles (`roles/galaxy/*`) live in separate repositories and are only installed after your run `just roles` (or `make roles`).
 ## Installation
@ -461,15 +465,8 @@ After verifying that everything still works after the Postgres upgrade, you can
 ### How do I debug or force SSL certificate renewal?
-SSL certificate renewal normally happens automatically via [systemd timers](https://wiki.archlinux.org/index.php/Systemd/Timers).
+SSL certificates are managed automatically by the [Traefik](https://doc.traefik.io/traefik/) reverse-proxy server.
-If you're having trouble with SSL certificate renewal, you can inspect the renewal logs using:
+If you're having trouble with SSL certificate renewal, check the Traefik logs (`journalctl -fu matrix-traefik`).
- `journalctl -fu matrix-ssl-lets-encrypt-certificates-renew.service`
+If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (Traefik), you should investigate in another way.
 - *or* by looking at the log files in `/matrix/ssl/log/`
 To trigger renewal, run: `systemctl start matrix-ssl-lets-encrypt-certificates-renew.service`. You can then take a look at the logs again.
 If you're using the integrated webserver (`matrix-nginx-proxy`), you can reload it manually like this: `systemctl reload matrix-nginx-proxy`. Reloading also happens periodically via a systemd timer.
 If you're [using your own webserver](configuring-playbook-own-webserver.md) instead of the integrated one (`matrix-nginx-proxy`) you may also need to reload/restart it, to make it pick up the renewed SSL certificate files.
--- a/examples/nginx/README.md
+++ b/examples/nginx/README.md
@ -0,0 +1,17 @@
 # Nginx reverse-proxy fronting the playbook's integrated Traefik reverse-proxy
 This directory contains a sample config that shows you how use the [nginx](https://nginx.org/) webserver to front the integrated [Traefik](https://traefik.io/) reverse-proxy webserver with another reverse-proxy.
 ## Prerequisite configuration
 To get started, first follow the [front the integrated reverse-proxy webserver with another reverse-proxy](../../docs/configuring-playbook-own-webserver.md#fronting-the-integrated-reverse-proxy-webserver-with-another-reverse-proxy) instructions and update your playbook's configuration (`inventory/host_vars/matrix.<your-domain>/vars.yml`).
 ## Using the nginx configuration
 Copy the [matrix.conf](matrix.conf) file to your nginx server's filesystem, modify it to your needs and include it your nginx configuration (e.g. `include /path/to/matrix.conf;`).
 This configuration **disables SSL certificate retrieval**, so you will **need to obtain SSL certificates manually** (e.g. by using [certbot](https://certbot.eff.org/)) and set the appropriate path in `matrix.conf`. In the example nginx configuration, a single certificate is used for all subdomains (`matrix.DOMAIN`, `element.DOMAIN`, etc.). For your setup, may wish to change this and use separate `server` blocks and separate certificate files for each host.
 Also note that your copy of the `matrix.conf` file has to be adapted to whatever services you are using. For example, remove `element.domain.com` from the `server_name` list if you don't use [Element](../../docs/configuring-playbook-client-element.md) web client or add `dimension.domain.com` to it if you do use the [Dimension](../../docs/configuring-playbook-dimension.md) integration manager.
--- a/examples/nginx/matrix.conf
+++ b/examples/nginx/matrix.conf
@ -0,0 +1,96 @@
 server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # TODO: add/remove services and their subdomains if you use/don't use them
    # this example is using hosting something on the base domain and an element web client, so example.com and element.example.com are listed in addition to matrix.example.com
    # if you don't use those, you can remove them
    # if you use e.g. dimension on dimension.example.com, add dimension.example.com to the server_name list
    server_name example.com matrix.example.com element.example.com;
    location / {
        # note: do not add a path (even a single /) after the port in `proxy_pass`,
        # otherwise, nginx will canonicalise the URI and cause signature verification
        # errors.
        proxy_pass http://localhost:81;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;
        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;
    }
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }
 # settings for matrix federation
 server {
    # For the federation port
    listen 8448 ssl http2 default_server;
    listen [::]:8448 ssl http2 default_server;
    server_name matrix.example.com;
    location / {
        proxy_pass http://localhost:8449;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        access_log /var/log/nginx/matrix.access.log;
        error_log /var/log/nginx/matrix.error.log;
        # Nginx by default only allows file uploads up to 1M in size
        # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
        client_max_body_size 50M;
    }
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    # TODO: adapt the path to your ssl certificate for the domains listed on server_name
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }
 # ensure using https
 # TODO: remove server blocks that you don't use / add server blocks for domains you do use
 server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name example.com;
    listen 80;
    return 404; # managed by Certbot
 }
 server {
    if ($host = matrix.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name matrix.example.com;
    listen 80;
    return 404; # managed by Certbot
 }
 server {
    if ($host = element.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name element.example.com;
    listen 80;
    return 404; # managed by Certbot
 }
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@ -19,31 +19,15 @@
 # Also see `devture_docker_sdk_for_python_installation_enabled`.
 matrix_playbook_docker_installation_enabled: true
 # Controls whether to run the Traefik role or not
 # See the `com.devture.ansible.role.traefik` section below for role configuration.
 #
 # There's a difference between `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
 # `devture_traefik_enabled` controls what the Traefik role would do - when not enabled, it will run uninstall tasks, etc.
 # `matrix_playbook_traefik_role_enabled` controls if the Traefik role would even run at all.
 #
 # Sometimes, you're installing Traefik via a different (related playbook) which uses the same role.
 # In such cases, you'd like to disable the role in this playbook from bothering with Traefik at all (`matrix_playbook_traefik_role_enabled: false`).
 # If you used `devture_traefik_enabled: false` + `matrix_playbook_traefik_role_enabled: true` instead, you'd see the Treafik role here
 # try to delete Traefik data (`/devture-traefik`) installed by the other playbook.
 matrix_playbook_traefik_role_enabled: "{{ matrix_playbook_reverse_proxy_type != 'other-traefik-container' }}"
 # Controls whether to attach Traefik labels to services.
-# This is separate from `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`,
+# This is separate from `devture_traefik_enabled`, because you may wish to disable Traefik installation by the playbook,
-# because you may wish to disable Traefik installation by the playbook, yet still use Traefik
+# yet still use Traefik installed in another way.
 # installed in another way.
 matrix_playbook_traefik_labels_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_playbook_traefik_certs_dumper_role_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}"
 # Controls the additional network that reverse-proxyable services will be connected to.
 matrix_playbook_reverse_proxyable_services_additional_network: "{{ devture_traefik_container_network if devture_traefik_enabled else '' }}"
-matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if matrix_playbook_traefik_certs_dumper_role_enabled else matrix_ssl_retrieval_method }}"
+matrix_playbook_ssl_retrieval_method: "{{ 'lets-encrypt' if devture_traefik_certs_dumper_enabled else matrix_ssl_retrieval_method }}"
 matrix_playbook_ssl_enabled: "{{ matrix_playbook_ssl_retrieval_method in ['lets-encrypt', 'self-signed', 'manually-managed'] }}"
@ -306,7 +290,7 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-email2matrix.service', 'priority': 2000, 'groups': ['matrix', 'bridges', 'email2matrix']}] if matrix_email2matrix_enabled else [])
    +
-    ([{'name': 'matrix-etherpad.service', 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if matrix_etherpad_enabled else [])
+    ([{'name': (etherpad_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'etherpad']}] if etherpad_enabled else [])
    +
    ([{'name': (grafana_identifier + '.service'), 'priority': 4000, 'groups': ['matrix', 'monitoring', 'grafana']}] if grafana_enabled else [])
    +
@ -346,6 +330,8 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-registration.service', 'priority': 4000, 'groups': ['matrix', 'registration']}] if matrix_registration_enabled else [])
    +
    ([{'name': 'matrix-sliding-sync.service', 'priority': 4000, 'groups': ['matrix', 'sliding-sync']}] if matrix_sliding_sync_enabled else [])
    +
    ([{'name': 'matrix-sygnal.service', 'priority': 800, 'groups': ['matrix', 'sygnal']}] if matrix_sygnal_enabled else [])
    +
    ([{'name': 'matrix-goofys.service', 'priority': 800, 'groups': ['matrix', 'goofys']}] if matrix_s3_media_store_enabled else [])
@ -358,9 +344,11 @@ devture_systemd_service_manager_services_list_auto: |
    +
    ([{'name': 'matrix-user-verification-service.service', 'priority': 800, 'groups': ['matrix', 'matrix-user-verification-service']}] if matrix_user_verification_service_enabled else [])
    +
-    ([{'name': 'devture-traefik.service', 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
+    ([{'name': (devture_container_socket_proxy_identifier + '.service'), 'priority': 2900, 'groups': ['matrix', 'reverse-proxies', 'container-socket-proxy']}] if devture_container_socket_proxy_enabled else [])
    +
-    ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if matrix_playbook_traefik_certs_dumper_role_enabled else [])
+    ([{'name': (devture_traefik_identifier + '.service'), 'priority': 3000, 'groups': ['matrix', 'traefik', 'reverse-proxies']}] if devture_traefik_enabled else [])
    +
    ([{'name': (devture_traefik_certs_dumper_identifier + '.service'), 'priority': 3500, 'groups': ['matrix', 'traefik-certs-dumper']}] if devture_traefik_certs_dumper_enabled else [])
  }}
 ########################################################################
@ -435,6 +423,15 @@ matrix_homeserver_container_federation_url: |-
    }[matrix_homeserver_implementation]
  }}
 matrix_homeserver_container_network: |-
  {{
    matrix_nginx_proxy_container_network if matrix_nginx_proxy_enabled else {
      'synapse': matrix_synapse_container_network,
      'dendrite': matrix_dendrite_container_network,
      'conduit': matrix_conduit_container_network,
    }[matrix_homeserver_implementation]
  }}
 matrix_integration_manager_rest_url: "{{ matrix_dimension_integrations_rest_url if matrix_dimension_enabled else None }}"
 matrix_integration_manager_ui_url: "{{ matrix_dimension_integrations_ui_url if matrix_dimension_enabled else None }}"
@ -1698,12 +1695,15 @@ matrix_bot_buscarron_container_additional_networks: |
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_bot_buscarron_container_network != matrix_nginx_proxy_container_network else [])
      +
      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_buscarron_container_network else [])
    ) | unique
  }}
 matrix_bot_buscarron_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_bot_buscarron_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_bot_buscarron_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_bot_buscarron_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ######################################################################
 #
@ -1777,7 +1777,7 @@ matrix_bot_postmoogle_systemd_required_services_list: |
    +
    (['matrix-synapse.service'] if matrix_synapse_enabled else [])
    +
-    (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled else [])
+    (matrix_playbook_bot_postmoogle_traefik_certs_dumper_waiter_services | trim | split(' ') if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled else [])
  }}
 # Postgres is the default, except if not using internal Postgres server
@ -1819,17 +1819,41 @@ matrix_bot_chatgpt_container_image_self_build: "{{ matrix_architecture not in ['
 # We don't enable bots by default.
 matrix_bot_go_neb_enabled: false
 matrix_bot_go_neb_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 matrix_bot_go_neb_hostname: "{{ matrix_server_fqn_bot_go_neb }}"
 matrix_bot_go_neb_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-bot-go-neb' }}"
 matrix_bot_go_neb_container_additional_networks: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_bot_go_neb_container_network else [])
      +
      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_bot_go_neb_container_network else [])
    ) | unique
  }}
 matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_bot_go_neb_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_bot_go_neb_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_bot_go_neb_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_bot_go_neb_systemd_required_services_list: |
  {{
    ['docker.service']
    +
    ['matrix-' + matrix_homeserver_implementation + '.service']
    +
    ([devture_postgres_identifier + '.service'] if devture_postgres_enabled else [])
    +
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}
 matrix_bot_go_neb_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '4050') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 ######################################################################
 #
 # /matrix-bot-go-neb
@ -2040,6 +2064,7 @@ matrix_rageshake_container_http_host_bind_port: "{{ (matrix_playbook_service_hos
 matrix_rageshake_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_rageshake_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_rageshake_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ######################################################################
 #
@ -2118,7 +2143,7 @@ matrix_coturn_container_additional_volumes: |
         'dst': '/privatekey.key',
         'options': 'ro',
       },
-      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else []
+      ] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else []
    )
  }}
@ -2126,7 +2151,7 @@ matrix_coturn_systemd_required_services_list: |
  {{
    ['docker.service']
    +
-    ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and matrix_playbook_traefik_certs_dumper_role_enabled and matrix_coturn_tls_enabled else [])
+    ([devture_traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and devture_traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
  }}
 ######################################################################
@ -2145,12 +2170,33 @@ matrix_dimension_enabled: false
 matrix_dimension_container_image_self_build: "{{ matrix_architecture != 'amd64' }}"
-# Normally, matrix-nginx-proxy is enabled and nginx can reach Dimension over the container network.
+matrix_dimension_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
-# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
+
-# the Dimension HTTP port to the local host.
+matrix_dimension_hostname: "{{ matrix_server_fqn_dimension }}"
 matrix_dimension_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else 'matrix-dimension' }}"
 matrix_dimension_container_additional_networks: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([matrix_homeserver_container_network] if matrix_homeserver_container_network != matrix_dimension_container_network else [])
      +
      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_dimension_container_network else [])
    ) | unique
  }}
 matrix_dimension_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '8184') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 matrix_dimension_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_dimension_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_dimension_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_dimension_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_dimension_homeserver_clientServerUrl: "{{ matrix_homeserver_container_url }}"
 matrix_dimension_homeserver_federationUrl: "{{ matrix_homeserver_container_federation_url }}"
 matrix_dimension_homeserver_mediaUrl: "https://{{ matrix_server_fqn_matrix }}"
 matrix_dimension_systemd_required_services_list: |
  {{
@ -2176,29 +2222,57 @@ matrix_dimension_database_password: "{{ '%s' | format(matrix_homeserver_generic_
 ######################################################################
 #
-# matrix-etherpad
+# etke/etherpad
 #
 ######################################################################
-matrix_etherpad_enabled: false
+etherpad_enabled: false
-matrix_etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+etherpad_identifier: matrix-etherpad
-matrix_etherpad_base_url: "{{ 'https://' + matrix_server_fqn_dimension + matrix_etherpad_public_endpoint if matrix_etherpad_mode == 'dimension' else 'https://' + matrix_server_fqn_etherpad + '/' }}"
+etherpad_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
-matrix_etherpad_systemd_required_services_list: |
+etherpad_base_path: "{{ matrix_base_data_path }}/etherpad"
 etherpad_framing_enabled: "{{ matrix_dimension_enabled or matrix_jitsi_enabled }}"
 etherpad_hostname: "{{ matrix_server_fqn_etherpad }}"
 etherpad_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
 etherpad_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '9001') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
 etherpad_container_network: "{{ matrix_nginx_proxy_container_network if matrix_playbook_reverse_proxy_type == 'playbook-managed-nginx' else etherpad_identifier }}"
 etherpad_container_additional_networks: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != etherpad_container_network else [])
    ) | unique
  }}
 etherpad_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 etherpad_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 etherpad_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 etherpad_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 etherpad_systemd_required_services_list: |
  {{
    ['docker.service']
    +
    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
  }}
-matrix_etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
+etherpad_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
-matrix_etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}"
+etherpad_database_name: matrix_etherpad
 etherpad_database_username: matrix_etherpad
 etherpad_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'etherpad.db', rounds=655555) | to_uuid }}"
 ######################################################################
 #
-# /matrix-etherpad
+# /etke/etherpad
 #
 ######################################################################
@ -2266,9 +2340,9 @@ matrix_jitsi_web_stun_servers: |
 # If the self-hosted Etherpad instance is available, it will also show up in Jitsi conferences,
 # unless explicitly disabled by setting `matrix_jitsi_etherpad_enabled` to false.
 # Falls back to the scalar.vector.im etherpad in case someone sets `matrix_jitsi_etherpad_enabled` to true,
-# while also setting `matrix_etherpad_enabled` to false.
+# while also setting `etherpad_enabled` to false.
-matrix_jitsi_etherpad_enabled: "{{ matrix_etherpad_enabled }}"
+matrix_jitsi_etherpad_enabled: "{{ etherpad_enabled }}"
-matrix_jitsi_etherpad_base: "{{ matrix_etherpad_base_url if matrix_etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
+matrix_jitsi_etherpad_base: "{{ etherpad_base_url if etherpad_enabled else 'https://scalar.vector.im/etherpad' }}"
 # Allow verification using JWT and matrix-UVS
 matrix_jitsi_prosody_auth_matrix_uvs_auth_token: "{{ matrix_user_verification_service_uvs_auth_token }}"
@ -2434,10 +2508,10 @@ matrix_nginx_proxy_proxy_element_enabled: "{{ matrix_client_element_enabled and
 matrix_nginx_proxy_proxy_hydrogen_enabled: "{{ matrix_client_hydrogen_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_cinny_enabled: "{{ matrix_client_cinny_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_buscarron_enabled: "{{ matrix_bot_buscarron_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
+matrix_nginx_proxy_proxy_dimension_enabled: "{{ matrix_dimension_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_rageshake_enabled: "{{ matrix_rageshake_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
+matrix_nginx_proxy_proxy_etherpad_enabled: "{{ etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
-matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
+matrix_nginx_proxy_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled and matrix_playbook_reverse_proxy_type in ['playbook-managed-nginx', 'other-nginx-non-container'] }}"
 matrix_nginx_proxy_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_jitsi_manage_wellknown: "{{ matrix_jitsi_require_well_known }}"
@ -2449,11 +2523,9 @@ matrix_nginx_proxy_proxy_ntfy_enabled: "{{ ntfy_enabled and matrix_playbook_reve
 matrix_nginx_proxy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_nginx_proxy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_nginx_proxy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_matrix_enabled: true
 matrix_nginx_proxy_container_labels_traefik_proxy_dimension_enabled: "{{ matrix_dimension_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_etherpad_enabled: "{{ matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone' }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_bot_go_neb_enabled: "{{ matrix_bot_go_neb_enabled }}"
 matrix_nginx_proxy_container_labels_traefik_proxy_jitsi_enabled: "{{ matrix_jitsi_enabled }}"
 matrix_nginx_proxy_proxy_matrix_corporal_api_enabled: "{{ matrix_corporal_enabled and matrix_corporal_http_api_enabled }}"
@ -2542,9 +2614,11 @@ matrix_nginx_proxy_systemd_wanted_services_list: |
    +
    (['matrix-jitsi.service'] if matrix_jitsi_enabled else [])
    +
    (['matrix-sliding-sync-proxy.service'] if matrix_sliding_sync_enabled else [])
    +
    (['matrix-bot-go-neb.service'] if matrix_bot_go_neb_enabled else [])
    +
-    (['matrix-etherpad.service'] if matrix_etherpad_enabled else [])
+    ([etherpad_identifier + '.service'] if etherpad_enabled else [])
    +
    (['matrix-hookshot.service'] if matrix_hookshot_enabled else [])
  }}
@ -2565,7 +2639,7 @@ matrix_ssl_domains_to_obtain_certificates_for: |
    +
    ([matrix_server_fqn_dimension] if matrix_dimension_enabled else [])
    +
-    ([matrix_server_fqn_etherpad] if (matrix_etherpad_enabled and matrix_etherpad_mode == 'standalone') else [])
+    ([matrix_server_fqn_etherpad] if (etherpad_enabled and not etherpad_nginx_proxy_dimension_integration_enabled) else [])
    +
    ([matrix_server_fqn_bot_go_neb] if matrix_bot_go_neb_enabled else [])
    +
@ -2675,6 +2749,12 @@ devture_postgres_managed_databases_auto: |
      'password': matrix_dendrite_database_password,
    }] if (matrix_dendrite_enabled and matrix_dendrite_database_hostname == devture_postgres_connection_hostname) else [])
    +
    ([{
      'name': matrix_sliding_sync_database_name,
      'username': matrix_sliding_sync_database_username,
      'password': matrix_sliding_sync_database_password,
    }] if (matrix_sliding_sync_enabled) else [])
    +
    ([{
      'name': matrix_ma1sd_database_name,
      'username': matrix_ma1sd_database_username,
@ -2856,10 +2936,10 @@ devture_postgres_managed_databases_auto: |
    }] if (matrix_dimension_enabled and matrix_dimension_database_engine == 'postgres' and matrix_dimension_database_hostname == devture_postgres_connection_hostname) else [])
    +
    ([{
-      'name': matrix_etherpad_database_name,
+      'name': etherpad_database_name,
-      'username': matrix_etherpad_database_username,
+      'username': etherpad_database_username,
-      'password': matrix_etherpad_database_password,
+      'password': etherpad_database_password,
-    }] if (matrix_etherpad_enabled and matrix_etherpad_database_engine == 'postgres' and matrix_etherpad_database_hostname == devture_postgres_connection_hostname) else [])
+    }] if (etherpad_enabled and etherpad_database_engine == 'postgres' and etherpad_database_hostname == devture_postgres_connection_hostname) else [])
    +
    ([{
      'name': prometheus_postgres_exporter_database_name,
@ -2941,6 +3021,7 @@ matrix_sygnal_container_http_host_bind_port: "{{ (matrix_playbook_service_host_b
 matrix_sygnal_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 matrix_sygnal_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_sygnal_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_sygnal_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ######################################################################
 #
@ -2974,6 +3055,7 @@ ntfy_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_inter
 ntfy_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 ntfy_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 ntfy_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 ntfy_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ntfy_visitor_request_limit_exempt_hosts_hostnames_auto: |
  {{
@ -3031,6 +3113,7 @@ matrix_client_element_container_additional_networks: "{{ [matrix_playbook_revers
 matrix_client_element_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_element_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_element_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_client_element_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_client_element_default_hs_url: "{{ matrix_homeserver_url }}"
 matrix_client_element_default_is_url: "{{ matrix_identity_server_url }}"
@ -3084,6 +3167,7 @@ matrix_client_hydrogen_container_additional_networks: "{{ [matrix_playbook_rever
 matrix_client_hydrogen_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_hydrogen_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_hydrogen_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_client_hydrogen_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_client_hydrogen_default_hs_url: "{{ matrix_homeserver_url }}"
@ -3117,6 +3201,7 @@ matrix_client_cinny_container_additional_networks: "{{ [matrix_playbook_reverse_
 matrix_client_cinny_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_client_cinny_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_client_cinny_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_client_cinny_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_client_cinny_default_hs_url: "{{ matrix_homeserver_url }}"
@ -3296,6 +3381,7 @@ matrix_synapse_admin_container_additional_networks: "{{ [matrix_playbook_reverse
 matrix_synapse_admin_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_synapse_admin_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_synapse_admin_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_synapse_admin_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ######################################################################
 #
@ -3327,6 +3413,7 @@ prometheus_node_exporter_container_additional_networks: "{{ [matrix_playbook_rev
 prometheus_node_exporter_container_labels_traefik_enabled: false
 prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 ######################################################################
 #
@ -3358,6 +3445,7 @@ prometheus_postgres_exporter_container_additional_networks: "{{ [matrix_playbook
 prometheus_postgres_exporter_container_labels_traefik_enabled: false
 prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 prometheus_postgres_exporter_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 prometheus_postgres_exporter_database_username: matrix_prometheus_postgres_exporter
@ -3461,6 +3549,7 @@ grafana_container_additional_networks: |
 grafana_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
 grafana_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 grafana_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 grafana_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 # Normally, matrix-nginx-proxy is enabled and nginx can reach Grafana over the container network.
 # If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
@ -3560,6 +3649,63 @@ matrix_registration_database_password: "{{ '%s' | format(matrix_homeserver_gener
 ######################################################################
 ######################################################################
 #
 # matrix-sliding-sync
 #
 ######################################################################
 # We don't enable the sliding sync proxy by default.
 matrix_sliding_sync_enabled: false
 matrix_sliding_sync_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"
 matrix_sliding_sync_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_sliding_sync_path_prefix: /sliding-sync
 matrix_sliding_sync_container_image_self_build: "{{ matrix_architecture not in ['amd64'] }}"
 matrix_sliding_sync_container_additional_networks: |
  {{
    (
      ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [])
      +
      ([matrix_nginx_proxy_container_network] if matrix_nginx_proxy_enabled and matrix_nginx_proxy_container_network != matrix_sliding_sync_container_network else [])
      +
      ([devture_postgres_container_network] if devture_postgres_enabled and devture_postgres_container_network != matrix_sliding_sync_container_network else [])
    ) | unique
  }}
 matrix_sliding_sync_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
 matrix_sliding_sync_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
 matrix_sliding_sync_container_labels_traefik_entrypoints: "{{ devture_traefik_entrypoint_primary }}"
 matrix_sliding_sync_container_labels_traefik_tls_certResolver: "{{ devture_traefik_certResolver_primary }}"
 matrix_sliding_sync_systemd_required_services_list: |
  {{
    ['docker.service']
    +
    ['matrix-' + matrix_homeserver_implementation + '.service']
    +
    ([devture_postgres_identifier ~ '.service'] if devture_postgres_enabled else [])
    +
    (['matrix-nginx-proxy.service'] if matrix_nginx_proxy_enabled else [])
  }}
 matrix_sliding_sync_environment_variable_syncv3_secret: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.secret', rounds=655555) | to_uuid }}"
 matrix_sliding_sync_database_hostname: "{{ devture_postgres_connection_hostname if devture_postgres_enabled else '' }}"
 matrix_sliding_sync_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'ss.db', rounds=655555) | to_uuid }}"
 ######################################################################
 #
 # /matrix-sliding-sync
 #
 ######################################################################
 ######################################################################
 #
 # matrix-dendrite
@ -3730,16 +3876,43 @@ matrix_user_verification_service_uvs_auth_token: "{{ '%s' | format(matrix_homese
 ######################################################################
 ########################################################################
 #                                                                      #
 # com.devture.ansible.role.container_socket_proxy                      #
 #                                                                      #
 ########################################################################
 devture_container_socket_proxy_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
 devture_container_socket_proxy_identifier: matrix-container-socket-proxy
 devture_container_socket_proxy_base_path: "{{ matrix_base_data_path }}/container-socket-proxy"
 devture_container_socket_proxy_uid: "{{ matrix_user_uid }}"
 devture_container_socket_proxy_gid: "{{ matrix_user_gid }}"
 # Traefik requires read access to the containers APIs to do its job
 devture_container_socket_proxy_api_containers_enabled: true
 ########################################################################
 #                                                                      #
 # /com.devture.ansible.role.container_socket_proxy                     #
 #                                                                      #
 ########################################################################
 ########################################################################
 #                                                                      #
 # com.devture.ansible.role.traefik                                     #
 #                                                                      #
 ########################################################################
 # To completely disable the Traefik role from running, use `matrix_playbook_traefik_role_enabled: false`.
 # See the comment there for more details about why we have both `devture_traefik_enabled` and `matrix_playbook_traefik_role_enabled`.
 devture_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' }}"
 devture_traefik_identifier: matrix-traefik
 devture_traefik_base_path: "{{ matrix_base_data_path }}/traefik"
 devture_traefik_uid: "{{ matrix_user_uid }}"
 devture_traefik_gid: "{{ matrix_user_gid }}"
@ -3751,6 +3924,20 @@ devture_traefik_additional_entrypoints_auto:
 devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_additional_domains_to_obtain_certificates_for }}"
 devture_traefik_config_providers_docker_endpoint: "{{ devture_container_socket_proxy_endpoint if devture_container_socket_proxy_enabled else 'unix:///var/run/docker.sock' }}"
 devture_traefik_container_additional_networks: |
  {{
    ([devture_container_socket_proxy_container_network] if devture_container_socket_proxy_enabled else [])
  }}
 devture_traefik_systemd_required_services_list: |
  {{
    (['docker.service'])
    +
    ([devture_container_socket_proxy_identifier + '.service'] if devture_container_socket_proxy_enabled else [])
  }}
 ########################################################################
 #                                                                      #
 # /com.devture.ansible.role.traefik                                    #
@ -3764,9 +3951,7 @@ devture_traefik_additional_domains_to_obtain_certificates_for: "{{ matrix_ssl_ad
 #                                                                      #
 ########################################################################
-# To completely disable the Traefik certs dumper role from running, use `matrix_playbook_traefik_certs_dumper_role_enabled: false`.
+devture_traefik_certs_dumper_enabled: "{{ (matrix_playbook_reverse_proxy_type == 'playbook-managed-traefik' and devture_traefik_config_entrypoint_web_secure_enabled and devture_traefik_config_certificatesResolvers_acme_enabled) or matrix_playbook_reverse_proxy_type == 'other-traefik-container' }}"
 # See the comment there for more details about why we have both `devture_traefik_certs_dumper_enabled` and `matrix_playbook_traefik_certs_dumper_role_enabled`.
 devture_traefik_certs_dumper_enabled: "{{ matrix_playbook_traefik_certs_dumper_role_enabled }}"
 devture_traefik_certs_dumper_identifier: matrix-traefik-certs-dumper
--- a/playbooks/matrix.yml
+++ b/playbooks/matrix.yml
@ -103,7 +103,9 @@
    - custom/matrix-ldap-registration-proxy
    - custom/matrix-ma1sd
    - custom/matrix-dimension
-    - custom/matrix-etherpad
+    - galaxy/etherpad
    - custom/etherpad-proxy-connect
    - custom/matrix-sliding-sync
    - custom/matrix-email2matrix
    - custom/matrix-sygnal
    - galaxy/ntfy
@ -118,11 +120,11 @@
    - custom/matrix-user-creator
    - custom/matrix-common-after
-    - when: matrix_playbook_traefik_role_enabled | bool
+    - role: galaxy/com.devture.ansible.role.container_socket_proxy
      role: galaxy/com.devture.ansible.role.traefik
-    - when: matrix_playbook_traefik_certs_dumper_role_enabled | bool
+    - role: galaxy/com.devture.ansible.role.traefik
-      role: galaxy/com.devture.ansible.role.traefik_certs_dumper
+
    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper
    - when: devture_systemd_service_manager_enabled | bool
      role: galaxy/com.devture.ansible.role.systemd_service_manager
--- a/requirements.yml
+++ b/requirements.yml
@ -4,7 +4,7 @@
  version: 6.1.0
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
-  version: 54d6d1831f063e4a99b66c722f49053d59f8ee60
+  version: 129c8590e106b83e6f4c259649a613c6279e937a
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
  version: c1f40e82b4d6b072b6f0e885239322bdaaaf554f
@ -22,7 +22,7 @@
  version: a1bb78d194434b38005f3a9e623bfa4b2c06c7bc
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
-  version: 77b1f9ae1aafa31c9078178c1036bf744c99d08b
+  version: 8e9ec48a09284c84704d7a2dce17da35f181574d
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
  version: 6ccb88ac5fc27e1e70afcd48278ade4b564a9096
@ -37,19 +37,25 @@
  version: v0.11.1-2
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.3-1.7.7-1
+  version: v1.2.3-1.7.8-0
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v9.3.6-2
+  version: v9.4.3-0
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
-  version: v2.1.0-0
+  version: v2.1.2-0
 - src: git+https://gitlab.com/etke.cc/roles/redis.git
-  version: v7.0.7-0
+  version: v7.0.9-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
  version: v1.8.18-2
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
  version: v0.1.1-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik.git
-  version: 5e3248cd4d17db9ff3ba90904e7330150dab599e
+  version: v2.9.8-1
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
-  version: e7563caa814e634d2f8deec4a41e970caa1c0ae4
+  version: v2.8.1-0
--- a/roles/custom/etherpad-proxy-connect/defaults/main.yml
+++ b/roles/custom/etherpad-proxy-connect/defaults/main.yml
@ -0,0 +1,11 @@
 ---
 # etherpad-proxy-connect is a compatibility role connecting the new Etherpad role with matrix-nginx-proxy.
 # It adds back support for serving Etherpad under the Dimension domain (`matrix_server_fqn_dimension`).
 # Controls whether Etherpad will be hosted under the Dimension domain when matrix-nginx-proxy is used (depending on matrix_playbook_reverse_proxy_type).
 # If you're not using matrix-nginx-proxy, then this value has no effect.
 etherpad_nginx_proxy_dimension_integration_enabled: false
 # Controls the path at which Etherpad will be exposed on the Dimension domain.
 etherpad_nginx_proxy_dimension_integration_path_prefix: "{{ etherpad_path_prefix }}"
--- a/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml
+++ b/roles/custom/etherpad-proxy-connect/tasks/inject_into_nginx_proxy.yml
@ -11,14 +11,14 @@
 - name: Generate Etherpad proxying configuration for matrix-nginx-proxy
  ansible.builtin.set_fact:
-    matrix_etherpad_matrix_nginx_proxy_configuration: |
+    etherpad_matrix_nginx_proxy_configuration: |
-      rewrite ^{{ matrix_etherpad_public_endpoint }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ matrix_etherpad_public_endpoint }}/ permanent;
+      rewrite ^{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}$ {{ matrix_nginx_proxy_x_forwarded_proto_value }}://$server_name{{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ permanent;
-      location {{ matrix_etherpad_public_endpoint }}/ {
+      location {{ etherpad_nginx_proxy_dimension_integration_path_prefix }}/ {
      {% if matrix_nginx_proxy_enabled | default(False) %}
        {# Use the embedded DNS resolver in Docker containers to discover the service #}
        resolver 127.0.0.11 valid=5s;
-        proxy_pass http://matrix-etherpad:9001/;
+        proxy_pass http://{{ etherpad_identifier }}:9001/;
        {# These are proxy directives needed specifically by Etherpad #}
        proxy_buffering off;
        proxy_http_version 1.1;  # recommended with keepalive connections
@ -42,5 +42,5 @@
      {{
        matrix_nginx_proxy_proxy_dimension_additional_server_configuration_blocks | default([])
        +
-        [matrix_etherpad_matrix_nginx_proxy_configuration]
+        [etherpad_matrix_nginx_proxy_configuration]
      }}
--- a/roles/custom/etherpad-proxy-connect/tasks/main.yml
+++ b/roles/custom/etherpad-proxy-connect/tasks/main.yml
@ -0,0 +1,12 @@
 ---
 - when: etherpad_enabled | bool and etherpad_nginx_proxy_dimension_integration_enabled | bool
  tags:
    - install-all
    - setup-all
    - install-nginx-proxy
    - setup-nginx-proxy
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
--- a/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml
+++ b/roles/custom/etherpad-proxy-connect/tasks/validate_config.yml
@ -0,0 +1,32 @@
 ---
 - name: Fail if reverse-proxy is not nginx
  when: matrix_playbook_reverse_proxy_type not in ['playbook-managed-nginx', 'other-nginx-non-container']
  ansible.builtin.fail:
    msg: >
      Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using matrix-nginx-proxy.
      `matrix_playbook_reverse_proxy_type` ({{ matrix_playbook_reverse_proxy_type }}) indicates that you're using another reverse-proxy.
      If you're using Traefik, you should configure `etherpad_hostname` and `etherpad_path_prefix` instead.
 - name: Fail if Dimension not enabled
  when: not matrix_dimension_enabled
  ansible.builtin.fail:
    msg: >
      Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using Dimension.
      Looks like Dimension is not enabled in your configuration (judging by `matrix_dimension_enabled`).
      Consider configuring `etherpad_hostname` and `etherpad_path_prefix` instead.
 - name: Fail if Etherpad hostname does not match Dimension hostname
  when: etherpad_hostname != matrix_server_fqn_dimension
  ansible.builtin.fail:
    msg: >
      Etherpad's integration into matrix-nginx-proxy's Dimension server requires that you set `etherpad_hostname` to `matrix_server_fqn_dimension`.
      Consider adding this to your configuration: `{% raw %}etherpad_hostname: "{{ matrix_server_fqn_dimension }}"{% endraw %}`
 - name: Fail if / path prefix used for Etherpad
  when: etherpad_nginx_proxy_dimension_integration_path_prefix == '/'
  ansible.builtin.fail:
    msg: >
      Etherpad's integration into matrix-nginx-proxy's Dimension server only makes sense if you're using a non-`/` path for Etherpad.
      You've chosen a path prefix of `/` in `etherpad_nginx_proxy_dimension_integration_path_prefix`.
      The `/` path must go to Dimension itself, so you need to pick a different prefix (e.g. `/etherpad`).
--- a/roles/custom/matrix-aux/tasks/main.yml
+++ b/roles/custom/matrix-aux/tasks/main.yml
@ -1,9 +1,9 @@
 ---
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
  tags:
    - setup-all
    - setup-aux-files
    - install-all
    - install-aux-files
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"
--- a/roles/custom/matrix-base/defaults/main.yml
+++ b/roles/custom/matrix-base/defaults/main.yml
@ -72,7 +72,7 @@ matrix_server_fqn_buscarron: "buscarron.{{ matrix_domain }}"
 # This is where you access the Dimension.
 matrix_server_fqn_dimension: "dimension.{{ matrix_domain }}"
-# This is where you access the etherpad (if enabled via matrix_etherpad_enabled; disabled by default).
+# This is where you access the etherpad (if enabled via etherpad_enabled; disabled by default).
 matrix_server_fqn_etherpad: "etherpad.{{ matrix_domain }}"
 # For use with Go-NEB! (github callback url for example)
@ -284,7 +284,7 @@ matrix_homeserver_app_service_config_files_auto: []
 # Valid options and a description of their behavior:
 #
 # - `playbook-managed-traefik`
-#     - the playbook will install devture-traefik
+#     - the playbook will run a managed Traefik instance (matrix-traefik)
 #     - Traefik will do SSL termination, unless you disable it (e.g. `devture_traefik_config_entrypoint_web_secure_enabled: false`)
 #     - if SSL termination is enabled (as it is by default), you need to populate: `devture_traefik_config_certificatesResolvers_acme_email`
 #     - it will also install matrix-nginx-proxy in local-only mode, while we migrate the rest of the services to a Traefik-native mode of working
--- a/roles/custom/matrix-base/tasks/main.yml
+++ b/roles/custom/matrix-base/tasks/main.yml
@ -1,30 +1,28 @@
 ---
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
  tags:
    - setup-all
    - install-all
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
 # This needs to always run, because it populates `matrix_user_uid` and `matrix_user_gid`,
 # which are required by many other roles.
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
  tags:
    - always
    - setup-system-user
    - common
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_user.yml"
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
  tags:
    - setup-all
    - install-all
    - common
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_matrix_base.yml"
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml"
  tags:
    - setup-all
    - setup-ma1sd
    - setup-synapse
@ -37,3 +35,5 @@
    - install-dendrite
    - install-conduit
    - install-nginx-proxy
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_well_known.yml"
--- a/roles/custom/matrix-base/templates/bin/remove-all.j2
+++ b/roles/custom/matrix-base/templates/bin/remove-all.j2
@ -25,8 +25,12 @@ else
 	echo "Remove unused Docker images and resources"
 	docker system prune -af
 	echo "Remove Docker matrix network (should be gone already, but ..)"
 	docker network rm {{ matrix_docker_network }}
 	echo "This playbook creates a lot of matrix-* networks. Consider removing them manually ('docker network ls', followed by 'docker network rm NETWORK_NAME')"
 	echo "Remove {{ matrix_base_data_path }} directory"
 	rm -fr "{{ matrix_base_data_path }}"
 	exit 0
--- a/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2
+++ b/roles/custom/matrix-base/templates/static-files/well-known/matrix-client.j2
@ -26,6 +26,11 @@
 		"preferredDomain": {{ matrix_client_element_jitsi_preferredDomain|to_json }}
 	}
 	{% endif %}
 	{% if matrix_sliding_sync_enabled %},
 	"org.matrix.msc3575.proxy": {
 		"url": "{{ matrix_sliding_sync_base_url }}"
 	}
 	{% endif %}
 	{% if matrix_client_element_location_sharing_enabled %},
 	"m.tile_server": {
        "map_style_url": "https://{{ matrix_server_fqn_element }}/map_style.json"
--- a/roles/custom/matrix-bot-buscarron/tasks/main.yml
+++ b/roles/custom/matrix-bot-buscarron/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-buscarron
    - install-all
    - install-bot-buscarron
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
      when: "run_setup | bool and matrix_bot_buscarron_enabled | bool"
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
      when: "run_setup | bool and matrix_bot_buscarron_enabled | bool"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-buscarron
-    - install-all
+  block:
    - install-bot-buscarron
 - block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
      when: "run_setup | bool and not matrix_bot_buscarron_enabled | bool"
  tags:
    - setup-all
    - setup-bot-buscarron
--- a/roles/custom/matrix-bot-chatgpt/tasks/main.yml
+++ b/roles/custom/matrix-bot-chatgpt/tasks/main.yml
@ -1,20 +1,21 @@
 ---
- block:
+-
    - when: matrix_bot_chatgpt_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_chatgpt_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
  tags:
    - setup-all
    - setup-bot-chatgpt
    - install-all
    - install-bot-chatgpt
  block:
    - when: matrix_bot_chatgpt_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
- block:
+    - when: matrix_bot_chatgpt_enabled | bool
-    - when: not matrix_bot_chatgpt_enabled | bool
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+
-  tags:
+- tags:
    - setup-all
    - setup-bot-chatgpt
  block:
    - when: not matrix_bot_chatgpt_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bot-draupnir/tasks/main.yml
+++ b/roles/custom/matrix-bot-draupnir/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-draupnir
    - install-all
    - install-bot-draupnir
  block:
    - when: matrix_bot_draupnir_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_draupnir_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-draupnir
-    - install-all
+  block:
    - install-bot-draupnir
 - block:
    - when: not matrix_bot_draupnir_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-bot-draupnir
--- a/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
+++ b/roles/custom/matrix-bot-draupnir/templates/production.yaml.j2
@ -36,7 +36,7 @@ autojoinOnlyIfManager: true
 # If `autojoinOnlyIfManager` is false, only the members in this space can invite
 # the bot to new rooms.
-acceptInvitesFromSpace: "!example:example.org"
+#acceptInvitesFromSpace: "!example:example.org"
 # Whether Draupnir should report ignored invites to the management room (if autojoinOnlyIfManager is true).
 recordIgnoredInvites: false
@ -49,11 +49,11 @@ recordIgnoredInvites: false
 #
 # Note: By default, Draupnir is fairly verbose - expect a lot of messages in this room.
 # (see verboseLogging to adjust this a bit.)
-managementRoom: "#moderators:example.org"
+managementRoom: "{{ matrix_bot_draupnir_management_room }}"
 # Whether Draupnir should log a lot more messages in the room,
 # mainly involves "all-OK" messages, and debugging messages for when Draupnir checks bans in a room.
-verboseLogging: true
+verboseLogging: false
 # The log level of terminal (or container) output,
 # can be one of DEBUG, INFO, WARN and ERROR, in increasing order of importance and severity.
@ -130,7 +130,7 @@ admin:
  # (with enough permissions) to "make" a user an admin.
  #
  # This only works if a local user with enough admin permissions is present in the room.
-  enableMakeRoomAdminCommand: true
+  enableMakeRoomAdminCommand: false
 # Misc options for command handling and commands
 commands:
@ -146,6 +146,7 @@ commands:
  # Any additional bot prefixes that Draupnir will listen to. i.e. adding `mod` will allow `!mod help`.
  additionalPrefixes:
    - "draupnir-bot"
    - "draupnir_bot"
    - "draupnir"
  # Whether or not commands with a wildcard (*) will require an additional `--force` argument
--- a/roles/custom/matrix-bot-go-neb/defaults/main.yml
+++ b/roles/custom/matrix-bot-go-neb/defaults/main.yml
@ -1,11 +1,22 @@
 ---
 # Go-NEB is a Matrix bot written in Go. It is the successor to Matrix-NEB, the original Matrix bot written in Python.
 # Project source code URL: https://github.com/matrix-org/go-neb
 matrix_bot_go_neb_enabled: true
 matrix_bot_go_neb_version: latest
-matrix_bot_go_neb_docker_image: "matrixdotorg/go-neb:{{ matrix_bot_go_neb_version }}"
+
-matrix_bot_go_neb_docker_image_force_pull: "{{ matrix_bot_go_neb_docker_image.endswith(':latest') }}"
+matrix_bot_go_neb_scheme: https
 # The hostname at which Go-NEB is served.
 matrix_bot_go_neb_hostname: ''
 # The path at which Go-NEB is exposed.
 # This value must either be `/` or not end with a slash (e.g. `/go-neb`).
 matrix_bot_go_neb_path_prefix: /
 matrix_bot_go_neb_base_url: "{{ matrix_bot_go_neb_scheme }}://{{ matrix_bot_go_neb_hostname }}{{ matrix_bot_go_neb_path_prefix }}{{ '' if matrix_bot_go_neb_path_prefix == '/' else '/' }}"
 matrix_bot_go_neb_base_path: "{{ matrix_base_data_path }}/go-neb"
 matrix_bot_go_neb_config_path: "{{ matrix_bot_go_neb_base_path }}/config"
@ -13,11 +24,63 @@ matrix_bot_go_neb_config_path_in_container: "/config/config.yaml"
 matrix_bot_go_neb_data_path: "{{ matrix_bot_go_neb_base_path }}/data"
 matrix_bot_go_neb_data_store_path: "{{ matrix_bot_go_neb_data_path }}/store"
 matrix_bot_go_neb_container_image: "{{ matrix_bot_go_neb_container_image_registry_prefix }}matrixdotorg/go-neb:{{ matrix_bot_go_neb_container_image_tag }}"
 matrix_bot_go_neb_container_image_tag: "{{ matrix_bot_go_neb_version }}"
 matrix_bot_go_neb_container_image_force_pull: "{{ matrix_bot_go_neb_container_image.endswith(':latest') }}"
 matrix_bot_go_neb_container_image_registry_prefix: docker.io/
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_bot_go_neb_container_network: matrix-bot-go-neb
 # A list of additional container networks that the container would be connected to.
 # The role does not create these networks, so make sure they already exist.
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_bot_go_neb_container_additional_networks: []
 # Controls whether the matrix-bot-go-neb container exposes its HTTP port (tcp/4050 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:4050"), or empty string to not expose.
 matrix_bot_go_neb_container_http_host_bind_port: ''
 # matrix_bot_go_neb_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
 # See `../templates/labels.j2` for details.
 #
 # To inject your own other container labels, see `matrix_bot_go_neb_container_labels_additional_labels`.
 matrix_bot_go_neb_container_labels_traefik_enabled: true
 matrix_bot_go_neb_container_labels_traefik_docker_network: "{{ matrix_bot_go_neb_container_network }}"
 matrix_bot_go_neb_container_labels_traefik_hostname: "{{ matrix_bot_go_neb_hostname }}"
 # The path prefix must either be `/` or not end with a slash (e.g. `/go-neb`).
 matrix_bot_go_neb_container_labels_traefik_path_prefix: "{{ matrix_bot_go_neb_path_prefix }}"
 matrix_bot_go_neb_container_labels_traefik_rule: "Host(`{{ matrix_bot_go_neb_container_labels_traefik_hostname }}`){% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}`){% endif %}"
 matrix_bot_go_neb_container_labels_traefik_priority: 0
 matrix_bot_go_neb_container_labels_traefik_entrypoints: web-secure
 matrix_bot_go_neb_container_labels_traefik_tls: "{{ matrix_bot_go_neb_container_labels_traefik_entrypoints != 'web' }}"
 matrix_bot_go_neb_container_labels_traefik_tls_certResolver: default  # noqa var-naming
 # Controls which additional headers to attach to all HTTP responses.
 # To add your own headers, use `matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom`
 matrix_bot_go_neb_container_labels_traefik_additional_response_headers: "{{ matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto | combine(matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom) }}"
 matrix_bot_go_neb_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine ({'X-XSS-Protection': matrix_bot_go_neb_http_header_xss_protection} if matrix_bot_go_neb_http_header_xss_protection else {})
    | combine ({'X-Frame-Options': matrix_bot_go_neb_http_header_frame_options} if matrix_bot_go_neb_http_header_frame_options else {})
    | combine ({'X-Content-Type-Options': matrix_bot_go_neb_http_header_content_type_options} if matrix_bot_go_neb_http_header_content_type_options else {})
    | combine ({'Content-Security-Policy': matrix_bot_go_neb_http_header_content_security_policy} if matrix_bot_go_neb_http_header_content_security_policy else {})
    | combine ({'Permission-Policy': matrix_bot_go_neb_http_header_content_permission_policy} if matrix_bot_go_neb_http_header_content_permission_policy else {})
    | combine ({'Strict-Transport-Security': matrix_bot_go_neb_http_header_strict_transport_security} if matrix_bot_go_neb_http_header_strict_transport_security and matrix_bot_go_neb_container_labels_traefik_tls else {})
  }}
 matrix_bot_go_neb_container_labels_traefik_additional_response_headers_custom: {}
 # matrix_bot_go_neb_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
 # See `../templates/labels.j2` for details.
 #
 # Example:
 # matrix_bot_go_neb_container_labels_additional_labels: |
 #   my.label=1
 #   another.label="here"
 matrix_bot_go_neb_container_labels_additional_labels: ''
 # A list of extra arguments to pass to the container
 matrix_bot_go_neb_container_extra_arguments: []
@ -27,6 +90,57 @@ matrix_bot_go_neb_systemd_required_services_list: ['docker.service']
 # List of systemd services that matrix-bot-go-neb.service wants
 matrix_bot_go_neb_systemd_wanted_services_list: []
 # Specifies the value of the `X-XSS-Protection` header
 # Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
 #
 # Learn more about it is here:
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
 # - https://portswigger.net/web-security/cross-site-scripting/reflected
 matrix_bot_go_neb_http_header_xss_protection: "1; mode=block"
 # Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 matrix_bot_go_neb_http_header_frame_options: SAMEORIGIN
 # Specifies the value of the `X-Content-Type-Options` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
 matrix_bot_go_neb_http_header_content_type_options: nosniff
 # Specifies the value of the `Content-Security-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
 matrix_bot_go_neb_http_header_content_security_policy: frame-ancestors 'self'
 # Specifies the value of the `Permission-Policy` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
 matrix_bot_go_neb_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_bot_go_neb_floc_optout_enabled else '' }}"
 # Specifies the value of the `Strict-Transport-Security` header.
 # See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 matrix_bot_go_neb_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_bot_go_neb_hsts_preload_enabled else '' }}"
 # Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
 #
 # Learn more about what it is here:
 # - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
 # - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
 # - https://amifloced.org/
 #
 # Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
 # See: `matrix_bot_go_neb_content_permission_policy`
 matrix_bot_go_neb_floc_optout_enabled: true
 # Controls if HSTS preloading is enabled
 #
 # In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
 # indicates a willingness to be "preloaded" into browsers:
 # `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
 # For more information visit:
 # - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
 # - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 # - https://hstspreload.org/#opt-in
 # See: `matrix_bot_go_neb_http_header_strict_transport_security`
 matrix_bot_go_neb_hsts_preload_enabled: false
 # Database-related configuration fields.
 #
 # MUST be "sqlite3". No other type is supported.
--- a/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-go-neb/tasks/setup_install.yml
@ -1,8 +1,5 @@
 ---
 - ansible.builtin.set_fact:
    matrix_bot_go_neb_requires_restart: false
 - name: Ensure go-neb paths exist
  ansible.builtin.file:
    path: "{{ item.path }}"
@ -16,17 +13,6 @@
    - {path: "{{ matrix_bot_go_neb_data_store_path }}", when: true}
  when: "item.when | bool"
 - name: Ensure go-neb image is pulled
  community.docker.docker_image:
    name: "{{ matrix_bot_go_neb_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_bot_go_neb_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_docker_image_force_pull }}"
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
 - name: Ensure go-neb config installed
  ansible.builtin.copy:
    content: "{{ matrix_bot_go_neb_configuration | to_nice_yaml(indent=2, width=999999) }}"
@ -35,16 +21,35 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 - name: Ensure go-neb support files installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/{{ item }}.j2"
    dest: "{{ matrix_bot_go_neb_base_path }}/{{ item }}"
    mode: 0640
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
  with_items:
    - env
    - labels
 - name: Ensure go-neb container network is created
  community.general.docker_network:
    name: "{{ matrix_bot_go_neb_container_network }}"
    driver: bridge
 - name: Ensure go-neb container image is pulled
  community.docker.docker_image:
    name: "{{ matrix_bot_go_neb_container_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_bot_go_neb_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_go_neb_container_image_force_pull }}"
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
 - name: Ensure matrix-bot-go-neb.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/systemd/matrix-bot-go-neb.service.j2"
    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-bot-go-neb.service"
    mode: 0644
  register: matrix_bot_go_neb_systemd_service_result
 - name: Ensure matrix-bot-go-neb.service restarted, if necessary
  ansible.builtin.service:
    name: "matrix-bot-go-neb.service"
    state: restarted
    daemon_reload: true
  when: "matrix_bot_go_neb_requires_restart | bool"
--- a/roles/custom/matrix-bot-go-neb/tasks/main.yml
+++ b/roles/custom/matrix-bot-go-neb/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
      when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
      when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
  tags:
    - setup-all
    - setup-bot-go-neb
    - install-all
    - install-bot-go-neb
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
      when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
- block:
+    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
-    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
+      when: "run_setup | bool and matrix_bot_go_neb_enabled | bool"
-      when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool"
+
-  tags:
+- tags:
    - setup-all
    - setup-bot-go-neb
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"
      when: "run_setup | bool and not matrix_bot_go_neb_enabled | bool"
--- a/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml
+++ b/roles/custom/matrix-bot-go-neb/tasks/setup_uninstall.yml
--- a/roles/custom/matrix-bot-go-neb/templates/env.j2
+++ b/roles/custom/matrix-bot-go-neb/templates/env.j2
@ -0,0 +1,8 @@
 BIND_ADDRESS=:4050
 DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}
 DATABASE_URL={{ matrix_bot_go_neb_storage_database }}
 BASE_URL={{ matrix_bot_go_neb_base_url }}
 CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}
--- a/roles/custom/matrix-bot-go-neb/templates/labels.j2
+++ b/roles/custom/matrix-bot-go-neb/templates/labels.j2
@ -0,0 +1,45 @@
 {% if matrix_bot_go_neb_container_labels_traefik_enabled %}
 traefik.enable=true
 {% if matrix_bot_go_neb_container_labels_traefik_docker_network %}
 traefik.docker.network={{ matrix_bot_go_neb_container_labels_traefik_docker_network }}
 {% endif %}
 {% set middlewares = [] %}
 {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.regex=({{ matrix_bot_go_neb_container_labels_traefik_path_prefix | quote }})$
 traefik.http.middlewares.matrix-bot-go-neb-slashless-redirect.redirectregex.replacement=${1}/
 {% set middlewares = middlewares + ['matrix-bot-go-neb-slashless-redirect'] %}
 {% endif %}
 {% if matrix_bot_go_neb_container_labels_traefik_path_prefix != '/' %}
 traefik.http.middlewares.matrix-bot-go-neb-strip-prefix.stripprefix.prefixes={{ matrix_bot_go_neb_container_labels_traefik_path_prefix }}
 {% set middlewares = middlewares + ['matrix-bot-go-neb-strip-prefix'] %}
 {% endif %}
 {% if matrix_bot_go_neb_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
 {% for name, value in matrix_bot_go_neb_container_labels_traefik_additional_response_headers.items() %}
 traefik.http.middlewares.matrix-bot-go-neb-add-headers.headers.customresponseheaders.{{ name }}={{ value }}
 {% endfor %}
 {% set middlewares = middlewares + ['matrix-bot-go-neb-add-headers'] %}
 {% endif %}
 traefik.http.routers.matrix-bot-go-neb.rule={{ matrix_bot_go_neb_container_labels_traefik_rule }}
 {% if matrix_bot_go_neb_container_labels_traefik_priority | int > 0 %}
 traefik.http.routers.matrix-bot-go-neb.priority={{ matrix_bot_go_neb_container_labels_traefik_priority }}
 {% endif %}
 traefik.http.routers.matrix-bot-go-neb.service=matrix-bot-go-neb
 {% if middlewares | length > 0 %}
 traefik.http.routers.matrix-bot-go-neb.middlewares={{ middlewares | join(',') }}
 {% endif %}
 traefik.http.routers.matrix-bot-go-neb.entrypoints={{ matrix_bot_go_neb_container_labels_traefik_entrypoints }}
 traefik.http.routers.matrix-bot-go-neb.tls={{ matrix_bot_go_neb_container_labels_traefik_tls | to_json }}
 {% if matrix_bot_go_neb_container_labels_traefik_tls %}
 traefik.http.routers.matrix-bot-go-neb.tls.certResolver={{ matrix_bot_go_neb_container_labels_traefik_tls_certResolver }}
 {% endif %}
 traefik.http.services.matrix-bot-go-neb.loadbalancer.server.port=4050
 {% endif %}
 {{ matrix_bot_go_neb_container_labels_additional_labels }}
--- a/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2
+++ b/roles/custom/matrix-bot-go-neb/templates/systemd/matrix-bot-go-neb.service.j2
@ -16,31 +16,37 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true'
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-bot-go-neb \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=matrix-bot-go-neb \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
-			--network={{ matrix_docker_network }} \
+			--network={{ matrix_bot_go_neb_container_network }} \
 			{% if matrix_bot_go_neb_container_http_host_bind_port %}
 			-p {{ matrix_bot_go_neb_container_http_host_bind_port }}:4050 \
 			{% endif %}
-			-e 'BIND_ADDRESS=:4050' \
+			--env-file={{ matrix_bot_go_neb_base_path }}/env \
-			-e 'DATABASE_TYPE={{ matrix_bot_go_neb_database_engine }}' \
+			--label-file={{ matrix_bot_go_neb_base_path }}/labels \
 			-e 'BASE_URL=https://{{ matrix_server_fqn_bot_go_neb }}' \
 			-e 'CONFIG_FILE={{ matrix_bot_go_neb_config_path_in_container }}' \
 			-e 'DATABASE_URL={{ matrix_bot_go_neb_storage_database }}' \
 			--mount type=bind,src={{ matrix_bot_go_neb_config_path }},dst=/config,ro \
 			--mount type=bind,src={{ matrix_bot_go_neb_data_path }},dst=/data \
 			--entrypoint=/bin/sh \
 			{% for arg in matrix_bot_go_neb_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}
-			{{ matrix_bot_go_neb_docker_image }} \
+			{{ matrix_bot_go_neb_container_image }} \
 			-c "go-neb /config/config.yaml"
 {% for network in matrix_bot_go_neb_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-bot-go-neb
 {% endfor %}
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-bot-go-neb
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-bot-go-neb 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-bot-go-neb 2>/dev/null || true'
 Restart=always
 RestartSec=30
 SyslogIdentifier=matrix-bot-go-neb
--- a/roles/custom/matrix-bot-honoroit/defaults/main.yml
+++ b/roles/custom/matrix-bot-honoroit/defaults/main.yml
@ -9,7 +9,7 @@ matrix_bot_honoroit_docker_repo: "https://gitlab.com/etke.cc/honoroit.git"
 matrix_bot_honoroit_docker_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
-matrix_bot_honoroit_version: v0.9.16
+matrix_bot_honoroit_version: v0.9.17
 matrix_bot_honoroit_docker_image: "{{ matrix_bot_honoroit_docker_image_name_prefix }}etke.cc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_bot_honoroit_docker_image_force_pull: "{{ matrix_bot_honoroit_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bot-honoroit/tasks/main.yml
+++ b/roles/custom/matrix-bot-honoroit/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-honoroit
    - install-all
    - install-bot-honoroit
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
      when: "run_setup | bool and matrix_bot_honoroit_enabled | bool"
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
      when: "run_setup | bool and matrix_bot_honoroit_enabled | bool"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-honoroit
-    - install-all
+  block:
    - install-bot-honoroit
 - block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
      when: "run_setup | bool and not matrix_bot_honoroit_enabled | bool"
  tags:
    - setup-all
    - setup-bot-honoroit
--- a/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
+++ b/roles/custom/matrix-bot-matrix-registration-bot/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-matrix-registration-bot
    - install-all
    - install-bot-matrix-registration-bot
  block:
    - when: matrix_bot_matrix_registration_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_matrix_registration_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-matrix-registration-bot
-    - install-all
+  block:
    - install-bot-matrix-registration-bot
 - block:
    - when: not matrix_bot_matrix_registration_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-bot-matrix-registration-bot
--- a/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml
+++ b/roles/custom/matrix-bot-matrix-reminder-bot/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-matrix-reminder-bot
    - install-all
    - install-bot-matrix-reminder-bot
  block:
    - when: matrix_bot_matrix_reminder_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_matrix_reminder_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-matrix-reminder-bot
-    - install-all
+  block:
    - install-bot-matrix-reminder-bot
 - block:
    - when: not matrix_bot_matrix_reminder_bot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-bot-matrix-reminder-bot
--- a/roles/custom/matrix-bot-maubot/tasks/main.yml
+++ b/roles/custom/matrix-bot-maubot/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_bot_maubot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_bot_maubot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-bot-maubot
    - install-all
    - install-bot-maubot
  block:
    - when: matrix_bot_maubot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_maubot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-maubot
-    - install-all
+  block:
    - install-bot-maubot
 - block:
    - when: not matrix_bot_maubot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-bot-maubot
--- a/roles/custom/matrix-bot-maubot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bot-maubot/tasks/setup_install.yml
@ -53,7 +53,7 @@
    name: "{{ matrix_bot_maubot_docker_image }}"
    source: build
    force_source: "{{ matrix_bot_maubot_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
-    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_mailer_git_pull_results.changed }}"
+    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_bot_maubot_git_pull_results.changed }}"
    build:
      dockerfile: Dockerfile
      path: "{{ matrix_bot_maubot_docker_src_files_path }}"
--- a/roles/custom/matrix-bot-mjolnir/tasks/main.yml
+++ b/roles/custom/matrix-bot-mjolnir/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-mjolnir
    - install-all
    - install-bot-mjolnir
  block:
    - when: matrix_bot_mjolnir_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_mjolnir_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-mjolnir
-    - install-all
+  block:
    - install-bot-mjolnir
 - block:
    - when: not matrix_bot_mjolnir_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-bot-mjolnir
--- a/roles/custom/matrix-bot-postmoogle/tasks/main.yml
+++ b/roles/custom/matrix-bot-postmoogle/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-bot-postmoogle
    - install-all
    - install-bot-postmoogle
  block:
    - when: matrix_bot_postmoogle_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_bot_postmoogle_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-bot-postmoogle
-    - install-all
+  block:
    - install-bot-postmoogle
 - block:
    - when: not matrix_bot_postmoogle_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-bot-postmoogle
--- a/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-discord/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-appservice-discord
    - install-all
    - install-appservice-discord
  block:
    - when: matrix_appservice_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_appservice_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-appservice-discord
-    - install-all
+  block:
    - install-appservice-discord
 - block:
    - when: not matrix_appservice_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-appservice-discord
--- a/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-appservice-discord/tasks/setup_install.yml
@ -65,7 +65,10 @@
  when: "matrix_appservice_discord_stat_db.stat.exists"
 - name: (Data relocation) Move AppService Discord discord.db file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_appservice_discord_base_path }}/{{ item }} {{ matrix_appservice_discord_data_path }}/{{ item }}"
    creates: "{{ matrix_appservice_discord_data_path }}/{{ item }}"
    removes: "{{ matrix_appservice_discord_base_path }}/{{ item }}"
  with_items:
    - discord.db
    - user-store.db
--- a/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/defaults/main.yml
@ -11,7 +11,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
-matrix_appservice_irc_version: 0.36.0
+matrix_appservice_irc_version: 0.37.0
 matrix_appservice_irc_docker_image: "{{ matrix_container_global_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_tag: "{{ 'latest' if matrix_appservice_irc_version == 'latest' else ('release-' + matrix_appservice_irc_version) }}"
 matrix_appservice_irc_docker_image_force_pull: "{{ matrix_appservice_irc_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-appservice-irc
    - install-all
    - install-appservice-irc
  block:
    - when: matrix_appservice_irc_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_appservice_irc_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-appservice-irc
-    - install-all
+  block:
    - install-appservice-irc
 - block:
    - when: not matrix_appservice_irc_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-appservice-irc
--- a/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml
@ -108,16 +108,12 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 - name: Check if Appservice IRC passkey exists
  ansible.builtin.stat:
    path: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
  register: irc_passkey_file
 - name: Generate Appservice IRC passkey if it doesn't exist
-  ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
+  ansible.builtin.shell:
    cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
    creates: "{{ matrix_appservice_irc_data_path }}/passkey.pem"
  become: true
  become_user: "{{ matrix_user_username }}"
  when: "not irc_passkey_file.stat.exists"
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
--- a/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-kakaotalk/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-appservice-kakaotalk
    - install-all
    - install-appservice-kakaotalk
  block:
    - when: matrix_appservice_kakaotalk_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_appservice_kakaotalk_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-appservice-kakaotalk
-    - install-all
+  block:
    - install-appservice-kakaotalk
 - block:
    - when: not matrix_appservice_kakaotalk_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-appservice-kakaotalk
--- a/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-slack/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_appservice_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_appservice_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-appservice-slack
    - install-all
    - install-appservice-slack
  block:
    - when: matrix_appservice_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_appservice_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-appservice-slack
-    - install-all
+  block:
    - install-appservice-slack
 - block:
    - when: not matrix_appservice_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-appservice-slack
--- a/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml
+++ b/roles/custom/matrix-bridge-appservice-webhooks/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_appservice_webhooks_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_appservice_webhooks_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-appservice-webhooks
    - install-all
    - install-appservice-webhooks
  block:
    - when: matrix_appservice_webhooks_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_appservice_webhooks_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-appservice-webhooks
-    - install-all
+  block:
    - install-appservice-webhooks
 - block:
    - when: not matrix_appservice_webhooks_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-appservice-webhooks
--- a/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml
+++ b/roles/custom/matrix-bridge-beeper-linkedin/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-beeper-linkedin
    - install-all
    - install-beeper-linkedin
  block:
    - when: matrix_beeper_linkedin_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_beeper_linkedin_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-beeper-linkedin
-    - install-all
+  block:
    - install-beeper-linkedin
 - block:
    - when: not matrix_beeper_linkedin_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-beeper-linkedin
--- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-go-skype-bridge
    - install-all
    - install-go-skype-bridge
  block:
    - when: matrix_go_skype_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_go_skype_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-go-skype-bridge
-    - install-all
+  block:
    - install-go-skype-bridge
 - block:
    - when: not matrix_go_skype_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-go-skype-bridge
--- a/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-go-skype-bridge/tasks/setup_install.yml
@ -97,11 +97,17 @@
  when: "matrix_go_skype_bridge_stat_database.stat.exists"
 - name: (Data relocation) Move go-skype-bridge database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db {{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db"
    creates: "{{ matrix_go_skype_bridge_data_path }}/go-skype-bridge.db"
    removes: "{{ matrix_go_skype_bridge_base_path }}/go-skype-bridge.db"
  when: "matrix_go_skype_bridge_stat_database.stat.exists"
 - name: (Data relocation) Move go-skype-bridge mx-state file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_go_skype_bridge_base_path }}/mx-state.json {{ matrix_go_skype_bridge_data_path }}/mx-state.json"
    creates: "{{ matrix_go_skype_bridge_data_path }}/mx-state.json"
    removes: "{{ matrix_go_skype_bridge_base_path }}/mx-state.json"
  when: "matrix_go_skype_bridge_stat_mx_state.stat.exists"
 - name: Ensure go-skype-bridge config.yaml installed
--- a/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml
+++ b/roles/custom/matrix-bridge-heisenbridge/tasks/main.yml
@ -1,17 +1,17 @@
 ---
- block:
+- tags:
    - when: matrix_heisenbridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
  tags:
    - setup-all
    - setup-heisenbridge
    - install-all
    - install-heisenbridge
  block:
    - when: matrix_heisenbridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- block:
+- tags:
    - when: not matrix_heisenbridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-heisenbridge
  block:
    - when: not matrix_heisenbridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-bridge-hookshot/defaults/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/defaults/main.yml
@ -122,15 +122,15 @@ matrix_hookshot_jira_oauth_redirect_uri: "{{ matrix_hookshot_urlprefix }}{{ matr
 # No need to change these
 matrix_hookshot_generic_enabled: true
-matrix_hookshot_generic_enableHttpGet: false
+matrix_hookshot_generic_enableHttpGet: false  # noqa var-naming
 # Default value of matrix_hookshot_generic_endpoint: "/hookshot/webhooks"
 matrix_hookshot_generic_endpoint: "{{ matrix_hookshot_webhook_endpoint }}"
 # urlprefix gets updated with protocol & port in group_vars/matrix_servers
-matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}"
+matrix_hookshot_generic_urlPrefix: "{{ matrix_hookshot_urlprefix }}{{ matrix_hookshot_generic_endpoint }}"  # noqa var-naming
 # If you're also using matrix-appservice-webhooks, take care that these prefixes don't overlap
-matrix_hookshot_generic_userIdPrefix: '_webhooks_'
+matrix_hookshot_generic_userIdPrefix: '_webhooks_'  # noqa var-naming
-matrix_hookshot_generic_allowJsTransformationFunctions: false
+matrix_hookshot_generic_allowJsTransformationFunctions: false  # noqa var-naming
-matrix_hookshot_generic_waitForComplete: false
+matrix_hookshot_generic_waitForComplete: false  # noqa var-naming
 matrix_hookshot_feeds_enabled: true
--- a/roles/custom/matrix-bridge-hookshot/tasks/main.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-hookshot
    - install-all
    - install-hookshot
  block:
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-hookshot
-    - install-all
+  block:
    - install-hookshot
 - block:
    - when: not matrix_hookshot_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-hookshot
--- a/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml
@ -57,7 +57,9 @@
  register: hookshot_passkey_file
 - name: Generate hookshot passkey if it doesn't exist
-  ansible.builtin.shell: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096"
+  ansible.builtin.shell:
    cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_hookshot_base_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:4096"
    creates: "{{ matrix_hookshot_base_path }}/passkey.pem"
  become: true
  become_user: "{{ matrix_user_username }}"
  when: "not hookshot_passkey_file.stat.exists"
--- a/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-discord/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-mautrix-discord
    - install-all
    - install-mautrix-discord
  block:
    - when: matrix_mautrix_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-discord
-    - install-all
+  block:
    - install-mautrix-discord
 - block:
    - when: not matrix_mautrix_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-discord
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_facebook_enabled | bool and matrix_mautrix_facebook_appservice_public_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-facebook
    - install-all
    - install-mautrix-facebook
  block:
    - when: matrix_mautrix_facebook_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_facebook_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-facebook
-    - install-all
+  block:
    - install-mautrix-facebook
 - block:
    - when: not matrix_mautrix_facebook_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-facebook
--- a/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-facebook/tasks/setup_install.yml
@ -91,7 +91,10 @@
  when: "matrix_mautrix_facebook_stat_database.stat.exists"
 - name: (Data relocation) Move mautrix-facebook database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db {{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
    creates: "{{ matrix_mautrix_facebook_data_path }}/mautrix-facebook.db"
    removes: "{{ matrix_mautrix_facebook_base_path }}/mautrix-facebook.db"
  when: "matrix_mautrix_facebook_stat_database.stat.exists"
 - name: Ensure mautrix-facebook config.yaml installed
--- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_googlechat_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_googlechat_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-googlechat
    - install-all
    - install-mautrix-googlechat
  block:
    - when: matrix_mautrix_googlechat_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_googlechat_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-googlechat
-    - install-all
+  block:
    - install-mautrix-googlechat
 - block:
    - when: not matrix_mautrix_googlechat_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-googlechat
--- a/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-googlechat/tasks/setup_install.yml
@ -91,7 +91,10 @@
  when: "matrix_mautrix_googlechat_stat_database.stat.exists"
 - name: (Data relocation) Move mautrix-googlechat database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db {{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db"
    creates: "{{ matrix_mautrix_googlechat_data_path }}/mautrix-googlechat.db"
    removes: "{{ matrix_mautrix_googlechat_base_path }}/mautrix-googlechat.db"
  when: "matrix_mautrix_googlechat_stat_database.stat.exists"
 - name: Ensure mautrix-googlechat config.yaml installed
--- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_hangouts_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_hangouts_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-hangouts
    - install-all
    - install-mautrix-hangouts
  block:
    - when: matrix_mautrix_hangouts_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_hangouts_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-hangouts
-    - install-all
+  block:
    - install-mautrix-hangouts
 - block:
    - when: not matrix_mautrix_hangouts_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-hangouts
--- a/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-hangouts/tasks/setup_install.yml
@ -91,7 +91,10 @@
  when: "matrix_mautrix_hangouts_stat_database.stat.exists"
 - name: (Data relocation) Move mautrix-hangouts database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db {{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
    creates: "{{ matrix_mautrix_hangouts_data_path }}/mautrix-hangouts.db"
    removes: "{{ matrix_mautrix_hangouts_base_path }}/mautrix-hangouts.db"
  when: "matrix_mautrix_hangouts_stat_database.stat.exists"
 - name: Ensure mautrix-hangouts config.yaml installed
--- a/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-instagram/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_instagram_enabled | bool and matrix_mautrix_instagram_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-instagram
    - install-all
    - install-mautrix-instagram
  block:
    - when: matrix_mautrix_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-instagram
-    - install-all
+  block:
    - install-mautrix-instagram
 - block:
    - when: not matrix_mautrix_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-instagram
--- a/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-signal/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_signal_enabled | bool and matrix_mautrix_signal_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-signal
    - install-all
    - install-mautrix-signal
  block:
    - when: matrix_mautrix_signal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_signal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-signal
-    - install-all
+  block:
    - install-mautrix-signal
 - block:
    - when: not matrix_mautrix_signal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-signal
--- a/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-slack/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-mautrix-slack
    - install-all
    - install-mautrix-slack
  block:
    - when: matrix_mautrix_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-slack
-    - install-all
+  block:
    - install-mautrix-slack
 - block:
    - when: not matrix_mautrix_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-slack
--- a/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/defaults/main.yml
@ -17,7 +17,7 @@ matrix_mautrix_telegram_docker_repo: "https://mau.dev/mautrix/telegram.git"
 matrix_mautrix_telegram_docker_repo_version: "{{ 'master' if matrix_mautrix_telegram_version == 'latest' else matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_src_files_path: "{{ matrix_base_data_path }}/mautrix-telegram/docker-src"
-matrix_mautrix_telegram_version: v0.12.2
+matrix_mautrix_telegram_version: v0.13.0
 # See: https://mau.dev/mautrix/telegram/container_registry
 matrix_mautrix_telegram_docker_image: "{{ matrix_mautrix_telegram_docker_image_name_prefix }}mautrix/telegram:{{ matrix_mautrix_telegram_version }}"
 matrix_mautrix_telegram_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_telegram_container_image_self_build else 'dock.mau.dev/' }}"
--- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_telegram_enabled | bool and matrix_mautrix_telegram_appservice_public_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-telegram
    - install-all
    - install-mautrix-telegram
  block:
    - when: matrix_mautrix_telegram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_telegram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-telegram
-    - install-all
+  block:
    - install-mautrix-telegram
 - block:
    - when: not matrix_mautrix_telegram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-telegram
--- a/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-telegram/tasks/setup_install.yml
@ -116,7 +116,10 @@
  when: "matrix_mautrix_telegram_stat_database.stat.exists"
 - name: (Data relocation) Move mautrix-telegram database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db {{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
    creates: "{{ matrix_mautrix_telegram_data_path }}/mautrix-telegram.db"
    removes: "{{ matrix_mautrix_telegram_base_path }}/mautrix-telegram.db"
  when: "matrix_mautrix_telegram_stat_database.stat.exists"
 - name: Ensure mautrix-telegram config.yaml installed
--- a/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-twitter/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_twitter_enabled | bool and matrix_mautrix_twitter_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-twitter
    - install-all
    - install-mautrix-twitter
  block:
    - when: matrix_mautrix_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-twitter
-    - install-all
+  block:
    - install-mautrix-twitter
 - block:
    - when: not matrix_mautrix_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-twitter
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mautrix_whatsapp_enabled | bool and matrix_mautrix_whatsapp_metrics_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mautrix-whatsapp
    - install-all
    - install-mautrix-whatsapp
  block:
    - when: matrix_mautrix_whatsapp_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mautrix_whatsapp_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mautrix-whatsapp
-    - install-all
+  block:
    - install-mautrix-whatsapp
 - block:
    - when: not matrix_mautrix_whatsapp_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mautrix-whatsapp
--- a/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mautrix-whatsapp/tasks/setup_install.yml
@ -97,11 +97,17 @@
  when: "matrix_mautrix_whatsapp_stat_database.stat.exists"
 - name: (Data relocation) Move mautrix-whatsapp database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db {{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
    creates: "{{ matrix_mautrix_whatsapp_data_path }}/mautrix-whatsapp.db"
    removes: "{{ matrix_mautrix_whatsapp_base_path }}/mautrix-whatsapp.db"
  when: "matrix_mautrix_whatsapp_stat_database.stat.exists"
 - name: (Data relocation) Move mautrix-whatsapp mx-state file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mautrix_whatsapp_base_path }}/mx-state.json {{ matrix_mautrix_whatsapp_data_path }}/mx-state.json"
    creates: "{{ matrix_mautrix_whatsapp_data_path }}/mx-state.json"
    removes: "{{ matrix_mautrix_whatsapp_base_path }}/mx-state.json"
  when: "matrix_mautrix_whatsapp_stat_mx_state.stat.exists"
 - name: Ensure mautrix-whatsapp config.yaml installed
--- a/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-discord/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-mx-puppet-discord
    - install-all
    - install-mx-puppet-discord
  block:
    - when: matrix_mx_puppet_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mx_puppet_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mx-puppet-discord
-    - install-all
+  block:
    - install-mx-puppet-discord
 - block:
    - when: not matrix_mx_puppet_discord_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mx-puppet-discord
--- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-mx-puppet-groupme
    - install-all
    - install-mx-puppet-groupme
  block:
    - when: matrix_mx_puppet_groupme_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mx_puppet_groupme_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mx-puppet-groupme
-    - install-all
+  block:
    - install-mx-puppet-groupme
 - block:
    - when: not matrix_mx_puppet_groupme_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mx-puppet-groupme
--- a/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-groupme/tasks/setup_install.yml
@ -29,7 +29,10 @@
  when: "matrix_mx_puppet_groupme_stat_database.stat.exists"
 - name: (Data relocation) Move mx-puppet-groupme database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mx_puppet_groupme_base_path }}/database.db {{ matrix_mx_puppet_groupme_data_path }}/database.db"
    creates: "{{ matrix_mx_puppet_groupme_data_path }}/database.db"
    removes: "{{ matrix_mx_puppet_groupme_base_path }}/database.db"
  when: "matrix_mx_puppet_groupme_stat_database.stat.exists"
 - ansible.builtin.set_fact:
--- a/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-instagram/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-mx-puppet-instagram
    - install-all
    - install-mx-puppet-instagram
  block:
    - when: matrix_mx_puppet_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mx_puppet_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mx-puppet-instagram
-    - install-all
+  block:
    - install-mx-puppet-instagram
 - block:
    - when: not matrix_mx_puppet_instagram_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mx-puppet-instagram
--- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mx_puppet_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mx_puppet_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mx-puppet-slack
    - install-all
    - install-mx-puppet-slack
  block:
    - when: matrix_mx_puppet_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mx_puppet_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mx-puppet-slack
-    - install-all
+  block:
    - install-mx-puppet-slack
 - block:
    - when: not matrix_mx_puppet_slack_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mx-puppet-slack
--- a/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-slack/tasks/setup_install.yml
@ -91,7 +91,10 @@
  when: "matrix_mx_puppet_slack_enabled | bool and matrix_mx_puppet_slack_container_image_self_build"
 - name: (Data relocation) Move mx-puppet-slack database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mx_puppet_slack_base_path }}/database.db {{ matrix_mx_puppet_slack_data_path }}/database.db"
    creates: "{{ matrix_mx_puppet_slack_data_path }}/database.db"
    removes: "{{ matrix_mx_puppet_slack_base_path }}/database.db"
  when: "matrix_mx_puppet_slack_stat_database.stat.exists"
 - name: Ensure mx-puppet-slack config.yaml installed
--- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-mx-puppet-steam
    - install-all
    - install-mx-puppet-steam
  block:
    - when: matrix_mx_puppet_steam_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mx_puppet_steam_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mx-puppet-steam
-    - install-all
+  block:
    - install-mx-puppet-steam
 - block:
    - when: not matrix_mx_puppet_steam_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mx-puppet-steam
--- a/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-steam/tasks/setup_install.yml
@ -29,7 +29,10 @@
  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
 - name: (Data relocation) Move mx-puppet-steam database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mx_puppet_steam_base_path }}/database.db {{ matrix_mx_puppet_steam_data_path }}/database.db"
    creates: "{{ matrix_mx_puppet_steam_data_path }}/database.db"
    removes: "{{ matrix_mx_puppet_steam_base_path }}/database.db"
  when: "matrix_mx_puppet_steam_stat_database.stat.exists"
 - ansible.builtin.set_fact:
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_mx_puppet_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_mx_puppet_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-mx-puppet-twitter
    - install-all
    - install-mx-puppet-twitter
  block:
    - when: matrix_mx_puppet_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_mx_puppet_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-mx-puppet-twitter
-    - install-all
+  block:
    - install-mx-puppet-twitter
 - block:
    - when: not matrix_mx_puppet_twitter_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-mx-puppet-twitter
--- a/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
+++ b/roles/custom/matrix-bridge-mx-puppet-twitter/tasks/setup_install.yml
@ -29,7 +29,10 @@
  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
 - name: (Data relocation) Move mx-puppet-twitter database file to ./data directory
-  ansible.builtin.command: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db"
+  ansible.builtin.command:
    cmd: "mv {{ matrix_mx_puppet_twitter_base_path }}/database.db {{ matrix_mx_puppet_twitter_data_path }}/database.db"
    creates: "{{ matrix_mx_puppet_twitter_data_path }}/database.db"
    removes: "{{ matrix_mx_puppet_twitter_base_path }}/database.db"
  when: "matrix_mx_puppet_twitter_stat_database.stat.exists"
 - ansible.builtin.set_fact:
--- a/roles/custom/matrix-bridge-sms/tasks/main.yml
+++ b/roles/custom/matrix-bridge-sms/tasks/main.yml
@ -1,20 +1,20 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-matrix-sms-bridge
    - install-all
    - install-matrix-sms-bridge
  block:
    - when: matrix_sms_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_sms_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-matrix-sms-bridge
-    - install-all
+  block:
    - install-matrix-sms-bridge
 - block:
    - when: not matrix_sms_bridge_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-matrix-sms-bridge
--- a/roles/custom/matrix-cactus-comments/tasks/main.yml
+++ b/roles/custom/matrix-cactus-comments/tasks/main.yml
@ -1,29 +1,29 @@
 ---
- block:
+- tags:
    - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
  tags:
    - setup-all
    - setup-nginx-proxy
    - install-all
    - install-nginx-proxy
  block:
    - when: matrix_cactus_comments_enabled | bool and matrix_cactus_comments_serve_client_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/inject_into_nginx_proxy.yml"
- block:
+- tags:
    - setup-all
    - setup-cactus-comments
    - install-all
    - install-cactus-comments
  block:
    - when: matrix_cactus_comments_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_cactus_comments_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-cactus-comments
-    - install-all
+  block:
    - install-cactus-comments
 - block:
    - when: not matrix_cactus_comments_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-cactus-comments
--- a/roles/custom/matrix-client-cinny/tasks/main.yml
+++ b/roles/custom/matrix-client-cinny/tasks/main.yml
@ -1,26 +1,26 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-client-cinny
    - install-all
    - install-client-cinny
  block:
    - when: matrix_client_cinny_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_client_cinny_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-client-cinny
-    - install-all
+  block:
    - install-client-cinny
 - block:
    - when: not matrix_client_cinny_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-client-cinny
- block:
+- tags:
    - self-check
  block:
    - when: matrix_client_cinny_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
  tags:
    - self-check
--- a/roles/custom/matrix-client-element/defaults/main.yml
+++ b/roles/custom/matrix-client-element/defaults/main.yml
@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
-matrix_client_element_version: v1.11.23
+matrix_client_element_version: v1.11.24
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"
--- a/roles/custom/matrix-client-element/tasks/main.yml
+++ b/roles/custom/matrix-client-element/tasks/main.yml
@ -1,6 +1,11 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-client-element
    - install-all
    - install-client-element
  block:
    - when: matrix_client_element_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
@ -9,21 +14,16 @@
    - when: matrix_client_element_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-client-element
-    - install-all
+  block:
    - install-client-element
 - block:
    - when: not matrix_client_element_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-client-element
- block:
+- tags:
    - self-check
  block:
    - when: matrix_client_element_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
  tags:
    - self-check
--- a/roles/custom/matrix-client-element/tasks/setup_install.yml
+++ b/roles/custom/matrix-client-element/tasks/setup_install.yml
@ -56,6 +56,7 @@
      --tag={{ matrix_client_element_docker_image }}
      --file={{ matrix_client_element_docker_src_files_path }}/Dockerfile
      {{ matrix_client_element_docker_src_files_path }}
  changed_when: true
  when: matrix_client_element_container_image_self_build | bool
 - name: Ensure Element configuration installed
--- a/roles/custom/matrix-client-hydrogen/tasks/main.yml
+++ b/roles/custom/matrix-client-hydrogen/tasks/main.yml
@ -1,26 +1,26 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-client-hydrogen
    - install-all
    - install-client-hydrogen
  block:
    - when: matrix_client_hydrogen_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_client_hydrogen_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-client-hydrogen
-    - install-all
+  block:
    - install-client-hydrogen
 - block:
    - when: not matrix_client_hydrogen_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-client-hydrogen
- block:
+- tags:
    - self-check
  block:
    - when: matrix_client_hydrogen_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
  tags:
    - self-check
--- a/roles/custom/matrix-common-after/tasks/main.yml
+++ b/roles/custom/matrix-common-after/tasks/main.yml
@ -1,6 +1,6 @@
 ---
- block:
+- tags:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml"
  tags:
    - run-docker-prune
  block:
    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/run_docker_prune.yml"
--- a/roles/custom/matrix-conduit/defaults/main.yml
+++ b/roles/custom/matrix-conduit/defaults/main.yml
@ -23,6 +23,14 @@ matrix_conduit_systemd_required_services_list: ["docker.service"]
 # List of systemd services that matrix-conduit.service wants
 matrix_conduit_systemd_wanted_services_list: []
 # The base container network. It will be auto-created by this role if it doesn't exist already.
 matrix_conduit_container_network: "{{ matrix_docker_network }}"
 # A list of additional container networks that the container would be connected to.
 # The role does not create these networks, so make sure they already exist.
 # Use this to expose this container to another reverse proxy, which runs in a different container network.
 matrix_conduit_container_additional_networks: []
 # Extra arguments for the Docker container
 matrix_conduit_container_extra_arguments: []
--- a/roles/custom/matrix-conduit/tasks/main.yml
+++ b/roles/custom/matrix-conduit/tasks/main.yml
@ -1,17 +1,17 @@
 ---
- block:
+- tags:
    - when: matrix_conduit_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
  tags:
    - setup-all
    - setup-conduit
    - install-all
    - install-conduit
  block:
    - when: matrix_conduit_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
- block:
+- tags:
    - when: not matrix_conduit_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-conduit
  block:
    - when: not matrix_conduit_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
--- a/roles/custom/matrix-conduit/tasks/setup_install.yml
+++ b/roles/custom/matrix-conduit/tasks/setup_install.yml
@ -1,14 +1,4 @@
 ---
 - name: Ensure Conduit Docker image is pulled
  community.docker.docker_image:
    name: "{{ matrix_conduit_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}"
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
 - name: Ensure Conduit config path exists
  ansible.builtin.file:
@ -34,6 +24,22 @@
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_groupname }}"
 - name: Ensure Conduit container network is created
  community.general.docker_network:
    name: "{{ matrix_conduit_container_network }}"
    driver: bridge
 - name: Ensure Conduit container image is pulled
  community.docker.docker_image:
    name: "{{ matrix_conduit_docker_image }}"
    source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
    force_source: "{{ matrix_conduit_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
    force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_docker_image_force_pull }}"
  register: result
  retries: "{{ devture_playbook_help_container_retries_count }}"
  delay: "{{ devture_playbook_help_container_retries_delay }}"
  until: result is not failed
 - name: Ensure matrix-conduit.service installed
  ansible.builtin.template:
    src: "{{ role_path }}/templates/conduit/systemd/matrix-conduit.service.j2"
--- a/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2
+++ b/roles/custom/matrix-conduit/templates/conduit/systemd/matrix-conduit.service.j2
@ -12,13 +12,15 @@ Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true'
 ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true'
-ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name matrix-conduit \
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--rm \
 			--name=matrix-conduit \
 			--log-driver=none \
 			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 			--cap-drop=ALL \
 			--read-only \
 			--tmpfs=/tmp:rw,noexec,nosuid,size={{ matrix_conduit_tmp_directory_size_mb }}m \
-			--network={{ matrix_docker_network }} \
+			--network={{ matrix_conduit_container_network }} \
 			--env CONDUIT_CONFIG=/etc/matrix-conduit/conduit.toml \
 			--mount type=bind,src={{ matrix_conduit_data_path }},dst=/var/lib/matrix-conduit \
 			--mount type=bind,src={{ matrix_conduit_config_path }},dst=/etc/matrix-conduit,ro \
@ -27,6 +29,12 @@ ExecStart={{ devture_systemd_docker_base_host_command_docker }} run --rm --name
 			{% endfor %}
 			{{ matrix_conduit_docker_image }}
 {% for network in matrix_conduit_container_additional_networks %}
 ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} matrix-conduit
 {% endfor %}
 ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach matrix-conduit
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} kill matrix-conduit 2>/dev/null || true'
 ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm matrix-conduit 2>/dev/null || true'
 ExecReload={{ devture_systemd_docker_base_host_command_docker }} exec matrix-conduit /bin/sh -c 'kill -HUP 1'
--- a/roles/custom/matrix-corporal/tasks/main.yml
+++ b/roles/custom/matrix-corporal/tasks/main.yml
@ -1,26 +1,26 @@
 ---
- block:
+- tags:
    - setup-all
    - setup-corporal
    - install-all
    - install-corporal
  block:
    - when: matrix_corporal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
    - when: matrix_corporal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_install.yml"
-  tags:
+
 - tags:
    - setup-all
    - setup-corporal
-    - install-all
+  block:
    - install-corporal
 - block:
    - when: not matrix_corporal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup_uninstall.yml"
  tags:
    - setup-all
    - setup-corporal
- block:
+- tags:
    - self-check
  block:
    - when: matrix_corporal_enabled | bool
      ansible.builtin.include_tasks: "{{ role_path }}/tasks/self_check.yml"
  tags:
    - self-check
--- a/Show more
+++ b/Show more