Merge branch 'master' into pub.solar

Without explicitly passing the `media_url` configuration,
Heisenbridge would try to guess it. It works most of the time,
but some people are experiencing trouble with it.

There's no need for wasteful work and for potential unreliability,
so we now configure the `media_url` explicitly.

Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2932

README.md

@@ -93,7 +93,7 @@ Use alternative file storage to the default `media_store` folder.
 | ---- | -------- | ----------- | ------------- |
 | [Goofys](https://github.com/kahing/goofys) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3-goofys.md) |
 | [synapse-s3-storage-provider](https://github.com/matrix-org/synapse-s3-storage-provider) | x | [Amazon S3](https://aws.amazon.com/s3/) (or other S3-compatible object store) storage for Synapse's content repository (`media_store`) files | [Link](docs/configuring-playbook-s3.md) |
-| [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) | x | matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification. | [Link](docs/configuring-playbook-media-repo.md) |
+| [matrix-media-repo](https://github.com/turt2live/matrix-media-repo) | x | matrix-media-repo is a highly customizable multi-domain media repository for Matrix. Intended for medium to large deployments, this media repo de-duplicates media while being fully compliant with the specification. | [Link](docs/configuring-playbook-matrix-media-repo.md) |
 
 ### Bridges
 

docs/configuring-playbook-bot-draupnir.md

@@ -20,7 +20,7 @@ You can use the playbook to [register a new user](registering-users.md):
 ansible-playbook -i inventory/hosts setup.yml --extra-vars='username=bot.draupnir password=PASSWORD_FOR_THE_BOT admin=no' --tags=register-user
 ```
 
-If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
+If you would like draupnir to be able to deactivate users, move aliases, shutdown rooms, show abuse reports ([see below](#abuse-reports)), etc then it must be a server admin so you need to change `admin=no` to `admin=yes` in the command above.
 
 
 ## 2. Get an access token
@@ -32,9 +32,9 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
 
 You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step draupnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.
 
-If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 
+If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 
 
-The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token.
+The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Draupnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Draupnir it self. If you made Draupnir Admin you can just use the Draupnir token.
 
 
 
@@ -77,7 +77,7 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
 
 ## Usage
 
-You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/matrix-org/draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
+You can refer to the upstream [documentation](https://github.com/the-draupnir-project/Draupnir) for additional ways to use and configure draupnir. Check out their [quickstart guide](https://github.com/the-draupnir-project/Draupnir/blob/main/docs/moderators.md#quick-usage) for some basic commands you can give to the bot.
 
 You can configure additional options by adding the `matrix_bot_draupnir_configuration_extension_yaml` variable to your `inventory/host_vars/matrix.DOMAIN/vars.yml` file.
 
@@ -94,3 +94,17 @@ matrix_bot_draupnir_configuration_extension_yaml: |
   # completely redefining `matrix_bot_draupnir_configuration_yaml`.
   recordIgnoredInvites: true
 ```
+
+## Abuse Reports
+
+Draupnir supports two methods to receive reports in the management room.
+
+The first method intercepts the report API endpoint of the client-server API, which requires integration with the reverse proxy in front of the homeserver.
+While this playbook uses reverse proxies, it does not yet implement this.
+
+The other method polls an synapse admin API endpoint and is hence only available when using synapse and when the Draupnir user is an admin user (see step 1).
+To enable it, set `pollReports: true` in Draupnir's config:
+```yaml
+matrix_bot_draupnir_configuration_extension_yaml: |
+  pollReports: true
+```

docs/configuring-playbook-bot-mjolnir.md

@@ -31,9 +31,9 @@ Refer to the documentation on [how to obtain an access token](obtaining-access-t
 
 You will need to prevent Synapse from rate limiting the bot's account. This is not an optional step. If you do not do this step Mjolnir will crash. This can be done using Synapse's [admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#override-ratelimiting-for-users). Please ask for help if you are uncomfortable with these steps or run into issues.
 
-If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 
+If your Synapse Admin API is exposed to the internet for some reason like running the Synapse Admin Role [Link](/docs/configuring-playbook-synapse-admin.md) or running `matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled: true` in your playbook config. If your API is not externally exposed you should still be able to on the local host for your synapse run these commands. 
 
-The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X DELETE https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token.
+The following command works on semi up to date Windows 10 installs and All Windows 11 installations and other systems that ship curl. `curl --header "Authorization: Bearer <access_token>" -X POST https://matrix.example.com/_synapse/admin/v1/users/@example:example.com/override_ratelimit` Replace `@example:example.com` with the MXID of your Mjolnir and example.com with your homeserver domain. You can easily obtain an access token for a homeserver admin account the same way you can obtain an access token for Mjolnir it self. If you made Mjolnir Admin you can just use the Mjolnir token.
 
 ## 4. Create a management room
 

docs/importing-postgres.md

@@ -32,7 +32,7 @@ just run-tags import-postgres \
 
 - `SERVER_PATH_TO_POSTGRES_DUMP_FILE` must be a file path to a Postgres dump file on the server (not on your local machine!)
 - `postgres_default_import_database` defaults to `matrix`, which is useful for importing multiple databases (for dumps made with `pg_dumpall`). If you're importing a single database (e.g. `synapse`), consider changing `postgres_default_import_database` accordingly
-
+- after importing a large database, it's a good idea to run [an `ANALYZE` operation](https://www.postgresql.org/docs/current/sql-analyze.html) to make Postgres rebuild its database statistics and optimize its query planner. You can easily do this via the playbook by running `just run-tags run-postgres-vacuum -e postgres_vacuum_preset=analyze` (see [Vacuuming PostgreSQL](maintenance-postgres.md#vacuuming-postgresql) for more details).
 
 ## Troubleshooting
 

docs/maintenance-postgres.md

@@ -34,17 +34,22 @@ When in doubt, consider [making a backup](#backing-up-postgresql).
 
 ## Vacuuming PostgreSQL
 
-Deleting lots data from Postgres does not make it release disk space, until you perform a `VACUUM` operation.
+Deleting lots data from Postgres does not make it release disk space, until you perform a [`VACUUM` operation](https://www.postgresql.org/docs/current/sql-vacuum.html).
 
-To perform a `FULL` Postgres [VACUUM](https://www.postgresql.org/docs/current/sql-vacuum.html), run the playbook with `--tags=run-postgres-vacuum`.
+You can run different `VACUUM` operations via the playbook, with the default preset being `vacuum-complete`:
 
-Example:
+- (default) `vacuum-complete`: stops all services temporarily and runs `VACUUM FULL VERBOSE ANALYZE`.
+- `vacuum-full`: stops all services temporarily and runs `VACUUM FULL VERBOSE`
+- `vacuum`: runs `VACUUM VERBOSE` without stopping any services
+- `vacuum-analyze` runs `VACUUM VERBOSE ANALYZE` without stopping any services
+- `analyze` runs `ANALYZE VERBOSE` without stopping any services (this is just [ANALYZE](https://www.postgresql.org/docs/current/sql-analyze.html) without doing a vacuum, so it's faster)
 
-```bash
-just run-tags run-postgres-vacuum,start
-```
+**Note**: for the `vacuum-complete` and `vacuum-full` presets, you'll need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`). These presets also stop all services (e.g. Synapse, etc.) while the vacuum operation is running.
 
-**Note**: this will automatically stop Synapse temporarily and restart it later. You'll also need plenty of available disk space in your Postgres data directory (usually `/matrix/postgres/data`).
+Example playbook invocations:
+
+- `just run-tags run-postgres-vacuum`: runs the default `vacuum-complete` preset and restarts all services
+- `just run-tags run-postgres-vacuum -e postgres_vacuum_preset=analyze`: runs the `analyze` preset with all services remaining operational at all times
 
 
 ## Backing up PostgreSQL

requirements.yml

@@ -4,7 +4,7 @@
   version: v1.0.0-1
   name: auxiliary
 - src: git+https://gitlab.com/etke.cc/roles/backup_borg.git
-  version: v1.2.5-1.8.2-1
+  version: v1.2.6-1.8.2-0
 - src: git+https://github.com/devture/com.devture.ansible.role.container_socket_proxy.git
   version: v0.1.1-2
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
@@ -16,7 +16,7 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
   version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres.git
-  version: v16.0-2
+  version: v16.0-5
 - src: git+https://github.com/devture/com.devture.ansible.role.postgres_backup.git
   version: a0cc7c1c696872ba8880d9c5e5a54098de825030
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
@@ -30,19 +30,19 @@
 - src: git+https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper.git
   version: v2.8.1-0
 - src: git+https://gitlab.com/etke.cc/roles/etherpad.git
-  version: v1.9.2-1
+  version: v1.9.3-0
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 6.2.0
+  version: 7.0.1
   name: geerlingguy.docker
 - src: git+https://gitlab.com/etke.cc/roles/grafana.git
-  version: v10.1.2-0
+  version: v10.1.4-0
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v8960-0
+  version: v8960-1
   name: jitsi
 - src: git+https://gitlab.com/etke.cc/roles/ntfy.git
   version: v2.7.0-2
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v2.47.0-0
+  version: v2.47.1-0
   name: prometheus
 - src: git+https://gitlab.com/etke.cc/roles/prometheus_node_exporter.git
   version: v1.6.1-0

roles/custom/matrix-bot-draupnir/templates/systemd/matrix-bot-draupnir.service.j2

@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Draupnir bot
-{% for service in matrix_bot_draupnir_systemd_required_services_list %}
+{% for service in matrix_bot_draupnir_systemd_wanted_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}

roles/custom/matrix-bot-matrix-registration-bot/defaults/main.yml

@@ -5,7 +5,7 @@
 matrix_bot_matrix_registration_bot_enabled: true
 matrix_bot_matrix_registration_bot_container_image_self_build: false
 matrix_bot_matrix_registration_bot_docker_repo: "https://github.com/moan0s/matrix-registration-bot.git"
-matrix_bot_matrix_registration_bot_docker_repo_version: "{{ matrix_bot_matrix_registration_bot_version if matrix_bot_matrix_registration_bot_version != 'latest' else 'main' }}"
+matrix_bot_matrix_registration_bot_docker_repo_version: "{{ 'main' if matrix_bot_matrix_registration_bot_version == 'latest' else ('v' + matrix_bot_matrix_registration_bot_version) }}"
 matrix_bot_matrix_registration_bot_docker_src_files_path: "{{ matrix_bot_matrix_registration_bot_base_path }}/docker-src"
 
 matrix_bot_matrix_registration_bot_version: 1.3.0

roles/custom/matrix-bot-maubot/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_bot_maubot_docker_src_files_path: "{{ matrix_bot_maubot_base_path }}/dock
 matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"
 
 
-matrix_bot_maubot_version: v0.4.1
+matrix_bot_maubot_version: v0.4.2
 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_name_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
 matrix_bot_maubot_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else 'dock.mau.dev/' }}"
 matrix_bot_maubot_docker_image_force_pull: "{{ matrix_bot_maubot_docker_image.endswith(':latest') }}"

roles/custom/matrix-bot-mjolnir/templates/systemd/matrix-bot-mjolnir.service.j2

@@ -1,7 +1,7 @@
 #jinja2: lstrip_blocks: "True"
 [Unit]
 Description=Matrix Mjolnir bot
-{% for service in matrix_bot_mjolnir_systemd_required_services_list %}
+{% for service in matrix_bot_mjolnir_systemd_wanted_services_list %}
 Requires={{ service }}
 After={{ service }}
 {% endfor %}

roles/custom/matrix-bot-postmoogle/defaults/main.yml

@@ -9,7 +9,7 @@ matrix_bot_postmoogle_docker_repo: "https://gitlab.com/etke.cc/postmoogle.git"
 matrix_bot_postmoogle_docker_repo_version: "{{ 'main' if matrix_bot_postmoogle_version == 'latest' else matrix_bot_postmoogle_version }}"
 matrix_bot_postmoogle_docker_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
 
-matrix_bot_postmoogle_version: v0.9.14
+matrix_bot_postmoogle_version: v0.9.16
 matrix_bot_postmoogle_docker_image: "{{ matrix_bot_postmoogle_docker_image_name_prefix }}etke.cc/postmoogle:{{ matrix_bot_postmoogle_version }}"
 matrix_bot_postmoogle_docker_image_name_prefix: "{{ 'localhost/' if matrix_bot_postmoogle_container_image_self_build else 'registry.gitlab.com/' }}"
 matrix_bot_postmoogle_docker_image_force_pull: "{{ matrix_bot_postmoogle_docker_image.endswith(':latest') }}"
@@ -65,12 +65,15 @@ matrix_bot_postmoogle_database_dialect: "{{
 
 
 # The bot's username. This user needs to be created manually beforehand.
-# Also see `matrix_bot_postmoogle_password`.
+# Also see `matrix_bot_postmoogle_password` or `matrix_bot_postmoogle_sharedsecret`
 matrix_bot_postmoogle_login: "postmoogle"
 
 # The password that the bot uses to authenticate.
 matrix_bot_postmoogle_password: ''
 
+# Alternative to password - shared secret requires matrix_bot_postmoogle_login to be MXID
+matrix_bot_postmoogle_sharedsecret: ''
+
 matrix_bot_postmoogle_homeserver: "{{ matrix_homeserver_container_url }}"
 
 # Command prefix
@@ -79,6 +82,12 @@ matrix_bot_postmoogle_prefix: '!pm'
 # Max email size in megabytes, including attachments
 matrix_bot_postmoogle_maxsize: '1024'
 
+# Optional SMTP relay mode
+matrix_bot_postmoogle_relay_host: ''
+matrix_bot_postmoogle_relay_port: ''
+matrix_bot_postmoogle_relay_username: ''
+matrix_bot_postmoogle_relay_password: ''
+
 # A list of admins
 # Example set of rules:
 # matrix_bot_postmoogle_admins:
@@ -102,9 +111,6 @@ matrix_bot_postmoogle_monitoring_healthchecks_duration: 60
 # Log level
 matrix_bot_postmoogle_loglevel: 'INFO'
 
-# Disable encryption
-matrix_bot_postmoogle_noencryption: false
-
 # deprecated, use matrix_bot_postmoogle_domains
 matrix_bot_postmoogle_domain: "{{ matrix_server_fqn_matrix }}"
 
@@ -147,6 +153,9 @@ matrix_bot_postmoogle_tls_required: false
 # trusted proxies
 matrix_bot_postmoogle_proxies: []
 
+# known forwarders
+matrix_bot_postmoogle_mailboxes_forwarded: []
+
 # reserved mailboxes
 matrix_bot_postmoogle_mailboxes_reserved: []
 

roles/custom/matrix-bot-postmoogle/templates/env.j2

@@ -1,5 +1,6 @@
 POSTMOOGLE_LOGIN={{ matrix_bot_postmoogle_login }}
 POSTMOOGLE_PASSWORD={{ matrix_bot_postmoogle_password }}
+POSTMOOGLE_SHAREDSECRET={{ matrix_bot_postmoogle_sharedsecret }}
 POSTMOOGLE_HOMESERVER={{ matrix_bot_postmoogle_homeserver }}
 POSTMOOGLE_DOMAINS={{ matrix_bot_postmoogle_domains | join(' ') }}
 POSTMOOGLE_PORT={{ matrix_bot_postmoogle_port }}
@@ -8,7 +9,6 @@ POSTMOOGLE_DB_DIALECT={{ matrix_bot_postmoogle_database_dialect }}
 POSTMOOGLE_PREFIX={{ matrix_bot_postmoogle_prefix }}
 POSTMOOGLE_MAXSIZE={{ matrix_bot_postmoogle_maxsize }}
 POSTMOOGLE_LOGLEVEL={{ matrix_bot_postmoogle_loglevel }}
-POSTMOOGLE_NOENCRYPTION={{ matrix_bot_postmoogle_noencryption }}
 POSTMOOGLE_ADMINS={{ matrix_bot_postmoogle_admins | join(' ') }}
 POSTMOOGLE_TLS_PORT={{ matrix_bot_postmoogle_tls_port }}
 POSTMOOGLE_TLS_CERT={{ matrix_bot_postmoogle_tls_cert }}
@@ -16,10 +16,15 @@ POSTMOOGLE_TLS_KEY={{ matrix_bot_postmoogle_tls_key }}
 POSTMOOGLE_TLS_REQUIRED={{ matrix_bot_postmoogle_tls_required }}
 POSTMOOGLE_DATA_SECRET={{ matrix_bot_postmoogle_data_secret }}
 POSTMOOGLE_PROXIES={{ matrix_bot_postmoogle_proxies | join(' ') }}
+POSTMOOGLE_RELAY_HOST={{ matrix_bot_postmoogle_relay_host }}
+POSTMOOGLE_RELAY_PORT={{ matrix_bot_postmoogle_relay_port }}
+POSTMOOGLE_RELAY_USERNAME={{ matrix_bot_postmoogle_relay_username }}
+POSTMOOGLE_RELAY_PASSWORD={{ matrix_bot_postmoogle_relay_password }}
 POSTMOOGLE_MONITORING_SENTRY_DSN={{ matrix_bot_postmoogle_monitoring_sentry_dsn }}
 POSTMOOGLE_MONITORING_SENTRY_RATE={{ matrix_bot_postmoogle_monitoring_sentry_rate }}
 POSTMOOGLE_MONITORING_HEALTHCHECKS_UUID={{ matrix_bot_postmoogle_monitoring_healthchecks_uuid }}
 POSTMOOGLE_MONITORING_HEALTHCHECKS_DURATION={{ matrix_bot_postmoogle_monitoring_healthchecks_duration }}
+POSTMOOGLE_MAILBOXES_FORWARDED={{ matrix_bot_postmoogle_mailboxes_forwarded | join(' ') }}
 POSTMOOGLE_MAILBOXES_RESERVED={{ matrix_bot_postmoogle_mailboxes_reserved | join(' ') }}
 POSTMOOGLE_MAILBOXES_ACTIVATION={{ matrix_bot_postmoogle_mailboxes_activation }}
 

roles/custom/matrix-bridge-heisenbridge/defaults/main.yml

@@ -30,7 +30,15 @@ matrix_heisenbridge_homeserver_url: "{{ matrix_homeserver_container_url }}"
 matrix_heisenbridge_appservice_token: ''
 matrix_heisenbridge_homeserver_token: ''
 
-# Default registration file
+matrix_heisenbridge_config_media_url: "{{ matrix_homeserver_url }}"
+matrix_heisenbridge_config_displayname: "Heisenbridge"
+
+matrix_heisenbridge_registration_yaml_heisenbridge:
+  media_url: "{{ matrix_heisenbridge_config_media_url }}"
+  displayname: "{{ matrix_heisenbridge_config_displayname }}"
+
+# Default registration file consumed by both the homeserver and Heisenbridge.
+# Besides registration information, it contains configuration (see the heisenbridge key).
 matrix_heisenbridge_registration_yaml:
   id: heisenbridge
   url: http://matrix-heisenbridge:9898
@@ -44,5 +52,6 @@ matrix_heisenbridge_registration_yaml:
         exclusive: true
     aliases: []
     rooms: []
+  heisenbridge: "{{ matrix_heisenbridge_registration_yaml_heisenbridge }}"
 
 matrix_heisenbridge_registration: "{{ matrix_heisenbridge_registration_yaml | from_yaml }}"

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_hookshot_container_image_self_build: false
 matrix_hookshot_container_image_self_build_repo: "https://github.com/matrix-org/matrix-hookshot.git"
 matrix_hookshot_container_image_self_build_branch: "{{ 'main' if matrix_hookshot_version == 'latest' else matrix_hookshot_version }}"
 
-matrix_hookshot_version: 4.4.1
+matrix_hookshot_version: 4.5.1
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_name_prefix }}halfshot/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_name_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_container_global_registry_prefix }}"

roles/custom/matrix-bridge-mautrix-googlechat/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_mautrix_googlechat_container_image_self_build: false
 matrix_mautrix_googlechat_container_image_self_build_repo: "https://github.com/mautrix/googlechat.git"
 matrix_mautrix_googlechat_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_googlechat_version == 'latest' else matrix_mautrix_googlechat_version }}"
 
-matrix_mautrix_googlechat_version: v0.5.0
+matrix_mautrix_googlechat_version: v0.5.1
 # See: https://mau.dev/mautrix/googlechat/container_registry
 matrix_mautrix_googlechat_docker_image: "{{ matrix_mautrix_googlechat_docker_image_name_prefix }}mautrix/googlechat:{{ matrix_mautrix_googlechat_version }}"
 matrix_mautrix_googlechat_docker_image_name_prefix: "{{ 'localhost/' if matrix_mautrix_googlechat_container_image_self_build else 'dock.mau.dev/' }}"

roles/custom/matrix-bridge-mautrix-wsproxy/tasks/setup_install.yml

@@ -14,6 +14,18 @@
 - ansible.builtin.set_fact:
     matrix_mautrix_wsproxy_syncproxy_requires_restart: false
 
+- name: Ensure Mautrix wsproxy paths exist
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_groupname }}"
+  with_items:
+    - path: "{{ matrix_mautrix_wsproxy_base_path }}"
+      when: true
+  when: item.when | bool
+
 - name: Ensure Mautrix wsproxy support files installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/{{ item }}.j2"

roles/custom/matrix-client-element/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/vecto
 # - https://github.com/vector-im/element-web/issues/19544
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
 
-matrix_client_element_version: v1.11.43
+matrix_client_element_version: v1.11.45
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_name_prefix }}vectorim/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_name_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_client_element_docker_image_force_pull: "{{ matrix_client_element_docker_image.endswith(':latest') }}"

roles/custom/matrix-coturn/defaults/main.yml

@@ -8,7 +8,7 @@ matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 
-matrix_coturn_version: 4.6.2-r4
+matrix_coturn_version: 4.6.2-r5
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_name_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_name_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_container_global_registry_prefix }}"
 matrix_coturn_docker_image_force_pull: "{{ matrix_coturn_docker_image.endswith(':latest') }}"

roles/custom/matrix-dendrite/defaults/main.yml

@@ -10,7 +10,7 @@ matrix_dendrite_container_image_self_build_repo: "https://github.com/matrix-org/
 matrix_dendrite_docker_image_path: "matrixdotorg/dendrite-monolith"
 matrix_dendrite_docker_image: "{{ matrix_dendrite_docker_image_name_prefix }}{{ matrix_dendrite_docker_image_path }}:{{ matrix_dendrite_docker_image_tag }}"
 matrix_dendrite_docker_image_name_prefix: "{{ 'localhost/' if matrix_dendrite_container_image_self_build else matrix_container_global_registry_prefix }}"
-matrix_dendrite_docker_image_tag: "v0.13.2"
+matrix_dendrite_docker_image_tag: "v0.13.3"
 matrix_dendrite_docker_image_force_pull: "{{ matrix_dendrite_docker_image.endswith(':latest') }}"
 
 matrix_dendrite_base_path: "{{ matrix_base_data_path }}/dendrite"

roles/custom/matrix-dynamic-dns/defaults/main.yml

@@ -7,7 +7,7 @@ matrix_dynamic_dns_enabled: true
 # The dynamic dns daemon interval
 matrix_dynamic_dns_daemon_interval: '300'
 
-matrix_dynamic_dns_version: v3.10.0-ls131
+matrix_dynamic_dns_version: v3.10.0-ls135
 
 # The docker container to use when in mode
 matrix_dynamic_dns_docker_image: "{{ matrix_dynamic_dns_docker_image_name_prefix }}linuxserver/ddclient:{{ matrix_dynamic_dns_version }}"

roles/custom/matrix-ldap-registration-proxy/tasks/setup_uninstall.yml

@@ -9,7 +9,7 @@
   block:
     - name: Ensure matrix-matrix_ldap_registration_proxy is stopped
       ansible.builtin.service:
-        name: matrix-matrix_ldap_registration_proxy
+        name: matrix-ldap-registration-proxy
         state: stopped
         enabled: false
         daemon_reload: true

roles/custom/matrix-sliding-sync/defaults/main.yml

@@ -77,7 +77,7 @@ matrix_sliding_sync_systemd_required_services_list: ["docker.service"]
 matrix_sliding_sync_systemd_wanted_services_list: []
 
 # Controls the SYNCV3_SERVER environment variable
-matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_url }}"
+matrix_sliding_sync_environment_variable_syncv3_server: "{{ matrix_homeserver_container_url }}"
 
 # Controls the SYNCV3_SECRET environment variable
 matrix_sliding_sync_environment_variable_syncv3_secret: ''

roles/custom/matrix-synapse/defaults/main.yml

@@ -4,7 +4,7 @@
 
 matrix_synapse_enabled: true
 
-matrix_synapse_version: v1.92.3
+matrix_synapse_version: v1.93.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -425,6 +425,11 @@ matrix_synapse_federation_port_openid_resource_required: false
 # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
 matrix_synapse_federation_domain_whitelist: ~
 
+# Enable/disable OpenID Connect
+matrix_synapse_oidc_enabled: false
+# List of OpenID Connect providers, ref: https://matrix-org.github.io/synapse/latest/openid.html#sample-configs
+matrix_synapse_oidc_providers: []
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
@@ -1005,6 +1010,11 @@ matrix_synapse_trusted_key_servers:
 
 matrix_synapse_redaction_retention_period: 7d
 
+# Controls how long to keep locally forgotten rooms before purging them from the DB.
+# Defaults to `null`, meaning it's disabled.
+# Example value: 28d
+matrix_synapse_forgotten_room_retention_period: ~
+
 matrix_synapse_user_ips_max_age: 28d
 
 

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -509,7 +509,12 @@ limit_remote_rooms:
 #
 #redaction_retention_period: 28d
 
-redaction_retention_period: {{ matrix_synapse_redaction_retention_period }}
+redaction_retention_period: {{ matrix_synapse_redaction_retention_period | to_json }}
+
+# How long to keep locally forgotten rooms before purging them from the DB.
+#
+#forgotten_room_retention_period: 28d
+forgotten_room_retention_period: {{ matrix_synapse_forgotten_room_retention_period | to_json }}
 
 # How long to track users' last seen time and IPs in the database.
 #
@@ -517,7 +522,7 @@ redaction_retention_period: {{ matrix_synapse_redaction_retention_period }}
 #
 #user_ips_max_age: 14d
 
-user_ips_max_age: {{ matrix_synapse_user_ips_max_age }}
+user_ips_max_age: {{ matrix_synapse_user_ips_max_age | to_json }}
 
 # Inhibits the /requestToken endpoints from returning an error that might leak
 # information about whether an e-mail address is in use or not on this
@@ -2086,9 +2091,9 @@ saml2_config:
 # use 'oidc' for the idp_id to ensure that existing users continue to be
 # recognised.)
 #
-oidc_providers:
+{% if matrix_synapse_oidc_enabled and matrix_synapse_oidc_providers | length > 0 %}
   # Generic example
-  #
+  #matrix_synapse_oidc_providers:
   #- idp_id: my_idp
   #  idp_name: "My OpenID provider"
   #  idp_icon: "mxc://example.com/mediaid"
@@ -2112,6 +2117,9 @@ oidc_providers:
   #  attribute_requirements:
   #    - attribute: userGroup
   #      value: "synapseUsers"
+oidc_providers:
+  {{ matrix_synapse_oidc_providers|to_nice_yaml(indent=2, width=999999) }}
+{% endif %}
 
 
 # Enable Central Authentication Service (CAS) for registration and login.

roles/custom/matrix-user-creator/tasks/main.yml

@@ -5,6 +5,7 @@
     # If it did, the initial installation (`--tags=setup-all`) would also potentially polute the database with data,
     # which would make importing a database dump problematic.
     - ensure-matrix-users-created
+    - ensure-users-created
   block:
     - when: matrix_user_creator_users | length > 0
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/setup.yml"

setup.yml

@@ -15,6 +15,7 @@
       role: galaxy/geerlingguy.docker
       vars:
         docker_install_compose: false
+        docker_install_compose_plugin: false
       tags:
         - setup-docker
         - setup-all