Slavi Pantaleev
1dac2b5c14
matrix-bridge-hookshot: normalize generated passkey ownership
Similar to c6d33b819. See https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
2026-03-16 16:50:40 +02:00
Slavi Pantaleev
c6d33b819a
matrix-authentication-service: normalize generated key ownership
Fix host-generated MAS key ownership and mode after creation so installs recover cleanly when become_user is not honored. Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
2026-03-16 16:49:51 +02:00
renovate[bot]
7e0d86d2ea
chore(deps): update ghcr.io/etkecc/postmoogle docker tag to v0.9.29
2026-03-16 11:27:51 +02:00
Slavi Pantaleev
5df7e678f7
matrix-synapse: add an explicit msc4306 feature toggle
Expose Synapse's `msc4306_enabled` experimental flag as a first-class MDAD
variable and wire it into `homeserver.yaml` alongside the other experimental
feature toggles.
This makes thread-subscriptions support explicit in playbook configuration,
rather than requiring operators to inject the upstream flag via raw
`matrix_synapse_configuration_extension_yaml`.
The variable intentionally controls only the Synapse feature flag. It does not
change the default `thread_subscriptions` worker count, which remains `0` in the
standard presets. Keeping those as separate choices avoids auto-starting an
experimental worker just because the upstream feature toggle is enabled.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/config/experimental.py#L600-L602
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/versions.py#L183-L184
2026-03-15 01:26:53 +02:00
Slavi Pantaleev
9af79ce4d2
matrix-synapse: support thread_subscriptions stream writers
Add `thread_subscriptions` as a supported web-facing stream writer in MDAD and
route its unstable client endpoints via the same explicit writer-or-main model
used for the other web-facing stream-backed APIs.
This is not just another generic worker route. Current Synapse gives thread
subscriptions their own `writers.thread_subscriptions` configuration, backs them
with a multi-writer stream, and asserts on store writes that the current
instance is an allowed thread-subscriptions writer.
Explicit early routing is also required here because the subscription endpoint is
room-scoped. In MDAD's specialized-worker model, the existing room-worker regex
would otherwise match `/_matrix/client/unstable/io.element.msc4306/rooms/...`
and steal the request before it reached the correct writer-or-main fallback.
Unlike `device_lists`, support is added without enabling a thread-subscriptions
worker by default in the standard presets. The underlying MSC4306/4308 feature
remains unstable and disabled by default upstream, so the conservative default
is to keep the worker count at `0` and let the new explicit routes fall back to
`main` unless an operator opts in.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/config/workers.py#L175-L182
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/storage/databases/main/thread_subscriptions.py#L66-L83
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/storage/databases/main/thread_subscriptions.py#L192-L322
2026-03-15 01:16:24 +02:00
Slavi Pantaleev
0f687a69c5
matrix-synapse: simplify redundant SSO main-override regexes
MDAD keeps `/_synapse/client/*` out of the broad worker-routing model.
Those paths are mounted by current Synapse on client-serving workers, but MDAD's
worker route buckets only match `/_matrix/client/*`, so `/_synapse/client/*`
requests already fall through to the main-process default.
That made the `/_synapse/client/*` branches in the dedicated SSO override regex
redundant. Remove those branches and leave the explicit SSO override focused on
the real `/_matrix/client/.../login/sso/redirect` path family, which would
otherwise be caught by the broad `/login` client-reader routing.
This also removes duplicated ownership of `login/sso/redirect` from the generic
main-override regex so the dedicated SSO override is the single place that
models that path.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/app/generic_worker.py#L197-L203
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/synapse/client/__init__.py#L39-L90
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/login.py#L636-L643
2026-03-15 01:02:19 +02:00
Slavi Pantaleev
ec36904671
matrix-synapse: route MSC3814 dehydrated-device APIs to workers
Add the unstable MSC3814 dehydrated-device endpoints to both MDAD
worker-routing models:
- the specialized client_reader bucket
- the broad generic_worker route list
This is not a docs-driven change. Current workers.md does not meaningfully
spell out these paths, but the current Synapse code does mount them via the
normal devices servlet registration path, and non-main client workers do not
skip that servlet group.
That makes these endpoints a good fit for the same worker buckets that already
handle the surrounding device- and E2EE-related client APIs.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L256-L459
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L81-L129
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L179-L197
2026-03-15 00:39:25 +02:00
Slavi Pantaleev
69df322f40
matrix-synapse: split client_reader routes into grouped regexes
The client_reader route bucket had collapsed into one long alternation,
which made small worker-audit edits hard to review. Any endpoint change
rewrote the whole regex and obscured whether we were changing routing
policy or just maintaining the route list.
Refactor the variable into grouped regex entries with comments instead.
This keeps the current specialized-worker policy intact: nginx still
renders the client_reader locations in the same block, and the routes
still target the same upstream bucket. The goal here is to make future
doc/code audits, additions, and removals mechanical and reviewable.
This also matches MDAD's current worker model, where generic workers are
not mixed with the specialized room/sync/client/federation reader
routing buckets, so there is no need to derive this from the generic
worker map.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#historical-apps
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
2026-03-15 00:29:32 +02:00
Slavi Pantaleev
c0044a9b0a
matrix-synapse: route MatrixRTC transport discovery to workers
Current Synapse registers the MatrixRTC transport discovery endpoint on
client-serving workers when MSC4143 is enabled, but MDAD does not model
that path in either its client-reader bucket or its broader generic-
worker endpoint list.
Add the unstable MatrixRTC transport discovery route so MDAD's worker
routing matches the current upstream worker surface for this endpoint.
This is a small, isolated routing addition for a simple authenticated
GET endpoint.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/matrixrtc.py#L30-L52
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L81-L129
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/__init__.py#L179-L197
2026-03-15 00:11:58 +02:00
Slavi Pantaleev
63a0e8216b
matrix-synapse: route account deactivation like current Synapse
Current Synapse still documents and registers
`/_matrix/client/.../account/deactivate` on client-serving workers when
auth is not delegated. MDAD already routes neighboring account endpoints
such as `account/3pid` and `account/whoami`, but it omitted
`account/deactivate` from both its client-reader bucket and its broader
generic-worker endpoint list.
Add the missing route patterns so MDAD's worker routing matches the
current upstream worker surface in non-delegated-auth deployments. In
MAS / MSC3861 mode the endpoint is not registered upstream anyway, so
this does not expand the effective delegated-auth surface.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/account.py#L284-L324
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/account.py#L913-L920
2026-03-14 23:49:20 +02:00
Slavi Pantaleev
975f14d2d8
matrix-synapse: route the current Nheko summary endpoint
Synapse currently supports both the deprecated
`/_matrix/client/unstable/im.nheko.summary/rooms/<room>/summary`
route and the recommended
`/_matrix/client/unstable/im.nheko.summary/summary/<room>`
form. MDAD only matched the deprecated shape.
Add the recommended pattern alongside the old one so worker routing
matches the current upstream API surface while preserving backward
compatibility for the deprecated path.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#synapseappgeneric_worker
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/room.py#L1716-L1728
2026-03-14 23:32:10 +02:00
Slavi Pantaleev
d80ef72fbe
matrix-synapse: remove stale client-reader residue and refresh worker comment
Current Synapse no longer exposes device management under
`/_matrix/client/.../account/devices`. The live client API shape is
`/devices`, `/devices/{device_id}`, and `/delete_devices`, and
MDAD already routes those real device-list-sensitive endpoints through
explicit device-list handling.
Keeping `account/devices` in the old client-reader regex therefore only
preserves stale route-model residue. While touching the same area,
refresh the `/_synapse/client/*` comment to reflect current Synapse:
client-serving generic workers now mount a meaningful Synapse-specific
client tree there, but MDAD still intentionally keeps those paths out of
its broad worker regexes because they are deployment-sensitive and
auth-sensitive.
Refs:
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/docs/workers.md#historical-apps
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L49-L150
- https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/synapse/client/__init__.py#L39-L88
2026-03-14 23:31:51 +02:00
Slavi Pantaleev
dfe8628fbf
matrix-synapse: add routing-focused reverse-proxy access log preset
2026-03-14 02:56:48 +02:00
Slavi Pantaleev
a3ff72ebff
matrix-synapse: enable push_rules writer in worker presets
2026-03-14 01:50:07 +02:00
Slavi Pantaleev
df76b1cd5b
matrix-synapse: enable device_lists writer in worker presets
2026-03-14 01:49:45 +02:00
Slavi Pantaleev
dafac35a0e
matrix-synapse: route stream-backed client endpoints explicitly and add device_lists stream writer support
Some client API endpoints (e.g. keys/upload) are backed by Synapse stream writers and
should not rely on broad worker regexes or route-order fallthrough for correctness.
When explicit per-stream routing is missing, requests may be captured by generic, room, or client_reader workers, instead of:
- going to the configured stream writer
- or to `main` when that stream writer is not enabled
This refactors synapse-reverse-proxy-companion's routing so that web-facing stream-backed endpoint families
are handled explicitly and early, with deterministic writer-or-main fallback.
Add first-class support for the missing `device_lists` stream writer,
generalize the same routing model to `push_rules`,
and remove stale broad-route ownership for device-list-sensitive endpoints.
2026-03-14 01:42:08 +02:00
Suguru Hirahara
f9fa63fc7e
Add noqa var-naming to matrix_client_fluffychat_config_defaultHomeserver
Signed-off-by: Suguru Hirahara <did:key:z6MkvVZk1A3KBApWJXv2Ju4H14ErDfRGxh8zxdXSZ4vACDg5>
2026-03-12 14:48:43 +09:00
renovate[bot]
79a4156a78
chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.149.1
2026-03-11 12:26:30 +02:00
renovate[bot]
d12970c0fd
chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.3.11
2026-03-11 12:19:32 +02:00
Slavi Pantaleev
d4e8da3e0a
Bump default OpenAI text-generation model (gpt-5.2 -> gpt-5.4)
2026-03-11 10:05:46 +02:00
renovate[bot]
0320e671e3
chore(deps): update nginx docker tag to v1.29.6
2026-03-11 01:47:55 +02:00
renovate[bot]
4e3658bb98
chore(deps): update ghcr.io/element-hq/synapse docker tag to v1.149.0
2026-03-10 22:43:44 +02:00
renovate[bot]
94beb79279
chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.12
2026-03-10 22:06:25 +02:00
Aine
12d8015bc4
optional postgres unix socket with synapse
2026-03-10 17:38:16 +00:00
renovate[bot]
1898bb5c49
chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.13.0
2026-03-10 15:08:40 +02:00
renovate[bot]
81b944540b
chore(deps): update matrixdotorg/mjolnir docker tag to v1.12.1
2026-03-10 07:38:57 +02:00
Benjamin Blacher
df5b84588b
Add support for sticky events (experimental)
2026-03-09 15:51:38 +02:00
Slavi Pantaleev
6b6b74afa9
matrix-synapse-admin: fail when enabled with non-Synapse homeserver
2026-03-08 15:26:21 +02:00
Aine
f803ad6957
Synapse Admin v0.11.4-etke54
2026-03-08 12:39:11 +00:00
Aine
82caf3a7d3
improve synapse redis socket mounting
2026-03-08 09:56:26 +00:00
Aine
45d5ebd008
fix comments
2026-03-08 08:09:17 +00:00
Aine
0c40a03efc
allow synapse to use redis unix socket instead of tcp
2026-03-08 07:24:33 +00:00
Slavi Pantaleev
df205a2f77
Upgrade baibot (v1.14.3 -> v1.15.0) and adapt to support optional access-token auth mode
Ref:
- https://github.com/etkecc/baibot/pull/83
- https://github.com/etkecc/baibot/blob/748d2b7fd4ab7bbd53cde1400935d634dc13ea38/CHANGELOG.md#2026-03-07-version-1150
- https://github.com/etkecc/baibot/blob/748d2b7fd4ab7bbd53cde1400935d634dc13ea38/docs/configuration/authentication.md
2026-03-07 12:43:48 +02:00
mikhail.sarnov
1ee5c1f416
feat(synapse): add ca_certs_file support for LDAP TLS
Add matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file
variable to allow specifying a custom CA certificate file for LDAP TLS
verification. Useful when Synapse is running in a container that does not
trust a private/internal CA by default.
Example usage:
matrix_synapse_ext_password_provider_ldap_tls_options_ca_certs_file: /etc/ssl/certs/my-ca.crt
2026-03-05 14:06:52 +02:00
renovate[bot]
c9bb48ff11
chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.3.4
2026-03-04 12:11:43 +02:00
renovate[bot]
af237ac9c7
chore(deps): update forgejo.ellis.link/continuwuation/continuwuity docker tag to v0.5.6
2026-03-04 07:37:15 +02:00
D4GU
f5b722b13d
Add commet webclient support (#4997)
2026-03-03 17:39:01 +02:00
tripleawwy
58bf4fe34b
fix: conditionally include m.identity_server in Element Web config.json
When no identity server is configured, `matrix_client_element_default_is_url`
defaults to `~` (YAML null). The `| string | to_json` filter chain converts
this to the literal string `"None"`, causing Element Web to log errors:
- TypeError: URL constructor: None is not a valid URL
- Invalid base_url for m.identity_server
The well-known template (`.well-known/matrix/client.j2`) already handles
this correctly with a conditional guard (see PR #314). This applies the
same pattern to the Element Web `config.json.j2` template.
2026-03-03 12:50:52 +02:00
Slavi Pantaleev
d5ffc94916
Add support for the Sable client (Cinny fork)
2026-03-03 12:48:59 +02:00
renovate[bot]
768fdbbde3
chore(deps): update dock.mau.dev/mautrix/signal docker tag to v26.02.2
2026-03-02 19:57:16 +02:00
parisni
90bcb1f4ee
feat: prune empty dir when migrate to s3 storage
OTW many empty dirs are kept
2026-03-01 01:04:22 +02:00
parisni
0620d6a822
fix: make matrix_synapse_ext_synapse_s3_storage_provider_config_prefix be used
2026-03-01 00:48:59 +02:00
renovate[bot]
3564155a73
chore(deps): update dock.mau.dev/mautrix/signal docker tag to v26
2026-02-27 23:13:05 +02:00
Slavi Pantaleev
a949605518
Remove duplicate "Project source code URL" from roles/custom/matrix-synapse/defaults/main.yml
This was causing issues when it's parsed out by certain tools.
Regression since 28afbde971
2026-02-26 12:40:45 +02:00
Slavi Pantaleev
28afbde971
Merge Synapse reverse-proxy companion role into matrix-synapse
The companion role was tightly coupled to Synapse through shared tags, worker routing, and lifecycle ordering. Keeping them separate added coordination overhead without practical benefits, especially for parallelized execution.
This merges the role into matrix-synapse while keeping companion logic organized under dedicated reverse_proxy_companion task/template subdirectories.
Compatibility is preserved:
- matrix_synapse_reverse_proxy_companion_* variable names remain unchanged
- install/setup companion-specific tags remain available
Cross-role/global wiring is now in group_vars (matrix-synapse section), while role defaults provide sensible standalone defaults and self-wiring for Synapse-owned values.
2026-02-26 06:51:47 +02:00
renovate[bot]
da86297655
chore(deps): update docker.io/metio/matrix-alertmanager-receiver docker tag to v2026.2.25
2026-02-25 09:57:48 +02:00
renovate[bot]
8c6c544c90
chore(deps): update matrixdotorg/mjolnir docker tag to v1.12.0
2026-02-24 22:57:33 +02:00
renovate[bot]
b98a6d39c9
chore(deps): update ghcr.io/element-hq/element-call docker tag to v0.17.0
2026-02-24 22:55:31 +02:00
renovate[bot]
93c6587b9d
chore(deps): update ghcr.io/element-hq/element-web docker tag to v1.12.11
2026-02-24 16:54:10 +02:00
renovate[bot]
f187cf84d5
chore(deps): update ghcr.io/element-hq/matrix-authentication-service docker tag to v1.12.0
2026-02-24 16:52:38 +02:00