chore(deps): update dependency sable to v1.13.1-0

Avoid reopening a transition window where Synapse can accept new registrations or other auth changes
after syn2mas completes but before the MAS cutover is finalized.

Inspired by and continuing the work done in: https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/5097

docs/configuring-playbook-matrix-authentication-service.md

@@ -398,6 +398,8 @@ To perform a real migration, run the `matrix-authentication-service-mas-cli-syn2
 just run-tags matrix-authentication-service-mas-cli-syn2mas
 ```
 
+After `syn2mas` completes, Synapse will intentionally remain stopped to avoid new registrations or other authentication changes from being accepted before the migration is completed. Continue with the next steps in this guide before re-running the installation.
+
 Having performed a `syn2mas` migration once, trying to do it again will report errors (e.g. "Error: The MAS database is not empty: rows found in at least `users`. Please drop and recreate the database, then try again.").
 
 ## Verify that Matrix Authentication Service is installed correctly

i18n/requirements.txt

@@ -14,7 +14,7 @@ mdit-py-plugins==0.5.0
 mdurl==0.1.2
 myst-parser==5.0.0
 packaging==26.0
-Pygments==2.19.2
+Pygments==2.20.0
 PyYAML==6.0.3
 requests==2.33.0
 setuptools==82.0.1

requirements.yml

@@ -39,13 +39,13 @@
   version: v0.5.1-2
   name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10741-2
+  version: v10888-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.12-1
+  version: v1.10.1-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.20.0-0
+  version: v2.21.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: ea8c5cc750c4e23d004c9a836dfd9eda82d45ff4
@@ -75,7 +75,7 @@
   version: v0.19.1-3
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.6.0-3
+  version: v1.13.1-0
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0

roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml

@@ -110,11 +110,17 @@
   ansible.builtin.debug:
     var: matrix_authentication_service_mas_cli_syn2mas_command_result
 
-- name: Ensure Synapse is started (if it previously was)
+- name: Inject syn2mas post-migration note
   when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_cli_syn2mas_command_result.changed"
-  ansible.builtin.service:
-    name: matrix-synapse
-    state: started
+  ansible.builtin.set_fact:
+    devture_playbook_runtime_messages_list: |
+      {{
+        devture_playbook_runtime_messages_list | default([])
+        +
+        [
+          "Synapse was intentionally not restarted after `syn2mas`. Continue with the next steps in the Matrix Authentication Service migration guide before re-running the installation."
+        ]
+      }}
 
 - name: Ensure Matrix Authentication Service is started (if it previously was)
   when: "not matrix_authentication_service_syn2mas_migrate_dry_run and matrix_authentication_service_mas_ensure_stopped_result.changed"

roles/custom/matrix-cactus-comments-client/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.41.0
+matrix_cactus_comments_client_version: 2.42.0
 
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.4.1
+matrix_client_fluffychat_version: v2.5.1
 matrix_client_fluffychat_container_image: "{{ matrix_client_fluffychat_container_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_container_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_container_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -199,6 +199,12 @@ matrix_continuwuity_config_ignore_messages_from_server_names: []
 # Controls the `url_preview_domain_contains_allowlist` setting.
 matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
 
+# Controls the `url_preview_domain_explicit_allowlist` setting.
+matrix_continuwuity_config_url_preview_domain_explicit_allowlist: []
+
+# Controls the `url_preview_check_root_domain` setting.
+matrix_continuwuity_config_url_preview_check_root_domain: false
+
 # Additional environment variables to pass to the container.
 #
 # Environment variables take priority over settings in the configuration file.

roles/custom/matrix-continuwuity/templates/continuwuity.toml.j2

@@ -1319,7 +1319,7 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_config_url_previe
 # attack surface to your server, you are expected to be aware of the risks
 # by doing so.
 #
-#url_preview_domain_explicit_allowlist = []
+url_preview_domain_explicit_allowlist = {{ matrix_continuwuity_config_url_preview_domain_explicit_allowlist | to_json }}
 
 # Vector list of explicit domains not allowed to send requests to for URL
 # previews.
@@ -1359,7 +1359,7 @@ url_preview_domain_contains_allowlist = {{ matrix_continuwuity_config_url_previe
 # allowlist is still too broad for you but you still want to allow all the
 # subdomains under a root domain.
 #
-#url_preview_check_root_domain = false
+url_preview_check_root_domain = {{ matrix_continuwuity_config_url_preview_check_root_domain | to_json }}
 
 # List of forbidden room aliases and room IDs as strings of regex
 # patterns.

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.4.1
+matrix_livekit_jwt_service_version: 0.4.2
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"

roles/custom/matrix-static-files/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.41.0
+matrix_static_files_version: 2.42.0
 
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"

roles/custom/matrix-synapse/tasks/validate_config.yml

@@ -210,7 +210,7 @@
 - name: Fail if OpenID Connect is enabled for Synapse when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:
     msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it doesn't make sense to enable OpenID Connect (`matrix_synapse_oidc_enabled: true`), because it is not Synapse that is handling authentication. Synapse will refuse to start otherwise."
-  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled
+  when: matrix_synapse_matrix_authentication_service_enabled and matrix_synapse_oidc_enabled and not matrix_authentication_service_migration_in_progress
 
 - name: Fail if CAS config is enabled for Synapse when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -2987,7 +2987,7 @@ background_updates:
     #default_batch_size: 50
 
 
-{% if matrix_synapse_matrix_authentication_service_enabled %}
+{% if matrix_synapse_matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress %}
 matrix_authentication_service:
   enabled: true
   endpoint: {{ matrix_synapse_matrix_authentication_service_endpoint | to_json }}