chore(deps): update matrixdotorg/sygnal docker tag to v0.17.0

Relates to 904a98d56c.

Signed-off-by: The one with the braid <info@braid.business>

.github/workflows/matrix.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Run yamllint
         uses: frenck/action-yamllint@v1.5.0
   ansible-lint:
@@ -23,10 +23,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v25.11.0
+        uses: ansible/ansible-lint@v25.12.0
         with:
           args: "roles/custom"
           setup_python: "true"
@@ -37,6 +37,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       - name: Run pre-commit
         uses: pre-commit/action@v3.0.1

CHANGELOG.md

@@ -1,3 +1,19 @@
+# 2025-12-09
+
+## Traefik Cert Dumper upgrade
+
+The variable `traefik_certs_dumper_ssl_dir_path` was renamed to `traefik_certs_dumper_ssl_path`. Users who use [their own webserver with Traefik](docs/configuring-playbook-own-webserver.md) may need to adjust their configuration.
+
+The variable `traefik_certs_dumper_dumped_certificates_dir_path` was renamed to `traefik_certs_dumper_dumped_certificates_path`. Users who use [SRV Server Delegation](docs/howto-srv-server-delegation.md) may need to adjust their configuration.
+
+# 2025-11-23
+
+## Matrix.to support
+
+The playbook now supports [Matrix.to](https://github.com/matrix-org/matrix.to) — a simple URL redirection service which powers [matrix.to](https://matrix.to).
+
+To learn more, see our [Setting up Matrix.to](docs/configuring-playbook-matrixto.md) documentation page.
+
 # 2025-11-09
 
 ## matrix-appservice-webhooks has been removed from the playbook

README.md

@@ -179,6 +179,7 @@ Various services that don't fit any other categories.
 | [synapse_auto_accept_invite](https://github.com/matrix-org/synapse-auto-accept-invite) | ❌ | Synapse module to automatically accept invites | [Link](docs/configuring-playbook-synapse-auto-accept-invite.md) |
 | [synapse_auto_compressor](https://github.com/matrix-org/rust-synapse-compress-state/#automated-tool-synapse_auto_compressor) | ❌ | Cli tool that automatically compresses `state_groups` database table in background | [Link](docs/configuring-playbook-synapse-auto-compressor.md) |
 | [Matrix Corporal](https://github.com/devture/matrix-corporal) (advanced) | ❌ | Reconciliator and gateway for a managed Matrix server | [Link](docs/configuring-playbook-matrix-corporal.md) |
+| [Matrix.to](https://github.com/matrix-org/matrix.to) | ❌ | Simple URL redirection service for the Matrix ecosystem | [Link](docs/configuring-playbook-matrixto.md) |
 | [Etherpad](https://etherpad.org) | ❌ | Open source collaborative text editor | [Link](docs/configuring-playbook-etherpad.md) |
 | [Jitsi](https://jitsi.org/) | ❌ | Open source video-conferencing platform | [Link](docs/configuring-playbook-jitsi.md) |
 | [Cactus Comments](https://cactus.chat) | ❌ | Federated comment system built on Matrix | [Link](docs/configuring-playbook-cactus-comments.md) |

docs/configuring-playbook-client-fluffychat-web.md

@@ -13,7 +13,7 @@ FluffyChat Web is a cute cross-platform (web, iOS, Android) messenger for Matrix
 
 💡 **Note**: the latest version of FluffyChat Web is also available on the web, hosted by 3rd parties. If you trust giving your credentials to the following 3rd party Single Page Application, you can consider using it from there:
 
-- [fluffychat.im](https://fluffychat.im/web), hosted by the [FluffyChat](https://fluffychat.im/) developers
+- [fluffychat.im](https://fluffychat.im/web), hosted by the [FluffyChat](https://fluffy.chat/) developers
 
 ## Adjusting DNS records
 

docs/configuring-playbook-matrixto.md

@@ -0,0 +1,68 @@
+<!--
+SPDX-FileCopyrightText: 2023 - 2024 Slavi Pantaleev
+SPDX-FileCopyrightText: 2024 - 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+-->
+
+# Setting up Matrix.to (optional)
+
+The playbook can install and configure the [Matrix.to](https://github.com/matrix-org/matrix.to) URL redirection service for you.
+
+See the project's [documentation](https://github.com/matrix-org/matrix.to/blob/main/README.md) to learn what it does and why it might be useful to you.
+
+## Adjusting DNS records
+
+By default, this playbook installs Matrix.to on the `mt.` subdomain (`mt.example.com`) and requires you to create a CNAME record for `mt`, which targets `matrix.example.com`.
+
+When setting, replace `example.com` with your own.
+
+## Adjusting the playbook configuration
+
+To enable Matrix.to, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
+
+```yaml
+matrix_matrixto_enabled: true
+```
+
+### Adjusting the Matrix.to URL (optional)
+
+By tweaking the `matrix_matrixto_hostname` variable, you can easily make the service available at a **different hostname** than the default one.
+
+Example additional configuration for your `vars.yml` file:
+
+```yaml
+# Change the default hostname
+matrix_matrixto_hostname: t.example.com
+```
+
+After changing the domain, **you may need to adjust your DNS** records to point the Matrix.to domain to the Matrix server.
+
+### Extending the configuration
+
+There are some additional things you may wish to configure about the server.
+
+Take a look at:
+
+- `roles/custom/matrix-matrixto/defaults/main.yml` for some variables that you can customize via your `vars.yml` file
+
+## Installing
+
+After configuring the playbook and potentially [adjusting your DNS records](#adjusting-dns-records), run the playbook with [playbook tags](playbook-tags.md) as below:
+
+<!-- NOTE: let this conservative command run (instead of install-all) to make it clear that failure of the command means something is clearly broken. -->
+```sh
+ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,start
+```
+
+The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
+
+`just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed. Note these shortcuts run the `ensure-matrix-users-created` tag too.
+
+## Usage
+
+Refer to the project's [documentation](https://github.com/matrix-org/matrix.to/blob/main/README.md) for available parameters, etc.
+
+## Troubleshooting
+
+As with all other services, you can find the logs in [systemd-journald](https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html) by logging in to the server with SSH and running `journalctl -fu matrix-matrixto`.

docs/configuring-playbook-own-webserver.md

@@ -51,7 +51,7 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
 # Adjust to point to your Traefik container
 matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container
 
-traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
+traefik_certs_dumper_ssl_path: "/path/to/your/traefiks/acme.json/directory"
 
 # Uncomment and adjust the variable below if the name of your federation entrypoint is different
 # than the default value (matrix-federation).

docs/configuring-playbook.md

@@ -247,6 +247,8 @@ Various services that don't fit any other categories.
 
 - [Setting up Matrix Corporal](configuring-playbook-matrix-corporal.md) (advanced)
 
+- [Setting up Matrix.to](configuring-playbook-matrixto.md)
+
 - [Setting up Etherpad](configuring-playbook-etherpad.md)
 
 - [Setting up the Jitsi video-conferencing platform](configuring-playbook-jitsi.md)

docs/faq.md

@@ -440,6 +440,19 @@ To prevent double-logging, Docker logging is disabled by explicitly passing `--l
 
 See [this section](maintenance-and-troubleshooting.md#how-to-see-the-logs) on the page for maintenance and troubleshooting for more details to see the logs.
 
+### The server fails to start due to the `Unable to start service matrix-coturn.service` error. Why and how to solve it?
+
+The error is most likely because Traefik cannot obtain SSL certificates due to certain reasons such as wrong domain name configuration or port 80 being unavailable due to other services.
+
+If Traefik fails to obtain an SSL certificate for domain names such as `matrix.`, Traefik Certs Dumper cannot extract the SSL certificate out of there, and coturn cannot be started and the error occurs. Refer to these comments for details:
+
+- <https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3957#issuecomment-2599590441>
+- <https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4570#issuecomment-3364111466>
+
+If you are not sure what the problem is, at first make sure that you have set the "base domain" (`example.com`, **not `matrix.example.com`**) to `matrix_domain`. You should be able to find it at the top of your `vars.yml`.
+
+If it is correctly specified, look Traefik's logs (`journalctl -fu matrix-traefik.service`) for errors by Let's Encrypt for troubleshooting.
+
 ## Miscellaneous
 
 ### I would like to see this favorite service of mine integrated and become available on my Matrix server. How can I request it?

docs/howto-srv-server-delegation.md

@@ -112,12 +112,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },
@@ -173,12 +173,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },

group_vars/matrix_servers

@@ -363,6 +363,8 @@ devture_systemd_service_manager_services_list_auto: |
     +
     ([{'name': 'matrix-coturn.service', 'priority': (900 if devture_systemd_service_manager_service_restart_mode == 'clean-stop-start' else 1500), 'groups': ['matrix', 'coturn']}] if matrix_coturn_enabled else [])
     +
+    ([{'name': 'matrix-matrixto.service', 'priority': 4000, 'groups': ['matrix', 'matrixto']}] if matrix_matrixto_enabled else [])
+    +
     ([{'name': 'matrix-rageshake.service', 'priority': 4000, 'groups': ['matrix', 'rageshake']}] if matrix_rageshake_enabled else [])
     +
     ([{'name': 'matrix-coturn-reload.timer', 'priority': 5000, 'groups': ['matrix', 'coturn']}] if (matrix_coturn_enabled and matrix_coturn_tls_enabled) else [])
@@ -2240,8 +2242,8 @@ matrix_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['a
 matrix_postmoogle_ssl_path: |-
   {{
     {
-      'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
-      'other-traefik-container': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
+      'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
+      'other-traefik-container': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
       'none': '',
     }[matrix_playbook_reverse_proxy_type]
   }}
@@ -3077,6 +3079,38 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
 #
 ######################################################################
 
+######################################################################
+#
+# matrix-matrixto
+#
+######################################################################
+
+# We don't enable matrixto by default.
+matrix_matrixto_enabled: false
+
+matrix_matrixto_base_path: "{{ matrix_base_data_path }}/matrixto"
+
+# The container image is not provided at https://github.com/matrix-org/matrix.to
+matrix_matrixto_container_image_self_build: true
+
+matrix_matrixto_hostname: "{{ matrix_server_fqn_matrixto }}"
+
+matrix_matrixto_container_network: matrix-matrixto
+
+matrix_matrixto_container_additional_networks: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
+
+matrix_matrixto_container_http_host_bind_port: "{{ (matrix_playbook_service_host_bind_interface_prefix ~ '5000') if matrix_playbook_service_host_bind_interface_prefix else '' }}"
+
+matrix_matrixto_container_labels_traefik_enabled: "{{ matrix_playbook_traefik_labels_enabled }}"
+matrix_matrixto_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_matrixto_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_matrixto_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
+
+######################################################################
+#
+# /matrix-matrixto
+#
+######################################################################
 
 ######################################################################
 #
@@ -3157,12 +3191,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + matrix_server_fqn_matrix + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_server_fqn_matrix + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + matrix_server_fqn_matrix + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_server_fqn_matrix + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },
@@ -5847,7 +5881,7 @@ traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumpe
 traefik_certs_dumper_uid: "{{ matrix_user_uid }}"
 traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
 
-traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
+traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
 
 traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"
 
@@ -5956,12 +5990,12 @@ livekit_server_container_additional_volumes_auto: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
          'dst': livekit_server_config_turn_cert_file,
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
          'dst': livekit_server_config_turn_key_file,
          'options': 'ro',
        },

i18n/requirements.txt

@@ -2,7 +2,7 @@ alabaster==1.0.0
 babel==2.17.0
 certifi==2025.11.12
 charset-normalizer==3.4.4
-click==8.3.0
+click==8.3.1
 docutils==0.22.3
 idna==3.11
 imagesize==1.4.1
@@ -19,9 +19,9 @@ PyYAML==6.0.3
 requests==2.32.5
 setuptools==80.9.0
 snowballstemmer==3.0.1
-Sphinx==8.2.3
+Sphinx==9.0.4
 sphinx-intl==2.3.2
-sphinx-markdown-builder==0.6.8
+sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.5.0
+urllib3==2.6.1

requirements.yml

@@ -4,19 +4,19 @@
   version: v1.0.0-5
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.2-2.0.11-1
+  version: v1.4.2-2.0.12-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.4.1-2
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.8.0
+  version: 7.9.0
   name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
-  version: 129c8590e106b83e6f4c259649a613c6279e937a
+  version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.5.2-1
+  version: v2.5.2-2
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.98.1-r0-2-2
@@ -25,31 +25,31 @@
   version: v11.6.5-4
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10590-0
+  version: v10655-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.3-0
+  version: v1.9.7-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.14.0-3
+  version: v2.15.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
-  version: 7663e3114513e56f28d3ed762059b445c678a71a
+  version: 8630e4f1749bcb659c412820f754473f09055052
   name: playbook_help
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
   version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
   name: playbook_runtime_messages
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_state_preserver.git
-  version: ff2fd42e1c1a9e28e3312bbd725395f9c2fc7f16
+  version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.1-0
+  version: v18.1-3
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
   version: v18-0
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.7.3-1
+  version: v3.8.0-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
   version: v1.9.1-12
@@ -64,13 +64,13 @@
   version: v1.0.0-4
   name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
-  version: v1.1.0-0
+  version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.1-0
+  version: v3.6.4-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-2
+  version: v2.10.0-3
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
   version: v9-0

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.11.12
+matrix_alertmanager_receiver_version: 2025.11.26
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_appservice_draupnir_for_all_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_appservice_draupnir_for_all_version: "v2.7.1"
+matrix_appservice_draupnir_for_all_version: "v2.8.0"
 
 matrix_appservice_draupnir_for_all_container_image_self_build: false
 matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"

roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml

@@ -13,7 +13,7 @@
   with_items:
     - "matrix_appservice_draupnir_for_all_config_adminRoom"
     - "matrix_bot_draupnir_container_network"
-  when: "vars[item] == '' or vars[item] is none"
+  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
 
 - name: (Deprecation) Catch and report renamed matrix-appservice-draupnir-for-all settings
   ansible.builtin.fail:

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.6.0
+matrix_authentication_service_version: 1.8.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml

@@ -19,7 +19,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_authentication_service_syn2mas_synapse_homeserver_config_path', when: true}
 

roles/custom/matrix-authentication-service/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_authentication_service_hostname', when: true}
     - {'name': 'matrix_authentication_service_config_database_username', when: true}

roles/custom/matrix-base/defaults/main.yml

@@ -148,6 +148,9 @@ matrix_server_fqn_ntfy: "ntfy.{{ matrix_domain }}"
 # This is where you access rageshake.
 matrix_server_fqn_rageshake: "rageshake.{{ matrix_domain }}"
 
+# This is where you access Matrix.to.
+matrix_server_fqn_matrixto: "mt.{{ matrix_domain }}"
+
 matrix_federation_public_port: 8448
 
 # The name of the Traefik entrypoint for handling Matrix Federation
@@ -270,7 +273,7 @@ matrix_metrics_exposure_http_basic_auth_users: ''
 #     - nevertheless, the playbook expects that you would install Traefik yourself via other means
 #     - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
 #     - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
-#     - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_dir_path`)
+#     - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_path`)
 #
 # - `none`
 #     - no reverse-proxy will be installed

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.8.1
+matrix_bot_baibot_version: v1.10.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -204,8 +204,8 @@ matrix_bot_baibot_config_agents_static_definitions_anthropic_config_base_url: ht
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_api_key: ""
 
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_enabled: true
-# For valid model choices, see: https://platform.anthropic.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_model_id: claude-3-7-sonnet-20250219
+# For valid model choices, see: https://docs.claude.com/en/docs/about-claude/models/overview
+matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_model_id: claude-sonnet-4-5-20250929
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_anthropic_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"
@@ -368,7 +368,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.1
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -12,7 +12,7 @@
 matrix_bot_draupnir_enabled: true
 
 # renovate: datasource=docker depName=gnuxie/draupnir
-matrix_bot_draupnir_version: "v2.7.1"
+matrix_bot_draupnir_version: "v2.8.0"
 
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
@@ -101,7 +101,7 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 # Controls if we activate the config block for Pantalaimon for now. Its name will
 # probably be changed for our usecase due to Draupnir's push to scrub Pantalaimon from the codebase.
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
-matrix_bot_draupnir_login_native: ""
+matrix_bot_draupnir_login_native: false
 
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -44,7 +44,7 @@
     - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
     - {'name': 'matrix_bot_draupnir_pantalaimon_username', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
-  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail if Draupnir room hijacking enabled without enabling the Synapse Admin API
   ansible.builtin.fail:
@@ -57,7 +57,7 @@
   with_items:
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
-  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use
   ansible.builtin.fail:

roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml

@@ -10,7 +10,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_bot_matrix_registration_bot_bot_password"
     - "matrix_bot_matrix_registration_bot_api_base_url"

roles/custom/matrix-bot-maubot/defaults/main.yml

@@ -30,7 +30,7 @@ matrix_bot_maubot_docker_repo: "https://mau.dev/maubot/maubot.git"
 matrix_bot_maubot_docker_repo_version: "{{ 'master' if matrix_bot_maubot_version == 'latest' else matrix_bot_maubot_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/maubot/maubot
-matrix_bot_maubot_version: v0.5.2
+matrix_bot_maubot_version: v0.6.0
 matrix_bot_maubot_docker_image: "{{ matrix_bot_maubot_docker_image_registry_prefix }}maubot/maubot:{{ matrix_bot_maubot_version }}"
 matrix_bot_maubot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_bot_maubot_container_image_self_build else matrix_bot_maubot_docker_image_registry_prefix_upstream }}"
 matrix_bot_maubot_docker_image_registry_prefix_upstream: "{{ matrix_bot_maubot_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml

@@ -18,14 +18,14 @@
     - {'name': 'matrix_bot_mjolnir_raw_homeserver_url', when: true}
     - {'name': 'matrix_bot_mjolnir_pantalaimon_username', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_mjolnir_pantalaimon_password', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
-  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail if inappropriate variables are defined
   ansible.builtin.fail:
     msg: "The `{{ item.name }}` variable must be undefined or have a null value."
   with_items:
     - {'name': 'matrix_bot_mjolnir_access_token', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
-  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: (Deprecation) Catch and report renamed Mjolnir settings
   ansible.builtin.fail:

roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml

@@ -51,7 +51,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_appservice_token"
     - "matrix_hookshot_homeserver_address"
@@ -62,7 +62,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable GitHub.
-  when: "matrix_hookshot_github_enabled and vars[item] == ''"
+  when: "matrix_hookshot_github_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_github_auth_id"
     - "matrix_hookshot_github_webhook_secret"
@@ -71,7 +71,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable GitHub OAuth.
-  when: "matrix_hookshot_github_oauth_enabled and vars[item] == ''"
+  when: "matrix_hookshot_github_oauth_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_github_oauth_client_id"
     - "matrix_hookshot_github_oauth_client_secret"
@@ -80,7 +80,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable Jira.
-  when: "matrix_hookshot_jira_enabled and vars[item] == ''"
+  when: "matrix_hookshot_jira_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_jira_webhook_secret"
 
@@ -88,7 +88,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable Jira OAuth.
-  when: "matrix_hookshot_jira_oauth_enabled and vars[item] == ''"
+  when: "matrix_hookshot_jira_oauth_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_jira_oauth_client_id"
     - "matrix_hookshot_jira_oauth_client_secret"

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.2510.0
+matrix_mautrix_gmessages_version: v0.2511.0
 
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"

roles/custom/matrix-bridge-mautrix-meta-instagram/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_instagram_enabled: true
 matrix_mautrix_meta_instagram_identifier: matrix-mautrix-meta-instagram
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_instagram_version: v0.2510.0
+matrix_mautrix_meta_instagram_version: v0.2511.0
 
 matrix_mautrix_meta_instagram_base_path: "{{ matrix_base_data_path }}/mautrix-meta-instagram"
 matrix_mautrix_meta_instagram_config_path: "{{ matrix_mautrix_meta_instagram_base_path }}/config"

roles/custom/matrix-bridge-mautrix-meta-messenger/defaults/main.yml

@@ -20,7 +20,7 @@ matrix_mautrix_meta_messenger_enabled: true
 matrix_mautrix_meta_messenger_identifier: matrix-mautrix-meta-messenger
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/meta
-matrix_mautrix_meta_messenger_version: v0.2510.0
+matrix_mautrix_meta_messenger_version: v0.2511.0
 
 matrix_mautrix_meta_messenger_base_path: "{{ matrix_base_data_path }}/mautrix-meta-messenger"
 matrix_mautrix_meta_messenger_config_path: "{{ matrix_mautrix_meta_messenger_base_path }}/config"

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.2510.0
+matrix_mautrix_signal_version: v0.2511.0
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"
@@ -50,11 +50,14 @@ matrix_mautrix_signal_appservice_address: "http://matrix-mautrix-signal:8080"
 matrix_mautrix_signal_msc4190_enabled: "{{ matrix_bridges_msc4190_enabled }}"
 matrix_mautrix_signal_self_sign_enabled: "{{ matrix_bridges_self_sign_enabled }}"
 
+matrix_mautrix_signal_extev_polls: false
+
 matrix_mautrix_signal_command_prefix: "!signal"
 
 # Displayname template for Signal users.
 # {{.ProfileName}} - The Signal profile name set by the user.
 # {{.ContactName}} - The name for the user from your phone's contact list. This is not safe on multi-user instances.
+# {{.Nickname}} - The nickname set for the user in the native Signal app. This is not safe on multi-user instances.
 # {{.PhoneNumber}} - The phone number of the user.
 # {{.UUID}} - The UUID of the Signal user.
 # {{.AboutEmoji}} - The emoji set by the user in their profile.

roles/custom/matrix-bridge-mautrix-signal/templates/config.yaml.j2

@@ -19,6 +19,8 @@ network:
     # Google Maps: 'https://www.google.com/maps/place/%[1]s,%[2]s'
     # OpenStreetMap: 'https://www.openstreetmap.org/?mlat=%[1]s&mlon=%[2]s'
     location_format: 'https://www.google.com/maps/place/%[1]s,%[2]s'
+    # Should polls be sent using unstable MSC3381 event types?
+    extev_polls: {{ matrix_mautrix_signal_extev_polls | to_json }}
 
 # Config options that affect the central bridge module.
 bridge:

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2510.0
+matrix_mautrix_slack_version: v0.2511.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_docker_image: "{{ matrix_mautrix_slack_docker_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.2510.0
+matrix_mautrix_twitter_version: v0.2511.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_docker_image: "{{ matrix_mautrix_twitter_docker_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_docker_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2510.0
+matrix_mautrix_whatsapp_version: v0.2511.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_mautrix_androidsms_appservice_token"
     - "matrix_mautrix_androidsms_homeserver_token"

roles/custom/matrix-bridge-sms/tasks/validate_config.yml

@@ -11,7 +11,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_sms_bridge_appservice_token"
     - "matrix_sms_bridge_homeserver_hostname"

roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml

@@ -15,7 +15,7 @@
   block:
     - name: Ensure matrix-bridge-zulip is stopped
       ansible.builtin.service:
-        name: matrix-bridge-zulip
+        name: matrix-zulip-bridge
         state: stopped
         enabled: false
         daemon_reload: true

roles/custom/matrix-cactus-comments-client/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.39.0
+matrix_cactus_comments_client_version: 2.40.1
 
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"

roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml

@@ -8,7 +8,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_cactus_comments_client_hostname
     - matrix_cactus_comments_client_path_prefix

roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2

@@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--env-file={{ matrix_cactus_comments_client_base_path }}/env \
 			--label-file={{ matrix_cactus_comments_client_base_path }}/labels \
-			--mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/public,ro \
+			--mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/var/public,ro \
 			{{ matrix_cactus_comments_client_container_image }}
 
 {% for network in matrix_cactus_comments_client_container_additional_networks %}

roles/custom/matrix-cactus-comments/tasks/validate_config.yml

@@ -24,7 +24,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_cactus_comments_as_token"
     - "matrix_cactus_comments_hs_token"

roles/custom/matrix-client-cinny/tasks/validate_config.yml

@@ -36,7 +36,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_cinny_container_labels_traefik_hostname
         - matrix_client_cinny_container_labels_traefik_path_prefix

roles/custom/matrix-client-element/defaults/main.yml

@@ -26,10 +26,10 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 # Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM):
 # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
 # - https://github.com/element-hq/element-web/issues/19544
-matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
+matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.3
+matrix_client_element_version: v1.12.6
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`) for using FluffyChat Web.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_client_fluffychat_container_network
 
@@ -27,7 +27,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_fluffychat_container_labels_traefik_hostname
         - matrix_client_fluffychat_container_labels_traefik_path_prefix

roles/custom/matrix-client-hydrogen/tasks/validate_config.yml

@@ -30,7 +30,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_hydrogen_container_labels_traefik_hostname
         - matrix_client_hydrogen_container_labels_traefik_path_prefix

roles/custom/matrix-client-schildichat/tasks/validate_config.yml

@@ -20,7 +20,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`) for using SchildiChat Web.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_client_schildichat_default_hs_url
     - matrix_client_schildichat_container_network
@@ -39,7 +39,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_schildichat_container_labels_traefik_hostname
         - matrix_client_schildichat_container_labels_traefik_path_prefix

roles/custom/matrix-corporal/tasks/validate_config.yml

@@ -10,7 +10,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_corporal_container_network"
     - "matrix_corporal_matrix_homeserver_api_endpoint"

roles/custom/matrix-dimension/tasks/validate_config.yml

@@ -39,7 +39,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_dimension_container_labels_traefik_hostname
         - matrix_dimension_container_labels_traefik_path_prefix

roles/custom/matrix-element-admin/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true
 
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.8
+matrix_element_admin_version: 0.1.9
 
 matrix_element_admin_scheme: https
 

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.16.1
+matrix_element_call_version: v0.16.3
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-element-call/tasks/validate_config.yml

@@ -17,7 +17,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_element_call_container_network', when: true}
     - {'name': 'matrix_element_call_hostname', when: true}

roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml

@@ -11,7 +11,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_ldap_registration_proxy_hostname"
     - "matrix_ldap_registration_proxy_ldap_uri"

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.3.0
+matrix_livekit_jwt_service_version: 0.4.0
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
@@ -68,8 +68,15 @@ matrix_livekit_jwt_service_container_labels_additional_labels: ''
 # A list of extra arguments to pass to the container
 matrix_livekit_jwt_service_container_extra_arguments: []
 
-# Controls the LK_JWT_PORT environment variable
-matrix_livekit_jwt_service_environment_variable_livekit_jwt_port: 8080
+# Controls the port that the service listens on internally in the container.
+# This is still used for Traefik configuration and container port binding.
+matrix_livekit_jwt_service_container_port: 8080
+
+# Controls the LIVEKIT_JWT_BIND environment variable.
+# This is the preferred method in v0.4.0+, replacing the deprecated LIVEKIT_JWT_PORT.
+# Format: "host:port" or ":port" (to bind to all interfaces).
+# The default ":8080" binds to all interfaces on port 8080.
+matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind: ":{{ matrix_livekit_jwt_service_container_port }}"
 
 # Controls the LIVEKIT_KEY environment variable
 matrix_livekit_jwt_service_environment_variable_livekit_key: ""

roles/custom/matrix-livekit-jwt-service/tasks/main.yml

@@ -8,7 +8,7 @@
 
 - tags:
     - setup-all
-    - setup-jwt-service
+    - setup-livekit-jwt-service
     - install-all
     - install-livekit-jwt-service
   block:

roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml

@@ -6,11 +6,20 @@
 
 ---
 
+- name: (Deprecation) Catch and report renamed LiveKit JWT Service settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
+  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
+  with_items:
+    - {'old': 'matrix_livekit_jwt_service_environment_variable_livekit_jwt_port', 'new': 'matrix_livekit_jwt_service_container_port'}
+
 - name: Fail if required LiveKit JWT Service settings are not defined
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_livekit_jwt_service_hostname', when: true}
     - {'name': 'matrix_livekit_jwt_service_container_network', when: true}

roles/custom/matrix-livekit-jwt-service/templates/env.j2

@@ -5,7 +5,7 @@ SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-LIVEKIT_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port | int | to_json }}
+LIVEKIT_JWT_BIND={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind }}
 
 LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }}
 LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }}

roles/custom/matrix-livekit-jwt-service/templates/labels.j2

@@ -10,7 +10,7 @@ traefik.enable=true
 
 traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }}
 
-traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port }}
+traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_container_port }}
 
 {% set middlewares = [] %}
 

roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2

@@ -20,7 +20,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
     --cap-drop=ALL \
     --network={{ matrix_livekit_jwt_service_container_network }} \
     {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
-    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port }} \
+    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_container_port }} \
     {% endif %}
     --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
     --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \

roles/custom/matrix-matrixto/defaults/main.yml

@@ -0,0 +1,178 @@
+# SPDX-FileCopyrightText: 2023 - 2024 Nikita Chernyi
+# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2024 Sergio Durigan Junior
+# SPDX-FileCopyrightText: 2025 MASH project contributors
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+# Project source code URL: https://app.radicle.xyz/nodes/seed.radicle.garden/rad%3Az3Re1EQbd186vUQDwHByYiLadsVWY
+
+matrix_matrixto_enabled: true
+
+matrix_matrixto_identifier: matrix-matrixto
+matrix_matrixto_base_path: "/{{ matrix_matrixto_identifier }}"
+
+matrix_matrixto_version: 1.2.17-1
+
+matrix_matrixto_scheme: https
+
+# The hostname at which Matrix.to is served.
+matrix_matrixto_hostname: ""
+
+# The path at which Matrix.to is exposed.
+# This value must either be `/` or not end with a slash (e.g. `/matrixto`).
+#
+# Hosting Matrix.to under a subpath does not seem to be possible due to Matrix.to's
+# technical limitations.
+matrix_matrixto_path_prefix: /
+
+matrix_matrixto_container_image: "{{ matrix_matrixto_container_image_registry_prefix }}shirahara/matrixto:{{ matrix_matrixto_container_image_tag }}"
+matrix_matrixto_container_image_tag: "{{ matrix_matrixto_version }}"
+matrix_matrixto_container_image_registry_prefix: "{{ matrix_matrixto_container_image_registry_prefix_upstream }}"
+matrix_matrixto_container_image_registry_prefix_upstream: "{{ matrix_matrixto_container_image_registry_prefix_upstream_default }}"
+matrix_matrixto_container_image_registry_prefix_upstream_default: ""
+matrix_matrixto_container_image_force_pull: "{{ matrix_matrixto_container_image.endswith(':latest') }}"
+
+matrix_matrixto_container_image_self_build: true
+matrix_matrixto_container_image_self_build_name: "shirahara/matrixto:{{ matrix_matrixto_container_image_self_build_repo_version }}"
+matrix_matrixto_container_image_self_build_repo: "https://seed.radicle.garden/z3Re1EQbd186vUQDwHByYiLadsVWY.git"
+matrix_matrixto_container_image_self_build_repo_version: "{{ matrix_matrixto_version if matrix_matrixto_version != 'latest' else 'main' }}"
+matrix_matrixto_container_image_self_build_src_files_path: "{{ matrix_matrixto_base_path }}/docker-src"
+
+# Controls whether the container exposes its HTTP port (tcp/8080 in the container).
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
+matrix_matrixto_container_http_host_bind_port: ""
+
+# The base container network. It will be auto-created by this role if it doesn't exist already.
+matrix_matrixto_container_network: "{{ matrix_matrixto_identifier }}"
+
+# The port number in the container
+matrix_matrixto_container_http_port: 5000
+
+# A list of additional container networks that the container would be connected to.
+# The role does not create these networks, so make sure they already exist.
+# Use this to expose this container to another reverse proxy, which runs in a different container network.
+matrix_matrixto_container_additional_networks: "{{ matrix_matrixto_container_additional_networks_auto + matrix_matrixto_container_additional_networks_custom }}"
+matrix_matrixto_container_additional_networks_auto: []
+matrix_matrixto_container_additional_networks_custom: []
+
+# A list of additional "volumes" to mount in the container.
+# This list gets populated dynamically at runtime. You can provide a different default value,
+# if you wish to mount your own files into the container.
+# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
+# See the `--mount` documentation for the `docker run` command.
+matrix_matrixto_container_additional_volumes: "{{ matrix_matrixto_container_additional_volumes_auto + matrix_matrixto_container_additional_volumes_custom }}"
+matrix_matrixto_container_additional_volumes_auto: []
+matrix_matrixto_container_additional_volumes_custom: []
+
+# matrix_matrixto_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# See `../templates/labels.j2` for details.
+#
+# To inject your own other container labels, see `matrix_matrixto_container_labels_additional_labels`.
+matrix_matrixto_container_labels_traefik_enabled: true
+matrix_matrixto_container_labels_traefik_docker_network: "{{ matrix_matrixto_container_network }}"
+matrix_matrixto_container_labels_traefik_hostname: "{{ matrix_matrixto_hostname }}"
+# The path prefix must either be `/` or not end with a slash (e.g. `/matrixto`).
+matrix_matrixto_container_labels_traefik_path_prefix: "{{ matrix_matrixto_path_prefix }}"
+matrix_matrixto_container_labels_traefik_rule: "Host(`{{ matrix_matrixto_container_labels_traefik_hostname }}`){% if matrix_matrixto_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ matrix_matrixto_container_labels_traefik_path_prefix }}`){% endif %}"
+matrix_matrixto_container_labels_traefik_priority: 0
+matrix_matrixto_container_labels_traefik_entrypoints: web-secure
+matrix_matrixto_container_labels_traefik_tls: "{{ matrix_matrixto_container_labels_traefik_entrypoints != 'web' }}"
+matrix_matrixto_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls which additional headers to attach to all HTTP requests.
+# To add your own custom request headers, use `matrix_matrixto_container_labels_traefik_additional_request_headers_custom`
+matrix_matrixto_container_labels_traefik_additional_request_headers: "{{ matrix_matrixto_container_labels_traefik_additional_request_headers_auto | combine(matrix_matrixto_container_labels_traefik_additional_request_headers_custom) }}"
+matrix_matrixto_container_labels_traefik_additional_request_headers_auto: {}
+matrix_matrixto_container_labels_traefik_additional_request_headers_custom: {}
+
+# Controls which additional headers to attach to all HTTP responses.
+# To add your own custom response headers, use `matrix_matrixto_container_labels_traefik_additional_response_headers_custom`
+matrix_matrixto_container_labels_traefik_additional_response_headers: "{{ matrix_matrixto_container_labels_traefik_additional_response_headers_auto | combine(matrix_matrixto_container_labels_traefik_additional_response_headers_custom) }}"
+matrix_matrixto_container_labels_traefik_additional_response_headers_auto: |
+  {{
+    {}
+    | combine ({'X-XSS-Protection': matrix_matrixto_http_header_xss_protection} if matrix_matrixto_http_header_xss_protection else {})
+    | combine ({'X-Content-Type-Options': matrix_matrixto_http_header_content_type_options} if matrix_matrixto_http_header_content_type_options else {})
+    | combine ({'Content-Security-Policy': matrix_matrixto_http_header_content_security_policy} if matrix_matrixto_http_header_content_security_policy else {})
+    | combine ({'Permissions-Policy': matrix_matrixto_http_header_permissions_policy} if matrix_matrixto_http_header_permissions_policy else {})
+    | combine ({'Strict-Transport-Security': matrix_matrixto_http_header_strict_transport_security} if matrix_matrixto_http_header_strict_transport_security and matrix_matrixto_container_labels_traefik_tls else {})
+  }}
+matrix_matrixto_container_labels_traefik_additional_response_headers_custom: {}
+
+# matrix_matrixto_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
+# See `../templates/labels.j2` for details.
+#
+# Example:
+# matrix_matrixto_container_labels_additional_labels: |
+#   my.label=1
+#   another.label="here"
+matrix_matrixto_container_labels_additional_labels: ""
+
+# A list of extra arguments to pass to the container (`docker run` command)
+matrix_matrixto_container_extra_arguments: []
+
+# Specifies the value of the `X-XSS-Protection` header
+# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
+#
+# Learn more about it is here:
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+# - https://portswigger.net/web-security/cross-site-scripting/reflected
+matrix_matrixto_http_header_xss_protection: "1; mode=block"
+
+# Specifies the value of the `X-Content-Type-Options` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+matrix_matrixto_http_header_content_type_options: nosniff
+
+# Specifies the value of the `Content-Security-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+matrix_matrixto_http_header_content_security_policy: frame-ancestors 'self'
+
+# Specifies the value of the `Permissions-Policy` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+matrix_matrixto_http_header_permissions_policy: "{{ 'interest-cohort=()' if matrix_matrixto_floc_optout_enabled else '' }}"
+
+# Specifies the value of the `Strict-Transport-Security` header.
+# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+matrix_matrixto_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_matrixto_hsts_preload_enabled else '' }}"
+
+# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
+#
+# Learn more about what it is here:
+# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
+# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
+# - https://amifloced.org/
+#
+# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
+# See: `matrix_matrixto_http_header_permissions_policy`
+matrix_matrixto_floc_optout_enabled: true
+
+# Controls if HSTS preloading is enabled
+#
+# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
+# indicates a willingness to be "preloaded" into browsers:
+# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
+# For more information visit:
+# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+# - https://hstspreload.org/#opt-in
+# See: `matrix_matrixto_http_header_strict_transport_security`
+matrix_matrixto_hsts_preload_enabled: false
+
+# List of systemd services that the Matrix.to systemd service depends on
+matrix_matrixto_systemd_required_services_list: "{{ matrix_matrixto_systemd_required_services_list_default + matrix_matrixto_systemd_required_services_list_auto + matrix_matrixto_systemd_required_services_list_custom }}"
+matrix_matrixto_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
+matrix_matrixto_systemd_required_services_list_auto: []
+matrix_matrixto_systemd_required_services_list_custom: []
+
+# List of systemd services that the Matrix.to systemd service wants
+matrix_matrixto_systemd_wanted_services_list: "{{ matrix_matrixto_systemd_wanted_services_list_default + matrix_matrixto_systemd_wanted_services_list_auto + matrix_matrixto_systemd_wanted_services_list_custom }}"
+matrix_matrixto_systemd_wanted_services_list_default: []
+matrix_matrixto_systemd_wanted_services_list_auto: []
+matrix_matrixto_systemd_wanted_services_list_custom: []
+
+# Additional environment variables.
+matrix_matrixto_environment_variables_additional_variables: ""

roles/custom/matrix-matrixto/tasks/install.yml

@@ -0,0 +1,100 @@
+# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+- name: Ensure Matrix.to path exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0750"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - "{{ matrix_matrixto_base_path }}"
+
+- name: Ensure Matrix.to support files installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/{{ item }}.j2"
+    dest: "{{ matrix_matrixto_base_path }}/{{ item }}"
+    mode: "0640"
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  with_items:
+    - env
+    - labels
+
+- name: Run if self-building of Matrix.to container image is not enabled
+  when: "not matrix_matrixto_container_image_self_build | bool"
+  block:
+    - name: Ensure Matrix.to container image is pulled via community.docker.docker_image
+      when: devture_systemd_docker_base_container_image_pull_method == 'ansible-module'
+      community.docker.docker_image:
+        name: "{{ matrix_matrixto_container_image }}"
+        source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
+        force_source: "{{ matrix_matrixto_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_container_image_force_pull }}"
+      register: result
+      retries: "{{ devture_playbook_help_container_retries_count }}"
+      delay: "{{ devture_playbook_help_container_retries_delay }}"
+      until: result is not failed
+
+    - name: Ensure Matrix.to container image is pulled via ansible.builtin.command
+      when: devture_systemd_docker_base_container_image_pull_method == 'command'
+      ansible.builtin.command:
+        cmd: "{{ devture_systemd_docker_base_host_command_docker }} pull {{ matrix_matrixto_container_image }}"
+      register: result
+      retries: "{{ devture_playbook_help_container_retries_count }}"
+      delay: "{{ devture_playbook_help_container_retries_delay }}"
+      until: result is not failed
+      changed_when: "'Downloaded newer image' in result.stdout"
+
+- name: Run if self-building of Matrix.to container image is enabled
+  when: "matrix_matrixto_container_image_self_build | bool"
+  block:
+    - name: Ensure Matrix.to repository is present on self-build
+      ansible.builtin.git:
+        repo: "{{ matrix_matrixto_container_image_self_build_repo }}"
+        version: "{{ matrix_matrixto_container_image_self_build_repo_version }}"
+        dest: "{{ matrix_matrixto_container_image_self_build_src_files_path }}"
+        force: "yes"
+      register: matrix_matrixto_git_pull_results
+
+    - name: Ensure Matrix.to container image is built
+      community.docker.docker_image:
+        name: "{{ matrix_matrixto_container_image_self_build_name }}"
+        source: build
+        force_source: "{{ matrix_matrixto_git_pull_results.changed if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
+        force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_matrixto_git_pull_results.changed }}"
+        build:
+          dockerfile: Dockerfile
+          path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}"
+          pull: true
+          args:
+
+- name: Ensure Matrix.to container network is created via community.docker.docker_network
+  when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module'
+  community.docker.docker_network:
+    enable_ipv6: "{{ devture_systemd_docker_base_ipv6_enabled }}"
+    name: "{{ matrix_matrixto_container_network }}"
+    driver: bridge
+    driver_options: "{{ devture_systemd_docker_base_container_networks_driver_options }}"
+
+- name: Ensure Matrix.to container network is created via ansible.builtin.command
+  when: devture_systemd_docker_base_container_network_creation_method == 'command'
+  ansible.builtin.command:
+    cmd: >-
+      {{ devture_systemd_docker_base_host_command_docker }} network create
+      {% if devture_systemd_docker_base_ipv6_enabled %}--ipv6{% endif %}
+      {{ devture_systemd_docker_base_container_networks_driver_options_string }}
+      {{ matrix_matrixto_container_network }}
+  register: network_creation_result
+  changed_when: network_creation_result.rc == 0
+  failed_when: network_creation_result.rc != 0 and 'already exists' not in network_creation_result.stderr
+
+- name: Ensure Matrix.to systemd service is present
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-matrixto.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_matrixto_identifier }}.service"
+    mode: "0644"

roles/custom/matrix-matrixto/tasks/main.yml

@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2023 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+- name: Perform Matrix.to installation tasks
+  when: matrix_matrixto_enabled | bool
+  tags:
+    - setup-all
+    - setup-matrixto
+    - install-all
+    - install-matrixto
+  block:
+    - name: Validate Matrix.to configuration
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_config.yml"
+    - name: Install Matrix.to
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/install.yml"
+
+- name: Perform Matrix.to uninstallation tasks
+  when: not matrix_matrixto_enabled | bool
+  tags:
+    - setup-all
+    - setup-matrixto
+  block:
+    - name: Uninstall Matrix.to
+      ansible.builtin.include_tasks: "{{ role_path }}/tasks/uninstall.yml"

roles/custom/matrix-matrixto/tasks/uninstall.yml

@@ -0,0 +1,45 @@
+# SPDX-FileCopyrightText: 2023 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+- name: Check existence of Matrix.to systemd service
+  ansible.builtin.stat:
+    path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_matrixto_identifier }}.service"
+  register: matrix_matrixto_service_stat
+
+- name: Uninstall Matrix.to systemd services and files
+  when: matrix_matrixto_service_stat.stat.exists | bool
+  block:
+    - name: Ensure Matrix.to systemd service is stopped
+      ansible.builtin.service:
+        name: "{{ matrix_matrixto_identifier }}"
+        state: stopped
+        enabled: false
+        daemon_reload: true
+
+    - name: Ensure Matrix.to systemd service does not exist
+      ansible.builtin.file:
+        path: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_matrixto_identifier }}.service"
+        state: absent
+
+    - name: Ensure Matrix.to container network does not exist via community.docker.docker_network
+      when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module'
+      community.docker.docker_network:
+        name: "{{ matrix_matrixto_container_network }}"
+        state: absent
+
+    - name: Ensure Matrix.to container network does not exist via ansible.builtin.command
+      when: devture_systemd_docker_base_container_network_creation_method == 'command'
+      ansible.builtin.command:
+        cmd: >-
+          {{ devture_systemd_docker_base_host_command_docker }} network rm
+          {{ matrix_matrixto_container_network }}
+      register: network_deletion_result
+      changed_when: matrix_matrixto_container_network in network_deletion_result.stdout
+
+    - name: Ensure Matrix.to path does not exist
+      ansible.builtin.file:
+        path: "{{ matrix_matrixto_base_path }}"
+        state: absent

roles/custom/matrix-matrixto/tasks/validate_config.yml

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2023 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 Suguru Hirahara
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+- name: Fail if required Matrix.to settings not defined
+  ansible.builtin.fail:
+    msg: >-
+      You need to define a required configuration setting (`{{ item }}`).
+  when: "lookup('vars', item, default='') | string | length == 0"
+  with_items:
+    - matrix_matrixto_hostname
+    - matrix_matrixto_path_prefix
+    - matrix_matrixto_container_network
+
+- name: Run if Traefik is enabled
+  when: matrix_matrixto_container_labels_traefik_enabled | bool
+  block:
+    - name: Fail if Traefik settings required for Matrix.to are not defined
+      ansible.builtin.fail:
+        msg: >-
+          You need to define a required configuration setting (`{{ item }}`).
+      when: "lookup('vars', item, default='') | string | length == 0"
+      with_items:
+        - matrix_matrixto_container_labels_traefik_hostname
+        - matrix_matrixto_container_labels_traefik_path_prefix
+
+    - name: Fail if matrix_matrixto_container_labels_traefik_path_prefix is different than /
+      ansible.builtin.fail:
+        msg: >-
+          matrix_matrixto_container_labels_traefik_path_prefix (`{{ matrix_matrixto_container_labels_traefik_path_prefix }}`) must be `/`.
+          Matrix.to does not support hosting under a subpath yet.
+      when: "matrix_matrixto_container_labels_traefik_path_prefix != '/'"
+
+    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+    # Knowing that `matrix_matrixto_container_labels_traefik_path_prefix` does not end with a slash
+    # ensures we know how to set these routes up without having to do "does it end with a slash" checks elsewhere.
+    - name: Fail if matrix_matrixto_container_labels_traefik_path_prefix ends with a slash
+      ansible.builtin.fail:
+        msg: >-
+          matrix_matrixto_container_labels_traefik_path_prefix (`{{ matrix_matrixto_container_labels_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/matrixto`).
+      when: "matrix_matrixto_container_labels_traefik_path_prefix != '/' and matrix_matrixto_container_labels_traefik_path_prefix[-1] == '/'"

roles/custom/matrix-matrixto/templates/env.j2

@@ -0,0 +1,7 @@
+{#
+SPDX-FileCopyrightText: 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{{ matrix_matrixto_environment_variables_additional_variables }}

roles/custom/matrix-matrixto/templates/labels.j2

@@ -0,0 +1,59 @@
+{#
+SPDX-FileCopyrightText: 2023 Slavi Pantaleev
+SPDX-FileCopyrightText: 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_matrixto_container_labels_traefik_enabled %}
+traefik.enable=true
+
+{% if matrix_matrixto_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_matrixto_container_labels_traefik_docker_network }}
+{% endif %}
+
+{% set middlewares = [] %}
+
+{% if matrix_matrixto_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.{{ matrix_matrixto_identifier }}-slashless-redirect.redirectregex.regex=^({{ matrix_matrixto_container_labels_traefik_path_prefix | quote }})$
+traefik.http.middlewares.{{ matrix_matrixto_identifier }}-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + [matrix_matrixto_identifier + '-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_matrixto_container_labels_traefik_path_prefix != '/' %}
+traefik.http.middlewares.{{ matrix_matrixto_identifier }}-strip-prefix.stripprefix.prefixes={{ matrix_matrixto_container_labels_traefik_path_prefix }}
+{% set middlewares = middlewares + [matrix_matrixto_identifier + '-strip-prefix'] %}
+{% endif %}
+
+{% if matrix_matrixto_container_labels_traefik_additional_request_headers.keys() | length > 0 %}
+{% for name, value in matrix_matrixto_container_labels_traefik_additional_request_headers.items() %}
+traefik.http.middlewares.{{ matrix_matrixto_identifier }}-add-request-headers.headers.customrequestheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + [matrix_matrixto_identifier + '-add-request-headers'] %}
+{% endif %}
+
+{% if matrix_matrixto_container_labels_traefik_additional_response_headers.keys() | length > 0 %}
+{% for name, value in matrix_matrixto_container_labels_traefik_additional_response_headers.items() %}
+traefik.http.middlewares.{{ matrix_matrixto_identifier }}-add-response-headers.headers.customresponseheaders.{{ name }}={{ value }}
+{% endfor %}
+{% set middlewares = middlewares + [matrix_matrixto_identifier + '-add-response-headers'] %}
+{% endif %}
+
+traefik.http.routers.{{ matrix_matrixto_identifier }}.rule={{ matrix_matrixto_container_labels_traefik_rule }}
+{% if matrix_matrixto_container_labels_traefik_priority | int > 0 %}
+traefik.http.routers.{{ matrix_matrixto_identifier }}.priority={{ matrix_matrixto_container_labels_traefik_priority }}
+{% endif %}
+traefik.http.routers.{{ matrix_matrixto_identifier }}.service={{ matrix_matrixto_identifier }}
+{% if middlewares | length > 0 %}
+traefik.http.routers.{{ matrix_matrixto_identifier }}.middlewares={{ middlewares | join(',') }}
+{% endif %}
+traefik.http.routers.{{ matrix_matrixto_identifier }}.entrypoints={{ matrix_matrixto_container_labels_traefik_entrypoints }}
+traefik.http.routers.{{ matrix_matrixto_identifier }}.tls={{ matrix_matrixto_container_labels_traefik_tls | to_json }}
+{% if matrix_matrixto_container_labels_traefik_tls %}
+traefik.http.routers.{{ matrix_matrixto_identifier }}.tls.certResolver={{ matrix_matrixto_container_labels_traefik_tls_certResolver }}
+{% endif %}
+
+traefik.http.services.{{ matrix_matrixto_identifier }}.loadbalancer.server.port={{ matrix_matrixto_container_http_port }}
+{% endif %}
+
+{{ matrix_matrixto_container_labels_additional_labels }}

roles/custom/matrix-matrixto/templates/systemd/matrix-matrixto.service.j2

@@ -0,0 +1,59 @@
+{#
+SPDX-FileCopyrightText: 2023 Slavi Pantaleev
+SPDX-FileCopyrightText: 2024 Nikita Chernyi
+SPDX-FileCopyrightText: 2025 Suguru Hirahara
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+[Unit]
+Description=Matrix.to ({{ matrix_matrixto_identifier }})
+{% for service in matrix_matrixto_systemd_required_services_list %}
+Requires={{ service }}
+After={{ service }}
+{% endfor %}
+{% for service in matrix_matrixto_systemd_wanted_services_list %}
+Wants={{ service }}
+{% endfor %}
+DefaultDependencies=no
+
+[Service]
+Type=simple
+Environment="HOME={{ devture_systemd_docker_base_systemd_unit_home_path }}"
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_matrixto_identifier }} 2>/dev/null || true'
+ExecStartPre=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_matrixto_identifier }} 2>/dev/null || true'
+
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
+      --rm \
+      --name={{ matrix_matrixto_identifier }} \
+      --log-driver=none \
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+      --cap-drop=ALL \
+      --read-only \
+      --network={{ matrix_matrixto_container_network }} \
+      {% if matrix_matrixto_container_http_host_bind_port %}
+      -p {{ matrix_matrixto_container_http_host_bind_port }}:{{ matrix_matrixto_container_http_port }} \
+      {% endif %}
+      --env-file={{ matrix_matrixto_base_path }}/env \
+      --label-file={{ matrix_matrixto_base_path }}/labels \
+      --tmpfs=/tmp:rw,noexec,nosuid,size=128m \
+      {% for arg in matrix_matrixto_container_extra_arguments %}
+      {{ arg }} \
+      {% endfor %}
+      {{ matrix_matrixto_container_image_self_build_name if matrix_matrixto_container_image_self_build else matrix_matrixto_container_image }}
+
+{% for network in matrix_matrixto_container_additional_networks %}
+ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} {{ matrix_matrixto_identifier }}
+{% endfor %}
+
+ExecStart={{ devture_systemd_docker_base_host_command_docker }} start --attach {{ matrix_matrixto_identifier }}
+
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} stop -t {{ devture_systemd_docker_base_container_stop_grace_time_seconds }} {{ matrix_matrixto_identifier }} 2>/dev/null || true'
+ExecStop=-{{ devture_systemd_docker_base_host_command_sh }} -c '{{ devture_systemd_docker_base_host_command_docker }} rm {{ matrix_matrixto_identifier }} 2>/dev/null || true'
+
+Restart=always
+RestartSec=30
+SyslogIdentifier={{ matrix_matrixto_identifier }}
+
+[Install]
+WantedBy=multi-user.target

roles/custom/matrix-pantalaimon/tasks/validate_config.yml

@@ -9,7 +9,7 @@
     msg: "The `{{ item }}` variable must be defined and have a non-null value."
   with_items:
     - "matrix_pantalaimon_homeserver_url"
-  when: "vars[item] == '' or vars[item] is none"
+  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
 
 - name: (Deprecation) Catch and report renamed Pantalaimon variables
   ansible.builtin.fail:

roles/custom/matrix-rageshake/defaults/main.yml

@@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: /
 # There are no stable container image tags yet.
 # See: https://github.com/matrix-org/rageshake/issues/69
 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake
-matrix_rageshake_version: 1.17.0
+matrix_rageshake_version: 1.17.1
 
 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake"
 matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config"

roles/custom/matrix-rageshake/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_rageshake_hostname
     - matrix_rageshake_path_prefix
@@ -29,7 +29,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_rageshake_container_labels_traefik_hostname
         - matrix_rageshake_container_labels_traefik_path_prefix

roles/custom/matrix-static-files/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.39.0
+matrix_static_files_version: 2.40.1
 
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"

roles/custom/matrix-static-files/tasks/validate_config.yml

@@ -8,7 +8,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"}
     - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"}

roles/custom/matrix-static-files/templates/systemd/matrix-static-files.service.j2

@@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--env-file={{ matrix_static_files_base_path }}/env \
 			--label-file={{ matrix_static_files_base_path }}/labels \
-			--mount type=bind,src={{ matrix_static_files_public_path }},dst=/public,ro \
+			--mount type=bind,src={{ matrix_static_files_public_path }},dst=/var/public,ro \
 			--mount type=bind,src={{ matrix_static_files_config_path }},dst=/config,ro \
 			{{ matrix_static_files_container_image }}
 

roles/custom/matrix-sygnal/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_sygnal_hostname: ''
 matrix_sygnal_path_prefix: /
 
 # renovate: datasource=docker depName=matrixdotorg/sygnal
-matrix_sygnal_version: v0.15.1
+matrix_sygnal_version: v0.17.0
 
 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"

roles/custom/matrix-sygnal/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_sygnal_hostname
     - matrix_sygnal_path_prefix
@@ -21,7 +21,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_sygnal_container_labels_traefik_hostname
         - matrix_sygnal_container_labels_traefik_path_prefix

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke49
+matrix_synapse_admin_version: v0.11.1-etke50
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-synapse-admin/tasks/validate_config.yml

@@ -26,7 +26,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_synapse_admin_container_labels_traefik_hostname
         - matrix_synapse_admin_container_labels_traefik_path_prefix

roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml

@@ -20,7 +20,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_synapse_auto_compressor_database_hostname
     - matrix_synapse_auto_compressor_database_password

roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml

@@ -24,7 +24,7 @@
 matrix_synapse_reverse_proxy_companion_enabled: true
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.29.3-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.29.4-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.141.0
+matrix_synapse_version: v1.144.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -675,7 +675,7 @@ matrix_synapse_caches_sync_response_cache_duration: "2m"
 # Controls how much memory this role thinks is available for cache-size-related calculations.
 # By default, all of the server's memory is taken into account, but you can adjust this.
 # You can also go for directly adjusting cache-sizes (matrix_synapse_cache_autotuning_max_cache_memory_usage, matrix_synapse_cache_autotuning_target_cache_memory_usage) instead of adjusting this.
-matrix_synapse_cache_size_calculations_memtotal_bytes: "{{ (ansible_memtotal_mb * 1024 * 1024) | int }}"
+matrix_synapse_cache_size_calculations_memtotal_bytes: "{{ (ansible_facts['memtotal_mb'] * 1024 * 1024) | int }}"
 
 # Controls the cap to use for matrix_synapse_cache_autotuning_max_cache_memory_usage.
 matrix_synapse_cache_size_calculations_max_cache_memory_usage_cap_bytes: "{{ (2 * 1024 * 1024 * 1024) }}"  # 2GB

roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
@@ -19,7 +19,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
-  when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''"
+  when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"

roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml

@@ -8,7 +8,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using synapse-http-antispam.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_synapse_ext_synapse_http_antispam_enabled"
     - "matrix_synapse_ext_synapse_http_antispam_config_base_url"

roles/custom/matrix-synapse/tasks/validate_config.yml

@@ -10,7 +10,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_synapse_username', when: true}
     - {'name': 'matrix_synapse_uid', when: true}
@@ -48,7 +48,7 @@
   ansible.builtin.fail:
     msg: >-
       `{{ item }}` cannot be more than 1. This is a single-instance worker.
-  when: "vars[item] | int > 1"
+  when: "lookup('vars', item, default='') | int > 1"
   with_items:
     - "matrix_synapse_workers_appservice_workers_count"
     - "matrix_synapse_workers_user_dir_workers_count"
@@ -138,7 +138,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`.
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_synapse_container_image_customizations_templates_git_repository_url
         - matrix_synapse_container_image_customizations_templates_git_repository_branch
@@ -147,7 +147,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`.
-      when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and vars[item] == ''"
+      when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and lookup('vars', item, default='') == ''"
       with_items:
         - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname
 
@@ -166,7 +166,7 @@
 - name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:
     msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
-  when: matrix_synapse_matrix_authentication_service_enabled and vars[item] | bool
+  when: matrix_synapse_matrix_authentication_service_enabled and lookup('vars', item, default='') | bool
   with_items:
     - matrix_synapse_ext_password_provider_rest_auth_enabled
     - matrix_synapse_ext_password_provider_shared_secret_auth_enabled

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -55,7 +55,7 @@ matrix_playbook_migration_matrix_postmoogle_migration_validation_enabled: true
 # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2999
 # - https://github.com/geerlingguy/ansible-role-docker/pull/410
 matrix_playbook_migration_debian_signedby_migration_enabled: true
-matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_distribution | lower }}.list"
+matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_facts['distribution'] | lower }}.list"
 
 # Controls if the old apt repository for Docker (`signed-by=/etc/apt/trusted.gpg.d/docker.asc`) will be removed,
 # so that the Docker role (7.2.0+) can install a new non-conflicting one (`signed-by=/etc/apt/keyrings/docker.asc`).

setup.yml

@@ -91,6 +91,7 @@
     - custom/matrix-bot-draupnir
     - custom/matrix-cactus-comments
     - custom/matrix-cactus-comments-client
+    - custom/matrix-matrixto
     - custom/matrix-rageshake
     - custom/matrix-synapse
     - custom/matrix-synapse-auto-compressor