Add pre-commit check for migration version sync between defaults and examples/vars.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/matrix.yml

@@ -9,34 +9,37 @@ name: Matrix CI
 
 on: [push, pull_request]  # yamllint disable-line rule:truthy
 
+permissions:
+  contents: read
+
 jobs:
-  yamllint:
+  prek:
-    name: yamllint
+    name: Run prek hooks
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out
-        uses: actions/checkout@v6
-      - name: Run yamllint
-        uses: frenck/action-yamllint@v1.5.0
-  ansible-lint:
-    name: ansible-lint
     runs-on: ubuntu-latest
+    container:
+      image: docker.io/archlinux:base-devel
+
     steps:
+      # git must be installed before checkout so it does a proper clone
+      # (with .git directory) instead of a tarball download.
+      - name: Install git
+        run: pacman -Sy --noconfirm git
+
       - name: Check out
         uses: actions/checkout@v6
 
-      - name: Run ansible-lint
+      - name: Restore prek cache
-        uses: ansible/ansible-lint@v26.3.0
+        uses: actions/cache@v5
         with:
-          args: "roles/custom"
+          path: var/prek
-          setup_python: "true"
+          key: arch-prek-v1-${{ hashFiles('.pre-commit-config.yaml') }}
-          working_directory: ""
+
-          requirements_file: requirements.yml
+      - name: Install dependencies
-  precommit:
+        run: pacman -S --noconfirm --needed just mise python
-    name: Run pre-commit
+
-    runs-on: ubuntu-latest
+      - name: Run prek hooks
-    steps:
+        run: |
-      - name: Checkout code
+          # The checkout action sets safe.directory using its own bundled
-        uses: actions/checkout@v6
+          # git, which is separate from the pacman-installed git that prek uses.
-      - name: Run pre-commit
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-        uses: pre-commit/action@v3.0.1
+          just prek-run-on-all

.gitignore

@@ -4,6 +4,7 @@
 .python-version
 .idea/
 .direnv/
+/var/
 
 # ignore roles pulled by ansible-galaxy
 /roles/galaxy/*

.pre-commit-config.yaml

@@ -1,17 +1,16 @@
 ---
-default_install_hook_types: [pre-push]
 
-exclude: "LICENSES/"
+exclude: "^(LICENSES/|var/)"
 
 # See: https://pre-commit.com/hooks.html
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
-      # - id: check-executables-have-shebangs
       - id: check-added-large-files
       - id: check-case-conflict
       - id: check-json
+      - id: check-shebang-scripts-are-executable
       - id: check-toml
       - id: trailing-whitespace
       - id: end-of-file-fixer
@@ -24,3 +23,18 @@ repos:
     rev: v6.2.0
     hooks:
       - id: reuse
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v26.3.0
+    hooks:
+      - id: ansible-lint
+        files: '^roles/custom/'
+        args: ['roles/custom']
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-examples-vars-migration-version
+        name: Check examples/vars.yml migration version matches expected
+        entry: bin/check-examples-vars-migration-version.sh
+        language: script
+        files: '(examples/vars\.yml|roles/custom/matrix_playbook_migration/defaults/main\.yml)'
+        pass_filenames: false

CHANGELOG.md

@@ -1,3 +1,36 @@
+# 2026-03-23
+
+## Migration validation system introduced
+
+Previously, when updating your setup, you had to remember to read the [CHANGELOG](CHANGELOG.md) file or risk breakage.
+
+Now, the playbook includes a migration validation system that ensures you're aware of breaking changes before they affect your deployment.
+You're now forced to acknowledge each breaking change, unless you wish to live dangerously (see below).
+
+A new `matrix_playbook_migration_validated_version` variable has been introduced.
+
+**New users** who started from the [example `vars.yml`](examples/vars.yml) file already have this variable set and do not need to do anything.
+
+**Existing users** will need to add the following to their `vars.yml` file after reviewing all changelog entries up to now:
+
+```yml
+matrix_playbook_migration_validated_version: v2026.03.23.0
+```
+
+Going forward, whenever a breaking change is introduced the playbook will:
+
+- bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)
+
+- fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries
+
+After reviewing and adapting your setup, you simply update the variable to the new version.
+
+If you'd like to live dangerously and skip these checks (not recommended), you can set this once and be done with it:
+
+```yml
+matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
+```
+
 # 2026-03-19
 
 ## Matrix Authentication Service now prefers UNIX sockets for playbook-managed Postgres

bin/check-examples-vars-migration-version.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# Ensures that the migration validated version in examples/vars.yml
+# matches the expected version in the matrix_playbook_migration role defaults.
+
+set -euo pipefail
+
+defaults_file="roles/custom/matrix_playbook_migration/defaults/main.yml"
+examples_file="examples/vars.yml"
+
+expected_version=$(grep -oP '^matrix_playbook_migration_expected_version:\s*"?\K[^"]+' "$defaults_file")
+examples_version=$(grep -oP '^matrix_playbook_migration_validated_version:\s*"?\K[^"]+' "$examples_file")
+
+if [ -z "$expected_version" ]; then
+	echo "ERROR: Could not extract matrix_playbook_migration_expected_version from $defaults_file"
+	exit 1
+fi
+
+if [ -z "$examples_version" ]; then
+	echo "ERROR: Could not extract matrix_playbook_migration_validated_version from $examples_file"
+	exit 1
+fi
+
+if [ "$expected_version" != "$examples_version" ]; then
+	echo "ERROR: Migration version mismatch!"
+	echo "  $defaults_file has expected version: $expected_version"
+	echo "  $examples_file has validated version: $examples_version"
+	echo ""
+	echo "Please update $examples_file to match."
+	exit 1
+fi

examples/vars.yml

@@ -1,4 +1,9 @@
 ---
+# This variable acknowledges that you've reviewed breaking changes up to this version.
+# The playbook will fail if this is outdated, guiding you through what changed.
+# See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
+matrix_playbook_migration_validated_version: v2026.03.23.0
+
 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).
 #

flake.nix

@@ -19,6 +19,7 @@
           devShells.default = mkShell {
             buildInputs = [
               just
+              mise
               ansible
             ];
             shellHook = ''

group_vars/matrix_servers

@@ -278,7 +278,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (backup_borg_identifier + '.timer'),
       'priority': 5000,
-      'restart_necessary': true,
+      'restart_necessary': (backup_borg_restart_necessary | bool),
       'groups': ['matrix', 'backup', 'borg'],
     }] if backup_borg_enabled else [])
     +
@@ -383,14 +383,14 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-appservice-kakaotalk.service',
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_appservice_kakaotalk_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'appservice-kakaotalk'],
     }] if matrix_appservice_kakaotalk_enabled else [])
     +
     ([{
       'name': 'matrix-appservice-kakaotalk-node.service',
       'priority': 1900,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_appservice_kakaotalk_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'appservice-kakaotalk', 'appservice-kakaotalk-node'],
     }] if matrix_appservice_kakaotalk_enabled else [])
     +
@@ -404,14 +404,14 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-wechat.service',
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_wechat_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'wechat'],
     }] if matrix_wechat_enabled else [])
     +
     ([{
       'name': 'matrix-wechat-agent.service',
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_wechat_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'wechat'],
     }] if matrix_wechat_enabled else [])
     +
@@ -621,7 +621,12 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': ('matrix-' + matrix_homeserver_implementation + '.service'),
       'priority': matrix_homeserver_systemd_service_manager_priority,
-      'restart_necessary': true,
+      'restart_necessary': (
+        (matrix_conduit_restart_necessary | bool) if matrix_homeserver_implementation == 'conduit'
+        else (matrix_continuwuity_restart_necessary | bool) if matrix_homeserver_implementation == 'continuwuity'
+        else (matrix_dendrite_restart_necessary | bool) if matrix_homeserver_implementation == 'dendrite'
+        else true
+      ),
       'groups': ['matrix', 'homeservers', matrix_homeserver_implementation],
     }] if matrix_homeserver_enabled else [])
     +
@@ -684,28 +689,28 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (jitsi_identifier + '-web.service'),
       'priority': 4200,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_web_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-web'],
     }] if jitsi_enabled else [])
     +
     ([{
       'name': (jitsi_identifier + '-prosody.service'),
       'priority': 4000,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_prosody_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-prosody'],
     }] if jitsi_enabled else [])
     +
     ([{
       'name': (jitsi_identifier + '-jicofo.service'),
       'priority': 4100,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_jicofo_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-jicofo'],
     }] if jitsi_enabled else [])
     +
     ([{
       'name': (jitsi_identifier + '-jvb.service'),
       'priority': 4100,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_jvb_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-jvb'],
     }] if jitsi_enabled else [])
     +
@@ -719,7 +724,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (matrix_media_repo_identifier + '.service'),
       'priority': 4000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_media_repo_restart_necessary | bool),
       'groups': ['matrix', 'matrix-media-repo'],
     }] if matrix_media_repo_enabled else [])
     +
@@ -803,7 +808,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-element-call.service',
       'priority': 4000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_element_call_restart_necessary | bool),
       'groups': ['matrix', 'element-call'],
     }] if matrix_element_call_enabled else [])
     +
@@ -838,14 +843,14 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-goofys.service',
       'priority': 800,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_goofys_restart_necessary | bool),
       'groups': ['matrix', 'goofys'],
     }] if (matrix_synapse_enabled and matrix_s3_media_store_enabled) else [])
     +
     ([{
       'name': 'matrix-synapse-s3-storage-provider-migrate.timer',
       'priority': 5000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_synapse_s3_storage_provider_restart_necessary | bool),
       'groups': ['matrix'],
     }] if (matrix_synapse_enabled and matrix_synapse_ext_synapse_s3_storage_provider_enabled) else [])
     +

justfile

@@ -4,6 +4,11 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+# mise (dev tool version manager)
+mise_data_dir := env("MISE_DATA_DIR", justfile_directory() / "var/mise")
+mise_trusted_config_paths := justfile_directory() / "mise.toml"
+prek_home := env("PREK_HOME", justfile_directory() / "var/prek")
+
 # Shows help
 default:
     @{{ just_executable() }} --list --justfile "{{ justfile() }}"
@@ -39,9 +44,39 @@ update-playbook-only:
     @git pull -q
     @-git stash pop -q
 
-# Runs ansible-lint against all roles in the playbook
+# Invokes mise with the project-local data directory
-lint:
+mise *args: _ensure_mise_data_directory
-    ansible-lint
+    #!/bin/sh
+    export MISE_DATA_DIR="{{ mise_data_dir }}"
+    export MISE_TRUSTED_CONFIG_PATHS="{{ mise_trusted_config_paths }}"
+    export MISE_YES=1
+    export PREK_HOME="{{ prek_home }}"
+    mise {{ args }}
+
+# Runs prek (pre-commit hooks manager) with the given arguments
+prek *args: _ensure_mise_tools_installed
+    @{{ just_executable() }} --justfile "{{ justfile() }}" mise exec -- prek {{ args }}
+
+# Runs pre-commit hooks on staged files
+prek-run-on-staged *args: _ensure_mise_tools_installed
+    @{{ just_executable() }} --justfile "{{ justfile() }}" prek run {{ args }}
+
+# Runs pre-commit hooks on all files
+prek-run-on-all *args: _ensure_mise_tools_installed
+    @{{ just_executable() }} --justfile "{{ justfile() }}" prek run --all-files {{ args }}
+
+# Installs the git pre-commit hook
+prek-install-git-pre-commit-hook: _ensure_mise_tools_installed
+    #!/usr/bin/env sh
+    set -eu
+    {{ just_executable() }} --justfile "{{ justfile() }}" mise exec -- prek install
+    hook="{{ justfile_directory() }}/.git/hooks/pre-commit"
+    # The installed git hook runs later under Git, outside this just/mise environment.
+    # Injecting PREK_HOME keeps prek's cache under var/prek instead of a global home dir,
+    # which is more predictable and works better in sandboxed tools like Codex/OpenCode.
+    if [ -f "$hook" ] && ! grep -q '^export PREK_HOME=' "$hook"; then
+        sed -i '2iexport PREK_HOME="{{ prek_home }}"' "$hook"
+    fi
 
 # Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments
 install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args)
@@ -84,3 +119,12 @@ stop-group group *extra_args:
 # Rebuilds the mautrix-meta-instagram Ansible role using the mautrix-meta-messenger role as a source
 rebuild-mautrix-meta-instagram:
     /bin/bash "{{ justfile_directory() }}/bin/rebuild-mautrix-meta-instagram.sh" "{{ justfile_directory() }}/roles/custom"
+
+# Internal - ensures var/mise and var/prek directories exist
+_ensure_mise_data_directory:
+    @mkdir -p "{{ mise_data_dir }}"
+    @mkdir -p "{{ prek_home }}"
+
+# Internal - ensures mise tools are installed
+_ensure_mise_tools_installed: _ensure_mise_data_directory
+    @{{ just_executable() }} --justfile "{{ justfile() }}" mise install --quiet

mise.toml

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[tools]
+prek = "0.3.2"
+
+[settings]
+yes = true

requirements.yml

@@ -4,20 +4,20 @@
   version: v1.0.0-6
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.3-2.1.3-1
+  version: v1.4.3-2.1.3-2
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.11.1-0
+  version: v4.11.1-1
   name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-3
+  version: v0.4.2-4
   name: container_socket_proxy
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
-  version: v4.9.0-0
+  version: v4.9.0-1
   name: coturn
   activation_prefix: coturn_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
-  version: v4.0.0-1
+  version: v4.0.0-2
   name: ddclient
   activation_prefix: ddclient_
 - src: git+https://github.com/geerlingguy/ansible-role-docker
@@ -27,25 +27,25 @@
   version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.6.1-2
+  version: v2.6.1-3
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.99.1-r0-0-0
+  version: v4.99.1-r0-0-1
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-8
+  version: v11.6.5-9
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
-  version: v0.5.1-1
+  version: v0.5.1-2
   name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10741-1
+  version: v10741-2
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.12-0
+  version: v1.9.12-1
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.19.2-0
+  version: v2.19.2-1
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 8630e4f1749bcb659c412820f754473f09055052
@@ -60,22 +60,22 @@
   version: v18.3-1
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v18-1
+  version: v18-2
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.10.0-0
+  version: v3.10.0-1
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-nginxlog-exporter.git
-  version: v1.10.0-1
+  version: v1.10.0-2
   name: prometheus_nginxlog_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.9.1-15
+  version: v1.10.2-0
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.19.1-1
+  version: v0.19.1-3
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.6.0-1
+  version: v1.6.0-2
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0
@@ -87,11 +87,11 @@
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.11-0
+  version: v3.6.11-2
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-5
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9.0.3-2
+  version: v9.0.3-3
   name: valkey

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.15.0
+matrix_bot_baibot_version: v1.16.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml

@@ -225,3 +225,13 @@ matrix_appservice_kakaotalk_registration_yaml: |
   rate_limited: false
 
 matrix_appservice_kakaotalk_registration: "{{ matrix_appservice_kakaotalk_registration_yaml | from_yaml }}"
+
+# matrix_appservice_kakaotalk_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_appservice_kakaotalk_restart_necessary: false

roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml

@@ -13,10 +13,10 @@
     force_source: "{{ matrix_appservice_kakaotalk_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_kakaotalk_container_image_force_pull }}"
   when: not matrix_appservice_kakaotalk_container_image_self_build
-  register: result
+  register: matrix_appservice_kakaotalk_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_appservice_kakaotalk_container_image_pull_result is not failed
 
 - name: Ensure matrix-appservice-kakaotalk-node image is pulled
   community.docker.docker_image:
@@ -25,10 +25,10 @@
     force_source: "{{ matrix_appservice_kakaotalk_node_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_kakaotalk_node_container_image_force_pull }}"
   when: not matrix_appservice_kakaotalk_container_image_self_build
-  register: result
+  register: matrix_appservice_kakaotalk_node_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_appservice_kakaotalk_node_container_image_pull_result is not failed
 
 - name: Ensure matrix-appservice-kakaotalk paths exist
   ansible.builtin.file:
@@ -86,6 +86,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_appservice_kakaotalk_node_config_result
 
 - name: Ensure matrix-appservice-kakaotalk config.yaml installed
   ansible.builtin.copy:
@@ -94,6 +95,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_appservice_kakaotalk_config_result
 
 - name: Ensure matrix-appservice-kakaotalk registration.yaml installed
   ansible.builtin.copy:
@@ -102,6 +104,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_appservice_kakaotalk_registration_result
 
 - name: Ensure matrix-appservice-kakaotalk container network is created
   community.general.docker_network:
@@ -122,3 +125,17 @@
     src: "{{ role_path }}/templates/systemd/matrix-appservice-kakaotalk.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service"
     mode: '0644'
+  register: matrix_appservice_kakaotalk_systemd_service_result
+
+- name: Determine whether matrix-appservice-kakaotalk needs a restart
+  ansible.builtin.set_fact:
+    matrix_appservice_kakaotalk_restart_necessary: >-
+      {{
+        matrix_appservice_kakaotalk_node_config_result.changed | default(false)
+        or matrix_appservice_kakaotalk_config_result.changed | default(false)
+        or matrix_appservice_kakaotalk_registration_result.changed | default(false)
+        or matrix_appservice_kakaotalk_node_systemd_service_result.changed | default(false)
+        or matrix_appservice_kakaotalk_systemd_service_result.changed | default(false)
+        or matrix_appservice_kakaotalk_container_image_pull_result.changed | default(false)
+        or matrix_appservice_kakaotalk_node_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-bridge-wechat/defaults/main.yml

@@ -163,3 +163,13 @@ matrix_wechat_agent_service_secret: "{{ matrix_wechat_bridge_listen_secret }}"
 matrix_wechat_agent_configuration_yaml: "{{ lookup('template', 'templates/agent-config.yaml.j2') }}"
 
 matrix_wechat_agent_configuration: "{{ matrix_wechat_agent_configuration_yaml | from_yaml }}"
+
+# matrix_wechat_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_wechat_restart_necessary: false

roles/custom/matrix-bridge-wechat/tasks/install.yml

@@ -27,10 +27,10 @@
     force_source: "{{ matrix_wechat_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_wechat_container_image_force_pull }}"
   when: not matrix_wechat_container_image_self_build
-  register: result
+  register: matrix_wechat_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_wechat_container_image_pull_result is not failed
 
 - when: matrix_wechat_container_image_self_build | bool
   block:
@@ -62,10 +62,10 @@
     force_source: "{{ matrix_wechat_agent_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_wechat_agent_container_image_force_pull }}"
   when: not matrix_wechat_agent_container_image_self_build
-  register: result
+  register: matrix_wechat_agent_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_wechat_agent_container_image_pull_result is not failed
 
 - when: matrix_wechat_agent_container_image_self_build | bool
   block:
@@ -97,6 +97,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_wechat_config_result
 
 - name: Ensure WeChat registration.yaml installed
   ansible.builtin.copy:
@@ -105,6 +106,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_wechat_registration_result
 
 - name: Ensure Wechat Agent configuration installed
   ansible.builtin.copy:
@@ -113,6 +115,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_wechat_agent_config_result
 
 - name: Ensure matrix-wechat container network is created
   community.general.docker_network:
@@ -134,3 +137,16 @@
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-wechat-agent.service"
     mode: '0644'
   register: matrix_wechat_agent_systemd_service_result
+
+- name: Determine whether WeChat Bridge needs a restart
+  ansible.builtin.set_fact:
+    matrix_wechat_restart_necessary: >-
+      {{
+        matrix_wechat_config_result.changed | default(false)
+        or matrix_wechat_registration_result.changed | default(false)
+        or matrix_wechat_agent_config_result.changed | default(false)
+        or matrix_wechat_systemd_service_result.changed | default(false)
+        or matrix_wechat_agent_systemd_service_result.changed | default(false)
+        or matrix_wechat_container_image_pull_result.changed | default(false)
+        or matrix_wechat_agent_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-conduit/defaults/main.yml

@@ -154,3 +154,13 @@ matrix_conduit_turn_uris: []
 matrix_conduit_turn_secret: ''
 matrix_conduit_turn_username: ''
 matrix_conduit_turn_password: ''
+
+# matrix_conduit_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_conduit_restart_necessary: false

roles/custom/matrix-conduit/tasks/setup_install.yml

@@ -31,6 +31,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_conduit_config_result
 
 - name: Ensure Conduit support files installed
   ansible.builtin.template:
@@ -41,6 +42,7 @@
     group: "{{ matrix_group_name }}"
   with_items:
     - labels
+  register: matrix_conduit_support_files_result
 
 - name: Ensure Conduit container network is created
   community.general.docker_network:
@@ -55,13 +57,24 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_conduit_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_container_image_force_pull }}"
-  register: result
+  register: matrix_conduit_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_conduit_container_image_pull_result is not failed
 
 - name: Ensure matrix-conduit.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-conduit.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service"
     mode: '0644'
+  register: matrix_conduit_systemd_service_result
+
+- name: Determine whether Conduit needs a restart
+  ansible.builtin.set_fact:
+    matrix_conduit_restart_necessary: >-
+      {{
+        matrix_conduit_config_result.changed | default(false)
+        or matrix_conduit_support_files_result.changed | default(false)
+        or matrix_conduit_systemd_service_result.changed | default(false)
+        or matrix_conduit_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -208,3 +208,13 @@ matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
 #   CONTINUWUITY_MAX_REQUEST_SIZE=50000000
 #   CONTINUWUITY_REQUEST_TIMEOUT=60
 matrix_continuwuity_environment_variables_extension: ''
+
+# matrix_continuwuity_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_continuwuity_restart_necessary: false

roles/custom/matrix-continuwuity/tasks/install.yml

@@ -27,6 +27,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_continuwuity_config_result
 
 - name: Ensure continuwuity support files installed
   ansible.builtin.template:
@@ -38,6 +39,7 @@
   with_items:
     - labels
     - env
+  register: matrix_continuwuity_support_files_result
 
 - name: Ensure continuwuity container network is created
   community.general.docker_network:
@@ -52,13 +54,24 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_continuwuity_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_continuwuity_container_image_force_pull }}"
-  register: result
+  register: matrix_continuwuity_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_continuwuity_container_image_pull_result is not failed
 
 - name: Ensure matrix-continuwuity.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
     mode: '0644'
+  register: matrix_continuwuity_systemd_service_result
+
+- name: Determine whether continuwuity needs a restart
+  ansible.builtin.set_fact:
+    matrix_continuwuity_restart_necessary: >-
+      {{
+        matrix_continuwuity_config_result.changed | default(false)
+        or matrix_continuwuity_support_files_result.changed | default(false)
+        or matrix_continuwuity_systemd_service_result.changed | default(false)
+        or matrix_continuwuity_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-dendrite/defaults/main.yml

@@ -361,3 +361,13 @@ matrix_dendrite_media_api_max_thumbnail_generators: 10
 
 # Controls whether the full-text search engine is enabled
 matrix_dendrite_sync_api_search_enabled: false
+
+# matrix_dendrite_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_dendrite_restart_necessary: false

roles/custom/matrix-dendrite/tasks/setup_install.yml

@@ -55,10 +55,10 @@
     force_source: "{{ matrix_dendrite_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_container_image_force_pull }}"
   when: "not matrix_dendrite_container_image_self_build | bool"
-  register: result
+  register: matrix_dendrite_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_dendrite_container_image_pull_result is not failed
 
 # We do this so that the signing key would get generated.
 # We don't use the `docker_container` module, because using it with `cap_drop` requires
@@ -89,6 +89,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_dendrite_config_result
 
 - when: "matrix_dendrite_container_image_self_build | bool"
   block:
@@ -139,6 +140,21 @@
     - src: bin/create-account.j2
       dest: "{{ matrix_dendrite_bin_path }}/create-account"
       mode: "0750"
-    - src: systemd/matrix-dendrite.service.j2
+  register: matrix_dendrite_support_files_result
-      dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service"
+
-      mode: "0644"
+- name: Ensure matrix-dendrite.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-dendrite.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service"
+    mode: '0644'
+  register: matrix_dendrite_systemd_service_result
+
+- name: Determine whether Dendrite needs a restart
+  ansible.builtin.set_fact:
+    matrix_dendrite_restart_necessary: >-
+      {{
+        matrix_dendrite_config_result.changed | default(false)
+        or matrix_dendrite_support_files_result.changed | default(false)
+        or matrix_dendrite_systemd_service_result.changed | default(false)
+        or matrix_dendrite_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-element-call/defaults/main.yml

@@ -153,3 +153,13 @@ matrix_element_call_config_default_server_config_m_homeserver_server_name: "{{ m
 
 # Controls the livekit/livekit_service_url property in the config.json file.
 matrix_element_call_config_livekit_livekit_service_url: ""
+
+# matrix_element_call_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_element_call_restart_necessary: false

roles/custom/matrix-element-call/tasks/install.yml

@@ -23,6 +23,7 @@
     mode: '0640'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_element_call_config_result
 
 - name: Ensure Element Call container labels file is in place
   ansible.builtin.template:
@@ -31,16 +32,17 @@
     mode: '0640'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_element_call_support_files_result
 
 - name: Ensure Element Call container image is pulled
   community.docker.docker_image:
     name: "{{ matrix_element_call_container_image }}"
     source: pull
     force_source: "{{ matrix_element_call_container_image_force_pull }}"
-  register: element_call_image_result
+  register: matrix_element_call_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: element_call_image_result is not failed
+  until: matrix_element_call_container_image_pull_result is not failed
 
 - name: Ensure Element Call container network is created
   community.general.docker_network:
@@ -54,3 +56,14 @@
     src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
     mode: '0644'
+  register: matrix_element_call_systemd_service_result
+
+- name: Determine whether Element Call needs a restart
+  ansible.builtin.set_fact:
+    matrix_element_call_restart_necessary: >-
+      {{
+        matrix_element_call_config_result.changed | default(false)
+        or matrix_element_call_support_files_result.changed | default(false)
+        or matrix_element_call_systemd_service_result.changed | default(false)
+        or matrix_element_call_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml

@@ -40,6 +40,7 @@
       path: "{{ matrix_ldap_registration_proxy_container_src_files_path }}"
       pull: true
   when: true
+  register: matrix_ldap_registration_proxy_container_image_build_result
 
 - name: Ensure matrix_ldap_registration_proxy config installed
   ansible.builtin.template:
@@ -82,4 +83,5 @@
         matrix_ldap_registration_proxy_config_result.changed | default(false)
         or matrix_ldap_registration_proxy_support_files_result.changed | default(false)
         or matrix_ldap_registration_proxy_systemd_service_result.changed | default(false)
+        or matrix_ldap_registration_proxy_container_image_build_result.changed | default(false)
       }}

roles/custom/matrix-matrixto/tasks/install.yml

@@ -45,6 +45,7 @@
       path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}"
       pull: true
       args:
+  register: matrix_matrixto_container_image_build_result
 
 - name: Ensure Matrix.to container network is created via community.docker.docker_network
   when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module'
@@ -79,4 +80,5 @@
       {{
         matrix_matrixto_support_files_result.changed | default(false)
         or matrix_matrixto_systemd_service_result.changed | default(false)
+        or matrix_matrixto_container_image_build_result.changed | default(false)
       }}

roles/custom/matrix-media-repo/defaults/main.yml

@@ -939,3 +939,13 @@ matrix_media_repo_pgo_submit_key: "INSERT_VALUE_HERE"
 
 # Specifies whether the homeserver supports federation
 matrix_media_repo_homeserver_federation_enabled: true
+
+# matrix_media_repo_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_media_repo_restart_necessary: false

roles/custom/matrix-media-repo/tasks/setup_install.yml

@@ -35,6 +35,7 @@
   with_items:
     - env
     - labels
+  register: matrix_media_repo_support_files_result
 
 - name: Ensure media-repo configuration installed
   ansible.builtin.template:
@@ -43,6 +44,7 @@
     mode: '0640'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_media_repo_config_result
 
 - name: Ensure media-repo Docker image is pulled
   community.docker.docker_image:
@@ -51,10 +53,10 @@
     force_source: "{{ matrix_media_repo_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_media_repo_container_image_force_pull }}"
   when: "not matrix_media_repo_container_image_self_build | bool"
-  register: result
+  register: matrix_media_repo_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_media_repo_container_image_pull_result is not failed
 
 - when: "matrix_media_repo_container_image_self_build | bool"
   block:
@@ -153,3 +155,14 @@
     src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service"
     mode: '0640'
+  register: matrix_media_repo_systemd_service_result
+
+- name: Determine whether media-repo needs a restart
+  ansible.builtin.set_fact:
+    matrix_media_repo_restart_necessary: >-
+      {{
+        matrix_media_repo_config_result.changed | default(false)
+        or matrix_media_repo_support_files_result.changed | default(false)
+        or matrix_media_repo_systemd_service_result.changed | default(false)
+        or matrix_media_repo_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-synapse/defaults/main.yml

@@ -125,6 +125,17 @@ matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_stor
 # extra arguments to pass to s3-storage-provider script when starting Synapse container
 matrix_synapse_ext_s3_storage_provider_container_arguments: []
 
+# matrix_synapse_s3_storage_provider_restart_necessary controls whether the
+# s3-storage-provider migrate timer will be restarted (when true) or merely
+# started (when false) by the systemd service manager role (when conditional
+# restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files or the systemd service/timer files changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_synapse_s3_storage_provider_restart_necessary: false
+
 matrix_synapse_container_client_api_port: 8008
 
 # Controls the `x_forwarded` setting for the "Insecure HTTP listener (Client API)".
@@ -1648,6 +1659,16 @@ matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
 matrix_s3_media_store_region: "eu-central-1"
 matrix_s3_media_store_path: "{{ matrix_synapse_media_store_path }}"
 
+# matrix_goofys_restart_necessary controls whether the Goofys service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_goofys_restart_necessary: false
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_synapse_self_check_validate_certificates: true
 

roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml

@@ -27,12 +27,14 @@
     src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/env.j2"
     dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/env"
     mode: '0640'
+  register: matrix_synapse_s3_storage_provider_env_result
 
 - name: Ensure s3-storage-provider database.yaml file installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/database.yaml.j2"
     dest: "{{ matrix_synapse_ext_s3_storage_provider_data_path }}/database.yaml"
     mode: '0640'
+  register: matrix_synapse_s3_storage_provider_database_config_result
 
 - name: Ensure s3-storage-provider scripts installed
   ansible.builtin.template:
@@ -42,6 +44,7 @@
   with_items:
     - shell
     - migrate
+  register: matrix_synapse_s3_storage_provider_scripts_result
 
 - name: Ensure matrix-synapse-s3-storage-provider-migrate.service and timer are installed
   ansible.builtin.template:
@@ -52,3 +55,13 @@
     - matrix-synapse-s3-storage-provider-migrate.service
     - matrix-synapse-s3-storage-provider-migrate.timer
   register: matrix_synapse_s3_storage_provider_systemd_service_result
+
+- name: Determine whether s3-storage-provider migrate timer needs a restart
+  ansible.builtin.set_fact:
+    matrix_synapse_s3_storage_provider_restart_necessary: >-
+      {{
+        matrix_synapse_s3_storage_provider_env_result.changed | default(false)
+        or matrix_synapse_s3_storage_provider_database_config_result.changed | default(false)
+        or matrix_synapse_s3_storage_provider_scripts_result.changed | default(false)
+        or matrix_synapse_s3_storage_provider_systemd_service_result.changed | default(false)
+      }}

roles/custom/matrix-synapse/tasks/goofys/setup_install.yml

@@ -20,10 +20,10 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_s3_goofys_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_container_image_force_pull }}"
-  register: result
+  register: matrix_goofys_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_goofys_container_image_pull_result is not failed
 
 # This will throw a Permission Denied error if already mounted
 - name: Check Matrix Goofys external storage mountpoint path
@@ -47,9 +47,20 @@
     dest: "{{ matrix_synapse_config_dir_path }}/env-goofys"
     owner: root
     mode: '0600'
+  register: matrix_goofys_env_result
 
 - name: Ensure matrix-goofys.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service"
     mode: '0644'
+  register: matrix_goofys_systemd_service_result
+
+- name: Determine whether Goofys needs a restart
+  ansible.builtin.set_fact:
+    matrix_goofys_restart_necessary: >-
+      {{
+        matrix_goofys_env_result.changed | default(false)
+        or matrix_goofys_systemd_service_result.changed | default(false)
+        or matrix_goofys_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -1,9 +1,27 @@
-# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2023 - 2026 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
+
+# The version that the user has validated their setup against.
+# When empty, the user will be prompted to set this variable.
+# New users should set this to the current expected version (see below).
+# See `examples/vars.yml` and `matrix_playbook_migration_expected_version` for the recommended value.
+matrix_playbook_migration_validated_version: ''
+
+# The version that the playbook expects the user to have validated against.
+# This is bumped whenever a breaking change is introduced.
+# The value configured here needs to exist in `matrix_playbook_migration_breaking_changes` as well.
+matrix_playbook_migration_expected_version: "v2026.03.23.0"
+
+# A list of breaking changes, used to inform users what changed between their validated version and the expected version.
+matrix_playbook_migration_breaking_changes:
+  - version: "v2026.03.23.0"
+    summary: "Initial migration validation system"
+    changelog_url: "https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2026-03-22"
+
 # Controls if (`matrix_prometheus_nginxlog_exporter` -> `prometheus_nginxlog_exporter`) validation will run.
 matrix_playbook_migration_matrix_prometheus_nginxlog_exporter_migration_validation_enabled: true
 

roles/custom/matrix_playbook_migration/tasks/main.yml

@@ -1,9 +1,14 @@
-# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2022 - 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
 
+- tags:
+    - always
+  block:
+    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_migration_version.yml"
+
 - tags:
     - setup-all
     - install-all

roles/custom/matrix_playbook_migration/tasks/validate_migration_version.yml

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if migration version is not validated (first-time onboarding)
+  ansible.builtin.fail:
+    msg: >-
+      This playbook now uses a migration validation system to help you stay aware of breaking changes.
+
+      It appears that you haven't configured the `matrix_playbook_migration_validated_version` variable yet.
+
+      Please review the changelog (https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md)
+      and then add the following to your vars.yml file:
+
+      matrix_playbook_migration_validated_version: {{ matrix_playbook_migration_expected_version }}
+  when: "matrix_playbook_migration_validated_version == ''"
+
+- name: Fail if migration version is outdated
+  ansible.builtin.fail:
+    msg: |-
+      Your validated migration version ({{ matrix_playbook_migration_validated_version }}) is behind the expected version ({{ matrix_playbook_migration_expected_version }}).
+
+      The following breaking changes have been introduced since your last validation:
+
+      {% for item in matrix_playbook_migration_breaking_changes | selectattr('version', '>', matrix_playbook_migration_validated_version) | sort(attribute='version') %}
+      - {{ item.version }}: {{ item.summary }} ({{ item.changelog_url }})
+      {% endfor %}
+
+      After reviewing the above changes and adapting your setup, update your vars.yml:
+
+      matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
+  when: "matrix_playbook_migration_validated_version != '' and matrix_playbook_migration_validated_version < matrix_playbook_migration_expected_version"