chore(deps): update matrixdotorg/sygnal docker tag to v0.17.0

Relates to 904a98d56c.

Signed-off-by: The one with the braid <info@braid.business>

.github/workflows/matrix.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v25.11.1
+        uses: ansible/ansible-lint@v25.12.0
         with:
           args: "roles/custom"
           setup_python: "true"

CHANGELOG.md

@@ -1,3 +1,11 @@
+# 2025-12-09
+
+## Traefik Cert Dumper upgrade
+
+The variable `traefik_certs_dumper_ssl_dir_path` was renamed to `traefik_certs_dumper_ssl_path`. Users who use [their own webserver with Traefik](docs/configuring-playbook-own-webserver.md) may need to adjust their configuration.
+
+The variable `traefik_certs_dumper_dumped_certificates_dir_path` was renamed to `traefik_certs_dumper_dumped_certificates_path`. Users who use [SRV Server Delegation](docs/howto-srv-server-delegation.md) may need to adjust their configuration.
+
 # 2025-11-23
 
 ## Matrix.to support

docs/configuring-playbook-own-webserver.md

@@ -51,7 +51,7 @@ matrix_playbook_reverse_proxy_type: other-traefik-container
 # Adjust to point to your Traefik container
 matrix_playbook_reverse_proxy_hostname: name-of-your-traefik-container
 
-traefik_certs_dumper_ssl_dir_path: "/path/to/your/traefiks/acme.json/directory"
+traefik_certs_dumper_ssl_path: "/path/to/your/traefiks/acme.json/directory"
 
 # Uncomment and adjust the variable below if the name of your federation entrypoint is different
 # than the default value (matrix-federation).

docs/faq.md

@@ -440,6 +440,19 @@ To prevent double-logging, Docker logging is disabled by explicitly passing `--l
 
 See [this section](maintenance-and-troubleshooting.md#how-to-see-the-logs) on the page for maintenance and troubleshooting for more details to see the logs.
 
+### The server fails to start due to the `Unable to start service matrix-coturn.service` error. Why and how to solve it?
+
+The error is most likely because Traefik cannot obtain SSL certificates due to certain reasons such as wrong domain name configuration or port 80 being unavailable due to other services.
+
+If Traefik fails to obtain an SSL certificate for domain names such as `matrix.`, Traefik Certs Dumper cannot extract the SSL certificate out of there, and coturn cannot be started and the error occurs. Refer to these comments for details:
+
+- <https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3957#issuecomment-2599590441>
+- <https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4570#issuecomment-3364111466>
+
+If you are not sure what the problem is, at first make sure that you have set the "base domain" (`example.com`, **not `matrix.example.com`**) to `matrix_domain`. You should be able to find it at the top of your `vars.yml`.
+
+If it is correctly specified, look Traefik's logs (`journalctl -fu matrix-traefik.service`) for errors by Let's Encrypt for troubleshooting.
+
 ## Miscellaneous
 
 ### I would like to see this favorite service of mine integrated and become available on my Matrix server. How can I request it?

docs/howto-srv-server-delegation.md

@@ -112,12 +112,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },
@@ -173,12 +173,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/*.' + matrix_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/*.' + matrix_domain + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },

group_vars/matrix_servers

@@ -2242,8 +2242,8 @@ matrix_postmoogle_container_image_self_build: "{{ matrix_architecture not in ['a
 matrix_postmoogle_ssl_path: |-
   {{
     {
-      'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
-      'other-traefik-container': (traefik_certs_dumper_dumped_certificates_dir_path if traefik_certs_dumper_enabled else ''),
+      'playbook-managed-traefik': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
+      'other-traefik-container': (traefik_certs_dumper_dumped_certificates_path if traefik_certs_dumper_enabled else ''),
       'none': '',
     }[matrix_playbook_reverse_proxy_type]
   }}
@@ -3088,6 +3088,8 @@ matrix_corporal_matrix_registration_shared_secret: "{{ matrix_synapse_registrati
 # We don't enable matrixto by default.
 matrix_matrixto_enabled: false
 
+matrix_matrixto_base_path: "{{ matrix_base_data_path }}/matrixto"
+
 # The container image is not provided at https://github.com/matrix-org/matrix.to
 matrix_matrixto_container_image_self_build: true
 
@@ -3189,12 +3191,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + matrix_server_fqn_matrix + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_server_fqn_matrix + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + matrix_server_fqn_matrix + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_server_fqn_matrix + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },
@@ -5879,7 +5881,7 @@ traefik_certs_dumper_base_path: "{{ matrix_base_data_path }}/traefik-certs-dumpe
 traefik_certs_dumper_uid: "{{ matrix_user_uid }}"
 traefik_certs_dumper_gid: "{{ matrix_user_gid }}"
 
-traefik_certs_dumper_ssl_dir_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
+traefik_certs_dumper_ssl_path: "{{ traefik_ssl_dir_path if traefik_enabled else '' }}"
 
 traefik_certs_dumper_container_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else traefik_certs_dumper_container_image_registry_prefix_upstream_default }}"
 
@@ -5988,12 +5990,12 @@ livekit_server_container_additional_volumes_auto: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + livekit_server_config_turn_domain + '/certificate.crt'),
          'dst': livekit_server_config_turn_cert_file,
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_dir_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + livekit_server_config_turn_domain + '/privatekey.key'),
          'dst': livekit_server_config_turn_key_file,
          'options': 'ro',
        },

i18n/requirements.txt

@@ -19,9 +19,9 @@ PyYAML==6.0.3
 requests==2.32.5
 setuptools==80.9.0
 snowballstemmer==3.0.1
-Sphinx==8.2.3
+Sphinx==9.0.4
 sphinx-intl==2.3.2
-sphinx-markdown-builder==0.6.8
+sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.5.0
+urllib3==2.6.1

requirements.yml

@@ -4,16 +4,16 @@
   version: v1.0.0-5
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.2-2.0.11-1
+  version: v1.4.2-2.0.12-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.4.1-2
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.8.0
+  version: 7.9.0
   name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
-  version: 129c8590e106b83e6f4c259649a613c6279e937a
+  version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
   version: v2.5.2-2
@@ -28,13 +28,13 @@
   version: v10655-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.4-0
+  version: v1.9.7-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
   version: v2.15.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
-  version: 7663e3114513e56f28d3ed762059b445c678a71a
+  version: 8630e4f1749bcb659c412820f754473f09055052
   name: playbook_help
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages.git
   version: 9b4b088c62b528b73a9a7c93d3109b091dd42ec6
@@ -43,13 +43,13 @@
   version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.1-0
+  version: v18.1-3
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
   version: v18-0
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.7.3-1
+  version: v3.8.0-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
   version: v1.9.1-12
@@ -64,13 +64,13 @@
   version: v1.0.0-4
   name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
-  version: v1.1.0-0
+  version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.2-0
+  version: v3.6.4-0
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-2
+  version: v2.10.0-3
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
   version: v9-0

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.11.12
+matrix_alertmanager_receiver_version: 2025.11.26
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-appservice-draupnir-for-all/tasks/validate_config.yml

@@ -13,7 +13,7 @@
   with_items:
     - "matrix_appservice_draupnir_for_all_config_adminRoom"
     - "matrix_bot_draupnir_container_network"
-  when: "vars[item] == '' or vars[item] is none"
+  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
 
 - name: (Deprecation) Catch and report renamed matrix-appservice-draupnir-for-all settings
   ansible.builtin.fail:

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.6.0
+matrix_authentication_service_version: 1.8.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml

@@ -19,7 +19,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_authentication_service_syn2mas_synapse_homeserver_config_path', when: true}
 

roles/custom/matrix-authentication-service/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_authentication_service_hostname', when: true}
     - {'name': 'matrix_authentication_service_config_database_username', when: true}

roles/custom/matrix-base/defaults/main.yml

@@ -273,7 +273,7 @@ matrix_metrics_exposure_http_basic_auth_users: ''
 #     - nevertheless, the playbook expects that you would install Traefik yourself via other means
 #     - you should make sure your Traefik configuration is compatible with what the playbook would have configured (web, web-secure, matrix-federation entrypoints, etc.)
 #     - you need to set `matrix_playbook_reverse_proxyable_services_additional_network` to the name of your Traefik network
-#     - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_dir_path`)
+#     - Traefik certs dumper will be enabled by default (`traefik_certs_dumper_enabled`). You need to point it to your Traefik's SSL certificates (`traefik_certs_dumper_ssl_path`)
 #
 # - `none`
 #     - no reverse-proxy will be installed

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.8.2
+matrix_bot_baibot_version: v1.10.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -101,7 +101,7 @@ matrix_bot_draupnir_password: "{{ matrix_bot_draupnir_pantalaimon_password }}"
 # Controls if we activate the config block for Pantalaimon for now. Its name will
 # probably be changed for our usecase due to Draupnir's push to scrub Pantalaimon from the codebase.
 # This configuration option does not follow the common naming schema as its not controlling a config key directly.
-matrix_bot_draupnir_login_native: ""
+matrix_bot_draupnir_login_native: false
 
 # The room ID where people can use the bot. The bot has no access controls, so
 # anyone in this room can use the bot - secure your room!

roles/custom/matrix-bot-draupnir/tasks/validate_config.yml

@@ -44,7 +44,7 @@
     - {'name': 'matrix_bot_draupnir_config_rawHomeserverUrl', when: true}
     - {'name': 'matrix_bot_draupnir_pantalaimon_username', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_pantalaimon_password', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
-  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail if Draupnir room hijacking enabled without enabling the Synapse Admin API
   ansible.builtin.fail:
@@ -57,7 +57,7 @@
   with_items:
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_draupnir_config_accessToken', when: "{{ matrix_bot_draupnir_login_native }}"}
-  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail when matrix_bot_draupnir_config_experimentalRustCrypto is enabled together with matrix_bot_draupnir_pantalaimon_use
   ansible.builtin.fail:

roles/custom/matrix-bot-matrix-registration-bot/tasks/validate_config.yml

@@ -10,7 +10,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_bot_matrix_registration_bot_bot_password"
     - "matrix_bot_matrix_registration_bot_api_base_url"

roles/custom/matrix-bot-mjolnir/tasks/validate_config.yml

@@ -18,14 +18,14 @@
     - {'name': 'matrix_bot_mjolnir_raw_homeserver_url', when: true}
     - {'name': 'matrix_bot_mjolnir_pantalaimon_username', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
     - {'name': 'matrix_bot_mjolnir_pantalaimon_password', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
-  when: "item.when | bool and (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: Fail if inappropriate variables are defined
   ansible.builtin.fail:
     msg: "The `{{ item.name }}` variable must be undefined or have a null value."
   with_items:
     - {'name': 'matrix_bot_mjolnir_access_token', when: "{{ matrix_bot_mjolnir_pantalaimon_use }}"}
-  when: "item.when | bool and not (vars[item.name] == '' or vars[item.name] is none)"
+  when: "item.when | bool and not (lookup('vars', item.name, default='') == '' or lookup('vars', item.name, default='') is none)"
 
 - name: (Deprecation) Catch and report renamed Mjolnir settings
   ansible.builtin.fail:

roles/custom/matrix-bridge-hookshot/tasks/validate_config.yml

@@ -51,7 +51,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_appservice_token"
     - "matrix_hookshot_homeserver_address"
@@ -62,7 +62,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable GitHub.
-  when: "matrix_hookshot_github_enabled and vars[item] == ''"
+  when: "matrix_hookshot_github_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_github_auth_id"
     - "matrix_hookshot_github_webhook_secret"
@@ -71,7 +71,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable GitHub OAuth.
-  when: "matrix_hookshot_github_oauth_enabled and vars[item] == ''"
+  when: "matrix_hookshot_github_oauth_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_github_oauth_client_id"
     - "matrix_hookshot_github_oauth_client_secret"
@@ -80,7 +80,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable Jira.
-  when: "matrix_hookshot_jira_enabled and vars[item] == ''"
+  when: "matrix_hookshot_jira_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_jira_webhook_secret"
 
@@ -88,7 +88,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) to enable Jira OAuth.
-  when: "matrix_hookshot_jira_oauth_enabled and vars[item] == ''"
+  when: "matrix_hookshot_jira_oauth_enabled and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_hookshot_jira_oauth_client_id"
     - "matrix_hookshot_jira_oauth_client_secret"

roles/custom/matrix-bridge-mautrix-wsproxy/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_mautrix_androidsms_appservice_token"
     - "matrix_mautrix_androidsms_homeserver_token"

roles/custom/matrix-bridge-sms/tasks/validate_config.yml

@@ -11,7 +11,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_sms_bridge_appservice_token"
     - "matrix_sms_bridge_homeserver_hostname"

roles/custom/matrix-bridge-zulip/tasks/setup_uninstall.yml

@@ -15,7 +15,7 @@
   block:
     - name: Ensure matrix-bridge-zulip is stopped
       ansible.builtin.service:
-        name: matrix-bridge-zulip
+        name: matrix-zulip-bridge
         state: stopped
         enabled: false
         daemon_reload: true

roles/custom/matrix-cactus-comments-client/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_cactus_comments_client_public_path: "{{ matrix_cactus_comments_client_bas
 matrix_cactus_comments_client_public_path_file_permissions: "0644"
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_cactus_comments_client_version: 2.39.0
+matrix_cactus_comments_client_version: 2.40.1
 
 matrix_cactus_comments_client_container_image: "{{ matrix_cactus_comments_client_container_image_registry_prefix }}joseluisq/static-web-server:{{ matrix_cactus_comments_client_container_image_tag }}"
 matrix_cactus_comments_client_container_image_registry_prefix: "{{ matrix_cactus_comments_client_container_image_registry_prefix_upstream }}"

roles/custom/matrix-cactus-comments-client/tasks/validate_config.yml

@@ -8,7 +8,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_cactus_comments_client_hostname
     - matrix_cactus_comments_client_path_prefix

roles/custom/matrix-cactus-comments-client/templates/systemd/matrix-cactus-comments-client.service.j2

@@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--env-file={{ matrix_cactus_comments_client_base_path }}/env \
 			--label-file={{ matrix_cactus_comments_client_base_path }}/labels \
-			--mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/public,ro \
+			--mount type=bind,src={{ matrix_cactus_comments_client_public_path }},dst=/var/public,ro \
 			{{ matrix_cactus_comments_client_container_image }}
 
 {% for network in matrix_cactus_comments_client_container_additional_networks %}

roles/custom/matrix-cactus-comments/tasks/validate_config.yml

@@ -24,7 +24,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_cactus_comments_as_token"
     - "matrix_cactus_comments_hs_token"

roles/custom/matrix-client-cinny/tasks/validate_config.yml

@@ -36,7 +36,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_cinny_container_labels_traefik_hostname
         - matrix_client_cinny_container_labels_traefik_path_prefix

roles/custom/matrix-client-element/defaults/main.yml

@@ -26,10 +26,10 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 # Controls whether to patch webpack.config.js when self-building, so that building can pass on low-memory systems (< 4 GB RAM):
 # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1357
 # - https://github.com/element-hq/element-web/issues/19544
-matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_memtotal_mb < 4096 }}"
+matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.4
+matrix_client_element_version: v1.12.6
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`) for using FluffyChat Web.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_client_fluffychat_container_network
 
@@ -27,7 +27,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_fluffychat_container_labels_traefik_hostname
         - matrix_client_fluffychat_container_labels_traefik_path_prefix

roles/custom/matrix-client-hydrogen/tasks/validate_config.yml

@@ -30,7 +30,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_hydrogen_container_labels_traefik_hostname
         - matrix_client_hydrogen_container_labels_traefik_path_prefix

roles/custom/matrix-client-schildichat/tasks/validate_config.yml

@@ -20,7 +20,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`) for using SchildiChat Web.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_client_schildichat_default_hs_url
     - matrix_client_schildichat_container_network
@@ -39,7 +39,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_client_schildichat_container_labels_traefik_hostname
         - matrix_client_schildichat_container_labels_traefik_path_prefix

roles/custom/matrix-corporal/tasks/validate_config.yml

@@ -10,7 +10,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_corporal_container_network"
     - "matrix_corporal_matrix_homeserver_api_endpoint"

roles/custom/matrix-dimension/tasks/validate_config.yml

@@ -39,7 +39,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_dimension_container_labels_traefik_hostname
         - matrix_dimension_container_labels_traefik_path_prefix

roles/custom/matrix-element-admin/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true
 
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.8
+matrix_element_admin_version: 0.1.9
 
 matrix_element_admin_scheme: https
 

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.16.1
+matrix_element_call_version: v0.16.3
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-element-call/tasks/validate_config.yml

@@ -17,7 +17,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_element_call_container_network', when: true}
     - {'name': 'matrix_element_call_hostname', when: true}

roles/custom/matrix-ldap-registration-proxy/tasks/validate_config.yml

@@ -11,7 +11,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_ldap_registration_proxy_hostname"
     - "matrix_ldap_registration_proxy_ldap_uri"

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.3.0
+matrix_livekit_jwt_service_version: 0.4.0
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"
@@ -68,8 +68,15 @@ matrix_livekit_jwt_service_container_labels_additional_labels: ''
 # A list of extra arguments to pass to the container
 matrix_livekit_jwt_service_container_extra_arguments: []
 
-# Controls the LK_JWT_PORT environment variable
-matrix_livekit_jwt_service_environment_variable_livekit_jwt_port: 8080
+# Controls the port that the service listens on internally in the container.
+# This is still used for Traefik configuration and container port binding.
+matrix_livekit_jwt_service_container_port: 8080
+
+# Controls the LIVEKIT_JWT_BIND environment variable.
+# This is the preferred method in v0.4.0+, replacing the deprecated LIVEKIT_JWT_PORT.
+# Format: "host:port" or ":port" (to bind to all interfaces).
+# The default ":8080" binds to all interfaces on port 8080.
+matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind: ":{{ matrix_livekit_jwt_service_container_port }}"
 
 # Controls the LIVEKIT_KEY environment variable
 matrix_livekit_jwt_service_environment_variable_livekit_key: ""

roles/custom/matrix-livekit-jwt-service/tasks/main.yml

@@ -8,7 +8,7 @@
 
 - tags:
     - setup-all
-    - setup-jwt-service
+    - setup-livekit-jwt-service
     - install-all
     - install-livekit-jwt-service
   block:

roles/custom/matrix-livekit-jwt-service/tasks/validate_config.yml

@@ -6,11 +6,20 @@
 
 ---
 
+- name: (Deprecation) Catch and report renamed LiveKit JWT Service settings
+  ansible.builtin.fail:
+    msg: >-
+      Your configuration contains a variable, which now has a different name.
+      Please rename the variable (`{{ item.old }}` -> `{{ item.new }}`) on your configuration file (vars.yml).
+  when: "lookup('ansible.builtin.varnames', ('^' + item.old + '$'), wantlist=True) | length > 0"
+  with_items:
+    - {'old': 'matrix_livekit_jwt_service_environment_variable_livekit_jwt_port', 'new': 'matrix_livekit_jwt_service_container_port'}
+
 - name: Fail if required LiveKit JWT Service settings are not defined
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_livekit_jwt_service_hostname', when: true}
     - {'name': 'matrix_livekit_jwt_service_container_network', when: true}

roles/custom/matrix-livekit-jwt-service/templates/env.j2

@@ -5,7 +5,7 @@ SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 SPDX-License-Identifier: AGPL-3.0-or-later
 #}
 
-LIVEKIT_JWT_PORT={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port | int | to_json }}
+LIVEKIT_JWT_BIND={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_bind }}
 
 LIVEKIT_KEY={{ matrix_livekit_jwt_service_environment_variable_livekit_key }}
 LIVEKIT_URL={{ matrix_livekit_jwt_service_environment_variable_livekit_url }}

roles/custom/matrix-livekit-jwt-service/templates/labels.j2

@@ -10,7 +10,7 @@ traefik.enable=true
 
 traefik.docker.network={{ matrix_livekit_jwt_service_container_labels_traefik_docker_network }}
 
-traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port }}
+traefik.http.services.matrix-livekit-jwt-service.loadbalancer.server.port={{ matrix_livekit_jwt_service_container_port }}
 
 {% set middlewares = [] %}
 

roles/custom/matrix-livekit-jwt-service/templates/systemd/matrix-livekit-jwt-service.service.j2

@@ -20,7 +20,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
     --cap-drop=ALL \
     --network={{ matrix_livekit_jwt_service_container_network }} \
     {% if matrix_livekit_jwt_service_container_http_host_bind_port %}
-    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_environment_variable_livekit_jwt_port }} \
+    -p {{ matrix_livekit_jwt_service_container_http_host_bind_port }}:{{ matrix_livekit_jwt_service_container_port }} \
     {% endif %}
     --env-file={{ matrix_livekit_jwt_service_base_path }}/env \
     --label-file={{ matrix_livekit_jwt_service_base_path }}/labels \

roles/custom/matrix-pantalaimon/tasks/validate_config.yml

@@ -9,7 +9,7 @@
     msg: "The `{{ item }}` variable must be defined and have a non-null value."
   with_items:
     - "matrix_pantalaimon_homeserver_url"
-  when: "vars[item] == '' or vars[item] is none"
+  when: "lookup('vars', item, default='') == '' or lookup('vars', item, default='') is none"
 
 - name: (Deprecation) Catch and report renamed Pantalaimon variables
   ansible.builtin.fail:

roles/custom/matrix-rageshake/defaults/main.yml

@@ -24,7 +24,7 @@ matrix_rageshake_path_prefix: /
 # There are no stable container image tags yet.
 # See: https://github.com/matrix-org/rageshake/issues/69
 # renovate: datasource=docker depName=ghcr.io/matrix-org/rageshake
-matrix_rageshake_version: 1.17.0
+matrix_rageshake_version: 1.17.1
 
 matrix_rageshake_base_path: "{{ matrix_base_data_path }}/rageshake"
 matrix_rageshake_config_path: "{{ matrix_rageshake_base_path }}/config"

roles/custom/matrix-rageshake/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_rageshake_hostname
     - matrix_rageshake_path_prefix
@@ -29,7 +29,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_rageshake_container_labels_traefik_hostname
         - matrix_rageshake_container_labels_traefik_path_prefix

roles/custom/matrix-static-files/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_static_files_enabled: true
 matrix_static_files_identifier: matrix-static-files
 
 # renovate: datasource=docker depName=joseluisq/static-web-server
-matrix_static_files_version: 2.39.0
+matrix_static_files_version: 2.40.1
 
 matrix_static_files_base_path: "{{ matrix_base_data_path }}/{{ 'static-files' if matrix_static_files_identifier == 'matrix-static-files' else matrix_static_files_identifier }}"
 matrix_static_files_config_path: "{{ matrix_static_files_base_path }}/config"

roles/custom/matrix-static-files/tasks/validate_config.yml

@@ -8,7 +8,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_hostname', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"}
     - {'name': 'matrix_static_files_container_labels_well_known_matrix_endpoint_traefik_path_prefix', when: "{{ matrix_static_files_container_labels_well_known_matrix_endpoint_enabled }}"}

roles/custom/matrix-static-files/templates/systemd/matrix-static-files.service.j2

@@ -29,7 +29,7 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--env-file={{ matrix_static_files_base_path }}/env \
 			--label-file={{ matrix_static_files_base_path }}/labels \
-			--mount type=bind,src={{ matrix_static_files_public_path }},dst=/public,ro \
+			--mount type=bind,src={{ matrix_static_files_public_path }},dst=/var/public,ro \
 			--mount type=bind,src={{ matrix_static_files_config_path }},dst=/config,ro \
 			{{ matrix_static_files_container_image }}
 

roles/custom/matrix-sygnal/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_sygnal_hostname: ''
 matrix_sygnal_path_prefix: /
 
 # renovate: datasource=docker depName=matrixdotorg/sygnal
-matrix_sygnal_version: v0.15.1
+matrix_sygnal_version: v0.17.0
 
 matrix_sygnal_base_path: "{{ matrix_base_data_path }}/sygnal"
 matrix_sygnal_config_path: "{{ matrix_sygnal_base_path }}/config"

roles/custom/matrix-sygnal/tasks/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_sygnal_hostname
     - matrix_sygnal_path_prefix
@@ -21,7 +21,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_sygnal_container_labels_traefik_hostname
         - matrix_sygnal_container_labels_traefik_path_prefix

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke49
+matrix_synapse_admin_version: v0.11.1-etke50
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-synapse-admin/tasks/validate_config.yml

@@ -26,7 +26,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`).
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_synapse_admin_container_labels_traefik_hostname
         - matrix_synapse_admin_container_labels_traefik_path_prefix

roles/custom/matrix-synapse-auto-compressor/tasks/validate_config.yml

@@ -20,7 +20,7 @@
   ansible.builtin.fail:
     msg: >
       You need to define a required configuration setting (`{{ item }}`).
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - matrix_synapse_auto_compressor_database_hostname
     - matrix_synapse_auto_compressor_database_password

roles/custom/matrix-synapse-reverse-proxy-companion/defaults/main.yml

@@ -24,7 +24,7 @@
 matrix_synapse_reverse_proxy_companion_enabled: true
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.29.3-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.29.4-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.142.1
+matrix_synapse_version: v1.144.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -675,7 +675,7 @@ matrix_synapse_caches_sync_response_cache_duration: "2m"
 # Controls how much memory this role thinks is available for cache-size-related calculations.
 # By default, all of the server's memory is taken into account, but you can adjust this.
 # You can also go for directly adjusting cache-sizes (matrix_synapse_cache_autotuning_max_cache_memory_usage, matrix_synapse_cache_autotuning_target_cache_memory_usage) instead of adjusting this.
-matrix_synapse_cache_size_calculations_memtotal_bytes: "{{ (ansible_memtotal_mb * 1024 * 1024) | int }}"
+matrix_synapse_cache_size_calculations_memtotal_bytes: "{{ (ansible_facts['memtotal_mb'] * 1024 * 1024) | int }}"
 
 # Controls the cap to use for matrix_synapse_cache_autotuning_max_cache_memory_usage.
 matrix_synapse_cache_size_calculations_max_cache_memory_usage_cap_bytes: "{{ (2 * 1024 * 1024 * 1024) }}"  # 2GB

roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/validate_config.yml

@@ -9,7 +9,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_bucket"
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_region_name"
@@ -19,7 +19,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using s3-storage-provider.
-  when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and vars[item] == ''"
+  when: "not matrix_synapse_ext_synapse_s3_storage_provider_config_ec2_instance_profile | bool and lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id"
     - "matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key"

roles/custom/matrix-synapse/tasks/ext/synapse-http-antispam/validate_config.yml

@@ -8,7 +8,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item }}`) for using synapse-http-antispam.
-  when: "vars[item] == ''"
+  when: "lookup('vars', item, default='') == ''"
   with_items:
     - "matrix_synapse_ext_synapse_http_antispam_enabled"
     - "matrix_synapse_ext_synapse_http_antispam_config_base_url"

roles/custom/matrix-synapse/tasks/validate_config.yml

@@ -10,7 +10,7 @@
   ansible.builtin.fail:
     msg: >-
       You need to define a required configuration setting (`{{ item.name }}`).
-  when: "item.when | bool and vars[item.name] | string | length == 0"
+  when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_synapse_username', when: true}
     - {'name': 'matrix_synapse_uid', when: true}
@@ -48,7 +48,7 @@
   ansible.builtin.fail:
     msg: >-
       `{{ item }}` cannot be more than 1. This is a single-instance worker.
-  when: "vars[item] | int > 1"
+  when: "lookup('vars', item, default='') | int > 1"
   with_items:
     - "matrix_synapse_workers_appservice_workers_count"
     - "matrix_synapse_workers_user_dir_workers_count"
@@ -138,7 +138,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_enabled`.
-      when: "vars[item] == ''"
+      when: "lookup('vars', item, default='') == ''"
       with_items:
         - matrix_synapse_container_image_customizations_templates_git_repository_url
         - matrix_synapse_container_image_customizations_templates_git_repository_branch
@@ -147,7 +147,7 @@
       ansible.builtin.fail:
         msg: >-
           You need to define a required configuration setting (`{{ item }}`) when enabling `matrix_synapse_container_image_customizations_templates_git_repository_keyscan`.
-      when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and vars[item] == ''"
+      when: "matrix_synapse_container_image_customizations_templates_git_repository_keyscan_enabled | bool and lookup('vars', item, default='') == ''"
       with_items:
         - matrix_synapse_container_image_customizations_templates_git_repository_keyscan_hostname
 
@@ -166,7 +166,7 @@
 - name: Fail if known Synapse password provider modules are enabled when auth is delegated to Matrix Authentication Service
   ansible.builtin.fail:
     msg: "When Synapse is delegating authentication to Matrix Authentication Service (`matrix_synapse_matrix_authentication_service_enabled: true`), it does not make sense to enable password provider modules, because it is not Synapse that is handling authentication. Please disable {{ item }} before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
-  when: matrix_synapse_matrix_authentication_service_enabled and vars[item] | bool
+  when: matrix_synapse_matrix_authentication_service_enabled and lookup('vars', item, default='') | bool
   with_items:
     - matrix_synapse_ext_password_provider_rest_auth_enabled
     - matrix_synapse_ext_password_provider_shared_secret_auth_enabled

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -55,7 +55,7 @@ matrix_playbook_migration_matrix_postmoogle_migration_validation_enabled: true
 # - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/2999
 # - https://github.com/geerlingguy/ansible-role-docker/pull/410
 matrix_playbook_migration_debian_signedby_migration_enabled: true
-matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_distribution | lower }}.list"
+matrix_playbook_migration_debian_signedby_migration_repository_path: "/etc/apt/sources.list.d/download_docker_com_linux_{{ ansible_facts['distribution'] | lower }}.list"
 
 # Controls if the old apt repository for Docker (`signed-by=/etc/apt/trusted.gpg.d/docker.asc`) will be removed,
 # so that the Docker role (7.2.0+) can install a new non-conflicting one (`signed-by=/etc/apt/keyrings/docker.asc`).