Add pre-commit check for migration version sync between defaults and examples/vars.yml

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/matrix.yml

@@ -9,34 +9,37 @@ name: Matrix CI
 
 on: [push, pull_request]  # yamllint disable-line rule:truthy
 
+permissions:
+  contents: read
+
 jobs:
-  yamllint:
-    name: yamllint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out
-        uses: actions/checkout@v6
-      - name: Run yamllint
-        uses: frenck/action-yamllint@v1.5.0
-  ansible-lint:
-    name: ansible-lint
+  prek:
+    name: Run prek hooks
     runs-on: ubuntu-latest
+    container:
+      image: docker.io/archlinux:base-devel
+
     steps:
+      # git must be installed before checkout so it does a proper clone
+      # (with .git directory) instead of a tarball download.
+      - name: Install git
+        run: pacman -Sy --noconfirm git
+
       - name: Check out
         uses: actions/checkout@v6
 
-      - name: Run ansible-lint
-        uses: ansible/ansible-lint@v26.1.1
+      - name: Restore prek cache
+        uses: actions/cache@v5
         with:
-          args: "roles/custom"
-          setup_python: "true"
-          working_directory: ""
-          requirements_file: requirements.yml
-  precommit:
-    name: Run pre-commit
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v6
-      - name: Run pre-commit
-        uses: pre-commit/action@v3.0.1
+          path: var/prek
+          key: arch-prek-v1-${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Install dependencies
+        run: pacman -S --noconfirm --needed just mise python
+
+      - name: Run prek hooks
+        run: |
+          # The checkout action sets safe.directory using its own bundled
+          # git, which is separate from the pacman-installed git that prek uses.
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          just prek-run-on-all

.gitignore

@@ -4,6 +4,7 @@
 .python-version
 .idea/
 .direnv/
+/var/
 
 # ignore roles pulled by ansible-galaxy
 /roles/galaxy/*

.pre-commit-config.yaml

@@ -1,22 +1,21 @@
 ---
-default_install_hook_types: [pre-push]
 
-exclude: "LICENSES/"
+exclude: "^(LICENSES/|var/)"
 
 # See: https://pre-commit.com/hooks.html
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v6.0.0
     hooks:
-      # - id: check-executables-have-shebangs
       - id: check-added-large-files
       - id: check-case-conflict
       - id: check-json
+      - id: check-shebang-scripts-are-executable
       - id: check-toml
       - id: trailing-whitespace
       - id: end-of-file-fixer
   - repo: https://github.com/codespell-project/codespell
-    rev: v2.4.1
+    rev: v2.4.2
     hooks:
       - id: codespell
         args: ["--skip=*.po,*.pot,i18n/"]
@@ -24,3 +23,18 @@ repos:
     rev: v6.2.0
     hooks:
       - id: reuse
+  - repo: https://github.com/ansible/ansible-lint
+    rev: v26.3.0
+    hooks:
+      - id: ansible-lint
+        files: '^roles/custom/'
+        args: ['roles/custom']
+        pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-examples-vars-migration-version
+        name: Check examples/vars.yml migration version matches expected
+        entry: bin/check-examples-vars-migration-version.sh
+        language: script
+        files: '(examples/vars\.yml|roles/custom/matrix_playbook_migration/defaults/main\.yml)'
+        pass_filenames: false

CHANGELOG.md

@@ -1,3 +1,69 @@
+# 2026-03-23
+
+## Migration validation system introduced
+
+Previously, when updating your setup, you had to remember to read the [CHANGELOG](CHANGELOG.md) file or risk breakage.
+
+Now, the playbook includes a migration validation system that ensures you're aware of breaking changes before they affect your deployment.
+You're now forced to acknowledge each breaking change, unless you wish to live dangerously (see below).
+
+A new `matrix_playbook_migration_validated_version` variable has been introduced.
+
+**New users** who started from the [example `vars.yml`](examples/vars.yml) file already have this variable set and do not need to do anything.
+
+**Existing users** will need to add the following to their `vars.yml` file after reviewing all changelog entries up to now:
+
+```yml
+matrix_playbook_migration_validated_version: v2026.03.23.0
+```
+
+Going forward, whenever a breaking change is introduced the playbook will:
+
+- bump its expected version value (`matrix_playbook_migration_expected_version`), causing a discrepancy with what you validated (`matrix_playbook_migration_validated_version`)
+
+- fail when you run it with a helpful message listing what changed and linking to the relevant changelog entries
+
+After reviewing and adapting your setup, you simply update the variable to the new version.
+
+If you'd like to live dangerously and skip these checks (not recommended), you can set this once and be done with it:
+
+```yml
+matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
+```
+
+# 2026-03-19
+
+## Matrix Authentication Service now prefers UNIX sockets for playbook-managed Postgres
+
+When [Matrix Authentication Service](docs/configuring-playbook-matrix-authentication-service.md) (MAS) uses the playbook-managed Postgres service, it now connects to it via a [UNIX socket](https://en.wikipedia.org/wiki/Unix_domain_socket) by default instead of TCP.
+
+This follows the same approach [applied to Synapse](#synapse-now-prefers-unix-sockets-for-playbook-managed-postgres-and-valkey) and reduces unnecessary container-network wiring, keeping local IPC off the network stack.
+
+If you use an external Postgres server for MAS, this does not change your setup.
+
+If you'd like to keep the previous TCP-based behavior, add the following configuration to your `vars.yml`:
+
+```yaml
+matrix_authentication_service_config_database_socket_enabled: false
+```
+
+# 2026-03-17
+
+## Synapse now prefers UNIX sockets for playbook-managed Postgres and Valkey
+
+When Synapse uses the playbook-managed Postgres and Valkey services, it now connects to them via [UNIX sockets](https://en.wikipedia.org/wiki/Unix_domain_socket) by default instead of TCP.
+
+This reduces unnecessary container-network wiring and keeps local IPC off the network stack, which is a bit simpler and slightly more secure.
+
+If you use an external Postgres server or external Redis/Valkey for Synapse, this does not change your setup.
+
+If you'd like to keep the previous TCP-based behavior, add the following configuration to your `vars.yml`:
+
+```yaml
+matrix_synapse_database_socket_enabled: false
+matrix_synapse_redis_path_enabled: false
+```
+
 # 2026-03-01
 
 ## (Potential BC Break) Synapse S3 media prefix is now applied consistently

bin/check-examples-vars-migration-version.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+# Ensures that the migration validated version in examples/vars.yml
+# matches the expected version in the matrix_playbook_migration role defaults.
+
+set -euo pipefail
+
+defaults_file="roles/custom/matrix_playbook_migration/defaults/main.yml"
+examples_file="examples/vars.yml"
+
+expected_version=$(grep -oP '^matrix_playbook_migration_expected_version:\s*"?\K[^"]+' "$defaults_file")
+examples_version=$(grep -oP '^matrix_playbook_migration_validated_version:\s*"?\K[^"]+' "$examples_file")
+
+if [ -z "$expected_version" ]; then
+	echo "ERROR: Could not extract matrix_playbook_migration_expected_version from $defaults_file"
+	exit 1
+fi
+
+if [ -z "$examples_version" ]; then
+	echo "ERROR: Could not extract matrix_playbook_migration_validated_version from $examples_file"
+	exit 1
+fi
+
+if [ "$expected_version" != "$examples_version" ]; then
+	echo "ERROR: Migration version mismatch!"
+	echo "  $defaults_file has expected version: $expected_version"
+	echo "  $examples_file has validated version: $examples_version"
+	echo ""
+	echo "Please update $examples_file to match."
+	exit 1
+fi

docs/configuring-playbook-bot-baibot.md

@@ -39,16 +39,35 @@ Depending on your current `vars.yml` file and desired configuration, **you may r
 
 To enable the bot, add the following configuration to your `inventory/host_vars/matrix.example.com/vars.yml` file:
 
+Authentication can be configured in one of two mutually-exclusive ways:
+
+- **Password authentication** (`matrix_bot_baibot_config_user_password`) - recommended for most playbook-managed setups, because it integrates with automatic user creation flow used by the playbook, and auto-creates the bot account
+- **Access-token authentication** (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) - useful for specific [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md)/OIDC setups where password authentication is not available or not desired
+
+Even when [Matrix Authentication Service](configuring-playbook-matrix-authentication-service.md) is enabled, password authentication is still typically the best fit for baibot if you're using a playbook-managed bot account.
+
+For upstream details, see baibot's [🔐 Authentication](https://github.com/etkecc/baibot/blob/main/docs/configuration/authentication.md) documentation.
+
 ```yaml
 matrix_bot_baibot_enabled: true
 
 # Uncomment and adjust this part if you'd like to use a username different than the default
 # matrix_bot_baibot_config_user_mxid_localpart: baibot
 
+# Authentication mode (choose exactly one):
+#
+# 1) Password authentication (recommended for most setups)
 # Generate a strong password for the bot. You can create one with a command like `pwgen -s 64 1`.
 # If you'd like to change this password subsequently, see the details below.
 matrix_bot_baibot_config_user_password: 'PASSWORD_FOR_THE_BOT'
 
+# 2) Access-token authentication (for MAS/OIDC-enabled homeservers)
+# matrix_bot_baibot_config_user_access_token: 'YOUR_MAS_COMPATIBILITY_TOKEN_HERE'
+# matrix_bot_baibot_config_user_device_id: 'BAIBOT'
+#
+# You can generate a compatibility token for MAS with:
+# mas-cli manage issue-compatibility-token <username> [device_id]
+
 # An optional passphrase to use for backing up and recovering the bot's encryption keys.
 # You can create one with a command like `pwgen -s 64 1`.
 #
@@ -387,13 +406,15 @@ ansible-playbook -i inventory/hosts setup.yml --tags=setup-all,ensure-matrix-use
 
 **Notes**:
 
-- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account.
+- The `ensure-matrix-users-created` playbook tag makes the playbook automatically create the bot's user account when password authentication is used.
+
+- If you're using access-token authentication, the bot account must already exist and the configured token + device ID must match that account. This mode is mainly for MAS/OIDC setups where password-based bot login is not suitable.
 
 - The shortcut commands with the [`just` program](just.md) are also available: `just install-all` or `just setup-all`
 
   `just install-all` is useful for maintaining your setup quickly ([2x-5x faster](../CHANGELOG.md#2x-5x-performance-improvements-in-playbook-runtime) than `just setup-all`) when its components remain unchanged. If you adjust your `vars.yml` to remove other components, you'd need to run `just setup-all`, or these components will still remain installed.
 
-- If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password.
+- If you change the bot password (`matrix_bot_baibot_config_user_password` in your `vars.yml` file) subsequently, the bot user's credentials on the homeserver won't be updated automatically. If you'd like to change the bot user's password, use a tool like [synapse-admin](configuring-playbook-synapse-admin.md) to change it, and then update `matrix_bot_baibot_config_user_password` to let the bot know its new password. (This note applies to password authentication mode.)
 
 ## Usage
 

docs/configuring-playbook-prometheus-grafana.md

@@ -178,11 +178,11 @@ Name | Description
 `matrix_metrics_exposure_http_basic_auth_enabled`|Set this to `true` to protect all `https://matrix.example.com/metrics/*` endpoints with [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) (see the other variables below for supplying the actual credentials).
 `matrix_metrics_exposure_http_basic_auth_users`|Set this to the Basic Authentication credentials (raw `htpasswd` file content) used to protect `/metrics/*`. This htpasswd-file needs to be generated with the `htpasswd` tool and can include multiple username/password pairs.
 `prometheus_node_exporter_enabled`|Set this to `true` to enable the node (general system stats) exporter (locally, on the container network).
-`prometheus_node_exporter_container_labels_traefik_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.example.com/metrics/node-exporter`.
+`prometheus_node_exporter_container_labels_metrics_enabled`|Set this to `true` to expose the node (general system stats) metrics on `https://matrix.example.com/metrics/node-exporter`.
 `prometheus_postgres_exporter_enabled`|Set this to `true` to enable the [Postgres exporter](#enable-metrics-and-graphs-for-postgres-optional) (locally, on the container network).
-`prometheus_postgres_exporter_container_labels_traefik_enabled`|Set this to `true` to expose the [Postgres exporter](#enable-metrics-and-graphs-for-postgres-optional) metrics on `https://matrix.example.com/metrics/postgres-exporter`.
+`prometheus_postgres_exporter_container_labels_metrics_enabled`|Set this to `true` to expose the [Postgres exporter](#enable-metrics-and-graphs-for-postgres-optional) metrics on `https://matrix.example.com/metrics/postgres-exporter`.
 `prometheus_nginxlog_exporter_enabled`|Set this to `true` to enable the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) (locally, on the container network).
-`prometheus_nginxlog_exporter_container_labels_traefik_enabled`|Set this to `true` to expose the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) metrics on `https://matrix.example.com/metrics/nginxlog`.
+`prometheus_nginxlog_exporter_container_labels_metrics_enabled`|Set this to `true` to expose the [prometheus-nginxlog-exporter](#enable-metrics-and-graphs-for-nginx-logs-optional) metrics on `https://matrix.example.com/metrics/nginxlog`.
 
 ### Expose metrics of other services/roles
 

examples/vars.yml

@@ -1,4 +1,9 @@
 ---
+# This variable acknowledges that you've reviewed breaking changes up to this version.
+# The playbook will fail if this is outdated, guiding you through what changed.
+# See the changelog: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md
+matrix_playbook_migration_validated_version: v2026.03.23.0
+
 # The bare domain name which represents your Matrix identity.
 # Matrix user IDs for your server will be of the form (`@alice:example.com`).
 #

flake.nix

@@ -19,6 +19,7 @@
           devShells.default = mkShell {
             buildInputs = [
               just
+              mise
               ansible
             ];
             shellHook = ''

group_vars/matrix_servers

@@ -278,7 +278,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (backup_borg_identifier + '.timer'),
       'priority': 5000,
-      'restart_necessary': true,
+      'restart_necessary': (backup_borg_restart_necessary | bool),
       'groups': ['matrix', 'backup', 'borg'],
     }] if backup_borg_enabled else [])
     +
@@ -383,14 +383,14 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-appservice-kakaotalk.service',
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_appservice_kakaotalk_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'appservice-kakaotalk'],
     }] if matrix_appservice_kakaotalk_enabled else [])
     +
     ([{
       'name': 'matrix-appservice-kakaotalk-node.service',
       'priority': 1900,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_appservice_kakaotalk_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'appservice-kakaotalk', 'appservice-kakaotalk-node'],
     }] if matrix_appservice_kakaotalk_enabled else [])
     +
@@ -404,14 +404,14 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-wechat.service',
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_wechat_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'wechat'],
     }] if matrix_wechat_enabled else [])
     +
     ([{
       'name': 'matrix-wechat-agent.service',
       'priority': 2000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_wechat_restart_necessary | bool),
       'groups': ['matrix', 'bridges', 'wechat'],
     }] if matrix_wechat_enabled else [])
     +
@@ -621,7 +621,12 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': ('matrix-' + matrix_homeserver_implementation + '.service'),
       'priority': matrix_homeserver_systemd_service_manager_priority,
-      'restart_necessary': true,
+      'restart_necessary': (
+        (matrix_conduit_restart_necessary | bool) if matrix_homeserver_implementation == 'conduit'
+        else (matrix_continuwuity_restart_necessary | bool) if matrix_homeserver_implementation == 'continuwuity'
+        else (matrix_dendrite_restart_necessary | bool) if matrix_homeserver_implementation == 'dendrite'
+        else true
+      ),
       'groups': ['matrix', 'homeservers', matrix_homeserver_implementation],
     }] if matrix_homeserver_enabled else [])
     +
@@ -684,28 +689,28 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (jitsi_identifier + '-web.service'),
       'priority': 4200,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_web_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-web'],
     }] if jitsi_enabled else [])
     +
     ([{
       'name': (jitsi_identifier + '-prosody.service'),
       'priority': 4000,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_prosody_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-prosody'],
     }] if jitsi_enabled else [])
     +
     ([{
       'name': (jitsi_identifier + '-jicofo.service'),
       'priority': 4100,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_jicofo_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-jicofo'],
     }] if jitsi_enabled else [])
     +
     ([{
       'name': (jitsi_identifier + '-jvb.service'),
       'priority': 4100,
-      'restart_necessary': true,
+      'restart_necessary': (jitsi_jvb_restart_necessary | bool),
       'groups': ['matrix', 'jitsi', 'jitsi-jvb'],
     }] if jitsi_enabled else [])
     +
@@ -719,7 +724,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': (matrix_media_repo_identifier + '.service'),
       'priority': 4000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_media_repo_restart_necessary | bool),
       'groups': ['matrix', 'matrix-media-repo'],
     }] if matrix_media_repo_enabled else [])
     +
@@ -803,7 +808,7 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-element-call.service',
       'priority': 4000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_element_call_restart_necessary | bool),
       'groups': ['matrix', 'element-call'],
     }] if matrix_element_call_enabled else [])
     +
@@ -838,14 +843,14 @@ devture_systemd_service_manager_services_list_auto: |
     ([{
       'name': 'matrix-goofys.service',
       'priority': 800,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_goofys_restart_necessary | bool),
       'groups': ['matrix', 'goofys'],
     }] if (matrix_synapse_enabled and matrix_s3_media_store_enabled) else [])
     +
     ([{
       'name': 'matrix-synapse-s3-storage-provider-migrate.timer',
       'priority': 5000,
-      'restart_necessary': true,
+      'restart_necessary': (matrix_synapse_s3_storage_provider_restart_necessary | bool),
       'groups': ['matrix'],
     }] if (matrix_synapse_enabled and matrix_synapse_ext_synapse_s3_storage_provider_enabled) else [])
     +
@@ -1079,9 +1084,18 @@ matrix_authentication_service_enabled: false
 matrix_authentication_service_hostname: "{{ matrix_server_fqn_matrix }}"
 matrix_authentication_service_path_prefix: /auth
 
-matrix_authentication_service_config_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
+matrix_playbook_matrix_authentication_service_uses_managed_postgres: "{{ postgres_enabled }}"
+
+matrix_authentication_service_config_database_host: "{{ matrix_authentication_service_config_database_socket_path if matrix_authentication_service_config_database_socket_enabled else (postgres_connection_hostname if matrix_playbook_matrix_authentication_service_uses_managed_postgres else '') }}"
 matrix_authentication_service_config_database_password: "{{ (matrix_homeserver_generic_secret_key + ':mas.db') | hash('sha512') | to_uuid }}"
 
+# unix socket connection
+matrix_authentication_service_config_database_socket_enabled: "{{ matrix_playbook_matrix_authentication_service_uses_managed_postgres and postgres_container_unix_socket_enabled }}"
+# path to the Postgres socket's parent dir inside the MAS container
+matrix_authentication_service_config_database_socket_path: "{{ '/run-postgres' if matrix_playbook_matrix_authentication_service_uses_managed_postgres else '' }}"
+# path to the Postgres socket on the host
+matrix_authentication_service_config_database_socket_path_host: "{{ postgres_run_path if matrix_playbook_matrix_authentication_service_uses_managed_postgres else '' }}"
+
 matrix_authentication_service_config_matrix_homeserver: "{{ matrix_domain }}"
 matrix_authentication_service_config_matrix_secret: "{{ (matrix_homeserver_generic_secret_key + ':mas.hs.secret') | hash('sha512') | to_uuid }}"
 matrix_authentication_service_config_matrix_endpoint: "{{ matrix_homeserver_container_url }}"
@@ -1114,7 +1128,7 @@ matrix_authentication_service_container_network: "{{ matrix_homeserver_container
 matrix_authentication_service_container_additional_networks_auto: |-
   {{
     (
-      ([postgres_container_network] if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else [])
+      ([postgres_container_network] if (matrix_playbook_matrix_authentication_service_uses_managed_postgres and not matrix_authentication_service_config_database_socket_enabled) else [])
       +
       ([exim_relay_container_network] if (exim_relay_enabled and matrix_authentication_service_config_email_transport == 'smtp' and matrix_authentication_service_config_email_hostname == exim_relay_identifier and matrix_authentication_service_container_network != exim_relay_container_network) else [])
       +
@@ -1139,7 +1153,7 @@ matrix_authentication_service_container_labels_internal_compatibility_layer_entr
 # We'll put our dependency on the homeserver as a "want", rather than a requirement.
 matrix_authentication_service_systemd_required_services_list_auto: |
   {{
-    ([postgres_identifier ~ '.service'] if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else [])
+    ([postgres_identifier ~ '.service'] if matrix_playbook_matrix_authentication_service_uses_managed_postgres else [])
   }}
 
 # See more information about this homeserver "want" in the comment for `matrix_authentication_service_systemd_required_services_list_auto` above.
@@ -1150,9 +1164,12 @@ matrix_authentication_service_systemd_wanted_services_list_auto: |
     ([exim_relay_identifier ~ '.service'] if (exim_relay_enabled and matrix_authentication_service_config_email_transport == 'smtp' and matrix_authentication_service_config_email_hostname == exim_relay_identifier and matrix_authentication_service_container_network != exim_relay_container_network) else [])
   }}
 
-matrix_authentication_service_syn2mas_container_network: "{{ postgres_container_network if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else matrix_authentication_service_container_network }}"
+matrix_authentication_service_syn2mas_container_network: "{{ postgres_container_network if (matrix_playbook_matrix_authentication_service_uses_managed_postgres and not matrix_authentication_service_config_database_socket_enabled) else matrix_authentication_service_container_network }}"
 
 matrix_authentication_service_syn2mas_synapse_homeserver_config_path: "{{ matrix_synapse_config_dir_path + '/homeserver.yaml' if matrix_synapse_enabled else '' }}"
+matrix_authentication_service_syn2mas_synapse_database_socket_enabled: "{{ matrix_synapse_database_socket_enabled if matrix_synapse_enabled else false }}"
+matrix_authentication_service_syn2mas_synapse_database_socket_path: "{{ matrix_synapse_database_socket_path if matrix_synapse_enabled else '' }}"
+matrix_authentication_service_syn2mas_synapse_database_socket_path_host: "{{ matrix_synapse_database_socket_path_host if matrix_synapse_enabled else '' }}"
 
 ######################################################################
 #
@@ -3271,6 +3288,9 @@ matrix_pantalaimon_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }
 ######################################################################
 
 backup_borg_enabled: false
+backup_borg_mariadb_enabled: false
+backup_borg_mysql_enabled: false
+backup_borg_mongodb_enabled: false
 
 backup_borg_identifier: matrix-backup-borg
 backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
@@ -3997,7 +4017,7 @@ postgres_managed_databases_auto: |
       'name': matrix_synapse_database_database,
       'username': matrix_synapse_database_user,
       'password': matrix_synapse_database_password,
-    }] if (matrix_synapse_enabled and matrix_synapse_database_host == postgres_connection_hostname) else [])
+    }] if (matrix_synapse_enabled and matrix_playbook_synapse_uses_managed_postgres) else [])
     +
     ([{
       'name': matrix_dendrite_federation_api_database,
@@ -4041,7 +4061,7 @@ postgres_managed_databases_auto: |
       'name': matrix_authentication_service_config_database_database,
       'username': matrix_authentication_service_config_database_username,
       'password': matrix_authentication_service_config_database_password,
-    }] if (matrix_authentication_service_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname) else [])
+    }] if (matrix_authentication_service_enabled and matrix_playbook_matrix_authentication_service_uses_managed_postgres) else [])
     +
     ([{
       'name': matrix_bot_matrix_reminder_bot_database_name,
@@ -4745,9 +4765,9 @@ matrix_synapse_container_additional_networks_auto: |
     (
       ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
       +
-      ([postgres_container_network] if (postgres_enabled and postgres_container_network != matrix_synapse_container_network and matrix_synapse_database_host == postgres_connection_hostname) else [])
+      ([postgres_container_network] if (matrix_playbook_synapse_uses_managed_postgres and (not matrix_synapse_database_socket_enabled) and postgres_container_network != matrix_synapse_container_network) else [])
       +
-      ([valkey_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
+      ([valkey_container_network] if (matrix_playbook_synapse_uses_managed_valkey and (not matrix_synapse_redis_path_enabled) and valkey_container_network != matrix_synapse_container_network) else [])
       +
       ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
       +
@@ -4784,12 +4804,24 @@ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{
 matrix_synapse_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 
+# Playbook-level Synapse topology wiring helpers.
+matrix_playbook_synapse_uses_managed_postgres: "{{ postgres_enabled }}"
+matrix_playbook_synapse_uses_managed_valkey: "{{ matrix_synapse_redis_enabled and valkey_enabled }}"
+matrix_playbook_synapse_auto_compressor_uses_managed_postgres: "{{ matrix_playbook_synapse_uses_managed_postgres and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host }}"
+
 # For exposing the Synapse worker (and metrics) ports to the local host.
 matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
 
-matrix_synapse_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
+matrix_synapse_database_host: "{{ postgres_connection_hostname if matrix_playbook_synapse_uses_managed_postgres else '' }}"
 matrix_synapse_database_password: "{{ (matrix_homeserver_generic_secret_key + ':synapse.db') | hash('sha512') | to_uuid }}"
 
+# unix socket connection
+matrix_synapse_database_socket_enabled: "{{ matrix_playbook_synapse_uses_managed_postgres and postgres_container_unix_socket_enabled }}"
+# path to the Postgres socket's parent dir inside the Synapse container
+matrix_synapse_database_socket_path: "{{ '/run-postgres' if matrix_playbook_synapse_uses_managed_postgres else '' }}"
+# path to the Postgres socket on the host, using Postgres
+matrix_synapse_database_socket_path_host: "{{ postgres_run_path if matrix_playbook_synapse_uses_managed_postgres else '' }}"
+
 matrix_synapse_macaroon_secret_key: "{{ (matrix_homeserver_generic_secret_key + ':synapse.mac') | hash('sha512') | to_uuid }}"
 
 # We do not enable TLS in Synapse by default, since it's handled by Traefik.
@@ -4820,9 +4852,9 @@ matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled
 
 matrix_synapse_systemd_required_services_list_auto: |
   {{
-    ([postgres_identifier ~ '.service'] if (postgres_enabled and postgres_container_network != matrix_synapse_container_network and matrix_synapse_database_host == postgres_connection_hostname) else [])
+    ([postgres_identifier ~ '.service'] if (matrix_playbook_synapse_uses_managed_postgres and postgres_container_network != matrix_synapse_container_network) else [])
     +
-    ([valkey_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
+    ([valkey_identifier ~ '.service'] if matrix_playbook_synapse_uses_managed_valkey else [])
     +
     (['matrix-goofys.service'] if matrix_s3_media_store_enabled else [])
     +
@@ -4838,8 +4870,17 @@ matrix_synapse_systemd_wanted_services_list_auto: |
 
 # Synapse workers (used for parallel load-scaling) need Redis for IPC.
 matrix_synapse_redis_enabled: "{{ valkey_enabled }}"
-matrix_synapse_redis_host: "{{ valkey_identifier if valkey_enabled else '' }}"
-matrix_synapse_redis_password: "{{ valkey_connection_password if valkey_enabled else '' }}"
+matrix_synapse_redis_host: "{{ valkey_identifier if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+matrix_synapse_redis_password: "{{ valkey_connection_password if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+
+# unix socket connection
+matrix_synapse_redis_path_enabled: "{{ matrix_playbook_synapse_uses_managed_valkey }}"
+# path to the Redis socket's parent dir inside the Synapse container
+matrix_synapse_redis_path: "{{ '/run-valkey' if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+# redis socket filename
+matrix_synapse_redis_path_socket: "{{ '/valkey.sock' if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+# path to the Redis socket on the host, using Valkey
+matrix_synapse_redis_path_host: "{{ valkey_run_path if matrix_playbook_synapse_uses_managed_valkey else '' }}"
 
 matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
 matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"
@@ -4935,7 +4976,7 @@ matrix_synapse_auto_compressor_container_image_registry_prefix_upstream: "{{ mat
 
 matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
-matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if (postgres_enabled and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host and matrix_synapse_database_host == postgres_connection_hostname) else 'matrix-synapse-auto-compressor') }}"
+matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if matrix_playbook_synapse_auto_compressor_uses_managed_postgres else 'matrix-synapse-auto-compressor') }}"
 
 matrix_synapse_auto_compressor_database_username: "{{ matrix_synapse_database_user if matrix_synapse_enabled else '' }}"
 matrix_synapse_auto_compressor_database_password: "{{ matrix_synapse_database_password if matrix_synapse_enabled else '' }}"
@@ -4945,7 +4986,7 @@ matrix_synapse_auto_compressor_database_name: "{{ matrix_synapse_database_databa
 
 matrix_synapse_auto_compressor_systemd_required_services_list_auto: |
   {{
-    ([postgres_identifier ~ '.service'] if (matrix_synapse_auto_compressor_container_network == postgres_container_network) else [])
+    ([postgres_identifier ~ '.service'] if matrix_playbook_synapse_auto_compressor_uses_managed_postgres else [])
   }}
 
 ######################################################################
@@ -5185,11 +5226,10 @@ prometheus_node_exporter_container_network: "{{ matrix_monitoring_container_netw
 
 prometheus_node_exporter_container_additional_networks_auto: "{{ [matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network else [] }}"
 
-prometheus_node_exporter_container_labels_traefik_enabled: "{{ matrix_metrics_exposure_enabled }}"
-prometheus_node_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-prometheus_node_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-prometheus_node_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
-
+prometheus_node_exporter_container_labels_metrics_enabled: "{{ matrix_metrics_exposure_enabled }}"
+prometheus_node_exporter_container_labels_metrics_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_node_exporter_container_labels_metrics_entrypoints: "{{ traefik_entrypoint_primary }}"
+prometheus_node_exporter_container_labels_metrics_tls_certResolver: "{{ traefik_certResolver_primary }}"
 prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 prometheus_node_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
 
@@ -5225,14 +5265,13 @@ prometheus_postgres_exporter_container_additional_networks: |
   {{
     ([postgres_container_network] if (postgres_enabled and prometheus_postgres_exporter_database_hostname == postgres_connection_hostname and prometheus_postgres_exporter_container_network != postgres_container_network) else [])
     +
-    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and prometheus_postgres_exporter_container_labels_traefik_enabled else [])
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_playbook_reverse_proxyable_services_additional_network and prometheus_postgres_exporter_container_labels_metrics_enabled else [])
   }}
 
-prometheus_postgres_exporter_container_labels_traefik_enabled: "{{ matrix_metrics_exposure_enabled }}"
-prometheus_postgres_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-prometheus_postgres_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-prometheus_postgres_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
-
+prometheus_postgres_exporter_container_labels_metrics_enabled: "{{ matrix_metrics_exposure_enabled }}"
+prometheus_postgres_exporter_container_labels_metrics_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_postgres_exporter_container_labels_metrics_entrypoints: "{{ traefik_entrypoint_primary }}"
+prometheus_postgres_exporter_container_labels_metrics_tls_certResolver: "{{ traefik_certResolver_primary }}"
 prometheus_postgres_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 prometheus_postgres_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
 
@@ -5276,14 +5315,13 @@ prometheus_nginxlog_exporter_container_network_deletion_enabled: false
 
 prometheus_nginxlog_exporter_container_additional_networks_auto: |-
   {{
-    ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and prometheus_nginxlog_exporter_container_labels_traefik_enabled) else [])
+    ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and prometheus_nginxlog_exporter_container_labels_metrics_enabled) else [])
   }}
 
-prometheus_nginxlog_exporter_container_labels_traefik_enabled: "{{ matrix_metrics_exposure_enabled }}"
-prometheus_nginxlog_exporter_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
-prometheus_nginxlog_exporter_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
-prometheus_nginxlog_exporter_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"
-
+prometheus_nginxlog_exporter_container_labels_metrics_enabled: "{{ matrix_metrics_exposure_enabled }}"
+prometheus_nginxlog_exporter_container_labels_metrics_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+prometheus_nginxlog_exporter_container_labels_metrics_entrypoints: "{{ traefik_entrypoint_primary }}"
+prometheus_nginxlog_exporter_container_labels_metrics_tls_certResolver: "{{ traefik_certResolver_primary }}"
 prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_enabled: "{{ matrix_metrics_exposure_http_basic_auth_enabled }}"
 prometheus_nginxlog_exporter_container_labels_metrics_middleware_basic_auth_users: "{{ matrix_metrics_exposure_http_basic_auth_users }}"
 
@@ -5778,7 +5816,7 @@ matrix_user_creator_users_auto: |
       'username': matrix_bot_baibot_config_user_mxid_localpart,
       'initial_password': matrix_bot_baibot_config_user_password,
       'initial_type': 'bot',
-    }] if matrix_bot_baibot_enabled else [])
+    }] if matrix_bot_baibot_enabled and ((matrix_bot_baibot_config_user_password | default('', true) | string | length) > 0) else [])
     +
     ([{
       'username': matrix_bot_matrix_reminder_bot_matrix_user_id_localpart,
@@ -5861,7 +5899,10 @@ matrix_user_verification_service_container_http_host_bind_port: "{{  '' if (jits
 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{  matrix_user_verification_service_container_name }}:3000"
 
-matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
+# Using `matrix_addons_homeserver_client_api_url` would not work here,
+# because `matrix-traefik:8008` (matrix-internal-client-api) does not expose any `/_synapse` paths.
+# UVS accesses `/_synapse/admin/v1/rooms` API to check room membership.
+matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}"
 
 # We connect via the container network (private IPs), so we need to disable IP checks
 matrix_user_verification_service_uvs_disable_ip_blacklist: "{{ matrix_synapse_enabled }}"

i18n/requirements.txt

@@ -1,7 +1,7 @@
 alabaster==1.0.0
 babel==2.18.0
 certifi==2026.2.25
-charset-normalizer==3.4.4
+charset-normalizer==3.4.6
 click==8.3.1
 docutils==0.22.4
 idna==3.11
@@ -17,11 +17,11 @@ packaging==26.0
 Pygments==2.19.2
 PyYAML==6.0.3
 requests==2.32.5
-setuptools==82.0.0
+setuptools==82.0.1
 snowballstemmer==3.0.1
 Sphinx==9.1.0
 sphinx-intl==2.3.2
-sphinx-markdown-builder==0.6.9
+sphinx-markdown-builder==0.6.10
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0

justfile

@@ -4,6 +4,11 @@
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+# mise (dev tool version manager)
+mise_data_dir := env("MISE_DATA_DIR", justfile_directory() / "var/mise")
+mise_trusted_config_paths := justfile_directory() / "mise.toml"
+prek_home := env("PREK_HOME", justfile_directory() / "var/prek")
+
 # Shows help
 default:
     @{{ just_executable() }} --list --justfile "{{ justfile() }}"
@@ -39,9 +44,39 @@ update-playbook-only:
     @git pull -q
     @-git stash pop -q
 
-# Runs ansible-lint against all roles in the playbook
-lint:
-    ansible-lint
+# Invokes mise with the project-local data directory
+mise *args: _ensure_mise_data_directory
+    #!/bin/sh
+    export MISE_DATA_DIR="{{ mise_data_dir }}"
+    export MISE_TRUSTED_CONFIG_PATHS="{{ mise_trusted_config_paths }}"
+    export MISE_YES=1
+    export PREK_HOME="{{ prek_home }}"
+    mise {{ args }}
+
+# Runs prek (pre-commit hooks manager) with the given arguments
+prek *args: _ensure_mise_tools_installed
+    @{{ just_executable() }} --justfile "{{ justfile() }}" mise exec -- prek {{ args }}
+
+# Runs pre-commit hooks on staged files
+prek-run-on-staged *args: _ensure_mise_tools_installed
+    @{{ just_executable() }} --justfile "{{ justfile() }}" prek run {{ args }}
+
+# Runs pre-commit hooks on all files
+prek-run-on-all *args: _ensure_mise_tools_installed
+    @{{ just_executable() }} --justfile "{{ justfile() }}" prek run --all-files {{ args }}
+
+# Installs the git pre-commit hook
+prek-install-git-pre-commit-hook: _ensure_mise_tools_installed
+    #!/usr/bin/env sh
+    set -eu
+    {{ just_executable() }} --justfile "{{ justfile() }}" mise exec -- prek install
+    hook="{{ justfile_directory() }}/.git/hooks/pre-commit"
+    # The installed git hook runs later under Git, outside this just/mise environment.
+    # Injecting PREK_HOME keeps prek's cache under var/prek instead of a global home dir,
+    # which is more predictable and works better in sandboxed tools like Codex/OpenCode.
+    if [ -f "$hook" ] && ! grep -q '^export PREK_HOME=' "$hook"; then
+        sed -i '2iexport PREK_HOME="{{ prek_home }}"' "$hook"
+    fi
 
 # Runs the playbook with --tags=install-all,ensure-matrix-users-created,start and optional arguments
 install-all *extra_args: (run-tags "install-all,ensure-matrix-users-created,start" extra_args)
@@ -84,3 +119,12 @@ stop-group group *extra_args:
 # Rebuilds the mautrix-meta-instagram Ansible role using the mautrix-meta-messenger role as a source
 rebuild-mautrix-meta-instagram:
     /bin/bash "{{ justfile_directory() }}/bin/rebuild-mautrix-meta-instagram.sh" "{{ justfile_directory() }}/roles/custom"
+
+# Internal - ensures var/mise and var/prek directories exist
+_ensure_mise_data_directory:
+    @mkdir -p "{{ mise_data_dir }}"
+    @mkdir -p "{{ prek_home }}"
+
+# Internal - ensures mise tools are installed
+_ensure_mise_tools_installed: _ensure_mise_data_directory
+    @{{ just_executable() }} --justfile "{{ justfile() }}" mise install --quiet

mise.toml

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+[tools]
+prek = "0.3.2"
+
+[settings]
+yes = true

requirements.yml

@@ -4,20 +4,20 @@
   version: v1.0.0-6
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.3-2.1.1-1
+  version: v1.4.3-2.1.3-2
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.10.5-0
+  version: v4.11.1-1
   name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-3
+  version: v0.4.2-4
   name: container_socket_proxy
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-coturn.git
-  version: v4.9.0-0
+  version: v4.9.0-1
   name: coturn
   activation_prefix: coturn_
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ddclient.git
-  version: v4.0.0-1
+  version: v4.0.0-2
   name: ddclient
   activation_prefix: ddclient_
 - src: git+https://github.com/geerlingguy/ansible-role-docker
@@ -27,25 +27,25 @@
   version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.6.1-2
+  version: v2.6.1-3
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
-  version: v4.98.1-r0-2-3
+  version: v4.99.1-r0-0-1
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-7
+  version: v11.6.5-9
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
-  version: v0.5.1-1
+  version: v0.5.1-2
   name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10741-0
+  version: v10741-2
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.11-4
+  version: v1.9.12-1
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.17.0-1
+  version: v2.19.2-1
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 8630e4f1749bcb659c412820f754473f09055052
@@ -57,41 +57,41 @@
   version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.3-0
+  version: v18.3-1
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
-  version: v18-1
+  version: v18-2
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.10.0-0
+  version: v3.10.0-1
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-nginxlog-exporter.git
-  version: v1.10.0-0
+  version: v1.10.0-2
   name: prometheus_nginxlog_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.9.1-14
+  version: v1.10.2-0
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.19.1-0
+  version: v0.19.1-3
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.3.0-0
+  version: v1.6.0-2
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0
   name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
-  version: v3.1.0-0
+  version: v3.2.0-0
   name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.9-0
+  version: v3.6.11-2
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-5
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9.0.3-1
+  version: v9.0.3-3
   name: valkey

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.3.4
+matrix_alertmanager_receiver_version: 2026.3.18
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-appservice-draupnir-for-all/defaults/main.yml

@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2024 - 2025 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2024 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
@@ -20,7 +20,8 @@ matrix_appservice_draupnir_for_all_container_image_self_build_repo: "https://git
 matrix_appservice_draupnir_for_all_container_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_draupnir_for_all_container_image_self_build else matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream }}"
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default }}"
 matrix_appservice_draupnir_for_all_container_image_registry_prefix_upstream_default: "docker.io/"
-matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}gnuxie/draupnir:{{ matrix_appservice_draupnir_for_all_version }}"
+matrix_appservice_draupnir_for_all_container_image: "{{ matrix_appservice_draupnir_for_all_container_image_registry_prefix }}{{ matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier }}:{{ matrix_appservice_draupnir_for_all_version }}"
+matrix_appservice_draupnir_for_all_container_image_registry_namespace_identifier: "gnuxie/draupnir"
 matrix_appservice_draupnir_for_all_container_image_force_pull: "{{ matrix_appservice_draupnir_for_all_container_image.endswith(':latest') }}"
 
 matrix_appservice_draupnir_for_all_base_path: "{{ matrix_base_data_path }}/draupnir-for-all"

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.12.0
+matrix_authentication_service_version: 1.13.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -300,6 +300,15 @@ matrix_authentication_service_config_database_idle_timeout: 600
 # Controls the `database.max_lifetime` configuration setting.
 matrix_authentication_service_config_database_max_lifetime: 1800
 
+# Controls whether the database connection is made via a UNIX socket.
+matrix_authentication_service_config_database_socket_enabled: false
+
+# The path to the Postgres socket's parent directory inside the MAS container.
+matrix_authentication_service_config_database_socket_path: "/run-postgres"
+
+# The path to the Postgres socket directory on the host (bind-mount source).
+matrix_authentication_service_config_database_socket_path_host: ""
+
 ########################################################################################
 #                                                                                      #
 # /Database configuration                                                              #
@@ -613,6 +622,10 @@ matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
 
 matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
 
+matrix_authentication_service_syn2mas_synapse_database_socket_enabled: false
+matrix_authentication_service_syn2mas_synapse_database_socket_path: ""
+matrix_authentication_service_syn2mas_synapse_database_socket_path_host: ""
+
 # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
 # Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
 #

roles/custom/matrix-authentication-service/tasks/install.yml

@@ -33,6 +33,25 @@
       loop_control:
         loop_var: private_key_definition
 
+    # We intentionally do a single fixup pass here (instead of in `prepare_key.yml`)
+    # so that we reconcile both newly generated keys and any pre-existing keys with
+    # incorrect ownership/mode in one place.
+    #
+    # This primarily protects against setups where `become_user` is effectively not
+    # honored (for example due to inventory misconfiguration such as `ansible_become=false`),
+    # which can lead to host-side key generation creating root-owned files.
+    #
+    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
+    - name: Ensure Matrix Authentication Service private keys have correct ownership and mode
+      ansible.builtin.file:
+        path: "{{ matrix_authentication_service_data_keys_path }}/{{ item.key_file }}"
+        state: file
+        mode: '0600'
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
+      with_items: "{{ matrix_authentication_service_key_management_list }}"
+      register: matrix_authentication_service_private_keys_result
+
 - name: Ensure Matrix Authentication Service configuration installed
   ansible.builtin.copy:
     content: "{{ matrix_authentication_service_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -117,4 +136,5 @@
         or matrix_authentication_service_support_files_result.changed | default(false)
         or matrix_authentication_service_systemd_service_result.changed | default(false)
         or matrix_authentication_service_container_image_pull_result.changed | default(false)
+        or matrix_authentication_service_private_keys_result.changed | default(false)
       }}

roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml

@@ -71,6 +71,12 @@
       --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro
       --mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro
       --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro
+      {% if matrix_authentication_service_config_database_socket_enabled %}
+      --mount type=bind,src={{ matrix_authentication_service_config_database_socket_path_host }},dst={{ matrix_authentication_service_config_database_socket_path }}
+      {% endif %}
+      {% if matrix_authentication_service_syn2mas_synapse_database_socket_enabled and (not matrix_authentication_service_config_database_socket_enabled or matrix_authentication_service_syn2mas_synapse_database_socket_path != matrix_authentication_service_config_database_socket_path) %}
+      --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_database_socket_path_host }},dst={{ matrix_authentication_service_syn2mas_synapse_database_socket_path }}
+      {% endif %}
       {{ matrix_authentication_service_container_image }}
       syn2mas
       --synapse-config=/homeserver.yaml

roles/custom/matrix-authentication-service/tasks/validate_config.yml

@@ -14,7 +14,8 @@
     - {'name': 'matrix_authentication_service_hostname', when: true}
     - {'name': 'matrix_authentication_service_config_database_username', when: true}
     - {'name': 'matrix_authentication_service_config_database_password', when: true}
-    - {'name': 'matrix_authentication_service_config_database_host', when: true}
+    - {'name': 'matrix_authentication_service_config_database_host', when: "{{ not matrix_authentication_service_config_database_socket_enabled }}"}
+    - {'name': 'matrix_authentication_service_config_database_socket_path_host', when: "{{ matrix_authentication_service_config_database_socket_enabled }}"}
     - {'name': 'matrix_authentication_service_config_database_database', when: true}
     - {'name': 'matrix_authentication_service_config_secrets_encryption', when: true}
     - {'name': 'matrix_authentication_service_config_matrix_homeserver', when: true}

roles/custom/matrix-authentication-service/templates/systemd/matrix-authentication-service.service.j2

@@ -28,6 +28,9 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			--label-file={{ matrix_authentication_service_config_path }}/labels \
 			--mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro \
 			--mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro \
+			{% if matrix_authentication_service_config_database_socket_enabled %}
+			--mount type=bind,src={{ matrix_authentication_service_config_database_socket_path_host }},dst={{ matrix_authentication_service_config_database_socket_path }} \
+			{% endif %}
 			{% for arg in matrix_authentication_service_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-base/defaults/main.yml

@@ -246,6 +246,21 @@ matrix_integration_manager_ui_url: ~
 matrix_homeserver_container_extra_arguments_auto: []
 matrix_homeserver_app_service_config_files_auto: []
 
+# These playbook-level helpers describe which managed services Synapse should be wired to.
+# They are meant for orchestration concerns like container networking and systemd ordering,
+# while `matrix_synapse_*` variables stay focused on actual connection parameters.
+# These likely get overridden elsewhere.
+matrix_playbook_synapse_uses_managed_postgres: false
+matrix_playbook_synapse_uses_managed_valkey: false
+matrix_playbook_synapse_auto_compressor_uses_managed_postgres: false
+
+# This playbook-level helper describes whether Matrix Authentication Service should be wired
+# to the playbook-managed Postgres instance.
+# It is meant for orchestration concerns like container networking, systemd ordering, and database creation,
+# while `matrix_authentication_service_*` variables stay focused on actual connection parameters.
+# This likely gets overridden elsewhere.
+matrix_playbook_matrix_authentication_service_uses_managed_postgres: false
+
 # Controls whether various services should expose metrics publicly.
 # If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.
 matrix_metrics_exposure_enabled: false

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.14.3
+matrix_bot_baibot_version: v1.16.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -59,8 +59,28 @@ matrix_bot_baibot_config_homeserver_url: ""
 # so it can start fresh.
 matrix_bot_baibot_config_user_mxid_localpart: baibot
 
+# Authentication settings (`user.*` configuration keys).
+#
+# baibot supports 2 mutually-exclusive authentication modes.
+# Set EITHER:
+# - password authentication: `matrix_bot_baibot_config_user_password`
+# OR:
+# - access-token authentication: `matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`
+#
+# Password authentication is recommended for most playbook-managed deployments,
+# because it integrates with the `matrix-user-creator` role and can auto-create
+# the bot account (via the `ensure-matrix-users-created` playbook tag).
+# This remains true even on many MAS-enabled deployments where the bot account
+# is local and playbook-managed.
+
 # Controls the `user.password` configuration setting.
-matrix_bot_baibot_config_user_password: ''
+matrix_bot_baibot_config_user_password: null
+
+# Controls the `user.access_token` configuration setting.
+matrix_bot_baibot_config_user_access_token: null
+
+# Controls the `user.device_id` configuration setting.
+matrix_bot_baibot_config_user_device_id: null
 
 # Controls the `user.name` configuration setting.
 #
@@ -385,7 +405,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.2
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.4
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"

roles/custom/matrix-bot-baibot/tasks/validate_config.yml

@@ -12,7 +12,6 @@
   when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
     - {'name': 'matrix_bot_baibot_config_user_mxid_localpart', when: true}
-    - {'name': 'matrix_bot_baibot_config_user_password', when: true}
     - {'name': 'matrix_bot_baibot_container_network', when: true}
     - {'name': 'matrix_bot_baibot_config_homeserver_url', when: true}
 
@@ -26,6 +25,58 @@
 
     - {'name': 'matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key', when: "{{ matrix_bot_baibot_config_agents_static_definitions_openai_enabled }}"}
 
+- name: Fail if baibot authentication mode is not configured
+  ansible.builtin.fail:
+    msg: >-
+      You need to configure one baibot authentication mode:
+      either `matrix_bot_baibot_config_user_password`
+      or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`).
+  when: >-
+    (
+      matrix_bot_baibot_config_user_password | default('', true) | string | length == 0
+    )
+    and
+    (
+      matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0
+      and matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0
+    )
+
+- name: Fail if baibot authentication mode is configured ambiguously
+  ansible.builtin.fail:
+    msg: >-
+      You need to configure exactly one baibot authentication mode.
+      Set either `matrix_bot_baibot_config_user_password`,
+      or (`matrix_bot_baibot_config_user_access_token` + `matrix_bot_baibot_config_user_device_id`) but not both.
+  when: >-
+    (
+      matrix_bot_baibot_config_user_password | default('', true) | string | length > 0
+    )
+    and
+    (
+      matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0
+      or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0
+    )
+
+- name: Fail if baibot access token authentication is incomplete
+  ansible.builtin.fail:
+    msg: >-
+      Access-token authentication requires both
+      `matrix_bot_baibot_config_user_access_token` and `matrix_bot_baibot_config_user_device_id`.
+  when: >-
+    (
+      matrix_bot_baibot_config_user_password | default('', true) | string | length == 0
+    )
+    and
+    (
+      matrix_bot_baibot_config_user_access_token | default('', true) | string | length > 0
+      or matrix_bot_baibot_config_user_device_id | default('', true) | string | length > 0
+    )
+    and
+    (
+      matrix_bot_baibot_config_user_access_token | default('', true) | string | length == 0
+      or matrix_bot_baibot_config_user_device_id | default('', true) | string | length == 0
+    )
+
 - name: Fail if admin patterns list is empty
   ansible.builtin.fail:
     msg: >-

roles/custom/matrix-bot-baibot/templates/config.yaml.j2

@@ -15,7 +15,11 @@ homeserver:
 
 user:
   mxid_localpart: {{ matrix_bot_baibot_config_user_mxid_localpart | to_json }}
+
+  # Authentication: set EITHER password OR access_token + device_id.
   password: {{ matrix_bot_baibot_config_user_password | to_json }}
+  access_token: {{ matrix_bot_baibot_config_user_access_token | to_json }}
+  device_id: {{ matrix_bot_baibot_config_user_device_id | to_json }}
 
   # The name the bot uses as a display name and when it refers to itself.
   # Leave empty to use the default (baibot).

roles/custom/matrix-bot-draupnir/defaults/main.yml

@@ -1,5 +1,5 @@
 # SPDX-FileCopyrightText: 2023 - 2024 MDAD project contributors
-# SPDX-FileCopyrightText: 2023 - 2025 Catalan Lover <catalanlover@protonmail.com>
+# SPDX-FileCopyrightText: 2023 - 2026 Catalan Lover <catalanlover@protonmail.com>
 # SPDX-FileCopyrightText: 2023 Samuel Meenzen
 # SPDX-FileCopyrightText: 2024 - 2025 Slavi Pantaleev
 #
@@ -17,7 +17,8 @@ matrix_bot_draupnir_version: "v2.9.0"
 matrix_bot_draupnir_container_image_self_build: false
 matrix_bot_draupnir_container_image_self_build_repo: "https://github.com/the-draupnir-project/Draupnir.git"
 
-matrix_bot_draupnir_container_image: "{{ matrix_bot_draupnir_container_image_registry_prefix }}gnuxie/draupnir:{{ matrix_bot_draupnir_version }}"
+matrix_bot_draupnir_container_image: "{{ matrix_bot_draupnir_container_image_registry_prefix }}{{ matrix_bot_draupnir_container_image_registry_namespace_identifier }}:{{ matrix_bot_draupnir_version }}"
+matrix_bot_draupnir_container_image_registry_namespace_identifier: "gnuxie/draupnir"
 matrix_bot_draupnir_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_draupnir_container_image_self_build else matrix_bot_draupnir_container_image_registry_prefix_upstream }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream: "{{ matrix_bot_draupnir_container_image_registry_prefix_upstream_default }}"
 matrix_bot_draupnir_container_image_registry_prefix_upstream_default: "docker.io/"

roles/custom/matrix-bot-honoroit/defaults/main.yml

@@ -30,7 +30,7 @@ matrix_bot_honoroit_container_repo_version: "{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_container_src_files_path: "{{ matrix_base_data_path }}/honoroit/docker-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/honoroit
-matrix_bot_honoroit_version: v0.9.29
+matrix_bot_honoroit_version: v0.9.30
 matrix_bot_honoroit_container_image: "{{ matrix_bot_honoroit_container_image_registry_prefix }}etkecc/honoroit:{{ matrix_bot_honoroit_version }}"
 matrix_bot_honoroit_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_honoroit_container_image_self_build else matrix_bot_honoroit_container_image_registry_prefix_upstream }}"
 matrix_bot_honoroit_container_image_registry_prefix_upstream: "{{ matrix_bot_honoroit_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bot-mjolnir/defaults/main.yml

@@ -17,7 +17,7 @@
 matrix_bot_mjolnir_enabled: true
 
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
-matrix_bot_mjolnir_version: "v1.12.0"
+matrix_bot_mjolnir_version: "v1.12.1"
 
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

roles/custom/matrix-bridge-appservice-kakaotalk/defaults/main.yml

@@ -225,3 +225,13 @@ matrix_appservice_kakaotalk_registration_yaml: |
   rate_limited: false
 
 matrix_appservice_kakaotalk_registration: "{{ matrix_appservice_kakaotalk_registration_yaml | from_yaml }}"
+
+# matrix_appservice_kakaotalk_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_appservice_kakaotalk_restart_necessary: false

roles/custom/matrix-bridge-appservice-kakaotalk/tasks/setup_install.yml

@@ -13,10 +13,10 @@
     force_source: "{{ matrix_appservice_kakaotalk_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_kakaotalk_container_image_force_pull }}"
   when: not matrix_appservice_kakaotalk_container_image_self_build
-  register: result
+  register: matrix_appservice_kakaotalk_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_appservice_kakaotalk_container_image_pull_result is not failed
 
 - name: Ensure matrix-appservice-kakaotalk-node image is pulled
   community.docker.docker_image:
@@ -25,10 +25,10 @@
     force_source: "{{ matrix_appservice_kakaotalk_node_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_appservice_kakaotalk_node_container_image_force_pull }}"
   when: not matrix_appservice_kakaotalk_container_image_self_build
-  register: result
+  register: matrix_appservice_kakaotalk_node_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_appservice_kakaotalk_node_container_image_pull_result is not failed
 
 - name: Ensure matrix-appservice-kakaotalk paths exist
   ansible.builtin.file:
@@ -86,6 +86,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_appservice_kakaotalk_node_config_result
 
 - name: Ensure matrix-appservice-kakaotalk config.yaml installed
   ansible.builtin.copy:
@@ -94,6 +95,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_appservice_kakaotalk_config_result
 
 - name: Ensure matrix-appservice-kakaotalk registration.yaml installed
   ansible.builtin.copy:
@@ -102,6 +104,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_appservice_kakaotalk_registration_result
 
 - name: Ensure matrix-appservice-kakaotalk container network is created
   community.general.docker_network:
@@ -122,3 +125,17 @@
     src: "{{ role_path }}/templates/systemd/matrix-appservice-kakaotalk.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-appservice-kakaotalk.service"
     mode: '0644'
+  register: matrix_appservice_kakaotalk_systemd_service_result
+
+- name: Determine whether matrix-appservice-kakaotalk needs a restart
+  ansible.builtin.set_fact:
+    matrix_appservice_kakaotalk_restart_necessary: >-
+      {{
+        matrix_appservice_kakaotalk_node_config_result.changed | default(false)
+        or matrix_appservice_kakaotalk_config_result.changed | default(false)
+        or matrix_appservice_kakaotalk_registration_result.changed | default(false)
+        or matrix_appservice_kakaotalk_node_systemd_service_result.changed | default(false)
+        or matrix_appservice_kakaotalk_systemd_service_result.changed | default(false)
+        or matrix_appservice_kakaotalk_container_image_pull_result.changed | default(false)
+        or matrix_appservice_kakaotalk_node_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml

@@ -76,6 +76,20 @@
   become_user: "{{ matrix_user_name }}"
   when: "not hookshot_passkey_file.stat.exists"
 
+# We intentionally reconcile the passkey ownership/mode after generation,
+# because some setups can end up creating host-side files as the SSH user
+# instead of `matrix` when `become_user` is effectively not honored.
+#
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
+- name: Ensure hookshot passkey has correct ownership and mode
+  ansible.builtin.file:
+    path: "{{ matrix_hookshot_base_path }}/passkey.pem"
+    state: file
+    mode: '0600'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_hookshot_passkey_result
+
 - name: Ensure hookshot config.yml installed if provided
   ansible.builtin.copy:
     content: "{{ matrix_hookshot_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -154,6 +168,7 @@
         matrix_hookshot_config_result.changed | default(false)
         or matrix_hookshot_registration_result.changed | default(false)
         or matrix_hookshot_github_key_result.changed | default(false)
+        or matrix_hookshot_passkey_result.changed | default(false)
         or matrix_hookshot_support_files_result.changed | default(false)
         or matrix_hookshot_systemd_service_result.changed | default(false)
         or matrix_hookshot_container_image_pull_result.changed | default(false)

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2602.0
+matrix_mautrix_slack_version: v0.2603.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_container_image: "{{ matrix_mautrix_slack_container_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_container_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.2511.0
+matrix_mautrix_twitter_version: v0.2603.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_container_image: "{{ matrix_mautrix_twitter_container_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_container_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2602.0
+matrix_mautrix_whatsapp_version: v0.2603.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_container_image: "{{ matrix_mautrix_whatsapp_container_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

roles/custom/matrix-bridge-postmoogle/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_postmoogle_container_repo_version: "{{ 'main' if matrix_postmoogle_versio
 matrix_postmoogle_container_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/postmoogle
-matrix_postmoogle_version: v0.9.28
+matrix_postmoogle_version: v0.9.29
 matrix_postmoogle_container_image: "{{ matrix_postmoogle_container_image_registry_prefix }}etkecc/postmoogle:{{ matrix_postmoogle_version }}"
 matrix_postmoogle_container_image_registry_prefix: "{{ 'localhost/' if matrix_postmoogle_container_image_self_build else matrix_postmoogle_container_image_registry_prefix_upstream }}"
 matrix_postmoogle_container_image_registry_prefix_upstream: "{{ matrix_postmoogle_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-wechat/defaults/main.yml

@@ -163,3 +163,13 @@ matrix_wechat_agent_service_secret: "{{ matrix_wechat_bridge_listen_secret }}"
 matrix_wechat_agent_configuration_yaml: "{{ lookup('template', 'templates/agent-config.yaml.j2') }}"
 
 matrix_wechat_agent_configuration: "{{ matrix_wechat_agent_configuration_yaml | from_yaml }}"
+
+# matrix_wechat_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_wechat_restart_necessary: false

roles/custom/matrix-bridge-wechat/tasks/install.yml

@@ -27,10 +27,10 @@
     force_source: "{{ matrix_wechat_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_wechat_container_image_force_pull }}"
   when: not matrix_wechat_container_image_self_build
-  register: result
+  register: matrix_wechat_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_wechat_container_image_pull_result is not failed
 
 - when: matrix_wechat_container_image_self_build | bool
   block:
@@ -62,10 +62,10 @@
     force_source: "{{ matrix_wechat_agent_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_wechat_agent_container_image_force_pull }}"
   when: not matrix_wechat_agent_container_image_self_build
-  register: result
+  register: matrix_wechat_agent_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_wechat_agent_container_image_pull_result is not failed
 
 - when: matrix_wechat_agent_container_image_self_build | bool
   block:
@@ -97,6 +97,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_wechat_config_result
 
 - name: Ensure WeChat registration.yaml installed
   ansible.builtin.copy:
@@ -105,6 +106,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_wechat_registration_result
 
 - name: Ensure Wechat Agent configuration installed
   ansible.builtin.copy:
@@ -113,6 +115,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_wechat_agent_config_result
 
 - name: Ensure matrix-wechat container network is created
   community.general.docker_network:
@@ -134,3 +137,16 @@
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-wechat-agent.service"
     mode: '0644'
   register: matrix_wechat_agent_systemd_service_result
+
+- name: Determine whether WeChat Bridge needs a restart
+  ansible.builtin.set_fact:
+    matrix_wechat_restart_necessary: >-
+      {{
+        matrix_wechat_config_result.changed | default(false)
+        or matrix_wechat_registration_result.changed | default(false)
+        or matrix_wechat_agent_config_result.changed | default(false)
+        or matrix_wechat_systemd_service_result.changed | default(false)
+        or matrix_wechat_agent_systemd_service_result.changed | default(false)
+        or matrix_wechat_container_image_pull_result.changed | default(false)
+        or matrix_wechat_agent_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.11
+matrix_client_element_version: v1.12.12
 
 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"

roles/custom/matrix-client-element/tasks/self_check.yml

@@ -5,9 +5,6 @@
 
 ---
 
-- ansible.builtin.set_fact:
-    matrix_client_element_url_endpoint_public: "{{ matrix_client_element_scheme }}://{{ matrix_client_element_hostname }}/config.json"
-
 - name: Check Element Web
   ansible.builtin.uri:
     url: "{{ matrix_client_element_url_endpoint_public }}"

roles/custom/matrix-client-element/vars/main.yml

@@ -5,3 +5,5 @@
 ---
 
 matrix_client_element_embedded_pages_home_url: "{{ ('' if matrix_client_element_embedded_pages_home_path is none else 'home.html') }}"
+
+matrix_client_element_url_endpoint_public: "{{ matrix_client_element_scheme }}://{{ matrix_client_element_hostname }}{{ matrix_client_element_path_prefix }}{% if matrix_client_element_path_prefix != '/' %}/{% endif %}config.json"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -151,7 +151,7 @@ matrix_client_fluffychat_path_prefix: /
 matrix_client_fluffychat_self_check_validate_certificates: true
 
 # Controls the default homeserver domain (not URL) used in the FluffyChat Web configuration.
-matrix_client_fluffychat_config_defaultHomeserver: ~
+matrix_client_fluffychat_config_defaultHomeserver: ~  # noqa var-naming
 
 # matrix_client_fluffychat_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the

roles/custom/matrix-client-fluffychat/tasks/self_check.yml

@@ -4,9 +4,6 @@
 
 ---
 
-- ansible.builtin.set_fact:
-    matrix_client_fluffychat_url_endpoint_public: "{{ matrix_client_fluffychat_scheme }}://{{ matrix_client_fluffychat_hostname }}/"
-
 - name: Check FluffyChat Web
   ansible.builtin.uri:
     url: "{{ matrix_client_fluffychat_url_endpoint_public }}"

roles/custom/matrix-client-fluffychat/vars/main.yml

@@ -0,0 +1,7 @@
+# SPDX-FileCopyrightText: 2025 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+matrix_client_fluffychat_url_endpoint_public: "{{ matrix_client_fluffychat_scheme }}://{{ matrix_client_fluffychat_hostname }}{{ matrix_client_fluffychat_path_prefix }}{% if matrix_client_fluffychat_path_prefix != '/' %}/{% endif %}"

roles/custom/matrix-client-schildichat/tasks/self_check.yml

@@ -6,9 +6,6 @@
 
 ---
 
-- ansible.builtin.set_fact:
-    matrix_client_schildichat_url_endpoint_public: "{{ matrix_client_schildichat_scheme }}://{{ matrix_client_schildichat_hostname }}/config.json"
-
 - name: Check SchildiChat Web
   ansible.builtin.uri:
     url: "{{ matrix_client_schildichat_url_endpoint_public }}"

roles/custom/matrix-client-schildichat/vars/main.yml

@@ -5,3 +5,5 @@
 ---
 
 matrix_client_schildichat_embedded_pages_home_url: "{{ ('' if matrix_client_schildichat_embedded_pages_home_path is none else 'home.html') }}"
+
+matrix_client_schildichat_url_endpoint_public: "{{ matrix_client_schildichat_scheme }}://{{ matrix_client_schildichat_hostname }}{{ matrix_client_schildichat_path_prefix }}{% if matrix_client_schildichat_path_prefix != '/' %}/{% endif %}config.json"

roles/custom/matrix-conduit/defaults/main.yml

@@ -154,3 +154,13 @@ matrix_conduit_turn_uris: []
 matrix_conduit_turn_secret: ''
 matrix_conduit_turn_username: ''
 matrix_conduit_turn_password: ''
+
+# matrix_conduit_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_conduit_restart_necessary: false

roles/custom/matrix-conduit/tasks/setup_install.yml

@@ -31,6 +31,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_conduit_config_result
 
 - name: Ensure Conduit support files installed
   ansible.builtin.template:
@@ -41,6 +42,7 @@
     group: "{{ matrix_group_name }}"
   with_items:
     - labels
+  register: matrix_conduit_support_files_result
 
 - name: Ensure Conduit container network is created
   community.general.docker_network:
@@ -55,13 +57,24 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_conduit_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_conduit_container_image_force_pull }}"
-  register: result
+  register: matrix_conduit_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_conduit_container_image_pull_result is not failed
 
 - name: Ensure matrix-conduit.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-conduit.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-conduit.service"
     mode: '0644'
+  register: matrix_conduit_systemd_service_result
+
+- name: Determine whether Conduit needs a restart
+  ansible.builtin.set_fact:
+    matrix_conduit_restart_necessary: >-
+      {{
+        matrix_conduit_config_result.changed | default(false)
+        or matrix_conduit_support_files_result.changed | default(false)
+        or matrix_conduit_systemd_service_result.changed | default(false)
+        or matrix_conduit_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-continuwuity/defaults/main.yml

@@ -208,3 +208,13 @@ matrix_continuwuity_config_url_preview_domain_contains_allowlist: []
 #   CONTINUWUITY_MAX_REQUEST_SIZE=50000000
 #   CONTINUWUITY_REQUEST_TIMEOUT=60
 matrix_continuwuity_environment_variables_extension: ''
+
+# matrix_continuwuity_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_continuwuity_restart_necessary: false

roles/custom/matrix-continuwuity/tasks/install.yml

@@ -27,6 +27,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_continuwuity_config_result
 
 - name: Ensure continuwuity support files installed
   ansible.builtin.template:
@@ -38,6 +39,7 @@
   with_items:
     - labels
     - env
+  register: matrix_continuwuity_support_files_result
 
 - name: Ensure continuwuity container network is created
   community.general.docker_network:
@@ -52,13 +54,24 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_continuwuity_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_continuwuity_container_image_force_pull }}"
-  register: result
+  register: matrix_continuwuity_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_continuwuity_container_image_pull_result is not failed
 
 - name: Ensure matrix-continuwuity.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/systemd/matrix-continuwuity.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-continuwuity.service"
     mode: '0644'
+  register: matrix_continuwuity_systemd_service_result
+
+- name: Determine whether continuwuity needs a restart
+  ansible.builtin.set_fact:
+    matrix_continuwuity_restart_necessary: >-
+      {{
+        matrix_continuwuity_config_result.changed | default(false)
+        or matrix_continuwuity_support_files_result.changed | default(false)
+        or matrix_continuwuity_systemd_service_result.changed | default(false)
+        or matrix_continuwuity_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-dendrite/defaults/main.yml

@@ -361,3 +361,13 @@ matrix_dendrite_media_api_max_thumbnail_generators: 10
 
 # Controls whether the full-text search engine is enabled
 matrix_dendrite_sync_api_search_enabled: false
+
+# matrix_dendrite_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_dendrite_restart_necessary: false

roles/custom/matrix-dendrite/tasks/setup_install.yml

@@ -55,10 +55,10 @@
     force_source: "{{ matrix_dendrite_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_dendrite_container_image_force_pull }}"
   when: "not matrix_dendrite_container_image_self_build | bool"
-  register: result
+  register: matrix_dendrite_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_dendrite_container_image_pull_result is not failed
 
 # We do this so that the signing key would get generated.
 # We don't use the `docker_container` module, because using it with `cap_drop` requires
@@ -89,6 +89,7 @@
     mode: '0644'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_dendrite_config_result
 
 - when: "matrix_dendrite_container_image_self_build | bool"
   block:
@@ -139,6 +140,21 @@
     - src: bin/create-account.j2
       dest: "{{ matrix_dendrite_bin_path }}/create-account"
       mode: "0750"
-    - src: systemd/matrix-dendrite.service.j2
-      dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service"
-      mode: "0644"
+  register: matrix_dendrite_support_files_result
+
+- name: Ensure matrix-dendrite.service installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/systemd/matrix-dendrite.service.j2"
+    dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-dendrite.service"
+    mode: '0644'
+  register: matrix_dendrite_systemd_service_result
+
+- name: Determine whether Dendrite needs a restart
+  ansible.builtin.set_fact:
+    matrix_dendrite_restart_necessary: >-
+      {{
+        matrix_dendrite_config_result.changed | default(false)
+        or matrix_dendrite_support_files_result.changed | default(false)
+        or matrix_dendrite_systemd_service_result.changed | default(false)
+        or matrix_dendrite_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-element-admin/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_element_admin_enabled: true
 
 # renovate: datasource=docker depName=oci.element.io/element-admin
-matrix_element_admin_version: 0.1.10
+matrix_element_admin_version: 0.1.11
 
 matrix_element_admin_scheme: https
 

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.17.0
+matrix_element_call_version: v0.18.0
 
 matrix_element_call_scheme: https
 
@@ -153,3 +153,13 @@ matrix_element_call_config_default_server_config_m_homeserver_server_name: "{{ m
 
 # Controls the livekit/livekit_service_url property in the config.json file.
 matrix_element_call_config_livekit_livekit_service_url: ""
+
+# matrix_element_call_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_element_call_restart_necessary: false

roles/custom/matrix-element-call/tasks/install.yml

@@ -23,6 +23,7 @@
     mode: '0640'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_element_call_config_result
 
 - name: Ensure Element Call container labels file is in place
   ansible.builtin.template:
@@ -31,16 +32,17 @@
     mode: '0640'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_element_call_support_files_result
 
 - name: Ensure Element Call container image is pulled
   community.docker.docker_image:
     name: "{{ matrix_element_call_container_image }}"
     source: pull
     force_source: "{{ matrix_element_call_container_image_force_pull }}"
-  register: element_call_image_result
+  register: matrix_element_call_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: element_call_image_result is not failed
+  until: matrix_element_call_container_image_pull_result is not failed
 
 - name: Ensure Element Call container network is created
   community.general.docker_network:
@@ -54,3 +56,14 @@
     src: "{{ role_path }}/templates/systemd/matrix-element-call.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-element-call.service"
     mode: '0644'
+  register: matrix_element_call_systemd_service_result
+
+- name: Determine whether Element Call needs a restart
+  ansible.builtin.set_fact:
+    matrix_element_call_restart_necessary: >-
+      {{
+        matrix_element_call_config_result.changed | default(false)
+        or matrix_element_call_support_files_result.changed | default(false)
+        or matrix_element_call_systemd_service_result.changed | default(false)
+        or matrix_element_call_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-ldap-registration-proxy/tasks/setup_install.yml

@@ -40,6 +40,7 @@
       path: "{{ matrix_ldap_registration_proxy_container_src_files_path }}"
       pull: true
   when: true
+  register: matrix_ldap_registration_proxy_container_image_build_result
 
 - name: Ensure matrix_ldap_registration_proxy config installed
   ansible.builtin.template:
@@ -82,4 +83,5 @@
         matrix_ldap_registration_proxy_config_result.changed | default(false)
         or matrix_ldap_registration_proxy_support_files_result.changed | default(false)
         or matrix_ldap_registration_proxy_systemd_service_result.changed | default(false)
+        or matrix_ldap_registration_proxy_container_image_build_result.changed | default(false)
       }}

roles/custom/matrix-matrixto/tasks/install.yml

@@ -45,6 +45,7 @@
       path: "{{ matrix_matrixto_container_image_self_build_src_files_path }}"
       pull: true
       args:
+  register: matrix_matrixto_container_image_build_result
 
 - name: Ensure Matrix.to container network is created via community.docker.docker_network
   when: devture_systemd_docker_base_container_network_creation_method == 'ansible-module'
@@ -79,4 +80,5 @@
       {{
         matrix_matrixto_support_files_result.changed | default(false)
         or matrix_matrixto_systemd_service_result.changed | default(false)
+        or matrix_matrixto_container_image_build_result.changed | default(false)
       }}

roles/custom/matrix-media-repo/defaults/main.yml

@@ -939,3 +939,13 @@ matrix_media_repo_pgo_submit_key: "INSERT_VALUE_HERE"
 
 # Specifies whether the homeserver supports federation
 matrix_media_repo_homeserver_federation_enabled: true
+
+# matrix_media_repo_restart_necessary controls whether the service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_media_repo_restart_necessary: false

roles/custom/matrix-media-repo/tasks/setup_install.yml

@@ -35,6 +35,7 @@
   with_items:
     - env
     - labels
+  register: matrix_media_repo_support_files_result
 
 - name: Ensure media-repo configuration installed
   ansible.builtin.template:
@@ -43,6 +44,7 @@
     mode: '0640'
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
+  register: matrix_media_repo_config_result
 
 - name: Ensure media-repo Docker image is pulled
   community.docker.docker_image:
@@ -51,10 +53,10 @@
     force_source: "{{ matrix_media_repo_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_media_repo_container_image_force_pull }}"
   when: "not matrix_media_repo_container_image_self_build | bool"
-  register: result
+  register: matrix_media_repo_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_media_repo_container_image_pull_result is not failed
 
 - when: "matrix_media_repo_container_image_self_build | bool"
   block:
@@ -153,3 +155,14 @@
     src: "{{ role_path }}/templates/media-repo/systemd/matrix-media-repo.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/{{ matrix_media_repo_identifier }}.service"
     mode: '0640'
+  register: matrix_media_repo_systemd_service_result
+
+- name: Determine whether media-repo needs a restart
+  ansible.builtin.set_fact:
+    matrix_media_repo_restart_necessary: >-
+      {{
+        matrix_media_repo_config_result.changed | default(false)
+        or matrix_media_repo_support_files_result.changed | default(false)
+        or matrix_media_repo_systemd_service_result.changed | default(false)
+        or matrix_media_repo_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke53
+matrix_synapse_admin_version: v0.11.4-etke54
 matrix_synapse_admin_container_image: "{{ matrix_synapse_admin_container_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_container_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_container_image_registry_prefix_upstream }}"
 matrix_synapse_admin_container_image_registry_prefix_upstream: "{{ matrix_synapse_admin_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-synapse-admin/tasks/validate_config.yml

@@ -6,6 +6,16 @@
 
 ---
 
+- name: Fail if matrix-synapse-admin is enabled for a non-Synapse homeserver
+  ansible.builtin.fail:
+    msg: >-
+      matrix-synapse-admin can only be used with the Synapse homeserver implementation.
+      Your configuration has `matrix_synapse_admin_enabled: true`, but `matrix_homeserver_implementation` is set to `{{ matrix_homeserver_implementation }}`.
+      Disable matrix-synapse-admin or switch to Synapse.
+  when:
+    - matrix_synapse_admin_enabled | bool
+    - matrix_homeserver_implementation != 'synapse'
+
 - name: (Deprecation) Catch and report renamed matrix-synapse-admin settings
   ansible.builtin.fail:
     msg: >-

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.148.0
+matrix_synapse_version: v1.149.1
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -125,6 +125,17 @@ matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_stor
 # extra arguments to pass to s3-storage-provider script when starting Synapse container
 matrix_synapse_ext_s3_storage_provider_container_arguments: []
 
+# matrix_synapse_s3_storage_provider_restart_necessary controls whether the
+# s3-storage-provider migrate timer will be restarted (when true) or merely
+# started (when false) by the systemd service manager role (when conditional
+# restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files or the systemd service/timer files changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_synapse_s3_storage_provider_restart_necessary: false
+
 matrix_synapse_container_client_api_port: 8008
 
 # Controls the `x_forwarded` setting for the "Insecure HTTP listener (Client API)".
@@ -934,6 +945,11 @@ matrix_synapse_workers_presets:
     stream_writer_account_data_stream_workers_count: 0
     stream_writer_receipts_stream_workers_count: 0
     stream_writer_presence_stream_workers_count: 0
+    stream_writer_push_rules_stream_workers_count: 0
+    stream_writer_device_lists_stream_workers_count: 0
+    # Keep disabled by default: MSC4306/4308 thread subscriptions are unstable
+    # and disabled in upstream Synapse unless explicitly opted in.
+    stream_writer_thread_subscriptions_stream_workers_count: 0
   one-of-each:
     room_workers_count: 0
     sync_workers_count: 0
@@ -952,6 +968,11 @@ matrix_synapse_workers_presets:
     stream_writer_account_data_stream_workers_count: 1
     stream_writer_receipts_stream_workers_count: 1
     stream_writer_presence_stream_workers_count: 1
+    stream_writer_push_rules_stream_workers_count: 1
+    stream_writer_device_lists_stream_workers_count: 1
+    # Keep disabled by default: MSC4306/4308 thread subscriptions are unstable
+    # and disabled in upstream Synapse unless explicitly opted in.
+    stream_writer_thread_subscriptions_stream_workers_count: 0
   specialized-workers:
     room_workers_count: 1
     sync_workers_count: 1
@@ -970,6 +991,11 @@ matrix_synapse_workers_presets:
     stream_writer_account_data_stream_workers_count: 1
     stream_writer_receipts_stream_workers_count: 1
     stream_writer_presence_stream_workers_count: 1
+    stream_writer_push_rules_stream_workers_count: 1
+    stream_writer_device_lists_stream_workers_count: 1
+    # Keep disabled by default: MSC4306/4308 thread subscriptions are unstable
+    # and disabled in upstream Synapse unless explicitly opted in.
+    stream_writer_thread_subscriptions_stream_workers_count: 0
 
 # Controls whether the matrix-synapse container exposes the various worker ports
 # (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container.
@@ -1064,6 +1090,18 @@ matrix_synapse_workers_stream_writer_receipts_stream_workers_count: "{{ matrix_s
 # The count of these workers can only be 0 or 1.
 matrix_synapse_workers_stream_writer_presence_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_presence_stream_workers_count'] }}"
 
+# matrix_synapse_workers_stream_writer_push_rules_stream_workers_count controls how many stream writers that handle the `push_rules` stream to spawn.
+# The count of these workers can only be 0 or 1.
+matrix_synapse_workers_stream_writer_push_rules_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_push_rules_stream_workers_count'] }}"
+
+# matrix_synapse_workers_stream_writer_device_lists_stream_workers_count controls how many stream writers that handle the `device_lists` stream to spawn.
+# More than 1 worker is also supported of this type.
+matrix_synapse_workers_stream_writer_device_lists_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_device_lists_stream_workers_count'] }}"
+
+# matrix_synapse_workers_stream_writer_thread_subscriptions_stream_workers_count controls how many stream writers that handle the `thread_subscriptions` stream to spawn.
+# More than 1 worker is also supported of this type.
+matrix_synapse_workers_stream_writer_thread_subscriptions_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_thread_subscriptions_stream_workers_count'] }}"
+
 # A list of stream writer workers to enable. This list is built automatically based on other variables.
 # You're encouraged to enable/disable stream writer workers by setting `matrix_synapse_workers_stream_writer_*_stream_workers_count` variables, instead of adjusting this list manually.
 matrix_synapse_workers_stream_writers: |
@@ -1081,6 +1119,12 @@ matrix_synapse_workers_stream_writers: |
     ([{'stream': 'receipts'}] * matrix_synapse_workers_stream_writer_receipts_stream_workers_count | int)
     +
     ([{'stream': 'presence'}] * matrix_synapse_workers_stream_writer_presence_stream_workers_count | int)
+    +
+    ([{'stream': 'push_rules'}] * matrix_synapse_workers_stream_writer_push_rules_stream_workers_count | int)
+    +
+    ([{'stream': 'device_lists'}] * matrix_synapse_workers_stream_writer_device_lists_stream_workers_count | int)
+    +
+    ([{'stream': 'thread_subscriptions'}] * matrix_synapse_workers_stream_writer_thread_subscriptions_stream_workers_count | int)
   }}
 
 matrix_synapse_workers_stream_writers_container_arguments: []
@@ -1241,11 +1285,21 @@ matrix_synapse_instance_map: |
 
 # Redis information
 matrix_synapse_redis_enabled: false
-matrix_synapse_redis_host: ""
-matrix_synapse_redis_port: 6379
 matrix_synapse_redis_password: ""
 matrix_synapse_redis_dbid: 0
 matrix_synapse_redis_use_tls: false
+# Connection option 1: TCP
+matrix_synapse_redis_host: ""
+matrix_synapse_redis_port: 6379
+# Connection option 2: Unix socket (takes precedence over TCP if `matrix_synapse_redis_path` is set)
+# disabled by default
+matrix_synapse_redis_path_enabled: false
+# the path to the redis socket's parent dir (/tmp, not /tmp/redis.sock file) inside the container, Synapse default's is "/tmp/redis.sock"
+matrix_synapse_redis_path: "/tmp"
+# the filename of the redis socket, inside the container, Synapse default's is "redis.sock"
+matrix_synapse_redis_path_socket: "/redis.sock"
+# the path to the redis socket on the host, e.g., "/matrix/valkey/run" (parent dir, not the socket file itself).
+matrix_synapse_redis_path_host: ""
 
 # Controls whether Synapse starts a replication listener necessary for workers.
 #
@@ -1267,6 +1321,10 @@ matrix_synapse_sentry_dsn: ""
 
 # Postgres database information
 matrix_synapse_database_txn_limit: 0
+#
+# Use this hostname for TCP-based Postgres connections.
+# When `matrix_synapse_database_socket_enabled` is true, this is ignored and
+# `matrix_synapse_database_socket_path` is used instead.
 matrix_synapse_database_host: ''
 matrix_synapse_database_port: 5432
 matrix_synapse_database_cp_min: 5
@@ -1274,6 +1332,13 @@ matrix_synapse_database_cp_max: 10
 matrix_synapse_database_user: "synapse"
 matrix_synapse_database_password: ""
 matrix_synapse_database_database: "synapse"
+# Connection option 2: Unix socket (takes precedence over TCP if enabled)
+# disabled by default
+matrix_synapse_database_socket_enabled: false
+# the path to the postgres socket's parent dir inside the container (not the socket file itself).
+matrix_synapse_database_socket_path: "/tmp/postgres"
+# the path to the postgres socket on the host, e.g., "/matrix/postgres/run" (parent dir, not the socket file itself).
+matrix_synapse_database_socket_path_host: ""
 
 matrix_synapse_turn_uris: []
 matrix_synapse_turn_shared_secret: ""
@@ -1373,6 +1438,23 @@ matrix_synapse_max_event_delay_duration: 24h
 # See https://github.com/matrix-org/matrix-spec-proposals/pull/4222
 matrix_synapse_experimental_features_msc4222_enabled: false
 
+# Controls whether to enable the MSC4306 experimental feature ("thread subscriptions").
+#
+# In current Synapse, this also enables the MSC4308 thread-subscriptions extension
+# to Sliding Sync under the same upstream feature flag.
+#
+# See:
+# - https://github.com/matrix-org/matrix-spec-proposals/pull/4306
+# - https://github.com/matrix-org/matrix-spec-proposals/pull/4308
+matrix_synapse_experimental_features_msc4306_enabled: false
+
+# Controls whether to enable the MSC4354 experimental feature (sticky events).
+#
+# This is implemented since Synapse v1.148.0 and can be used by element-call v0.17.0+
+#
+# See https://github.com/matrix-org/matrix-spec-proposals/pull/4354
+matrix_synapse_experimental_features_msc4354_enabled: false
+
 # Enable this to activate the REST auth password provider module.
 # See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
 matrix_synapse_ext_password_provider_rest_auth_enabled: false
@@ -1424,7 +1506,7 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeserve
 matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false
 matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir"
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
-matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.12.0"
+matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.12.1"
 matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
 # Flag messages sent by servers/users in the ban lists as spam. Currently
 # this means that spammy messages will appear as empty to users. Default
@@ -1577,6 +1659,16 @@ matrix_s3_media_store_aws_secret_key: "your-aws-secret-key"
 matrix_s3_media_store_region: "eu-central-1"
 matrix_s3_media_store_path: "{{ matrix_synapse_media_store_path }}"
 
+# matrix_goofys_restart_necessary controls whether the Goofys service
+# will be restarted (when true) or merely started (when false) by the
+# systemd service manager role (when conditional restart is enabled).
+#
+# This value is automatically computed during installation based on whether
+# any configuration files, the systemd service file, or the container image changed.
+# The default of `false` means "no restart needed" — appropriate when the role's
+# installation tasks haven't run (e.g., due to --tags skipping them).
+matrix_goofys_restart_necessary: false
+
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_synapse_self_check_validate_certificates: true
 
@@ -1590,6 +1682,12 @@ matrix_synapse_server_notices_system_mxid_display_name: "Server Notices"
 matrix_synapse_server_notices_system_mxid_avatar_url: ~
 # The name of the room where server notices will be sent, this room will be created if it doesn't exist.
 matrix_synapse_server_notices_room_name: "Server Notices"
+# Optional avatar URL for the server notices room, example: mxc://example.com/abc123
+matrix_synapse_server_notices_room_avatar_url: ~
+# Optional topic for the server notices room.
+matrix_synapse_server_notices_room_topic: ~
+# If true, users will be automatically joined to the server notices room instead of being invited.
+matrix_synapse_server_notices_auto_join: false
 
 # Controls whether searching the public room list is enabled.
 matrix_synapse_enable_room_list_search: true
@@ -1730,7 +1828,7 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: ""
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.29.6-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
@@ -1878,6 +1976,26 @@ matrix_synapse_reverse_proxy_companion_worker_connections: 1024
 # Option to disable the access log
 matrix_synapse_reverse_proxy_companion_access_log_enabled: true
 
+# Controls the regular nginx access log format used for `/var/log/nginx/access.log`.
+# `routing_debug` is the default because it includes the chosen upstream label,
+# the resolved backend address, and timing data, which makes it much easier to
+# verify request routing in worker deployments.
+# This does not affect the separate syslog integration format used by prometheus-nginxlog-exporter.
+matrix_synapse_reverse_proxy_companion_access_log_format: routing_debug
+
+# The available values for `matrix_synapse_reverse_proxy_companion_access_log_format`.
+# You can override this map to define custom formats, but that is fragile and discouraged.
+matrix_synapse_reverse_proxy_companion_access_log_format_presets:
+  main:
+    - '$remote_addr - $remote_user [$time_local] "$request"'
+    - '$status $body_bytes_sent "$http_referer"'
+    - ' "$http_user_agent" "$http_x_forwarded_for"'
+  routing_debug:
+    - '$remote_addr - $remote_user [$time_local] "$request"'
+    - '$status $body_bytes_sent "$http_referer"'
+    - ' "$http_user_agent" "$http_x_forwarded_for"'
+    - ' "$host" "$matrix_upstream_label" "$upstream_addr" "$upstream_status" "$request_time" "$upstream_response_time"'
+
 # Controls whether to send access logs to a remote syslog-compatible server
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
@@ -1974,10 +2092,13 @@ matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_wo
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}"
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_push_rules_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints }}"
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_device_lists_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints }}"
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_thread_subscriptions_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_thread_subscriptions_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints | default([]) }}"
 matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints | default([]) }}"
-matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register)
-matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$))
+matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|rooms/[^/]+/(forget|upgrade|report)|register)
+matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect(/|$)
 # Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108)
 matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$
 

roles/custom/matrix-synapse/tasks/ext/s3-storage-provider/setup_install.yml

@@ -27,12 +27,14 @@
     src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/env.j2"
     dest: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/env"
     mode: '0640'
+  register: matrix_synapse_s3_storage_provider_env_result
 
 - name: Ensure s3-storage-provider database.yaml file installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/synapse/ext/s3-storage-provider/database.yaml.j2"
     dest: "{{ matrix_synapse_ext_s3_storage_provider_data_path }}/database.yaml"
     mode: '0640'
+  register: matrix_synapse_s3_storage_provider_database_config_result
 
 - name: Ensure s3-storage-provider scripts installed
   ansible.builtin.template:
@@ -42,6 +44,7 @@
   with_items:
     - shell
     - migrate
+  register: matrix_synapse_s3_storage_provider_scripts_result
 
 - name: Ensure matrix-synapse-s3-storage-provider-migrate.service and timer are installed
   ansible.builtin.template:
@@ -52,3 +55,13 @@
     - matrix-synapse-s3-storage-provider-migrate.service
     - matrix-synapse-s3-storage-provider-migrate.timer
   register: matrix_synapse_s3_storage_provider_systemd_service_result
+
+- name: Determine whether s3-storage-provider migrate timer needs a restart
+  ansible.builtin.set_fact:
+    matrix_synapse_s3_storage_provider_restart_necessary: >-
+      {{
+        matrix_synapse_s3_storage_provider_env_result.changed | default(false)
+        or matrix_synapse_s3_storage_provider_database_config_result.changed | default(false)
+        or matrix_synapse_s3_storage_provider_scripts_result.changed | default(false)
+        or matrix_synapse_s3_storage_provider_systemd_service_result.changed | default(false)
+      }}

roles/custom/matrix-synapse/tasks/goofys/setup_install.yml

@@ -20,10 +20,10 @@
     source: "{{ 'pull' if ansible_version.major > 2 or ansible_version.minor > 7 else omit }}"
     force_source: "{{ matrix_s3_goofys_container_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
     force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_s3_goofys_container_image_force_pull }}"
-  register: result
+  register: matrix_goofys_container_image_pull_result
   retries: "{{ devture_playbook_help_container_retries_count }}"
   delay: "{{ devture_playbook_help_container_retries_delay }}"
-  until: result is not failed
+  until: matrix_goofys_container_image_pull_result is not failed
 
 # This will throw a Permission Denied error if already mounted
 - name: Check Matrix Goofys external storage mountpoint path
@@ -47,9 +47,20 @@
     dest: "{{ matrix_synapse_config_dir_path }}/env-goofys"
     owner: root
     mode: '0600'
+  register: matrix_goofys_env_result
 
 - name: Ensure matrix-goofys.service installed
   ansible.builtin.template:
     src: "{{ role_path }}/templates/goofys/systemd/matrix-goofys.service.j2"
     dest: "{{ devture_systemd_docker_base_systemd_path }}/matrix-goofys.service"
     mode: '0644'
+  register: matrix_goofys_systemd_service_result
+
+- name: Determine whether Goofys needs a restart
+  ansible.builtin.set_fact:
+    matrix_goofys_restart_necessary: >-
+      {{
+        matrix_goofys_env_result.changed | default(false)
+        or matrix_goofys_systemd_service_result.changed | default(false)
+        or matrix_goofys_container_image_pull_result.changed | default(false)
+      }}

roles/custom/matrix-synapse/tasks/validate_config.yml

@@ -149,6 +149,14 @@
     - "matrix_synapse_workers_stream_writer_account_data_stream_workers_count"
     - "matrix_synapse_workers_stream_writer_receipts_stream_workers_count"
     - "matrix_synapse_workers_stream_writer_presence_stream_workers_count"
+    - "matrix_synapse_workers_stream_writer_push_rules_stream_workers_count"
+
+- name: Fail if matrix-synapse-reverse-proxy-companion access log format is invalid
+  ansible.builtin.fail:
+    msg: >-
+      `matrix_synapse_reverse_proxy_companion_access_log_format` must be one of:
+      {{ matrix_synapse_reverse_proxy_companion_access_log_format_presets.keys() | sort | join(', ') }}
+  when: "matrix_synapse_reverse_proxy_companion_access_log_format not in matrix_synapse_reverse_proxy_companion_access_log_format_presets"
 
 - name: Fail when mixing generic workers with new specialized workers
   ansible.builtin.fail:

roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2

@@ -10,8 +10,61 @@
 {% set stream_writer_account_data_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %}
 {% set stream_writer_receipts_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %}
 {% set stream_writer_presence_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %}
+{% set stream_writer_push_rules_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'push_rules') | list %}
+{% set stream_writer_device_lists_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'device_lists') | list %}
+{% set stream_writer_thread_subscriptions_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'thread_subscriptions') | list %}
 {% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %}
 {% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %}
+{% set stream_writer_client_server_routes = [
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream',
+		'workers': stream_writer_typing_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_typing_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream',
+		'workers': stream_writer_to_device_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_to_device_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream',
+		'workers': stream_writer_account_data_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_account_data_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream',
+		'workers': stream_writer_receipts_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_receipts_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream',
+		'workers': stream_writer_presence_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_presence_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream',
+		'workers': stream_writer_push_rules_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_push_rules_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_push_rules_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream',
+		'workers': stream_writer_device_lists_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_device_lists_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_device_lists_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247',
+		'workers': stream_writer_thread_subscriptions_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_thread_subscriptions_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_thread_subscriptions_stream_workers_upstream',
+	},
+] %}
 
 {% macro render_worker_upstream(name, workers, load_balance) %}
 	upstream {{ name }} {
@@ -34,6 +87,7 @@
 {% macro render_locations_to_upstream(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
+		set $matrix_upstream_label "{{ upstream_name }}";
 		proxy_pass http://{{ upstream_name }}$request_uri;
 		proxy_http_version 1.1;
 		proxy_set_header Connection "";
@@ -41,9 +95,28 @@
 	{% endfor %}
 {% endmacro %}
 
+{% macro render_locations_to_upstream_or_main(locations, workers, upstream_name) %}
+	{% for location in locations %}
+	location ~ {{ location }} {
+		{% if workers | length > 0 %}
+		set $matrix_upstream_label "{{ upstream_name }}";
+		proxy_pass http://{{ upstream_name }}$request_uri;
+		proxy_http_version 1.1;
+		proxy_set_header Connection "";
+		{% else %}
+		{# Use the embedded DNS resolver in Docker containers to discover the service #}
+		resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s;
+		set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}";
+		proxy_pass http://$backend;
+		{% endif %}
+	}
+	{% endfor %}
+{% endmacro %}
+
 {% macro render_locations_to_upstream_with_whoami_sync_worker_router(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
+		set $matrix_upstream_label "{{ upstream_name }}";
 		# Use auth_request to call the whoami sync worker router.
 		# The handler resolves the access token to a user identifier and returns it
 		# in the X-User-Identifier header, which is then used for upstream hashing.
@@ -52,6 +125,7 @@
 
 		{% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled %}
 		add_header X-Sync-Worker-Router-User-Identifier $user_identifier always;
+		add_header X-Sync-Worker-Router-Upstream-Label $matrix_upstream_label always;
 		add_header X-Sync-Worker-Router-Upstream $upstream_addr always;
 		{% endif %}
 
@@ -100,25 +174,11 @@ map $request_uri $room_name {
 	{{- render_worker_upstream('generic_workers_upstream', generic_workers, 'hash $http_x_forwarded_for;') }}
 	{% endif %}
 
-	{% if stream_writer_typing_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_to_device_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_account_data_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_receipts_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_presence_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, '') }}
+	{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+	{% if stream_writer_client_server_route.workers | length > 0 %}
+	{{- render_worker_upstream(stream_writer_client_server_route.upstream, stream_writer_client_server_route.workers, '') }}
 	{% endif %}
+	{% endfor %}
 
 	{% if media_repository_workers | length > 0 %}
 	{{- render_worker_upstream('media_repository_workers_upstream', media_repository_workers, 'least_conn;') }}
@@ -142,6 +202,7 @@ server {
 	proxy_buffering on;
 	proxy_max_temp_file_size 0;
 	proxy_set_header Host $host;
+	set $matrix_upstream_label "synapse_main_client_api";
 
 	{% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %}
 	# Internal location for whoami-based sync worker routing.
@@ -186,36 +247,16 @@ server {
 
 		{# Workers redirects BEGIN #}
 
+		{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+			# {{ stream_writer_client_server_route.doc_url }}
+			{{ render_locations_to_upstream_or_main(stream_writer_client_server_route.locations, stream_writer_client_server_route.workers, stream_writer_client_server_route.upstream) }}
+		{% endfor %}
+
 		{% if generic_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }}
 		{% endif %}
 
-		{% if stream_writer_typing_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_to_device_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_account_data_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_receipts_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_presence_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }}
-		{% endif %}
-
 		{% if room_workers | length > 0 %}
 			# room workers
 			# https://tcpipuk.github.io/synapse/deployment/workers.html
@@ -237,13 +278,14 @@ server {
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations, 'client_reader_workers_upstream') }}
 		{% endif %}
 
-		{% if media_repository_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
-			{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
-			location ~ {{ location }} {
-				proxy_pass http://media_repository_workers_upstream$request_uri;
+			{% if media_repository_workers | length > 0 %}
+				# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
+				{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
+				location ~ {{ location }} {
+					set $matrix_upstream_label "media_repository_workers_upstream";
+					proxy_pass http://media_repository_workers_upstream$request_uri;
 
-				{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
+					{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
 					proxy_cache            {{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }};
 					proxy_cache_valid      any {{ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time }};
 					proxy_force_ranges on;
@@ -287,6 +329,7 @@ server {
 	proxy_buffering on;
 	proxy_max_temp_file_size 0;
 	proxy_set_header Host $host;
+	set $matrix_upstream_label "synapse_main_federation_api";
 
 	{% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %}
 		# Federation overrides — These locations must go to the main Synapse process
@@ -308,11 +351,12 @@ server {
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }}
 		{% endif %}
 
-		{% if media_repository_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
-			{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
-			location ~ {{ location }} {
-				proxy_pass http://media_repository_workers_upstream$request_uri;
+			{% if media_repository_workers | length > 0 %}
+				# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
+				{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
+				location ~ {{ location }} {
+					set $matrix_upstream_label "media_repository_workers_upstream";
+					proxy_pass http://media_repository_workers_upstream$request_uri;
 
 				{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
 					proxy_buffering        on;

roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/nginx.conf.j2

@@ -48,12 +48,14 @@ http {
 	js_shared_dict_zone zone=whoami_sync_worker_router_cache:{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb }}m;
 	{% endif %}
 
-	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-		'$status $body_bytes_sent "$http_referer" '
-		'"$http_user_agent" "$http_x_forwarded_for"';
+	{% set access_log_format_fragments = matrix_synapse_reverse_proxy_companion_access_log_format_presets[matrix_synapse_reverse_proxy_companion_access_log_format] %}
+	log_format access_log_fmt
+	{% for fragment in access_log_format_fragments %}
+		'{{ fragment }}'{% if loop.last %};{% endif %}
+	{% endfor %}
 
 	{% if matrix_synapse_reverse_proxy_companion_access_log_enabled %}
-	access_log /var/log/nginx/access.log main;
+	access_log /var/log/nginx/access.log access_log_fmt;
 	{% else %}
 	access_log off;
 	{% endif %}

roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2

@@ -8,6 +8,9 @@ container_id=$(\
 	--env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \
 	--mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
 	--mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \
+{% if matrix_synapse_database_socket_enabled %}
+	--mount type=bind,src={{ matrix_synapse_database_socket_path_host }},dst={{ matrix_synapse_database_socket_path }} \
+{% endif %}
 	--workdir=/data \
 	--network={{ matrix_synapse_container_network }} \
 	--entrypoint=/bin/bash \
@@ -18,7 +21,7 @@ container_id=$(\
 	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_prefix %}--prefix $PREFIX {% endif %}{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' \
 )
 
-{# We need to connect to the Postgres network, which should be in this list. #}
+{# Additional container networks (for example, Postgres) should be connected here when needed. #}
 {% for network in matrix_synapse_container_additional_networks %}
 {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} $container_id
 {% endfor %}

roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/shell.j2

@@ -10,13 +10,16 @@ container_id=$(\
 	--env-file={{ matrix_synapse_ext_s3_storage_provider_base_path }}/env \
 	--mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
 	--mount type=bind,src={{ matrix_synapse_ext_s3_storage_provider_data_path }},dst=/data \
+{% if matrix_synapse_database_socket_enabled %}
+	--mount type=bind,src={{ matrix_synapse_database_socket_path_host }},dst={{ matrix_synapse_database_socket_path }} \
+{% endif %}
 	--workdir=/data \
 	--network={{ matrix_synapse_container_network }} \
 	--entrypoint=/bin/bash \
 	{{ matrix_synapse_container_image_final }} \
 )
 
-{# We need to connect to the Postgres network, which should be in this list. #}
+{# Additional container networks (for example, Postgres) should be connected here when needed. #}
 {% for network in matrix_synapse_container_additional_networks %}
 {{ devture_systemd_docker_base_host_command_docker }} network connect {{ network }} $container_id
 {% endfor %}

roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/database.yaml.j2

@@ -7,5 +7,5 @@ SPDX-License-Identifier: AGPL-3.0-or-later
 user: {{ matrix_synapse_database_user | to_json }}
 password: {{ matrix_synapse_database_password | to_json }}
 database: {{ matrix_synapse_database_database | to_json }}
-host: {{ matrix_synapse_database_host | to_json }}
+host: {{ (matrix_synapse_database_socket_path if matrix_synapse_database_socket_enabled else matrix_synapse_database_host) | to_json }}
 port: {{ matrix_synapse_database_port | to_json }}

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -864,7 +864,7 @@ database:
     user: {{ matrix_synapse_database_user | string|to_json }}
     password: {{ matrix_synapse_database_password | string|to_json }}
     database: "{{ matrix_synapse_database_database }}"
-    host: "{{ matrix_synapse_database_host }}"
+    host: "{{ matrix_synapse_database_socket_path if matrix_synapse_database_socket_enabled else matrix_synapse_database_host }}"
     port: {{ matrix_synapse_database_port }}
     cp_min: {{ matrix_synapse_database_cp_min | to_json }}
     cp_max: {{ matrix_synapse_database_cp_max | to_json }}
@@ -2730,6 +2730,13 @@ server_notices:
   system_mxid_avatar_url: {{ matrix_synapse_server_notices_system_mxid_avatar_url | string | to_json }}
 {% endif %}
   room_name: {{ matrix_synapse_server_notices_room_name | string | to_json }}
+{% if matrix_synapse_server_notices_room_avatar_url %}
+  room_avatar_url: {{ matrix_synapse_server_notices_room_avatar_url | string | to_json }}
+{% endif %}
+{% if matrix_synapse_server_notices_room_topic %}
+  room_topic: {{ matrix_synapse_server_notices_room_topic | string | to_json }}
+{% endif %}
+  auto_join: {{ matrix_synapse_server_notices_auto_join | to_json }}
 {% endif %}
 
 
@@ -2932,6 +2939,11 @@ redis:
   host: {{ matrix_synapse_redis_host | to_json }}
   port: {{ matrix_synapse_redis_port | to_json }}
 
+  # The full path to a local Unix socket file. If this is used, host and port are ignored.
+  {% if matrix_synapse_redis_path_enabled %}
+  path: {{ (matrix_synapse_redis_path + matrix_synapse_redis_path_socket) | to_json }}
+  {% endif %}
+
   # Optional database ID to connect to. Defaults to 0.
   dbid: {{ matrix_synapse_redis_dbid | to_json }}
 
@@ -3001,6 +3013,12 @@ experimental_features:
   {% if matrix_synapse_experimental_features_msc4222_enabled %}
   msc4222_enabled: true
   {% endif %}
+  {% if matrix_synapse_experimental_features_msc4306_enabled %}
+  msc4306_enabled: true
+  {% endif %}
+  {% if matrix_synapse_experimental_features_msc4354_enabled %}
+  msc4354_enabled: true
+  {% endif %}
 
 {% if matrix_synapse_experimental_features_msc4140_enabled %}
 max_event_delay_duration: {{ matrix_synapse_max_event_delay_duration | to_json }}

roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2

@@ -67,6 +67,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
 			{% endfor %}
+			{% if matrix_synapse_redis_path_enabled %}
+			--mount type=bind,src={{ matrix_synapse_redis_path_host }},dst={{ matrix_synapse_redis_path }} \
+			{% endif %}
+			{% if matrix_synapse_database_socket_enabled %}
+			--mount type=bind,src={{ matrix_synapse_database_socket_path_host }},dst={{ matrix_synapse_database_socket_path }} \
+			{% endif %}
 			--label-file={{ matrix_synapse_base_path }}/{{ matrix_synapse_worker_labels_file_name }} \
 			{% for arg in matrix_synapse_container_arguments %}
 			{{ arg }} \

roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -51,6 +51,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \
 			--mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
+			{% if matrix_synapse_redis_path_enabled %}
+			--mount type=bind,src={{ matrix_synapse_redis_path_host }},dst={{ matrix_synapse_redis_path }} \
+			{% endif %}
+			{% if matrix_synapse_database_socket_enabled %}
+			--mount type=bind,src={{ matrix_synapse_database_socket_path_host }},dst={{ matrix_synapse_database_socket_path }} \
+			{% endif %}
 			--label-file={{ matrix_synapse_base_path }}/labels \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \

roles/custom/matrix-synapse/vars/main.yml

@@ -31,7 +31,36 @@ matrix_synapse_workers_sync_worker_client_server_endpoints:
 
 # Client reader workers handle generic client-server endpoints that don't contain a roomid or sync
 matrix_synapse_workers_client_reader_client_server_endpoints:
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/(room_keys/|keys/(query|changes|claim|upload/|room_keys/)|login|register(/available|/m.login.registration_token/validity|)|password_policy|profile|rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))|createRoom|publicRooms|account/(3pid|whoami|devices)|versions|voip/turnServer|joined_rooms|search|user/.*/filter(/|$)|directory/room/.*|capabilities)
+  # Keep these as grouped regex entries instead of a single huge alternation.
+  # This preserves the existing specialized-routing policy while making future audits
+  # and endpoint-specific edits reviewable.
+
+  # Encryption and room-key APIs
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/room_keys/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/(query|changes|claim|room_keys/)
+
+  # MSC3814 dehydrated-device APIs:
+  # Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L256-L459
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device$
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/[^/]*/events$
+
+  # Login, registration, account, and profile APIs
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/login
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/register(/available|/m.login.registration_token/validity|)?
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/password_policy
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/(3pid|whoami|deactivate)
+
+  # Room-scoped client APIs handled by client readers in the specialized-worker model
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))
+
+  # Generic client discovery and lookup APIs
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/(createRoom|publicRooms|versions|voip/turnServer|joined_rooms|search|directory/room/.*|capabilities)
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/user/.*/filter(/|$)
+
+  # MatrixRTC transport discovery:
+  # Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/matrixrtc.py#L30-L52
+  - ^/_matrix/client/unstable/org.matrix.msc4143/rtc/transports$
 
 # Federation reader workers handle generic federation endpoints that don't contain a roomid
 matrix_synapse_workers_federation_reader_federation_endpoints:
@@ -47,12 +76,10 @@ matrix_synapse_workers_federation_reader_federation_endpoints:
 # because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc.
 # While /_synapse/client/ endpoints are somewhat client-server API-related, they're:
 # - neither part of the client-server API spec (and are thus, different)
-# - nor always OK to forward to a worker (we're supposed to obey `matrix_synapse_companion_container_labels_client_synapse_client_api_enabled`)
+# - and they now include a meaningful Synapse-specific tree (`pick_idp`, `pick_username`, OIDC/SAML callbacks, rendezvous, etc.)
+# - some of these paths are auth-sensitive or deployment-sensitive, so we intentionally keep them out of the broad worker route model unless explicitly handled elsewhere
 #
-# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24),
-# so it's not that important whether we forward them or not.
-#
-# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much.
+# Basically, we aim to cover most spec client APIs here. Skipping `/_synapse/client` is intentional and conservative.
 matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints | default([]) | map('regex_search', '.*/_matrix/client.*') | list | difference([none]) }}"
 
 # A Synapse generic worker can handle both federation and client-server API endpoints.
@@ -93,6 +120,26 @@ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoi
 matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints:
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/
 
+# matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints contains the endpoints serviced by the `push_rules` stream writer.
+# See: https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream
+matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
+
+# matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints contains the endpoints serviced by the `device_lists` stream writer.
+# See: https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream
+matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/(r0|v3)/delete_devices$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)
+  - ^/_matrix/client/(r0|v3|unstable)/keys/upload(/|$)
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+
+# matrix_synapse_workers_stream_writer_thread_subscriptions_stream_worker_client_server_endpoints contains the endpoints serviced by the `thread_subscriptions` stream writer.
+# Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247
+matrix_synapse_workers_stream_writer_thread_subscriptions_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/unstable/io.element.msc4306/rooms/.*/thread/.*/subscription$
+  - ^/_matrix/client/unstable/io.element.msc4308/thread_subscriptions$
+
 # matrix_synapse_workers_user_dir_worker_client_server_endpoints contains the endpoints serviced by the `type = user_dir` (`app = generic_worker`) worker.
 # See: https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory
 matrix_synapse_workers_user_dir_worker_client_server_endpoints:
@@ -101,11 +148,11 @@ matrix_synapse_workers_user_dir_worker_client_server_endpoints:
 # matrix_synapse_workers_known_stream_writer_stream_types contains the list of stream writer stream types that the playbook recognizes.
 # This is used for validation purposes. If adding support for a new type, besides adding it to this list,
 # don't forget to actually configure it where appropriate (see worker.yaml.j2`, the nginx proxy configuration, etc).
-matrix_synapse_workers_known_stream_writer_stream_types: ['events', 'typing', 'to_device', 'account_data', 'receipts', 'presence']
+matrix_synapse_workers_known_stream_writer_stream_types: ['events', 'typing', 'to_device', 'account_data', 'receipts', 'presence', 'push_rules', 'device_lists', 'thread_subscriptions']
 
 # matrix_synapse_workers_webserving_stream_writer_types contains a list of stream writer types that serve web (client) requests.
 # Not all stream writers serve web requests. Some just perform background tasks.
-matrix_synapse_workers_webserving_stream_writer_types: ['typing', 'to_device', 'account_data', 'receipts', 'presence']
+matrix_synapse_workers_webserving_stream_writer_types: ['typing', 'to_device', 'account_data', 'receipts', 'presence', 'push_rules', 'device_lists', 'thread_subscriptions']
 
 # matrix_synapse_workers_systemd_services_list contains a list of systemd services (one for each worker systemd service which serves web requests).
 # This list is built during runtime.
@@ -188,9 +235,11 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/
   - ^/_matrix/client/v1/rooms/.*/threads$
   - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
+  - ^/_matrix/client/unstable/im.nheko.summary/summary/.*$
+  - ^/_matrix/client/unstable/org.matrix.msc4143/rtc/transports$
   - ^/_matrix/client/(r0|v3|unstable)/account/3pid$
   - ^/_matrix/client/(r0|v3|unstable)/account/whoami$
-  - ^/_matrix/client/(r0|v3|unstable)/devices$
+  - ^/_matrix/client/(r0|v3|unstable)/account/deactivate$
   - ^/_matrix/client/versions$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/
@@ -208,9 +257,10 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(r0|v3|unstable)/keys/changes$
   - ^/_matrix/client/(r0|v3|unstable)/keys/claim$
   - ^/_matrix/client/(r0|v3|unstable)/room_keys/
-  - ^/_matrix/client/(r0|v3|unstable)/keys/upload$
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+  # MSC3814 dehydrated-device support:
+  # Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L256-L459
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device$
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/[^/]*/events$
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
@@ -236,11 +286,14 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # Start of intentionally-ignored-endpoints
   #
-  # We ignore these below, because they're better sent to dedicated workers (various stream writers).
-  # If a stream writer is enabled, the endpoint should be routed to the stream writer, not to a generic worker.
-  # If a stream writer of a given type is not enabled, then a generic worker may process it.
-  # Because it's difficult to handle these individually based on which stream writer is enabled and which isn't,
-  # we just disable them here.
+  # We ignore these below, because they are now supposed to be owned by explicit
+  # early stream-backed routing in the reverse proxy.
+  #
+  # The intended behavior is:
+  # - if a stream writer is enabled, route to that stream writer
+  # - otherwise, route to Synapse `main`
+  #
+  # Broad generic-worker routing must not decide fallback behavior for these.
   #
   # # Account data requests
   # - ^/_matrix/client/(r0|v3|unstable)/.*/tags
@@ -253,6 +306,20 @@ matrix_synapse_workers_generic_worker_endpoints:
   # # Presence requests
   # - ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/
   #
+  # # Push rules requests
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
+  #
+  # # Device lists requests
+  # - ^/_matrix/client/(r0|v3)/delete_devices$
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)
+  # - ^/_matrix/client/(r0|v3|unstable)/keys/upload(/|$)
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+  #
+  # # Thread subscriptions requests
+  # - ^/_matrix/client/unstable/io.element.msc4306/rooms/.*/thread/.*/subscription$
+  # - ^/_matrix/client/unstable/io.element.msc4308/thread_subscriptions$
+  #
   # # User directory search requests
   # - ^/_matrix/client/(r0|v3|unstable)/user_directory/search$
   # End of intentionally-ignored-endpoints

roles/custom/matrix_playbook_migration/defaults/main.yml

@@ -1,9 +1,27 @@
-# SPDX-FileCopyrightText: 2023 - 2025 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2023 - 2026 Slavi Pantaleev
 # SPDX-FileCopyrightText: 2024 Suguru Hirahara
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
+
+# The version that the user has validated their setup against.
+# When empty, the user will be prompted to set this variable.
+# New users should set this to the current expected version (see below).
+# See `examples/vars.yml` and `matrix_playbook_migration_expected_version` for the recommended value.
+matrix_playbook_migration_validated_version: ''
+
+# The version that the playbook expects the user to have validated against.
+# This is bumped whenever a breaking change is introduced.
+# The value configured here needs to exist in `matrix_playbook_migration_breaking_changes` as well.
+matrix_playbook_migration_expected_version: "v2026.03.23.0"
+
+# A list of breaking changes, used to inform users what changed between their validated version and the expected version.
+matrix_playbook_migration_breaking_changes:
+  - version: "v2026.03.23.0"
+    summary: "Initial migration validation system"
+    changelog_url: "https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md#2026-03-22"
+
 # Controls if (`matrix_prometheus_nginxlog_exporter` -> `prometheus_nginxlog_exporter`) validation will run.
 matrix_playbook_migration_matrix_prometheus_nginxlog_exporter_migration_validation_enabled: true
 

roles/custom/matrix_playbook_migration/tasks/main.yml

@@ -1,9 +1,14 @@
-# SPDX-FileCopyrightText: 2022 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2022 - 2026 Slavi Pantaleev
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 ---
 
+- tags:
+    - always
+  block:
+    - ansible.builtin.include_tasks: "{{ role_path }}/tasks/validate_migration_version.yml"
+
 - tags:
     - setup-all
     - install-all

roles/custom/matrix_playbook_migration/tasks/validate_config.yml

@@ -40,8 +40,8 @@
     - {'old': 'matrix_systemd_services_list', 'new': 'devture_systemd_service_manager_services_list_additional'}
     - {'old': 'matrix_common_after_systemd_service_start_wait_for_timeout_seconds', 'new': 'devture_systemd_service_manager_up_verification_delay_seconds'}
     - {'old': 'matrix_systemd_services_autostart_enabled', 'new': 'devture_systemd_service_manager_services_autostart_enabled'}
-    - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': '<prometheus_node_exporter_container_labels_traefik_enabled or matrix_metrics_exposure_enabled>'}
-    - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': '<prometheus_postgres_exporter_container_labels_traefik_enabled or matrix_metrics_exposure_enabled>'}
+    - {'old': 'matrix_prometheus_node_exporter_metrics_proxying_enabled', 'new': '<prometheus_node_exporter_container_labels_metrics_enabled or matrix_metrics_exposure_enabled>'}
+    - {'old': 'matrix_prometheus_postgres_exporter_metrics_proxying_enabled', 'new': '<prometheus_postgres_exporter_container_labels_metrics_enabled or matrix_metrics_exposure_enabled>'}
     - {'old': 'matrix_playbook_traefik_certs_dumper_role_enabled', 'new': 'traefik_certs_dumper_enabled'}
     - {'old': 'matrix_playbook_traefik_role_enabled', 'new': 'traefik_enabled'}
 
@@ -100,9 +100,9 @@
     - {'old': 'prometheus_nginxlog_exporter_docker_image_registry_prefix_upstream', 'new': 'prometheus_nginxlog_exporter_container_image_registry_prefix_upstream'}
     - {'old': 'prometheus_nginxlog_exporter_docker_image_registry_prefix_upstream_default', 'new': 'prometheus_nginxlog_exporter_container_image_registry_prefix_upstream_default'}
     - {'old': 'prometheus_nginxlog_exporter_docker_image_arch_check_enabled', 'new': 'prometheus_nginxlog_exporter_container_image_arch_check_enabled'}
-    - {'old': 'prometheus_nginxlog_exporter_metrics_proxying_enabled', 'new': 'prometheus_nginxlog_exporter_container_labels_traefik_enabled'}
-    - {'old': 'prometheus_nginxlog_exporter_metrics_proxying_hostname', 'new': 'prometheus_nginxlog_exporter_container_labels_traefik_hostname'}
-    - {'old': 'prometheus_nginxlog_exporter_metrics_proxying_path_prefix', 'new': 'prometheus_nginxlog_exporter_container_labels_traefik_path_prefix'}
+    - {'old': 'prometheus_nginxlog_exporter_metrics_proxying_enabled', 'new': 'prometheus_nginxlog_exporter_container_labels_metrics_enabled'}
+    - {'old': 'prometheus_nginxlog_exporter_metrics_proxying_hostname', 'new': 'prometheus_nginxlog_exporter_container_labels_metrics_hostname'}
+    - {'old': 'prometheus_nginxlog_exporter_metrics_proxying_path_prefix', 'new': 'prometheus_nginxlog_exporter_container_labels_metrics_path_prefix'}
     - {'old': 'prometheus_nginxlog_exporter_config_namespaces_matrix_source_tags_custom', 'new': 'prometheus_nginxlog_exporter_config_namespaces_source_tags_custom'}
 
 - name: (Deprecation) Catch and report matrix_postgres variables

roles/custom/matrix_playbook_migration/tasks/validate_migration_version.yml

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+---
+
+- name: Fail if migration version is not validated (first-time onboarding)
+  ansible.builtin.fail:
+    msg: >-
+      This playbook now uses a migration validation system to help you stay aware of breaking changes.
+
+      It appears that you haven't configured the `matrix_playbook_migration_validated_version` variable yet.
+
+      Please review the changelog (https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/CHANGELOG.md)
+      and then add the following to your vars.yml file:
+
+      matrix_playbook_migration_validated_version: {{ matrix_playbook_migration_expected_version }}
+  when: "matrix_playbook_migration_validated_version == ''"
+
+- name: Fail if migration version is outdated
+  ansible.builtin.fail:
+    msg: |-
+      Your validated migration version ({{ matrix_playbook_migration_validated_version }}) is behind the expected version ({{ matrix_playbook_migration_expected_version }}).
+
+      The following breaking changes have been introduced since your last validation:
+
+      {% for item in matrix_playbook_migration_breaking_changes | selectattr('version', '>', matrix_playbook_migration_validated_version) | sort(attribute='version') %}
+      - {{ item.version }}: {{ item.summary }} ({{ item.changelog_url }})
+      {% endfor %}
+
+      After reviewing the above changes and adapting your setup, update your vars.yml:
+
+      matrix_playbook_migration_validated_version: "{{ matrix_playbook_migration_expected_version }}"
+  when: "matrix_playbook_migration_validated_version != '' and matrix_playbook_migration_validated_version < matrix_playbook_migration_expected_version"