Update matrix-appservice-irc to 4.0.0 with authenticated media proxy support

- Upgrade from 1.0.1 to 4.0.0
- Add ircService.mediaProxy configuration for authenticated Matrix media
- Add Traefik integration for media proxy endpoint
- Generate signing key for authenticated media

Closes #3512

Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>

.github/workflows/matrix.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v25.12.1
+        uses: ansible/ansible-lint@v26.1.1
         with:
           args: "roles/custom"
           setup_python: "true"

docs/configuring-playbook-matrix-authentication-service.md

@@ -57,6 +57,10 @@ This section details what you can expect when switching to the Matrix Authentica
 
   - [Reminder bot](configuring-playbook-bot-matrix-reminder-bot.md) seems to be losing some of its state on each restart and may reschedule old reminders once again
 
+  - [Postmoogle](./configuring-playbook-bridge-postmoogle.md) works the first time around, but it consistently fails after restarting:
+
+    > cannot initialize matrix bot error="olm account is marked as shared, keys seem to have disappeared from the server"
+
 - ❌ **Encrypted appservices** do not work yet (related to [MSC4190](https://github.com/matrix-org/matrix-spec-proposals/pull/4190) and [PR 17705 for Synapse](https://github.com/element-hq/synapse/pull/17705)), so all bridges/bots that rely on encryption will fail to start (see [this issue](https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3658) for Hookshot). You can use these bridges/bots only if you **keep end-to-bridge encryption disabled** (which is the default setting).
 
 - ⚠️ [Migrating an existing Synapse homeserver to Matrix Authentication Service](#migrating-an-existing-synapse-homeserver-to-matrix-authentication-service) is **possible**, but requires **some playbook-assisted manual work**. Migration is **reversible with no or minor issues if done quickly enough**, but as users start logging in (creating new login sessions) via the new MAS setup, disabling MAS and reverting back to the Synapse user database will cause these new sessions to break.

docs/configuring-playbook-turn.md

@@ -49,6 +49,23 @@ Regardless of the selected authentication method, the playbook generates secrets
 
 If [Jitsi](configuring-playbook-jitsi.md) is installed, note that switching to `lt-cred-mech` will disable the integration between Jitsi and your coturn server, as Jitsi seems to support the `auth-secret` authentication method only.
 
+### Customize the Coturn hostname (optional)
+
+By default, Coturn uses the same hostname as your Matrix homeserver (the value of `matrix_server_fqn_matrix`, which is typically `matrix.example.com`).
+
+If you'd like to use a custom subdomain for Coturn (e.g., `turn.example.com` or `t.matrix.example.com`), add the following configuration to your `vars.yml` file:
+
+```yaml
+matrix_coturn_hostname: turn.example.com
+```
+
+The playbook will automatically:
+- Configure Coturn to use this hostname
+- Obtain an SSL certificate for the custom domain via Traefik
+- Update all TURN URIs to point to the custom domain
+
+**Note**: Make sure the custom hostname resolves to your server's IP address via DNS before running the playbook.
+
 ### Use your own external coturn server (optional)
 
 If you'd like to use another TURN server (be it coturn or some other one), add the following configuration to your `vars.yml` file. Make sure to replace `HOSTNAME_OR_IP` with your own.

docs/registering-users.md

@@ -161,6 +161,6 @@ You can then proceed to run the query above.
 
 ### Adding/Removing Administrator privileges to an existing user in Matrix Authentication Service
 
-Promoting/demoting a user in Matrix Authentication Service cannot currently (2024-10-19) be done via the [`mas-cli` Management tool](./configuring-playbook-matrix-authentication-service.md#management).
+Promoting/demoting a user in Matrix Authentication Service can be done using the [`mas-cli`](./configuring-playbook-matrix-authentication-service.md#management) management tool's [`manage promote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-promote-admin) and [`manage demote-admin`](https://element-hq.github.io/matrix-authentication-service/reference/cli/manage.html#manage-demote-admin) commands. For example: `/matrix/matrix-authentication-service/bin/mas-cli manage promote-admin some.username`.
 
-You can do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint.
+You can also do it via the [MAS Admin API](https://element-hq.github.io/matrix-authentication-service/api/index.html)'s `POST /api/admin/v1/users/{id}/set-admin` endpoint.

group_vars/matrix_servers

@@ -843,6 +843,8 @@ matrix_appservice_irc_container_additional_networks_auto: |-
       ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
       +
       ([postgres_container_network] if (postgres_enabled and matrix_appservice_irc_database_hostname == postgres_connection_hostname and matrix_appservice_irc_container_network != postgres_container_network) else [])
+      +
+      [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []
     ) | unique
   }}
 
@@ -860,6 +862,13 @@ matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if pos
 matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}"
 matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}"
 
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"  # noqa var-naming
+
+matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"  # noqa var-naming
+
 ######################################################################
 #
 # /matrix-bridge-appservice-irc
@@ -3152,6 +3161,8 @@ matrix_rageshake_container_labels_traefik_tls_certResolver: "{{ traefik_certReso
 
 matrix_coturn_enabled: true
 
+matrix_coturn_hostname: "{{ matrix_server_fqn_matrix }}"
+
 matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_container_global_registry_prefix_override if matrix_container_global_registry_prefix_override else matrix_coturn_docker_image_registry_prefix_upstream_default }}"
 
 matrix_coturn_container_image_self_build: "{{ matrix_architecture not in ['amd64', 'arm32', 'arm64'] }}"
@@ -3191,12 +3202,12 @@ matrix_coturn_container_additional_volumes: |
     (
       [
        {
-         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_server_fqn_matrix + '/certificate.crt'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_coturn_hostname + '/certificate.crt'),
          'dst': '/certificate.crt',
          'options': 'ro',
        },
        {
-         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_server_fqn_matrix + '/privatekey.key'),
+         'src': (traefik_certs_dumper_dumped_certificates_path +  '/' + matrix_coturn_hostname + '/privatekey.key'),
          'dst': '/privatekey.key',
          'options': 'ro',
        },
@@ -3206,7 +3217,7 @@ matrix_coturn_container_additional_volumes: |
 
 matrix_coturn_systemd_required_services_list_auto: |
   {{
-    ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_server_fqn_matrix + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
+    ([traefik_certs_dumper_identifier + '-wait-for-domain@' + matrix_coturn_hostname + '.service'] if matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] and traefik_certs_dumper_enabled and matrix_coturn_tls_enabled else [])
   }}
 
 ######################################################################
@@ -3646,6 +3657,8 @@ matrix_media_repo_container_additional_networks: |
       ([postgres_container_network] if (postgres_enabled and matrix_media_repo_database_hostname == postgres_connection_hostname and postgres_container_network != matrix_media_repo_container_network) else [])
       +
       ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_media_repo_container_labels_traefik_enabled) else [])
+      +
+      ([valkey_container_network] if valkey_enabled and matrix_media_repo_redis_enabled else [])
     ) | unique
   }}
 
@@ -3711,6 +3724,21 @@ matrix_media_repo_homeservers_auto:
 
 matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federation_enabled }}"
 
+matrix_media_repo_redis_enabled: "{{ valkey_enabled }}"
+
+# Use next redis index since Synapse is on 0. You can chose between index 0 and 15.
+matrix_media_repo_redis_database_number: 1
+
+matrix_media_repo_redis_shards: |
+  {{
+    ([{
+          'name': 'valkey',
+          'addr': (valkey_identifier + ':' + valkey_container_http_port | string),
+    }])
+    if valkey_enabled and matrix_media_repo_redis_enabled
+    else []
+  }}
+
 ######################################################################
 #
 # /matrix-media-repo
@@ -5836,20 +5864,6 @@ traefik_gid: "{{ matrix_user_gid }}"
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
 traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s
 
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs).
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true
-traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true
-traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true
-# Doing the same for the `web` entrypoint, for people who disable SSL for the playbook
-# and actually go through this entrypoint.
-traefik_config_entrypoint_web_http_encodedCharacters_enabled: "{{ not matrix_playbook_ssl_enabled }}"
-traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedSlash: "{{ not matrix_playbook_ssl_enabled }}"
-traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedHash: "{{ not matrix_playbook_ssl_enabled }}"
-
 traefik_additional_entrypoints_auto: |
   {{
     ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])
@@ -5873,6 +5887,11 @@ traefik_systemd_required_services_list: |
     ([container_socket_proxy_identifier + '.service'] if container_socket_proxy_enabled else [])
   }}
 
+traefik_additional_domains_to_obtain_certificates_for_auto: |
+  {{
+    ([matrix_coturn_hostname] if (matrix_coturn_enabled and matrix_coturn_tls_enabled and matrix_coturn_hostname != matrix_server_fqn_matrix) else [])
+  }}
+
 ########################################################################
 #                                                                      #
 # /traefik                                                             #

i18n/requirements.txt

@@ -1,6 +1,6 @@
 alabaster==1.0.0
 babel==2.17.0
-certifi==2025.11.12
+certifi==2026.1.4
 charset-normalizer==3.4.4
 click==8.3.1
 docutils==0.22.4
@@ -12,14 +12,14 @@ markdown-it-py==4.0.0
 MarkupSafe==3.0.3
 mdit-py-plugins==0.5.0
 mdurl==0.1.2
-myst-parser==4.0.1
+myst-parser==5.0.0
-packaging==25.0
+packaging==26.0
 Pygments==2.19.2
 PyYAML==6.0.3
 requests==2.32.5
-setuptools==80.9.0
+setuptools==80.10.2
 snowballstemmer==3.0.1
-Sphinx==9.0.4
+Sphinx==9.1.0
 sphinx-intl==2.3.2
 sphinx-markdown-builder==0.6.9
 sphinxcontrib-applehelp==2.0.0
@@ -30,4 +30,4 @@ sphinxcontrib-qthelp==2.0.0
 sphinxcontrib-serializinghtml==2.0.0
 tabulate==0.9.0
 uc-micro-py==1.0.3
-urllib3==2.6.2
+urllib3==2.6.3

requirements.yml

@@ -1,37 +1,37 @@
 ---
 
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-aux.git
-  version: v1.0.0-5
+  version: v1.0.0-6
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.2-2.0.12-0
+  version: v1.4.3-2.1.1-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
-  version: v0.4.2-0
+  version: v0.4.2-1
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.9.0
+  version: 8.0.0
   name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
   version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.5.2-2
+  version: v2.6.1-0
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.98.1-r0-2-2
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-4
+  version: v11.6.5-6
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10655-0
+  version: v10710-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.9-0
+  version: v1.9.11-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.15.0-0
+  version: v2.16.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 8630e4f1749bcb659c412820f754473f09055052
@@ -49,13 +49,13 @@
   version: v18-0
   name: postgres_backup
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus.git
-  version: v3.8.1-0
+  version: v3.9.1-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.9.1-12
+  version: v1.9.1-13
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.18.1-1
+  version: v0.18.1-2
   name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.4.1-0
@@ -67,10 +67,10 @@
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.5-0
+  version: v3.6.7-1
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
-  version: v2.10.0-3
+  version: v2.10.0-4
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
   version: v9.0.1-0

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.11.26
+matrix_alertmanager_receiver_version: 2026.1.21
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.8.0
+matrix_authentication_service_version: 1.10.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-base/defaults/main.yml

@@ -321,13 +321,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true  # noqa: var-naming[pattern]
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true  # noqa: var-naming[pattern]
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"  # noqa var-naming
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}"  # noqa var-naming
@@ -337,19 +330,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default:
   {{
     {}
 
-    | combine(
-      (
-        {
-          'http': {
-            'encodedCharacters': {
-              'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
-              'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
-            }
-          }
-        }
-      )
-    )
-
     | combine(
       (
         (
@@ -412,30 +392,7 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-inter
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {}
-# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true  # noqa: var-naming[pattern]
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true  # noqa: var-naming[pattern]
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: |
-  {{
-    {}
-
-    | combine(
-      (
-        {
-          'http': {
-            'encodedCharacters': {
-              'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
-              'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
-            }
-          }
-        }
-      )
-    )
-  }}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
 

roles/custom/matrix-base/tasks/validate_config.yml

@@ -36,6 +36,11 @@
     - {'old': 'matrix_container_global_registry_prefix', 'new': '<no global variable anymore; you need to override the `_registry_prefix` variable in each component separately>'}
     - {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
     - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
+    - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
+    - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
+    - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
+    - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
+
 
 # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
 - name: Fail if matrix_homeserver_generic_secret_key is undefined

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.11.0
+matrix_bot_baibot_version: v1.13.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"
@@ -406,7 +406,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_to_speech_response_format: opus
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_enabled: true
-matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1
+matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_model_id: gpt-image-1.5
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_style: null
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_size: null
 matrix_bot_baibot_config_agents_static_definitions_openai_config_image_generation_quality: null

roles/custom/matrix-bridge-appservice-irc/defaults/main.yml

@@ -8,7 +8,7 @@
 # SPDX-FileCopyrightText: 2019 Lyubomir Popov
 # SPDX-FileCopyrightText: 2019 Sylvia van Os
 # SPDX-FileCopyrightText: 2020 John Goerzen
-# SPDX-FileCopyrightText: 2021 - 2023 Thom Wiggers
+# SPDX-FileCopyrightText: 2021 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2021 Ahmad Haghighi
 # SPDX-FileCopyrightText: 2021 Joseph Walton-Rivers
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -33,7 +33,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
-matrix_appservice_irc_version: 1.0.1
+matrix_appservice_irc_version: 4.0.0
 matrix_appservice_irc_docker_image: "{{ matrix_appservice_irc_docker_image_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_appservice_irc_docker_image_registry_prefix_upstream }}"
 matrix_appservice_irc_docker_image_registry_prefix_upstream: "{{ matrix_appservice_irc_docker_image_registry_prefix_upstream_default }}"
@@ -46,8 +46,15 @@ matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config
 matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data"
 
 matrix_appservice_irc_homeserver_url: ""
-matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}'
 matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}'
+
+# ircService.mediaProxy configuration for serving publicly accessible URLs to authenticated Matrix media
+matrix_appservice_irc_ircService_mediaProxy_bindPort: 11111  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: https  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname: '{{ matrix_server_fqn_matrix }}'  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix: '/irc/'  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl: "{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme }}://{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}"  # noqa var-naming
+
 matrix_appservice_irc_homeserver_enablePresence: true  # noqa var-naming
 matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999'
 
@@ -89,20 +96,25 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # It is also used in the Third Party Lookup API as the instance `desc`
 #     # property, where each server is an instance.
 #     name: "ExampleNet"
-
+#     # Additional addresses to connect to, used for load balancing between IRCDs.
 #     additionalAddresses: [ "irc2.example.com" ]
+#     # Typically additionalAddresses would be in addition to the address key given above,
+#     # but some configurations wish to exclusively use additional addresses while reserving
+#     # the top key for identification purposes. Set this to true to exclusively use the
+#     # additionalAddresses array when connecting to servers.
+#     onlyAdditionalAddresses: false
 #     #
 #     # [DEPRECATED] Use `name`, above, instead.
 #     # A human-readable description string
 #     # description: "Example.com IRC network"
-
+#
 #     # An ID for uniquely identifying this server amongst other servers being bridged.
 #     # networkId: "example"
-
+#
-#     # URL to an icon used as the network icon whenever this network appear in
+#     # MXC URL to an icon used as the network icon whenever this network appear in
-#     # a network list. (Like in the Riot room directory, for instance.)
+#     # a network list. (Like in the Element room directory, for instance.)
-#     # icon: https://example.com/images/hash.png
+#     # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf
-
+#
 #     # The port to connect to. Optional.
 #     port: 6697
 #     # Whether to use SSL or not. Default: false.
@@ -115,19 +127,26 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # Whether to allow expired certs when connecting to the IRC server.
 #     # Usually this should be off. Default: false.
 #     allowExpiredCerts: false
+#
+#     # Set additional TLS options for the connections to the IRC server.
+#     #tlsOptions:
 #       # A specific CA to trust instead of the default CAs. Optional.
 #       #ca: |
 #       #  -----BEGIN CERTIFICATE-----
-#     #  …
+#       #  ...
 #       #  -----END CERTIFICATE-----
-
+#       # Server name for the SNI (Server Name Indication) TLS extension. If the address you
+#       # are using does not report the correct certificate name, you can override it here.
+#       # servername: real.server.name
+#       # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback
+#
 #     #
 #     # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
 #     # password: 'pa$$w0rd'
 #     #
 #     # Whether or not to send connection/error notices to real Matrix users. Default: true.
 #     sendConnectionMessages: true
-
+#
 #     quitDebounce:
 #       # Whether parts due to net-splits are debounced for delayMs, to allow
 #       # time for the netsplit to resolve itself. A netsplit is detected as being
@@ -147,13 +166,13 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       delayMinMs: 3600000 # 1h
 #       # Default: 7200000, = 2h
 #       delayMaxMs: 7200000 # 2h
-
+#
 #     # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
 #     # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
 #     # been given multiple modes, the one that maps to the highest power level will be used.
 #     modePowerMap:
 #       o: 50
-
+#       v: 1
 #     botConfig:
 #       # Enable the presence of the bot in IRC channels. The bot serves as the entity
 #       # which maps from IRC -> Matrix. You can disable the bot entirely which
@@ -176,6 +195,8 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       enabled: true
 #       # The nickname to give the AS bot.
 #       nick: "MatrixBot"
+#       # The username to give to the AS bot. Defaults to "matrixbot"
+#       username: "matrixbot"
 #       # The password to give to NickServ or IRC Server for this nick. Optional.
 #       # password: "helloworld"
 #       #
@@ -184,7 +205,7 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # real Matrix users in them, even if there is a mapping for the channel.
 #       # Default: true
 #       joinChannelsIfNoUsers: true
-
+#
 #     # Configuration for PMs / private 1:1 communications between users.
 #     privateMessages:
 #       # Enable the ability for PMs to be sent to/from IRC/Matrix.
@@ -193,12 +214,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent Matrix users from sending PMs to the following IRC nicks.
 #       # Optional. Default: [].
 #       # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
-
+#
 #       # Should created Matrix PM rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Optional. Default: true.
 #       federate: true
-
+#
 #     # Configuration for mappings not explicitly listed in the 'mappings'
 #     # section.
 #     dynamicChannels:
@@ -212,27 +233,34 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Should the AS publish the new Matrix room to the public room list so
 #       # anyone can see it? Default: true.
 #       published: true
+#       # Publish the rooms to the homeserver directory, as oppose to the appservice
+#       # room directory. Only used if `published` is on.
+#       # Default: false
+#       useHomeserverDirectory: true
 #       # What should the join_rule be for the new Matrix room? If 'public',
 #       # anyone can join the room. If 'invite', only users with an invite can
 #       # join the room. Note that if an IRC channel has +k or +i set on it,
 #       # join_rules will be set to 'invite' until these modes are removed.
 #       # Default: "public".
 #       joinRule: public
-#       # This will set the m.room.related_groups state event in newly created rooms
-#       # with the given groupId. This means flares will show up on IRC users in those rooms.
-#       # This should be set to the same thing as namespaces.users.group_id in irc_registration.
-#       # This does not alter existing rooms.
-#       # Leaving this option empty will not set the event.
-#       groupId: +myircnetwork:localhost
 #       # Should created Matrix rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Default: true.
 #       federate: true
+#       # Force this room version when creating IRC channels. Beware if the homeserver doesn't
+#       # support the room version then the request will fail. By default, no version is requested.
+#       # roomVersion: "1"
 #       # The room alias template to apply when creating new aliases. This only
 #       # applies if createAlias is 'true'. The following variables are exposed:
 #       # $SERVER => The IRC server address (e.g. "irc.example.com")
 #       # $CHANNEL => The IRC channel (e.g. "#python")
 #       # This MUST have $CHANNEL somewhere in it.
+#       #
+#       # In certain circumstances you might want to bridge your whole IRC network as a
+#       # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
+#       # template to just be $CHANNEL. Doing so will preclude you from supporting
+#       # other prefix characters though.
+#       #
 #       # Default: '#irc_$SERVER_$CHANNEL'
 #       aliasTemplate: "#irc_$CHANNEL"
 #       # A list of user IDs which the AS bot will send invites to in response
@@ -244,7 +272,11 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent the given list of channels from being mapped under any
 #       # circumstances.
 #       # exclude: ["#foo", "#bar"]
-
+#
+#     # excludedUsers:
+#     #   - regex: "@.*:evilcorp.com"
+#     #     kickReason: "We don't like Evilcorp"
+#
 #     # Configuration for controlling how Matrix and IRC membership lists are
 #     # synced.
 #     membershipLists:
@@ -253,12 +285,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # synced. This must be enabled for anything else in this section to take
 #       # effect. Default: false.
 #       enabled: false
-
+#
 #       # Syncing membership lists at startup can result in hundreds of members to
 #       # process all at once. This timer drip feeds membership entries at the
 #       # specified rate. Default: 10000. (10s)
 #       floodDelayMs: 10000
-
+#
 #       global:
 #         ircToMatrix:
 #           # Get a snapshot of all real IRC users on a channel (via NAMES) and
@@ -267,7 +299,14 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # Make virtual Matrix clients join and leave rooms as their real IRC
 #           # counterparts join/part channels. Default: false.
 #           incremental: false
-
+#           # Should the bridge check if all Matrix users are connected to IRC and
+#           # joined to the channel before relaying messages into the room.
+#           #
+#           # This is considered a safety net to avoid any leakages by the bridge to
+#           # unconnected users, but given it ignores all IRC messages while users
+#           # are still connecting it may be overkill.
+#           requireMatrixJoined: false
+#
 #         matrixToIrc:
 #           # Get a snapshot of all real Matrix users in the room and join all of
 #           # them to the mapped IRC channel on startup. Default: false.
@@ -276,21 +315,32 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # counterparts join/leave rooms. Make sure your 'maxClients' value is
 #           # high enough! Default: false.
 #           incremental: false
-
+#
 #       # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
 #       rooms:
 #         - room: "!qporfwt:localhost"
 #           matrixToIrc:
 #             initial: false
 #             incremental: false
-
+#
 #       # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
 #       channels:
 #         - channel: "#foo"
 #           ircToMatrix:
 #             initial: false
 #             incremental: false
-
+#             requireMatrixJoined: false
+#
+#       # Should the bridge ignore users which are not considered active on the bridge
+#       # during startup
+#       ignoreIdleUsersOnStartup:
+#         enabled: true
+#         # How many hours can a user be considered idle for before they are considered
+#         # ignoreable
+#         idleForHours: 720
+#         # A regex which will exclude matching MXIDs from this check.
+#         exclude: "foobar"
+#
 #     mappings:
 #       # 1:many mappings from IRC channels to room IDs on this IRC server.
 #       # The Matrix room must already exist. Your Matrix client should expose
@@ -300,27 +350,27 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # Channel key/password to use. Optional. If provided, Matrix users do
 #         # not need to know the channel key in order to join the channel.
 #         # key: "secret"
-
+#
 #     # Configuration for virtual Matrix users. The following variables are
 #     # exposed:
 #     # $NICK => The IRC nick
 #     # $SERVER => The IRC server address (e.g. "irc.example.com")
 #     matrixClients:
 #       # The user ID template to use when creating virtual Matrix users. This
-#       # MUST have $NICK somewhere in it.
+#       # MUST start with an @ and have $NICK somewhere in it.
 #       # Optional. Default: "@$SERVER_$NICK".
 #       # Example: "@irc.example.com_Alice:example.com"
 #       userTemplate: "@irc_$NICK"
 #       # The display name to use for created Matrix clients. This should have
 #       # $NICK somewhere in it if it is specified. Can also use $SERVER to
 #       # insert the IRC domain.
-#       # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
+#       # Optional. Default: "$NICK". Example: "Alice"
-#       displayName: "$NICK (IRC)"
+#       displayName: "$NICK"
 #       # Number of tries a client can attempt to join a room before the request
 #       # is discarded. You can also use -1 to never retry or 0 to never give up.
 #       # Optional. Default: -1
 #       joinAttempts: -1
-
+#
 #     # Configuration for virtual IRC users. The following variables are exposed:
 #     # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
 #     # $USERID => The user ID
@@ -349,9 +399,20 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # connected user. If not specified, all users will connect from the same
 #         # (default) address. This may require additional OS-specific work to allow
 #         # for the node process to bind to multiple different source addresses
-#         # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
+#         # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1
+#         # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library
 #         # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
 #         # prefix: "2001:0db8:85a3::"  # modify appropriately
+#
+#         # Optional. Define blocks of IPv6 addresses for different homeservers
+#         # which can be used to restrict users of those homeservers to a given
+#         # IP. These blocks should be considered immutable once set, as changing
+#         # the startFrom value will NOT adjust existing IP addresses.
+#         # Changing the startFrom value to a lower value may conflict with existing clients.
+#         # Multiple homeservers may NOT share blocks.
+#         blocks:
+#           - homeserver: another-server.org
+#             startFrom: '10:0000'
 #       #
 #       # The maximum amount of time in seconds that the client can exist
 #       # without sending another message before being disconnected. Use 0 to
@@ -388,12 +449,36 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # through the bridge e.g. caller ID as there is no way to /ACCEPT.
 #       # Default: "" (no user modes)
 #       # userModes: "R"
+#       # The format of the realname defined for users, either mxid or reverse-mxid
+#       realnameFormat: "mxid"
+#       # The minimum time to wait between connection attempts if we were disconnected
+#       # due to throttling.
+#       # pingTimeoutMs: 600000
+#       # The rate at which to send pings to the IRCd if the client is being quiet for a while.
+#       # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears
+#       # that sometimes they don't get around to it and end up ping timing us out.
+#       # pingRateMs: 60000
+#       # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from
+#       # defaults should be taken with care as it may dishonestly represent Matrix users on the IRC
+#       # network, and cause your bridge to be banned.
+#       kickOn:
+#         # Kick a Matrix user from a bridged room if they fail to join the IRC channel.
+#         channelJoinFailure: true
+#         # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC.
+#         ircConnectionFailure: true
+#         # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network.
+#         userQuit: true
 
-# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
+# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
 matrix_appservice_irc_container_http_host_bind_port: ''
 
+# Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port.
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:11111"), or empty string to not expose.
+matrix_appservice_irc_container_media_proxy_host_bind_port: ''
+
 matrix_appservice_irc_container_network: ""
 
 matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}"
@@ -403,6 +488,26 @@ matrix_appservice_irc_container_additional_networks_custom: []
 # A list of extra arguments to pass to the container
 matrix_appservice_irc_container_extra_arguments: []
 
+# matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`.
+matrix_appservice_irc_container_labels_traefik_enabled: true
+matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_appservice_irc_container_network }}"
+matrix_appservice_irc_container_labels_traefik_entrypoints: web-secure
+matrix_appservice_irc_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether Traefik labels for the media proxy will be applied
+matrix_appservice_irc_container_labels_media_proxy_enabled: true
+# Derived from publicUrl_pathPrefix, stripping any trailing slash (unless it's just "/")
+matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix: "{{ '/' if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix == '/' else matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix.rstrip('/') }}"
+matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}`) && PathPrefix(`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`)"
+matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000
+matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}"
+matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}"
+matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ matrix_appservice_irc_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# matrix-appservice-irc container additional labels
+matrix_appservice_irc_container_labels_additional_labels: ''
+
 # List of systemd services that matrix-appservice-irc.service depends on.
 matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}"
 matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
-# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2019 - 2026 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2019 Dan Arnfield
 # SPDX-FileCopyrightText: 2020 Chris van Dijk
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -121,6 +122,14 @@
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
 
+- name: Ensure Matrix Appservice IRC labels file installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_appservice_irc_base_path }}/labels"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+
 - name: Generate Appservice IRC passkey if it doesn't exist
   ansible.builtin.shell:
     cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
@@ -128,6 +137,41 @@
   become: true
   become_user: "{{ matrix_user_name }}"
 
+- name: Check if an authenticated media signing key exists
+  ansible.builtin.stat:
+    path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+  register: matrix_appservice_irc_stat_auth_media_key
+
+- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
+  block:
+    - name: Generate IRC appservice signing key for authenticated media
+      community.docker.docker_container:
+        name: "create-auth-media-jwk-key"
+        image: "{{ matrix_appservice_irc_docker_image }}"
+        cleanup: true
+        network_mode: none
+        entrypoint: "/usr/local/bin/node"
+        command: >
+          -e "const webcrypto = require('node:crypto');
+          async function main() {
+              const key = await webcrypto.subtle.generateKey({
+                  name: 'HMAC',
+                  hash: 'SHA-512',
+              }, true, ['sign', 'verify']);
+              console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
+          }
+          main().then(() => process.exit(0)).catch(err => { throw err });"
+        detach: false
+      register: matrix_appservice_irc_jwk_result
+
+    - name: Write auth media signing key to file
+      ansible.builtin.copy:
+        content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
+        dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+        mode: "0644"
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
+
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
 - name: (Migration) Ensure Appservice IRC passkey permissions are okay

roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml

@@ -44,3 +44,27 @@
     - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}
     - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'}
     - {'old': 'matrix_appservice_irc_docker_image_name_prefix', 'new': 'matrix_appservice_irc_docker_image_registry_prefix'}
+    - {'old': 'matrix_appservice_irc_homeserver_media_url', 'new': '<removed; media proxying now uses matrix_appservice_irc_ircService_mediaProxy_publicUrl>'}
+
+- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not start with a slash
+  ansible.builtin.fail:
+    msg: >-
+      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must start with a slash (e.g. `/` or `/irc/`).
+  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[0] != '/'"
+
+- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not end with a slash
+  ansible.builtin.fail:
+    msg: >-
+      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must end with a slash (e.g. `/` or `/irc/`).
+  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[-1] != '/'"
+
+- when: matrix_appservice_irc_container_labels_traefik_enabled | bool
+  block:
+    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+    # Knowing that the path_prefix does not end with a slash ensures we know how to set these routes up
+    # without having to do "does it end with a slash" checks elsewhere.
+    - name: Fail if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix ends with a slash
+      ansible.builtin.fail:
+        msg: >-
+          matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix (`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/irc`).
+      when: "matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' and matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix[-1] == '/'"

roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2

@@ -1,14 +1,13 @@
 #jinja2: lstrip_blocks: True
+#
+# Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml
+#
+# Configuration specific to AS registration. Unless other marked, all fields
+# are *REQUIRED*.
+# Unless otherwise specified, these keys CANNOT be hot-reloaded.
 homeserver:
-  # The URL to the home server for client-server API calls, also used to form the
+  # The URL to the home server for client-server API calls
-  # media URLs as displayed in bridged IRC channels:
+  url: "{{ matrix_appservice_irc_homeserver_url }}"
-  url: {{ matrix_appservice_irc_homeserver_url }}
-  #
-  # The URL of the homeserver hosting media files. This is only used to transform
-  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
-  # default, this is the homeserver URL, specified above.
-  #
-  media_url: {{ matrix_appservice_irc_homeserver_media_url }}
 
   # Drop Matrix messages which are older than this number of seconds, according to
   # the event's origin_server_ts.
@@ -20,18 +19,29 @@ homeserver:
   # clock times and hence produce different origin_server_ts values, which may be old
   # enough to cause *all* events from the homeserver to be dropped.
   # Default: 0 (don't ever drop)
+  # This key CAN be hot-reloaded.
   # dropMatrixMessagesAfterSecs: 300 # 5 minutes
 
   # The 'domain' part for user IDs on this home server. Usually (but not always)
   # is the "domain name" part of the HS URL.
-  domain: {{ matrix_appservice_irc_homeserver_domain }}
+  domain: "{{ matrix_appservice_irc_homeserver_domain }}"
 
   # Should presence be enabled for Matrix clients on this bridge. If disabled on the
   # homeserver then it should also be disabled here to avoid excess traffic.
   # Default: true
   enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}
 
+  # Which port should the appservice bind to. Can be overridden by the one provided in the
+  # command line! Optional.
+  # bindPort: 8090
+
+  # Use this option to force the appservice to listen on another hostname for transactions.
+  # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
+  # bindHostname: 0.0.0.0
+
+# Configuration specific to the IRC service
 ircService:
+
   # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
   # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
   # the database.
@@ -50,11 +60,18 @@ ircService:
     # Cache this many Matrix events in memory to be used for m.relates_to messages (usually replies).
     eventCacheSize: 4096
 
+  # All server keys can be hot-reloaded, however existing IRC connections
+  # will not have changes applied to them.
   servers: {{ matrix_appservice_irc_ircService_servers|to_json }}
 
+  # present relevant UI to the user. MSC2346
+  bridgeInfoState:
+    enabled: false
+    initial: false
   # Configuration for an ident server. If you are running a public bridge it is
   # advised you setup an ident server so IRC mods can ban specific Matrix users
   # rather than the application service itself.
+  # This key CANNOT be hot-reloaded
   ident:
     # True to listen for Ident requests and respond with the
     # Matrix user's user_id (converted to ASCII, respecting RFC 1413).
@@ -71,6 +88,10 @@ ircService:
     # Default: 0.0.0.0
     address: "::"
 
+  # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set.
+  # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings
+  # encodingFallback: "ISO-8859-15"
+
   # Configuration for logging. Optional. Default: console debug level logging
   # only.
   logging:
@@ -87,33 +108,42 @@ ircService:
     # to rotations.
     maxFiles: 5
 
-  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
-  #   $ npm install prom-client@6.3.0
   # Metrics will then be available via GET /metrics on the bridge listening port (-p).
+  # This key CANNOT be hot-reloaded
   metrics:
     # Whether to actually enable the metric endpoint. Default: false
     enabled: true
+    # Which port to listen on (omit to listen on the bindPort)
+    #port: 7001
+    # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set
+    host: 127.0.0.1
+    # When determining activeness of remote and matrix users, cut off at this number of hours.
+    userActivityThresholdHours: 72 # 3 days
     # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
     # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
     remoteUserAgeBuckets:
       - "1h"
       - "1d"
       - "1w"
-
   # Configuration for the provisioning API.
-  #
+  # This key CANNOT be hot-reloaded
-  # GET /_matrix/provision/link
-  # GET /_matrix/provision/unlink
-  # GET /_matrix/provision/listlinks
-  #
   provisioning:
     # True to enable the provisioning HTTP endpoint. Default: false.
     enabled: false
-    # The number of seconds to wait before giving up on getting a response from
+    # Whether to enable hosting the setup widget page. Default: false.
-    # an IRC channel operator. If the channel operator does not respond within the
+    widget: false
-    # allotted time period, the provisioning request will fail.
+
-    # Default: 300 seconds (5 mins)
+  # Config for the media proxy, required to serve publicly accessible URLs to authenticated Matrix media
-    requestTimeoutSeconds: 300
+  mediaProxy:
+    # To generate a .jwk file:
+    # $ node src/generate-signing-key.js > signingkey.jwk
+    signingKeyPath: "/data/auth-media.jwk"
+    # How long should the generated URLs be valid for
+    ttlSeconds: 604800
+    # The port for the media proxy to listen on
+    bindPort: {{ matrix_appservice_irc_ircService_mediaProxy_bindPort | to_json }}
+    # The publicly accessible URL to the media proxy
+    publicUrl: {{ matrix_appservice_irc_ircService_mediaProxy_publicUrl | to_json }}
 
 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.
@@ -122,9 +152,14 @@ advanced:
   # however for large bridges it is important to rate limit the bridge to avoid
   # accidentally overloading the homeserver. Defaults to 1000, which should be
   # enough for the vast majority of use cases.
+  # This key CAN be hot-reloaded
   maxHttpSockets: 1000
+  # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb
+  # This key CANNOT be hot-reloaded.
+  maxTxnSize: 10000000
 
 # Use an external database to store bridge state.
+# This key CANNOT be hot-reloaded.
 database:
   # database engine (must be 'postgres' or 'nedb'). Default: nedb
   engine: {{ matrix_appservice_irc_database_engine|to_json }}

roles/custom/matrix-bridge-appservice-irc/templates/labels.j2

@@ -0,0 +1,63 @@
+{#
+SPDX-FileCopyrightText: 2025 Jade Ellis
+SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
+SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %}
+traefik.enable=true
+
+{% if matrix_appservice_irc_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_ircService_mediaProxy_bindPort }}
+
+############################################################
+#                                                          #
+# IRC Bridge Media Proxy                                   #
+#                                                          #
+############################################################
+
+{% set middlewares = [] %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }}
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.regex=({{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-appservice-irc-media-proxy-strip-prefix.stripprefix.prefixes={{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-strip-prefix'] %}
+{% endif %}
+
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy
+traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }}
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /IRC Bridge Media Proxy                                  #
+#                                                          #
+############################################################
+{% endif %}
+
+{{ matrix_appservice_irc_container_labels_additional_labels }}

roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2

@@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% if matrix_appservice_irc_container_http_host_bind_port %}
 			-p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \
 			{% endif %}
+			{% if matrix_appservice_irc_container_media_proxy_host_bind_port %}
+			-p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_ircService_mediaProxy_bindPort }} \
+			{% endif %}
 			--mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \
+			--label-file={{ matrix_appservice_irc_base_path }}/labels \
 			{% for arg in matrix_appservice_irc_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 7.2.0
+matrix_hookshot_version: 7.3.1
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -72,8 +72,9 @@ matrix_hookshot_cache_redisUri: "{{ ('redis://' + matrix_hookshot_cache_redis_ho
 # Controls whether the end-to-bridge encryption support is enabled.
 # This requires that:
 # - support to also be enabled in the homeserver, see the documentation of Hookshot.
-# - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables.
+# - Hookshot to be pointed at a Redis instance via the `matrix_hookshot_cache_redis*` variables. Note that this is configured automatically by the playbook when encryption is enabled.
 # See: https://matrix-org.github.io/matrix-hookshot/latest/advanced/encryption.html
+# NOTE: Encryption is not currently (2025-12-30) supported when using MAS (https://github.com/matrix-org/matrix-hookshot/issues/1084)
 matrix_hookshot_encryption_enabled: "{{ matrix_bridges_encryption_enabled }}"
 
 # Controls whether metrics are enabled in the bridge configuration.
@@ -241,6 +242,18 @@ matrix_hookshot_widgets_branding_widgetTitle: "Hookshot Configuration"   # noqa
 #         level: admin
 matrix_hookshot_permissions: []
 
+# Static connections that can be configured by an administrator, as documented here:
+# https://matrix-org.github.io/matrix-hookshot/latest/usage/static_connections.html
+# Currently only generic webhooks are supported.
+# Example:
+# matrix_hookshot_connections:
+#   - connectionType: uk.half-shot.matrix-hookshot.generic.hook
+#     stateKey: my-unique-webhook-id
+#     roomId: "!room-id"
+#     state:
+#       name: My Static Webhook
+matrix_hookshot_connections: []
+
 matrix_hookshot_bot_displayname: Hookshot Bot
 matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d'
 

roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2

@@ -137,6 +137,7 @@ widgets:
 {% if matrix_hookshot_permissions %}
 permissions: {{ matrix_hookshot_permissions | to_json }}
 {% endif %}
+connections: {{ matrix_hookshot_connections | to_json }}
 listeners:
   # (Optional) HTTP Listener configuration.
   # Bind resource endpoints to ports and addresses.

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.2511.0
+matrix_mautrix_gmessages_version: v0.2601.0
 
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.2512.0
+matrix_mautrix_signal_version: v0.2601.0
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2512.0
+matrix_mautrix_whatsapp_version: v0.2601.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

roles/custom/matrix-bridge-steam/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_steam_bridge_container_image_self_build_repo: "https://github.com/jasonla
 matrix_steam_bridge_container_image_self_build_repo_version: "{{ 'main' if matrix_steam_bridge_version == 'latest' else matrix_steam_bridge_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/jasonlaguidice/matrix-steam-bridge
-matrix_steam_bridge_version: 1.0.8
+matrix_steam_bridge_version: 1.1.0
 matrix_steam_bridge_docker_image: "{{ matrix_steam_bridge_docker_image_registry_prefix }}jasonlaguidice/matrix-steam-bridge:{{ matrix_steam_bridge_version }}"
 matrix_steam_bridge_docker_image_registry_prefix: "{{ 'localhost/' if matrix_steam_bridge_container_image_self_build else matrix_steam_bridge_docker_image_registry_prefix_upstream }}"
 matrix_steam_bridge_docker_image_registry_prefix_upstream: "{{ matrix_steam_bridge_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.7
+matrix_client_element_version: v1.12.9
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.3.0
+matrix_client_fluffychat_version: v2.4.0
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-conduit/defaults/main.yml

@@ -19,7 +19,7 @@ matrix_conduit_docker_image_registry_prefix: "{{ matrix_conduit_docker_image_reg
 matrix_conduit_docker_image_registry_prefix_upstream: "{{ matrix_conduit_docker_image_registry_prefix_upstream_default }}"
 matrix_conduit_docker_image_registry_prefix_upstream_default: docker.io/
 # renovate: datasource=docker depName=matrixconduit/matrix-conduit
-matrix_conduit_docker_image_tag: "v0.10.9"
+matrix_conduit_docker_image_tag: "v0.10.11"
 matrix_conduit_docker_image_force_pull: "{{ matrix_conduit_docker_image.endswith(':latest') }}"
 
 matrix_conduit_base_path: "{{ matrix_base_data_path }}/conduit"

roles/custom/matrix-coturn/defaults/main.yml

@@ -18,13 +18,15 @@
 
 matrix_coturn_enabled: true
 
+matrix_coturn_hostname: ""
+
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 
-# renovate: datasource=docker depName=coturn/coturn
+# renovate: datasource=docker depName=coturn/coturn versioning=loose
-matrix_coturn_version: 4.6.2-r11
+matrix_coturn_version: 4.8.0
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
 matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
@@ -111,6 +113,9 @@ matrix_coturn_container_turn_range_listen_interface: "{{ '' if matrix_coturn_con
 matrix_coturn_turn_udp_min_port: 49152
 matrix_coturn_turn_udp_max_port: 49172
 
+# Controls the `realm` configuration option
+matrix_coturn_realm: "turn.{{ matrix_coturn_hostname }}"
+
 # Controls which authentication method to enable.
 #
 # lt-cred-mech likely provides better compatibility,
@@ -134,7 +139,7 @@ matrix_coturn_lt_cred_mech_password: ""
 # The external IP address of the machine where coturn is.
 # If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
 # See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
-matrix_coturn_turn_external_ip_address: ''
+matrix_coturn_turn_external_ip_address: ""
 matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
 
 # Controls whether external IP address auto-detection should be attempted.
@@ -213,7 +218,7 @@ matrix_coturn_response_origin_only_with_rfc5780_enabled: true
 #   simple-log
 #   aux-server=1.2.3.4
 #   relay-ip=4.3.2.1
-matrix_coturn_additional_configuration: ''
+matrix_coturn_additional_configuration: ""
 
 # To enable TLS, you need to provide paths to certificates.
 # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.

roles/custom/matrix-coturn/tasks/validate_config.yml

@@ -29,6 +29,7 @@
       You need to define a required configuration setting (`{{ item.name }}`).
   when: "item.when | bool and lookup('vars', item.name, default='') | string | length == 0"
   with_items:
+    - {'name': 'matrix_coturn_hostname', when: true}
     - {'name': 'matrix_coturn_turn_static_auth_secret', when: "{{ matrix_coturn_authentication_method == 'auth-secret' }}"}
     - {'name': 'matrix_coturn_lt_cred_mech_username', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}
     - {'name': 'matrix_coturn_lt_cred_mech_password', when: "{{ matrix_coturn_authentication_method == 'lt-cred-mech' }}"}

roles/custom/matrix-coturn/templates/turnserver.conf.j2

@@ -11,7 +11,7 @@ lt-cred-mech
 user={{ matrix_coturn_lt_cred_mech_username }}:{{ matrix_coturn_lt_cred_mech_password }}
 {% endif %}
 
-realm=turn.{{ matrix_server_fqn_matrix }}
+realm={{ matrix_coturn_realm }}
 
 min-port={{ matrix_coturn_turn_udp_min_port }}
 max-port={{ matrix_coturn_turn_udp_max_port }}

roles/custom/matrix-coturn/vars/main.yml

@@ -7,15 +7,15 @@
 matrix_coturn_turn_uris: |-
   {{
     ([
-      'turns:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turns:' + matrix_coturn_hostname + '?transport=udp',
-      'turns:' + matrix_server_fqn_matrix + '?transport=tcp',
+      'turns:' + matrix_coturn_hostname + '?transport=tcp',
     ] if matrix_coturn_tls_enabled else [])
     +
     ([
-      'turn:' + matrix_server_fqn_matrix + '?transport=udp',
+      'turn:' + matrix_coturn_hostname + '?transport=udp',
     ] if (matrix_coturn_container_stun_plain_host_bind_port_udp != '' or matrix_coturn_container_network == 'host')  else [])
     +
     ([
-      'turn:' + matrix_server_fqn_matrix + '?transport=tcp',
+      'turn:' + matrix_coturn_hostname + '?transport=tcp',
     ] if (matrix_coturn_container_stun_plain_host_bind_port_tcp != '' or matrix_coturn_container_network == 'host')  else [])
   }}

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.4.0
+matrix_livekit_jwt_service_version: 0.4.1
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"

roles/custom/matrix-media-repo/defaults/main.yml

@@ -895,13 +895,7 @@ matrix_media_repo_redis_database_number: 0
 
 # The Redis shards that should be used by the media repo in the ring. The names of the
 # shards are for your reference and have no bearing on the connection, but must be unique.
-matrix_media_repo_redis_shards:
+matrix_media_repo_redis_shards: []
-  - name: "server1"
-    addr: ":7000"
-  - name: "server2"
-    addr: ":7001"
-  - name: "server3"
-    addr: ":7002"
 
 # Optional sentry (https://sentry.io/) configuration for the media repo
 

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke50
+matrix_synapse_admin_version: v0.11.1-etke52
 matrix_synapse_admin_docker_image: "{{ matrix_synapse_admin_docker_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_docker_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_docker_image_registry_prefix_upstream }}"
 matrix_synapse_admin_docker_image_registry_prefix_upstream: "{{ matrix_synapse_admin_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.144.0
+matrix_synapse_version: v1.146.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -128,6 +128,8 @@ matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
 matrix_synapse_ext_s3_storage_provider_base_path: "{{ matrix_synapse_base_path }}/ext/s3-storage-provider"
 matrix_synapse_ext_s3_storage_provider_bin_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/bin"
 matrix_synapse_ext_s3_storage_provider_data_path: "{{ matrix_synapse_ext_s3_storage_provider_base_path }}/data"
+# extra arguments to pass to s3-storage-provider script when starting Synapse container
+matrix_synapse_ext_s3_storage_provider_container_arguments: []
 
 matrix_synapse_container_client_api_port: 8008
 
@@ -1090,6 +1092,11 @@ matrix_synapse_workers_media_repository_workers_container_arguments: []
 # Adjusting this value manually is generally not necessary.
 matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}"
 
+# matrix_synapse_enable_local_media_storage controls whether the local on-disk media storage provider is enabled in Synapse.
+# When disabled, media is stored only in configured `media_storage_providers` and temporary files are used for processing (no local caching).
+# Warning: If this option is set to false and no `media_storage_providers` are configured, all media requests will return 404 errors as there will be no storage backend available.
+matrix_synapse_enable_local_media_storage: true
+
 # matrix_synapse_enable_authenticated_media controls if authenticated media is enabled.
 # If enabled all "old" media remains accessible over the legacy endpoints but new media is blocked.
 # while this option is enabled all media access and downloads have to be done via authenticated endpoints.

roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/bin/migrate.j2

@@ -11,6 +11,9 @@ container_id=$(\
 	--workdir=/data \
 	--network={{ matrix_synapse_container_network }} \
 	--entrypoint=/bin/bash \
+	{% for arg in matrix_synapse_ext_s3_storage_provider_container_arguments %}
+	{{ arg }} \
+	{% endfor %}
 	{{ matrix_synapse_docker_image_final }} \
 	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}--sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY{% endif %}' \
 )

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1035,11 +1035,15 @@ federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_
 #enable_media_repo: false
 enable_media_repo: {{ matrix_synapse_enable_media_repo | to_json }}
 
+# Enable the local on-disk media storage provider.
+# When disabled, media is stored only in configured media_storage_providers and temporary files are used for processing (no local caching).
+# Warning: If this option is set to false and no media_storage_providers are configured, all media requests will return 404 errors as there will be no storage backend available.
+enable_local_media_storage: {{ matrix_synapse_enable_local_media_storage | to_json }}
+
 # Enable authenticated media.
 # enable_authenticated_media blocks access to new media from the legacy endpoints
 # and freezes the unauthenticated media repo by blocking all downloads that are not using
 # the new authenticated endpoints. If this option is turned off all media reverts to being considered "old"
-
 enable_authenticated_media: {{ matrix_synapse_enable_authenticated_media | to_json }}
 
 # Directory where uploaded images and attachments are stored.

roles/custom/matrix-synapse/vars/main.yml

@@ -200,12 +200,13 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(r0|v3|unstable)/notifications$
 
   # Encryption requests
-  # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri`
   - ^/_matrix/client/(r0|v3|unstable)/keys/query$
   - ^/_matrix/client/(r0|v3|unstable)/keys/changes$
   - ^/_matrix/client/(r0|v3|unstable)/keys/claim$
   - ^/_matrix/client/(r0|v3|unstable)/room_keys/
-  - ^/_matrix/client/(r0|v3|unstable)/keys/upload/
+  - ^/_matrix/client/(r0|v3|unstable)/keys/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
@@ -223,6 +224,12 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/
 
+  # Unstable MSC4140 support
+  - ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$
+
+  # Admin API requests
+  - ^/_synapse/admin/v2/users/[^/]+$
+
   # Start of intentionally-ignored-endpoints
   #
   # We ignore these below, because they're better sent to dedicated workers (various stream writers).