Update matrix-appservice-irc to 4.0.0 with authenticated media proxy support

- Upgrade from 1.0.1 to 4.0.0
- Add ircService.mediaProxy configuration for authenticated Matrix media
- Add Traefik integration for media proxy endpoint
- Generate signing key for authenticated media

Closes #3512

Co-authored-by: Jade Ellis <jade@ellis.link>
Co-authored-by: Slavi Pantaleev <slavi@devture.com>

.github/workflows/matrix.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v26.1.0
+        uses: ansible/ansible-lint@v26.1.1
         with:
           args: "roles/custom"
           setup_python: "true"

group_vars/matrix_servers

@@ -843,6 +843,8 @@ matrix_appservice_irc_container_additional_networks_auto: |-
       ([] if matrix_addons_homeserver_container_network == '' else [matrix_addons_homeserver_container_network])
       +
       ([postgres_container_network] if (postgres_enabled and matrix_appservice_irc_database_hostname == postgres_connection_hostname and matrix_appservice_irc_container_network != postgres_container_network) else [])
+      +
+      [matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_appservice_irc_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network) else []
     ) | unique
   }}
 
@@ -860,6 +862,13 @@ matrix_appservice_irc_database_hostname: "{{ postgres_connection_hostname if pos
 matrix_appservice_irc_database_password: "{{ '%s' | format(matrix_homeserver_generic_secret_key) | password_hash('sha512', 'as.irc.db', rounds=655555) | to_uuid }}"
 matrix_appservice_irc_database_container_network: "{{ postgres_container_network if postgres_enabled else '' }}"
 
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: "{{ 'https' if matrix_playbook_ssl_enabled else 'http' }}"  # noqa var-naming
+
+matrix_appservice_irc_container_labels_traefik_enabled: "{{ matrix_playbook_reverse_proxy_type in ['playbook-managed-traefik', 'other-traefik-container'] }}"
+matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_playbook_reverse_proxyable_services_additional_network }}"
+matrix_appservice_irc_container_labels_traefik_entrypoints: "{{ traefik_entrypoint_primary }}"
+matrix_appservice_irc_container_labels_traefik_tls_certResolver: "{{ traefik_certResolver_primary }}"  # noqa var-naming
+
 ######################################################################
 #
 # /matrix-bridge-appservice-irc
@@ -3648,6 +3657,8 @@ matrix_media_repo_container_additional_networks: |
       ([postgres_container_network] if (postgres_enabled and matrix_media_repo_database_hostname == postgres_connection_hostname and postgres_container_network != matrix_media_repo_container_network) else [])
       +
       ([matrix_playbook_reverse_proxyable_services_additional_network] if (matrix_playbook_reverse_proxyable_services_additional_network and matrix_media_repo_container_labels_traefik_enabled) else [])
+      +
+      ([valkey_container_network] if valkey_enabled and matrix_media_repo_redis_enabled else [])
     ) | unique
   }}
 
@@ -3713,6 +3724,21 @@ matrix_media_repo_homeservers_auto:
 
 matrix_media_repo_homeserver_federation_enabled: "{{ matrix_homeserver_federation_enabled }}"
 
+matrix_media_repo_redis_enabled: "{{ valkey_enabled }}"
+
+# Use next redis index since Synapse is on 0. You can chose between index 0 and 15.
+matrix_media_repo_redis_database_number: 1
+
+matrix_media_repo_redis_shards: |
+  {{
+    ([{
+          'name': 'valkey',
+          'addr': (valkey_identifier + ':' + valkey_container_http_port | string),
+    }])
+    if valkey_enabled and matrix_media_repo_redis_enabled
+    else []
+  }}
+
 ######################################################################
 #
 # /matrix-media-repo
@@ -5838,20 +5864,6 @@ traefik_gid: "{{ matrix_user_gid }}"
 # This override (for the `web` entrypoint) also cascades to overriding the `web-secure` entrypoint and the `matrix-federation` entrypoint.
 traefik_config_entrypoint_web_transport_respondingTimeouts_readTimeout: 300s
 
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes (e.g., in room keys URLs) and encoded hashes (e.g., in room directory URLs).
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-traefik_config_entrypoint_web_secure_http_encodedCharacters_enabled: true
-traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedSlash: true
-traefik_config_entrypoint_web_secure_http_encodedCharacters_allowEncodedHash: true
-# Doing the same for the `web` entrypoint, for people who disable SSL for the playbook
-# and actually go through this entrypoint.
-traefik_config_entrypoint_web_http_encodedCharacters_enabled: "{{ not matrix_playbook_ssl_enabled }}"
-traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedSlash: "{{ not matrix_playbook_ssl_enabled }}"
-traefik_config_entrypoint_web_http_encodedCharacters_allowEncodedHash: "{{ not matrix_playbook_ssl_enabled }}"
-
 traefik_additional_entrypoints_auto: |
   {{
     ([matrix_playbook_public_matrix_federation_api_traefik_entrypoint_definition] if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_enabled else [])

i18n/requirements.txt

@@ -12,12 +12,12 @@ markdown-it-py==4.0.0
 MarkupSafe==3.0.3
 mdit-py-plugins==0.5.0
 mdurl==0.1.2
-myst-parser==4.0.1
+myst-parser==5.0.0
-packaging==25.0
+packaging==26.0
 Pygments==2.19.2
 PyYAML==6.0.3
 requests==2.32.5
-setuptools==80.9.0
+setuptools==80.10.2
 snowballstemmer==3.0.1
 Sphinx==9.1.0
 sphinx-intl==2.3.2

requirements.yml

@@ -4,34 +4,34 @@
   version: v1.0.0-6
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.3-2.0.13-0
+  version: v1.4.3-2.1.1-0
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.4.2-1
   name: container_socket_proxy
 - src: git+https://github.com/geerlingguy/ansible-role-docker
-  version: 7.9.0
+  version: 8.0.0
   name: docker
 - src: git+https://github.com/devture/com.devture.ansible.role.docker_sdk_for_python.git
   version: 542a2d68db4e9a8e9bb4b508052760b900c7dce6
   name: docker_sdk_for_python
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-etherpad.git
-  version: v2.6.0-1
+  version: v2.6.1-0
   name: etherpad
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-exim-relay.git
   version: v4.98.1-r0-2-2
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-5
+  version: v11.6.5-6
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10655-0
+  version: v10710-0
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
-  version: v1.9.10-0
+  version: v1.9.11-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.15.0-0
+  version: v2.16.0-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 8630e4f1749bcb659c412820f754473f09055052
@@ -52,10 +52,10 @@
   version: v3.9.1-0
   name: prometheus
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-node-exporter.git
-  version: v1.9.1-12
+  version: v1.9.1-13
   name: prometheus_node_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-prometheus-postgres-exporter.git
-  version: v0.18.1-1
+  version: v0.18.1-2
   name: prometheus_postgres_exporter
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.4.1-0
@@ -67,7 +67,7 @@
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.6-0
+  version: v3.6.7-1
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-4

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2025.12.24
+matrix_alertmanager_receiver_version: 2026.1.21
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.8.0
+matrix_authentication_service_version: 1.10.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"

roles/custom/matrix-base/defaults/main.yml

@@ -321,13 +321,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port: "{{ matrix
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port: "{{ matrix_federation_public_port }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_host_bind_port_udp: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort if matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled else '' }}"
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config: "{{ (matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_custom, recursive=True) }}"
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
-# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true  # noqa: var-naming[pattern]
-matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true  # noqa: var-naming[pattern]
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_enabled: true
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http3_advertisedPort: "{{ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_port }}"  # noqa var-naming
 matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_transport_respondingTimeouts_readTimeout: "{{ traefik_config_entrypoint_web_secure_transport_respondingTimeouts_readTimeout }}"  # noqa var-naming
@@ -337,19 +330,6 @@ matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_default:
   {{
     {}
 
-    | combine(
-      (
-        {
-          'http': {
-            'encodedCharacters': {
-              'allowEncodedSlash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
-              'allowEncodedHash': matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
-            }
-          }
-        }
-      )
-    )
-
     | combine(
       (
         (
@@ -412,30 +392,7 @@ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name: matrix-inter
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_port: 8008
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_host_bind_port: ''
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config: "{{ (matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto)) | combine(matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom, recursive=True) }}"
-# Traefik v3.6.3+ blocks encoded characters in request paths by default for security.
+matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: {}
-# Matrix API endpoints require encoded slashes and hashes in endpoints containing room IDs, room aliases, etc.
-# Ref:
-# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/4798
-# - https://doc.traefik.io/traefik/migrate/v3/#v364
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash: true  # noqa: var-naming[pattern]
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash: true  # noqa: var-naming[pattern]
-matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_default: |
-  {{
-    {}
-
-    | combine(
-      (
-        {
-          'http': {
-            'encodedCharacters': {
-              'allowEncodedSlash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash,
-              'allowEncodedHash': matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash,
-            }
-          }
-        }
-      )
-    )
-  }}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_auto: {}
 matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_custom: {}
 

roles/custom/matrix-base/tasks/validate_config.yml

@@ -36,6 +36,11 @@
     - {'old': 'matrix_container_global_registry_prefix', 'new': '<no global variable anymore; you need to override the `_registry_prefix` variable in each component separately>'}
     - {'old': 'matrix_user_username', 'new': 'matrix_user_name'}
     - {'old': 'matrix_user_groupname', 'new': 'matrix_group_name'}
+    - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
+    - {'old': 'matrix_playbook_public_matrix_federation_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
+    - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedSlash', 'new': '<removed>'}
+    - {'old': 'matrix_playbook_internal_matrix_client_api_traefik_entrypoint_config_http_encodedCharacters_allowEncodedHash', 'new': '<removed>'}
+
 
 # We have a dedicated check for this variable, because we'd like to have a custom (friendlier) message.
 - name: Fail if matrix_homeserver_generic_secret_key is undefined

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_bot_baibot_container_repo_version: "{{ 'main' if matrix_bot_baibot_versio
 matrix_bot_baibot_container_src_files_path: "{{ matrix_base_data_path }}/baibot/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/baibot
-matrix_bot_baibot_version: v1.12.0
+matrix_bot_baibot_version: v1.13.0
 matrix_bot_baibot_container_image: "{{ matrix_bot_baibot_container_image_registry_prefix }}etkecc/baibot:{{ matrix_bot_baibot_version }}"
 matrix_bot_baibot_container_image_registry_prefix: "{{ 'localhost/' if matrix_bot_baibot_container_image_self_build else matrix_bot_baibot_container_image_registry_prefix_upstream }}"
 matrix_bot_baibot_container_image_registry_prefix_upstream: "{{ matrix_bot_baibot_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-bridge-appservice-irc/defaults/main.yml

@@ -8,7 +8,7 @@
 # SPDX-FileCopyrightText: 2019 Lyubomir Popov
 # SPDX-FileCopyrightText: 2019 Sylvia van Os
 # SPDX-FileCopyrightText: 2020 John Goerzen
-# SPDX-FileCopyrightText: 2021 - 2023 Thom Wiggers
+# SPDX-FileCopyrightText: 2021 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2021 Ahmad Haghighi
 # SPDX-FileCopyrightText: 2021 Joseph Walton-Rivers
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -33,7 +33,7 @@ matrix_appservice_irc_docker_src_files_path: "{{ matrix_base_data_path }}/appser
 # matrix_appservice_irc_version used to contain the full Docker image tag (e.g. `release-X.X.X`).
 # It's a bare version number now. We try to somewhat retain compatibility below.
 # renovate: datasource=docker depName=docker.io/matrixdotorg/matrix-appservice-irc
-matrix_appservice_irc_version: 1.0.1
+matrix_appservice_irc_version: 4.0.0
 matrix_appservice_irc_docker_image: "{{ matrix_appservice_irc_docker_image_registry_prefix }}matrixdotorg/matrix-appservice-irc:{{ matrix_appservice_irc_docker_image_tag }}"
 matrix_appservice_irc_docker_image_registry_prefix: "{{ 'localhost/' if matrix_appservice_irc_container_image_self_build else matrix_appservice_irc_docker_image_registry_prefix_upstream }}"
 matrix_appservice_irc_docker_image_registry_prefix_upstream: "{{ matrix_appservice_irc_docker_image_registry_prefix_upstream_default }}"
@@ -46,8 +46,15 @@ matrix_appservice_irc_config_path: "{{ matrix_appservice_irc_base_path }}/config
 matrix_appservice_irc_data_path: "{{ matrix_appservice_irc_base_path }}/data"
 
 matrix_appservice_irc_homeserver_url: ""
-matrix_appservice_irc_homeserver_media_url: '{{ matrix_homeserver_url }}'
 matrix_appservice_irc_homeserver_domain: '{{ matrix_domain }}'
+
+# ircService.mediaProxy configuration for serving publicly accessible URLs to authenticated Matrix media
+matrix_appservice_irc_ircService_mediaProxy_bindPort: 11111  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme: https  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname: '{{ matrix_server_fqn_matrix }}'  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix: '/irc/'  # noqa var-naming
+matrix_appservice_irc_ircService_mediaProxy_publicUrl: "{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_scheme }}://{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}"  # noqa var-naming
+
 matrix_appservice_irc_homeserver_enablePresence: true  # noqa var-naming
 matrix_appservice_irc_appservice_address: 'http://matrix-appservice-irc:9999'
 
@@ -89,20 +96,25 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # It is also used in the Third Party Lookup API as the instance `desc`
 #     # property, where each server is an instance.
 #     name: "ExampleNet"
-
+#     # Additional addresses to connect to, used for load balancing between IRCDs.
 #     additionalAddresses: [ "irc2.example.com" ]
+#     # Typically additionalAddresses would be in addition to the address key given above,
+#     # but some configurations wish to exclusively use additional addresses while reserving
+#     # the top key for identification purposes. Set this to true to exclusively use the
+#     # additionalAddresses array when connecting to servers.
+#     onlyAdditionalAddresses: false
 #     #
 #     # [DEPRECATED] Use `name`, above, instead.
 #     # A human-readable description string
 #     # description: "Example.com IRC network"
-
+#
 #     # An ID for uniquely identifying this server amongst other servers being bridged.
 #     # networkId: "example"
-
+#
-#     # URL to an icon used as the network icon whenever this network appear in
+#     # MXC URL to an icon used as the network icon whenever this network appear in
-#     # a network list. (Like in the Riot room directory, for instance.)
+#     # a network list. (Like in the Element room directory, for instance.)
-#     # icon: https://example.com/images/hash.png
+#     # icon: mxc://matrix.org/LpsSLrbANVrEIEOgEaVteItf
-
+#
 #     # The port to connect to. Optional.
 #     port: 6697
 #     # Whether to use SSL or not. Default: false.
@@ -115,19 +127,26 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #     # Whether to allow expired certs when connecting to the IRC server.
 #     # Usually this should be off. Default: false.
 #     allowExpiredCerts: false
-#     # A specific CA to trust instead of the default CAs. Optional.
+#
-#     #ca: |
+#     # Set additional TLS options for the connections to the IRC server.
-#     #  -----BEGIN CERTIFICATE-----
+#     #tlsOptions:
-#     #  …
+#       # A specific CA to trust instead of the default CAs. Optional.
-#     #  -----END CERTIFICATE-----
+#       #ca: |
-
+#       #  -----BEGIN CERTIFICATE-----
+#       #  ...
+#       #  -----END CERTIFICATE-----
+#       # Server name for the SNI (Server Name Indication) TLS extension. If the address you
+#       # are using does not report the correct certificate name, you can override it here.
+#       # servername: real.server.name
+#       # ...or any options in https://nodejs.org/api/tls.html#tls_tls_connect_options_callback
+#
 #     #
 #     # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional.
 #     # password: 'pa$$w0rd'
 #     #
 #     # Whether or not to send connection/error notices to real Matrix users. Default: true.
 #     sendConnectionMessages: true
-
+#
 #     quitDebounce:
 #       # Whether parts due to net-splits are debounced for delayMs, to allow
 #       # time for the netsplit to resolve itself. A netsplit is detected as being
@@ -147,13 +166,13 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       delayMinMs: 3600000 # 1h
 #       # Default: 7200000, = 2h
 #       delayMaxMs: 7200000 # 2h
-
+#
 #     # A map for conversion of IRC user modes to Matrix power levels. This enables bridging
 #     # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has
 #     # been given multiple modes, the one that maps to the highest power level will be used.
 #     modePowerMap:
 #       o: 50
-
+#       v: 1
 #     botConfig:
 #       # Enable the presence of the bot in IRC channels. The bot serves as the entity
 #       # which maps from IRC -> Matrix. You can disable the bot entirely which
@@ -176,6 +195,8 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       enabled: true
 #       # The nickname to give the AS bot.
 #       nick: "MatrixBot"
+#       # The username to give to the AS bot. Defaults to "matrixbot"
+#       username: "matrixbot"
 #       # The password to give to NickServ or IRC Server for this nick. Optional.
 #       # password: "helloworld"
 #       #
@@ -184,7 +205,7 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # real Matrix users in them, even if there is a mapping for the channel.
 #       # Default: true
 #       joinChannelsIfNoUsers: true
-
+#
 #     # Configuration for PMs / private 1:1 communications between users.
 #     privateMessages:
 #       # Enable the ability for PMs to be sent to/from IRC/Matrix.
@@ -193,12 +214,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent Matrix users from sending PMs to the following IRC nicks.
 #       # Optional. Default: [].
 #       # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED
-
+#
 #       # Should created Matrix PM rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Optional. Default: true.
 #       federate: true
-
+#
 #     # Configuration for mappings not explicitly listed in the 'mappings'
 #     # section.
 #     dynamicChannels:
@@ -212,27 +233,34 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Should the AS publish the new Matrix room to the public room list so
 #       # anyone can see it? Default: true.
 #       published: true
+#       # Publish the rooms to the homeserver directory, as oppose to the appservice
+#       # room directory. Only used if `published` is on.
+#       # Default: false
+#       useHomeserverDirectory: true
 #       # What should the join_rule be for the new Matrix room? If 'public',
 #       # anyone can join the room. If 'invite', only users with an invite can
 #       # join the room. Note that if an IRC channel has +k or +i set on it,
 #       # join_rules will be set to 'invite' until these modes are removed.
 #       # Default: "public".
 #       joinRule: public
-#       # This will set the m.room.related_groups state event in newly created rooms
-#       # with the given groupId. This means flares will show up on IRC users in those rooms.
-#       # This should be set to the same thing as namespaces.users.group_id in irc_registration.
-#       # This does not alter existing rooms.
-#       # Leaving this option empty will not set the event.
-#       groupId: +myircnetwork:localhost
 #       # Should created Matrix rooms be federated? If false, only users on the
 #       # HS attached to this AS will be able to interact with this room.
 #       # Default: true.
 #       federate: true
+#       # Force this room version when creating IRC channels. Beware if the homeserver doesn't
+#       # support the room version then the request will fail. By default, no version is requested.
+#       # roomVersion: "1"
 #       # The room alias template to apply when creating new aliases. This only
 #       # applies if createAlias is 'true'. The following variables are exposed:
 #       # $SERVER => The IRC server address (e.g. "irc.example.com")
 #       # $CHANNEL => The IRC channel (e.g. "#python")
 #       # This MUST have $CHANNEL somewhere in it.
+#       #
+#       # In certain circumstances you might want to bridge your whole IRC network as a
+#       # homeserver (e.g. #matrix:libera.chat). For these use cases, you can set the
+#       # template to just be $CHANNEL. Doing so will preclude you from supporting
+#       # other prefix characters though.
+#       #
 #       # Default: '#irc_$SERVER_$CHANNEL'
 #       aliasTemplate: "#irc_$CHANNEL"
 #       # A list of user IDs which the AS bot will send invites to in response
@@ -244,7 +272,11 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # Prevent the given list of channels from being mapped under any
 #       # circumstances.
 #       # exclude: ["#foo", "#bar"]
-
+#
+#     # excludedUsers:
+#     #   - regex: "@.*:evilcorp.com"
+#     #     kickReason: "We don't like Evilcorp"
+#
 #     # Configuration for controlling how Matrix and IRC membership lists are
 #     # synced.
 #     membershipLists:
@@ -253,12 +285,12 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # synced. This must be enabled for anything else in this section to take
 #       # effect. Default: false.
 #       enabled: false
-
+#
 #       # Syncing membership lists at startup can result in hundreds of members to
 #       # process all at once. This timer drip feeds membership entries at the
 #       # specified rate. Default: 10000. (10s)
 #       floodDelayMs: 10000
-
+#
 #       global:
 #         ircToMatrix:
 #           # Get a snapshot of all real IRC users on a channel (via NAMES) and
@@ -267,7 +299,14 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # Make virtual Matrix clients join and leave rooms as their real IRC
 #           # counterparts join/part channels. Default: false.
 #           incremental: false
-
+#           # Should the bridge check if all Matrix users are connected to IRC and
+#           # joined to the channel before relaying messages into the room.
+#           #
+#           # This is considered a safety net to avoid any leakages by the bridge to
+#           # unconnected users, but given it ignores all IRC messages while users
+#           # are still connecting it may be overkill.
+#           requireMatrixJoined: false
+#
 #         matrixToIrc:
 #           # Get a snapshot of all real Matrix users in the room and join all of
 #           # them to the mapped IRC channel on startup. Default: false.
@@ -276,21 +315,32 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #           # counterparts join/leave rooms. Make sure your 'maxClients' value is
 #           # high enough! Default: false.
 #           incremental: false
-
+#
 #       # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect.
 #       rooms:
 #         - room: "!qporfwt:localhost"
 #           matrixToIrc:
 #             initial: false
 #             incremental: false
-
+#
 #       # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect.
 #       channels:
 #         - channel: "#foo"
 #           ircToMatrix:
 #             initial: false
 #             incremental: false
-
+#             requireMatrixJoined: false
+#
+#       # Should the bridge ignore users which are not considered active on the bridge
+#       # during startup
+#       ignoreIdleUsersOnStartup:
+#         enabled: true
+#         # How many hours can a user be considered idle for before they are considered
+#         # ignoreable
+#         idleForHours: 720
+#         # A regex which will exclude matching MXIDs from this check.
+#         exclude: "foobar"
+#
 #     mappings:
 #       # 1:many mappings from IRC channels to room IDs on this IRC server.
 #       # The Matrix room must already exist. Your Matrix client should expose
@@ -300,27 +350,27 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # Channel key/password to use. Optional. If provided, Matrix users do
 #         # not need to know the channel key in order to join the channel.
 #         # key: "secret"
-
+#
 #     # Configuration for virtual Matrix users. The following variables are
 #     # exposed:
 #     # $NICK => The IRC nick
 #     # $SERVER => The IRC server address (e.g. "irc.example.com")
 #     matrixClients:
 #       # The user ID template to use when creating virtual Matrix users. This
-#       # MUST have $NICK somewhere in it.
+#       # MUST start with an @ and have $NICK somewhere in it.
 #       # Optional. Default: "@$SERVER_$NICK".
 #       # Example: "@irc.example.com_Alice:example.com"
 #       userTemplate: "@irc_$NICK"
 #       # The display name to use for created Matrix clients. This should have
 #       # $NICK somewhere in it if it is specified. Can also use $SERVER to
 #       # insert the IRC domain.
-#       # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)"
+#       # Optional. Default: "$NICK". Example: "Alice"
-#       displayName: "$NICK (IRC)"
+#       displayName: "$NICK"
 #       # Number of tries a client can attempt to join a room before the request
 #       # is discarded. You can also use -1 to never retry or 0 to never give up.
 #       # Optional. Default: -1
 #       joinAttempts: -1
-
+#
 #     # Configuration for virtual IRC users. The following variables are exposed:
 #     # $LOCALPART => The user ID localpart ("alice" in @alice:localhost)
 #     # $USERID => The user ID
@@ -349,9 +399,20 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #         # connected user. If not specified, all users will connect from the same
 #         # (default) address. This may require additional OS-specific work to allow
 #         # for the node process to bind to multiple different source addresses
-#         # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library
+#         # Linux kernels 4.3+ support sysctl net.ipv6.ip_nonlocal_bind=1
+#         # Older kernels will need IP_FREEBIND, which requires an LD_PRELOAD with the library
 #         # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt.
 #         # prefix: "2001:0db8:85a3::"  # modify appropriately
+#
+#         # Optional. Define blocks of IPv6 addresses for different homeservers
+#         # which can be used to restrict users of those homeservers to a given
+#         # IP. These blocks should be considered immutable once set, as changing
+#         # the startFrom value will NOT adjust existing IP addresses.
+#         # Changing the startFrom value to a lower value may conflict with existing clients.
+#         # Multiple homeservers may NOT share blocks.
+#         blocks:
+#           - homeserver: another-server.org
+#             startFrom: '10:0000'
 #       #
 #       # The maximum amount of time in seconds that the client can exist
 #       # without sending another message before being disconnected. Use 0 to
@@ -388,12 +449,36 @@ matrix_appservice_irc_ircService_servers: []  # noqa var-naming
 #       # through the bridge e.g. caller ID as there is no way to /ACCEPT.
 #       # Default: "" (no user modes)
 #       # userModes: "R"
+#       # The format of the realname defined for users, either mxid or reverse-mxid
+#       realnameFormat: "mxid"
+#       # The minimum time to wait between connection attempts if we were disconnected
+#       # due to throttling.
+#       # pingTimeoutMs: 600000
+#       # The rate at which to send pings to the IRCd if the client is being quiet for a while.
+#       # Whilst the IRCd *should* be sending pings to us to keep the connection alive, it appears
+#       # that sometimes they don't get around to it and end up ping timing us out.
+#       # pingRateMs: 60000
+#       # Choose which conditions the IRC bridge should kick Matrix users for. Decisions to this from
+#       # defaults should be taken with care as it may dishonestly represent Matrix users on the IRC
+#       # network, and cause your bridge to be banned.
+#       kickOn:
+#         # Kick a Matrix user from a bridged room if they fail to join the IRC channel.
+#         channelJoinFailure: true
+#         # Kick a Matrix user from ALL rooms if they are unable to get connected to IRC.
+#         ircConnectionFailure: true
+#         # Kick a Matrix user from ALL rooms if they choose to QUIT the IRC network.
+#         userQuit: true
 
-# Controls whether the matrix-appservice-discord container exposes its HTTP port (tcp/9999 in the container).
+# Controls whether the matrix-appservice-irc container exposes its HTTP port (tcp/9999 in the container).
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:9999"), or empty string to not expose.
 matrix_appservice_irc_container_http_host_bind_port: ''
 
+# Controls whether the matrix-appservice-irc container exposes its media proxy HTTP port.
+#
+# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:11111"), or empty string to not expose.
+matrix_appservice_irc_container_media_proxy_host_bind_port: ''
+
 matrix_appservice_irc_container_network: ""
 
 matrix_appservice_irc_container_additional_networks: "{{ matrix_appservice_irc_container_additional_networks_auto + matrix_appservice_irc_container_additional_networks_custom }}"
@@ -403,6 +488,26 @@ matrix_appservice_irc_container_additional_networks_custom: []
 # A list of extra arguments to pass to the container
 matrix_appservice_irc_container_extra_arguments: []
 
+# matrix_appservice_irc_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
+# To inject your own other container labels, see `matrix_appservice_irc_container_labels_additional_labels`.
+matrix_appservice_irc_container_labels_traefik_enabled: true
+matrix_appservice_irc_container_labels_traefik_docker_network: "{{ matrix_appservice_irc_container_network }}"
+matrix_appservice_irc_container_labels_traefik_entrypoints: web-secure
+matrix_appservice_irc_container_labels_traefik_tls_certResolver: default  # noqa var-naming
+
+# Controls whether Traefik labels for the media proxy will be applied
+matrix_appservice_irc_container_labels_media_proxy_enabled: true
+# Derived from publicUrl_pathPrefix, stripping any trailing slash (unless it's just "/")
+matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix: "{{ '/' if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix == '/' else matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix.rstrip('/') }}"
+matrix_appservice_irc_container_labels_media_proxy_traefik_rule: "Host(`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_hostname }}`) && PathPrefix(`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`)"
+matrix_appservice_irc_container_labels_media_proxy_traefik_priority: 2000
+matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints: "{{ matrix_appservice_irc_container_labels_traefik_entrypoints }}"
+matrix_appservice_irc_container_labels_media_proxy_traefik_tls: "{{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints != 'web' }}"
+matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver: "{{ matrix_appservice_irc_container_labels_traefik_tls_certResolver }}"  # noqa var-naming
+
+# matrix-appservice-irc container additional labels
+matrix_appservice_irc_container_labels_additional_labels: ''
+
 # List of systemd services that matrix-appservice-irc.service depends on.
 matrix_appservice_irc_systemd_required_services_list: "{{ matrix_appservice_irc_systemd_required_services_list_default + matrix_appservice_irc_systemd_required_services_list_auto + matrix_appservice_irc_systemd_required_services_list_custom }}"
 matrix_appservice_irc_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"

roles/custom/matrix-bridge-appservice-irc/tasks/setup_install.yml

@@ -1,5 +1,6 @@
 # SPDX-FileCopyrightText: 2019 - 2022 MDAD project contributors
-# SPDX-FileCopyrightText: 2019 - 2024 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2019 - 2026 Slavi Pantaleev
+# SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
 # SPDX-FileCopyrightText: 2019 Dan Arnfield
 # SPDX-FileCopyrightText: 2020 Chris van Dijk
 # SPDX-FileCopyrightText: 2021 Panagiotis Georgiadis
@@ -121,6 +122,14 @@
     owner: "{{ matrix_user_name }}"
     group: "{{ matrix_group_name }}"
 
+- name: Ensure Matrix Appservice IRC labels file installed
+  ansible.builtin.template:
+    src: "{{ role_path }}/templates/labels.j2"
+    dest: "{{ matrix_appservice_irc_base_path }}/labels"
+    mode: 0644
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+
 - name: Generate Appservice IRC passkey if it doesn't exist
   ansible.builtin.shell:
     cmd: "{{ matrix_host_command_openssl }} genpkey -out {{ matrix_appservice_irc_data_path }}/passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048"
@@ -128,6 +137,41 @@
   become: true
   become_user: "{{ matrix_user_name }}"
 
+- name: Check if an authenticated media signing key exists
+  ansible.builtin.stat:
+    path: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+  register: matrix_appservice_irc_stat_auth_media_key
+
+- when: not matrix_appservice_irc_stat_auth_media_key.stat.exists
+  block:
+    - name: Generate IRC appservice signing key for authenticated media
+      community.docker.docker_container:
+        name: "create-auth-media-jwk-key"
+        image: "{{ matrix_appservice_irc_docker_image }}"
+        cleanup: true
+        network_mode: none
+        entrypoint: "/usr/local/bin/node"
+        command: >
+          -e "const webcrypto = require('node:crypto');
+          async function main() {
+              const key = await webcrypto.subtle.generateKey({
+                  name: 'HMAC',
+                  hash: 'SHA-512',
+              }, true, ['sign', 'verify']);
+              console.log(JSON.stringify(await webcrypto.subtle.exportKey('jwk', key), undefined, 4));
+          }
+          main().then(() => process.exit(0)).catch(err => { throw err });"
+        detach: false
+      register: matrix_appservice_irc_jwk_result
+
+    - name: Write auth media signing key to file
+      ansible.builtin.copy:
+        content: "{{ matrix_appservice_irc_jwk_result.container.Output }}"
+        dest: "{{ matrix_appservice_irc_data_path }}/auth-media.jwk"
+        mode: "0644"
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
+
 # In the past, we used to generate the passkey.pem file with root, so permissions may not be okay.
 # Fix it.
 - name: (Migration) Ensure Appservice IRC passkey permissions are okay

roles/custom/matrix-bridge-appservice-irc/tasks/validate_config.yml

@@ -44,3 +44,27 @@
     - {'old': 'matrix_appservice_irc_container_expose_client_server_api_port', 'new': '<superseded by matrix_appservice_irc_container_http_host_bind_port>'}
     - {'old': 'matrix_appservice_irc_container_self_build', 'new': 'matrix_appservice_irc_container_image_self_build'}
     - {'old': 'matrix_appservice_irc_docker_image_name_prefix', 'new': 'matrix_appservice_irc_docker_image_registry_prefix'}
+    - {'old': 'matrix_appservice_irc_homeserver_media_url', 'new': '<removed; media proxying now uses matrix_appservice_irc_ircService_mediaProxy_publicUrl>'}
+
+- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not start with a slash
+  ansible.builtin.fail:
+    msg: >-
+      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must start with a slash (e.g. `/` or `/irc/`).
+  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[0] != '/'"
+
+- name: Fail if matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix does not end with a slash
+  ansible.builtin.fail:
+    msg: >-
+      matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix (`{{ matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix }}`) must end with a slash (e.g. `/` or `/irc/`).
+  when: "matrix_appservice_irc_ircService_mediaProxy_publicUrl_pathPrefix[-1] != '/'"
+
+- when: matrix_appservice_irc_container_labels_traefik_enabled | bool
+  block:
+    # We ensure it doesn't end with a slash, because we handle both (slash and no-slash).
+    # Knowing that the path_prefix does not end with a slash ensures we know how to set these routes up
+    # without having to do "does it end with a slash" checks elsewhere.
+    - name: Fail if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix ends with a slash
+      ansible.builtin.fail:
+        msg: >-
+          matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix (`{{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}`) must either be `/` or not end with a slash (e.g. `/irc`).
+      when: "matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' and matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix[-1] == '/'"

roles/custom/matrix-bridge-appservice-irc/templates/config.yaml.j2

@@ -1,14 +1,13 @@
 #jinja2: lstrip_blocks: True
+#
+# Based on https://github.com/matrix-org/matrix-appservice-irc/blob/8daebec7779a2480180cbc4c293838de649aab36/config.sample.yaml
+#
+# Configuration specific to AS registration. Unless other marked, all fields
+# are *REQUIRED*.
+# Unless otherwise specified, these keys CANNOT be hot-reloaded.
 homeserver:
-  # The URL to the home server for client-server API calls, also used to form the
+  # The URL to the home server for client-server API calls
-  # media URLs as displayed in bridged IRC channels:
+  url: "{{ matrix_appservice_irc_homeserver_url }}"
-  url: {{ matrix_appservice_irc_homeserver_url }}
-  #
-  # The URL of the homeserver hosting media files. This is only used to transform
-  # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By
-  # default, this is the homeserver URL, specified above.
-  #
-  media_url: {{ matrix_appservice_irc_homeserver_media_url }}
 
   # Drop Matrix messages which are older than this number of seconds, according to
   # the event's origin_server_ts.
@@ -20,18 +19,29 @@ homeserver:
   # clock times and hence produce different origin_server_ts values, which may be old
   # enough to cause *all* events from the homeserver to be dropped.
   # Default: 0 (don't ever drop)
+  # This key CAN be hot-reloaded.
   # dropMatrixMessagesAfterSecs: 300 # 5 minutes
 
   # The 'domain' part for user IDs on this home server. Usually (but not always)
   # is the "domain name" part of the HS URL.
-  domain: {{ matrix_appservice_irc_homeserver_domain }}
+  domain: "{{ matrix_appservice_irc_homeserver_domain }}"
 
   # Should presence be enabled for Matrix clients on this bridge. If disabled on the
   # homeserver then it should also be disabled here to avoid excess traffic.
   # Default: true
   enablePresence: {{ matrix_appservice_irc_homeserver_enablePresence|to_json }}
 
+  # Which port should the appservice bind to. Can be overridden by the one provided in the
+  # command line! Optional.
+  # bindPort: 8090
+
+  # Use this option to force the appservice to listen on another hostname for transactions.
+  # This is NOT your synapse hostname. E.g. use 127.0.0.1 to only listen locally. Optional.
+  # bindHostname: 0.0.0.0
+
+# Configuration specific to the IRC service
 ircService:
+
   # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot
   # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in
   # the database.
@@ -50,11 +60,18 @@ ircService:
     # Cache this many Matrix events in memory to be used for m.relates_to messages (usually replies).
     eventCacheSize: 4096
 
+  # All server keys can be hot-reloaded, however existing IRC connections
+  # will not have changes applied to them.
   servers: {{ matrix_appservice_irc_ircService_servers|to_json }}
 
+  # present relevant UI to the user. MSC2346
+  bridgeInfoState:
+    enabled: false
+    initial: false
   # Configuration for an ident server. If you are running a public bridge it is
   # advised you setup an ident server so IRC mods can ban specific Matrix users
   # rather than the application service itself.
+  # This key CANNOT be hot-reloaded
   ident:
     # True to listen for Ident requests and respond with the
     # Matrix user's user_id (converted to ASCII, respecting RFC 1413).
@@ -71,6 +88,10 @@ ircService:
     # Default: 0.0.0.0
     address: "::"
 
+  # Encoding fallback - which text encoding to try if text is not UTF-8. Default: not set.
+  # List of supported encodings: https://www.npmjs.com/package/iconv#supported-encodings
+  # encodingFallback: "ISO-8859-15"
+
   # Configuration for logging. Optional. Default: console debug level logging
   # only.
   logging:
@@ -87,33 +108,42 @@ ircService:
     # to rotations.
     maxFiles: 5
 
-  # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`:
-  #   $ npm install prom-client@6.3.0
   # Metrics will then be available via GET /metrics on the bridge listening port (-p).
+  # This key CANNOT be hot-reloaded
   metrics:
     # Whether to actually enable the metric endpoint. Default: false
     enabled: true
+    # Which port to listen on (omit to listen on the bindPort)
+    #port: 7001
+    # Which hostname to listen on (omit to listen on 127.0.0.1), requires port to be set
+    host: 127.0.0.1
+    # When determining activeness of remote and matrix users, cut off at this number of hours.
+    userActivityThresholdHours: 72 # 3 days
     # When collecting remote user active times, which "buckets" should be used. Defaults are given below.
     # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks).
     remoteUserAgeBuckets:
       - "1h"
       - "1d"
       - "1w"
-
   # Configuration for the provisioning API.
-  #
+  # This key CANNOT be hot-reloaded
-  # GET /_matrix/provision/link
-  # GET /_matrix/provision/unlink
-  # GET /_matrix/provision/listlinks
-  #
   provisioning:
     # True to enable the provisioning HTTP endpoint. Default: false.
     enabled: false
-    # The number of seconds to wait before giving up on getting a response from
+    # Whether to enable hosting the setup widget page. Default: false.
-    # an IRC channel operator. If the channel operator does not respond within the
+    widget: false
-    # allotted time period, the provisioning request will fail.
+
-    # Default: 300 seconds (5 mins)
+  # Config for the media proxy, required to serve publicly accessible URLs to authenticated Matrix media
-    requestTimeoutSeconds: 300
+  mediaProxy:
+    # To generate a .jwk file:
+    # $ node src/generate-signing-key.js > signingkey.jwk
+    signingKeyPath: "/data/auth-media.jwk"
+    # How long should the generated URLs be valid for
+    ttlSeconds: 604800
+    # The port for the media proxy to listen on
+    bindPort: {{ matrix_appservice_irc_ircService_mediaProxy_bindPort | to_json }}
+    # The publicly accessible URL to the media proxy
+    publicUrl: {{ matrix_appservice_irc_ircService_mediaProxy_publicUrl | to_json }}
 
 # Options here are generally only applicable to large-scale bridges and may have
 # consequences greater than other options in this configuration file.
@@ -122,13 +152,18 @@ advanced:
   # however for large bridges it is important to rate limit the bridge to avoid
   # accidentally overloading the homeserver. Defaults to 1000, which should be
   # enough for the vast majority of use cases.
+  # This key CAN be hot-reloaded
   maxHttpSockets: 1000
+  # Max size of an appservice transaction payload, in bytes. Defaults to 10Mb
+  # This key CANNOT be hot-reloaded.
+  maxTxnSize: 10000000
 
 # Use an external database to store bridge state.
+# This key CANNOT be hot-reloaded.
 database:
   # database engine (must be 'postgres' or 'nedb'). Default: nedb
   engine: {{ matrix_appservice_irc_database_engine|to_json }}
   # Either a PostgreSQL connection string, or a path to the NeDB storage directory.
   # For postgres, it must start with postgres://
   # For NeDB, it must start with nedb://. The path is relative to the project directory.
-  connectionString: {{ matrix_appservice_irc_database_connectionString|to_json }}
+  connectionString: {{ matrix_appservice_irc_database_connectionString | to_json }}

roles/custom/matrix-bridge-appservice-irc/templates/labels.j2

@@ -0,0 +1,63 @@
+{#
+SPDX-FileCopyrightText: 2025 Jade Ellis
+SPDX-FileCopyrightText: 2025 - 2026 Thom Wiggers
+SPDX-FileCopyrightText: 2026 Slavi Pantaleev
+
+SPDX-License-Identifier: AGPL-3.0-or-later
+#}
+
+{% if matrix_appservice_irc_container_labels_traefik_enabled and matrix_appservice_irc_container_labels_media_proxy_enabled %}
+traefik.enable=true
+
+{% if matrix_appservice_irc_container_labels_traefik_docker_network %}
+traefik.docker.network={{ matrix_appservice_irc_container_labels_traefik_docker_network }}
+{% endif %}
+
+traefik.http.services.matrix-appservice-irc-media-proxy.loadbalancer.server.port={{ matrix_appservice_irc_ircService_mediaProxy_bindPort }}
+
+############################################################
+#                                                          #
+# IRC Bridge Media Proxy                                   #
+#                                                          #
+############################################################
+
+{% set middlewares = [] %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.rule={{ matrix_appservice_irc_container_labels_media_proxy_traefik_rule }}
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.regex=({{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix | quote }})$
+traefik.http.middlewares.matrix-appservice-irc-media-proxy-slashless-redirect.redirectregex.replacement=${1}/
+{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-slashless-redirect'] %}
+{% endif %}
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix != '/' %}
+traefik.http.middlewares.matrix-appservice-irc-media-proxy-strip-prefix.stripprefix.prefixes={{ matrix_appservice_irc_container_labels_media_proxy_traefik_path_prefix }}
+{% set middlewares = middlewares + ['matrix-appservice-irc-media-proxy-strip-prefix'] %}
+{% endif %}
+
+
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_priority | int > 0 %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.priority={{ matrix_appservice_irc_container_labels_media_proxy_traefik_priority }}
+{% endif %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.service=matrix-appservice-irc-media-proxy
+traefik.http.routers.matrix-appservice-irc-media-proxy.entrypoints={{ matrix_appservice_irc_container_labels_media_proxy_traefik_entrypoints }}
+
+{% if middlewares | length > 0 %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.middlewares={{ middlewares | join(',') }}
+{% endif %}
+
+traefik.http.routers.matrix-appservice-irc-media-proxy.tls={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls | to_json }}
+{% if matrix_appservice_irc_container_labels_media_proxy_traefik_tls %}
+traefik.http.routers.matrix-appservice-irc-media-proxy.tls.certResolver={{ matrix_appservice_irc_container_labels_media_proxy_traefik_tls_certResolver }}
+{% endif %}
+
+############################################################
+#                                                          #
+# /IRC Bridge Media Proxy                                  #
+#                                                          #
+############################################################
+{% endif %}
+
+{{ matrix_appservice_irc_container_labels_additional_labels }}

roles/custom/matrix-bridge-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2

@@ -26,8 +26,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% if matrix_appservice_irc_container_http_host_bind_port %}
 			-p {{ matrix_appservice_irc_container_http_host_bind_port }}:9999 \
 			{% endif %}
+			{% if matrix_appservice_irc_container_media_proxy_host_bind_port %}
+			-p {{ matrix_appservice_irc_container_media_proxy_host_bind_port }}:{{ matrix_appservice_irc_ircService_mediaProxy_bindPort }} \
+			{% endif %}
 			--mount type=bind,src={{ matrix_appservice_irc_config_path }},dst=/config \
 			--mount type=bind,src={{ matrix_appservice_irc_data_path }},dst=/data \
+			--label-file={{ matrix_appservice_irc_base_path }}/labels \
 			{% for arg in matrix_appservice_irc_container_extra_arguments %}
 			{{ arg }} \
 			{% endfor %}

roles/custom/matrix-bridge-hookshot/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_hookshot_container_additional_networks_auto: []
 matrix_hookshot_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=halfshot/matrix-hookshot
-matrix_hookshot_version: 7.2.0
+matrix_hookshot_version: 7.3.1
 
 matrix_hookshot_docker_image: "{{ matrix_hookshot_docker_image_registry_prefix }}matrix-org/matrix-hookshot:{{ matrix_hookshot_version }}"
 matrix_hookshot_docker_image_registry_prefix: "{{ 'localhost/' if matrix_hookshot_container_image_self_build else matrix_hookshot_docker_image_registry_prefix_upstream }}"
@@ -242,6 +242,18 @@ matrix_hookshot_widgets_branding_widgetTitle: "Hookshot Configuration"   # noqa
 #         level: admin
 matrix_hookshot_permissions: []
 
+# Static connections that can be configured by an administrator, as documented here:
+# https://matrix-org.github.io/matrix-hookshot/latest/usage/static_connections.html
+# Currently only generic webhooks are supported.
+# Example:
+# matrix_hookshot_connections:
+#   - connectionType: uk.half-shot.matrix-hookshot.generic.hook
+#     stateKey: my-unique-webhook-id
+#     roomId: "!room-id"
+#     state:
+#       name: My Static Webhook
+matrix_hookshot_connections: []
+
 matrix_hookshot_bot_displayname: Hookshot Bot
 matrix_hookshot_bot_avatar: 'mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d'
 

roles/custom/matrix-bridge-hookshot/templates/config.yaml.j2

@@ -137,6 +137,7 @@ widgets:
 {% if matrix_hookshot_permissions %}
 permissions: {{ matrix_hookshot_permissions | to_json }}
 {% endif %}
+connections: {{ matrix_hookshot_connections | to_json }}
 listeners:
   # (Optional) HTTP Listener configuration.
   # Bind resource endpoints to ports and addresses.

roles/custom/matrix-bridge-mautrix-gmessages/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_mautrix_gmessages_container_image_self_build_repo: "https://github.com/ma
 matrix_mautrix_gmessages_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_gmessages_version == 'latest' else matrix_mautrix_gmessages_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/gmessages
-matrix_mautrix_gmessages_version: v0.2511.0
+matrix_mautrix_gmessages_version: v0.2601.0
 
 # See: https://mau.dev/mautrix/gmessages/container_registry
 matrix_mautrix_gmessages_docker_image: "{{ matrix_mautrix_gmessages_docker_image_registry_prefix }}mautrix/gmessages:{{ matrix_mautrix_gmessages_version }}"

roles/custom/matrix-bridge-mautrix-signal/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_mautrix_signal_container_image_self_build_repo: "https://mau.dev/mautrix/
 matrix_mautrix_signal_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_signal_version == 'latest' else matrix_mautrix_signal_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/signal
-matrix_mautrix_signal_version: v0.2512.0
+matrix_mautrix_signal_version: v0.2601.0
 
 # See: https://mau.dev/mautrix/signal/container_registry
 matrix_mautrix_signal_docker_image: "{{ matrix_mautrix_signal_docker_image_registry_prefix }}mautrix/signal:{{ matrix_mautrix_signal_docker_image_tag }}"

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2512.0
+matrix_mautrix_whatsapp_version: v0.2601.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_docker_image: "{{ matrix_mautrix_whatsapp_docker_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.7
+matrix_client_element_version: v1.12.9
 
 matrix_client_element_docker_image: "{{ matrix_client_element_docker_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_docker_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -13,7 +13,7 @@ matrix_client_fluffychat_container_image_self_build_repo: "https://github.com/et
 matrix_client_fluffychat_container_image_self_build_version: "{{ 'main' if matrix_client_fluffychat_version == 'latest' else matrix_client_fluffychat_version }}"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/fluffychat-web
-matrix_client_fluffychat_version: v2.3.0
+matrix_client_fluffychat_version: v2.4.0
 matrix_client_fluffychat_docker_image: "{{ matrix_client_fluffychat_docker_image_registry_prefix }}etkecc/fluffychat-web:{{ matrix_client_fluffychat_version }}"
 matrix_client_fluffychat_docker_image_registry_prefix: "{{ 'localhost/' if matrix_client_fluffychat_container_image_self_build else matrix_client_fluffychat_docker_image_registry_prefix_upstream }}"
 matrix_client_fluffychat_docker_image_registry_prefix_upstream: "{{ matrix_client_fluffychat_docker_image_registry_prefix_upstream_default }}"

roles/custom/matrix-coturn/defaults/main.yml

@@ -18,15 +18,15 @@
 
 matrix_coturn_enabled: true
 
-matrix_coturn_hostname: ''
+matrix_coturn_hostname: ""
 
 matrix_coturn_container_image_self_build: false
 matrix_coturn_container_image_self_build_repo: "https://github.com/coturn/coturn"
 matrix_coturn_container_image_self_build_repo_version: "docker/{{ matrix_coturn_version }}"
 matrix_coturn_container_image_self_build_repo_dockerfile_path: "docker/coturn/alpine/Dockerfile"
 
-# renovate: datasource=docker depName=coturn/coturn
+# renovate: datasource=docker depName=coturn/coturn versioning=loose
-matrix_coturn_version: 4.6.2-r11
+matrix_coturn_version: 4.8.0
 matrix_coturn_docker_image: "{{ matrix_coturn_docker_image_registry_prefix }}coturn/coturn:{{ matrix_coturn_version }}-alpine"
 matrix_coturn_docker_image_registry_prefix: "{{ 'localhost/' if matrix_coturn_container_image_self_build else matrix_coturn_docker_image_registry_prefix_upstream }}"
 matrix_coturn_docker_image_registry_prefix_upstream: "{{ matrix_coturn_docker_image_registry_prefix_upstream_default }}"
@@ -139,7 +139,7 @@ matrix_coturn_lt_cred_mech_password: ""
 # The external IP address of the machine where coturn is.
 # If do not define an IP address here or in `matrix_coturn_turn_external_ip_addresses`, auto-detection via an EchoIP service will be done.
 # See `matrix_coturn_turn_external_ip_address_auto_detection_enabled`
-matrix_coturn_turn_external_ip_address: ''
+matrix_coturn_turn_external_ip_address: ""
 matrix_coturn_turn_external_ip_addresses: "{{ [matrix_coturn_turn_external_ip_address] if matrix_coturn_turn_external_ip_address != '' else [] }}"
 
 # Controls whether external IP address auto-detection should be attempted.
@@ -218,7 +218,7 @@ matrix_coturn_response_origin_only_with_rfc5780_enabled: true
 #   simple-log
 #   aux-server=1.2.3.4
 #   relay-ip=4.3.2.1
-matrix_coturn_additional_configuration: ''
+matrix_coturn_additional_configuration: ""
 
 # To enable TLS, you need to provide paths to certificates.
 # Paths defined in `matrix_coturn_tls_cert_path` and `matrix_coturn_tls_key_path` are in-container paths.

roles/custom/matrix-livekit-jwt-service/defaults/main.yml

@@ -25,7 +25,7 @@ matrix_livekit_jwt_service_container_additional_networks_auto: []
 matrix_livekit_jwt_service_container_additional_networks_custom: []
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/lk-jwt-service
-matrix_livekit_jwt_service_version: 0.4.0
+matrix_livekit_jwt_service_version: 0.4.1
 
 matrix_livekit_jwt_service_container_image_self_build: false
 matrix_livekit_jwt_service_container_repo: "https://github.com/element-hq/lk-jwt-service.git"

roles/custom/matrix-media-repo/defaults/main.yml

@@ -895,13 +895,7 @@ matrix_media_repo_redis_database_number: 0
 
 # The Redis shards that should be used by the media repo in the ring. The names of the
 # shards are for your reference and have no bearing on the connection, but must be unique.
-matrix_media_repo_redis_shards:
+matrix_media_repo_redis_shards: []
-  - name: "server1"
-    addr: ":7000"
-  - name: "server2"
-    addr: ":7001"
-  - name: "server3"
-    addr: ":7002"
 
 # Optional sentry (https://sentry.io/) configuration for the media repo
 

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.144.0
+matrix_synapse_version: v1.146.0
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -1092,6 +1092,11 @@ matrix_synapse_workers_media_repository_workers_container_arguments: []
 # Adjusting this value manually is generally not necessary.
 matrix_synapse_enable_media_repo: "{{ not matrix_synapse_ext_media_repo_enabled and (not matrix_synapse_workers_enabled or (matrix_synapse_workers_enabled_list | selectattr('type', 'equalto', 'media_repository') | list | length == 0)) }}"
 
+# matrix_synapse_enable_local_media_storage controls whether the local on-disk media storage provider is enabled in Synapse.
+# When disabled, media is stored only in configured `media_storage_providers` and temporary files are used for processing (no local caching).
+# Warning: If this option is set to false and no `media_storage_providers` are configured, all media requests will return 404 errors as there will be no storage backend available.
+matrix_synapse_enable_local_media_storage: true
+
 # matrix_synapse_enable_authenticated_media controls if authenticated media is enabled.
 # If enabled all "old" media remains accessible over the legacy endpoints but new media is blocked.
 # while this option is enabled all media access and downloads have to be done via authenticated endpoints.

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -1035,11 +1035,15 @@ federation_rr_transactions_per_room_per_second: {{ matrix_synapse_federation_rr_
 #enable_media_repo: false
 enable_media_repo: {{ matrix_synapse_enable_media_repo | to_json }}
 
+# Enable the local on-disk media storage provider.
+# When disabled, media is stored only in configured media_storage_providers and temporary files are used for processing (no local caching).
+# Warning: If this option is set to false and no media_storage_providers are configured, all media requests will return 404 errors as there will be no storage backend available.
+enable_local_media_storage: {{ matrix_synapse_enable_local_media_storage | to_json }}
+
 # Enable authenticated media.
 # enable_authenticated_media blocks access to new media from the legacy endpoints
 # and freezes the unauthenticated media repo by blocking all downloads that are not using
 # the new authenticated endpoints. If this option is turned off all media reverts to being considered "old"
-
 enable_authenticated_media: {{ matrix_synapse_enable_authenticated_media | to_json }}
 
 # Directory where uploaded images and attachments are stored.

roles/custom/matrix-synapse/vars/main.yml

@@ -200,12 +200,13 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(r0|v3|unstable)/notifications$
 
   # Encryption requests
-  # Note that ^/_matrix/client/(r0|v3|unstable)/keys/upload/ requires `worker_main_http_uri`
   - ^/_matrix/client/(r0|v3|unstable)/keys/query$
   - ^/_matrix/client/(r0|v3|unstable)/keys/changes$
   - ^/_matrix/client/(r0|v3|unstable)/keys/claim$
   - ^/_matrix/client/(r0|v3|unstable)/room_keys/
-  - ^/_matrix/client/(r0|v3|unstable)/keys/upload/
+  - ^/_matrix/client/(r0|v3|unstable)/keys/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
@@ -223,6 +224,12 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/knock/
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/
 
+  # Unstable MSC4140 support
+  - ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$
+
+  # Admin API requests
+  - ^/_synapse/admin/v2/users/[^/]+$
+
   # Start of intentionally-ignored-endpoints
   #
   # We ignore these below, because they're better sent to dedicated workers (various stream writers).