Automatic translations update

syn2mas reads Synapse's homeserver.yaml and reuses the database
connection details from there.

When Synapse is configured to reach the integrated Postgres over a UNIX socket,
the temporary syn2mas container was given the config file but not the socket mount,
so migrations could fail even though Synapse itself was configured correctly.

Wire the Synapse socket settings into MAS via playbook vars and mount
the same socket path into the syn2mas container, so migrations work in
socket-based deployments without coupling the MAS role directly to
Synapse role variables.

.github/workflows/matrix.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@v26.1.1
+        uses: ansible/ansible-lint@v26.3.0
         with:
           args: "roles/custom"
           setup_python: "true"

CHANGELOG.md

@@ -1,3 +1,20 @@
+# 2026-03-17
+
+## Synapse now prefers UNIX sockets for playbook-managed Postgres and Valkey
+
+When Synapse uses the playbook-managed Postgres and Valkey services, it now connects to them via [UNIX sockets](https://en.wikipedia.org/wiki/Unix_domain_socket) by default instead of TCP.
+
+This reduces unnecessary container-network wiring and keeps local IPC off the network stack, which is a bit simpler and slightly more secure.
+
+If you use an external Postgres server or external Redis/Valkey for Synapse, this does not change your setup.
+
+If you'd like to keep the previous TCP-based behavior, add the following configuration to your `vars.yml`:
+
+```yaml
+matrix_synapse_database_socket_enabled: false
+matrix_synapse_redis_path_enabled: false
+```
+
 # 2026-03-01
 
 ## (Potential BC Break) Synapse S3 media prefix is now applied consistently

group_vars/matrix_servers

@@ -1153,6 +1153,9 @@ matrix_authentication_service_systemd_wanted_services_list_auto: |
 matrix_authentication_service_syn2mas_container_network: "{{ postgres_container_network if postgres_enabled and matrix_authentication_service_config_database_host == postgres_connection_hostname else matrix_authentication_service_container_network }}"
 
 matrix_authentication_service_syn2mas_synapse_homeserver_config_path: "{{ matrix_synapse_config_dir_path + '/homeserver.yaml' if matrix_synapse_enabled else '' }}"
+matrix_authentication_service_syn2mas_synapse_database_socket_enabled: "{{ matrix_synapse_database_socket_enabled if matrix_synapse_enabled else false }}"
+matrix_authentication_service_syn2mas_synapse_database_socket_path: "{{ matrix_synapse_database_socket_path if matrix_synapse_enabled else '' }}"
+matrix_authentication_service_syn2mas_synapse_database_socket_path_host: "{{ matrix_synapse_database_socket_path_host if matrix_synapse_enabled else '' }}"
 
 ######################################################################
 #
@@ -3271,6 +3274,9 @@ matrix_pantalaimon_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }
 ######################################################################
 
 backup_borg_enabled: false
+backup_borg_mariadb_enabled: false
+backup_borg_mysql_enabled: false
+backup_borg_mongodb_enabled: false
 
 backup_borg_identifier: matrix-backup-borg
 backup_borg_storage_archive_name_format: matrix-{now:%Y-%m-%d-%H%M%S}
@@ -3997,7 +4003,7 @@ postgres_managed_databases_auto: |
       'name': matrix_synapse_database_database,
       'username': matrix_synapse_database_user,
       'password': matrix_synapse_database_password,
-    }] if (matrix_synapse_enabled and matrix_synapse_database_host == postgres_connection_hostname) else [])
+    }] if (matrix_synapse_enabled and matrix_playbook_synapse_uses_managed_postgres) else [])
     +
     ([{
       'name': matrix_dendrite_federation_api_database,
@@ -4745,9 +4751,9 @@ matrix_synapse_container_additional_networks_auto: |
     (
       ([matrix_playbook_reverse_proxyable_services_additional_network] if matrix_synapse_container_labels_traefik_enabled and matrix_playbook_reverse_proxyable_services_additional_network else [])
       +
-      ([postgres_container_network] if (postgres_enabled and postgres_container_network != matrix_synapse_container_network and matrix_synapse_database_host == postgres_connection_hostname) else [])
+      ([postgres_container_network] if (matrix_playbook_synapse_uses_managed_postgres and (not matrix_synapse_database_socket_enabled) and postgres_container_network != matrix_synapse_container_network) else [])
       +
-      ([valkey_container_network] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
+      ([valkey_container_network] if (matrix_playbook_synapse_uses_managed_valkey and (not matrix_synapse_redis_path_enabled) and valkey_container_network != matrix_synapse_container_network) else [])
       +
       ([exim_relay_container_network] if (exim_relay_enabled and matrix_synapse_email_enabled and matrix_synapse_email_smtp_host == exim_relay_identifier and matrix_synapse_container_network != exim_relay_container_network) else [])
       +
@@ -4784,12 +4790,24 @@ matrix_synapse_container_labels_public_metrics_middleware_basic_auth_users: "{{
 matrix_synapse_container_labels_internal_client_api_enabled: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_enabled }}"
 matrix_synapse_container_labels_internal_client_api_traefik_entrypoints: "{{ matrix_playbook_internal_matrix_client_api_traefik_entrypoint_name }}"
 
+# Playbook-level Synapse topology wiring helpers.
+matrix_playbook_synapse_uses_managed_postgres: "{{ postgres_enabled }}"
+matrix_playbook_synapse_uses_managed_valkey: "{{ matrix_synapse_redis_enabled and valkey_enabled }}"
+matrix_playbook_synapse_auto_compressor_uses_managed_postgres: "{{ matrix_playbook_synapse_uses_managed_postgres and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host }}"
+
 # For exposing the Synapse worker (and metrics) ports to the local host.
 matrix_synapse_workers_container_host_bind_address: "{{ matrix_playbook_service_host_bind_interface_prefix[0:-1] if (matrix_synapse_workers_enabled and matrix_playbook_service_host_bind_interface_prefix) else '' }}"
 
-matrix_synapse_database_host: "{{ postgres_connection_hostname if postgres_enabled else '' }}"
+matrix_synapse_database_host: "{{ postgres_connection_hostname if matrix_playbook_synapse_uses_managed_postgres else '' }}"
 matrix_synapse_database_password: "{{ (matrix_homeserver_generic_secret_key + ':synapse.db') | hash('sha512') | to_uuid }}"
 
+# unix socket connection
+matrix_synapse_database_socket_enabled: "{{ matrix_playbook_synapse_uses_managed_postgres and postgres_container_unix_socket_enabled }}"
+# path to the Postgres socket's parent dir inside the Synapse container
+matrix_synapse_database_socket_path: "{{ '/run-postgres' if matrix_playbook_synapse_uses_managed_postgres else '' }}"
+# path to the Postgres socket on the host, using Postgres
+matrix_synapse_database_socket_path_host: "{{ postgres_run_path if matrix_playbook_synapse_uses_managed_postgres else '' }}"
+
 matrix_synapse_macaroon_secret_key: "{{ (matrix_homeserver_generic_secret_key + ':synapse.mac') | hash('sha512') | to_uuid }}"
 
 # We do not enable TLS in Synapse by default, since it's handled by Traefik.
@@ -4820,9 +4838,9 @@ matrix_synapse_self_check_validate_certificates: "{{ matrix_playbook_ssl_enabled
 
 matrix_synapse_systemd_required_services_list_auto: |
   {{
-    ([postgres_identifier ~ '.service'] if (postgres_enabled and postgres_container_network != matrix_synapse_container_network and matrix_synapse_database_host == postgres_connection_hostname) else [])
+    ([postgres_identifier ~ '.service'] if (matrix_playbook_synapse_uses_managed_postgres and postgres_container_network != matrix_synapse_container_network) else [])
     +
-    ([valkey_identifier ~ '.service'] if matrix_synapse_redis_enabled and matrix_synapse_redis_host == valkey_identifier else [])
+    ([valkey_identifier ~ '.service'] if matrix_playbook_synapse_uses_managed_valkey else [])
     +
     (['matrix-goofys.service'] if matrix_s3_media_store_enabled else [])
     +
@@ -4838,8 +4856,17 @@ matrix_synapse_systemd_wanted_services_list_auto: |
 
 # Synapse workers (used for parallel load-scaling) need Redis for IPC.
 matrix_synapse_redis_enabled: "{{ valkey_enabled }}"
-matrix_synapse_redis_host: "{{ valkey_identifier if valkey_enabled else '' }}"
-matrix_synapse_redis_password: "{{ valkey_connection_password if valkey_enabled else '' }}"
+matrix_synapse_redis_host: "{{ valkey_identifier if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+matrix_synapse_redis_password: "{{ valkey_connection_password if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+
+# unix socket connection
+matrix_synapse_redis_path_enabled: "{{ matrix_playbook_synapse_uses_managed_valkey }}"
+# path to the Redis socket's parent dir inside the Synapse container
+matrix_synapse_redis_path: "{{ '/run-valkey' if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+# redis socket filename
+matrix_synapse_redis_path_socket: "{{ '/valkey.sock' if matrix_playbook_synapse_uses_managed_valkey else '' }}"
+# path to the Redis socket on the host, using Valkey
+matrix_synapse_redis_path_host: "{{ valkey_run_path if matrix_playbook_synapse_uses_managed_valkey else '' }}"
 
 matrix_synapse_container_extra_arguments_auto: "{{ matrix_homeserver_container_extra_arguments_auto }}"
 matrix_synapse_app_service_config_files_auto: "{{ matrix_homeserver_app_service_config_files_auto }}"
@@ -4935,7 +4962,7 @@ matrix_synapse_auto_compressor_container_image_registry_prefix_upstream: "{{ mat
 
 matrix_synapse_auto_compressor_container_image_self_build: "{{ matrix_architecture not in ['arm64', 'amd64'] }}"
 
-matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if (postgres_enabled and matrix_synapse_auto_compressor_database_hostname == matrix_synapse_database_host and matrix_synapse_database_host == postgres_connection_hostname) else 'matrix-synapse-auto-compressor') }}"
+matrix_synapse_auto_compressor_container_network: "{{ (postgres_container_network if matrix_playbook_synapse_auto_compressor_uses_managed_postgres else 'matrix-synapse-auto-compressor') }}"
 
 matrix_synapse_auto_compressor_database_username: "{{ matrix_synapse_database_user if matrix_synapse_enabled else '' }}"
 matrix_synapse_auto_compressor_database_password: "{{ matrix_synapse_database_password if matrix_synapse_enabled else '' }}"
@@ -4945,7 +4972,7 @@ matrix_synapse_auto_compressor_database_name: "{{ matrix_synapse_database_databa
 
 matrix_synapse_auto_compressor_systemd_required_services_list_auto: |
   {{
-    ([postgres_identifier ~ '.service'] if (matrix_synapse_auto_compressor_container_network == postgres_container_network) else [])
+    ([postgres_identifier ~ '.service'] if matrix_playbook_synapse_auto_compressor_uses_managed_postgres else [])
   }}
 
 ######################################################################
@@ -5861,7 +5888,10 @@ matrix_user_verification_service_container_http_host_bind_port: "{{  '' if (jits
 # URL exposed in the docker network
 matrix_user_verification_service_container_url: "http://{{  matrix_user_verification_service_container_name }}:3000"
 
-matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_addons_homeserver_client_api_url }}"
+# Using `matrix_addons_homeserver_client_api_url` would not work here,
+# because `matrix-traefik:8008` (matrix-internal-client-api) does not expose any `/_synapse` paths.
+# UVS accesses `/_synapse/admin/v1/rooms` API to check room membership.
+matrix_user_verification_service_uvs_homeserver_url: "{{ matrix_homeserver_container_url }}"
 
 # We connect via the container network (private IPs), so we need to disable IP checks
 matrix_user_verification_service_uvs_disable_ip_blacklist: "{{ matrix_synapse_enabled }}"

i18n/requirements.txt

@@ -1,7 +1,7 @@
 alabaster==1.0.0
 babel==2.18.0
 certifi==2026.2.25
-charset-normalizer==3.4.5
+charset-normalizer==3.4.6
 click==8.3.1
 docutils==0.22.4
 idna==3.11
@@ -17,11 +17,11 @@ packaging==26.0
 Pygments==2.19.2
 PyYAML==6.0.3
 requests==2.32.5
-setuptools==82.0.0
+setuptools==82.0.1
 snowballstemmer==3.0.1
 Sphinx==9.1.0
 sphinx-intl==2.3.2
-sphinx-markdown-builder==0.6.9
+sphinx-markdown-builder==0.6.10
 sphinxcontrib-applehelp==2.0.0
 sphinxcontrib-devhelp==2.0.0
 sphinxcontrib-htmlhelp==2.1.0

i18n/translation-templates/README.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-bot-baibot.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-bridge-appservice-slack.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-bridge-mautrix-discord.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-bridge-mautrix-slack.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-client-sable.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-continuwuity.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-email.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-jitsi.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-livekit-server.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-matrix-rtc.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-prometheus-grafana.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-synapse-admin.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-synapse-auto-accept-invite.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-synapse-s3-storage-provider.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-synapse.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook-turn.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/configuring-playbook.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/container-images.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/faq.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/installing.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/just.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/maintenance-synapse.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/prerequisites.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

i18n/translation-templates/docs/self-building.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: matrix-docker-ansible-deploy \n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-03-07 10:44+0000\n"
+"POT-Creation-Date: 2026-03-17 13:35+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

requirements.yml

@@ -4,10 +4,10 @@
   version: v1.0.0-6
   name: auxiliary
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-backup_borg.git
-  version: v1.4.3-2.1.1-2
+  version: v1.4.3-2.1.3-1
   name: backup_borg
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-cinny.git
-  version: v4.10.5-0
+  version: v4.11.1-0
   name: cinny
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-container-socket-proxy.git
   version: v0.4.2-3
@@ -33,19 +33,19 @@
   version: v4.98.1-r0-2-3
   name: exim_relay
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-grafana.git
-  version: v11.6.5-7
+  version: v11.6.5-8
   name: grafana
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-hydrogen.git
   version: v0.5.1-1
   name: hydrogen
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-jitsi.git
-  version: v10741-0
+  version: v10741-1
   name: jitsi
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-livekit-server.git
   version: v1.9.12-0
   name: livekit_server
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-ntfy.git
-  version: v2.17.0-1
+  version: v2.19.2-0
   name: ntfy
 - src: git+https://github.com/devture/com.devture.ansible.role.playbook_help.git
   version: 8630e4f1749bcb659c412820f754473f09055052
@@ -57,7 +57,7 @@
   version: dd6e15246b7a9a2d921e0b3f9cd8a4a917a1bb2f
   name: playbook_state_preserver
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres.git
-  version: v18.3-0
+  version: v18.3-1
   name: postgres
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-postgres-backup.git
   version: v18-1
@@ -75,23 +75,23 @@
   version: v0.19.1-0
   name: prometheus_postgres_exporter
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-sable.git
-  version: v1.3.0-0
+  version: v1.6.0-1
   name: sable
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_docker_base.git
   version: v1.5.0-0
   name: systemd_docker_base
 - src: git+https://github.com/devture/com.devture.ansible.role.systemd_service_manager.git
-  version: v3.1.0-0
+  version: v3.2.0-0
   name: systemd_service_manager
 - src: git+https://github.com/devture/com.devture.ansible.role.timesync.git
   version: v1.1.0-1
   name: timesync
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik.git
-  version: v3.6.9-0
+  version: v3.6.10-1
   name: traefik
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.git
   version: v2.10.0-5
   name: traefik_certs_dumper
 - src: git+https://github.com/mother-of-all-self-hosting/ansible-role-valkey.git
-  version: v9.0.3-1
+  version: v9.0.3-2
   name: valkey

roles/custom/matrix-alertmanager-receiver/defaults/main.yml

@@ -11,7 +11,7 @@
 matrix_alertmanager_receiver_enabled: true
 
 # renovate: datasource=docker depName=docker.io/metio/matrix-alertmanager-receiver
-matrix_alertmanager_receiver_version: 2026.3.4
+matrix_alertmanager_receiver_version: 2026.3.11
 
 matrix_alertmanager_receiver_scheme: https
 

roles/custom/matrix-authentication-service/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_authentication_service_container_repo_version: "{{ 'main' if matrix_authe
 matrix_authentication_service_container_src_files_path: "{{ matrix_base_data_path }}/matrix-authentication-service/container-src"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/matrix-authentication-service
-matrix_authentication_service_version: 1.12.0
+matrix_authentication_service_version: 1.13.0
 matrix_authentication_service_container_image_registry_prefix: "{{ 'localhost/' if matrix_authentication_service_container_image_self_build else matrix_authentication_service_container_image_registry_prefix_upstream }}"
 matrix_authentication_service_container_image_registry_prefix_upstream: "{{ matrix_authentication_service_container_image_registry_prefix_upstream_default }}"
 matrix_authentication_service_container_image_registry_prefix_upstream_default: "ghcr.io/"
@@ -613,6 +613,10 @@ matrix_authentication_service_syn2mas_synapse_homeserver_config_path: ""
 
 matrix_authentication_service_syn2mas_container_network: "{{ matrix_authentication_service_container_network }}"
 
+matrix_authentication_service_syn2mas_synapse_database_socket_enabled: false
+matrix_authentication_service_syn2mas_synapse_database_socket_path: ""
+matrix_authentication_service_syn2mas_synapse_database_socket_path_host: ""
+
 # Additional options passed to the syn2mas sub-command (e.g. `mas-cli syn2mas [OPTIONS] migrate|check`).
 # Also see: `matrix_authentication_service_syn2mas_subcommand_extra_options`
 #

roles/custom/matrix-authentication-service/tasks/install.yml

@@ -33,6 +33,25 @@
       loop_control:
         loop_var: private_key_definition
 
+    # We intentionally do a single fixup pass here (instead of in `prepare_key.yml`)
+    # so that we reconcile both newly generated keys and any pre-existing keys with
+    # incorrect ownership/mode in one place.
+    #
+    # This primarily protects against setups where `become_user` is effectively not
+    # honored (for example due to inventory misconfiguration such as `ansible_become=false`),
+    # which can lead to host-side key generation creating root-owned files.
+    #
+    # See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
+    - name: Ensure Matrix Authentication Service private keys have correct ownership and mode
+      ansible.builtin.file:
+        path: "{{ matrix_authentication_service_data_keys_path }}/{{ item.key_file }}"
+        state: file
+        mode: '0600'
+        owner: "{{ matrix_user_name }}"
+        group: "{{ matrix_group_name }}"
+      with_items: "{{ matrix_authentication_service_key_management_list }}"
+      register: matrix_authentication_service_private_keys_result
+
 - name: Ensure Matrix Authentication Service configuration installed
   ansible.builtin.copy:
     content: "{{ matrix_authentication_service_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -117,4 +136,5 @@
         or matrix_authentication_service_support_files_result.changed | default(false)
         or matrix_authentication_service_systemd_service_result.changed | default(false)
         or matrix_authentication_service_container_image_pull_result.changed | default(false)
+        or matrix_authentication_service_private_keys_result.changed | default(false)
       }}

roles/custom/matrix-authentication-service/tasks/mas_cli_syn2mas.yml

@@ -71,6 +71,9 @@
       --mount type=bind,src={{ matrix_authentication_service_config_path }}/config.yaml,dst=/config.yaml,ro
       --mount type=bind,src={{ matrix_authentication_service_data_keys_path }},dst=/keys,ro
       --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_homeserver_config_path }},dst=/homeserver.yaml,ro
+      {% if matrix_authentication_service_syn2mas_synapse_database_socket_enabled %}
+      --mount type=bind,src={{ matrix_authentication_service_syn2mas_synapse_database_socket_path_host }},dst={{ matrix_authentication_service_syn2mas_synapse_database_socket_path }}
+      {% endif %}
       {{ matrix_authentication_service_container_image }}
       syn2mas
       --synapse-config=/homeserver.yaml

roles/custom/matrix-base/defaults/main.yml

@@ -246,6 +246,14 @@ matrix_integration_manager_ui_url: ~
 matrix_homeserver_container_extra_arguments_auto: []
 matrix_homeserver_app_service_config_files_auto: []
 
+# These playbook-level helpers describe which managed services Synapse should be wired to.
+# They are meant for orchestration concerns like container networking and systemd ordering,
+# while `matrix_synapse_*` variables stay focused on actual connection parameters.
+# These likely get overridden elsewhere.
+matrix_playbook_synapse_uses_managed_postgres: false
+matrix_playbook_synapse_uses_managed_valkey: false
+matrix_playbook_synapse_auto_compressor_uses_managed_postgres: false
+
 # Controls whether various services should expose metrics publicly.
 # If Prometheus is operating on the same machine, exposing metrics publicly is not necessary.
 matrix_metrics_exposure_enabled: false

roles/custom/matrix-bot-baibot/defaults/main.yml

@@ -405,7 +405,7 @@ matrix_bot_baibot_config_agents_static_definitions_openai_config_api_key: ""
 
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_enabled: true
 # For valid model choices, see: https://platform.openai.com/docs/models
-matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.2
+matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_model_id: gpt-5.4
 # The prompt text to use (can be null or empty to not use a prompt).
 # See: https://huggingface.co/docs/transformers/en/tasks/prompting
 matrix_bot_baibot_config_agents_static_definitions_openai_config_text_generation_prompt: "{{ matrix_bot_baibot_config_agents_static_definitions_prompt }}"

roles/custom/matrix-bot-mjolnir/defaults/main.yml

@@ -17,7 +17,7 @@
 matrix_bot_mjolnir_enabled: true
 
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
-matrix_bot_mjolnir_version: "v1.12.0"
+matrix_bot_mjolnir_version: "v1.12.1"
 
 matrix_bot_mjolnir_container_image_self_build: false
 matrix_bot_mjolnir_container_image_self_build_repo: "https://github.com/matrix-org/mjolnir.git"

roles/custom/matrix-bridge-hookshot/tasks/setup_install.yml

@@ -76,6 +76,20 @@
   become_user: "{{ matrix_user_name }}"
   when: "not hookshot_passkey_file.stat.exists"
 
+# We intentionally reconcile the passkey ownership/mode after generation,
+# because some setups can end up creating host-side files as the SSH user
+# instead of `matrix` when `become_user` is effectively not honored.
+#
+# See: https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/5033
+- name: Ensure hookshot passkey has correct ownership and mode
+  ansible.builtin.file:
+    path: "{{ matrix_hookshot_base_path }}/passkey.pem"
+    state: file
+    mode: '0600'
+    owner: "{{ matrix_user_name }}"
+    group: "{{ matrix_group_name }}"
+  register: matrix_hookshot_passkey_result
+
 - name: Ensure hookshot config.yml installed if provided
   ansible.builtin.copy:
     content: "{{ matrix_hookshot_configuration | to_nice_yaml(indent=2, width=999999) }}"
@@ -154,6 +168,7 @@
         matrix_hookshot_config_result.changed | default(false)
         or matrix_hookshot_registration_result.changed | default(false)
         or matrix_hookshot_github_key_result.changed | default(false)
+        or matrix_hookshot_passkey_result.changed | default(false)
         or matrix_hookshot_support_files_result.changed | default(false)
         or matrix_hookshot_systemd_service_result.changed | default(false)
         or matrix_hookshot_container_image_pull_result.changed | default(false)

roles/custom/matrix-bridge-mautrix-slack/defaults/main.yml

@@ -17,7 +17,7 @@ matrix_mautrix_slack_container_image_self_build_repo: "https://mau.dev/mautrix/s
 matrix_mautrix_slack_container_image_self_build_branch: "{{ 'main' if matrix_mautrix_slack_version == 'latest' else matrix_mautrix_slack_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/slack
-matrix_mautrix_slack_version: v0.2602.0
+matrix_mautrix_slack_version: v0.2603.0
 # See: https://mau.dev/mautrix/slack/container_registry
 matrix_mautrix_slack_container_image: "{{ matrix_mautrix_slack_container_image_registry_prefix }}mautrix/slack:{{ matrix_mautrix_slack_version }}"
 matrix_mautrix_slack_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_slack_container_image_self_build else matrix_mautrix_slack_container_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-twitter/defaults/main.yml

@@ -22,7 +22,7 @@ matrix_mautrix_twitter_container_image_self_build_repo: "https://github.com/maut
 matrix_mautrix_twitter_container_image_self_build_repo_version: "{{ 'master' if matrix_mautrix_twitter_version == 'latest' else matrix_mautrix_twitter_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/twitter
-matrix_mautrix_twitter_version: v0.2511.0
+matrix_mautrix_twitter_version: v0.2603.0
 # See: https://mau.dev/tulir/mautrix-twitter/container_registry
 matrix_mautrix_twitter_container_image: "{{ matrix_mautrix_twitter_container_image_registry_prefix }}mautrix/twitter:{{ matrix_mautrix_twitter_version }}"
 matrix_mautrix_twitter_container_image_registry_prefix: "{{ 'localhost/' if matrix_mautrix_twitter_container_image_self_build else matrix_mautrix_twitter_container_image_registry_prefix_upstream }}"

roles/custom/matrix-bridge-mautrix-whatsapp/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_mautrix_whatsapp_container_image_self_build_repo: "https://mau.dev/mautri
 matrix_mautrix_whatsapp_container_image_self_build_branch: "{{ 'master' if matrix_mautrix_whatsapp_version == 'latest' else matrix_mautrix_whatsapp_version }}"
 
 # renovate: datasource=docker depName=dock.mau.dev/mautrix/whatsapp
-matrix_mautrix_whatsapp_version: v0.2602.0
+matrix_mautrix_whatsapp_version: v0.2603.0
 
 # See: https://mau.dev/mautrix/whatsapp/container_registry
 matrix_mautrix_whatsapp_container_image: "{{ matrix_mautrix_whatsapp_container_image_registry_prefix }}mautrix/whatsapp:{{ matrix_mautrix_whatsapp_version }}"

roles/custom/matrix-bridge-postmoogle/defaults/main.yml

@@ -18,7 +18,7 @@ matrix_postmoogle_container_repo_version: "{{ 'main' if matrix_postmoogle_versio
 matrix_postmoogle_container_src_files_path: "{{ matrix_base_data_path }}/postmoogle/docker-src"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/postmoogle
-matrix_postmoogle_version: v0.9.28
+matrix_postmoogle_version: v0.9.29
 matrix_postmoogle_container_image: "{{ matrix_postmoogle_container_image_registry_prefix }}etkecc/postmoogle:{{ matrix_postmoogle_version }}"
 matrix_postmoogle_container_image_registry_prefix: "{{ 'localhost/' if matrix_postmoogle_container_image_self_build else matrix_postmoogle_container_image_registry_prefix_upstream }}"
 matrix_postmoogle_container_image_registry_prefix_upstream: "{{ matrix_postmoogle_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-client-element/defaults/main.yml

@@ -29,7 +29,7 @@ matrix_client_element_container_image_self_build_repo: "https://github.com/eleme
 matrix_client_element_container_image_self_build_low_memory_system_patch_enabled: "{{ ansible_facts['memtotal_mb'] < 4096 }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-web
-matrix_client_element_version: v1.12.11
+matrix_client_element_version: v1.12.12
 
 matrix_client_element_container_image: "{{ matrix_client_element_container_image_registry_prefix }}element-hq/element-web:{{ matrix_client_element_version }}"
 matrix_client_element_container_image_registry_prefix: "{{ 'localhost/' if matrix_client_element_container_image_self_build else matrix_client_element_container_image_registry_prefix_upstream }}"

roles/custom/matrix-client-fluffychat/defaults/main.yml

@@ -151,7 +151,7 @@ matrix_client_fluffychat_path_prefix: /
 matrix_client_fluffychat_self_check_validate_certificates: true
 
 # Controls the default homeserver domain (not URL) used in the FluffyChat Web configuration.
-matrix_client_fluffychat_config_defaultHomeserver: ~
+matrix_client_fluffychat_config_defaultHomeserver: ~  # noqa var-naming
 
 # matrix_client_fluffychat_restart_necessary controls whether the service
 # will be restarted (when true) or merely started (when false) by the

roles/custom/matrix-element-call/defaults/main.yml

@@ -21,7 +21,7 @@ matrix_element_call_enabled: false
 matrix_rtc_enabled: "{{ matrix_element_call_enabled }}"
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/element-call
-matrix_element_call_version: v0.17.0
+matrix_element_call_version: v0.18.0
 
 matrix_element_call_scheme: https
 

roles/custom/matrix-synapse-admin/defaults/main.yml

@@ -28,7 +28,7 @@ matrix_synapse_admin_container_image_self_build: false
 matrix_synapse_admin_container_image_self_build_repo: "https://github.com/etkecc/synapse-admin.git"
 
 # renovate: datasource=docker depName=ghcr.io/etkecc/synapse-admin
-matrix_synapse_admin_version: v0.11.1-etke53
+matrix_synapse_admin_version: v0.11.4-etke54
 matrix_synapse_admin_container_image: "{{ matrix_synapse_admin_container_image_registry_prefix }}etkecc/synapse-admin:{{ matrix_synapse_admin_version }}"
 matrix_synapse_admin_container_image_registry_prefix: "{{ 'localhost/' if matrix_synapse_admin_container_image_self_build else matrix_synapse_admin_container_image_registry_prefix_upstream }}"
 matrix_synapse_admin_container_image_registry_prefix_upstream: "{{ matrix_synapse_admin_container_image_registry_prefix_upstream_default }}"

roles/custom/matrix-synapse-admin/tasks/validate_config.yml

@@ -6,6 +6,16 @@
 
 ---
 
+- name: Fail if matrix-synapse-admin is enabled for a non-Synapse homeserver
+  ansible.builtin.fail:
+    msg: >-
+      matrix-synapse-admin can only be used with the Synapse homeserver implementation.
+      Your configuration has `matrix_synapse_admin_enabled: true`, but `matrix_homeserver_implementation` is set to `{{ matrix_homeserver_implementation }}`.
+      Disable matrix-synapse-admin or switch to Synapse.
+  when:
+    - matrix_synapse_admin_enabled | bool
+    - matrix_homeserver_implementation != 'synapse'
+
 - name: (Deprecation) Catch and report renamed matrix-synapse-admin settings
   ansible.builtin.fail:
     msg: >-

roles/custom/matrix-synapse/defaults/main.yml

@@ -16,7 +16,7 @@ matrix_synapse_enabled: true
 matrix_synapse_github_org_and_repo: element-hq/synapse
 
 # renovate: datasource=docker depName=ghcr.io/element-hq/synapse
-matrix_synapse_version: v1.148.0
+matrix_synapse_version: v1.149.1
 
 matrix_synapse_username: ''
 matrix_synapse_uid: ''
@@ -934,6 +934,11 @@ matrix_synapse_workers_presets:
     stream_writer_account_data_stream_workers_count: 0
     stream_writer_receipts_stream_workers_count: 0
     stream_writer_presence_stream_workers_count: 0
+    stream_writer_push_rules_stream_workers_count: 0
+    stream_writer_device_lists_stream_workers_count: 0
+    # Keep disabled by default: MSC4306/4308 thread subscriptions are unstable
+    # and disabled in upstream Synapse unless explicitly opted in.
+    stream_writer_thread_subscriptions_stream_workers_count: 0
   one-of-each:
     room_workers_count: 0
     sync_workers_count: 0
@@ -952,6 +957,11 @@ matrix_synapse_workers_presets:
     stream_writer_account_data_stream_workers_count: 1
     stream_writer_receipts_stream_workers_count: 1
     stream_writer_presence_stream_workers_count: 1
+    stream_writer_push_rules_stream_workers_count: 1
+    stream_writer_device_lists_stream_workers_count: 1
+    # Keep disabled by default: MSC4306/4308 thread subscriptions are unstable
+    # and disabled in upstream Synapse unless explicitly opted in.
+    stream_writer_thread_subscriptions_stream_workers_count: 0
   specialized-workers:
     room_workers_count: 1
     sync_workers_count: 1
@@ -970,6 +980,11 @@ matrix_synapse_workers_presets:
     stream_writer_account_data_stream_workers_count: 1
     stream_writer_receipts_stream_workers_count: 1
     stream_writer_presence_stream_workers_count: 1
+    stream_writer_push_rules_stream_workers_count: 1
+    stream_writer_device_lists_stream_workers_count: 1
+    # Keep disabled by default: MSC4306/4308 thread subscriptions are unstable
+    # and disabled in upstream Synapse unless explicitly opted in.
+    stream_writer_thread_subscriptions_stream_workers_count: 0
 
 # Controls whether the matrix-synapse container exposes the various worker ports
 # (see `port` and `metrics_port` in `matrix_synapse_workers_enabled_list`) outside of the container.
@@ -1064,6 +1079,18 @@ matrix_synapse_workers_stream_writer_receipts_stream_workers_count: "{{ matrix_s
 # The count of these workers can only be 0 or 1.
 matrix_synapse_workers_stream_writer_presence_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_presence_stream_workers_count'] }}"
 
+# matrix_synapse_workers_stream_writer_push_rules_stream_workers_count controls how many stream writers that handle the `push_rules` stream to spawn.
+# The count of these workers can only be 0 or 1.
+matrix_synapse_workers_stream_writer_push_rules_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_push_rules_stream_workers_count'] }}"
+
+# matrix_synapse_workers_stream_writer_device_lists_stream_workers_count controls how many stream writers that handle the `device_lists` stream to spawn.
+# More than 1 worker is also supported of this type.
+matrix_synapse_workers_stream_writer_device_lists_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_device_lists_stream_workers_count'] }}"
+
+# matrix_synapse_workers_stream_writer_thread_subscriptions_stream_workers_count controls how many stream writers that handle the `thread_subscriptions` stream to spawn.
+# More than 1 worker is also supported of this type.
+matrix_synapse_workers_stream_writer_thread_subscriptions_stream_workers_count: "{{ matrix_synapse_workers_presets[matrix_synapse_workers_preset]['stream_writer_thread_subscriptions_stream_workers_count'] }}"
+
 # A list of stream writer workers to enable. This list is built automatically based on other variables.
 # You're encouraged to enable/disable stream writer workers by setting `matrix_synapse_workers_stream_writer_*_stream_workers_count` variables, instead of adjusting this list manually.
 matrix_synapse_workers_stream_writers: |
@@ -1081,6 +1108,12 @@ matrix_synapse_workers_stream_writers: |
     ([{'stream': 'receipts'}] * matrix_synapse_workers_stream_writer_receipts_stream_workers_count | int)
     +
     ([{'stream': 'presence'}] * matrix_synapse_workers_stream_writer_presence_stream_workers_count | int)
+    +
+    ([{'stream': 'push_rules'}] * matrix_synapse_workers_stream_writer_push_rules_stream_workers_count | int)
+    +
+    ([{'stream': 'device_lists'}] * matrix_synapse_workers_stream_writer_device_lists_stream_workers_count | int)
+    +
+    ([{'stream': 'thread_subscriptions'}] * matrix_synapse_workers_stream_writer_thread_subscriptions_stream_workers_count | int)
   }}
 
 matrix_synapse_workers_stream_writers_container_arguments: []
@@ -1241,11 +1274,21 @@ matrix_synapse_instance_map: |
 
 # Redis information
 matrix_synapse_redis_enabled: false
-matrix_synapse_redis_host: ""
-matrix_synapse_redis_port: 6379
 matrix_synapse_redis_password: ""
 matrix_synapse_redis_dbid: 0
 matrix_synapse_redis_use_tls: false
+# Connection option 1: TCP
+matrix_synapse_redis_host: ""
+matrix_synapse_redis_port: 6379
+# Connection option 2: Unix socket (takes precedence over TCP if `matrix_synapse_redis_path` is set)
+# disabled by default
+matrix_synapse_redis_path_enabled: false
+# the path to the redis socket's parent dir (/tmp, not /tmp/redis.sock file) inside the container, Synapse default's is "/tmp/redis.sock"
+matrix_synapse_redis_path: "/tmp"
+# the filename of the redis socket, inside the container, Synapse default's is "redis.sock"
+matrix_synapse_redis_path_socket: "/redis.sock"
+# the path to the redis socket on the host, e.g., "/matrix/valkey/run" (parent dir, not the socket file itself).
+matrix_synapse_redis_path_host: ""
 
 # Controls whether Synapse starts a replication listener necessary for workers.
 #
@@ -1274,6 +1317,13 @@ matrix_synapse_database_cp_max: 10
 matrix_synapse_database_user: "synapse"
 matrix_synapse_database_password: ""
 matrix_synapse_database_database: "synapse"
+# Connection option 2: Unix socket (takes precedence over TCP if enabled)
+# disabled by default
+matrix_synapse_database_socket_enabled: false
+# the path to the postgres socket's parent dir inside the container (not the socket file itself).
+matrix_synapse_database_socket_path: "/tmp/postgres"
+# the path to the postgres socket on the host, e.g., "/matrix/postgres/run" (parent dir, not the socket file itself).
+matrix_synapse_database_socket_path_host: ""
 
 matrix_synapse_turn_uris: []
 matrix_synapse_turn_shared_secret: ""
@@ -1373,6 +1423,23 @@ matrix_synapse_max_event_delay_duration: 24h
 # See https://github.com/matrix-org/matrix-spec-proposals/pull/4222
 matrix_synapse_experimental_features_msc4222_enabled: false
 
+# Controls whether to enable the MSC4306 experimental feature ("thread subscriptions").
+#
+# In current Synapse, this also enables the MSC4308 thread-subscriptions extension
+# to Sliding Sync under the same upstream feature flag.
+#
+# See:
+# - https://github.com/matrix-org/matrix-spec-proposals/pull/4306
+# - https://github.com/matrix-org/matrix-spec-proposals/pull/4308
+matrix_synapse_experimental_features_msc4306_enabled: false
+
+# Controls whether to enable the MSC4354 experimental feature (sticky events).
+#
+# This is implemented since Synapse v1.148.0 and can be used by element-call v0.17.0+
+#
+# See https://github.com/matrix-org/matrix-spec-proposals/pull/4354
+matrix_synapse_experimental_features_msc4354_enabled: false
+
 # Enable this to activate the REST auth password provider module.
 # See: https://github.com/ma1uta/matrix-synapse-rest-password-provider
 matrix_synapse_ext_password_provider_rest_auth_enabled: false
@@ -1424,7 +1491,7 @@ matrix_synapse_ext_spam_checker_synapse_simple_antispam_config_blocked_homeserve
 matrix_synapse_ext_spam_checker_mjolnir_antispam_enabled: false
 matrix_synapse_ext_spam_checker_mjolnir_antispam_git_repository_url: "https://github.com/matrix-org/mjolnir"
 # renovate: datasource=docker depName=matrixdotorg/mjolnir
-matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.12.0"
+matrix_synapse_ext_spam_checker_mjolnir_antispam_git_version: "v1.12.1"
 matrix_synapse_ext_spam_checker_mjolnir_antispam_config_block_invites: true
 # Flag messages sent by servers/users in the ban lists as spam. Currently
 # this means that spammy messages will appear as empty to users. Default
@@ -1730,7 +1797,7 @@ matrix_synapse_register_user_script_matrix_authentication_service_path: ""
 matrix_synapse_reverse_proxy_companion_enabled: "{{ matrix_synapse_enabled and matrix_synapse_workers_enabled }}"
 
 # renovate: datasource=docker depName=nginx
-matrix_synapse_reverse_proxy_companion_version: 1.29.5-alpine
+matrix_synapse_reverse_proxy_companion_version: 1.29.6-alpine
 
 matrix_synapse_reverse_proxy_companion_base_path: "{{ matrix_synapse_base_path }}/reverse-proxy-companion"
 matrix_synapse_reverse_proxy_companion_confd_path: "{{ matrix_synapse_reverse_proxy_companion_base_path }}/conf.d"
@@ -1878,6 +1945,26 @@ matrix_synapse_reverse_proxy_companion_worker_connections: 1024
 # Option to disable the access log
 matrix_synapse_reverse_proxy_companion_access_log_enabled: true
 
+# Controls the regular nginx access log format used for `/var/log/nginx/access.log`.
+# `routing_debug` is the default because it includes the chosen upstream label,
+# the resolved backend address, and timing data, which makes it much easier to
+# verify request routing in worker deployments.
+# This does not affect the separate syslog integration format used by prometheus-nginxlog-exporter.
+matrix_synapse_reverse_proxy_companion_access_log_format: routing_debug
+
+# The available values for `matrix_synapse_reverse_proxy_companion_access_log_format`.
+# You can override this map to define custom formats, but that is fragile and discouraged.
+matrix_synapse_reverse_proxy_companion_access_log_format_presets:
+  main:
+    - '$remote_addr - $remote_user [$time_local] "$request"'
+    - '$status $body_bytes_sent "$http_referer"'
+    - ' "$http_user_agent" "$http_x_forwarded_for"'
+  routing_debug:
+    - '$remote_addr - $remote_user [$time_local] "$request"'
+    - '$status $body_bytes_sent "$http_referer"'
+    - ' "$http_user_agent" "$http_x_forwarded_for"'
+    - ' "$host" "$matrix_upstream_label" "$upstream_addr" "$upstream_status" "$request_time" "$upstream_response_time"'
+
 # Controls whether to send access logs to a remote syslog-compatible server
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled: false
 matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_server_port: ''
@@ -1974,10 +2061,13 @@ matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_wo
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_account_data_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints }}"
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_push_rules_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints }}"
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_device_lists_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints }}"
+matrix_synapse_reverse_proxy_companion_synapse_stream_writer_thread_subscriptions_stream_worker_client_server_locations: "{{ matrix_synapse_workers_stream_writer_thread_subscriptions_stream_worker_client_server_endpoints }}"
 matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations: "{{ matrix_synapse_workers_media_repository_endpoints | default([]) }}"
 matrix_synapse_reverse_proxy_companion_synapse_user_dir_locations: "{{ matrix_synapse_workers_user_dir_worker_client_server_endpoints | default([]) }}"
-matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|pushrules/|rooms/[^/]+/(forget|upgrade|report)|login/sso/redirect/|register)
-matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^(/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect|/_synapse/client/(pick_username|(new_user_consent|oidc/callback|pick_idp|sso_register)$))
+matrix_synapse_reverse_proxy_companion_client_server_main_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/(account/3pid/|directory/list/room/|rooms/[^/]+/(forget|upgrade|report)|register)
+matrix_synapse_reverse_proxy_companion_client_server_sso_override_locations_regex: ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect(/|$)
 # Related to MSC4108 (https://github.com/matrix-org/matrix-spec-proposals/pull/4108)
 matrix_synapse_reverse_proxy_companion_client_server_qr_code_login_locations_regex: ^(/_matrix/client/(unstable|v1)/org.matrix.msc4108/rendezvous|/_synapse/client/rendezvous)$
 

roles/custom/matrix-synapse/tasks/validate_config.yml

@@ -149,6 +149,14 @@
     - "matrix_synapse_workers_stream_writer_account_data_stream_workers_count"
     - "matrix_synapse_workers_stream_writer_receipts_stream_workers_count"
     - "matrix_synapse_workers_stream_writer_presence_stream_workers_count"
+    - "matrix_synapse_workers_stream_writer_push_rules_stream_workers_count"
+
+- name: Fail if matrix-synapse-reverse-proxy-companion access log format is invalid
+  ansible.builtin.fail:
+    msg: >-
+      `matrix_synapse_reverse_proxy_companion_access_log_format` must be one of:
+      {{ matrix_synapse_reverse_proxy_companion_access_log_format_presets.keys() | sort | join(', ') }}
+  when: "matrix_synapse_reverse_proxy_companion_access_log_format not in matrix_synapse_reverse_proxy_companion_access_log_format_presets"
 
 - name: Fail when mixing generic workers with new specialized workers
   ansible.builtin.fail:

roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/conf.d/matrix-synapse-reverse-proxy-companion.conf.j2

@@ -10,8 +10,61 @@
 {% set stream_writer_account_data_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'account_data') | list %}
 {% set stream_writer_receipts_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'receipts') | list %}
 {% set stream_writer_presence_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'presence') | list %}
+{% set stream_writer_push_rules_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'push_rules') | list %}
+{% set stream_writer_device_lists_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'device_lists') | list %}
+{% set stream_writer_thread_subscriptions_stream_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'stream_writer') | selectattr('stream_writer_stream', 'equalto', 'thread_subscriptions') | list %}
 {% set media_repository_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'media_repository') | list %}
 {% set user_dir_workers = matrix_synapse_reverse_proxy_companion_synapse_workers_list | selectattr('type', 'equalto', 'user_dir') | list %}
+{% set stream_writer_client_server_routes = [
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream',
+		'workers': stream_writer_typing_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_typing_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream',
+		'workers': stream_writer_to_device_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_to_device_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream',
+		'workers': stream_writer_account_data_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_account_data_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream',
+		'workers': stream_writer_receipts_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_receipts_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream',
+		'workers': stream_writer_presence_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_presence_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream',
+		'workers': stream_writer_push_rules_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_push_rules_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_push_rules_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream',
+		'workers': stream_writer_device_lists_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_device_lists_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_device_lists_stream_workers_upstream',
+	},
+	{
+		'doc_url': 'https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247',
+		'workers': stream_writer_thread_subscriptions_stream_workers,
+		'locations': matrix_synapse_reverse_proxy_companion_synapse_stream_writer_thread_subscriptions_stream_worker_client_server_locations,
+		'upstream': 'stream_writer_thread_subscriptions_stream_workers_upstream',
+	},
+] %}
 
 {% macro render_worker_upstream(name, workers, load_balance) %}
 	upstream {{ name }} {
@@ -34,6 +87,7 @@
 {% macro render_locations_to_upstream(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
+		set $matrix_upstream_label "{{ upstream_name }}";
 		proxy_pass http://{{ upstream_name }}$request_uri;
 		proxy_http_version 1.1;
 		proxy_set_header Connection "";
@@ -41,9 +95,28 @@
 	{% endfor %}
 {% endmacro %}
 
+{% macro render_locations_to_upstream_or_main(locations, workers, upstream_name) %}
+	{% for location in locations %}
+	location ~ {{ location }} {
+		{% if workers | length > 0 %}
+		set $matrix_upstream_label "{{ upstream_name }}";
+		proxy_pass http://{{ upstream_name }}$request_uri;
+		proxy_http_version 1.1;
+		proxy_set_header Connection "";
+		{% else %}
+		{# Use the embedded DNS resolver in Docker containers to discover the service #}
+		resolver {{ matrix_synapse_reverse_proxy_companion_http_level_resolver }} valid=5s;
+		set $backend "{{ matrix_synapse_reverse_proxy_companion_client_api_addr }}";
+		proxy_pass http://$backend;
+		{% endif %}
+	}
+	{% endfor %}
+{% endmacro %}
+
 {% macro render_locations_to_upstream_with_whoami_sync_worker_router(locations, upstream_name) %}
 	{% for location in locations %}
 	location ~ {{ location }} {
+		set $matrix_upstream_label "{{ upstream_name }}";
 		# Use auth_request to call the whoami sync worker router.
 		# The handler resolves the access token to a user identifier and returns it
 		# in the X-User-Identifier header, which is then used for upstream hashing.
@@ -52,6 +125,7 @@
 
 		{% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_debug_headers_enabled %}
 		add_header X-Sync-Worker-Router-User-Identifier $user_identifier always;
+		add_header X-Sync-Worker-Router-Upstream-Label $matrix_upstream_label always;
 		add_header X-Sync-Worker-Router-Upstream $upstream_addr always;
 		{% endif %}
 
@@ -100,25 +174,11 @@ map $request_uri $room_name {
 	{{- render_worker_upstream('generic_workers_upstream', generic_workers, 'hash $http_x_forwarded_for;') }}
 	{% endif %}
 
-	{% if stream_writer_typing_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_typing_stream_workers_upstream', stream_writer_typing_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_to_device_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_to_device_stream_workers_upstream', stream_writer_to_device_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_account_data_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_account_data_stream_workers_upstream', stream_writer_account_data_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_receipts_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_receipts_stream_workers_upstream', stream_writer_receipts_stream_workers, '') }}
-	{% endif %}
-
-	{% if stream_writer_presence_stream_workers | length > 0 %}
-	{{- render_worker_upstream('stream_writer_presence_stream_workers_upstream', stream_writer_presence_stream_workers, '') }}
+	{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+	{% if stream_writer_client_server_route.workers | length > 0 %}
+	{{- render_worker_upstream(stream_writer_client_server_route.upstream, stream_writer_client_server_route.workers, '') }}
 	{% endif %}
+	{% endfor %}
 
 	{% if media_repository_workers | length > 0 %}
 	{{- render_worker_upstream('media_repository_workers_upstream', media_repository_workers, 'least_conn;') }}
@@ -142,6 +202,7 @@ server {
 	proxy_buffering on;
 	proxy_max_temp_file_size 0;
 	proxy_set_header Host $host;
+	set $matrix_upstream_label "synapse_main_client_api";
 
 	{% if matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_enabled %}
 	# Internal location for whoami-based sync worker routing.
@@ -186,36 +247,16 @@ server {
 
 		{# Workers redirects BEGIN #}
 
+		{% for stream_writer_client_server_route in stream_writer_client_server_routes %}
+			# {{ stream_writer_client_server_route.doc_url }}
+			{{ render_locations_to_upstream_or_main(stream_writer_client_server_route.locations, stream_writer_client_server_route.workers, stream_writer_client_server_route.upstream) }}
+		{% endfor %}
+
 		{% if generic_workers | length > 0 %}
 			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappgeneric_worker
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_client_server_locations, 'generic_workers_upstream') }}
 		{% endif %}
 
-		{% if stream_writer_typing_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-typing-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_typing_stream_worker_client_server_locations, 'stream_writer_typing_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_to_device_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-to_device-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_to_device_stream_worker_client_server_locations, 'stream_writer_to_device_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_account_data_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-account_data-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_account_data_stream_worker_client_server_locations, 'stream_writer_account_data_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_receipts_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-receipts-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_receipts_stream_worker_client_server_locations, 'stream_writer_receipts_stream_workers_upstream') }}
-		{% endif %}
-
-		{% if stream_writer_presence_stream_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#the-presence-stream
-			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_stream_writer_presence_stream_worker_client_server_locations, 'stream_writer_presence_stream_workers_upstream') }}
-		{% endif %}
-
 		{% if room_workers | length > 0 %}
 			# room workers
 			# https://tcpipuk.github.io/synapse/deployment/workers.html
@@ -237,13 +278,14 @@ server {
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_client_reader_client_server_locations, 'client_reader_workers_upstream') }}
 		{% endif %}
 
-		{% if media_repository_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
-			{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
-			location ~ {{ location }} {
-				proxy_pass http://media_repository_workers_upstream$request_uri;
+			{% if media_repository_workers | length > 0 %}
+				# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
+				{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
+				location ~ {{ location }} {
+					set $matrix_upstream_label "media_repository_workers_upstream";
+					proxy_pass http://media_repository_workers_upstream$request_uri;
 
-				{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
+					{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
 					proxy_cache            {{ matrix_synapse_reverse_proxy_companion_synapse_cache_keys_zone_name }};
 					proxy_cache_valid      any {{ matrix_synapse_reverse_proxy_companion_synapse_cache_proxy_cache_valid_time }};
 					proxy_force_ranges on;
@@ -287,6 +329,7 @@ server {
 	proxy_buffering on;
 	proxy_max_temp_file_size 0;
 	proxy_set_header Host $host;
+	set $matrix_upstream_label "synapse_main_federation_api";
 
 	{% if matrix_synapse_reverse_proxy_companion_synapse_workers_enabled %}
 		# Federation overrides — These locations must go to the main Synapse process
@@ -308,11 +351,12 @@ server {
 			{{ render_locations_to_upstream(matrix_synapse_reverse_proxy_companion_synapse_generic_worker_federation_locations, 'generic_workers_upstream') }}
 		{% endif %}
 
-		{% if media_repository_workers | length > 0 %}
-			# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
-			{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
-			location ~ {{ location }} {
-				proxy_pass http://media_repository_workers_upstream$request_uri;
+			{% if media_repository_workers | length > 0 %}
+				# https://matrix-org.github.io/synapse/latest/workers.html#synapseappmedia_repository
+				{% for location in matrix_synapse_reverse_proxy_companion_synapse_media_repository_locations %}
+				location ~ {{ location }} {
+					set $matrix_upstream_label "media_repository_workers_upstream";
+					proxy_pass http://media_repository_workers_upstream$request_uri;
 
 				{% if matrix_synapse_reverse_proxy_companion_synapse_cache_enabled %}
 					proxy_buffering        on;

roles/custom/matrix-synapse/templates/reverse_proxy_companion/nginx/nginx.conf.j2

@@ -48,12 +48,14 @@ http {
 	js_shared_dict_zone zone=whoami_sync_worker_router_cache:{{ matrix_synapse_reverse_proxy_companion_whoami_sync_worker_router_cache_size_mb }}m;
 	{% endif %}
 
-	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
-		'$status $body_bytes_sent "$http_referer" '
-		'"$http_user_agent" "$http_x_forwarded_for"';
+	{% set access_log_format_fragments = matrix_synapse_reverse_proxy_companion_access_log_format_presets[matrix_synapse_reverse_proxy_companion_access_log_format] %}
+	log_format access_log_fmt
+	{% for fragment in access_log_format_fragments %}
+		'{{ fragment }}'{% if loop.last %};{% endif %}
+	{% endfor %}
 
 	{% if matrix_synapse_reverse_proxy_companion_access_log_enabled %}
-	access_log /var/log/nginx/access.log main;
+	access_log /var/log/nginx/access.log access_log_fmt;
 	{% else %}
 	access_log off;
 	{% endif %}

roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2

@@ -864,7 +864,7 @@ database:
     user: {{ matrix_synapse_database_user | string|to_json }}
     password: {{ matrix_synapse_database_password | string|to_json }}
     database: "{{ matrix_synapse_database_database }}"
-    host: "{{ matrix_synapse_database_host }}"
+    host: "{{ matrix_synapse_database_socket_path if matrix_synapse_database_socket_enabled else matrix_synapse_database_host }}"
     port: {{ matrix_synapse_database_port }}
     cp_min: {{ matrix_synapse_database_cp_min | to_json }}
     cp_max: {{ matrix_synapse_database_cp_max | to_json }}
@@ -2932,6 +2932,11 @@ redis:
   host: {{ matrix_synapse_redis_host | to_json }}
   port: {{ matrix_synapse_redis_port | to_json }}
 
+  # The full path to a local Unix socket file. If this is used, host and port are ignored.
+  {% if matrix_synapse_redis_path_enabled %}
+  path: {{ (matrix_synapse_redis_path + matrix_synapse_redis_path_socket) | to_json }}
+  {% endif %}
+
   # Optional database ID to connect to. Defaults to 0.
   dbid: {{ matrix_synapse_redis_dbid | to_json }}
 
@@ -3001,6 +3006,12 @@ experimental_features:
   {% if matrix_synapse_experimental_features_msc4222_enabled %}
   msc4222_enabled: true
   {% endif %}
+  {% if matrix_synapse_experimental_features_msc4306_enabled %}
+  msc4306_enabled: true
+  {% endif %}
+  {% if matrix_synapse_experimental_features_msc4354_enabled %}
+  msc4354_enabled: true
+  {% endif %}
 
 {% if matrix_synapse_experimental_features_msc4140_enabled %}
 max_event_delay_duration: {{ matrix_synapse_max_event_delay_duration | to_json }}

roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse-worker.service.j2

@@ -67,6 +67,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \
 			{% endfor %}
+			{% if matrix_synapse_redis_path_enabled %}
+			--mount type=bind,src={{ matrix_synapse_redis_path_host }},dst={{ matrix_synapse_redis_path }} \
+			{% endif %}
+			{% if matrix_synapse_database_socket_enabled %}
+			--mount type=bind,src={{ matrix_synapse_database_socket_path_host }},dst={{ matrix_synapse_database_socket_path }} \
+			{% endif %}
 			--label-file={{ matrix_synapse_base_path }}/{{ matrix_synapse_worker_labels_file_name }} \
 			{% for arg in matrix_synapse_container_arguments %}
 			{{ arg }} \

roles/custom/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2

@@ -51,6 +51,12 @@ ExecStartPre={{ devture_systemd_docker_base_host_command_docker }} create \
 			{% endif %}
 			--mount type=bind,src={{ matrix_synapse_config_dir_path }},dst=/data,ro \
 			--mount type=bind,src={{ matrix_synapse_storage_path }},dst=/matrix-media-store-parent,bind-propagation=slave \
+			{% if matrix_synapse_redis_path_enabled %}
+			--mount type=bind,src={{ matrix_synapse_redis_path_host }},dst={{ matrix_synapse_redis_path }} \
+			{% endif %}
+			{% if matrix_synapse_database_socket_enabled %}
+			--mount type=bind,src={{ matrix_synapse_database_socket_path_host }},dst={{ matrix_synapse_database_socket_path }} \
+			{% endif %}
 			--label-file={{ matrix_synapse_base_path }}/labels \
 			{% for volume in matrix_synapse_container_additional_volumes %}
 			--mount type={{ volume.type | default('bind' if '/' in volume.src else 'volume') }},src={{ volume.src }},dst={{ volume.dst }}{{ (',' + volume.options) if volume.options else '' }} \

roles/custom/matrix-synapse/vars/main.yml

@@ -31,7 +31,36 @@ matrix_synapse_workers_sync_worker_client_server_endpoints:
 
 # Client reader workers handle generic client-server endpoints that don't contain a roomid or sync
 matrix_synapse_workers_client_reader_client_server_endpoints:
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/(room_keys/|keys/(query|changes|claim|upload/|room_keys/)|login|register(/available|/m.login.registration_token/validity|)|password_policy|profile|rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))|createRoom|publicRooms|account/(3pid|whoami|devices)|versions|voip/turnServer|joined_rooms|search|user/.*/filter(/|$)|directory/room/.*|capabilities)
+  # Keep these as grouped regex entries instead of a single huge alternation.
+  # This preserves the existing specialized-routing policy while making future audits
+  # and endpoint-specific edits reviewable.
+
+  # Encryption and room-key APIs
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/room_keys/
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/(query|changes|claim|room_keys/)
+
+  # MSC3814 dehydrated-device APIs:
+  # Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L256-L459
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device$
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/[^/]*/events$
+
+  # Login, registration, account, and profile APIs
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/login
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/register(/available|/m.login.registration_token/validity|)?
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/password_policy
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/profile
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/account/(3pid|whoami|deactivate)
+
+  # Room-scoped client APIs handled by client readers in the specialized-worker model
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(joined_members|context/.*|members|state|hierarchy|relations/|event/|aliases|timestamp_to_event|redact|send|state/|(join|invite|leave|ban|unban|kick))
+
+  # Generic client discovery and lookup APIs
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/(createRoom|publicRooms|versions|voip/turnServer|joined_rooms|search|directory/room/.*|capabilities)
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/user/.*/filter(/|$)
+
+  # MatrixRTC transport discovery:
+  # Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/matrixrtc.py#L30-L52
+  - ^/_matrix/client/unstable/org.matrix.msc4143/rtc/transports$
 
 # Federation reader workers handle generic federation endpoints that don't contain a roomid
 matrix_synapse_workers_federation_reader_federation_endpoints:
@@ -47,12 +76,10 @@ matrix_synapse_workers_federation_reader_federation_endpoints:
 # because `matrix_synapse_workers_generic_worker_endpoints` also contains things like `/_synapse/client/`, etc.
 # While /_synapse/client/ endpoints are somewhat client-server API-related, they're:
 # - neither part of the client-server API spec (and are thus, different)
-# - nor always OK to forward to a worker (we're supposed to obey `matrix_synapse_companion_container_labels_client_synapse_client_api_enabled`)
+# - and they now include a meaningful Synapse-specific tree (`pick_idp`, `pick_username`, OIDC/SAML callbacks, rendezvous, etc.)
+# - some of these paths are auth-sensitive or deployment-sensitive, so we intentionally keep them out of the broad worker route model unless explicitly handled elsewhere
 #
-# It's also not too many of these APIs (only `^/_synapse/client/password_reset/email/submit_token$` at the time of this writing / 2021-01-24),
-# so it's not that important whether we forward them or not.
-#
-# Basically, we aim to cover most things. Skipping `/_synapse/client` or a few other minor things doesn't matter too much.
+# Basically, we aim to cover most spec client APIs here. Skipping `/_synapse/client` is intentional and conservative.
 matrix_synapse_workers_generic_worker_client_server_endpoints: "{{ matrix_synapse_workers_generic_worker_endpoints | default([]) | map('regex_search', '.*/_matrix/client.*') | list | difference([none]) }}"
 
 # A Synapse generic worker can handle both federation and client-server API endpoints.
@@ -93,6 +120,26 @@ matrix_synapse_workers_stream_writer_receipts_stream_worker_client_server_endpoi
 matrix_synapse_workers_stream_writer_presence_stream_worker_client_server_endpoints:
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/
 
+# matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints contains the endpoints serviced by the `push_rules` stream writer.
+# See: https://matrix-org.github.io/synapse/latest/workers.html#the-push_rules-stream
+matrix_synapse_workers_stream_writer_push_rules_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
+
+# matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints contains the endpoints serviced by the `device_lists` stream writer.
+# See: https://matrix-org.github.io/synapse/latest/workers.html#the-device_lists-stream
+matrix_synapse_workers_stream_writer_device_lists_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/(r0|v3)/delete_devices$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)
+  - ^/_matrix/client/(r0|v3|unstable)/keys/upload(/|$)
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+
+# matrix_synapse_workers_stream_writer_thread_subscriptions_stream_worker_client_server_endpoints contains the endpoints serviced by the `thread_subscriptions` stream writer.
+# Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/thread_subscriptions.py#L38-L247
+matrix_synapse_workers_stream_writer_thread_subscriptions_stream_worker_client_server_endpoints:
+  - ^/_matrix/client/unstable/io.element.msc4306/rooms/.*/thread/.*/subscription$
+  - ^/_matrix/client/unstable/io.element.msc4308/thread_subscriptions$
+
 # matrix_synapse_workers_user_dir_worker_client_server_endpoints contains the endpoints serviced by the `type = user_dir` (`app = generic_worker`) worker.
 # See: https://matrix-org.github.io/synapse/latest/workers.html#updating-the-user-directory
 matrix_synapse_workers_user_dir_worker_client_server_endpoints:
@@ -101,11 +148,11 @@ matrix_synapse_workers_user_dir_worker_client_server_endpoints:
 # matrix_synapse_workers_known_stream_writer_stream_types contains the list of stream writer stream types that the playbook recognizes.
 # This is used for validation purposes. If adding support for a new type, besides adding it to this list,
 # don't forget to actually configure it where appropriate (see worker.yaml.j2`, the nginx proxy configuration, etc).
-matrix_synapse_workers_known_stream_writer_stream_types: ['events', 'typing', 'to_device', 'account_data', 'receipts', 'presence']
+matrix_synapse_workers_known_stream_writer_stream_types: ['events', 'typing', 'to_device', 'account_data', 'receipts', 'presence', 'push_rules', 'device_lists', 'thread_subscriptions']
 
 # matrix_synapse_workers_webserving_stream_writer_types contains a list of stream writer types that serve web (client) requests.
 # Not all stream writers serve web requests. Some just perform background tasks.
-matrix_synapse_workers_webserving_stream_writer_types: ['typing', 'to_device', 'account_data', 'receipts', 'presence']
+matrix_synapse_workers_webserving_stream_writer_types: ['typing', 'to_device', 'account_data', 'receipts', 'presence', 'push_rules', 'device_lists', 'thread_subscriptions']
 
 # matrix_synapse_workers_systemd_services_list contains a list of systemd services (one for each worker systemd service which serves web requests).
 # This list is built during runtime.
@@ -188,9 +235,11 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(v1|unstable)/rooms/.*/relations/
   - ^/_matrix/client/v1/rooms/.*/threads$
   - ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$
+  - ^/_matrix/client/unstable/im.nheko.summary/summary/.*$
+  - ^/_matrix/client/unstable/org.matrix.msc4143/rtc/transports$
   - ^/_matrix/client/(r0|v3|unstable)/account/3pid$
   - ^/_matrix/client/(r0|v3|unstable)/account/whoami$
-  - ^/_matrix/client/(r0|v3|unstable)/devices$
+  - ^/_matrix/client/(r0|v3|unstable)/account/deactivate$
   - ^/_matrix/client/versions$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/
@@ -208,9 +257,10 @@ matrix_synapse_workers_generic_worker_endpoints:
   - ^/_matrix/client/(r0|v3|unstable)/keys/changes$
   - ^/_matrix/client/(r0|v3|unstable)/keys/claim$
   - ^/_matrix/client/(r0|v3|unstable)/room_keys/
-  - ^/_matrix/client/(r0|v3|unstable)/keys/upload$
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
-  - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+  # MSC3814 dehydrated-device support:
+  # Ref: https://github.com/element-hq/synapse/blob/b99a58719b274fcbb327fd8d7649185792bfd12c/synapse/rest/client/devices.py#L256-L459
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device$
+  - ^/_matrix/client/unstable/org.matrix.msc3814.v1/dehydrated_device/[^/]*/events$
 
   # Registration/login requests
   - ^/_matrix/client/(api/v1|r0|v3|unstable)/login$
@@ -236,11 +286,14 @@ matrix_synapse_workers_generic_worker_endpoints:
 
   # Start of intentionally-ignored-endpoints
   #
-  # We ignore these below, because they're better sent to dedicated workers (various stream writers).
-  # If a stream writer is enabled, the endpoint should be routed to the stream writer, not to a generic worker.
-  # If a stream writer of a given type is not enabled, then a generic worker may process it.
-  # Because it's difficult to handle these individually based on which stream writer is enabled and which isn't,
-  # we just disable them here.
+  # We ignore these below, because they are now supposed to be owned by explicit
+  # early stream-backed routing in the reverse proxy.
+  #
+  # The intended behavior is:
+  # - if a stream writer is enabled, route to that stream writer
+  # - otherwise, route to Synapse `main`
+  #
+  # Broad generic-worker routing must not decide fallback behavior for these.
   #
   # # Account data requests
   # - ^/_matrix/client/(r0|v3|unstable)/.*/tags
@@ -253,6 +306,20 @@ matrix_synapse_workers_generic_worker_endpoints:
   # # Presence requests
   # - ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/
   #
+  # # Push rules requests
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/pushrules/
+  #
+  # # Device lists requests
+  # - ^/_matrix/client/(r0|v3)/delete_devices$
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/devices(/|$)
+  # - ^/_matrix/client/(r0|v3|unstable)/keys/upload(/|$)
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/device_signing/upload$
+  # - ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/signatures/upload$
+  #
+  # # Thread subscriptions requests
+  # - ^/_matrix/client/unstable/io.element.msc4306/rooms/.*/thread/.*/subscription$
+  # - ^/_matrix/client/unstable/io.element.msc4308/thread_subscriptions$
+  #
   # # User directory search requests
   # - ^/_matrix/client/(r0|v3|unstable)/user_directory/search$
   # End of intentionally-ignored-endpoints